This global command, no cdp run, stops the switch from generating any CDP traffic at all. However, unless every interface on the device faces the Internet or some other untrusted network, there is no real need to disable CDP across the entire platform: you can disable CDP per interface instead (no cdp enable on the interface), so that it is still sent on uplinks and phone ports but not on user-facing edge ports. This is where my argument for CDP begins. This deployment was an enterprise refresh and included many points of entry. Being in higher education, I have found that kids like to practice what is preached in class.
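As an added example (not the post's own material), the per-interface approach above as a small audit script: it reads an IOS-style running-config, works out which interfaces still advertise CDP, and emits only per-interface no cdp enable lines for user-facing access ports, leaving uplinks and phone ports alone. The sample config, hostname and interface names are constructed for the example; the rule it encodes (a global no cdp run switches CDP off everywhere, otherwise CDP is on for every interface unless that interface carries no cdp enable) is standard IOS behaviour, and the decision to keep CDP on ports with a voice VLAN reflects that Cisco IP phones learn their voice VLAN over CDP unless LLDP-MED is used instead.

```python
"""Audit an IOS running-config for where CDP is still being advertised.

Added example for this post, not the author's code. Assumes IOS syntax:
a global `no cdp run` disables CDP everywhere; otherwise CDP is on for
every interface unless that interface has `no cdp enable`.
"""

# Constructed sample config: global CDP left on, one student-facing port
# already hardened, one not, one phone port, one uplink.
SAMPLE_CONFIG = """\
!
hostname edge-sw1
!
interface GigabitEthernet1/0/1
 description student dorm jack
 switchport mode access
 switchport access vlan 120
 no cdp enable
!
interface GigabitEthernet1/0/2
 description student dorm jack
 switchport mode access
 switchport access vlan 120
!
interface GigabitEthernet1/0/3
 description IP phone + PC
 switchport mode access
 switchport voice vlan 200
!
interface GigabitEthernet1/1/1
 description uplink to core
 switchport mode trunk
!
end
"""


def parse_interfaces(config):
    """Return (global_cdp_enabled, {interface_name: [stanza lines]})."""
    stripped = [line.strip() for line in config.splitlines()]
    global_cdp = "no cdp run" not in stripped
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any other global line ends the stanza
    return global_cdp, interfaces


def cdp_exposure(config):
    """Map each interface to (sends_cdp, verdict)."""
    global_cdp, interfaces = parse_interfaces(config)
    report = {}
    for name, lines in interfaces.items():
        sends = global_cdp and "no cdp enable" not in lines
        is_access = "switchport mode access" in lines
        # Assumption: a voice VLAN means a Cisco phone that needs CDP
        # (or LLDP-MED) to learn that VLAN, so do not flag it.
        has_phone = any(l.startswith("switchport voice vlan") for l in lines)
        if not sends:
            verdict = "ok: CDP already off on this interface"
        elif has_phone:
            verdict = "keep: phone port relies on CDP for its voice VLAN"
        elif is_access:
            verdict = "fix: user-facing access port still advertises CDP"
        else:
            verdict = "keep: infrastructure link, CDP wanted for troubleshooting"
        report[name] = (sends, verdict)
    return report


def remediation(config):
    """IOS lines to paste: per-interface `no cdp enable` on flagged ports only,
    never the global `no cdp run` that would also silence the phone ports."""
    lines = []
    for name, (_sends, verdict) in cdp_exposure(config).items():
        if verdict.startswith("fix"):
            lines += [f"interface {name}", " no cdp enable"]
    return lines


if __name__ == "__main__":
    for name, (sends, verdict) in cdp_exposure(SAMPLE_CONFIG).items():
        print(f"{name:24} cdp={'on' if sends else 'off':3} {verdict}")
    print("\n".join(remediation(SAMPLE_CONFIG)))
```

Feed it the output of show running-config instead of the sample and the remediation lines are what you paste into configuration mode; running it again afterwards should leave only keep and ok verdicts.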
With that, I proposed the first of a few suggestions.

Overhead

By restricting the interfaces on which CDP is sent, you also reduce the overhead on those links: by default a CDP advertisement goes out every 60 seconds on every enabled interface, whether or not anything on the far end is listening.

The debate about CDP should be wider than just security.
Disabling CDP might reduce security risk by reducing an attacker's capability to gather information about the network if they are able to compromise a network device, or the authentication system that controls access. For example, troubleshooting connectivity is much faster with CDP enabled, and often shows unexpected problems when devices that should not be adjacent are visible.
On balance, operational integrity is more important, in my opinion, and I do not recommend disabling CDP. After all, if your network is down and your business fails, security is not a consideration.

Following the guidelines you set out in this post, I cannot see why enabling CDP in this fashion should be a problem. Over time, that could well change for the reasons you cite.

When using Cisco phones, turning off CDP because of security is the craziest way this happens in the places I go….
Then they wonder why the phones do not work right and QoS stinks or does not work; so many issues, and that is why you bought all Cisco switches and phones, or so I thought….

I agree. I would like to see some Cisco and other vendors' devices connected and running LLDP, to see what interoperability issues occur and the level of information you get compared to CDP. Congrats on the first post!

Because Cisco dominates the network equipment market, the bugs impact millions of devices.
All software has flaws, but embedded device issues are especially concerning given the potential for espionage and the inherent complexity of patching them.
These particular vulnerabilities, found by the enterprise security firm Armis, can also break out of the "segmentation" that IT managers use to silo different parts of a network, like a guest Wi-Fi, to cause widespread issues. Attackers could target a vulnerable Cisco network switch—which moves data around an internal network—to intercept large amounts of unencrypted, internal information and move between different parts of a target's system.
Attackers could use related flaws, also disclosed by Armis, to attack batches of Cisco devices at once—like all the desk phones or all the webcams—to shut them down or turn them into eyes and ears inside a target organization. And we know that enterprise devices are being targeted in the world. If they have this type of vulnerability, unfortunately that can be very powerful for a group like an APT. The flaws lie in the implementation of a mechanism known as the Cisco Discovery Protocol, which allows Cisco products to broadcast their identities to each other within a private network.
CDP is part of a network's "Layer 2," which establishes the foundational data link between network devices.

Cisco has issued fixes for five security glitches that can be found in a wealth of its networked enterprise products, from switches and routers to web cameras and desktop VoIP phones.
The problems center around vulnerabilities in the implementation of the Cisco Discovery Protocol (CDP) that could let an unauthenticated attacker take over the products without any user interaction. While no public exploit has been found, an attacker simply needs to send a maliciously crafted CDP packet to a target device located inside the network to take advantage of the weakness, Cisco stated. Because CDP frames are sent to a link-local multicast address and are never routed, the attacker must already be adjacent to the target at Layer 2, which is exactly the position a compromised host on an access segment provides. CDP enables management of Cisco devices by discovering networked devices, determining how they are configured, and letting systems using different network-layer protocols learn about each other, according to Cisco.
The five vulnerabilities, revealed by Armis Security and dubbed CDPwn, are significant because Layer 2 protocols are the underpinning for all networks, Armis wrote in a blog about the problems. Network segmentation is utilized as a means to improve network performance and also to provide security.
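To make the "maliciously crafted CDP packet" concrete, here is an added example (not from the article, from Cisco or from Armis, and not a reproduction of any of the CDPwn bugs) of what a CDP receiver has to verify before it trusts a frame: a bounds-checked parser for the documented CDP layout, run against two constructed frames, one well-formed and one whose TLV length field claims more bytes than the frame actually carries. The device and port names inside the frames are made up, the source MAC is arbitrary, and checksum verification is left out.

```python
"""Bounds-checked parser for CDP (Cisco Discovery Protocol) frames.

Added example; not the article's, Cisco's or Armis's code. Layout used is
the documented one: an 802.3 frame to 01:00:0c:cc:cc:cc carrying an
LLC/SNAP header (AA AA 03, OUI 00 00 0C, type 0x2000), then a CDP header
of version (1 byte), TTL (1 byte), checksum (2 bytes), then TLVs whose
2-byte length field counts its own 4-byte type/length header. The CDP
checksum is not verified here.
"""
import struct

CDP_MULTICAST = bytes.fromhex("01000ccccccc")
SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")
TLV_NAMES = {0x0001: "device_id", 0x0003: "port_id",
             0x0005: "sw_version", 0x0006: "platform"}


class MalformedCDP(ValueError):
    """Raised for any frame whose length fields do not match its bytes."""


def build_tlv(tlv_type, value, declared_len=None):
    """Encode one TLV; declared_len lets a test forge a bogus length."""
    length = 4 + len(value) if declared_len is None else declared_len
    return struct.pack("!HH", tlv_type, length) + value


def build_frame(tlvs, src=bytes.fromhex("001122334455")):
    """Wrap TLVs in a CDP v2 header (TTL 180, checksum 0) and 802.3/SNAP."""
    payload = SNAP_CDP + struct.pack("!BBH", 2, 180, 0) + b"".join(tlvs)
    return CDP_MULTICAST + src + struct.pack("!H", len(payload)) + payload


def parse_cdp(frame):
    """Return {name: value} for the frame's TLVs, or raise MalformedCDP.
    Every length field is checked against the bytes present before use."""
    if len(frame) < 14 + len(SNAP_CDP) + 4:
        raise MalformedCDP("frame too short for a CDP header")
    if frame[:6] != CDP_MULTICAST:
        raise MalformedCDP("not the CDP multicast destination")
    llc_len = struct.unpack("!H", frame[12:14])[0]
    body = frame[14:14 + llc_len]
    if len(body) != llc_len:
        raise MalformedCDP("802.3 length exceeds captured bytes")
    if body[:8] != SNAP_CDP:
        raise MalformedCDP("not the CDP SNAP type")
    version, ttl, _checksum = struct.unpack("!BBH", body[8:12])
    if version not in (1, 2):
        raise MalformedCDP(f"unknown CDP version {version}")
    tlvs, off = {"version": version, "ttl": ttl}, 12
    while off < len(body):
        if off + 4 > len(body):
            raise MalformedCDP("truncated TLV header")
        tlv_type, tlv_len = struct.unpack("!HH", body[off:off + 4])
        if tlv_len < 4:
            raise MalformedCDP(f"TLV 0x{tlv_type:04x} length {tlv_len} < header")
        if off + tlv_len > len(body):
            raise MalformedCDP(f"TLV 0x{tlv_type:04x} length {tlv_len} overruns frame")
        value = body[off + 4:off + tlv_len]
        tlvs[TLV_NAMES.get(tlv_type, f"tlv_{tlv_type:04x}")] = value
        off += tlv_len
    return tlvs


def classify(frame):
    """Verdict a Layer 2 monitor could log: 'ok' or 'malformed: <reason>'."""
    try:
        parse_cdp(frame)
        return "ok"
    except MalformedCDP as exc:
        return f"malformed: {exc}"


# Constructed frames: one well-formed, one whose Device ID TLV declares a
# length that runs far past the end of the frame.
GOOD_FRAME = build_frame([build_tlv(0x0001, b"edge-sw1"),
                          build_tlv(0x0003, b"GigabitEthernet1/0/1"),
                          build_tlv(0x0006, b"cisco WS-C3850-48P")])
OVERRUN_FRAME = build_frame([build_tlv(0x0001, b"edge-sw1", declared_len=0x0400)])

if __name__ == "__main__":
    print(parse_cdp(GOOD_FRAME))
    print(classify(OVERRUN_FRAME))
```

The point of the example is the three checks inside the loop: a receiver that copies tlv_len bytes on the strength of the length field alone, without confirming they exist, is the shape of defect a crafted frame from an adjacent host can reach, and the same checks are what a passive monitor uses to flag frames that no legitimate Cisco device would emit.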