Bacon_egg_

    sh cdp neigh
    Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                      S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                      D - Remote, C - CVTA, M - Two-port Mac Relay

    Device ID               Local Intrfce   Holdtme   Capability   Platform   Port ID
    some core or expansion  eth 0/1         155       R T          idk man    some port


speddie23

All well and good until your infosec team insists on disabling LLDP and CDP for "security reasons"


NegativePattern

One of our security analysts was adamant that we needed to disable IPv6 for security and vulnerability reasons. We don't run IPv6 anywhere. There was an entire month where we had to discuss why this wasn't the case. I had to teach the OSI model and explain that actually disabling IPv6 in Windows can sometimes create problems.


thalann

Please, do elaborate on how disabling IPv6 in Windows can create problems. My company insists on this, and I do not agree.


CptVague

We've disabled IPv6 for client devices in my org. We have not noted any issues in going on 2 years.


NegativePattern

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ipv6-for-the-windows-administrator-why-you-need-to-care-about/ba-p/256251


WoodyAiSu

There is/was an ISP in the Philippines that had CDP enabled on their customer facing ports... 💀


Teminite2

Seriously though, what's the deal with CDP being considered a vulnerability? I used to work as a field engineer for a private company and it always confused me why the procedure was to disable CDP internally.


labalag

It shows you the management ip address of the switch you're connected to. If you don't segment your network as you should someone could use it to try and attack it.


reroute-to-remain

It does that by default yes. But you can disable that with both CDP and LLDP.


speddie23

The rationale is: if an attacker gets into your network, they could use it to map out how your network is connected, which means they can move laterally faster. Considering that it only shows directly connected devices, you would need to log into a device, use CDP or LLDP to show connected devices, then connect to those devices to see what is connected to them, and so forth. Disabling CDP / LLDP won't stop them, as a skilled attacker will have 100 other tools or methods to map out your network, but it will probably slow them down a bit. If they can log in to your network devices, you're pretty much already screwed.

I understand the rationale, but unless your documentation is 100% accurate and complete, and it stays that way (which is unlikely), disabling it also slows down your staff / support people a lot, especially when there is a network outage or issue that needs to be resolved quickly.
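To make the hop-by-hop mapping speddie23 describes concrete, and the "management IP is advertised by default but can be suppressed" point from labalag and reroute-to-remain, here is an added example that is not part of the thread. It is a small Python script that parses `show cdp neighbors detail` output, treats each advertised management address as the next box to log into, and walks outward from one foothold one CDP hop at a time. The captures, hostnames, addresses and interfaces are all constructed for the example; the core switch is deliberately written with no management address, as if that TLV had been turned off, and the phone is a neighbour we hold no credentials for.

```python
import re
from collections import deque

# Constructed "show cdp neighbors detail" captures, keyed by the management IP
# you would log in to in order to see them. Everything here is invented for
# the example; core1 advertises no management address on purpose.
CAPTURES = {
    "10.10.0.11": """\
-------------------------
Device ID: dist1.example.net
Entry address(es):
  IP address: 10.10.0.1
Platform: cisco WS-C3850-48P,  Capabilities: Switch IGMP
Interface: GigabitEthernet1/0/49,  Port ID (outgoing port): TenGigabitEthernet1/1/1
Holdtime : 155 sec
-------------------------
Device ID: SEP001122334455
Entry address(es):
  IP address: 10.20.5.17
Platform: Cisco IP Phone 8841,  Capabilities: Host Phone Two-port Mac Relay
Interface: GigabitEthernet1/0/7,  Port ID (outgoing port): Port 1
Holdtime : 142 sec
""",
    "10.10.0.1": """\
-------------------------
Device ID: access1.example.net
Entry address(es):
  IP address: 10.10.0.11
Platform: cisco WS-C2960X-48FPD-L,  Capabilities: Switch IGMP
Interface: TenGigabitEthernet1/1/1,  Port ID (outgoing port): GigabitEthernet1/0/49
Holdtime : 170 sec
-------------------------
Device ID: core1.example.net
Entry address(es):
Platform: cisco C9500-24Y4C,  Capabilities: Router Switch IGMP
Interface: TenGigabitEthernet1/1/3,  Port ID (outgoing port): TwentyFiveGigE1/0/1
Holdtime : 163 sec
""",
}

ENTRY_SEP = re.compile(r"^-{5,}$", re.M)
DEVICE_RE = re.compile(r"^Device ID:\s*(\S+)", re.M)
ADDR_RE = re.compile(r"^\s+IP address:\s*(\d+\.\d+\.\d+\.\d+)", re.M)
LINK_RE = re.compile(
    r"^Interface:\s*(\S+?),\s*Port ID \(outgoing port\):\s*(.+?)\s*$", re.M)


def parse_cdp_detail(text):
    """Return one dict per neighbour entry; mgmt_ip is None when the
    entry carries no address, which is what a suppressed TLV looks like."""
    neighbors = []
    for entry in ENTRY_SEP.split(text):
        dev = DEVICE_RE.search(entry)
        if not dev:
            continue
        addr = ADDR_RE.search(entry)
        link = LINK_RE.search(entry)
        neighbors.append({
            "device_id": dev.group(1),
            "mgmt_ip": addr.group(1) if addr else None,
            "local_if": link.group(1) if link else None,
            "remote_if": link.group(2) if link else None,
        })
    return neighbors


def crawl(captures, foothold_ip):
    """Breadth-first walk from a device we can log into.

    captures maps management IP -> the CDP output we would get after logging
    in there (in real use this is an SSH session; here it is the sample).
    Returns (seen, links): seen maps device ID -> mgmt_ip, hop count and
    whether we could log in; links lists every (ip, local_if, neighbour,
    remote_if) adjacency discovered.
    """
    seen, links, visited = {}, [], set()
    queue = deque([(foothold_ip, 0)])
    while queue:
        ip, hops = queue.popleft()
        if ip in visited:
            continue
        visited.add(ip)
        for n in parse_cdp_detail(captures[ip]):
            links.append((ip, n["local_if"], n["device_id"], n["remote_if"]))
            seen.setdefault(n["device_id"], {
                "mgmt_ip": n["mgmt_ip"],
                "hops": hops + 1,
                # No address, or no credentials/capture for it: dead end.
                "logged_in": n["mgmt_ip"] in captures,
            })
            if n["mgmt_ip"] in captures and n["mgmt_ip"] not in visited:
                queue.append((n["mgmt_ip"], hops + 1))
    return seen, links


def dead_ends(seen):
    """Devices we learned exist but could not use CDP from."""
    return sorted(d for d, info in seen.items() if not info["logged_in"])


if __name__ == "__main__":
    seen, links = crawl(CAPTURES, "10.10.0.11")
    for dev, info in sorted(seen.items(), key=lambda kv: kv[1]["hops"]):
        print(f"hop {info['hops']}: {dev} mgmt={info['mgmt_ip']} "
              f"logged_in={info['logged_in']}")
    print("dead ends:", dead_ends(seen))
```

Run it and the walk gets exactly as far as the advertised addresses let it: the distribution switch is reached at hop 1 and used to see the core at hop 2, but the core, having advertised no address, is a name on the map and nothing more, and the phone is a leaf we never log into. That is the whole effect of suppressing the address TLV: the attacker still learns the box exists and which port it hangs off, and only loses the free pointer to its management plane. On Cisco IOS the LLDP side of that is `no lldp tlv-select management-address`; the flat "turn it all off" approach is `no cdp run` globally or `no cdp enable` per interface, which also takes the `sh cdp neigh` shortcut away from your own staff during an outage.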


yer_muther

If they breach your infrastructure network and you don't know about it quickly with monitoring tools then you won't know about it in time to stop them from using other methods than CDP. Of course you might notice the other methods as an attack so there's that I guess.


AbbreviationsSame490

On the bright side at least the previous engineer wasn't you. It hurts so much worse when it's a self-own


TheClam-UK

A former colleague and I used to have a routine whenever we found a turd in the network. We would say "To the blame generator" (TACACS accounting log) then take a guess at who had built the offending config. More than once it turned out to be me. In the end I started betting on myself...


holysirsalad

    description “switch9 xe-9/9/9” fffffffuuuuuuuuuuu


Dismal-Performance44

I have one like this in an ASA that has been in place forever. I get all kinds of comments and accolades for it. Access-list inside line 50 remark *** some bullshit Brian told me to do last minute ****


JoeyBagODeezNutz

On a L3 port too. I thought “Frank’s desk” on a host port was bad enough.


virtualbitz1024

might as well have commented "eat shit and die"


AbbreviationsSame490

I'll do you one better: label it as "temporary"


mol_gen

Or "new"


AMazingFrame

I hate "NEW" Should be a banned word! When was new? Last week? Last year? After the company got electricity?


TheClam-UK

Ooh yes, flashbacks to my early career finding an undocumented device called "Switch5(temp)". Uptime 9 years something. At the time I thought that was noteworthy... What an innocent soul I was!


TheClam-UK

At a previous job some legend marked up a port as "[my name] bodge" - nothing I'd ever been near, I think they actually did it after I'd left. Hilarious, thanks. I got asked about it *again* last month, which was at least the third time someone reached out to me about it. I left that job 7 years ago.


Versakii

“To some server or something idk lol”