From: Tristan R. <Tri...@we...> - 2006-03-07 22:04:15

>>> Mike Hunter <mh...@ac...> 03/07/06 2:57 PM >>>
On Mar 07 at 14:15, "Tristan RHODES" wrote:
> I apologize if I have misunderstood how Netdisco discovers network
> devices.
>
> I believe that Netdisco will start discovery based on the
> "center_network_device" and then look for CDP neighbors to that device.
> Once it identifies a CDP neighbor, it tries to connect to the CDP
> neighbors using the SNMP strings configured in netdisco.conf. If an SNMP
> string fails, it will send the next SNMP string, and so on until all the
> SNMP strings have attempted to connect to the CDP neighbor.
>
> Now consider the possibility that an attacker is running CDP on a
> workstation. He is also running SNMP with a random community string.
> Won't Netdisco send all of your valid SNMP strings for him to capture?
>
> The best solution to this problem is to disable CDP on all user switch
> ports. Any other ideas?

Interesting! I think the solution is (like you say) to disable CDP on all
user switch ports.

Am I correct that this wouldn't be a problem with encrypted SNMP v3? I.e.
does the encryption handshaking reveal the actual password? I'd guess not,
but does anybody know for sure?

Mike

Mike,

Thanks for your reply. We were just discussing SNMPv3, to see if that
solves the problem by encrypting the "password". Does anyone on the
mailing list have any information on this?

Tristan
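An added illustration of the point the thread is asking about (example code, not part of this mailing-list exchange or of Netdisco): an SNMPv2c request carries the community string in cleartext, whereas SNMPv3 USM (RFC 3414) never transmits the password; it sends a 12-byte HMAC keyed with a password-derived key that is localized to the responding agent's engine ID. It assumes Python 3, the RFC 3414 A.3.1 test vector ("maplesyrup", engine ID 00...02), a constructed v2c GetRequest and a constructed stand-in for the v3 message bytes.

```python
import hashlib
import hmac

ONE_MIB = 1024 * 1024


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: repeat the password to fill 1 MiB and hash it (Ku)."""
    expanded = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 section 2.6: Kul = H(Ku || snmpEngineID || Ku).

    The key is bound to the engine ID learned during discovery, so the same
    password yields a different localized key for every agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_parameters(kul: bytes, whole_msg: bytes, hash_name: str = "md5") -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96 (RFC 3414 sections 6 and 7): the 12 bytes
    placed in msgAuthenticationParameters, computed over the whole message
    with that field zeroed. This is all a listener sees of the secret."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:12]


# Constructed SNMPv2c GetRequest for sysDescr.0 with community "public".
V2C_GET = bytes.fromhex(
    "3026" "020101" "04067075626c6963"          # version 1 (v2c), community
    "a019" "020101" "020100" "020100"            # GetRequest, req-id, status, index
    "300e300c" "06082b06010201010100" "0500"     # varbind: sysDescr.0, NULL
)


def compare_on_wire(password: bytes = b"maplesyrup",
                    engine_id: bytes = bytes.fromhex("000000000000000000000002")) -> dict:
    """What a host capturing the request sees in v2c versus v3 with authentication."""
    kul = localize_key(password_to_key(password), engine_id)
    # Constructed stand-in for a v3 message (engine ID, zeroed auth field, PDU);
    # a real message has more header fields but, like this one, no password.
    v3_msg_zeroed = b"\x30\x00" + engine_id + b"\x00" * 12 + V2C_GET[13:]
    auth = auth_parameters(kul, v3_msg_zeroed)
    return {
        "v2c_community_visible": b"public" in V2C_GET,
        "v3_password_visible": password in (v3_msg_zeroed + auth),
        "v3_auth_len": len(auth),
    }
```

With authentication enabled (authNoPriv or authPriv), the only secret-derived bytes on the wire are the HMAC, keyed for the engine ID the responder announced, so the password itself is not exposed the way a v2c community string is; noAuthNoPriv sends neither and gives no such protection.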