CDP
Cisco Discovery Protocol (CDP) is a useful and great protocol when you are sitting on the other side of the office/country/planet and don’t know what you are working with on a network but CDP has some holes for attackers to leverage that can cause problems.
CDP uses clear-text and unauthenticated to send information about network topology between network devices. An attacker can use a packet sniffer to get information about network infrastructure that we don’t really want them to have.
CDP isn’t needed on ports that no network management is done (this isn’t the case for Cisco IP Phones). You can also go ballistic and disable CDP totally thats up to you. To disable CDP use the following commands
CDP per-port
switch(config)#configure terminal
switch(configp)#interface gigabitethernet 0/1
switch(config-if)#no cdp enable
CDP Globally
switch(config)#configure terminal
switch(config)#no cdp run
Be careful with this, CDP is used in conjunction with or as support for other Cisco protocols
Telnet
Telnet has a few problems:
- All usernames, passwords, and data sent over a public network (read: Internet) is sent in clear text and is thus vulnerable.
- A user with an account on the system can gain elevated privelages.
- A remote attacker could crash the Telnet service, preventing legitimate service rendering.
- A remote attacker could find an enabled guest account that may be present anywhere in the trusted domain of the server.
iow Dont Telnet over the internet
SSH
SSH is a client and server protocol used to log in to another computer over a network. It provides strong authentication and secure communication over a public communication network. SSH may be “more” secure many vendors implementations of SSH is vulnerable.
switch(config)#configure terminal
switch(config)#line vty 0-15
switch(config-line)#transport input ssh
VTY Access Control Lists (ACL)
One can associate ACLs to permit or deny access to a vty port to a switch.
The Number of VTYs differ make sure you get it right and configure an ACL on ALL the VTY connections and don’t leave one open
switch(config)#configure terminal
switch(config)#access-list 12 permit 192.168.0.0 0.0.255.255
switch(config)#line vty 0 15
switch(config-line)#access-class 12 in
Notes and Notices:
This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.