[c-nsp] Vulnerabilities in HTTP server on Catalyst Switches
Curtis Doty
Curtis at GreenKey.net
Thu Jun 9 11:49:02 EDT 2005
John Neiberger wrote:
>I'm having a disagreement with a security admin and I wanted to get
>some opinions.
>
>Can any of you think of a good reason to leave the http server on a
>Catalyst switch turned off? I understand that it's best to leave
>services turned off if you don't need them, but what if you want to
>use Cisco Network Assistant, for example, and that requires you to
>turn on the http server?
>
>The security admin just says "it's best practice to leave it off" and
>doesn't back it up with any useful information.
>
>What do you all think? Is there any real security risk by giving
>someone read-only access through CNA? I don't see a downside to it.
>
>
You might have a better chance of winning him over if you show him how
you've carefully designed separate data and control planes. With
careful attention to aaa and policing the control plane. Then, of
course, allow him to audit your design. And finally, convince him that it
was all his idea.
../C
--
These are not the droids you're looking for. - Obi-Wan Kenobi
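As an added illustration (not from either poster) of what "aaa and policing the control plane" around the HTTP server can look like on a Cisco IOS Catalyst, the fragment below restricts HTTP management to a single management subnet, authenticates it through AAA, and rate-limits HTTP traffic aimed at the control plane. The management prefix 10.0.0.0/24, the ACL names and numbers, the username, and the police rate are assumed values; CoPP via `control-plane` / `service-policy input` is only available on platforms that support it.

```text
! AAA: central auth via TACACS+ with a local fallback account
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
tacacs-server host 10.0.0.5 key <set-locally>
username netadmin privilege 15 secret <set-locally>

! Only the management subnet may reach the HTTP server; log anything else
access-list 10 remark HTTP-MGMT: hosts allowed to use CNA / web UI
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny   any log

! Prefer HTTPS where the image supports it; keep plain HTTP off
no ip http server
ip http secure-server
ip http authentication aaa
ip http access-class 10
ip http timeout-policy idle 300 life 3600 requests 100

! CoPP: bound the rate of web-management traffic the CPU will accept
ip access-list extended COPP-HTTP
 permit tcp 10.0.0.0 0.0.0.255 any eq www
 permit tcp 10.0.0.0 0.0.0.255 any eq 443
class-map match-all COPP-HTTP
 match access-group name COPP-HTTP
policy-map COPP
 class COPP-HTTP
  police 64000 8000 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP
```

`show ip http server status` and `show policy-map control-plane` confirm the access class is applied and show whether the policer is dropping anything.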