[c-nsp] Vulnerabilities in HTTP server on Catalyst Switches
Rodney Dunn
rodunn at cisco.com
Thu Jun 9 11:53:13 EDT 2005
Yep....protect the device from all angles.
He could argue the same thing about *any* port
being open.
Rodney
On Thu, Jun 09, 2005 at 08:49:02AM -0700, Curtis Doty wrote:
> John Neiberger wrote:
>
> >I'm having a disagreement with a security admin and I wanted to get
> >some opinions.
> >
> >Can any of you think of a good reason to leave the http server on a
> >Catalyst switch turned off? I understand that it's best to leave
> >services turned off if you don't need them, but what if you want to
> >use Cisco Network Assistant, for example, and that requires you to
> >turn on the http server?
> >
> >The security admin just says "it's best practice to leave it off" and
> >doesn't back it up with any useful information.
> >
> >What do you all think? Is there any real security risk by giving
> >someone read-only access through CNA? I don't see a downside to it.
> >
> >
> You might have a better chance of winning him over if you show him how
> you've carefully designed separate data and control planes. With
> careful attention to aaa and policing the control plane. Then, of
> course, allow him to audit your design. And finally, convince him that it
> was all his idea.
>
> ../C
>
> --
> These are not the droids you're looking for. - Obi-Wan Kenobi
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
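The design Curtis describes (AAA on the management plane, the web server reachable only from a controlled network, and the control plane policed) can be expressed as an IOS configuration. The fragment below is an added example for this thread, not configuration posted by anyone on the list or shipped with Cisco Network Assistant; the management subnet, the TACACS+ server address and the keys are constructed, and control-plane policing is assumed to be available on the image in use, which is not true of every Catalyst platform.

```cisco
! Added example: keep the HTTP server usable for CNA while limiting who can reach
! it, how it authenticates, and how much of it the switch CPU will accept.
! Addresses and keys are constructed placeholders.
!
! --- Management plane: every login, HTTP included, goes through AAA ---
aaa new-model
tacacs-server host 10.0.0.5 key EXAMPLE-TACACS-KEY
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
username admin privilege 15 secret EXAMPLE-LOCAL-FALLBACK
!
! --- Only the management subnet may talk to the web server at all ---
access-list 10 remark hosts allowed to use CNA / the web UI
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny   any log
!
! Prefer HTTPS on images that support it; leave plain HTTP disabled.
no ip http server
ip http secure-server
ip http access-class 10
ip http authentication aaa
!
! --- Control plane: police web-management traffic that terminates on the switch ---
! (assumes CoPP support; on platforms without it, the access-class above still
! applies but the CPU will still see the connection attempts)
access-list 120 remark web management destined to the switch itself
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any any eq www
!
class-map match-all COPP-WEB-MGMT
 match access-group 120
!
policy-map COPP
 class COPP-WEB-MGMT
  police 128000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

`show ip http server status` confirms which server is enabled and which access class and authentication method are bound to it, and `show policy-map control-plane` shows whether the web-management class is seeing and dropping traffic, which is the evidence an auditor would ask for when reviewing the design.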