[c-nsp] Vulnerabilities in HTTP server on Catalyst Switches

Church, Chuck cchurch at netcogov.com
Thu Jun 9 16:12:44 EDT 2005


The http server has been found to have security vulnerabilities in the
past, but if you're locking it down to only certain address ranges being
able to attach, it should be secure enough.  Keeping the management
interface in a separate VLAN is certainly a good idea as well.


Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch at netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
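The lock-down described above, as an added IOS configuration example (not from this post or from Cisco documentation); the 10.10.0.0/24 management range, VLAN 100 and ACL number 10 are assumed values.

```cisco
! Added example: restrict the Catalyst web UI to the management range.
! Assumed values: management subnet 10.10.0.0/24, VLAN 100, ACL 10.
!
! Turn off cleartext HTTP and serve the UI over HTTPS only
no ip http server
ip http secure-server
!
! Authenticate against the local user database (no default credentials)
ip http authentication local
username admin privilege 15 secret <set-a-strong-password>
!
! Only addresses matched by ACL 10 may connect to the web UI
ip http access-class 10
access-list 10 remark Management stations allowed to reach the web UI
access-list 10 permit 10.10.0.0 0.0.0.255
access-list 10 deny   any log
!
! Management interface kept in its own VLAN, as the thread recommends
interface Vlan100
 description Management
 ip address 10.10.0.2 255.255.255.0
!
! Verify with: show ip http server status
```

Denied connection attempts show up as ACL log messages, which gives a simple detection hook for probes against the web UI from outside the management range.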


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Neiberger
Sent: Thursday, June 09, 2005 3:20 PM
To: Gert Doering
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Vulnerabilities in HTTP server on Catalyst Switches

I'm only interested in the security aspects of the http server on the
switches, not the usability of the GUI. I also prefer the CLI but I'm
considering offering CNA to some of the other people in our department
so they can do some basic troubleshooting on their own without
involving me.

Thanks,
John

On 6/9/05, Gert Doering <gert at greenie.muc.de> wrote:
> Hi,
> 
> On Thu, Jun 09, 2005 at 09:28:56AM -0600, John Neiberger wrote:
> > Can any of you think of a good reason to leave the http server on a
> > Catalyst switch turned off?
> 
> Oh yes.  Web UIs are slow and annoying (and the java stuff is especially
> bad).  Command line rules.
> 
> But that's personal user preferences.
> 
> From a security point of view, the best practice for switch management
> is to put the management VLAN behind a HUGE firewall (preferably the
> air-gap type) and stop worrying about L3 exploits against your nice
> L2 devices.
> 
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany  gert at greenie.muc.de
> fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de
>
