[c-nsp] Feedback on: Security Advice for Routers and Switches
A.L.M.Buxey at lboro.ac.uk
Sun May 6 11:22:00 EDT 2007
Hi,
> Here's the draft document:
> http://www.opus1.com/www/whitepapers/securityroutersswitches.pdf
>
> Any and all feedback is welcome!
Not too bad! Just as I was about to start writing about something
you appeared to miss when talking about switch port settings, you
came along in a later slide to add it - e.g. nonegotiate. You did
mention bpduguard... perhaps best to note that on the edge
switches, you can do a global
spanning-tree portfast bpdufilter default
and all 'portfast' ports will have filtering on - this even goes back
to the 3500XL switches.
As for SSH - yes, some devices have it, others don't. But those that
DO have it have historically been a little flaky - people got burned
and are wary of it on some of the smaller edge devices.
Cisco have been running a quite handy 'turn it on' campaign, and
one of the best of these is the CISF feature set:
http://www.cisco.com/web/strategy/docs/gov/turniton_cisf.pdf
Currently, with your setup I can attack it very nastily with some classic
L3 attacks without being detected or blocked. I would therefore
suggest at least DHCP snooping and Dynamic ARP Inspection.
Port protected is also good but could have issues (see my related email ;-))
alan
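The edge-switch hardening Alan describes (global bpdufilter on portfast ports, nonegotiate, DHCP snooping, Dynamic ARP Inspection, protected ports), collected into one Catalyst IOS configuration as an added example; it is not from the post or from the draft paper. VLAN 10, uplink GigabitEthernet0/1 and access ports FastEthernet0/1-24 are assumed values.

```cisco
! Added example, not from the post. Assumed: user VLAN 10,
! uplink Gi0/1, user access ports Fa0/1-24.
!
! --- Global: spanning tree on edge ports ---
! Global bpdufilter default applies only to ports in portfast state;
! a port that receives a BPDU drops out of portfast (unlike the
! per-interface form, which silently discards all BPDUs).
spanning-tree portfast bpdufilter default
spanning-tree portfast bpduguard default
!
! --- Global: DHCP snooping and Dynamic ARP Inspection ---
! Snooping builds the binding table that DAI checks ARP replies against.
ip dhcp snooping
ip dhcp snooping vlan 10
! Snooping inserts option 82 by default; disable it unless the
! upstream relay/server is configured to accept it, or clients lose DHCP.
no ip dhcp snooping information option
ip arp inspection vlan 10
! Also sanity-check ARP headers, not just the binding table.
ip arp inspection validate src-mac dst-mac ip
!
! --- Uplink: trusted for DHCP and ARP, no DTP ---
interface GigabitEthernet0/1
 description Uplink to distribution
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- User ports: untrusted, rate-limited, isolated from each other ---
interface range FastEthernet0/1 - 24
 description User access port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport protected
 spanning-tree portfast
 ! Untrusted ports: cap DHCP and ARP packet rates so a host cannot
 ! flood the CPU; exceeding the limit err-disables the port.
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
!
end
```

After applying, `show ip dhcp snooping binding` and `show ip arp inspection statistics vlan 10` confirm the binding table is populating and show how many ARP packets DAI has dropped.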