Basic Analysis of CDP protocol

Source: Internet
Author: User
Tags: network troubleshooting

The network stack is complex, with different protocols at each layer. The Cisco Discovery Protocol (CDP) is one that works at the data link layer. It is used mainly to discover adjacent devices and view their basic configuration information. It is a layer-2 protocol enabled by default on Cisco network devices and an important means of identifying the details of connected devices, so it plays an irreplaceable role in troubleshooting and performance optimization. Unfortunately, it also carries some security risks. In this article, I give an objective assessment of the advantages and disadvantages of CDP and offer some suggestions on its security issues.

I. Working Principle of CDP protocol

To understand the security weaknesses of CDP, you must first understand how it works. CDP is independent of the network-layer protocol in use and runs on routers, switches and other network devices; in general it can run on any medium that supports the SNAP (Subnetwork Access Protocol) frame type. It works by periodically sending messages to a multicast MAC address out of every interface on which CDP is enabled, and a device learns about its connected neighbours from the messages those neighbours send. Note that every CDP message contains important information about the sending device. If that information is disclosed, an attacker can use it to threaten the security of the enterprise network. The information may include the following.

The network address, the sending port or interface, the hardware platform, the capabilities of the sending device, and the software version. This information is carried in the TLV (type-length-value) fields embedded in the message. It is stored in plain text, that is, without any encryption, so anyone who can capture the frames can easily read this confidential information with common tools.
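As an added illustration, not from the original article: a small Python decoder, run over a constructed CDP payload, that pulls the fields listed above (device ID, address, port, capabilities, software version, platform) straight out of the TLVs. The TLV type codes, the address encoding and the capability bits are assumptions taken from the public CDP format, and the sample frame's contents are made up.

```python
import struct
from ipaddress import IPv4Address

# Public CDP TLV type codes and capability bits (assumption: the standard values Wireshark also decodes)
TLV_NAMES = {1: "Device ID", 2: "Addresses", 3: "Port ID", 4: "Capabilities", 5: "Software Version", 6: "Platform"}
CAPABILITY_BITS = {0x01: "Router", 0x02: "Transparent Bridge", 0x08: "Switch", 0x10: "Host", 0x20: "IGMP"}

def tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value  # TLV length includes its 4-byte header

def build_sample_frame() -> bytes:
    # Constructed CDP payload (version 2, TTL 180 s) like one an edge router sends; every value is made up
    # and the checksum field is left zero because this example does not model Cisco's checksum rules.
    # Addresses TLV: count, then per address: NLPID type, protocol length, protocol (0xCC = IPv4), length, address
    addr = struct.pack("!I", 1) + bytes([0x01, 0x01, 0xCC]) + struct.pack("!H", 4) + IPv4Address("198.51.100.1").packed
    body = (tlv(1, b"edge-rtr1") + tlv(2, addr) + tlv(3, b"GigabitEthernet0/0") + tlv(4, struct.pack("!I", 0x01))
            + tlv(5, b"IOS sample") + tlv(6, b"cisco 2901"))
    return struct.pack("!BBH", 2, 180, 0) + body

def decode_addresses(value: bytes) -> list:
    count, off, out = struct.unpack("!I", value[:4])[0], 4, []
    for _ in range(count):
        plen = value[off + 1]
        proto, alen = value[off + 2:off + 2 + plen], struct.unpack("!H", value[off + 2 + plen:off + 4 + plen])[0]
        addr, off = value[off + 4 + plen:off + 4 + plen + alen], off + 4 + plen + alen
        out.append(str(IPv4Address(addr)) if proto == b"\xcc" and alen == 4 else addr.hex())
    return out

def parse_cdp(frame: bytes) -> dict:
    # Walk the TLVs of a CDP payload; every field below is readable straight from the bytes, nothing is encrypted
    if len(frame) < 4:
        raise ValueError("truncated CDP header")
    version, ttl, _ = struct.unpack("!BBH", frame[:4])
    fields, offset = {"version": version, "ttl": ttl}, 4
    while offset + 4 <= len(frame):
        tlv_type, length = struct.unpack("!HH", frame[offset:offset + 4])
        if length < 4 or offset + length > len(frame):
            raise ValueError("malformed TLV")  # refuse to read past the frame on a truncated or bogus length
        value, offset = frame[offset + 4:offset + length], offset + length
        name = TLV_NAMES.get(tlv_type, f"type 0x{tlv_type:04x}")
        if tlv_type == 2:
            fields[name] = decode_addresses(value)
        elif tlv_type == 4 and len(value) == 4:
            fields[name] = [n for b, n in CAPABILITY_BITS.items() if struct.unpack("!I", value)[0] & b]
        else:
            fields[name] = value.decode("ascii", "replace")
    return fields
```

Running `parse_cdp(build_sample_frame())` shows the same fields an administrator sees in `show cdp neighbors detail`, which is exactly what a sniffer on an untrusted segment would also see.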

II. Analysis of the security risks CDP poses to the enterprise intranet

In most cases, the role of CDP is irreplaceable: in most networks it provides a lot of useful information and helps administrators with troubleshooting and performance optimization. However, its potential security risks cannot be ignored. By default, a switch sends its system information on all interfaces (as described above, this information contains sensitive details and is not encrypted), so an attacker can easily obtain it with a tool such as a network sniffer. Clearly, CDP can cause security problems, and the risk is especially serious where the network connects to multiple organizations. There is no need to worry too much, though: abolishing CDP entirely for security reasons would make life harder. What network administrators need to consider is how to strike a balance between security and functionality, that is, how to enjoy the advantages of CDP without being troubled by its security problems. As shown in the figure, the author offers the following suggestions.

From the way CDP works, we know that the information it sends includes sensitive details. If criminals obtain it, it poses a great security risk to the enterprise network. The focus of protection is therefore to keep this sensitive information from outsiders. The author's suggestion is that, to prevent CDP from leaking the relationships between network devices, you enable CDP only on the enterprise's internal devices and disable it on the interfaces of enterprise edge routers that connect to the Internet. In that case the sensitive information is not exposed outside the enterprise, and together with the network firewall and other controls you can keep the CDP information secure. As shown in the figure, I suggest disabling CDP on the interfaces that connect to the service provider or on the enterprise edge router. In other cases, decide whether to enable CDP according to your needs; where possible, it is better to leave CDP enabled.

III. Enabling or disabling CDP

By default, CDP is enabled. For security reasons, the security specialist may need to disable it on specific interfaces. The operation itself is not difficult; what matters is deciding, according to the principles above, on which interfaces CDP should be disabled. If too much is disabled, CDP cannot play its proper role; if too much is left enabled, it causes serious security risks. Whether to enable or disable it is a judgement the security specialist must make according to the actual situation, such as the importance of security and the nature of the industry.

In addition, when disabling CDP the security specialist can choose between disabling it globally and disabling it per interface. Industries with high security requirements, such as finance, may disable CDP throughout the enterprise network; in that case only the global policy is needed, and the operation is performed once on a switch or router. In most industries it is enough to disable CDP on specific interfaces, for example on an enterprise edge router; in that case the per-interface method must be used.

To disable CDP globally, the security specialist runs the following command on a switch: no cdp run. After the command is run, CDP on all devices (including switches and routers) in the network will be disabled. Because this command affects multiple network devices, you must be careful when using it. Note that this command is valid only on IOS software; on CatOS software, run the set cdp disable command. The result is the same, but the syntax differs slightly.

To disable CDP on a specific port, first enter interface configuration mode on the switch or router, then use the following command to disable CDP on that port or interface: no cdp enable. The keyword differs between the two modes: in global configuration mode the keyword is run, while in interface configuration mode it is enable. Again, this command is valid only on IOS software; on CatOS, use the set cdp disable command.

Enabling or disabling CDP is not difficult; it is a simple command that takes a few seconds. What is difficult is for the security specialist to decide under what circumstances CDP should be used or disabled. This can be a long analysis, and sometimes it has to be revisited when the enterprise's network topology changes or troubleshooting requires it. In every case, the security specialist must weigh functionality against security. The author's general principle is that CDP may be enabled on the enterprise's internal network and must be disabled on the edge router. This principle should suit most enterprises.

IV. Security conflicts between voice VLANs and CDP

CDP is also required in voice VLAN deployments. A typical VoIP case connects a workstation to an IP phone and the IP phone to a switch. If CDP is enabled on the switch, the security of CDP is then also a concern for VoIP. As in the analysis above, I suggest enabling CDP on the enterprise's internal network and disabling it on enterprise edge routers.

I need to emphasize that dividing an enterprise's internal network into several independent virtual networks with VLANs confines broadcast traffic and shrinks collision domains, which plays a major role in internal network security. However, this does not affect the use of CDP: even when VLANs are used, the packets sent by CDP can still be transmitted across the virtual networks. This is a functional consideration; as I mentioned at the beginning, CDP is independent of the network protocol type.
