Check: CISC-RT-000370
Cisco NX OS Switch RTR STIG:
CISC-RT-000370
(in versions v2 r3 through v1 r0.1)
Title
The Cisco perimeter switch must be configured to have Cisco Discovery Protocol (CDP) disabled on all external interfaces. (Cat III impact)
Discussion
CDP is a Cisco proprietary neighbor discovery protocol used to advertise device capabilities, configuration information, and device identity. CDP is media-and-protocol-independent as it runs over layer 2; therefore, two network nodes that support different layer 3 protocols can still learn about each other. Allowing CDP messages to reach external network nodes provides an attacker a method to obtain information of the network infrastructure that can be useful to plan an attack.
Check Content
Step 1: Verify CDP is not enabled globally via the command no cdp enable By default CDP is enabled globally; hence, the command cdp enable will not be shown in the configuration. If CDP is enabled, proceed to Step 2. Step 2: Verify CDP is not enabled on any external interface as shown in the example below: interface Ethernet2/2 description link to DISN no switchport no cdp enable Note: By default CDP is enabled on all interfaces if CDP is enabled globally. If CDP is enabled on any external interface, this is a finding.
Fix Text
Disable CDP on all external interfaces via no cdp enable interface command or disable CDP globally via no cdp enable command.
Additional Identifiers
Rule ID: SV-221097r856650_rule
Vulnerability ID: V-221097
Group Title: SRG-NET-000364-RTR-000111
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002403 |
The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations. |
Controls
Number | Title |
---|---|
SC-7 (11) |
Restrict Incoming Communications Traffic |