Link Layer Discovery Protocols (LLDPs) must be disabled on all external facing interfaces.

From Perimeter Router Security Technical Implementation Guide Cisco

Part of: The Link Layer Discovery Protocols (LLDPs) are not disabled

Rule SV-3077r4_rule: Link Layer Discovery Protocols (LLDPs) must be disabled on all external facing interfaces.

Vulnerability discussion

Link layer discovery protocols are used to learn the protocol (network-layer) addresses of neighboring devices and to discover the platform capabilities of those devices. Used together with SNMP and the LLDP Management Information Base (MIB), they let a network management application learn the device type and SNMP agent address of each neighbor and then send SNMP queries to it. Because they run directly over the data link layer they are media- and protocol-independent, so two systems that support different network-layer protocols can still learn about each other. Allowing these messages to leave an external interface is dangerous: whoever sits on the far side of the link receives a periodic, unauthenticated advertisement that typically carries the device's hostname, platform, software version and management addresses, which is exactly the infrastructure reconnaissance an attacker needs to plan an attack. Examples of such protocols are Cisco Discovery Protocol (CDP), Link Layer Discovery Protocol (LLDP, IEEE 802.1AB), and Link Layer Discovery Protocol – Media Endpoint Discovery (LLDP-MED).

Check content

Review all router configurations to ensure that no link layer discovery protocol is enabled in the global configuration or on any active external interface. On Cisco routers ensure "no cdp run" is included in the global configuration or "no cdp enable" is included for each active external interface. Note that CDP is enabled by default on Cisco IOS, so the absence of any cdp line means CDP is running; only an explicit "no cdp run" or per-interface "no cdp enable" disables it. The check as written names only CDP, but IEEE LLDP must be reviewed the same way: it is off by default on IOS and is turned on globally by "lldp run", after which each external interface needs both "no lldp transmit" and "no lldp receive" (or "no lldp run" globally). Confirm the operational state with "show cdp interface" and "show lldp interface" rather than relying on the configuration text alone. If any discovery protocol is enabled globally and not disabled on an active external facing interface, this is a finding.

Fix text

Configure the device so that no link layer discovery protocol (CDP, LLDP or LLDP-MED) is enabled in the global configuration, or, where a protocol must remain enabled globally for internal use, so that it is explicitly disabled on each active external interface.
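To make the check and fix above concrete, the following added example (not part of the STIG or any Cisco tooling) audits a Cisco IOS running-config for CDP and LLDP on a caller-supplied list of external interfaces. It encodes the IOS defaults the check text relies on: CDP is on unless "no cdp run" (global) or "no cdp enable" (interface) appears, and LLDP is off unless "lldp run" appears, after which "no lldp transmit" and "no lldp receive" are needed per interface. The two sample configurations are constructed for the example, one with findings and one corrected; interface names and the hostname are assumptions, and the default-state assumptions may not hold on every Cisco platform.

```python
"""Audit a Cisco IOS running-config for discovery protocols on external ports.

Added example, not STIG or vendor code. Assumes Cisco IOS defaults:
CDP on globally and per interface unless explicitly disabled; LLDP off
globally unless 'lldp run' is present. Verify on your platform.
"""
from __future__ import annotations
import re

# Constructed sample: 'lldp run' set, CDP left at its default, nothing
# disabled on the external uplink -> finding.
NONCOMPLIANT_CONFIG = """\
hostname perimeter-rtr
!
lldp run
!
interface GigabitEthernet0/0
 description Uplink to ISP (external)
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Inside LAN
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 description Spare external port
 shutdown
!
end
"""

# Constructed sample of the fix: CDP off globally, LLDP kept for the LAN but
# both directions disabled on the external uplink.
COMPLIANT_CONFIG = """\
hostname perimeter-rtr
!
no cdp run
lldp run
!
interface GigabitEthernet0/0
 description Uplink to ISP (external)
 ip address 203.0.113.2 255.255.255.252
 no lldp transmit
 no lldp receive
!
interface GigabitEthernet0/1
 description Inside LAN
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 description Spare external port
 shutdown
!
end
"""


def _global_commands(config: str) -> set[str]:
    """Top-level (unindented) commands; '!' separators and blanks dropped."""
    return {line.strip() for line in config.splitlines()
            if line.strip() and not line.startswith((" ", "!"))}


def parse_interfaces(config: str) -> dict[str, set[str]]:
    """Map each 'interface X' stanza to the set of its indented sub-commands."""
    interfaces: dict[str, set[str]] = {}
    current = None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):               # a new top-level command
            match = re.match(r"interface\s+(\S+)", line)
            current = match.group(1) if match else None
            if current is not None:
                interfaces[current] = set()
            continue
        if current is not None:                    # indented: belongs to stanza
            interfaces[current].add(line.strip())
    return interfaces


def audit(config: str, external_interfaces: list[str]) -> list[str]:
    """Return one finding string per discovery protocol still active on an
    external interface. Shut-down interfaces are skipped, matching the
    STIG's scope of 'active' external interfaces."""
    glob = _global_commands(config)
    cdp_global_on = "no cdp run" not in glob       # IOS default: CDP on
    lldp_global_on = "lldp run" in glob            # IOS default: LLDP off
    interfaces = parse_interfaces(config)
    findings: list[str] = []
    for name in external_interfaces:
        sub = interfaces.get(name, set())
        if "shutdown" in sub:
            continue
        if cdp_global_on and "no cdp enable" not in sub:
            findings.append(f"{name}: CDP enabled (no 'no cdp run' globally, "
                            f"no 'no cdp enable' on interface)")
        if lldp_global_on:
            directions = [d for d, off in (("transmit", "no lldp transmit"),
                                           ("receive", "no lldp receive"))
                          if off not in sub]
            if directions:
                findings.append(f"{name}: LLDP {'/'.join(directions)} enabled "
                                f"('lldp run' set globally)")
    return findings


if __name__ == "__main__":
    external = ["GigabitEthernet0/0", "GigabitEthernet0/2"]
    for label, cfg in (("before", NONCOMPLIANT_CONFIG), ("after", COMPLIANT_CONFIG)):
        print(label, audit(cfg, external) or "no findings")
```

Feed it the output of "show running-config" and the list of interfaces you consider external; an empty result for a configuration that never mentions CDP is the case the script exists to catch, since on IOS silence means CDP is running.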
