Should I be seeing network management protocols on 'user' subnets?
When performing a passive packet capture of a network, I have seen a large amount of traffic being broadcast using different protocols. These protocols are primarily used to perform some kind of traffic routing/fail over/redundancy in case a device goes down in the topology.
Several of these protocols have known weaknesses and can be used to manipulate traffic flows between networking devices. For example, HSRP is seen broadcasting authentication data with a clear text password. This is bad and can be exploited using software like 'Yersinia' to perform interception and denial of service attacks.
My main question is: Assuming that the presence of these protocols is required for operations, should I be seeing them in all subnets, including those only used by 'users' or can they be constrained in some way to a specific management only subnet while still providing functionality?
The protocols I'm looking at are:
I'm also interested in any other protocols I might have missed that might fall into the category of 'network management protocols that can be abused by an attacker on the local subnet'.
It depends on your network. If you have a large corporate network, you should limit the protocols to the subnets/vlans/ports where they are required. On the other side of the spectrum, on most home networks, you will see a lot of protocols that people just don't know about.
Do not just think about subnets where they may be used, but also think layer 2 and physical ports. For example: LLDP could be used to identify your network layout, and could be useful too. However, you will most certainly not want it activated on user access ports.
Looking through the list, most of it you do not want on access ports. There are some exceptions, for example, Cisco phones can use CDP. Also, if your users use their own switches - whether they are allowed or not - you might want to enable Spanning Tree. Some protocols, like DTP, you should never see anywhere.
But honestly, your question should be the other way around. Every protocol needs a justification why it is there. Most of the protocols should not be seen in user access networks. Certain protocols (like RIP or OSPF) should only be seen in networks between routers. VTP should only be seen between routers and switches or between switches.
Note: should not != must not. RFC 2119.
Going through the list, with my own experience as (perhaps insufficient; comments welcome) guidance:
- STP: useful in a network between switches (layer 2), but should not be used elsewhere
- CDP and LLDP: see remarks above
- HSRP, VRRP: in general not on the user access ports
- DTP: Nowhere. Either use trunks or access, but not negotiating.
- ISL: Inter-switch link. Says it all.
- VTP: Only where VLAN trunks are, so in general not in user-access networks.
- EIGRP: Normally only in networks between routers
- WLCCP: Only if you have (Cisco) access points on that subnet/vlan
- BFD: only between routers/switches
- LDP: only where you are running MPLS.
For the rest, some examples:
- you should see routing protocols (OSPF, RIP, ... ) only between routers
- You should see BGP only on the outside of your network, in general
- Multicast DNS: if you're not using it, disable it.
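As an added example that is not part of the question or the answer above: a small Python audit that classifies constructed capture frames by the well-known destination addresses, SNAP ids, IP protocol numbers and UDP ports these protocols use on the wire, then reports anything a per-port-role policy does not expect. The role names and allow-lists are my assumptions, written to mirror the guidance in the answer.

```python
# Added example: audit pre-decoded capture frames against a per-port-role policy.
# Frames are constructed dicts holding a few header fields, not raw bytes.
from collections import Counter

# Wire identifiers, all from the public protocol specifications.
CISCO_SNAP = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP"}   # dst 01:00:0c:cc:cc:cc
IP_PROTO = {88: "EIGRP", 89: "OSPF", 112: "VRRP"}
UDP_PORT = {520: "RIP", 646: "LDP", 1985: "HSRP", 3784: "BFD", 5353: "mDNS"}

def classify(frame):
    """Return the management protocol name for a frame dict, or None."""
    dst = frame.get("dst_mac", "").lower()
    if dst == "01:80:c2:00:00:00":                       # STP BPDU group address
        return "STP"
    if dst == "01:80:c2:00:00:0e" and frame.get("ethertype") == 0x88CC:
        return "LLDP"
    if dst == "01:00:0c:cc:cc:cc":                       # Cisco SNAP (CDP/VTP/DTP)
        return CISCO_SNAP.get(frame.get("snap_pid"))
    proto = IP_PROTO.get(frame.get("ip_proto"))
    if proto:
        return proto
    if frame.get("ip_proto") == 17:                      # UDP-carried protocols
        return UDP_PORT.get(frame.get("udp_dport"))
    return None

# Assumed policy: which protocols are expected on each port role. Access ports
# expect nothing by default (add CDP here if IP phones need it); DTP is expected nowhere.
POLICY = {
    "access":        set(),
    "switch-switch": {"STP", "LLDP", "CDP", "VTP"},
    "router-router": {"OSPF", "RIP", "EIGRP", "BFD", "LDP", "LLDP"},
}

def audit(frames, role):
    """Count frames of each protocol that POLICY does not expect on this port role."""
    seen = Counter(p for p in map(classify, frames) if p)
    return {p: n for p, n in seen.items() if p not in POLICY[role]}

# Constructed sample capture from a user-access VLAN.
SAMPLE = [
    {"dst_mac": "01:80:c2:00:00:00"},                                   # STP BPDU
    {"dst_mac": "01:00:0c:cc:cc:cc", "snap_pid": 0x2004},               # DTP
    {"dst_mac": "01:00:5e:00:00:02", "ip_proto": 17, "udp_dport": 1985},  # HSRP hello
    {"dst_mac": "01:00:5e:00:00:02", "ip_proto": 17, "udp_dport": 1985},  # HSRP hello
    {"dst_mac": "01:00:5e:00:00:12", "ip_proto": 112},                  # VRRP advert
    {"dst_mac": "ff:ff:ff:ff:ff:ff", "ip_proto": 17, "udp_dport": 67},  # DHCP, ignored
]

if __name__ == "__main__":
    for proto, n in sorted(audit(SAMPLE, "access").items()):
        print(f"unexpected on access port: {proto} x{n}")
```

Feeding it real captures means decoding the same few fields from each frame (for example with a pcap library) and choosing the role from the port or VLAN the capture was taken on.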