Disabling HTTP Service on Cisco MDS

Question

All of the Cisco MDS 9509, 9140, and 9134 switches at our customer have been flagged for 'Track and Trace' being enabled on the HTTP daemon. Is anyone aware of this vulnerability and can it be disabled on these switches? If HTTP can be disabled all together will the switch still be accessible via Fabric Manager and Device Manager?

emcers · Answer

Here's what I found:HTTP is only used for the distribution and installation of the Cisco Fabric Manager software. It is not used for communication between the Cisco Fabric Manager and Cisco MDS 9000 Family switches.http://www.cisco.com/en/US/docs/storage/san_switches/mds9000/sw/rel_1_x/1_3/fm/configuration/guide/GetStart.htmlAnd I believe we can use the IP-ACL feature to disable HTTP and WWW, by denying port 143 and port 80.http://www.cisco.com/en/US/docs/storage/san_switches/mds9000/sw/rel_2_x/fm/configuration/guide/ipacl.html

RRR · Answer

AFAIK the internal flash isn't large enough to hold the FM software anymore and since about half a year or so you need to download FM from the internet (Powerlink of Cisco).

AranH1 · Answer

Yeah, he is referencing an older version of the SAN-OS. It only comes on CD or as a download of the ISO.

emcers · Answer

Is there any other method to disable HTTP service running on the Cisco MDS?

ConnectrixHelpe · Answer

Hello,There are various ways to secure the HTTP service but there is no way to completely stop the HTTP service without going to the Linux level. Here are possible things to consider:1) Using Access Control Lists via the Access-List list command2) Using HTTPs instead of HTTP3) Creating a separate VLAN for limited hosts to the switch4) Creating Firewall rules to block the use of HTTPThank you.

Connectrix

Disabling HTTP Service on Cisco MDS

Was this post helpful?