current security patch level IOS/how to verify device is at it?

Aug 8th, 2008

Hello all,


I am an IT auditor and I am trying to determine how I can verify the most current security patches for a sample of devices. Here is what the 4 devices have from the "show version" command:


C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(25r)SEC, RELEASE SOFTWARE (fc4)


Cisco IOS Software, CGESM Software (CGESM-LANBASE-M), Version 12.2(25)SED, RELEASE SOFTWARE (fc1)


Cisco IOS Software, C1100 Software (C1100-K9W7-M), Version 12.3(8)JEA, RELEASE


Cisco Internetwork Operating System Software

IOS (tm) C1700 Software (C1710-K9O3SY-M), Version 12.3(2)T, RELEASE SOFTWARE (fc1)


Two of these are routers (the 12.3 versions) and the others are switches (12.2).


How can I tell if these devices have the latest patches applied for those versions? I know 12.4 is available so none of these are current on version, but I need to make sure they have all available security patches.


Any advice would be great for someone who is not a network expert. Thanks.


Chad

JORGE RODRIGUEZ Fri, 08/08/2008 - 09:44

Chad,


You would probably start with the security advisories; that is usually the place to start in checking Cisco's report on the most critical security vulnerabilities and affected products and codes. If none of these applies to your current devices, your next step could probably be to check the IOS release notes: just search on Cisco's main page for your IOS version release notes to be aware of open CAVEATS that perhaps may be affecting your production network. Generally you would want to use codes in GD (General Deployment). You can also check the IOS retirement table at:

http://www.cisco.com/kobayashi/library/iosplanner/retired.shtml


Take a look at understanding the IOS designations (GD, ED, MD, DF, etc.) at this link to help you understand the IOS cycle; it will help in decision making if upgrading. Note that you need a CCO login to get to this one below.

http://www.cisco.com/kobayashi/library/iosplanner/reldesignation.html#GD


Security Advisories

http://www.cisco.com/en/US/products/products_security_advisories_listing.html

Security Vulnerability Policy

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html



HTH

Jorge


Richard Burts Fri, 08/08/2008 - 10:23

Chad


I think we should clarify one aspect mentioned in your post. While it is true that 12.4 is the most recent version for IOS routers (and therefore anything less than 12.4 is not quite current), we cannot say the same thing about the Cisco Catalyst switches. I checked in the Feature Navigator on the Cisco site for the 3750 switch. For the SEC code train (which your 3750 is running) 12.2(25) is in fact the most recent code version offered.


HTH


Rick

fit4lyf13 Fri, 08/08/2008 - 10:26

Jorge,


Thanks for the reply. However, I don't think I have access to some of those links (I am sure people in our network area do, but we in Audit would not).


What I really need is to tell if the 4 devices I listed have the latest patches for the given levels of IOS they are running. I am sure I could find what Cisco has released, but how can I tell if any of those have been applied to the devices? My real objective is to determine if these 4 devices are patched successfully based on today's known vulnerabilities.


Any other thoughts on how I can translate the output I supplied into determining if these devices are patched? Thanks.


Chad

Richard Burts Fri, 08/08/2008 - 11:02

Chad


Perhaps there is something else here that we can clarify a bit. You are describing your objective as determining patch level within a release level. But that is not how Cisco generally does it. Cisco does not release a patch for a release so much as it releases a new version that incorporates the fix for the vulnerability. So once you know the specific version level for a device, you would know exactly what its patch level is.


The difficult part is correlating a particular version with what fixes it contains. And I do not know of a good way to do that.


HTH


Rick
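Chad asked how to translate the "show version" output into a patched/not-patched answer, and Rick's reply gives the key: in IOS the running version is the patch level, so the audit check is "is the device running the first fixed release for its train, or later?" The script below is an added example written for this thread; it is not code from the thread, from Cisco, or from any Cisco tool. It parses the four version strings quoted in the question into major.minor(maintenance[rebuild])TRAIN, then compares each against a first-fixed table. That table is a constructed placeholder, not data from any real advisory: an auditor would fill it from the advisory's "First Fixed Release" column, one entry per release train. Versions from different trains are never compared, which is exactly the correlation difficulty Rick describes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the four "show version" lines quoted in the thread.
SHOW_VERSION_LINES: List[str] = [
    "C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(25r)SEC, RELEASE SOFTWARE (fc4)",
    "Cisco IOS Software, CGESM Software (CGESM-LANBASE-M), Version 12.2(25)SED, RELEASE SOFTWARE (fc1)",
    "Cisco IOS Software, C1100 Software (C1100-K9W7-M), Version 12.3(8)JEA, RELEASE",
    "IOS (tm) C1700 Software (C1710-K9O3SY-M), Version 12.3(2)T, RELEASE SOFTWARE (fc1)",
]

# major.minor(maintenance[rebuild])TRAIN, e.g. 12.2(25r)SEC or 12.3(2)T
VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)([a-z]*)\)([A-Z0-9]*)")


@dataclass(frozen=True)
class IosVersion:
    major: int
    minor: int
    maintenance: int
    rebuild: str  # letters inside the parentheses ("r" in 12.2(25r)); "" when absent
    train: str    # release train after the parentheses ("SEC", "T"); "" for mainline

    def order_key(self):
        # A rebuild (25a) is newer than its base release (25); "" sorts before "a".
        return (self.major, self.minor, self.maintenance, self.rebuild)

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}({self.maintenance}{self.rebuild}){self.train}"


def parse_version(line: str) -> Optional[IosVersion]:
    """Extract the IOS version from one 'show version' line; None if no version is present."""
    m = VERSION_RE.search(line)
    if m is None:
        return None
    return IosVersion(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4), m.group(5))


def is_at_or_above(running: IosVersion, first_fixed: IosVersion) -> Optional[bool]:
    """True if 'running' is the first fixed release or later within the same train.

    Returns None when the trains differ: a 12.3 T release says nothing about a
    fix shipped in the 12.2 SEC train, so the comparison is refused, not guessed.
    """
    if running.train != first_fixed.train:
        return None
    return running.order_key() >= first_fixed.order_key()


# Constructed placeholder table, NOT taken from any real Cisco advisory. An auditor
# fills it from the advisory's "First Fixed Release" column, one entry per train.
FIRST_FIXED: Dict[str, IosVersion] = {
    "SEC": IosVersion(12, 2, 25, "", "SEC"),   # hypothetical value
    "SED": IosVersion(12, 2, 25, "a", "SED"),  # hypothetical value
    "T": IosVersion(12, 3, 4, "", "T"),        # hypothetical value
}


def assess(lines: List[str], first_fixed: Dict[str, IosVersion]) -> Dict[str, str]:
    """Map each parsed version to 'fixed', 'not fixed', or a note that its train is not in the table."""
    result: Dict[str, str] = {}
    for line in lines:
        v = parse_version(line)
        if v is None:
            continue  # line carries no version string; nothing to assess
        fixed = first_fixed.get(v.train)
        if fixed is None:
            result[str(v)] = "no fixed release listed for train"
        elif is_at_or_above(v, fixed):
            result[str(v)] = "fixed"
        else:
            result[str(v)] = "not fixed"
    return result


if __name__ == "__main__":
    for version, status in assess(SHOW_VERSION_LINES, FIRST_FIXED).items():
        print(f"{version:<14} {status}")
```

The "no fixed release listed for train" outcome is the one to watch for in an audit: it means the advisory names no fixed release for that train (or the table is incomplete), and the device should be escalated to the network team rather than marked as either patched or unpatched.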
