Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
485
Views
0
Helpful
2
Replies

Determining Vulnerable Devices

ezuser666
Level 1
Level 1

‎01-01-2017 11:25 AM - edited ‎03-10-2019 12:45 AM

Evening All,

I've been given nice belated xmas present  from my vulnerability management team asking me to advise which of our devices are vulnerable to the latest 30 advisories released by Cisco (and others). 

Let me set the scene, the network we are responsibile for has approximately 15000 Cisco devices being a mixture of IOS, XR, XE, NX-OS and ASA devices.  We don't have any vulnerability scanners so I'm reliant on the information given by our NMS which gives me Vendor, System OID, SNMP description, Software Version also(where known) device type.

I've tried doing some of the reviews manually but it takes way too much time. Experiments with the Cisco OpenVuln API have also proved fruitless as the data given by that appears to very inconsistent, something not even mapping to the same list of devices shown on the website. The Cisco software checker also (AFAIK) only works for IOS versions, not other devices such as the ASA firewalls.

Anyone else have this issue where your not permitted to run active scans on the network to look for these things and/or run automated configuration audits?

I'm still fighting the case for something like Nessus or Nexpose but so far the conversation is falling on deaf ears. Even a free solution like openVAS isn't being well received.

Any suggestions would be very much appreciated.

Thanks in advance

Labels:
0 Helpful
2 Replies 2

Leo Laohoo
Hall of Fame
Hall of Fame

‎01-01-2017 02:26 PM

There are a few methods around this madness.  One method is to find out what are the different IOS versions of each appliances and then compare them to the vulnerability reports.   The older the IOS, the longer the list of known vulnerabilities. 

The other method is to do a comprehensive upgrade of all the appliance to the latest version.  The problem with this is no one like to upgrade appliances because this means rebooting them and rebooting means dealing, liaising and negotiating with a lot of other teams/business units that it's just madness.   

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-01-2017 10:15 PM

Have you seen Cisco Active Advisor? It's free and while it may not cover every device (I don't think it handles IOS-XR), it's pretty comprehensive. See https://help.ciscoactiveadvisor.com/support/home

You could also reach out to a partner. For a network of that size, they could get Cisco to sponsor a Cisco Funded Network Assessment. Under the auspices of that, they can bring in something like Netformix or RISC Networks tools and run them (at no charge) for you.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents