Is it recommended to have a vulnerability scan for a Cisco ASA device?

Chin
Level 1

Dear everyone,

I have a doubt about vulnerability scanning for a Cisco ASA device. Currently we have a vulnerability scan for network devices, including the firewall. But after running the vulnerability scan against the Cisco ASA, nothing showed up in the scan report.

Is it recommended to have a vulnerability scan for a Cisco ASA, and will it defeat the purpose of the firewall?

5 Replies

Marvin Rhoads
Hall of Fame

Vulnerability scan of an ASA is fine. I have seen them turn up issues. You can find things like ssh v1 being allowed, weak ciphers allowed for https, etc.

If you find nothing (according to the scan criteria being used) then you can count that as a small victory and move your attention to the areas that didn't do as well.

Hi Marvin,

Thanks for your explanation. I have tried to let my ASA have a vulnerability scan. But I found the ASA was dropping the connection by itself.

I am just trying to figure out how to let my ASA allow an internal vulnerability scan. Do you have any idea how to do it?

Currently I am using ASA version 9.1.

Do I understand correctly that you are asking whether you can configure the ASA to allow an external user to run a scan against the internal network?

If so, the answer is generally no. The ASA will, by default, not allow any inbound connections (or attempted connections) that are not explicitly allowed in an inbound access-list (applied to the outside interface). In most cases there would also need to be network address translation (NAT) rules configured.

If you had a remote access VPN, you could allow the external scanner to log in via that. Then they would have the necessary access to scan the internal systems (assuming the VPN granted access to all the internal networks).

Thanks Marvin.

I guess my company insists on having a vulnerability scan of the ASA version and some SSH and Telnet credential access.

Just wondering if it can scan the management port of the ASA and get a report on things like version, credentials, SNMP and so on.

If they want to scan the ASA itself, then they may observe, for instance, whether you allow only strong SSL ciphers for any https service (i.e. for the remote access VPN portal).

SNMP, even when allowed, is restricted to authorized hosts, so their scanning address would have to be allowed explicitly. Likewise with ssh. You can and should lock down both of those services - i.e. require SNMP v3 with only encrypted ("Priv") communications and AES-256, restrict ssh to v2 and use a strong (2048-bit) RSA key.

Hope this helps.
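As an added defender-side example (not code from this thread or from Cisco), here is a small Python audit of ASA running-config text for the items Marvin lists: SSHv1 still permitted, SSH management reachable from any host or from the outside interface, SNMP community strings or v3 without AES-256 privacy, and weak `ssl encryption` keywords (the pre-9.3 syntax that matches the poster's 9.1). The sample configs, the `NETMON` group, the `scanner` user and the 10.1.1.x addresses are constructed for illustration.

```python
import re

# Constructed ASA 9.1-style running-config excerpts (illustrative, not from the thread).
WEAK_CONFIG = """\
ssh 0.0.0.0 0.0.0.0 outside
ssh version 1
snmp-server host inside 10.1.1.5 community public version 2c
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
"""

HARDENED_CONFIG = """\
ssh 10.1.1.0 255.255.255.0 inside
ssh version 2
snmp-server group NETMON v3 priv
snmp-server user scanner NETMON v3 auth sha <auth-pw> priv aes 256 <priv-pw>
snmp-server host inside 10.1.1.5 version 3 scanner
ssl encryption aes256-sha1 aes128-sha1
"""

# Pre-9.3 'ssl encryption' keywords a scanner would report as weak (RC4, DES, 3DES, NULL).
WEAK_SSL = {"rc4-md5", "rc4-sha1", "des-sha1", "null-sha1", "3des-sha1"}


def audit_asa_config(config: str) -> list[str]:
    """Return findings for the management-plane weaknesses discussed in the thread."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    # SSH protocol: without an explicit 'ssh version 2' the ASA still accepts SSHv1.
    versions = [ln.split()[2] for ln in lines if ln.startswith("ssh version ")]
    if versions != ["2"]:
        findings.append("ssh: protocol v1 permitted; set 'ssh version 2'")
    for ln in lines:
        # SSH access: 'ssh <ip> <mask> <iface>' should not admit any host or the outside.
        m = re.match(r"ssh (\S+) (\S+) (\S+)$", ln)
        if m and (m.group(1) == "0.0.0.0" or m.group(3) == "outside"):
            findings.append(f"ssh: management reachable too broadly ('{ln}')")
        # SNMP: community strings (v1/v2c) and v3 without AES-256 privacy are weak.
        if ln.startswith("snmp-server host ") and " community " in ln:
            findings.append(f"snmp: v1/v2c community string in use ('{ln}')")
        if ln.startswith("snmp-server group ") and not ln.endswith(" priv"):
            findings.append(f"snmp: v3 group without privacy ('{ln}')")
        if ln.startswith("snmp-server user ") and " priv aes 256 " not in ln:
            findings.append(f"snmp: v3 user not using AES-256 privacy ('{ln}')")
        # HTTPS/WebVPN: flag weak cipher keywords in 'ssl encryption'.
        if ln.startswith("ssl encryption "):
            weak = sorted(set(ln.split()[2:]) & WEAK_SSL)
            if weak:
                findings.append(f"ssl: weak ciphers enabled: {', '.join(weak)}")
    return findings
```

Run `audit_asa_config()` over the output of `show running-config` captured from the device; an empty list means the scanner should find none of these four items on the management plane.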
