topic Re: Finding patch levels on networking equipment and hardening our network for DDoS risks in Network Security

Finding patch levels on networking equipment and hardening our network for DDoS risks

s_p_92 — Sun, 13 Sep 2020 09:11:20 GMT

Our management wants to know at a short notice which of our networking equipment like our Cisco ASA firewalls, routers are missing patches for the vulnerabilities.

I know a networking team member can go to each networking equipment, log in to the device, open a command line interface, get the version of software running and see if that is the latest version released by Cisco or not, but this is a manual process and we have lot of Cisco devices so doing this would take up lot of time from the networking team.

For our desktops, laptops we have Qualys cloud agents installed which can generate a report of desktops, laptops which are missing patches with level 4,5 severity. This allows management to allocate more people to patching team so they can complete the work sooner.

1. Is there a quick way to determine patch levels of our networking equipment, ASA firewalls, Aggregation Services Routers, VPN concentrators, Firepower Threat Defense etc. to see which device is vulnerable to which vulnerabilities which are shown by CVE numbers like CVE 2020-3452?

Management has heard about Distributed Denial-of-Service(DDoS) attacks and wants to know how well we are prepared for it.

2. I know severe DDoS attacks need a mitigation service like CloudFlare, Akamai who have the bandwidth to absorb the extra attack packets, but what level of hardening can we do to detect a DDoS attack and withstand it using our ASA firewalls, Aggregation Services Routers, VPN concentrators, Firepower Threat Defense etc.?

Any suggestions would be helpful.

Re: Finding patch levels on networking equipment and hardening our network for DDoS risks

Marvin Rhoads — Sun, 13 Sep 2020 12:29:52 GMT

You can use the free Cisco Network Assistant to inventory your devices and show which have CVEs and PSIRTs applicable to the code version they are running.

For DDOS protection you can follow this Cisco guide:

https://tools.cisco.com/security/center/resources/guide_ddos_defense

It's a Cisco-specific superset of IETF BPC 38:

https://tools.ietf.org/html/bcp38

FTD isn't mentioned in the guide but there are some equivalent settings to ASA threat protection in the Network Analysis Policy (if you're using FMC).

Re: Finding patch levels on networking equipment and hardening our network for DDoS risks

s_p_92 — Mon, 09 Nov 2020 00:28:07 GMT

Thanks Marvin,

Sorry for the late response.

We have around 400 devices so Cisco network assistant may not work as it is for networks with 80 devices from https://www.cisco.com/c/en/us/products/cloud-systems-management/network-assistant/index.html

It is a mix as we have mostly Cisco devices but also some Palo alto, Checkpoint.

Can Cisco Configuration Professional (Cisco CP) work for managing 400 devices(switches, routers, access points, controllers, ASA firewalls) or is that more for Cisco access routers only?

I saw your useful suggestions at https://community.cisco.com/t5/network-management/good-network-monitoring-tool/td-p/2337986

Thanks for all the support you provide in this forum!

Re: Finding patch levels on networking equipment and hardening our network for DDoS risks

Marvin Rhoads — Mon, 09 Nov 2020 03:14:27 GMT

CCP is for routers only and not a maintained product.

Prime Infrastructure offer a compliance report as part of its many features. It will show you all security issues regarding PSIRTs and configuration problems with your devices - routers, switches, ASAs etc. SolarWinds NCM can do similar.