SSH access to ASA for vulnerability scan.

cmazur (Level 1)

Our Internal Auditor is asking for SSH access to our ASA's to do Vulnerability Scan.

My first thought was "NO" then I thought about it more and I still think "NO".

Can anyone think why someone should have SSH access to the firewall to perform this scan?

5 Replies

For a vulnerability scan my answer would also be "no". But perhaps they plan a config audit (and just used the wrong wording), and for that, access to the ASA would be needed.

Marvin Rhoads (Hall of Fame)

I could see a case for allowing their source address to access the ssh service on the ASA. That way they can legitimately check for ssh vulnerabilities. (Although I've recently heard of some folks getting dinged for false positive hits - I think one or more of the common scanning tools (cough *Nessus) is doing that).

Or you could just tell them it's locked down and it would open you up to vulnerabilities to change that configuration. Let them have at it scanning from an address that's not allowed SSH access. ;)

I would NOT give them an account though. 
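As an added illustration of the approach described in the reply above (this is not configuration posted by anyone in the thread): an ASA `ssh` source restriction that lets only the scanner's address reach the SSH service, without creating any account for the auditor. The scanner address 10.20.30.40, the interface name `inside`, and the scan window are assumptions for the example. Note that an ASA has no "root" account; administrative access is enable/privilege 15 through whatever AAA is configured, so the `aaa authentication ssh console LOCAL` line matters: without it, older releases fall back to a default SSH login that is not tied to a real local user.

```text
! Added example, not from the thread. Address and interface are assumptions.
! Only the scanner host may reach the SSH service; there is deliberately no
! "ssh 0.0.0.0 0.0.0.0 ..." entry, so every other source is still dropped.
ssh 10.20.30.40 255.255.255.255 inside
!
! SSHv2 only and a short idle timeout while the scan window is open.
ssh version 2
ssh timeout 5
!
! Authenticate SSH against the local user database so there is no default
! login path. No "username auditor ..." is added: the scanner can connect
! and fingerprint the service, but cannot log in.
aaa authentication ssh console LOCAL
!
! Verify during the scan window (expect only the line above under "ssh",
! and no unexpected sessions).
show running-config ssh
show ssh sessions
!
! Remove the exception as soon as the scan is finished.
no ssh 10.20.30.40 255.255.255.255 inside
```

Scanning from that address lets the tool observe the real SSH banner, version and algorithms; scanning from anywhere else just shows the port as filtered, which is the "locked down" result the reply above mentions.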

Thank you, A Nessus scan is exactly what they are doing. They are telling me now that they need to have root access to our firewalls. So I am not sure how to do that. Any thoughts?

I'd call "shenanigans" on that request.

If it was me and my management overrode me, I'd document in writing that the access was given over my objection.

Thank you. I met with this person and pretty much determined he didn't know what he was doing with this scan, and told him that I would do whatever the CSO wanted me to do, but whatever the change is, it would be very temporary.

Thanks again
