Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
432
Views
0
Helpful
3
Replies

Cisco Recommended OS for ASA 5500-X series

Steven Williams
Level 4
Level 4

‎04-13-2015 10:52 AM - edited ‎03-11-2019 10:46 PM

Is there a site that I can look at the states Cisco recommended IOS/OS versions for all their devices?

Labels:
0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎04-13-2015 10:59 AM

Sure - the recommended ASA software version(s) are denoted by a gold star on the software download page. For instance, see this one for the 5525-X which shows that 9.1(5.21) and 9.2(3) are currently recommended.

That does not always take into account the very latest security advisories. If that's of concern to you, you might want to go with something a bit newer, as noted in this current advisory.

The same guidance applies to many other platforms (but not every single one). 

0 Helpful

Steven Williams
Level 4
Level 4
In response to Marvin Rhoads

‎04-13-2015 11:24 AM

Lets be honest though, every version is going to have vulnerabilities! Qualys can detect one or two on code 9.1 and then I go to 9.4, whos to say it wont detect 5 or 6? How do people manage this?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Steven Williams

‎04-13-2015 11:54 AM

Well I do this for a full-time living; so how I manage it may differ from the occasional ASA admin. Here's my process:

I read the release notes with every release (except the interims). I also subscribe to the Cisco Security Advisories and go through each one seeing if the advisory is relevant for any of the use cases I'm supporting.

When it is, I first see if there are compensating controls I can put in place or if the risk level is acceptable for a given environment. (I tend not to just jump on every interim release as they are not as completely regression test as the maintenance releases.) Ths step is very important because just running automated scans and looking for a "perfect" score is, as you implied, chasing a will o' wisp

If there are no compensating controls and/or the risk is unacceptable then I schedule a deployment of the software in a planned maintenance window. I do some basic sanity check tests to make sure nothing obvious is broken, and then follow up with the customer in a week or so to make sure no subtle problems have cropped up.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card