09-13-2020 02:11 AM
Our management wants to know at short notice which of our networking equipment, like our Cisco ASA firewalls and routers, are missing patches for vulnerabilities.
I know a networking team member can go to each piece of networking equipment, log in to the device, open a command line interface, get the version of software running and see if that is the latest version released by Cisco or not, but this is a manual process and we have a lot of Cisco devices, so doing this would take up a lot of time from the networking team.
For our desktops and laptops we have Qualys cloud agents installed which can generate a report of desktops and laptops which are missing patches with level 4 or 5 severity. This allows management to allocate more people to the patching team so they can complete the work sooner.
1. Is there a quick way to determine the patch levels of our networking equipment (ASA firewalls, Aggregation Services Routers, VPN concentrators, Firepower Threat Defense, etc.) to see which device is vulnerable to which vulnerabilities, as shown by CVE numbers like CVE-2020-3452?
Management has heard about Distributed Denial-of-Service (DDoS) attacks and wants to know how well we are prepared for them.
2. I know severe DDoS attacks need a mitigation service like CloudFlare or Akamai, who have the bandwidth to absorb the extra attack packets, but what level of hardening can we do to detect a DDoS attack and withstand it using our ASA firewalls, Aggregation Services Routers, VPN concentrators, Firepower Threat Defense, etc.?
Any suggestions would be helpful.
09-13-2020 05:29 AM
You can use the free Cisco Network Assistant to inventory your devices and show which have CVEs and PSIRTs applicable to the code version they are running.
For DDOS protection you can follow this Cisco guide:
https://tools.cisco.com/security/center/resources/guide_ddos_defense
It's a Cisco-specific superset of IETF BCP 38:
https://tools.ietf.org/html/bcp38
FTD isn't mentioned in the guide but there are some equivalent settings to ASA threat protection in the Network Analysis Policy (if you're using FMC).
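The inventory-plus-advisory matching that the tools above automate can be prototyped in a few lines once the running versions have been collected. The script below is an added example, not code from this thread or from Cisco: it assumes a hand-collected inventory (hostname, platform, version as shown by `show version`) and a locally maintained advisory table whose entries you fill in from Cisco PSIRT advisories. Every device, version and advisory id in it is a constructed placeholder, not real advisory data.

```python
"""Match a Cisco device inventory against a locally maintained advisory table.

Added example (not from the thread or from Cisco). Assumes:
  * an inventory exported as "hostname,platform,version" lines, and
  * an advisory table you maintain by hand from Cisco PSIRT advisories, listing
    per affected software train the first fixed release (None = no fix in train).
All values below are constructed placeholders.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed inventory, as you would collect from "show version" on each box.
INVENTORY = """\
fw-edge-01,asa,9.8(4)20
fw-edge-02,asa,9.8(4)35
rtr-agg-01,ios-xe,16.9.3
rtr-agg-02,ios-xe,17.3.1
ftd-dc-01,ftd,6.4.0.9
"""

# Constructed advisory table. Ids and version ranges are placeholders; replace
# them with the affected/fixed releases stated in the real PSIRT advisory.
ADVISORIES: List[Dict] = [
    {"id": "ADV-PLACEHOLDER-1", "platform": "asa",
     "fixed": {"9.8": "9.8(4)25", "9.12": "9.12(3)"}},
    {"id": "ADV-PLACEHOLDER-2", "platform": "ios-xe",
     "fixed": {"16.9": "16.9.5", "16.12": None}},   # 16.12 train: migrate, no fix
    {"id": "ADV-PLACEHOLDER-3", "platform": "ftd",
     "fixed": {"6.4": "6.4.0.10"}},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.8(4)20' or '16.9.3' into a tuple of ints for ordered comparison.
    Interim-release digits sort after the release digits within one train."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def in_train(version: Tuple[int, ...], train: str) -> bool:
    """True when the parsed version belongs to the given major.minor train."""
    prefix = parse_version(train)
    return version[: len(prefix)] == prefix


def is_affected(version_text: str, advisory: Dict) -> bool:
    """A device is exposed if its train is listed and it runs below the first
    fixed release (or the train has no fix at all). Unlisted trains are treated
    as not affected, which is how PSIRT advisories enumerate affected releases."""
    version = parse_version(version_text)
    for train, first_fixed in advisory["fixed"].items():
        if in_train(version, train):
            if first_fixed is None:
                return True
            return version < parse_version(first_fixed)
    return False


def parse_inventory(text: str) -> List[Dict[str, str]]:
    """Parse 'hostname,platform,version' lines; blank lines are skipped."""
    devices = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hostname, platform, version = (f.strip() for f in line.split(","))
        devices.append({"hostname": hostname, "platform": platform, "version": version})
    return devices


def find_exposures(inventory_text: str, advisories: List[Dict]) -> List[Tuple[str, str]]:
    """Return sorted (hostname, advisory id) pairs for every exposed device."""
    hits = []
    for dev in parse_inventory(inventory_text):
        for adv in advisories:
            if adv["platform"] == dev["platform"] and is_affected(dev["version"], adv):
                hits.append((dev["hostname"], adv["id"]))
    return sorted(hits)


def first_fixed_for(version_text: str, advisory: Dict) -> Optional[str]:
    """Report the fixed release a device should move to, for the patching team."""
    version = parse_version(version_text)
    for train, first_fixed in advisory["fixed"].items():
        if in_train(version, train):
            return first_fixed
    return None


if __name__ == "__main__":
    # Management-style summary: which device needs which advisory's fixed release.
    by_id = {a["id"]: a for a in ADVISORIES}
    devices = {d["hostname"]: d for d in parse_inventory(INVENTORY)}
    for hostname, adv_id in find_exposures(INVENTORY, ADVISORIES):
        dev = devices[hostname]
        fix = first_fixed_for(dev["version"], by_id[adv_id]) or "no fix in this train"
        print(f"{hostname:12} {dev['version']:10} {adv_id:18} -> {fix}")
```

The version parser deliberately reduces every Cisco format to a digit tuple so one comparison works for ASA `9.8(4)20`, IOS XE `16.9.3` and FTD `6.4.0.9`; it is only meaningful within one train, which is why matching is keyed on the train first. Collecting the inventory itself (SSH to each device, or an export from the management platform) is the part the tools in this thread automate.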
11-08-2020 04:28 PM
Thanks Marvin,
Sorry for the late response.
We have around 400 devices, so Cisco Network Assistant may not work as it is for networks with 80 devices, from https://www.cisco.com/c/en/us/products/cloud-systems-management/network-assistant/index.html
It is a mix, as we have mostly Cisco devices but also some Palo Alto and Check Point.
Can Cisco Configuration Professional (Cisco CP) work for managing 400 devices (switches, routers, access points, controllers, ASA firewalls), or is that more for Cisco access routers only?
I saw your useful suggestions at https://community.cisco.com/t5/network-management/good-network-monitoring-tool/td-p/2337986
Thanks for all the support you provide in this forum!
11-08-2020 07:14 PM
CCP is for routers only and not a maintained product.
Prime Infrastructure offers a compliance report as part of its many features. It will show you all security issues regarding PSIRTs and configuration problems with your devices - routers, switches, ASAs etc. SolarWinds NCM can do similar.