Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2826
Views
5
Helpful
3
Replies

Finding patch levels on networking equipment and hardening our network for DDoS risks

s_p_92
Level 1
Level 1

‎09-13-2020 02:11 AM

Our management wants to know at a short notice which of our networking equipment like our Cisco ASA firewalls, routers are missing patches for the vulnerabilities.

 

I know a networking team member can go to each networking equipment, log in to the device, open a command line interface, get the version of software running and see if that is the latest version released by Cisco or not, but this is a manual process and we have lot of Cisco devices so doing this would take up lot of time from the networking team.

 

For our desktops, laptops we have Qualys cloud agents installed which can generate a report of desktops, laptops which are missing patches with level 4,5 severity. This allows management to allocate more people to patching team so they can complete the work sooner.

 

1. Is there a quick way to determine patch levels of our networking equipment, ASA firewalls, Aggregation Services Routers, VPN concentrators, Firepower Threat Defense etc. to see which device is vulnerable to which vulnerabilities which are shown by CVE numbers like CVE 2020-3452?

 

Management has heard about Distributed Denial-of-Service(DDoS) attacks and wants to know how well we are prepared for it.

 

2. I know severe DDoS attacks need a mitigation service like CloudFlare, Akamai who have the bandwidth to absorb the extra attack packets, but what level of hardening can we do to detect a DDoS attack and withstand it using our ASA firewalls, Aggregation Services Routers, VPN concentrators, Firepower Threat Defense etc.?

 

Any suggestions would be helpful.

0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-13-2020 05:29 AM

You can use the free Cisco Network Assistant to inventory your devices and show which have CVEs and PSIRTs applicable to the code version they are running.

For DDOS protection you can follow this Cisco guide:

https://tools.cisco.com/security/center/resources/guide_ddos_defense

It's a Cisco-specific superset of IETF BPC 38:

https://tools.ietf.org/html/bcp38

FTD isn't mentioned in the guide but there are some equivalent settings to ASA threat protection in the Network Analysis Policy (if you're using FMC).

s_p_92
Level 1
Level 1
In response to Marvin Rhoads

‎11-08-2020 04:28 PM

Thanks Marvin,

 

Sorry for the late response.

 

We have around 400 devices so Cisco network assistant may not work as it is for networks with 80 devices from https://www.cisco.com/c/en/us/products/cloud-systems-management/network-assistant/index.html

It is a mix as we have mostly Cisco devices but also some Palo alto, Checkpoint.

 

Can Cisco Configuration Professional (Cisco CP) work for managing 400 devices(switches, routers, access points, controllers, ASA firewalls) or is that more for Cisco access routers only?

 

I saw your useful suggestions at https://community.cisco.com/t5/network-management/good-network-monitoring-tool/td-p/2337986

 

Thanks for all the support you provide in this forum!

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to s_p_92

‎11-08-2020 07:14 PM

CCP is for routers only and not a maintained product.

Prime Infrastructure offer a compliance report as part of its many features. It will show you all security issues regarding PSIRTs and configuration problems with your devices - routers, switches, ASAs etc. SolarWinds NCM can do similar.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card