04-16-2014 05:30 PM - edited 02-21-2020 05:09 AM
Dear everyone.
I have a question about vulnerability scanning of a Cisco ASA device. Currently we have vulnerability scanning for network devices, including the firewall. But after running the vulnerability scan against the Cisco ASA, nothing showed up in the scan report.
Is it recommended to run a vulnerability scan against a Cisco ASA, and does it defeat the purpose of the firewall?
04-17-2014 07:05 PM
Vulnerability scanning of an ASA is fine. I have seen them turn up issues. You can find things like SSH v1 being allowed, weak ciphers allowed for HTTPS, etc.
If you find nothing (according to the scan criteria being used) then you can count that as a small victory and move your attention to the areas that didn't do as well.
04-17-2014 10:36 PM
Hi Marvin,
Thanks for your explanation. I have tried to run a vulnerability scan against my ASA, but I found that the ASA dropped the connection by itself.
I am just trying to figure out how to allow an internal vulnerability scan of my ASA. Do you have any idea how to do it?
Currently I am using ASA version 9.1.
04-18-2014 06:22 AM
Do I understand correctly that you are asking whether you can configure the ASA to allow an external user to run a scan against the internal network?
If so, the answer is generally no. The ASA will, by default, not allow any inbound connections (or attempted connections) that are not explicitly allowed in an inbound access-list (applied to the outside interface). In most cases there would also need to be network address translation (NAT) rules configured.
If you had a remote access VPN, you could allow the external scanner to log in via that. They would then have the necessary access to scan the internal systems (assuming the VPN granted access to all the internal networks).
04-22-2014 05:49 PM
Thanks Marvin.
I guess my company insists on having a vulnerability scan of the ASA version and of SSH and Telnet credential access.
I am just wondering whether it can scan the management port of the ASA and obtain reports on things like version, credentials, SNMP and so on.
04-23-2014 03:48 AM
If they want to scan the ASA itself, then they may observe, for instance, whether you allow only strong SSL ciphers for any HTTPS service (i.e. for the remote access VPN portal).
SNMP, even when allowed, is restricted to authorized hosts, so their scanning address would have to be allowed explicitly. Likewise with SSH. You can and should lock down both of those services - i.e. require SNMP v3 with only encrypted ("Priv") communications and AES-256, restrict SSH to v2 and use a strong (2048-bit) RSA key.
Hope this helps.
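As an added illustration of the management-plane checks described in this reply (not code from the thread or from Cisco), the script below audits an ASA running-config for the weaknesses a scanner would typically report: SSH v1, unrestricted SSH sources, Telnet, SNMPv1/v2c community strings and SNMPv3 groups below "priv". Both config fragments are constructed samples and the SNMPv3 passwords are placeholders.

```python
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# Constructed sample: a deliberately weak ASA 9.1 running-config fragment.
WEAK_CONFIG = """
hostname asa-lab
ssh version 1
ssh 0.0.0.0 0.0.0.0 outside
telnet 192.168.1.0 255.255.255.0 inside
snmp-server community public
snmp-server host inside 192.168.1.50 community public version 2c
snmp-server group OPS v3 auth
"""

# Constructed sample: the same device hardened as recommended above.
HARDENED_CONFIG = """
hostname asa-lab
ssh version 2
ssh 192.168.1.0 255.255.255.0 inside
snmp-server group OPS v3 priv
snmp-server user monitor OPS v3 auth sha AUTH-PLACEHOLDER priv aes 256 PRIV-PLACEHOLDER
snmp-server host inside 192.168.1.50 version 3 monitor
"""


def audit_asa_config(config: str) -> list[str]:
    """Return one finding per weak management setting; an empty list means all checks passed."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    if "ssh version 2" not in lines:
        findings.append("SSH not pinned to v2 ('ssh version 2' absent)")
    for ln in lines:
        if ln == "ssh version 1":
            findings.append("SSH v1 explicitly enabled")
        elif m := re.fullmatch(rf"ssh ({IP}) ({IP}) (\S+)", ln):
            # 'ssh <addr> <mask> <if>' restricts SSH sources; 0.0.0.0/0.0.0.0 means anyone.
            if m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
                findings.append(f"SSH allowed from any address on {m.group(3)}")
        elif m := re.fullmatch(rf"telnet {IP} {IP} (\S+)", ln):
            findings.append(f"Telnet management access enabled on {m.group(1)}")
        elif ln.startswith("snmp-server community "):
            findings.append("SNMPv1/v2c community string configured")
        elif ln.startswith("snmp-server host ") and re.search(r"\b(community|version (?:1|2c))\b", ln):
            findings.append("SNMP host entry uses v1/v2c community-based access")
        elif m := re.fullmatch(r"snmp-server group (\S+) v3 (noauth|auth)", ln):
            findings.append(f"SNMPv3 group {m.group(1)} is '{m.group(2)}', not 'priv'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_asa_config(cfg))
```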