Anim Saxena
Introduction

Automating Cisco IOS Software Vulnerability Assessment - Slides from Webcast with Omar Santos

Omar Santos is an incident manager with Cisco's PSIRT. He has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government, including the U.S. Marine Corps and the U.S. Department of Defense. He is also the author of many Cisco online technical documents and configuration guidelines. Prior to his current role, he was a technical leader within the World Wide Security Practice and Cisco's Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within both organizations. He is an active member of the InfraGard organization.

 

He is also the author of these Cisco Press books: Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance; Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting; End-to-End Network Security: Defense-in-Depth; and Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance (2nd Edition).

 

 

General Questions

Q. Will management of this be incorporated in MARS or another product, or can information be parsed to the Cisco device via SNMP?

A. It is not a commercial product; it is a tool which was developed by my team. It can be used not only by Cisco but by other vendors also. Currently we do not support integration with Cisco Prime, LMS or MARS as it is an emerging technology. We do have capabilities in Cisco Prime and MARS to check for vulnerabilities in a different way.

Q. Are other authentication methods supported or just username/password?

A. The tool which I was using and showing is an open source tool which is known as jOval. We will connect it to a router, and in my case I have a local database. Users can use external authentication (RADIUS, TACACS). The tool supports the ability to connect to the router via SSH or via SNMP. Here I am using SSH to connect to the router, so I will be using username/password.

 

Q. The demo was one CVE at a time. Is it possible to test multiple CVEs in one run?

A. That is also possible. It also depends upon the capabilities of the tool.

 

Q. What about a specific platform like the ASR 5000 with SGSN / GGSN? What product software is supported?

A. We have submitted XML schemata for IOS-XE devices. Currently we are not releasing OVAL for IOS-XE, but if the schemata get adopted in OVAL, and depending on customer demand, this is on our radar.

 

Q. Is the authoring tool available for end users (Cisco partners)?

A. The authoring tool was developed internally only for us, in order to be able to publish advisories in OVAL. There are free tools out there like eSCAPe that will generate OVAL for you. If you need to do it for Cisco-related definitions, authoring tools are not very successful as of now (or as of the last time I checked).

 

Q. Was the SSH command embedded in the jOval script?

A. Yes, jOval is able to SSH to a live router in order to do the assessment; alternatively it can read a file with the command outputs in order to do the assessment.

 

Q. How soon will jOval be compatible with devices other than Cisco?

A. jOval and other free tools like OpenSCAP/ovaldi support OVAL for other vendors (since it is not Cisco's product, I would suggest looking into their website and talking to the jOval folks for more info).

 

Q. Are there other methods by which jOval connects to the device apart from SSH?

A. To our knowledge, it can also look into a file that contains the command output or system characteristics in order to do the assessment.

 

CVRF

Q. How can I validate a CVRF document?

A. The CVRF parser is a tool which I have mentioned before. Like OVAL, CVRF is an XML document. In the case of CVRF you can use other open source tools that can validate the structure of the document.

 

Q. Is there any Cisco Press product/training or tutorial that goes through OVAL usage? (other than the mentioned online links)

A. Basically OVAL, CVRF and many other standards are emerging as we speak right now. There is no Cisco Press book yet, as we are in a transition period. Once things are a little more mature and implementation is more progressive, I can assure you of a lot more. The resources which are mentioned in the presentation have a lot of information for implementation.


OVAL

Q. How often does Cisco publish a full collection of CVE OVAL content? Not just individual OVAL entries for a specific CVE, but a full collection?

A. OVAL is currently supported for Cisco IOS only. So every time we publish a Security Advisory, we do publish an OVAL definition. There are very, very rare cases where we cannot check the device configuration or check for device compliance; in such cases the OVAL definition will do a full check. Every time Cisco publishes a security advisory we will publish OVAL content for the specific CVE. Cisco publishes Security Advisories twice a year, and along with them we publish an ERP document which summarizes all the vulnerabilities and CVEs which are part of that. It also has links for customers to download the file.
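The per-advisory OVAL definitions described in the answer above boil down to a test on the running IOS version (plus, where the advisory needs it, a test on the configuration). The following Python is an added illustration of the version half of that test, written for this page; it is not jOval's code and not Cisco's OVAL content. It extracts the version string from an offline "show version" capture (the same input mode jOval's file-based assessment uses), parses it into the fields an OVAL IOS version test works with (major, minor, release, train, rebuild), and compares it against a first-fixed table. The "show version" text and the first-fixed table are constructed for the example and do not correspond to any real Cisco advisory.

```python
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Constructed "show version" excerpt (not captured from a real device). The ROM
# bootstrap line is included on purpose: a naive "Version X," search could match
# the wrong line, so the extractor anchors on the "Cisco IOS Software" line.
SAMPLE_SHOW_VERSION = """\
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
edge-rtr1 uptime is 3 weeks, 2 days, 4 hours, 12 minutes
"""


class IosVersion(NamedTuple):
    major: int
    minor: int
    release: int   # number inside the parentheses
    train: str     # train identifier such as M, T, SE; '' for mainline
    rebuild: int   # rebuild number after the train, 0 if absent


# 15.1(4)M4 -> major 15, minor 1, release 4, train M, rebuild 4
# 12.4(25)  -> mainline: train '' and rebuild 0
VERSION_RE = re.compile(r'^(\d+)\.(\d+)\((\d+)[a-z]?\)([A-Z]*)(\d*)[a-z]?$')


def parse_ios_version(text: str) -> IosVersion:
    m = VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f'unrecognised IOS version string: {text!r}')
    return IosVersion(int(m[1]), int(m[2]), int(m[3]), m[4], int(m[5]) if m[5] else 0)


IOS_LINE_RE = re.compile(r'^Cisco IOS Software.*?Version (\S+?),', re.MULTILINE)


def version_from_show_version(output: str) -> str:
    """Pull the running IOS version string out of 'show version' output."""
    m = IOS_LINE_RE.search(output)
    if m is None:
        raise ValueError('no "Cisco IOS Software ... Version" line found')
    return m[1]


# Hypothetical first-fixed table keyed by (major, minor, train). Constructed for
# this example only; it does NOT correspond to any real Cisco advisory.
HYPOTHETICAL_FIRST_FIXED: Dict[Tuple[int, int, str], str] = {
    (15, 1, 'M'): '15.1(4)M5',
    (15, 0, 'M'): '15.0(1)M9',
    (15, 2, 'T'): '15.2(4)T1',
}


def is_affected(version: IosVersion) -> Optional[bool]:
    """True if older than the first fixed release of its train, False if fixed,
    None if the train is not covered by the table (no decision possible)."""
    fixed_str = HYPOTHETICAL_FIRST_FIXED.get((version.major, version.minor, version.train))
    if fixed_str is None:
        return None
    fixed = parse_ios_version(fixed_str)
    # Compare numerically, never as strings: 15.1(4)M10 is newer than 15.1(4)M5.
    return (version.release, version.rebuild) < (fixed.release, fixed.rebuild)


def assess(show_version_output: str) -> dict:
    version = parse_ios_version(version_from_show_version(show_version_output))
    return {'version': version, 'affected': is_affected(version)}


if __name__ == '__main__':
    print(assess(SAMPLE_SHOW_VERSION))
```

A real OVAL definition would express the same comparison declaratively and, for most advisories, AND it with a configuration test for the affected feature; the point of the example is that the version comparison must be done on parsed fields within a train, not on the raw string, or rebuilds such as M10 sort before M5.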

 

Q. Is OVAL only for routers, or does it have value on layer 2 switches?

A. OVAL is not only for network devices; it can be used to check for device compliance and vulnerability assessment. In the case of IOS, of course, depending upon the vulnerability you may be checking a router or a switch, say a Catalyst 6500 running Cisco IOS, but it doesn't end there: OVAL supports whole operating systems such as Microsoft, Red Hat, and many others. As I mentioned before, the community is trying to take it to the next level where we are checking mobile devices such as iPhone and Android devices.

 

Q. Are you planning to create OVAL content for all advisories or only for new ones (since September 26, 2012)?

A. When we started doing OVAL adoption last year we created global content for all the advisories all the way back to March 2010. Right now we are supporting anything from March 2010 onwards. OVAL is an execution standard and is based on XML, so it needs schemas. The next 2 products that we created the schemas for, potentially supported, are Cisco ISI and IOS XE. We will extend our support to new products such as Nexus OS or other products we have. We have already created schemas for ASA and IOS XE.

 

Q. Omar's example was for a CVE violation. Do you have an example for a configuration "best practices" violation (for example telnet enabled) encoded in OVAL?

A. Unfortunately this one was concentrating on vulnerability assessment, but yes, the language specifically for IOS supports a good range. If you are tech savvy you can create your own OVAL definitions. A configuration template or configuration example you may have in your organization, let's say: do all your Internet-facing devices have anti-spoofing capabilities or anti-spoofing ACLs, or do you have a specific set of infrastructure ACLs to protect?
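The two best-practice checks raised in this question and answer (telnet enabled on the vty lines, and Internet-facing interfaces without an anti-spoofing ACL) are exactly the kind of thing the answer says you can encode yourself. As an added illustration of what such a definition has to evaluate, the Python below runs both checks over an offline "show running-config" capture, the same file-based input jOval accepts. It is written for this page, not taken from jOval or from any Cisco OVAL content. The running-config text is constructed, and tagging Internet-facing interfaces by the word INTERNET in the interface description is an assumption of the example, not a Cisco convention; the policy choices (vty lines must carry exactly "transport input ssh", and the inbound ACL must deny all three RFC 1918 source ranges) are likewise the example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed "show running-config" excerpt (not from a real device). Internet-facing
# interfaces are recognised by INTERNET in their description, an assumption of this
# example rather than a Cisco convention.
SAMPLE_RUNNING_CONFIG = """\
!
hostname edge-rtr1
!
ip access-list extended EDGE-IN
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit ip any any
!
interface GigabitEthernet0/0
 description INTERNET uplink to ISP
 ip address 203.0.113.2 255.255.255.252
 ip access-group EDGE-IN in
!
interface GigabitEthernet0/1
 description INTERNET secondary uplink
 ip address 198.51.100.2 255.255.255.252
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
!
end
"""

Section = Tuple[str, List[str]]  # (top-level command, its indented sub-commands)


def parse_sections(config: str) -> List[Section]:
    """Split an IOS config into top-level commands with their indented sub-commands.
    Comment ('!') and blank lines are dropped."""
    sections: List[Section] = []
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith('!'):
            continue
        if raw.startswith(' '):
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def find_telnet_vty(sections: List[Section]) -> List[str]:
    """Policy: every vty line must carry exactly 'transport input ssh'.
    'telnet', 'all', or an absent statement is reported as a finding."""
    findings = []
    for header, subs in sections:
        if not header.startswith('line vty'):
            continue
        transport = [s for s in subs if s.startswith('transport input')]
        if transport != ['transport input ssh']:
            detail = transport[0] if transport else 'no transport input statement'
            findings.append(f'{header}: {detail}')
    return findings


# RFC 1918 source ranges in the (address, wildcard) form IOS ACL entries use.
RFC1918 = {
    ('10.0.0.0', '0.255.255.255'),
    ('172.16.0.0', '0.15.255.255'),
    ('192.168.0.0', '0.0.255.255'),
}
DENY_RE = re.compile(r'^deny ip (\S+) (\S+) any$')
ACCESS_GROUP_IN_RE = re.compile(r'^ip access-group (\S+) in$')


def acl_denies_rfc1918(entries: List[str]) -> bool:
    denied = {m.groups() for m in map(DENY_RE.match, entries) if m}
    return RFC1918 <= denied


def find_unprotected_internet_interfaces(sections: List[Section]) -> List[str]:
    """Policy: each INTERNET-tagged interface needs an inbound ACL that drops RFC 1918 sources."""
    acls: Dict[str, List[str]] = {
        h.split()[-1]: subs for h, subs in sections if h.startswith('ip access-list ')
    }
    findings = []
    for header, subs in sections:
        if not header.startswith('interface '):
            continue
        if not any(s.startswith('description') and 'INTERNET' in s.upper() for s in subs):
            continue
        inbound = [m[1] for m in map(ACCESS_GROUP_IN_RE.match, subs) if m]
        if not inbound:
            findings.append(f'{header}: no inbound ACL')
        elif not acl_denies_rfc1918(acls.get(inbound[0], [])):
            findings.append(f'{header}: ACL {inbound[0]} does not deny RFC 1918 sources')
    return findings


def assess_config(config: str) -> Dict[str, List[str]]:
    sections = parse_sections(config)
    return {
        'telnet_vty': find_telnet_vty(sections),
        'unprotected_internet_interfaces': find_unprotected_internet_interfaces(sections),
    }


if __name__ == '__main__':
    for check, findings in assess_config(SAMPLE_RUNNING_CONFIG).items():
        print(check, findings or 'PASS')
```

On the constructed config the vty 0 4 block is flagged because it still admits telnet, and GigabitEthernet0/1 is flagged because it has no inbound ACL at all; GigabitEthernet0/0 passes because EDGE-IN denies all three private ranges. Note that the vty check deliberately treats a missing "transport input" as a finding rather than assuming the platform default, since defaults differ across IOS releases.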

 

Q. Does OVAL support third-party vulnerability scan tools other than Cisco?

A. To our knowledge, only jOval can support Cisco OVAL definitions; there are open source tools like ovaldi and commercial tools that will be able to consume OVAL for other vendors, like Microsoft, Linux etc.

 

Q. Is it possible now to download all available Cisco OVAL content as one file?

A. You can get the links to all XML OVAL definitions in an IOS bundle from the ERP page Omar mentioned, but not consolidated in one XML file.

 

Q. Do you know if OpenVAS does support OVAL remote scans?

A. We haven't used OpenVAS, so unfortunately we are not sure about that.

 

Related Info:

Webcast Slides

PSIRT notifications

CVRF BLOG POSTS By Mike Schiffman, Cisco

CVRF white paper

Installing CVRF Parser

OVAL

Extensible Configuration Checklist Description Format

Open Checklist Interactive Language (OCIL)

Asset Identification (AI)

Asset Reporting Format (ARF)

Cisco public vulnerability policy

Common Platform Enumeration (CPE)

Common Configuration Enumeration (CCE)

Common Weakness Enumeration (CWE)

Common Remediation Enumeration (CRE)

Details of SCAP Components white paper

FAQ Published to help answer common questions related to Cisco’s OVAL adoption

Cisco SIO Portal

Security Blog

Cisco’s Security Vulnerability Policy