[c-nsp] Quick IOS security check

Ted Mittelstaedt tedm at toybox.placo.com
Sun Aug 21 08:37:40 EDT 2005


Unfortunately, particularly with the older Cisco devices (like the 1600 series), Cisco's security fixes often entail having to update to IOS versions that are larger than what the original RAM and flash are that came in the system.

For example, 1600 R series that came with 4MB flash/8MB RAM no longer have a 12.0 series of IOS that they can run that is without security holes.

2500's with 8MB flash/4MB RAM are in the same boat.

As a result you may need to backflash to older IOS release trains to get a security-fixed IOS that fits in the RAM/flash - assuming, that is, that your device isn't using any of the advanced features in the newer IOS (like address translation, for example). Or replace the router. Or try scrounging around on Ebay or some such for parts (try buying 1600 RAM chips new that will work in a 1600, har har!)

You could possibly write a script using SNMP that would query every device in your network looking for your routers, and report back the IOS version - if you have enabled SNMP on all your devices, of course - but it still takes some human intelligence to look at each device, see what it's doing and where it is, whether the IOS version on it has vulnerabilities that are exploitable in the location it's in, and what you can do about it.

This is why we get paid the big bucks. There are parts of the job that do require some actual real work to be done. ;-)

Ted
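As an added illustration of the SNMP-inventory script Ted describes (example code, not from the list, Ted, or Cisco): it takes the sysDescr strings such a query would return, pulls out the IOS version string, and compares it with a per-train "first fixed release" table. The sysDescr values, device names and the FIXED_IN table are all constructed here; the real table has to be filled in by hand from the advisories, and the human review Ted mentions (what the box does, where it sits) still follows.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed SNMPv2-MIB::sysDescr.0 strings for a few devices; not real device
# output. In practice they come from an snmpget/snmpwalk of each router.
INVENTORY = {
    "rtr-1601": "Cisco Internetwork Operating System Software IOS (tm) 1600 "
                "Software (C1600-Y-L), Version 12.0(25), RELEASE SOFTWARE (fc1)",
    "rtr-2501": "Cisco Internetwork Operating System Software IOS (tm) 2500 "
                "Software (C2500-I-L), Version 12.0(28), RELEASE SOFTWARE (fc1)",
    "rtr-3640": "Cisco Internetwork Operating System Software IOS (tm) 3600 "
                "Software (C3640-IK9O3S-M), Version 12.2(15)T5, RELEASE SOFTWARE (fc1)",
    "rtr-2611": "Cisco Internetwork Operating System Software IOS (tm) C2600 "
                "Software (C2600-I-M), Version 12.3(4)T, RELEASE SOFTWARE (fc2)",
}

# First fixed release per train as (major, minor, maintenance, rebuild).
# Placeholder values: fill from the advisory's fixed-software table for each
# train you run. Keyed by "major.minor" plus the train letters ("" = mainline).
FIXED_IN = {
    ("12.0", ""): (12, 0, 27, 0),
    ("12.2", "T"): (12, 2, 15, 7),
}

VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)\)([A-Z]*)(\d*)")
Version = Tuple[int, int, int, str, int]

def parse_ios_version(sysdescr: str) -> Optional[Version]:
    """Extract (major, minor, maintenance, train, rebuild) from a sysDescr."""
    m = VERSION_RE.search(sysdescr)
    if not m:
        return None
    major, minor, maint, train, rebuild = m.groups()
    return int(major), int(minor), int(maint), train, int(rebuild or 0)

def classify(version: Version) -> str:
    """Compare a parsed version with the fixed release for its own train."""
    major, minor, maint, train, rebuild = version
    fixed = FIXED_IN.get((f"{major}.{minor}", train))
    if fixed is None:
        return "unknown-train"  # no advisory data for this train: review by hand
    return "upgrade" if (major, minor, maint, rebuild) < fixed else "ok"

def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each device name to ok / upgrade / unknown-train / unparsed."""
    result = {}
    for name, descr in inventory.items():
        v = parse_ios_version(descr)
        result[name] = classify(v) if v else "unparsed"
    return result

if __name__ == "__main__":
    for name, status in sorted(audit(INVENTORY).items()):
        print(f"{name:10s} {status}")
```

Versions are only compared within the same train, since a 12.2 T rebuild number says nothing about whether a 12.0 mainline image carries the fix.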

>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net
>[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of
>Jean-Christophe Varaillon
>Sent: Friday, August 19, 2005 3:03 AM
>To: cisco-nsp at puck.nether.net
>Subject: [c-nsp] Quick IOS security check
>
>
>Hi,
>
>I have a list of the 100 Cisco devices that we have on our network with
>their corresponding IOS.
>
>I am looking for a quick way to see which device should be upgraded due
>to IOS security issues (not bug issues).
>
>From http://www.cisco.com/en/US/customer/products/products_security_advisories_listing.html
>we have the list of security issues, but, manually, it would take very
>long to see which of the 100 devices has vulnerabilities and should be
>upgraded.
>
>Is there any tool available from Cisco site where I would enter the IOS
>string name and where it would give me the list of vulnerabilities and
>the recommended IOS upgrade?
>
>Would CiscoWorks be of any help to achieve this quick security check?
>
>Any comments/suggestions are welcome!
>
>Thank you,
>
>Christophe
>