[c-nsp] Quick IOS security check

Kim Onnel karim.adel at gmail.com
Sun Aug 21 08:53:41 EDT 2005


Well, you could have an IOS that is vulnerable to IPv6 holes but you
don't have IPv6 enabled, so I think you need to do it manually, per bug,
not per IOS version: check recent bugs, and if you have it, then upgrade.

On 8/21/05, Ted Mittelstaedt <tedm at toybox.placo.com> wrote:
> 
> Unfortunately particularly with the older Cisco devices (like the 1600
> series) Cisco's security fixes often entail having to update to IOS
> versions that are larger than what the original ram and flash are that
> came in the system.
> 
> For example, 1600 R series that came with 4MB flash/8MB ram no longer
> have a 12.0 series of IOS that they can run that is without security
> holes.
> 
> 2500's with 8MB flash/4MB ram are in the same boat.
> 
> As a result you may need to backflash to older IOS release trains to get
> a security-fixed IOS that fits in the ram/flash - assuming, that is, that
> your device isn't using any of the advanced features in the newer IOS
> (like address translation, for example). Or replace the router. Or try
> scrounging around on Ebay or some such for parts (try buying 1600 ram
> chips new that will work in a 1600, har har!)
> 
> You could possibly write a script using snmp that would query every
> device in your network looking for your routers, and report back the IOS
> version - if you have enabled snmp on all your devices, of course - but
> it still takes some human intelligence to look at each device, see what
> it's doing and where it is, whether the IOS version on it has
> vulnerabilities that are exploitable in the location it's in, and what
> you can do about it.
> 
> This is why we get paid the big bucks.  There are parts of the job that
> do require some actual real work to be done. ;-)
> 
> Ted
> 
> >-----Original Message-----
> >From: cisco-nsp-bounces at puck.nether.net
> >[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of
> >Jean-Christophe Varaillon
> >Sent: Friday, August 19, 2005 3:03 AM
> >To: cisco-nsp at puck.nether.net
> >Subject: [c-nsp] Quick IOS security check
> >
> >
> >Hi,
> >
> >I have a list of the 100 Cisco devices that we have on our network with
> >their corresponding IOS.
> >
> >I am looking for a quick way to see which device should be upgraded due
> >to IOS security issues (not bug issues).
> >
> >From
> >http://www.cisco.com/en/US/customer/products/products_security_advisories_listing.html,
> >we have the list of security issues, but, manually, it would take very
> >long to see which of the 100 devices has vulnerabilities and should be
> >upgraded.
> >
> >Is there any tool available from Cisco site where I would enter the IOS
> >string name and where it would give me the list of vulnerabilities and
> >the recommended IOS upgrade?
> >
> >Would CiscoWorks be of any help to achieve this quick security check?
> >
> >Any comments/suggestions are welcome!
> >
> >Thank you,
> >
> >Christophe
> >
> >_______________________________________________
> >cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >https://puck.nether.net/mailman/listinfo/cisco-nsp
> >archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
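The SNMP inventory script Ted describes and the per-bug, per-feature check Kim argues for, put together as an added example (not code from this thread or from Cisco). It assumes net-snmp's snmpget for the collection step and the standard sysDescr.0 OID; the sysDescr strings and the ADV-EXAMPLE-* advisory table are constructed placeholders, and the "which features are enabled" flags are operator-supplied, because SNMP reports the image version, not what is in the running configuration.

```python
"""Quick IOS security triage.  Added example, not code from this thread or from
Cisco: the sysDescr strings and ADV-EXAMPLE-* entries below are constructed
placeholders, to be replaced with the real first-fixed versions from the advisories."""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Version field as it appears in sysDescr and in "show version":
# "Version 12.0(28)", "Version 12.2(15)T9", "Version 12.2(18)SXD3".
_VERSION_RE = re.compile(r"Version (?P<major>\d+)\.(?P<minor>\d+)\((?P<maint>\d+)(?:\.\d+)?\)"
                         r"(?P<train>[A-Z]{0,3})(?P<rebuild>\d*)")
SYSDESCR_OID = "1.3.6.1.2.1.1.1.0"  # SNMPv2-MIB::sysDescr.0

@dataclass(frozen=True, order=True)
class IosVersion:
    # Field order matters: dataclass ordering compares (major, minor, maint, train,
    # rebuild), which is the right order inside one release stream such as 12.3T.
    major: int
    minor: int
    maint: int
    train: str     # "" for the mainline train, else "T", "S", "SXD", ...
    rebuild: int   # digits after the train letters, 0 when absent

    @property
    def stream(self) -> Tuple[int, int, str]:
        return (self.major, self.minor, self.train)   # only comparable within a stream

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}({self.maint}){self.train}{self.rebuild or ''}"

def parse_ios_version(text: str) -> Optional[IosVersion]:
    """Pull the IOS version out of a sysDescr or 'show version' string."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return IosVersion(int(m["major"]), int(m["minor"]), int(m["maint"]),
                      m["train"], int(m["rebuild"] or 0))

def snmp_sysdescr(host: str, community: str) -> str:
    """Fetch sysDescr.0 via net-snmp's snmpget (assumes net-snmp is installed; not used
    by the offline demo).  v2c communities travel in clear text; prefer SNMPv3 if available."""
    out = subprocess.run(["snmpget", "-v2c", "-c", community, "-Oqv", host, SYSDESCR_OID],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()

@dataclass(frozen=True)
class Device:
    name: str
    sysdescr: str
    # Operator-supplied: SNMP gives the version, not which features are configured,
    # so "is IPv6 enabled?" still has to come from the running config.
    enabled_features: FrozenSet[str] = frozenset()

@dataclass(frozen=True)
class Advisory:
    ident: str
    first_fixed: Dict[Tuple[int, int, str], IosVersion]  # first fixed release per stream
    requires_feature: Optional[str] = None              # e.g. "ipv6"

def assess(device: Device, adv: Advisory) -> str:
    """Classify one device against one advisory."""
    ver = parse_ios_version(device.sysdescr)
    if ver is None:
        return "unparsed"
    fixed = adv.first_fixed.get(ver.stream)
    if fixed is None:
        return "unknown"      # advisory lists no fix for this stream: review by hand
    if ver >= fixed:
        return "fixed"
    if adv.requires_feature and adv.requires_feature not in device.enabled_features:
        return "not-exposed"  # vulnerable code present but the feature is off
    return "affected"

def triage(devices, advisories) -> Dict[str, Dict[str, str]]:
    return {d.name: {a.ident: assess(d, a) for a in advisories} for d in devices}

def upgrade_list(report: Dict[str, Dict[str, str]]):
    """Devices with at least one 'affected' finding: the ones that need an upgrade."""
    return sorted(n for n, f in report.items() if "affected" in f.values())

# Constructed sample inventory, in the text format IOS returns for sysDescr.
DEVICES = [
    Device("rtr-1600-a", "Cisco Internetwork Operating System Software\r\nIOS (tm) 1600 "
           "Software (C1600-Y-L), Version 12.0(28), RELEASE SOFTWARE (fc1)"),
    Device("rtr-3640-b", "Cisco Internetwork Operating System Software\r\nIOS (tm) 3600 "
           "Software (C3640-IS-M), Version 12.3(4)T, RELEASE SOFTWARE (fc1)", frozenset({"ipv6"})),
    Device("rtr-2600-c", "Cisco Internetwork Operating System Software\r\nIOS (tm) C2600 "
           "Software (C2600-IS-M), Version 12.3(4)T6, RELEASE SOFTWARE (fc1)"),
]
# Constructed advisories with hypothetical identifiers and first-fixed versions.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", {(12, 3, "T"): IosVersion(12, 3, 8, "T", 0)}, "ipv6"),
    Advisory("ADV-EXAMPLE-2", {(12, 0, ""): IosVersion(12, 0, 29, "", 0),
                               (12, 3, "T"): IosVersion(12, 3, 4, "T", 6)}),
]

if __name__ == "__main__":
    report = triage(DEVICES, ADVISORIES)
    for name, findings in report.items():
        print(name, findings)
    print("upgrade:", upgrade_list(report))
```

Run it as is to see the constructed inventory classified; to use it for real, build DEVICES from snmp_sysdescr() (or from the existing list of 100 devices and their IOS strings) and fill ADVISORIES from the first-fixed tables in the advisory listing. The "unknown" result is deliberate: when an advisory names no fixed release for a device's stream, the script reports it rather than guessing, which is exactly the per-device human review Ted says cannot be scripted away. "not-exposed" records Kim's point that a vulnerable image is not an exposure if the feature is off, though the entry is still worth tracking in case the feature is ever turned on.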


