If you are one of the many customers requesting support for Cisco IOS scanning within QualysGuard, your request has been answered. With the release of QualysGuard 6.17, which marks the beginning of QualysGuard Policy Compliance 3.0, users can now scan for configuration settings on Cisco IOS 12.x and 15.x devices within Policy Compliance.
Why Cisco IOS?
With the expansion of Policy Compliance technology coverage for operating systems and databases over the past few years, network devices were the next logical technology to cover. Cisco, as the leader in networking devices, and its operating system, Cisco IOS, were the primary focus for our existing customers. In addition, Cisco IOS has well-established benchmarks, including those from the Center for Internet Security (CIS).
Scanning Cisco IOS
Traditional agent-based solutions have always struggled to collect Cisco IOS configuration data, because organizations would not allow a permanent agent to reside on the device. Other tools, such as the Center for Internet Security (CIS) Router Audit Tool (RAT), pulled the configurations remotely but could not easily scale to hundreds or thousands of devices. Now, with agentless, authenticated scanning, organizations can easily collect Cisco IOS configurations on a mass scale.
QualysGuard Policy Compliance 3.0 uses a new Cisco IOS record, a modified version of the SSH/Telnet record used for Unix, to provide credentials for agentless, authenticated scanning of Cisco IOS devices. The new record supports an optional second password for the enable prompt, which is used to execute the following commands: show version, show logging, and show running-config. The output of these commands is normalized into an XML file held in memory on the scanner appliance, where signatures are executed against it to verify configuration settings. By storing the output on the scanner appliance, QualysGuard minimizes any impact on the actual device during the scan. Once the signatures have completed, the XML file is deleted from memory.
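The flow described above, as an added example that is not Qualys code and not part of the original post: output from the three commands is normalized into an in-memory XML tree, checks run against that tree, and the tree is then discarded. The sample command output, the XML layout, and the signature names and patterns are all constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample output for the three commands named in the post.
SAMPLE = {
    "show version": "Cisco IOS Software, Version 15.1(4)M4, RELEASE SOFTWARE\n",
    "show logging": "Syslog logging: enabled\n    Logging to 192.0.2.10\n",
    "show running-config": (
        "!\nservice password-encryption\nenable password 7 00000000\n"
        "no ip http server\nline vty 0 4\n"
        " transport input telnet ssh\n"
    ),
}

# Hypothetical signatures: (id, command, regex, whether a match is required).
SIGNATURES = [
    ("ios-major-supported", "show version", r"Version (12|15)\.", True),
    ("password-encryption", "show running-config", r"^service password-encryption$", True),
    ("no-enable-password", "show running-config", r"^enable password\b", False),
    ("http-server-off", "show running-config", r"^no ip http server$", True),
    ("vty-no-telnet", "show running-config", r"^transport input .*\btelnet\b", False),
    ("syslog-enabled", "show logging", r"^Syslog logging: enabled", True),
]

def normalize(outputs):
    """Return an in-memory XML tree: <device><command name=...><line>...</line>."""
    root = ET.Element("device")
    for name, text in outputs.items():
        cmd = ET.SubElement(root, "command", name=name)
        for raw in text.splitlines():
            if raw.strip() and not raw.startswith("!"):  # skip blanks/comments
                ET.SubElement(cmd, "line").text = raw.strip()
    return root

def evaluate(root):
    """Run every signature against the normalized lines of its command."""
    results = {}
    for sig_id, command, pattern, must_match in SIGNATURES:
        lines = [e.text for e in root.findall(f"./command[@name='{command}']/line")]
        found = any(re.search(pattern, line) for line in lines)
        results[sig_id] = "PASS" if found == must_match else "FAIL"
    return results

def scan(outputs):
    root = normalize(outputs)
    try:
        return evaluate(root)
    finally:
        root.clear()  # discard the normalized data once the checks finish
```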
To see a demo of this new feature, please view the Cisco IOS Scanning Demo.