Qualys Blog

www.qualys.com

Configuration Scanning of Cisco IOS

If you are one of the many customers requesting support for Cisco IOS scanning within QualysGuard, your request has been answered.  With the release of QualysGuard 6.17, which marks the beginning of QualysGuard Policy Compliance 3.0, users can now scan for configuration settings on Cisco IOS 12.x and 15.x devices within Policy Compliance.

Why Cisco IOS?

With the expansion of Policy Compliance technology coverage for Operating Systems and Databases over the past few years, the next logical technology coverage was network devices.  As the leader in networking devices, Cisco, and its operating system Cisco IOS, was the primary focus from our existing customers.  In addition, Cisco IOS has well established benchmarks, including the Center for Internet Security (CIS).

Scanning Cisco IOS

Traditional agent-based solutions have always struggled with collecting Cisco IOS configuration data as organizations would not allow a permanent agent to reside on the device.  Other tools, such as the Center for Internet Security (CIS) Router Audit Tool (RAT), pulled the configurations remotely, but could not scale to hundreds or thousands of devices easily.  Now with agentless, authenticated scanning, organizations can easily collect Cisco IOS configurations on a mass scale.

QualysGuard Policy Compliance 3.0 uses a new Cisco IOS record, which is a modified SSH/Telnet record used for Unix, to provide credentials for agentless, authenticated scanning of Cisco IOS devices.  The new record supports an optional, second password for the enable prompt to execute the following commands: show version, show logging, and show running-config.  The output of these commands are normalized into an XML file in memory on the scanner appliance where signatures are executed to verify configuration settings.  By storing the output on the scanner appliance, QualysGuard minimizes any impact to the actual device during the scan.  Once the signatures are completed, the XML file is deleted from memory.

Demo

To see a demo of this new feature, please view the Cisco IOS Scanning Demo.

2 responses to “Configuration Scanning of Cisco IOS”

  1. Is it documented somewhere what commands are run on the command line during compliance scanning? I assume these are different to those run during vuln scanning (which appear to be documented on another post).

Leave a Reply