Cisco ASA Detection


#1

Be gentle, this is my first post. Apologies in advance if I do something wrong.

I need help with getting my setup to detect a Cisco ASA-5516-X firewall. It comes back with being unable to identify the OS message, and that’s all. The scan can detect the FirePOWER side, but not on the firewall side. I have tried searching for a solution but only kicked up one article from Feb 2017 that sounded similar, but the thread seemed to identify shortcomings in OpenVAS that were corrected. My feeds and system are up to date, so that should not be the issue, but I have no idea what to check to get it to work.

Can somebody give me an idea or suggestion?


#2

A Cisco ASA specific detection is currently available via three methods:

  1. Authenticated SSH login to the appliance
  2. SSL VPN / WebVPN HTML Login page via HTTP
  3. SNMP sysDescr

A SSH login (1.) needs to be configured separately in your scan by following Authenticated Scan using Local Security Checks.

For SNMP (3.) the above might be required too if the service isn’t using a “public” community.

Generally i might be also possible that the mentioned methods above are missing the detection due to unexpected results / answers. In this case it could be required that you need to provide more information (like a snmpwalk against the SNMP service or the content of a HTTP login page) so that the Detection can be updated.

Additionally you could also have a look at your reports for the information mentioned here which could provide additional information about your target which could help to update / improve the detection:


#3

Thank you for a pretty straightforward explanation. We opted for #1 as being the simplest. As a followup question, what level of access to the Cisco appliance is needed to ensure it can perform scans as they are intended?


#4

Have a look at https://docs.greenbone.net/GSM-Manual/gos-4/en/vulnerabilitymanagement.html#requirements-on-target-systems-with-cisco-os

Please note that up-to-date Cisco checks are not part of the community feed (GCF) but rather in the Greenbone Security Feed (GSF).


#5

Precisely what I needed. Thanks.