agasapo
asked on
Nessus Scan on Cisco ASA5510
We have a third party company coming in to do a Nessus Scan for vulnerabilities on our Cisco ASA5510. They informed us that we would have to open up an SSH port on the Cisco in order to do a proper full scan. Any recommendations on procedures to allow a Nessus scan on a Cisco ASA5510?
ASKER CERTIFIED SOLUTION
Actually for Nessus, it is also parsing the config, i.e. the plugin does the below:
- grabs a copy of the configuration file, it does not run any commands against the device except 'show running', 'show config', or 'show startup'
- parse the config obtained
- look for the information it requires to check against.
The Cisco FW uses these commands, so the only difference in your scans would be the checks in the audit file, as they are based on the CIS benchmarks for each device.
Also if they do scan remotely via the FW, whitelist only that IP and close it once done.
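The answer above describes the plugin's workflow (grab the config, parse it, check it against audit items) and recommends whitelisting only the scanner's IP and closing access afterwards. The following Python script is an added example, not code from the original post or from Tenable, that performs the same kind of offline audit on a constructed ASA `show running-config` excerpt. The config text, the scanner address `203.0.113.10` (documentation range) and the three checks (SSH on the scan interface limited to the scanner's /32, `ssh version 2` enforced, no telnet management access) are assumptions chosen for illustration, not the contents of any real audit file.

```python
"""Offline audit of a Cisco ASA running-config: parse, then check.

Added example. SAMPLE_CONFIG is constructed for illustration and is not a
real device's configuration; the checks are a hypothetical subset of
CIS-style items, not Tenable's audit file.
"""
import ipaddress
import re

# Constructed 'show running-config' output (not from a real ASA).
SAMPLE_CONFIG = """\
: Saved
ASA Version 8.2(5)
hostname asa-edge
ssh 203.0.113.10 255.255.255.255 outside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
http server enable
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
# 'ssh <ip> <mask> <interface>' and 'telnet <ip> <mask> <interface>' statements
SSH_SOURCE = re.compile(rf"^ssh\s+({IPV4})\s+({IPV4})\s+(\S+)$")
TELNET_SOURCE = re.compile(rf"^telnet\s+{IPV4}\s+{IPV4}\s+\S+$")


def parse_config(text):
    """Split config output into stripped lines, dropping blanks and ': ' comments."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith(":")]


def ssh_sources(lines):
    """Return (network, interface) for every SSH management-access statement."""
    out = []
    for ln in lines:
        m = SSH_SOURCE.match(ln)
        if m:
            # ipaddress accepts dotted-quad masks: '203.0.113.10/255.255.255.255'
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            out.append((net, m.group(3)))
    return out


def audit(text, scanner_ip, scan_interface="outside"):
    """Return a list of findings; an empty list means the config passed all checks."""
    lines = parse_config(text)
    findings = []
    scanner = ipaddress.ip_address(scanner_ip)

    # Check 1: SSH on the scan interface is limited to exactly the scanner's /32.
    external = [(n, i) for n, i in ssh_sources(lines) if i == scan_interface]
    if not external:
        findings.append(f"no ssh source permitted on {scan_interface}")
    for net, iface in external:
        if net.prefixlen != 32 or scanner not in net:
            findings.append(f"ssh on {iface} allows {net}, expected only {scanner}/32")

    # Check 2: SSH protocol version 2 is enforced.
    if "ssh version 2" not in lines:
        findings.append("ssh version 2 not enforced")

    # Check 3: no cleartext telnet management access anywhere.
    if any(TELNET_SOURCE.match(ln) for ln in lines):
        findings.append("telnet management access enabled")
    return findings


def post_scan_check(text, scan_interface="outside"):
    """After the scan, list SSH sources still open on the scan interface (should be empty)."""
    return [str(net) for net, iface in ssh_sources(parse_config(text))
            if iface == scan_interface]


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, "203.0.113.10"):
        print("FINDING:", f)
    print("still open on outside after scan:", post_scan_check(SAMPLE_CONFIG))
```

Run against the constructed config with the expected scanner address, the only finding is the telnet line; run with a different scanner address, the outside SSH entry is also reported because it no longer matches the whitelisted host. `post_scan_check` is the "close it once done" step as a check: once the temporary `ssh ... outside` line is removed, it returns an empty list.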
'show running' should suffice for offline audit.