<div>
They dont need live SSH access.<br />
'show runing' should suffice for offline audit.
</div>


They dont need live SSH access.
'show runing' should suffice for offline audit.

<div>
Actually for nessus, it ia also parsing the config. I.e plugin does the below<br />
- grabs a copy of the configuration file, it does not run any commands against the device except 'show running', 'show config', or 'show startup'<br />
- parse the config obtained <br />
- look for the information it requires to check against. <br />
<br />
The Cisco FW uses these commands so the only difference in your scans would be that the check in the audit file as they were based on the CIS benchmarks for each device.<br />
<br />
Also if they do scan remotely via the FW, whitelist only that IP and close it once done.
</div>


Actually for nessus, it ia also parsing the config. I.e plugin does the below
- grabs a copy of the configuration file, it does not run any commands against the device except 'show running', 'show config', or 'show startup'
- parse the config obtained
- look for the information it requires to check against.

The Cisco FW uses these commands so the only difference in your scans would be that the check in the audit file as they were based on the CIS benchmarks for each device.

Also if they do scan remotely via the FW, whitelist only that IP and close it once done.

<div>
<div class="content wysiwyg-content">
We have a third party company coming in to do a Nessus Scan for vulnerabilities on our Cisco ASA5510. They informed us that we would have to open up an SSH port on the Cisco in order to do a proper full scan. Any recommendations on procedures to allow a Nessus scan on a Cisco ASA5510?
</div>
</div>


We have a third party company coming in to do a Nessus Scan for vulnerabilities on our Cisco ASA5510. They informed us that we would have to open up an SSH port on the Cisco in order to do a proper full scan. Any recommendations on procedures to allow a Nessus scan on a Cisco ASA5510?

Nessus Scan on Cisco ASA5510

Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).

Cisco

A vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness, known as the attack surface. Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. Other vulnerabilities include security risks, security defects and constructs in programming languages that are difficult to use properly.

Vulnerabilities

Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.

Hardware Firewalls

Network security consists of the policies adopted to prevent and monitor authorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, and covers a variety of computer networks; conducting transactions and communications among businesses, government agencies and individuals. Networks can be private, such as within a company, and others which might be open to public access.