Firewall Wizards mailing list archives
Re: SNMP RW ASA 7.2.1
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Fri, 21 Jul 2006 15:19:38 -0400 (EDT)
My error, missed a few lines in the paste, here is the full story;

July 19, Security Focus
Retired: Cisco Security Monitoring Analysis and Response System multiple vulnerabilities. Cisco Security Monitoring, Analysis and Response System (CSMARS) is prone to multiple vulnerabilities.

Analysis: To include privilege escalation, arbitrary command execution, and information disclosure issues. An attacker could exploit these issues to retrieve potentially sensitive information and possibly execute arbitrary commands with Super User privileges. This may facilitate a remote compromise of affected computers.

Vulnerable: Cisco CSMARS 4.1.5; Cisco CSMARS 4.1.3; Cisco CSMARS 4.1.2; Cisco CSMARS 4.1.

Solution: Fixes are available. Refer to the Cisco advisory for details: http://www.securityfocus.com/bid/19071/references

Source: http://www.securityfocus.com/bid/19071/references

Thanks,

Ron DuFresne

On Thu, 20 Jul 2006, Pablo Pérez wrote:
Thanks a lot for your cooperation, it was very helpful.

Regards.-

Pablo

_____

From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Victor Williams
Sent: Wednesday, July 19, 2006 07:23 p.m.
To: Firewall Wizards Security Mailing List
Cc: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] SNMP RW ASA 7.2.1

Well, notice I said the VMS replacement. VMS 2.3 will not let you do anything but collect syslogs from a 7.2.x ASA or PIX device. You can't manage the configuration or anything like that. You have to go back to 6.3.5 PIX OS or earlier for true management capabilities. You can still collect syslog messages from the PIX and do reports on them tho...HTML or PDF format I believe are your only options.

VMS with the Firewall Manager add-on (free if you bought the VMS suite) allowed you to collect the system configuration via PDM or SNMP (assuming you were using 6.3.5 OS or before) and then re-apply it with the RW ability of SNMP or through PDM. Personally, it never worked like I wanted it to, and the syntax/display of the VPN configuration for a PIX always looked completely stupid (unintuitive) to me in the VMS interface, so I always reverted to managing all those devices at the command line...i.e. it was a worthless tool for my tastes. Basically what I wanted was a pretty report on denied messages of any kind (for the managers that like that sort of thing) and any other message of higher severity than warning...which was the stuff I was actually interested in. Throw in the fact that you had to have ONE specific version of the Java runtime for everything to work right (always the version that interferes with everything else you're doing on your PC), and I was completely disenchanted.

The replacement for VMS 2.3 (called Cisco Security Monitoring, Analysis and Response System (CS-MARS)) will let you manage all the current security-related products as well as monitor them from a semi-central location. This would include ASA and VPN 3000 series devices, the IDS/IPS add-on to the ASA devices, as well as the security agents that get loaded on Windows/Unix/Linux hosts. I haven't actually used it, but seen it in action at a customer NOC. However, the ONE specific Java requirement for it all to work right is still there...so I won't be using it anytime soon.

Regarding the monitoring that I wanted to do, I wanted to see certain denied messages or error messages, as well as get reports on those. I also wanted to get alerted when something like the active firewall in an active/failover pair failed and the failover one picked up. Basically, the only way I got it to work like I wanted and to get an alert in near real-time (page me or send an email to my mobile device), I used a combination of SNMPc and AdventNet's Firewall Analyzer. SNMPc for the uptime/downtime/alert monitoring, AdventNet's Firewall Analyzer for the pretty reports to managers that don't mean a thing 99.999% of the time except to tell you that Blaster and Code Red are still alive and well.

Since pre-7.x PIXen didn't send SNMP traps for anything but like 8 different things except via Syslog, you need to have a syslog collector/parser that does it while it's receiving the syslog. SNMPc does that, and you can program the action it takes depending on what the syslog message is. So if you received a SNMP trap via syslog protocol that stated you had a failover action in a pair of firewalls, that's what would get sent to you via whatever action you specified. In this case, an SMTP email sent to my cell phone.

Given the choice again, I wouldn't spend the time/money on the Cisco management solution unless I needed to monitor/manage LOTS of Cisco-only infrastructure. The current situation doesn't call for it, so a roll-your-own OSS setup or a cheap software solution (sub $4k) works the same in our situation. I just don't have the time to roll my own anything...so I always look for something low-$$ that does a specific task and isn't dependent on ONE version of (insert software name here) to work correctly.

Brian Loe wrote:

What exactly does VMS do that's special so far as communication goes? Even on older boxen it's able to see tunnel traffic - where is it pulling it from? It's not available via SNMP...

I'd like to avoid VMS and use all open-source tools. Not even for management, really, just monitoring and such.

On 7/19/06, Victor Williams <vbwilliams () neb rr com> wrote:

I'm pretty sure they removed RW access because the management interfaces for the ASA units are now SSH and/or SSL/TLS. Basically, if you want anything other than logging/alerting remotely (outside of SSH command line access), you have to use ASDM or Cisco's new replacement of VMS which lets you manage 7.x ASA and/or PIX units as well as VPN concentrators.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
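The syslog-driven monitoring Victor Williams describes in the quoted message above (a report on denied messages, attention to anything more severe than warning, a page on failover), as an added Python example that is not part of the original thread or any poster's code. The sample lines are constructed, and the failover message IDs are an assumption to confirm against the syslog message guide for the OS version in use.

```python
import re
from collections import Counter

# Cisco firewall syslog tag: %<PIX|ASA>-<severity>-<message id>: <text>
TAG = re.compile(r"%(?:PIX|ASA)-([0-7])-(\d{6}): (.*)")
WARNING = 4  # syslog severities: 0 is most severe, 7 is debug
# Assumption: IDs of the failover role-change messages; confirm them in the
# syslog message guide for the OS version actually deployed.
FAILOVER_IDS = {"104001", "104002"}
DENY = re.compile(r"\b(?:deny|denied)\b", re.IGNORECASE)

def route(line):
    """Return the set of actions for one syslog line (empty if nothing applies)."""
    m = TAG.search(line)
    if not m:
        return set()
    severity, msg_id, text = int(m.group(1)), m.group(2), m.group(3)
    actions = set()
    if msg_id in FAILOVER_IDS:
        actions.add("page")      # near-real-time notification
    if severity < WARNING:
        actions.add("alert")     # more severe than warning
    if DENY.search(text):
        actions.add("report")    # counted for the denied-traffic report
    return actions

def summarize(lines):
    """Count lines per action across a batch, as a report generator would."""
    counts = Counter()
    for line in lines:
        counts.update(route(line))
    return dict(counts)

# Constructed sample input, not captured from a real device.
SAMPLE = [
    "Jul 19 19:02:11 fw1 %PIX-1-104001: (Secondary) Switching to ACTIVE (cause: other unit failed)",
    'Jul 19 19:02:15 fw1 %PIX-4-106023: Deny tcp src outside:192.0.2.10/4444 dst inside:10.0.0.5/135 by access-group "outside_in"',
    "Jul 19 19:02:20 fw1 %PIX-2-106001: Inbound TCP connection denied from 192.0.2.10/4445 to 10.0.0.5/445 flags SYN on interface outside",
    "Jul 19 19:02:30 fw1 %ASA-6-302013: Built outbound TCP connection 1234 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.0.0.9/51000 (10.0.0.9/51000)",
    "Jul 19 19:02:31 fw1 %ASA-3-210007: LU allocate xlate failed",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(sorted(route(line)) or ["ignore"], line)
    print(summarize(SAMPLE))
```

A line can carry more than one action: a denied connection logged at severity 2 is both counted for the report and raised as an alert.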