Monitoring CISCO Credentialed Scanning

by Ron Gula
October 25, 2011

Final

This dashboard was designed to assist in monitoring the status of CISCO credentialed scanning over SSH in support of compliance auditing. It highlights network-level blockages (SSH ports that are not reachable) and host-level failures (logons that are rejected or cannot run the audit).

When rolling out CISCO credentialed scanning for the first time across an enterprise, it is important to understand how successful the credentialed scans are and to identify blockages and failures. It is equally important, on an ongoing basis, to keep monitoring the success of credentialed scanning, because network and host changes can disrupt it after the initial rollout.

The dashboard consists of six components that rely on the following plugins, which must be enabled in the credentialed scan policy:

  • 19506 Nessus Scan Information
  • 11936 OS Identification
  • 21745 Authentication Failure - Local Checks Not Run
  • 10267 SSH Server Type and Version Information

The "Appliance interfaces available with SSH port" matrix component indicates the percentage of CISCO appliance management interfaces on which TCP port 22 is found open by a Nessus server. If your management interfaces run SSH on another port, you will need to modify the matrix to reflect the correct SSH service port.

The "Accessible appliance interface authentication services" matrix component highlights the percentage of management interfaces whose SSH service is reachable by a Nessus server, which is a prerequisite for compliance auditing. The "OS Identification" table component lists the CISCO appliance platforms being audited with a credentialed scan, as reported by plugin 11936.

If a logon fails, or the logon session does not provide the access needed to perform a compliance audit, authentication is reported as failed; the "Appliance Failed Logons" matrix component shows this as a percentage of the hosts audited. The authentication failure status comes from plugin 21745 reporting a problem. The management interface IP address and DNS name of each failed authentication are listed in the "Appliance Failed Logon Details" table component.

Please note that the dashboard components do not distinguish between the hosts you are scanning with CISCO SSH credentials and those you are not. You may wish to modify the components to filter by an asset list, or alternatively provide the dashboard to a SecurityCenter user whose view is already restricted to the CISCO appliance assets you are scanning with credentials. A quick way to tell whether you need to filter the components is to look at the list of appliance platforms in the "OS Identification" table component: any platform that is not a CISCO appliance means other hosts are being counted in the percentages.
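The checks behind the components above, and the asset-filtering caveat, worked through against a .nessus export, as an added example that is not part of the original dashboard or Tenable's own code. The plugin IDs are the ones listed above; the scan XML, host names and addresses are constructed sample data, and the `cisco_only` filter stands in for the asset-list filtering the text recommends. Running it shows how one unfiltered Linux host shifts every percentage.

```python
# Added illustration for this page, not Tenable or SecurityCenter code.
# It reproduces the dashboard's figures from a .nessus (v2) export so the
# numbers SecurityCenter will show can be sanity-checked before rollout.
import xml.etree.ElementTree as ET

SSH_PORT = 22  # adjust if management SSH listens on a non-standard port

# Plugin IDs named on the page
PLUGIN_OS_ID = "11936"        # OS Identification
PLUGIN_AUTH_FAIL = "21745"    # Authentication Failure - Local Checks Not Run
PLUGIN_SSH_VERSION = "10267"  # SSH Server Type and Version Information

# Constructed sample: three Cisco management interfaces and one Linux host.
# 10.0.0.2 has TCP 22 open but the logon is rejected (host-level failure);
# 10.0.0.3 never shows TCP 22 open (network-level blockage).
SAMPLE_NESSUS = """<NessusClientData_v2>
<Report name="cisco-audit">
<ReportHost name="10.0.0.1">
 <HostProperties>
  <tag name="host-ip">10.0.0.1</tag>
  <tag name="host-fqdn">core-sw1.example.net</tag>
  <tag name="operating-system">Cisco IOS 15.0</tag>
 </HostProperties>
 <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="10267" pluginName="SSH Server Type and Version Information"/>
 <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="11936" pluginName="OS Identification"/>
</ReportHost>
<ReportHost name="10.0.0.2">
 <HostProperties>
  <tag name="host-ip">10.0.0.2</tag>
  <tag name="host-fqdn">edge-fw1.example.net</tag>
  <tag name="operating-system">Cisco ASA 9.1</tag>
 </HostProperties>
 <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="10267" pluginName="SSH Server Type and Version Information"/>
 <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="11936" pluginName="OS Identification"/>
 <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="21745" pluginName="Authentication Failure - Local Checks Not Run">
  <plugin_output>Constructed sample output: the SSH logon was rejected.</plugin_output>
 </ReportItem>
</ReportHost>
<ReportHost name="10.0.0.3">
 <HostProperties>
  <tag name="host-ip">10.0.0.3</tag>
  <tag name="host-fqdn">branch-rtr7.example.net</tag>
  <tag name="operating-system">Cisco IOS XE 3.7</tag>
 </HostProperties>
 <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="11936" pluginName="OS Identification"/>
</ReportHost>
<ReportHost name="10.0.0.9">
 <HostProperties>
  <tag name="host-ip">10.0.0.9</tag>
  <tag name="host-fqdn">jump1.example.net</tag>
  <tag name="operating-system">Linux Kernel 3.2 on Ubuntu 12.04</tag>
 </HostProperties>
 <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="10267" pluginName="SSH Server Type and Version Information"/>
 <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="11936" pluginName="OS Identification"/>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_hosts(xml_text):
    """Collapse each ReportHost into the few fields the dashboard needs."""
    hosts = []
    for rh in ET.fromstring(xml_text).iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in rh.iter("tag")}
        items = rh.findall("ReportItem")
        hosts.append({
            "ip": props.get("host-ip", rh.get("name")),
            "fqdn": props.get("host-fqdn", ""),
            "os": props.get("operating-system", "unknown"),
            # any finding on tcp/SSH_PORT means Nessus saw the port open
            "ssh_port_open": any(i.get("protocol") == "tcp" and i.get("port") == str(SSH_PORT)
                                 for i in items),
            "plugins": {i.get("pluginID") for i in items},
        })
    return hosts


def cisco_only(hosts):
    """Stand-in for the asset-list filter the page recommends."""
    return [h for h in hosts if "cisco" in h["os"].lower()]


def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0


def dashboard(hosts):
    """Figures for the SSH port, SSH service, OS and failed-logon components."""
    total = len(hosts)
    failed = [h for h in hosts if PLUGIN_AUTH_FAIL in h["plugins"]]
    return {
        "ssh_port_open_pct": pct(sum(h["ssh_port_open"] for h in hosts), total),
        "ssh_port_blocked": [h["ip"] for h in hosts if not h["ssh_port_open"]],
        "ssh_service_pct": pct(sum(PLUGIN_SSH_VERSION in h["plugins"] for h in hosts), total),
        "failed_logon_pct": pct(len(failed), total),
        "failed_logon_details": [(h["ip"], h["fqdn"]) for h in failed],
        "platforms": sorted({h["os"] for h in hosts if PLUGIN_OS_ID in h["plugins"]}),
    }


if __name__ == "__main__":
    all_hosts = parse_hosts(SAMPLE_NESSUS)
    print("unfiltered:", dashboard(all_hosts))
    print("Cisco assets only:", dashboard(cisco_only(all_hosts)))
```

Hosts that appear in `ssh_port_blocked` are the network-side problems (firewall, ACL, or a non-standard port); hosts in `failed_logon_details` reached the SSH service but could not complete the audit, which points at credentials or account privileges on the appliance itself. The same split is what the matrix components let you read off at a glance.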