Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Cisco Vulnerabilities and Events

by Cody Dumont
April 25, 2016

Cisco Vulnerabilities and Events

Overlooking threat vectors in an organization can be disastrous, and network infrastructure such as routers and switches often escape the purview of vulnerability scans. Scanning network infrastructure devices is important; however, most of the useful information collected from these devices is gained through log collection.  This dashboard provides a centralized view of vulnerability and log data collected on Cisco devices such as routers, switches, and firewalls.

Performing vulnerability scans on Cisco devices is perfectly safe. However, there is a stigma surrounding vulnerability scanning a router, switch and firewall.  Due to this stigma, Cisco devices are often regulated to being scanned on monthly basis and in very limited time windows.  Creating targeted scan policies and only scanning the necessary devices can help reduce the negative stigma and allow the network team to become more comfortable with the vulnerability scanning of Cisco devices.

In addition to vulnerability scanning, SecurityCenter comes with many audit files for Cisco devices.  The audit files are automatically updated as part of the SecurityCenter plugin feed, and are now easily downloaded using the templates provided in SecurityCenter GUI.  The audit files support checks against DISA STIGs, CIS Configuration Guides, and other documented best practices.  SecurityCenter also supports editing audit files using a new GUI interface where key values such as NTP Server, Logging Server, and other settings can be easily modified.  Once downloaded, audit files can be manually edited and re-imported into SecurityCenter.  By adding audit files to vulnerability scans, the network team can obtain information of potential configuration vulnerabilities found in the Cisco device configurations.

During the times between vulnerability and audit scans, the Passive Vulnerability Scanner (PVS) can detect over 100 Cisco vulnerabilities, such as ACL bypass, shell detection, SNMP configuration, VPN detections, and TFTP usage.  In addition to PVS, the Log Correlation Engine (LCE) can also be used to collect logs and NetFlow from Cisco devices.  By collecting logs, LCE can identify Cisco devices, software version, and other possible vulnerabilities.  LCE also normalizes over 1000 syslog events for easier analysis and threat detection.

When incorporating SecurityCenter Continuous View (CV) into the daily operations of both the network team and security team, the overall improvement of security will increase.  Using vulnerability and audit scans, along with PVS and log collection, the organization will be able to gain a clear view of the risks and security concerns of the Cisco devices.

The dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards and assets.  The dashboard can be easily located in the SecurityCenter Feed under the category Threat Detection & Vulnerability Assessments. The dashboard requirements are:

  • SecurityCenter 5.1.0
  • Nessus 6.5.6
  • LCE 4.8.0

SecurityCenter Continuous View (CV) is the standard by which other solutions should measure themselves.  SecurityCenter CV provides continuous network monitoring to identify vulnerabilities, reduce risk, and ensure compliance. Continuous monitoring with SecurityCenter CV allows for the most comprehensive and integrated view of network health.   SecurityCenter CV supports more technologies than any other vendor including operating systems, network devices, hypervisors, databases, tablets, phones, web servers, and critical infrastructure.  The tight integration of vulnerability analysis, compliance review, and log correlation can help to make your Cisco network infrastructure more secure and stable.


Cisco Vulns and Events - Cisco Event By Type: This matrix provides indicators for the event types attributed to Cisco events.  The indicators provide an easy-to-use method for analyzing log data. 

Credentialed Cisco Scanning - Appliance Interfaces Available with SSH Port: This matrix component indicates the percentage of Cisco hosts with vulnerabilities discovered on TCP port 22 (SSH). Nessus uses Secure Shell (SSH) for credentialed scans on Cisco devices. Nessus supports three types of authentication methods for use with SSH: username and password, public/private keys, and Kerberos. If SSH servers are running on another port, the scan policies will need to be modified, and the filter in this matrix will need to be modified to reflect the correct SSH service port.

Credentialed Cisco Scanning - OS Identification: This table component displays the various Cisco appliances being audited with credentialed scans. This table is sorted by OS count and displays the OS version, count, and detection method. This information is useful to an analyst who needs to know the number of Cisco platforms that are being scanned in the network environment. This component filters using passive and active plugins to locate all Cisco systems. The OS Identification plugins use several techniques to identify the OS, with differing levels of confidence. This component uses the vulnerability text string “cisco” in conjunction with plugin IDs.

Cisco Vulns and Events - Vulnerabilities by Search Method: This matrix provides an easy and effective method to locate all Cisco related vulnerabilities, using three common search methods.  The first method uses the Plugin Family as the filter, which is comprised of Active plugins. Active plugins are used by Nessus to identify vulnerabilities.  The  second row uses the Plugin Name, which encompasses Active, Passive, and Event based plugins.  The third row uses Common Platform Enumeration (CPE) as the search string to identify vulnerabilities.  This method is useful for finding software components such client software or packages that may be manufactured by Cisco, but do not use Cisco in the name of the product.

Cisco Vulns and Events - Event Subnet Usage: This table provides a summary by subnet of logs attributed to a subnet where hosts reside.  The component searches for Cisco in the Normalized Event name, and then summarizes the based on a 24 Bit Classless Inter-Domain Boundary (CIDR).  The analysts should monitor this component for sudden changes over time and then investigate as necessary.

Cisco IOS Audit Results - Compliance Summary: When performing configuration audit of systems in accordance with a GRC program, security analysts can benefit from a summary view of the data set.  The Cisco IOS Compliance Summary table provides a high-level view of the Cisco IOS compliance status.

Cisco Vulns and Events - Vulnerabilities by Subnet: This chart provides a summary by subnet for the top 10 most vulnerable subnets with respect to Cisco vulnerabilities.  The chart uses the searches with Plugin Name filter of “Cisco” and the returns the results for each subnet along with a 24 Bit Classless Inter-Domain Boundary (CIDR). 

Try for Free Buy Now

Try Tenable.io


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning


Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.



Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security


Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Get a Demo

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin


Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a Demo

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.

Request a Demo


Continuously detect and respond to Active Directory attacks. No agents. No privileges. On-prem and in the cloud.