Cisco IOS Webcast: Q&A Responses

Document created by malderman on Jun 17, 2011

We would like to thank everyone for their attendance at the Cisco IOS webcasts held June 7th in the EU and June 14th in the US.  There were a number of great questions.  Below is a summary of the questions and answers from both sessions by topic:

Architecture

Q: Over which protocol does this solution communicate?

 

A: Authentication is via SSH.  Communication between the scanner appliance and our Secure Operations Center is via SSL, port 443.

 

Q: Is DNS resolution possible from Qualys?

 

A: The QualysGuard scanner appliances can resolve DNS.

 

Q: If we have intermediate devices for authentication (UNIX jump hosts), how does Qualys work in this environment?

 

A: QualysGuard Policy Compliance cannot currently proxy through another host.  We must authenticate directly to the device.

 

Q: How are the Cisco config files stored within Qualys secured?  Where are the results from sh run, sh ver and sh logg sent: the appliance or the portal?  Are these output results deleted after analysis?  Will the report show the running config?  How does Qualys protect the data collected from the show run command?

 

A: They are only stored in memory on the scanner appliance for analysis.  Once the analysis is complete, they are removed from memory.

 

Q: Is the device password removed from the reports?  How is the encrypted display of the password protected in the report?

 

A: The password is not displayed in the report.

Authentication

Q: Where are the authentication records stored?

 

A: Cisco IOS authentication records are stored in the QualysGuard platform.

 

Q: How do you authenticate to the devices? Can it utilize centralized authentication like TACACS?

 

A: We authenticate using SSH.  We support username, password and enable password, as well as RADIUS and TACACS.

 

Q: Are these scans handled the same as other/ordinary authenticated scans?

 

A: Yes, within Policy Compliance.  In the case of Cisco IOS, there is a new authentication record that uses SSH for authentication.

 

Q: Does the scanner retain credentials for the target devices?

 

A: Only for authentication.  Once authenticated, the scanner removes the credentials from memory.

 

Q: How do you manage authentication with many different devices and combinations of user id/passwords? Especially for newly discovered devices?

 

A: Authentication records are required for each username/password combination.  Using a centralized username/password for all devices will ease management.

Competition

Q: How is this solution better than the BladeLogic Network Automation tool, which also reports on configuration settings?

 

A: After doing some additional research, I found that BladeLogic uses an agent in their solution.  The agent is primarily used for provisioning and configuration changes, with limited compliance capabilities according to a BMC representative that I spoke with.  QualysGuard Policy Compliance uses agent-less scanning to collect this data and does not impact the performance of the device.  In addition, QualysGuard is a good external auditor to a solution like BladeLogic.

Configuration Content/Checks

Q: Which things are checked?  Can you discuss the types of configuration issues that can be analyzed?  What sort of standards are the configurations based on?  How do you cover the standard CIS Cisco IOS benchmark?  Are there specific QIDs we can review in the knowledge base that relate to Cisco scanning?

 

A: This capability is part of the Policy Compliance module and does not use QIDs.  The current list of controls has been created using the Center for Internet Security (CIS) benchmark.  The current list of configuration checks is available in the Controls section of the Policy Compliance module.  There is also a list on the Qualys Community at https://community.qualys.com/docs/DOC-2733.

 

Q: How do you handle IOS version-based default settings?

 

A: If there are differences in default settings by version, we recommend a different policy for each technology version.  During the scan, we pull the actual result and use the policy to determine pass/fail criteria.

 

Q: What issues/limitations are there with regards to versions of IOS?  E.g., a router model may have 2 or 3 IOS versions deployed in the enterprise with the same settings represented differently.  Is it intelligent enough to differentiate?

 

A: If there are different baselines for different versions, then additional policies should be created by version.  Once we authenticate, we execute 'show version' to get the specific version.  However, when we analyze the settings, we return the actual value to compare to the policy.  Therefore, multiple baselines require multiple policies for evaluation.

 

Q: Our current Qualys results are good at pointing you in the right direction for remediation.  Will this IOS-based system do the same and/or provide workarounds?

 

A: In the case of Cisco IOS, we are checking configurations using Policy Compliance.  We add the specific filters we are checking within the running configuration in the extended evidence section of reports.  This information will help in identifying remediation areas.
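The two answers above describe the evaluation flow: collect 'show version' and the running configuration over SSH, pick the policy that matches the technology version, compare the actual values against the policy, and return the matching configuration lines as extended evidence, with the device password never shown in the report.  The following script is an added example written for this page, not Qualys code and not the Qualys control list.  The 'show version' and 'show running-config' text is constructed sample output standing in for an SSH session, and the controls are a hand-picked subset modelled on CIS-style Cisco IOS benchmark items; the way the 15.x policy differs from the 12.x policy (an extra SSHv2 check) is an assumption made purely to illustrate one-policy-per-version.

```python
"""Illustrative Cisco IOS configuration audit (added example, not Qualys code).

Flow: parse 'show version' -> select a policy by IOS major version ->
evaluate each control against the parsed running config -> return pass/fail
with evidence lines from which secrets have been redacted.
"""
import re
from dataclasses import dataclass

# Constructed sample device output (stands in for data collected over SSH).
SHOW_VERSION = (
    "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), "
    "Version 15.1(4)M4, RELEASE SOFTWARE (fc1)\n"
    "Router uptime is 3 weeks, 2 days, 4 hours, 11 minutes\n"
)
SHOW_RUN = """\
version 15.1
service password-encryption
hostname edge-rtr1
!
enable secret 5 $1$abcd$EXAMPLEHASHxxxxxxxxxxx
username admin privilege 15 secret 5 $1$efgh$EXAMPLEHASHyyyyyyyyyy
!
ip http server
no ip http secure-server
!
line vty 0 4
 transport input ssh
 exec-timeout 10 0
line vty 5 15
 transport input telnet ssh
!
end
"""

Block = tuple[str, list[str]]  # (top-level config line, its indented sub-lines)


def ios_major_version(show_version: str) -> int:
    """Extract the major IOS version (12, 15, ...) from 'show version' output."""
    m = re.search(r"\bVersion (\d+)\.(\d+)", show_version)
    if not m:
        raise ValueError("could not find 'Version x.y' in show version output")
    return int(m.group(1))


def parse_config(show_run: str) -> list[Block]:
    """Group running-config text into top-level lines and their sub-lines."""
    blocks: list[Block] = []
    for raw in show_run.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


# Matches 'secret 5 <hash>', 'password 7 <hex>', 'password <clear>'.
SECRET_RE = re.compile(r"\b(secret|password)(\s+\d)?\s+\S+")


def redact_secrets(line: str) -> str:
    """Mask the value after 'secret'/'password' so evidence never carries it."""
    return SECRET_RE.sub(lambda m: f"{m.group(1)}{m.group(2) or ''} <redacted>", line)


@dataclass
class CheckResult:
    control: str
    passed: bool
    evidence: list[str]  # matching config lines, redacted before reporting


def _top_level(blocks: list[Block]) -> list[str]:
    return [parent for parent, _ in blocks]


def check_password_encryption(blocks: list[Block]) -> CheckResult:
    hits = [l for l in _top_level(blocks) if l == "service password-encryption"]
    return CheckResult("service password-encryption enabled", bool(hits), hits)


def check_enable_secret(blocks: list[Block]) -> CheckResult:
    hits = [l for l in _top_level(blocks) if l.startswith(("enable secret", "enable password"))]
    ok = any(l.startswith("enable secret") for l in hits) and \
        not any(l.startswith("enable password") for l in hits)
    return CheckResult("enable secret used instead of enable password", ok, hits)


def check_http_server_disabled(blocks: list[Block]) -> CheckResult:
    # 'ip http server' in the running config means enabled; 'no ip http server' means disabled.
    hits = [l for l in _top_level(blocks) if l.endswith("ip http server")]
    return CheckResult("ip http server disabled", "ip http server" not in hits, hits)


def check_vty_ssh_only(blocks: list[Block]) -> CheckResult:
    evidence, ok = [], True
    for parent, children in blocks:
        if not parent.startswith("line vty"):
            continue
        transport = [c for c in children if c.startswith("transport input")]
        evidence.append(f"{parent}: {', '.join(transport) or 'no transport input'}")
        if transport != ["transport input ssh"]:
            ok = False
    return CheckResult("vty lines accept SSH only", ok, evidence)


def check_ssh_v2(blocks: list[Block]) -> CheckResult:
    hits = [l for l in _top_level(blocks) if l == "ip ssh version 2"]
    return CheckResult("ip ssh version 2 configured", bool(hits), hits)


def select_policy(major: int):
    """One policy per technology version.  The split is an assumption for this
    example: the 15.x policy adds an SSHv2 check on top of the shared base."""
    base = [check_password_encryption, check_enable_secret,
            check_http_server_disabled, check_vty_ssh_only]
    return base + [check_ssh_v2] if major >= 15 else base


def audit(show_version: str, show_run: str) -> list[CheckResult]:
    """Evaluate the version-appropriate policy; evidence is redacted on the way out."""
    blocks = parse_config(show_run)
    results = []
    for check in select_policy(ios_major_version(show_version)):
        r = check(blocks)
        r.evidence = [redact_secrets(e) for e in r.evidence]
        results.append(r)
    return results


if __name__ == "__main__":
    for r in audit(SHOW_VERSION, SHOW_RUN):
        print(f"{'PASS' if r.passed else 'FAIL'}  {r.control}")
        for e in r.evidence:
            print(f"        evidence: {e}")
```

On the constructed sample the audit passes the password-encryption and enable-secret controls and fails the HTTP server, VTY transport (line vty 5 15 still accepts telnet) and SSHv2 controls; the enable-secret evidence line reads `enable secret 5 <redacted>`, which is the point of redacting at the evidence boundary rather than in the report template.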

 

Q: Is this just configuration management?  Can you speak to the vulnerability detection aspect?

 

A: We already check vulnerabilities for Cisco IOS as part of Vulnerability Management.  This presentation was specific to configuration audit of Cisco IOS using Policy Compliance.

Licensing

Q: Is the license fee charged on a per-IP basis?

 

A: Yes, it is per IP within the Policy Compliance module.

 

Q: If you already have a scanning appliance used for vulnerability scanning, do you need an additional module for this?

 

A: This capability is part of Policy Compliance, which is an additional module.  The scanner appliance can be used for both, so no additional scanner appliances are required.

 

Q: We already have a Qualys Appliance we use for servers and desktop OS. Will scanning a range charge us for all devices in the range or just the Cisco IOS devices?

 

A: This capability is part of Policy Compliance.  It is licensed per IP and can share the same scanner appliances.

 

Q: Do you have a compliance function?

 

A: Yes, it is our Policy Compliance module which supports these capabilities.

Reporting

Q: What types of reports can be generated? Can scanning and the resulting reports be automated/scheduled?

 

A: Policy Compliance supports interactive and template reports very similar to Vulnerability Management reports.  Reports can be scheduled through the API.  We are also planning to add scheduled reporting into QualysGuard later this year.

Technology/Versions

Q: Are there any Cisco devices that this technology is NOT compatible with (e.g. Nexus7K or UCS embedded Nexus5K)?  Do you also discover Cisco ASA/Firewall devices?  Can you discover Adtran devices?

 

A: Not currently.  The initial release supports Cisco IOS 12.x and 15.x.

Webcast/Additional Materials

Q: Can I get the presentation?

 

A: The slides and recording have been posted:

 

 

Q: Can I find the step-by-step process for completing IOS authenticated scans by searching Qualys help?

 

A: The Qualys Community has the following resources on Cisco IOS:

 

https://community.qualys.com/view-blog-post.jspa?blogPost=1129&blog=1013

https://community.qualys.com/docs/DOC-2116
