Any one played with this yet? Maybe it'll make it to CPAN.
Cisco vulnerabilities
-
Originally posted by murakami: Any one played with this yet? Maybe it'll make it to CPAN.
Pretty much, it looks like someone just took the fruit roll-up approach to a bunch of existing exploits and made them kiddie-friendly. Doesn't seem real new or exciting from here unless there's something I've missed.
-
Originally posted by skroo: Pretty much, it looks like someone just took the fruit roll-up approach to a bunch of existing exploits and made them kiddie-friendly. Doesn't seem real new or exciting from here unless there's something I've missed.
-
Originally posted by murakami: What I found interesting is that I haven't seen something analogous to libwhisker for infrastructure hardware and peripherals.
From the latter point of view, there seems to be a prevailing opinion that the devices are unhackable - at least, unhackable in the sense that the same effort to find and release exploits for them isn't happening to the same degree as for <insert OS and platform here>. Which is true as far as it goes, but is not accurate at all - the effort is there, but it is very much a minority interest.
Personally, I'd like to see a Nessus or libwhisker-alike tool specifically designed to evaluate and audit infrastructure configurations. As I currently do this manually (using Ciscoworks as my main tool since there's fuck-all else available), some automation of the process would be rather nice.
-
Originally posted by 0versight: What kind of features specifically and what do you mean configurations? Something like MBSA?
Something like the MBSA would be nice, but going beyond the functionality of that tool - I'd like to see reporting for things like sloppy router configuration (default routing of traffic that could never have originated (i.e., source-spoofed) on that device), poor administrative techniques (use of telnet and http), password auditing (including TACACS), testing of configuration-related vulnerabilities (Nessus-style), loose routing protocols, etc. and other wider-span issues. In a perfect world, it'd be able to use CDP or similar to crawl out a map of the network and determine best configuration based on known topology.
Obviously, there are other things that could be a part of it that would make it a lot better to live with that I'm not thinking of here.
And while I'm dreaming, I'll take some Ferraris and a helicopter, please :)
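A sketch of the kind of automated configuration audit described in the post above, added here as an illustration and not part of the original thread or any existing tool: it parses IOS-style configuration text and flags telnet and HTTP administration, `enable password`, and addressed interfaces with no unicast RPF check. The sample configuration, function names and finding codes are constructed for this example.

```python
import re

# Constructed sample IOS-style config for illustration (not from the thread).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
enable password cisco123
ip http server
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip verify unicast reverse-path
!
line vty 0 4
 transport input telnet ssh
"""

def parse_sections(config):
    """Group indented child lines under their unindented parent command."""
    sections = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.strip() in ("", "!"):
            continue
        if line[0].isspace() and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections

def audit(config):
    """Return (scope, finding_code) tuples; codes are names chosen for this example."""
    findings = []
    for parent, children in parse_sections(config):
        if parent.startswith("enable password "):
            findings.append(("global", "ENABLE_PASSWORD"))  # prefer 'enable secret'
        elif parent == "ip http server":
            findings.append(("global", "HTTP_SERVER"))  # cleartext web management
        elif parent.startswith("line vty"):
            for child in children:
                m = re.match(r"transport input (.+)", child)
                if m and {"telnet", "all"} & set(m.group(1).split()):
                    findings.append((parent, "TELNET_VTY"))  # cleartext remote admin
        elif parent.startswith("interface "):
            has_ip = any(re.match(r"ip address \d", c) for c in children)
            has_urpf = any(c.startswith("ip verify unicast ") for c in children)
            # Only uRPF is recognised; ACL-based anti-spoofing needs manual review.
            if has_ip and "shutdown" not in children and not has_urpf:
                findings.append((parent, "NO_URPF"))
    return findings
```

A `NO_URPF` finding is a prompt for review rather than a verdict, since strict reverse-path checks are not appropriate on interfaces that carry asymmetric routing.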
-
Anyone here test out CSA (Cisco Security Agent) themselves? I've seen a few Macromedia presentations that make it look bulletproof but I was wondering if it really was all that good.
Last edited by packeteater; May 1, 2004, 22:13.
-
Originally posted by packeteater: Anyone here test out CSA (Cisco Security Agent) themselves. I've seen a few Macromedia presentations that make it look bulletproof but I was wondering if it really was all that good.
I'm presently involved with a CSA deployment that's in the final planning stages. Personally, I'm not real enthused about it because I feel that about 85% of the functionality provided by CSA can be replicated (in an Active Directory environment) by proper configuration and control of Group Policy. Most of the remaining 15% is covered by antivirus and IDS. In short: what worries me here is that CSA is going to be used in lieu of good administrative practices, rather than as a supplement to them.
Remember that it's a Host Intrusion *Prevention* System - and that Prevention part means that in order to prevent something from happening, it has to first understand what is permitted to happen. This sounds great in practice, but computers in general are relatively stupid devices. Unless a human defines 'good' and 'not good' behaviour, it won't know what to do. And even when it does know what to do, there's a good chance that when it encounters something outside of its narrow scope of understanding it'll throw up a false positive and block a legitimate activity.
Notice also that I only speak about this from a Windows perspective. There's a good reason for this: in most environments, the Windows boxes are typically the problem children from an attack perspective. Yes, CSA will run on a number of *nix platforms, but it's even more redundant there, since much of its functionality is provided by default in most *nices.
I won't even get into the bad idea that is trying to shim an OS to protect it,
Essentially it's process-level security, which is a) nothing new and better implemented elsewhere and b) all well and good right up to the point where it goes completely sideways. Always be wary of any product that claims to be the last word in locking things down on a network.
-
Yeah, good point, CSA is not the last word on network security. I did get the impression Cisco is kind of implying the end of the need for (emergency patching) and (up to date) antivirus software and security patches.
Also, since I know very little about CSA, I was wondering if it could operate on a lone workstation (home computer) or if it needed servers and other Cisco devices in order to operate.
I like CSA, and I think it would be great when combined with antivirus and firewalls.