If you are running Cisco WebVPN

Started by icecream-guy, January 30, 2018, 06:30:58 AM


deanwebb

Time to get the upgrade... and upgrade!

This is why I hate finding gear on old code with no reboot for many years... hundreds of things on it that can get ripped up that are known patched vulnerabilities.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

LynK

what security advisories are you guys running? I did not get an alert on this at all.
Sys Admin: "You have a stuck route"
            Me: "You have an incorrect Default Gateway"

deanwebb

This came up in my Cisco RSS feed yesterday. Here's the URL... http://tools.cisco.com/security/center/psirtrss20/CiscoSecurityAdvisory.xml

It works in my news reader, but never worked well with the forums here as a feed piping into a thread.

SofaKing

Networking -  You can talk about us but you can't talk without us!

deanwebb

Quote from: SofaKing on January 30, 2018, 03:33:47 PM
Quote from: deanwebb on January 30, 2018, 10:42:54 AM
Time to get the upgrade... and upgrade!

Or migrate to a new vendor  ;)

True, there's that... but most shops can't swap out the gear instantaneously. ;)

SimonV

What a shit show it has been with the ASAs in the last years. I really wonder why anyone would still even consider buying these, unless they are really ignorant about all the exploits.

wintermute000

This affects Firepower/Sourcefire as well....

deanwebb

Quote from: SimonV on January 31, 2018, 03:07:24 AM
What a shit show it has been with the ASAs in the last years. I really wonder why anyone would still even consider buying these, unless they are really ignorant about all the exploits.

Along the lines of the "accounting is architecture" line in my sig, sometimes accounting is also a big part of the vendor selection process. I always hated to hear "We'll accept the risk" as a manager signed off on a less-expensive product that had security concerns. Sometimes, it's price that drives a decision. If a company only wants to tick all the boxes on the compliance checklist, they're not going to be overly concerned with bigger issues, like actual security.

deanwebb

Quote from: deanwebb on January 30, 2018, 02:54:33 PM
This came up in my Cisco RSS feed yesterday. Here's the URL... http://tools.cisco.com/security/center/psirtrss20/CiscoSecurityAdvisory.xml

It works in my news reader, but never worked well with the forums here as a feed piping into a thread.

Trying something new with it, hope it will populate properly in Vendor Advisories... we'll see...

SofaKing

Quote from: deanwebb on January 31, 2018, 11:17:38 AM
I always hated to hear "We'll accept the risk" as a manager signed off...

This guy has a great sense of humor and his videos are generally on-point:
https://www.youtube.com/watch?v=9IG3zqvUqJY&t=3s

wintermute000

ASA: if you want a crap firewall that has lots of vulnerabilities, next-to-no NGFW functions unless you bolt on a (separate) Sourcefire VM, is earmarked for the graveyard (FTD is the future obviously) and couldn't even do routed VPNs (GRE over IPsec) or even peer BGP until a few years ago. And oh, no zones. And oh, awful central management. And no GUI (do you count ASDM? LOL). And next to no automation / terrible API.

I suppose they are usually very stable, that's all the good things I have to say about ASAs.

The only reason they ever sold was because of the badge

LynK

soo..... I just found out about this:

https://www.cisco.com/c/en/us/support/web/tools/cns/notifications.html

includes all EoL, Security, Bugs, etc, etc. NICE!

icecream-guy

Quote from: LynK on February 01, 2018, 09:39:16 AM
soo..... I just found out about this:

https://www.cisco.com/c/en/us/support/web/tools/cns/notifications.html

includes all EoL, Security, Bugs, etc, etc. NICE!

I used to use that for email notifications. Yes, it was nice, but a real PITA to go through all the selections to fine-tune what is of value. I gave up on it because I started getting TCP vulnerabilities from like 17 years ago, more than a few times.
I contacted Cisco about this, and after many humble apologies, the issue was never fixed, so I let my email notifications expire.

My Moral Fibers have been cut.

deanwebb

Quote from: SofaKing on January 31, 2018, 02:51:40 PM
This guy has a great sense of humor and his videos are generally on-point:
https://www.youtube.com/watch?v=9IG3zqvUqJY&t=3s
I lol'd

Quote from: wintermute000 on February 01, 2018, 05:10:37 AM
ASA: if you want a crap firewall that has lots of vulnerabilities, next-to-no NGFW functions unless you bolt on a (separate) Sourcefire VM, is earmarked for the graveyard (FTD is the future obviously) and couldn't even do routed VPNs (GRE over IPsec) or even peer BGP until a few years ago. And oh, no zones. And oh, awful central management. And no GUI (do you count ASDM? LOL). And next to no automation / terrible API.

I suppose they are usually very stable, that's all the good things I have to say about ASAs.

The only reason they ever sold was because of the badge

Certifications have a hand in that, as well. It's easier to find someone that learned firewall stuff on an ASA than, say, a CheckPoint. Some firms make purchasing decisions influenced by their estimate of how easy/difficult it will be to find people that can support that technology.

Quote from: ristau5741 on February 01, 2018, 10:28:07 AM
Quote from: LynK on February 01, 2018, 09:39:16 AM
soo..... I just found out about this:

https://www.cisco.com/c/en/us/support/web/tools/cns/notifications.html

includes all EoL, Security, Bugs, etc, etc. NICE!

I used to use that for email notifications. Yes, it was nice, but a real PITA to go through all the selections to fine-tune what is of value. I gave up on it because I started getting TCP vulnerabilities from like 17 years ago, more than a few times.
I contacted Cisco about this, and after many humble apologies, the issue was never fixed, so I let my email notifications expire.

Agreed, had to let mine expire, as well. I don't mind getting a firehose turned on, so long as I can filter the flow.
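The thread's two practical points are the PSIRT RSS feed deanwebb linked and the complaint that Cisco's notification tool fires a "firehose" of decades-old advisories. The script below is an added example (not from this thread or from Cisco) of filtering such a feed yourself: it parses standard RSS 2.0 items and keeps only advisories that name products you run (ASA, WebVPN, Firepower) and were published within a time window. The feed content, the product list and the reference date are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample in the plain RSS 2.0 layout advisory feeds use; items are made up.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><title>Sample advisories (constructed)</title>
<item>
  <title>Cisco ASA WebVPN Remote Code Execution Vulnerability (sample)</title>
  <description>Affects Cisco ASA and Firepower software with webvpn enabled.</description>
  <pubDate>Mon, 29 Jan 2018 16:00:00 GMT</pubDate>
</item>
<item>
  <title>Cisco IOS XE Web UI Privilege Escalation (sample)</title>
  <description>Affects Cisco IOS XE only.</description>
  <pubDate>Tue, 30 Jan 2018 09:00:00 GMT</pubDate>
</item>
<item>
  <title>TCP Sequence Number Prediction Vulnerability (sample)</title>
  <description>Affects Cisco ASA, IOS and many other products.</description>
  <pubDate>Thu, 04 Jan 2001 12:00:00 GMT</pubDate>
</item>
</channel></rss>"""

# Constructed "current time" matching the thread date, so the example is reproducible offline.
REFERENCE_NOW = datetime(2018, 1, 31, tzinfo=timezone.utc)

def parse_feed(xml_text):
    """Return one dict per <item> (title, description, timezone-aware published datetime)."""
    items = []
    for it in ET.fromstring(xml_text).iter("item"):
        items.append({
            "title": it.findtext("title", "").strip(),
            "description": it.findtext("description", "").strip(),
            "published": parsedate_to_datetime(it.findtext("pubDate")),  # RFC 822 date
        })
    return items

def filter_advisories(items, keywords, now=REFERENCE_NOW, max_age_days=30):
    """Keep items that name one of our products (whole-word, case-insensitive) and are recent."""
    cutoff = now - timedelta(days=max_age_days)
    patterns = [re.compile(r"\b" + re.escape(k) + r"\b", re.IGNORECASE) for k in keywords]
    hits = []
    for item in items:
        text = item["title"] + " " + item["description"]
        if item["published"] >= cutoff and any(p.search(text) for p in patterns):
            hits.append(item)
    return hits
```

Against the live feed, fetch the URL over HTTPS and pass the body to `parse_feed` with `now=datetime.now(timezone.utc)`; the age cutoff is what keeps 17-year-old TCP advisories out of the inbox.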