Re: [fw-wiz] SNMP RW ASA 7.2.1

July 19, Security Focus Retired: Cisco Security Monitoring Analysis and Response System multiple vulnerabilities. Cisco Security Monitoring, Analysis and Response System (CSMARS) is prone to multiple vulnerabilities. Analysis: To include privilege escalation, arbitrary command execution, and information disclosure issues. An attacker could exploit these issues to retrieve potentially sensitive information and possibly execute arbitrary commands with Super User privileges. This may facilitate a remote compromise of affected computers.


Ron DuFresne

On Thu, 20 Jul 2006, Pablo Pérez wrote:

Thanks a lot for your cooperation, it was very helpful.



From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Victor
Sent: Wednesday, July 19, 2006 07:23 p.m.
To: Firewall Wizards Security Mailing List
Cc: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] SNMP RW ASA 7.2.1

Well, notice I said the VMS replacement.

VMS 2.3 will not let you do anything but collect syslogs from a 7.2.x ASA or
PIX device. You can't manage the configuration or anything like that. You
have to go back to 6.3.5 PIX OS or earlier for true management capabilities.
You can still collect syslog messages from the PIX and do reports on them
tho...HTML or PDF format I believe are your only options.

VMS with the Firewall Manager add-on (free if you bought the VMS suite)
allowed you to collect the system configuration via PDM or SNMP (assuming
you were using 6.3.5 OS or before) and then re-apply it with the RW ability
of SNMP or through PDM. Personally, it never worked like I wanted it to,
and the syntax/display of the VPN configuration for a PIX always looked
completely stupid (unintuitive) to me in the VMS interface, so I always
reverted to managing all those devices at the command line...i.e. it was a
worthless tool for my tastes. Basically what I wanted was a pretty report
on denied messages of any kind (for the managers that like that sort of
thing) and any other message of higher severity than warning...which was the
stuff I was actually interested in. Throw in the fact that you had to have
ONE specific version of the Java runtime for everything to work right
(always the version that interferes with everything else you're doing on
your PC), and I was completely disenchanted.

The replacement for VMS 2.3 (called Cisco Security Monitoring, Analysis and
Response System (CS-MARS)) will let you manage all the current
security-related products as well as monitor them from a semi-central
location. This would include ASA and VPN 3000 series devices, the IDS/IPS
add-on to the ASA devices, as well as the security agents that get loaded on
Windows/Unix/Linux hosts. I haven't actually used it, but seen it in action
at a customer NOC. However, the ONE specific Java requirement for it all to
work right is still I won't be using it anytime soon.

Regarding the monitoring that I wanted to do, I wanted to see certain denied
messages or error messages, as well as get reports on those. I also wanted
to get alerted on when something like the active firewall in an
active/failover pair failed and the failover one picked up. Basically, the
only way I got it to work like I wanted and to get an alert in near
real-time (page me or send an email to my mobile device), I used a
combination of SNMPc and AdventNet's Firewall Analyzer. SNMPc for the
uptime/downtime/alert monitoring, AdventNet's Firewall Analyzer for the
pretty reports to managers that don't mean a thing 99.999% of the time
except to tell you that Blaster and Code Red is still alive and well.

Since pre-7.x PIXen didn't send SNMP traps for anything but like 8 different
things except via Syslog, you need to have a syslog collector/parser that
does it while it's receiving the syslog. SNMPc does that, and you can
program the action it takes depending on what the syslog message is. So if
you received a SNMP trap via syslog protocol that stated you had a failover
action in a pair of firewalls, that's what would get sent to you via
whatever action you specified. In this case, an SMTP email sent to my cell

Given the choice again, I wouldn't spend the time/money on the Cisco
management solution unless I needed to monitor/manage LOTS of Cisco-only
infrastructure. The current situation doesn't call for it, so a
roll-your-own OSS setup or a cheap software solution (sub $4k) works the
same in our situation. I just don't have the time to roll my own. I always look for something low-$$ that does a specific task
and isn't dependent on ONE version of (insert software name here) to work.

Brian Loe wrote:

What exactly does VMS do that's special so far as communication goes? Even on older boxen it's able to see tunnel traffic - where is it pulling it from? It's not available via SNMP...

I'd like to avoid VMS and use all open-source tools. Not even for management, really, just monitoring and such.

On 7/19/06, Victor Williams <vbwilliams@xxxxxxxxxx> wrote:

I'm pretty sure they removed RW access because the management interfaces for the ASA units are now SSH and/or SSL/TLS.

Basically, if you want anything other than logging/alerting remotely (outside of SSH command line access), you have to use ASDM or Cisco's new replacement of VMS which lets you manage 7.x ASA and/or PIX units as well as VPN concentrators.
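The syslog-driven alerting Victor describes (a collector that parses PIX messages as they arrive and fires a configured action on failover, denied-traffic, or higher-than-warning messages), written out as an added Python example that is not part of the original thread. The log lines are constructed, not captured from a real device; the `page_on_call` action is a hypothetical stand-in for the SMTP/pager hook.

```python
import re

# Cisco PIX/ASA syslog prefix: %PIX-<severity>-<message id>: <text>
# Severity runs 0 (emergency) .. 7 (debug), so "more severe than warning" is a level below 4.
PIX_LINE = re.compile(r"%(?P<platform>PIX|ASA)-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
DENY_WORD = re.compile(r"\bden(y|ied)\b", re.IGNORECASE)

# Constructed sample lines (not from a real firewall). 104001 is the failover
# "Switching to ACTIVE" message, 106023 an access-list deny.
SAMPLE_LOG = """\
Jul 19 19:23:01 fw1 %PIX-1-104001: (Primary) Switching to ACTIVE - Other unit wants me Active
Jul 19 19:23:02 fw1 %PIX-4-106023: Deny tcp src outside:10.0.0.5/4444 dst inside:192.0.2.10/445 by access-group "outside_in"
Jul 19 19:23:03 fw1 %PIX-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.9/80
"""

def parse_pix_line(line):
    """Return the syslog fields of a PIX/ASA line as a dict, or None if it is not one."""
    m = PIX_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    return rec

def classify(rec):
    """Tag a parsed record with the conditions the thread wants alerts on."""
    tags = []
    if rec["msgid"].startswith("104"):   # 104xxx = failover state changes
        tags.append("failover")
    if DENY_WORD.search(rec["text"]):
        tags.append("denied")
    if rec["sev"] < 4:                   # emergency .. error, i.e. above warning
        tags.append("high-severity")
    return tags

def process_log(log, actions):
    """Parse each line and dispatch the action configured for every matching tag.
    Returns how many times each action fired so the result can be checked."""
    fired = {tag: 0 for tag in actions}
    for line in log.splitlines():
        rec = parse_pix_line(line)
        if rec is None:
            continue                     # not a PIX/ASA message; ignore
        for tag in classify(rec):
            if tag in actions:
                actions[tag](rec)
                fired[tag] += 1
    return fired

def page_on_call(rec):
    # Hypothetical action: swap in an SMTP send to the on-call mailbox/pager address.
    print(f"PAGE: {rec['platform']}-{rec['sev']}-{rec['msgid']} {rec['text']}")

if __name__ == "__main__":
    print(process_log(SAMPLE_LOG, {"failover": page_on_call, "denied": page_on_call}))
```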

