Cisco IOS Version audit (Vulnerable or Not?)

Date December 4, 2005

I am looking for people to share their advice or any software that will
allow me to achieve the following.

I would like to do an SNMP walk over all of my Cisco devices, to get the
hardware and IOS version information.
With this information I would then like to audit each IOS version to see:
– Latest IOS image available
– Recommended IOS Image
– Last IOS image that doesn’t have any vulnerabilities
– Then possibly an advanced check to see if my Cisco device supports
the minimum hardware requirements

The main difficulty here is an easy automated way to get this information.

Any suggestions?

- Search for kiwicattools ( http://www.kiwisyslog.com/cattools2.htm ) .. That
may solve all of your MASS CISCO problems. We have a network of 300+ routers
and switches and it works nicely.

Muhammad

- I’ve had great success doing much of the things you’re interested in. Did
it under Linux using snmpwalk/snmpget and Python with some shell for
glue (or was that in shell with Python for glue?), but I suspect any
number of other *nix type OSes would work, dunno about Cygwin on
Windows. Probably an equivalent library or toolset somewhere if you
wanna do Windows natively.

As for cisco IOS versions, these 3 charts @

http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/products_tech_note09186a00800afdb6.shtml

are very illustrative, I’m sure something like this exists in an ordered
parseable form somewhere…
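
An added example (not code from the thread) of the snmpget-plus-Python approach described in the reply above: it parses `sysDescr.0` strings, splits each IOS version into train and release, and flags hosts that fall below a per-train floor. The host names, sample strings and the `MINIMUM` table are constructed placeholders, and ordering releases only within one train is an assumption of this example.

```python
import re

# Constructed sample: sysDescr.0 strings as returned by snmpget, keyed by host.
SAMPLE = {
    "rtr-a": "Cisco Internetwork Operating System Software \nIOS (tm) C2600 "
             "Software (C2600-IK9O3S3-M), Version 12.2(15)T9, RELEASE SOFTWARE (fc2)",
    "sw-b": "Cisco IOS Software, C3750 Software (C3750-IPBASE-M), "
            "Version 12.2(25)SEB4, RELEASE SOFTWARE (fc1)",
    "rtr-c": "Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), "
             "Version 12.4(3a), RELEASE SOFTWARE (fc2)",
    "ups-d": "Constructed UPS management card, firmware v3.1",
}
# Hypothetical per-train floor; placeholder values, NOT from any Cisco advisory.
MINIMUM = {(12, 2, "T"): "12.2(15)T12", (12, 2, "SEB"): "12.2(25)SEB2",
           (12, 4, ""): "12.4(3)"}

DESCR_RE = re.compile(r"(\S+) Software \(([^)]+)\), Version ([^,\s]+)")
VER_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)([A-Z]*)(\d*)([a-z]?)$")

def parse_version(v):
    """Split an IOS version into (train_key, order_key); None if unrecognised."""
    m = VER_RE.match(v)
    if not m:
        return None
    major, minor, maint, mlet, train, rebuild, rlet = m.groups()
    return ((int(major), int(minor), train),
            (int(maint), mlet, int(rebuild or 0), rlet))  # ints: T9 < T12

def parse_sysdescr(descr):
    """Return platform, image and version from an IOS sysDescr, else None."""
    m = DESCR_RE.search(descr) if "IOS" in descr else None
    return dict(zip(("platform", "image", "version"), m.groups())) if m else None

def audit(inventory, minimum=MINIMUM):
    """Map host -> 'ok' | 'below-minimum' | 'no-policy' | 'unparsed'."""
    result = {}
    for host, descr in inventory.items():
        info = parse_sysdescr(descr)
        parsed = parse_version(info["version"]) if info else None
        floor = minimum.get(parsed[0]) if parsed else None
        if parsed is None:
            result[host] = "unparsed"   # not IOS, or an unknown version format
        elif floor is None:
            result[host] = "no-policy"  # assumption: never compare across trains
        else:
            ok = parsed[1] >= parse_version(floor)[1]
            result[host] = "ok" if ok else "below-minimum"
    return result

print(audit(SAMPLE))
```
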

- Ciscoworks ??? should be able to get it if you have CCO.

Could try OpenNMS if you’re using *nix / so you would not have to pay a lot
of licensing fees.

http://www.opennms.org/wiki//

Hope that helps …
