Companies that use Cisco gear always seem to struggle with how best to determine which code version they should be running on a particular Cisco product. IT departments are looking for the best balance of features and stability. When dealing with security products, customers often ask me for advice on this. To that end, I thought it would be a good idea to share with you some of the public resources I use to research (scrub) code versions for Cisco security products.

When researching the best code for your environment, there are three basic questions to consider. First, you need to determine the scope of products involved. For example, if you want to standardize your ASA code, ask yourself what models you have (e.g. ASA5540) and which functions matter most on your ASAs. Is it firewall, IPsec VPN, SSL VPN, or a combination of these? Whenever possible, you want to group like devices together. So for the ASA, you might have two groups: ASAs that only do firewall, and ASAs that do VPN. For the ASA platform specifically, this grouping makes even more sense given that Cisco releases code revisions the same way. Case in point: the Cisco ASA BU will release one code version that is heavy on new firewall features, and the next release will be heavy on VPN features. Cisco flips its focus, FW or VPN, every other release. To further reinforce this product grouping best practice, consider the fact that Cisco has lately been releasing considerably more VPN features (specifically SSL VPN features) than new FW features. This has everything to do with the difference in maturity between the two technologies. Firewall has been around for a long time, whereas SSL VPN is a new, evolving technology that is being upgraded more aggressively. This is the same reason larger companies choose to split FW and VPN onto different physical appliances. The firewall and its code wouldn't have to be upgraded nearly as often as the VPN ASA would be.

So now that you have your product scope and functional groups in place, the next thing to consider is the top features you will be using on these appliances. Keeping with the ASA example above, your list might include: Cisco Secure Desktop, smart tunnels, clientless VPN plugins, and NAC features. Knowing your top features becomes critical when you start to do code version research.

The final basic consideration is the criticality of the products that are in scope. For example, is it your sole perimeter FW pair that you are researching code for? Or is it a FW that is protecting your guest networks? Knowing the criticality before you start your research is key. It helps you determine how aggressively you can tip the balance towards new whiz-bang features vs. selecting time-tested code that doesn't include the newest features.

There are several other considerations you'll need to mull over, but the above three will get you off to a good start. Now on to exploring some of the tools and resources that Cisco offers for doing your own code review and validation. Cisco offers the most software tools for its IOS routers, so many of these tools are only for them. Here are some of the best tools and research sites for finding the code version you need on your Cisco security products.
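- IOS Software Advisor tool - An excellent tool for getting automated advice on the best IOS code to use. I highly recommend the Research Software tab.
- Cisco IOS Reference Guide - This indispensable guide explains all aspects of how IOS is packaged, what the feature sets mean, how to understand the IOS numbering scheme, how to interpret what each character in an IOS image name means, and more.
- Cisco Bug Toolkit - Your tool for doing code bug scrubs on all Cisco security products. I highly recommend checking out the Advanced Options button. It gives you many more options for your research.
- Feature Navigator - Lets you find which IOS code exactly matches the features you need. Also lets you compare two images side by side.
- Product Alert Tool - Sign up to receive PSIRT security alerts for IOS and other Cisco products.
- PSIRT search tool - Use this tool to look up security alerts for Cisco security products. Use the keyword field to enter the name of the product you are looking for.
- Cisco Field Notices - Field Notices are notifications published for significant issues, other than security vulnerability-related issues, that usually require an upgrade, workaround, or other customer action. Be sure to check these notices as part of your research.
- Product Release Notes - The best way to find these is to use the CCO search tool. A good search pattern is "release notes ". For example, "release notes asa 8.0.4". Be sure to pay close attention to the open caveats section of the release notes.
- Cisco Forums - These forums are a great place to ask questions of your peers and of Cisco.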
The opinions and information presented here are my personal views and not those of my employer.