Every now and again a vendor comes along to liven up my otherwise boring existence. This time it was Cisco. If you don't already know, Cisco is the big dog in networking equipment. Rivaled by few and challenged by fewer, they tend to have a good handle on networking. Recently they have stepped further into the security side of their equipment with their "Defense in Depth" campaign. One of the tools they are considering releasing is called Cisco PSA. What follows is my very basic (and entirely informal) review.
Cisco PSA is designed to be a tool that helps secure Cisco devices. A ton of devices are supported, but I'm not going to list them all here. There are two modes you can operate PSA in: Virtual Visit and Non-invasive Scan. The names are somewhat clear, yet somewhat obscure, so here is what each one does.
Non-invasive Scan is pretty much exactly what it says. The client provides you with the configurations from their Cisco devices and you run them through the tool. The tool then produces a very executive-friendly report of what is wrong with each device (well, security-wise). From there you can view the recommended fixes and the exact configuration changes that Cisco recommends you apply to the configuration file. After all that is done, you are given a report that can be emailed to anyone, showing which device was scanned, what was found wrong, what was fixed, and the final evaluation of the device's configuration.
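To make the non-invasive idea concrete, here is a toy configuration audit of the same shape: feed it an IOS running-config, get back a list of findings, a plain-text report, and a repaired copy of the file. This is an added example written for this review; it is not code from Cisco PSA or from RAT, and the check list, the sample configuration and the fix commands are my own assumptions about what such a tool checks, not PSA's actual rule set.

```python
"""Toy Cisco IOS configuration audit in the spirit of the Non-invasive Scan.

Added example for this review; it is not code from Cisco PSA or from RAT.
The checks, the sample running-config and the suggested fixes below are
assumptions made for illustration, not PSA's actual rule set.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str           # short check name for the report
    evidence: str        # offending config line, exactly as found (indent included)
    replace_with: tuple  # lines that replace the evidence line in a repaired config
    extra: tuple = ()    # global lines the fix also needs, added just before 'end'


# Constructed sample running-config with several weak settings (not a real device).
SAMPLE_CONFIG = """\
!
version 12.4
no service password-encryption
hostname edge-rtr
!
enable password cisco123
!
ip http server
!
snmp-server community public RO
!
line vty 0 4
 password cisco
 login
 transport input telnet
!
end
"""

# Prerequisites for SSH on IOS; the domain name is a placeholder assumption.
SSH_PREREQS = ("ip domain-name example.net",
               "crypto key generate rsa modulus 2048",
               "ip ssh version 2")


def audit_config(config):
    """Return a Finding for each weak setting recognised in an IOS config."""
    lines = config.splitlines()
    has_enable_secret = any(l.startswith("enable secret ") for l in lines)
    findings, block = [], None
    for ln in lines:
        s = ln.strip()
        if not ln.startswith(" "):
            block = s  # top-level command; also names the indented block that follows
        if s == "no service password-encryption":
            findings.append(Finding("password-encryption", ln, ("service password-encryption",)))
        elif s.startswith("enable password ") and not has_enable_secret:
            findings.append(Finding("enable-secret", ln, ("enable secret <strong-secret>",)))
        elif s == "ip http server":
            findings.append(Finding("http-server", ln, ("no ip http server",)))
        elif (m := re.match(r"snmp-server community (\S+) (RO|RW)$", s)) and \
                m.group(1).lower() in ("public", "private"):
            findings.append(Finding("snmp-default-community", ln, ("no " + s,)))
        elif block and block.startswith("line vty") and \
                s in ("transport input telnet", "transport input all"):
            findings.append(Finding("vty-telnet", ln, ("transport input ssh",), SSH_PREREQS))
    return findings


def render_report(findings):
    """Plain-text summary of what was found and what to change."""
    if not findings:
        return "No findings.\n"
    out = [f"{len(findings)} finding(s):"]
    for f in findings:
        out.append(f"- {f.check}: found '{f.evidence.strip()}'")
        for cmd in f.replace_with + f.extra:
            out.append(f"    fix: {cmd}")
    return "\n".join(out) + "\n"


def repaired_config(config, findings):
    """Apply the suggested fixes to the config text and return the repaired file."""
    by_evidence = {f.evidence: f for f in findings}
    out, extra = [], []
    for ln in config.splitlines():
        f = by_evidence.get(ln)
        if f is None:
            if ln.strip() == "end":
                out.extend(extra)  # global prerequisites go in before the closing 'end'
            out.append(ln)
            continue
        indent = ln[: len(ln) - len(ln.lstrip())]
        out.extend(indent + cmd for cmd in f.replace_with)
        for x in f.extra:
            if x not in extra:
                extra.append(x)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = audit_config(SAMPLE_CONFIG)
    print(render_report(found))
    print(repaired_config(SAMPLE_CONFIG, found))
```

Running the script prints five findings for the sample and a repaired config in which the vty lines accept SSH only and the SSH prerequisites sit just before `end`; auditing the repaired file again yields no findings. The `crypto key generate rsa` line is interactive on a real box, so in practice it is applied by hand rather than pasted in.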
Virtual Visit is where PSA makes its mark. Normally, if you want to connect to a client on the other side of the world, you need a site-to-site VPN tunnel or VPN client access. The problem is that the first takes about 45 minutes to set up, and giving VPN clients access to all of the Cisco devices on your network is relatively painful as well. Enter PSA. The idea is that the client makes a very small configuration change on the externally reachable device they would like scanned (enabling telnet or SSH; SSH is the one to pick, since telnet sends the login credentials in cleartext). From there, PSA takes care of the rest. A tunnel is established from the PSA website to your external device, and from that device a tunnel is established to the client's device, and access is granted. Now, here's where it gets fun. If there are more layers of their network they would like you to scan, they make the same change on those internal devices, and tunnels are created inside the primary tunnel that connects you to the client. To me, that's pretty slick, knowing how much of a pain that is to accomplish by hand. Once all of these tunnels inside of tunnels are up, you have access to all the devices and can scan them accordingly. The main difference from the non-invasive scan is what happens after the scan: where Non-invasive Scan will only show you the changes that need to be made, here you can fix the issues found on any of the devices by clicking a fix button, and the issue is resolved immediately. At the end of this you get the same type of report of what was found and what was fixed, which can be emailed to anyone.
First off, the web interface is clean. I like that. Nothing is more annoying than web pages that are chock full of stupid, useless crap. I am slightly disappointed that the non-invasive scan will not present you with a repaired configuration file at the end of the scan. I know that can't be too hard to implement, but maybe that's just the version I'm using; supposedly there are improvements all the time. The other thing I really like is that it checks whether a device and OS version are supported before it will even scan them. That is a godsend, knowing how badly things get messed up when you try to run an unsupported device through whatever program (CiscoWorks for Solaris, for example). Overall, I'd have to say this is pretty cool technology, but I don't know about the marketability of it. There's a tool known as RAT (the Router Audit Tool) that's been around for a long time doing relatively the same thing. While it doesn't do the cool tunnel thing, it gives you pretty much the same thing as the non-invasive scan: not as many pretty pictures, but I don't know any executives that would look at a router anyway. The other thing is that some clients might not like you changing their routers on the fly, but that's more of a preference thing anyway. All in all, a cool product, but I don't think engineers would buy it. Management almost surely would.