Is SNMP read-only access sufficient to run an authenticated scan against Cisco networking devices?
The reason we recommend SSH for authenticated access to Cisco devices over SNMP is that the majority of the detections use that authentication mechanism; they assume that level of access to the device. Indeed, the detections which use SSH need that level of access to identify vulnerabilities; they simply cannot be implemented over SNMP.
By way of example, if you search the KnowledgeBase for Cisco vulnerabilities that are discovered by SNMP you will find there are currently 315 entries, versus 684 for Unix (SSH). Of these 315 entries, 12 are Severity 5 and 118 are Severity 4, the majority of which are Potential rather than Confirmed vulnerabilities. So, while you may be able to find some information on the device itself, you will not be able to discover most of the vulnerabilities which may exist. Moreover, the vulnerabilities which you do detect will be for the most part Potential, meaning some further investigation will be required to confirm their existence. This inevitably leads to a false picture of your exposure to the threats posed by those vulnerabilities and the risks associated with their exploitation, as well as a much increased workload for the network administrators who will have to chase down the potentials. Thus, it is far simpler for everyone concerned to allow SSH access to the devices.
I hope this helps build your justification.
You should spend some time reading the Qualys docs and searching this forum. To help you get started, check out the official documentation about Cisco authentication: https://qualysguard.qualys.com/qwebhelp/fo_portal/authentication/win_cisco_ios_record.htm
You will see that to authenticate to Cisco devices, you will need to SSH or Telnet in and provide an appropriate account with the right permissions to run the required commands (the aforementioned page links to a list of those commands).
Thanks a lot for that reply. I am well aware of that linked document and I have read it several times. The issue is that, due to security concerns, the networking team will not grant SSH or Telnet access and we are only left with the SNMP option... This is the reason I am trying to collect some feedback on how viable this option actually is and whether it will have any significant advantage vs performing a standard NON-authenticated scan?
We all have been there, buddy. Stick in there. Not sure why networking thinks granting access to a scanner is more risky than not knowing the patch/configuration level of your networking devices... I have had to fight the battle of who understands security better with our network folks many times.
At the end of the day, you need to be able to articulate the risk associated with not knowing patch levels vs having SSH open with a limited number of accounts with access... Beautiful thing: you can make your account have a long password, you can audit it, etc... Not sure why ops always wants to tell us in security that SSH is dangerous... Anyway, do a write-up articulating that risk and give it to your senior management. They should be fighting for you. Again, in my opinion, visibility via authentication should trump anyone's fears of opening up SSH...
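The compromise the replies above point toward, SSH open only to a limited, auditable set of accounts, can be expressed concretely in Cisco IOS configuration. The following is an added example, not configuration from the thread, from Qualys, or from the Qualys documentation linked above. It assumes a scanner appliance at 10.0.0.5 (a constructed address), a dedicated local account named scanner, and, for the accounting line, a TACACS+ server already defined on the device; the placeholder passphrase must be replaced. The privilege level the scanner account actually needs depends on the commands the scanner runs, which the linked Qualys page documents.

```cisco
! Added example: lock SSH management access down to a single scanner source
! and a dedicated, logged, low-privilege account. Addresses and names are
! constructed placeholders, not values from the thread or the Qualys docs.
!
! SSHv2 only, with short timeouts and a bounded number of login attempts
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only the scanner may reach the VTY lines; anything else is logged and dropped
ip access-list standard SCANNER-MGMT
 permit 10.0.0.5
 deny   any log
!
! Dedicated scanner account. Privilege 1 cannot enter configuration mode;
! raise it only as far as the commands the scanner needs (see Qualys docs).
username scanner privilege 1 secret REPLACE-WITH-LONG-RANDOM-PASSPHRASE
!
! Local authentication for the VTY lines, plus session accounting so each
! scanner login is recorded (assumes a TACACS+ server is already configured)
aaa new-model
aaa authentication login SCANNER-LOGIN local
aaa accounting exec default start-stop group tacacs+
!
! Log both successful and failed logins so the account can be audited
login on-failure log
login on-success log
!
line vty 0 4
 access-class SCANNER-MGMT in
 transport input ssh
 login authentication SCANNER-LOGIN
 exec-timeout 10 0
 logging synchronous
```

Telnet is excluded entirely by `transport input ssh`, the source ACL means the scanner account is unusable from anywhere but the scanner, and the accounting and login logging give the network team the audit trail they would want before agreeing to open SSH. SSH also requires an RSA key pair to have been generated on the device beforehand, which is an exec-mode step and therefore not shown in the running configuration above.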