Insider’s view on how to decide what Cisco code versions to run

Businesses that use Cisco gear seem to constantly struggle with how best to determine the code version they should run on a particular Cisco product. IT departments are looking for the best balance of features and stability. Customers frequently ask me for my advice on this when it comes to security products. To that end, I thought it would be a good idea to share some of the public resources I use for researching ("scrubbing") code versions for Cisco security products.

There are three basic things to consider when you research the best code for your environment.

First, identify the product scope that will be involved. For example, if you are looking to standardize your ASA code, ask yourself what models you own (e.g. ASA 5540) and which functions matter most on your ASAs: firewall, IPsec VPN, SSL VPN, or a combination of these. Whenever possible, group like devices together. For ASA you might have two groups, one for ASAs that only do firewalling and another for ASAs that terminate VPNs. For the ASA platform specifically this grouping makes even more sense, because Cisco releases code revisions the same way. Case in point: the Cisco ASA business unit (BU) releases one code version that is heavy on new firewall features, and the next release is heavy on VPN features; the focus flips every other release between FW and VPN. To further reinforce this grouping best practice, consider that Cisco has lately been releasing considerably more VPN features (specifically SSL VPN features) than new FW features. This has everything to do with the difference in maturity of the two technologies: firewalling has been around for a long time, whereas SSL VPN is a newer, evolving technology that is being upgraded more aggressively. This is the same reason larger companies choose to split FW and VPN onto different physical appliances: the firewall and its code would not have to be upgraded nearly as often as the VPN ASA would.

Second, now that you have your product scope and functional groups in place, list the top features you will be using on these appliances. Keeping with the ASA example above, your list might include Cisco Secure Desktop, smart tunnels, clientless VPN plug-ins, and NAC features. Knowing your top features becomes critical when you start to do code version research, because it lets you judge which open caveats in a release actually affect you.

Third, consider the criticality of the products in scope. For example, is it your sole perimeter FW pair you are researching code for, or a FW that protects your guest networks? Knowing the criticality before you start is key. It helps you determine how aggressively you can tip the balance toward new whiz-bang features versus selecting time-tested code that lacks the newest features.

There are several other considerations you will need to mull over, but the above three will get you off to a good start. Now on to the tools and resources Cisco offers for doing your own code review and validation. Cisco offers the most software tools for its IOS routers, so many of these tools are only for them. Here are some of the best tools and research sites for finding the code version you need on your Cisco security products.

  • IOS Software Advisor Tool - An excellent tool for getting automated advice on the best IOS code to use. I highly recommend the Research Software tab within this tool.
  • Cisco IOS Reference Guide – This indispensable guide explains all aspects of how IOS is packaged, what feature sets mean, how to make sense of the IOS numbering scheme, how to interpret what each character in an IOS image name means, and more.
  • Cisco Bug Toolkit - Your tool for doing code bug scrubs for all Cisco security products. I highly recommend you click the Advanced Options button; it gives you many more options to use in your research.
  • Feature Navigator - Allows you to find what IOS code exactly matches the features you require. Allows you to compare two images side by side.
  • Product Alert Tool - sign up to receive PSIRT security alerts for IOS and other Cisco products.
  • IntelliShield PSIRT search tool - Use this tool to find security alerts on Cisco's security products. Use the keyword field to enter the name of the product you are looking for.
  • Cisco Field Notices - Field Notices are notifications published for significant issues other than security vulnerabilities; they typically require an upgrade, workaround, or other customer action. Be sure to check these notices as part of your research.
  • Product Release Notes – The best way to find these is to use the CCO search tool. A good search pattern to use is "release notes <product> <version>". For example, "release notes asa 8.0.4". Be sure to pay careful attention to the open caveats section of the release notes.
  • Cisco Discussion Forums - These forums are a good place to ask questions to your peers and to Cisco.
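As an added worked example (mine, not code from the original post or from any Cisco tool), the following Python script decodes the IOS image naming scheme that the IOS Reference Guide documents and then runs the kind of caveat scrub described above: candidate images are checked against a list of open caveats, only caveats on features you actually use count, and the device's criticality sets how severe a caveat has to be before it blocks an image. The image filenames, bug IDs (EXAMPLE-n) and caveats are constructed for illustration and are not real Cisco bugs; the Sev1 to Sev6 scale is Cisco's bug severity scale, while the perimeter/guest thresholds are my own assumption.

```python
"""Parse Cisco IOS image filenames and scrub candidate images against open
caveats.  Added example for this post; not Cisco tooling.

IOS image name layout (as documented in the Cisco IOS Reference Guide):
    <platform>-<featureset>-<runtime><compression>.<version>.bin
    c2800nm-advsecurityk9-mz.124-15.T9.bin
      platform     c2800nm
      feature set  advsecurityk9   (k9 = strong crypto)
      runtime      m = runs from RAM;  compression z = zip
      version      124-15.T9 -> 12.4(15)T9: 12.4, maintenance 15, T train, rebuild 9
All filenames, bug IDs and caveats below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

RUNTIME = {"m": "RAM", "f": "flash", "r": "ROM", "l": "relocatable"}
COMPRESSION = {"z": "zip", "x": "mzip", "w": "stac"}

IMAGE_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-(?P<featureset>[a-z0-9]+)-"
    r"(?P<runtime>[mfrl])(?P<compression>[zxw])?"
    r"\.(?P<version>[0-9]{3}-[0-9]+(?:\.[A-Z]+[0-9]*)?)\.bin$"
)
# "124-15.T9": major 12, minor 4, maintenance 15, train T, rebuild 9.
# Mainline images ("123-26") have no train; "150-1.M" has a train but no rebuild.
VERSION_RE = re.compile(
    r"^(?P<major>[0-9]{2})(?P<minor>[0-9])-(?P<maint>[0-9]+)"
    r"(?:\.(?P<train>[A-Z]+)(?P<rebuild>[0-9]+)?)?$"
)


@dataclass(frozen=True)
class IOSImage:
    filename: str
    platform: str
    featureset: str
    runtime: str
    compression: Optional[str]
    version: str          # canonical Cisco form, e.g. "12.4(15)T9"
    strong_crypto: bool   # feature set name ends in k9


def parse_image(filename: str) -> IOSImage:
    """Split an IOS image filename into its fields; raise ValueError if it
    does not follow the naming scheme."""
    m = IMAGE_RE.match(filename)
    if not m:
        raise ValueError(f"not an IOS image name: {filename}")
    v = VERSION_RE.match(m["version"])
    if not v:
        raise ValueError(f"unrecognised version field: {m['version']}")
    version = f"{int(v['major'])}.{v['minor']}({v['maint']})"
    if v["train"]:
        version += v["train"] + (v["rebuild"] or "")
    return IOSImage(
        filename=filename,
        platform=m["platform"],
        featureset=m["featureset"],
        runtime=RUNTIME[m["runtime"]],
        compression=COMPRESSION.get(m["compression"] or ""),
        version=version,
        strong_crypto=m["featureset"].endswith("k9"),
    )


@dataclass(frozen=True)
class Caveat:
    bug_id: str
    versions: FrozenSet[str]   # canonical versions in which the bug is still open
    feature: str               # feature area the bug hits
    severity: int              # Cisco scale: 1 catastrophic ... 6 enhancement


# Assumed policy: a sole perimeter pair rejects any Sev1-3 caveat on a feature
# it uses; a guest-network firewall only rejects Sev1-2.
SEVERITY_LIMIT = {"perimeter": 3, "guest": 2}


def scrub(candidates: List[str], features_in_use: FrozenSet[str],
          caveats: List[Caveat], criticality: str) -> Dict[str, List[str]]:
    """Return {filename: [blocking bug ids]}; an empty list means the image passed."""
    limit = SEVERITY_LIMIT[criticality]
    report: Dict[str, List[str]] = {}
    for name in candidates:
        img = parse_image(name)
        report[name] = [c.bug_id for c in caveats
                        if img.version in c.versions
                        and c.feature in features_in_use
                        and c.severity <= limit]
    return report


CANDIDATES = [  # constructed filenames
    "c2800nm-advsecurityk9-mz.124-15.T9.bin",
    "c2800nm-advsecurityk9-mz.124-24.T.bin",
    "c2800nm-advsecurityk9-mz.124-24.T1.bin",
]
CAVEATS = [  # constructed; not real Cisco bug IDs
    Caveat("EXAMPLE-1", frozenset({"12.4(24)T"}), "ipsec-vpn", 2),
    Caveat("EXAMPLE-2", frozenset({"12.4(15)T9", "12.4(24)T"}), "nat", 3),
    Caveat("EXAMPLE-3", frozenset({"12.4(24)T1"}), "sslvpn", 5),
]
FEATURES_IN_USE = frozenset({"ipsec-vpn", "nat"})   # this group does IPsec + NAT, no SSL VPN


def perimeter_pick() -> Dict[str, List[str]]:
    return scrub(CANDIDATES, FEATURES_IN_USE, CAVEATS, "perimeter")


def guest_pick() -> Dict[str, List[str]]:
    return scrub(CANDIDATES, FEATURES_IN_USE, CAVEATS, "guest")


if __name__ == "__main__":
    for role, pick in (("perimeter", perimeter_pick()), ("guest", guest_pick())):
        for name, bugs in pick.items():
            verdict = "PASS" if not bugs else "BLOCKED by " + ", ".join(bugs)
            print(f"{role:<10} {parse_image(name).version:<12} {verdict}")
```

Run as-is it prints one verdict per image per role: with the constructed caveats the perimeter group can only run 12.4(24)T1, while the guest firewall can also run 12.4(15)T9 because its Sev3 NAT caveat is tolerated there; EXAMPLE-3 never blocks anything because SSL VPN is not a feature this group uses. Swap the constructed lists for what the Bug Toolkit and the release-note open caveats actually give you for your own platforms.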
While not a complete list, the above recommendations will give you a solid base from which to start your research. Of course, Cisco employees have access to additional internal-only resources, but even internally there is no silver-bullet tool for producing code recommendations. The unfortunate reality is that doing a thorough code review takes time, sometimes a lot of it. But your diligence will pay off in the end in a very stable network environment with all the features you require. Another route is to purchase software that automates this process for you, or to invest in professional services from Cisco or others and outsource the code reviews. Anyone have any other tools or resources to share that you think should be added to my list? Anyone recommend any third-party tools or sites that help with code scrubs?

The opinions and information presented here are my personal views and not those of my employer.


Copyright © 2008 IDG Communications, Inc.
