In this chapter, we reviewed the process of discovering remote Cisco appliances and investigating a single selected device using passive sniffing for Cisco-specific protocols and passive, semiactive, and active host fingerprinting. In addition to common Cisco routers and switches, a PIX firewall, a Cisco VPN concentrator, and an Aironet 1200 wireless access point underwent our detailed scrutiny. We analyzed the differences between all devices audited and provided brief summaries useful for distinguishing remote Cisco appliances and their operating systems in "black box" testing.
A healthy dose of criticism was provided, so that you don't take the output of commonly used scanning tools for granted. For instance, we suggest you use more than one tool and the whole variety of scan options available for the tools you select; then repeat the same scan multiple times and take into account the hop distance to the target.
In a rather lengthy countermeasures section, we presented a hands-on analysis of various safeguards against portscanning and OS fingerprinting of Cisco hosts. It culminates in an informative discussion of discovering, logging, and blocking enumeration and fingerprinting attempts, with many original IDS signatures supplied.
We hope that the data presented will help you detect remote attackers and hamper their attempts to enumerate and fingerprint Cisco hosts on the network you run. Early phase attack discovery prior to the actual intrusion attempt is absolutely crucial and builds a proper foundation for efficient intrusion prevention.