Headline grabbing vulnerabilities, like SolarWinds and Log4Shell, target management software and end hosts, but if you search for “most exploited vulnerabilities” on Google, you will quickly learn that some of them directly target network and security devices as well as server load balancers.

These are the 3 most exploited CVEs in the last couple of years:

Would you be surprised to learn that network device operating systems can be vulnerable to security flaws like any other software? To remediate this risk, network and security administrators need a vulnerability management program in place. Having the right processes and technology in place can save time while protecting the network security posture.

A common approach is to split vulnerability management into two phases:

  1. Build a list of affected devices and related vulnerabilities
  2. Prioritize and address these vulnerabilities

Build a list of affected devices and related vulnerabilities 

Publicly disclosed security vulnerabilities have an assigned CVE (Common Vulnerabilities and Exposures) ID number and a severity level based on their impact. CVEs help you to coordinate the efforts to prioritize and address these vulnerabilities to make systems and networks more secure. Most enterprise networks have evolved over time and include devices from several vendors running multiple versions of operating systems. Knowing that a vulnerability was announced doesn’t give a clear picture of the organization's correlative risk.  

Large enterprises do their best to keep an accurate inventory of devices and their state, but given that most companies have experienced mergers, IT department turnover, and are resource constrained, this inventory is rarely current. Because networking vendors typically fix security vulnerabilities by issuing a new OS version, a detailed and up-to-date inventory is paramount. Trying to conduct this analysis manually is expensive, time-consuming, and error prone.

To make the analysis easier, faster, and more reliable, Forward provides a network devices vulnerability analysis that automatically compares the CVE information from the NIST National Vulnerability Database (NVD) with OS version running on the devices in your network.

This analysis provides a list of all possibly affected devices and related vulnerabilities. “Why possibly affected?” you might ask. Keep on reading and you will find out why.

The following screenshot shows an example of network vulnerability analysis in the Forward UI.

Fig 1: Forward device vulnerability analysis

The summary at the top shows the number of CVEs detected as well as the number of devices impacted.

The table shows a summary view of the CVEs including CVE ID, Severity, Description, Impacted OS, Impacted versions, and the number of Possibly impacted devices.

The Details page shows you information about devices that are impacted by that CVE like Device, Model, OS version, and Management IPs.

Fig 2: CVE details page

Prioritize and address vulnerabilities

One of the fundamental issues is that the number of vulnerabilities and devices affected can be overwhelming, making it difficult to prioritize which devices should be updated first. Filtering vulnerabilities by severity provides some help but typically the number of Critical and High severity vulnerabilities is still so high that it‘s challenging to determine a starting point. This is where the notion of “possibly affected devices” becomes pertinent. Some vulnerabilities can impact a device only if specific configurations are present, a specific feature is turned on, or they are deployed in a way that is explained in the CVE. This information is not in the NIST database, network engineers have to research vendor sites such as the Cisco Security Advisory repository to get this level of detail. 

There’s a better way

Monitoring the latest descriptions and automatically checking them against the device configurations in your network is best performed by software — it frees up highly skilled engineers to spend time on proactive strategic initiatives and is far more accurate. For many NOC teams, this capability would be A dream come true, or Like Christmas came early, right?

Well, that is exactly what Forward Enhanced Vulnerability Analysis provides!!

No more manual, tedious, and error-prone hunting for those configs on every single “possibly affected” device, one by one, that would take forever.

Just an always accurate, always updated list of devices that are actually vulnerable! Remediation efforts can be prioritized based on risk severity to ensure effort is directed to keeping the network as safe as possible.The screenshot below shows the Detected based on field. This field indicates that there is an at-risk device in the network that matches the OS version only (OS version match) or is running the impacted OS version and matches the vulnerable configuration (Config match).

Fig 3: Filtering by detection type

Additional resources

Watch this 3 minute video:

Read the use case to learn more about how Forward Enterprise can help limit your CVE exposure. Stay tuned with Forward Networks announcements because some great new innovations about vulnerabilities are...coming soon...

When a large government agency decided to refresh its infrastructure down to Layer 2 switches, Forward Networks data delivered over $6 million in savings. Like many companies around the world, this organization had challenges getting full visibility and the structure of its network, which had grown organically over time.

Initially, Forward Enterprise played a key role in providing accurate information that saved hours of manual effort by eliminating the need to manually synchronize spreadsheets from various inventory tools and internal sub-organisations. While that was certainly valuable, the real cost savings occurred through the rapid insights the platform provided.

The company's IT team wanted to understand everything connected to its network switches in hopes of finding ways to cut costs. Specifically, the team wanted to understand why its network was dependent upon a large number of 100M interfaces, which are considerably more expensive than standardizing on the more common 1G Ethernet standard.

To answer those questions, Forward's Network Query Engine (NQE) was used to create a list of all the devices connected to the network switches by MAC and VLAN. That list was then cross-referenced with the manufacturer to determine what was actually connected to the company's network switches. The results showed that the IT team didn’t need to support the 100M interfaces because the devices connected would support 1G. As such, the network was upgraded to 1G across the board, saving the agency more than $6 million. 

The agency stated that without Forward Enterprise, the inventory would never have been done at all, resulting in device failures, support for unnecessary devices, and wasteful expenditures. NQE helps to solve common challenges in network automation when it comes to retrieving network device configuration and state to verify the network posture. Customers with large networks comprised of many different vendors, technologies, and deployments, including on-prem and cloud, find this functionality extremely valuable.

The agency was able to clearly understand its network topology because Forward Enterprise organizes network information like a database, including the number of devices, physical and logical topology, maps of all possible traffic paths, device state, and configuration. Using that data, NQE makes finding information in the network as intuitive and quick as performing a web browser search.

To learn more about how you can use Forward Networks to verify your networks and automate timely processes, schedule a demo today. Be sure to read our other blogs in this series about how Forward Networks is impacting enterprise networks around the world, including Six-Figure Savings: How A Financial Institution Banked On NQE For Massive Returns; From Days To Minutes: Digital Media Provider Uses Forward Networks To Overhaul Reconciliation; and Confidence In Action: Investment Bank Uses Forward Networks To Verify Automation Software.

Top cross