Saturday, August 5, 2017

The Elusive Java Sweet Spot

If you've been on the Cisco cert train and/or worked with Cisco products (particularly their security products) for long enough, you know exactly what I'm talking about here.  My first taste of this came with Cisco's Security Device Manager (SDM).  I've never seen SDM actually used in production, but at the time that I was studying for the CCNA, it was still a required topic for both the CCNA and the CCNA Security.  The problem was that at the time, it was old.  It was old, and was not receiving updates as Cisco had moved on to the Cisco Configuration Professional (CCP) program already but had not updated the exam content yet.  Because it was old, it didn't work well with Java that was newer than JRE 6 update 43 (and didn't work well with many versions that were older than that either).

The first issue here is that we all know about the security track record of Java.  Being forced to use a version that is several years old is just asking for trouble.  Every month, the Nessus scan is updated to look for yet another new version of Java as the previous one has several critical vulnerabilities.  You can read all the gory details here if you care to.  I don't know what's worse, Java or Flash in this regard, and CCP just happens to use both.

And it's not just SDM/CCP that has given me fits about Java versions.  Most of the Cisco ASAs that I've installed were for small businesses (the 5505 and 5506-x models), so I have to set up ASDM for their use as there's never an actual IT guy on staff.  And since I'm rarely a party to the purchase of the ASA, I'm also rarely a party to the decision of which version of the ASA software it comes with.  Which means I rarely see the same version of the ASA software, and by extension the corresponding version of ASDM, on more than one firewall.  There was a firewall install where I literally spent 2 hours trying out different versions of Java on my computer in order to find one that would work with both the client's ASA 5506-x and my ASAv that I was using to study at the time.  Yes, I could just change out Java when I move to a different ASA, but I'm not trying to keep track.

Also using Java, though not as much of a headache, is the Cisco Configuration Assistant (CCA).  Not a product that I particularly like, but good luck with Cisco support on a UC500 series PBX if you're not using it.

