10 Replies. Latest reply: Nov 15, 2018 9:17 PM by Ramnes

    Patching VIRL

    Matt

      Are there best practices that Cisco can recommend in keeping VIRL (Ubuntu OVA) up to date with patches?  Besides logging on to box and running sudo apt-get update/upgrade, can we update from the UWM-->Systems Upgrade-->Core package, and patch from that option?  Thank you.


        • 1. Re: Patching VIRL
          Jim Fickett

          Hi Matt,

          I would recommend you do not update the VIRL OVA. We typically see one update a year for VIRL from Cisco.


          Jim Fickett

          • 2. Re: Patching VIRL
            Matt

            Thanks Jim.  The issue we are seeing is that we have added VIRL to our domain and therefore Nessus is scanning it and showing vulnerabilities that need to be patched.  Is it a best practice to drop VIRL into a DMZ so it's segregated from the rest of the network?  Thank you.

            • 3. Re: Patching VIRL
              cwarren4101

              Most definitely isolate VIRL (or its corporate counterpart CML) as there is no safe, stable way to patch the Ubuntu OS VIRL is built on.

              • 4. Re: Patching VIRL
                Matt

                Thanks for the info.  I'll work with the team to remove it from the domain and drop it into a DMZ.

                • 5. Re: Patching VIRL
                  zx122982685

                  I run VIRL inline and also within our production enterprise network.  That said, you may run the apt update and apt upgrade procedures to patch the Linux kernel for vulnerability mitigation.  There will be the occasional instance where a patch to python (for example) may break some functionality within VIRL; the solution around that (or other security upgrades) is to boot your Linux OS to the previously known good kernel image.

                  Or, isolate your VIRL instance completely, which I find impractical and unnecessary.  Good luck Matt and I hope that's useful.
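The post above recommends apt update/upgrade but warns that a python update can break VIRL. As an added example that is not from the thread, Cisco, or VIRL itself, the POSIX shell script below previews the pending upgrade with `apt-get -s upgrade` and separates the packages to put on hold from the rest before anything is applied; the package-name prefixes and the sample apt output are assumptions.

```shell
#!/bin/sh
# Added example, not from this thread or from Cisco. Previews what
# `apt-get upgrade` would change on the VIRL Ubuntu VM and separates the
# packages the thread reports as fragile (python) so they can be held with
# `apt-mark hold` while kernel and other fixes still go in. Assumes a
# Debian/Ubuntu host; RISKY_PREFIXES is an assumed starting point.

RISKY_PREFIXES='^(python|libpython)'

# Constructed sample of `apt-get -s upgrade` output, for offline use.
SAMPLE_PLAN='Reading package lists...
Inst linux-image-4.4.0-999-generic (4.4.0-999.1 constructed-repo [amd64])
Inst python2.7 [2.7.12-0] (2.7.12-1 constructed-repo [amd64])
Conf python2.7 (2.7.12-1 constructed-repo [amd64])
Inst libpython2.7-stdlib [2.7.12-0] (2.7.12-1 constructed-repo [amd64])'

# stdin: `apt-get -s upgrade` output. stdout: package names it would
# install or upgrade (only the "Inst <pkg> ..." lines count).
planned_upgrades() {
    awk '$1 == "Inst" { print $2 }'
}

# stdin: package names. stdout: the ones matching RISKY_PREFIXES.
risky_packages() {
    grep -E "$RISKY_PREFIXES" || true
}

# stdin: `apt-get -s upgrade` output. stdout: one "hold <pkg>" or
# "ok <pkg>" line per planned package, for the operator to review.
review_plan() {
    planned_upgrades | while IFS= read -r pkg; do
        if printf '%s\n' "$pkg" | grep -Eq "$RISKY_PREFIXES"; then
            printf 'hold %s\n' "$pkg"
        else
            printf 'ok %s\n' "$pkg"
        fi
    done
}

# Real run (as root, after `apt-get update`): hold risky packages, then
# upgrade the rest. Only executes when invoked as: sh patch-review.sh --apply
if [ "${1:-}" = "--apply" ]; then
    held=$(apt-get -s upgrade | planned_upgrades | risky_packages)
    if [ -n "$held" ]; then
        printf '%s\n' "$held" | xargs apt-mark hold
    fi
    apt-get upgrade
else
    printf '%s\n' "$SAMPLE_PLAN" | review_plan
fi
```

Without `--apply` the script only prints the review of the constructed sample; `apt-mark unhold` releases the packages later once a VM snapshot is in place to fall back to.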

                  • 6. Re: Patching VIRL
                    Matt

                    MCV, that is what we have been doing, apt-get update/upgrade, to mitigate these vulnerabilities.  There was a python issue yesterday and we patched that and, as you said, it broke the functionality in VIRL.  Had to redeploy the OVF and am now back working again, so that brought up the question today in our meeting: what should we do?  We do not need this inline with our prod network, so moving it to a DMZ wouldn't be too much of an issue.  When used inline with prod or, in my situation, on the domain, what are the risks of not patching python?  Thanks for the info.

                    • 7. Re: Patching VIRL
                      zx122982685

                      You bet Matt.  The risk with python is there is none as long as access to the environment is trusted and accounted for.  I've found value integrating some simulations with real Cisco gear using VIRL's flat and routed network plumbing.  There's no wrong way to do it, just preference.  The good news is you're one of a rare few that pay attention to security.

                      • 8. Re: Patching VIRL
                        Ramnes

                        Hi Matt

                        I also did an apt-get update/upgrade yesterday after my first installation of VIRL, and now nothing is working. Can you please share how you fixed this?


                        EDIT: VIRL is installed on a laptop with VMware Workstation.

                        • 9. Re: Patching VIRL
                          Matt

                          Ramnes, what errors are you seeing?  I haven't had any issues with apt-get update/upgrade yet, but that doesn't mean it couldn't have a negative impact in this particular instance.

                          • 10. Re: Patching VIRL
                            Ramnes

                            Hi Matt

                            I reinstalled VIRL and got it working that way.


                            Thanks

                            Jorn