No. Any device credentials entered into the scanner (both web and desktop versions) are sent directly from the local web browser or system to the locally run Java scanner application, and are never sent to the Active Advisor portal. Additionally, as devices are scanned, the scanner collects information such as 'show running-config' and sanitizes certain data before uploading to the Active Advisor portal, as detailed below.
Security Considerations for Cisco Active Advisor
Cisco Active Advisor is built upon standard web-based technologies to ensure the privacy and security of our customers' information. To this end, the following methods are in place:
Access to data is restricted using a cisco.com ID (username and password that should not be shared, and known only to the user). Data is only accessible to the user who scanned the data. A user may delete their account at any time, at which point their data will no longer be available in the service.
Access to the Cisco Active Advisor web service is provided only through secure communications over HTTPS (SSL/TLS). This standard web technology ensures that the data flows over the public internet only in encrypted form, so even if the data is intercepted en route from the user to Cisco Active Advisor, it is unreadable. HTTPS also provides other security measures such as confirming the identity of www.ciscoactiveadvisor.com when you connect to the site to guard against “man in the middle” attacks.
The Active Advisor web site takes additional measures to ensure the security of communications. For example, authentication cookies issued by Cisco Active Advisor are marked as secure and un-scriptable (HttpOnly flag) and all communications are protected against cross-site request forgery using appropriate security tokens.
The Active Advisor scanners use Java-based applications that run locally on the user's own machine. This means that the user's machine is the one connecting to and examining the various network entities that are being scanned. Credentials entered into the Active Advisor scanner are never forwarded to Cisco Active Advisor and remain on the user's machine only. The configuration and other device information derived from local scans is parsed locally, and sensitive information (usernames, passwords, SNMP community strings, keys, etc.) is removed prior to the data being sent to Cisco Active Advisor.
The default action of the scanner is to upload the results to the portal immediately following the scan. However, the user may, if desired, disable the automatic upload of scan results to Cisco Active Advisor in order to examine the contents to be uploaded, as shown in the following image:
After completing the scan the user can:
View the devices that were scanned successfully.
View the configuration of those devices to ensure that sensitive information has been correctly sanitized
Select which (if any) devices to upload to Cisco Active Advisor before initiating the actual upload by clicking on the “Upload Results” button.
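The manual review in the second step above can be backed by a script that scans a saved copy of the sanitized configuration for secret-bearing Cisco IOS lines that still carry a value. This is an added example, not Cisco's code or part of the scanner; the `<removed>` placeholder, the rule list and the sample configuration are assumptions constructed for illustration.

```python
import re

# Assumed marker for a sanitized value; the scanner's real marker may differ.
PLACEHOLDER = "<removed>"

# Cisco IOS commands whose argument is a secret; group "val" is the secret field.
RULES = [
    ("enable secret/password",
     re.compile(r"^enable (?:secret|password)(?: \d+)? (?P<val>\S+)")),
    ("local user credential",
     re.compile(r"^username \S+ .*?(?:secret|password)(?: \d+)? (?P<val>\S+)")),
    ("line password", re.compile(r"^\s+password(?: \d+)? (?P<val>\S+)")),
    ("SNMP community", re.compile(r"^snmp-server community (?P<val>\S+)")),
    ("ISAKMP pre-shared key",
     re.compile(r"^crypto isakmp key (?:\d+ )?(?P<val>\S+)")),
]

def find_unsanitized(config_text):
    """Return (line_no, rule_name) for each secret-bearing line not sanitized."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.match(line)
            if m and m.group("val") != PLACEHOLDER:
                findings.append((no, name))  # report location only, never the value
                break
    return findings

# Constructed sample: a partly sanitized running-config.
SAMPLE = """\
hostname lab-rtr1
enable secret 5 <removed>
username admin privilege 15 secret 5 $1$CONSTRUCTED$hash
snmp-server community <removed> RO
snmp-server community labstring RW
crypto isakmp key <removed> address 192.0.2.1
line vty 0 4
 password 7 0000CONSTRUCTED
 login
"""

if __name__ == "__main__":
    for no, name in find_unsanitized(SAMPLE):
        print(f"line {no}: {name} still present, review before upload")
```

An empty result only means none of the listed patterns matched; it does not replace reading the configuration before clicking "Upload Results".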