Do you have security policy requirements that need to be enforced on your routers and switches? One option to accomplish this task is to periodically check the configurations of all routers and switches by hand. This approach is painful and time-consuming. Another option is to use an application to automate the process. This is one of the areas where Cisco Network Compliance Manager (NCM) can assist. With NCM you can create policies that regularly check for elements of your security policy and alert you if they are not being met. NCM does this by first grabbing the router and switch configurations on a periodic basis. NCM then matches these configurations against the NCM policies that you create to reflect your security policy. Here’s an example showing how this would be configured within NCM.
In this example, we’re assuming that the security policy states that SNMP access to routers and switches must be limited by an access control list (ACL). The overall steps are listed below. We’ll go into each step in detail.
- Create a policy and define which devices the policy applies to
- Assign rules to the policy
- Test the policy
- Configure the policy to run at scheduled intervals
Creating the Policy
1. Access “Policies > New Policy”
2. Fill in the name of the policy and the device groups that will be checked with this policy
3. Click on “New Rule” to create a rule that defines the policy requirements.
4. In our case, we will be creating a rule for Cisco IOS devices that enforces an ACL to be applied to all SNMP community strings. This will control the IP addresses that can access the IOS devices via SNMP. The first step is to create a rule name and define the rule type. In our case, we will be looking at the configuration, so we will choose the “Configuration” type shown below. This will be the rule type used in most cases.
5. In the next section of the rule configuration, choose the device drivers that this rule applies to. In this example all device drivers that apply to Cisco IOS are chosen. This is shown below.
6. In the next section of the rule configuration, we define the rule. This rule should ensure that when an SNMP community string is defined in IOS, there is an associated ACL applied to limit which IP addresses can access the device via SNMP. An example of this command would be “snmp-server community MYSNMPSTRING RO 55”. In this example, the community string is MYSNMPSTRING, the SNMP community is read-only, and the ACL is 55. We must create a regular expression that will match that string as well as other valid strings. The full regular expression is shown below.
“snmp-server community [a-zA-Z0-9_]+ (RO|RW) [a-zA-Z0-9]+”
This regular expression starts with the fixed string “snmp-server community”. This is followed by a character class that allows lower case letters, upper case letters, digits, and _, repeated one or more times; this should match the community string. Next comes either RO or RW. Finally, another class of lower case letters, upper case letters, and digits matches the named or numbered standard ACL.
One important item is that the regular expression checkbox must be checked. If it is not checked, the expression in the text box will not be evaluated as a regular expression. Also highlighted in the screenshot below is the “get help” link, which provides additional information on regular expressions.
7. At the bottom of the rule creation screen, additional comments can be added. Once those are added, click “Save”.
8. Clicking “Save” brings you back to the policy configuration screen. At the bottom of this screen, add any additional comments and click “Save”.
9. Clicking “Save” on the policy configuration screen brings you back to the policy list. From here we can test the newly created policy. One method of testing is to click on the “Test” action in the far-right column of the policy row. This is shown below.
10. Clicking on “Test” displays another screen where the devices to test the policy on are chosen. Choose a device and click the “>>>” button to add the device. Then click “Perform Test” to run the policy against the device. This will happen quickly, because it operates on the last saved configuration that was retrieved from the device.
11. If the test fails, check the device configuration to see if it is in compliance. If the device is in compliance, check for errors in the regular expression. The screenshot below shows an example of a failed policy check.
12. Another method of testing the policy is to click on “Policies > Test Policy Compliance”. This method has the added benefit of allowing configuration commands to be entered into a text field and the policy check to be run against those commands. This is a quicker and easier way to troubleshoot issues with a policy.
13. In the “Test Policy Compliance” screen that appears, choose the policy that was just created, enter a sample SNMP command into the text box, and choose the device family. Then click “Perform Test”.
14. Using this method, you can easily check a number of different scenarios to make sure the policy rule is working as it should. The screenshot below shows the result from a successful policy check.
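As an added example that is not part of the original post and not NCM’s own code, the Python below runs the rule’s regular expression over a few constructed IOS configuration snippets, the way steps 12 to 14 do in the “Test Policy Compliance” screen. It assumes the rule is evaluated as “the configuration must contain a line matching the expression”; that is an assumption about how the NCM rule is set up, not something the post states. The `COMMUNITY_LINE` pattern and the `unrestricted_communities` helper are my additions, not part of the NCM rule. The three scenarios show a compliant device, a device where one community string is restricted and a second one is not (a must-contain rule built from this expression alone still passes it), and a community string containing a hyphen, which the rule’s character class does not match (the kind of false failure that step 11 tells you to look for).

```python
import re

# The regular expression from the NCM rule, exactly as written in the post.
RULE_PATTERN = re.compile(r"snmp-server community [a-zA-Z0-9_]+ (RO|RW) [a-zA-Z0-9]+")

# Hypothetical helper pattern (not part of the NCM rule): any community line of the
# same shape (string, RO/RW, optional ACL), with the ACL captured so its absence is visible.
COMMUNITY_LINE = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?$")

# Constructed sample configurations, not taken from the original page.
COMPLIANT = """\
hostname rtr1
snmp-server community MYSNMPSTRING RO 55
access-list 55 permit 10.1.1.0 0.0.0.255
"""

MIXED = """\
hostname rtr2
snmp-server community MYSNMPSTRING RO 55
snmp-server community public RO
"""

HYPHEN = """\
hostname rtr3
snmp-server community my-snmp-string RO 55
access-list 55 permit 10.1.1.0 0.0.0.255
"""


def rule_matches(config_text):
    """Emulate a 'configuration must contain' rule: True if any line matches the regex.

    Assumption: this is how the NCM rule in the post is evaluated.
    """
    return any(RULE_PATTERN.search(line.strip()) for line in config_text.splitlines())


def unrestricted_communities(config_text):
    """Return community lines that carry no ACL argument.

    This is the gap a single must-contain rule cannot see: once one community string
    has an ACL, the rule is satisfied even if another community string has none.
    """
    found = []
    for line in config_text.splitlines():
        m = COMMUNITY_LINE.match(line.strip())
        if m and m.group(3) is None:
            found.append(line.strip())
    return found


def evaluate(config_text):
    """Combine both checks into one verdict for a device configuration."""
    return {
        "rule_matches": rule_matches(config_text),
        "unrestricted": unrestricted_communities(config_text),
    }


if __name__ == "__main__":
    for name, cfg in (("rtr1", COMPLIANT), ("rtr2", MIXED), ("rtr3", HYPHEN)):
        result = evaluate(cfg)
        print(name, "rule matches:", result["rule_matches"],
              "unrestricted:", result["unrestricted"])
```

The second scenario is the reason a companion “must not contain” style check for community lines without an ACL is worth pairing with the rule from the post; the third is the reason to run several sample strings through “Test Policy Compliance” before trusting a failure, since a community string using characters outside the rule’s character class fails the check even though the ACL is present.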
Scheduling the Policy to Run
At this point, the policy has been defined. It still needs to be scheduled to run before it takes effect. As an analogy, this state is similar to defining an ACL but not applying it to an interface. The policy is scheduled by creating a new task. The steps for doing this are shown below.
1. Create a new task by accessing “Devices > Device Tasks > Check Policy Compliance”
2. Fill in the fields so that the task runs on the appropriate group, checks configuration policy compliance, and runs daily. This is shown below with the important fields in red.
3. Click on “Save Task”. Now the SNMP policy that was just created will run on a recurring daily basis. This also means that any new configuration policies assigned to the inventory group will run daily as well.