NOTE: This is Part 3 of a multi-blog post about network compliance.
In parts 1 and 2 of this blog series, I introduced the concept of 3-D Compliance, a model for achieving compliance nirvana for networks. Today, in Part 3, I’ll show how we use all three dimensions to close Cisco CVE-2018-0171, introduced in Part 2 of this series, and then how to maintain compliance on an ongoing basis as part of compliance lifecycle management.
Close the Vulnerability – Cisco CVE-2018-0171
When the Cisco Smart Install admin tool is enabled, it exposes an open port that allows unauthorized access to the device. Because Smart Install is not part of the stored configuration of these devices, detecting this issue requires Running State show commands. Now I address closing this CVE.
Knowing that each company has different response protocols for dealing with CVEs, Micro Focus Network Operations Management provides two ways for customers to close a vulnerability:
1 – The Micro Focus ITOM Marketplace provides a security and compliance service delivering policies for customers.
2 – Customers can create their own compliance policy to check the running state for Smart Install being enabled, cross checked against vulnerable OS versions, and can disable the Smart Install service as a quick fix.
Using Micro Focus NOM’s configuration and compliance capabilities makes this a simple, automated, ongoing function rather than a protracted project. Often, the complexity of scripting or manually closing down CVEs leads to partially compliant fixes or compliance violations that recur.
Below, you can see a simple yet powerful way to construct the logic required for this CVE.
What we’ve constructed is a way to:
- Find ONLY the affected devices by vendor/model, OS version, and running state (the vstack status is the key to knowing whether Smart Install is enabled, and the “show vstack” command gives you this status).
- Remediate the issue via the device command to disable vstack or, more permanently, by upgrading to a fixed OS version, both of which are features of NOM.
- Record the history of affected devices and when they were made compliant, which is critical for audit reports.
Since many network engineers will choose to keep Smart Install on devices for future use, turning it off with the “no vstack” command only disables it temporarily. When a user later enables it manually, Smart Install remains enabled even after the user logs out of the device, and, as is often the case in high-pressure situations, the user may forget to disable it afterwards.
The engineer could also upgrade the OS to remove the vulnerability, but this usually takes additional testing for production use. However, both options could be undone unwittingly by others in the organization over time. (Do you feel like that proverbial fox yet? You know the one chasing the rabbit round and round the track, and never winning the prize?) Obviously, to completely deal with this CVE, you need to continually monitor for its reappearance and automatically close it.
Maintaining 3-D Compliance
Since networks are dynamically changing, the job of maintaining compliance isn’t done with single fixes… it takes a broad and deep understanding of your network. Maintaining compliance also requires a continued process of ongoing maintenance of your network configuration.
This is referred to as the compliance lifecycle, and NOM provides a comprehensive solution to monitor and alert for changes, to remediate, and audit.
The Compliance Lifecycle:
- Build & Deploy Policy – Build and deploy policy for configuration, running state and software version. This is the baseline to maintain.
- Monitor & Notify – Continuous real-time monitoring of changes to all three axes, and notify those responsible to screen changes (often Operations).
- Check versus Policies – Check changes against defined policies and alert Engineering and/or Security Ops of severity.
- Remediate – Restore baseline quickly and automatically if possible. For new CVEs, check for vendor fixes, and construct new policy if required.
- Audit – Create audit reports to maintain record of changes.
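The CVE-2018-0171 policy described above (vendor/OS scope, “show vstack” running state, “no vstack” remediation, audit history) and the five lifecycle steps are put together in the following added example. It is illustrative code written for this post, not Micro Focus NOM’s own implementation; the device inventory, the IOS version strings and the “show vstack config” captures are constructed, and the list of affected releases is a placeholder that in practice must be taken from Cisco’s advisory.

```python
# Added example (not Micro Focus NOM's own code): a minimal 3-D compliance
# policy and lifecycle loop for CVE-2018-0171 (Cisco Smart Install).
# Assumptions: device data, version strings and 'show vstack config' output
# are constructed; the vulnerable-version list must come from Cisco's advisory.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# PLACEHOLDERS ONLY: replace with the affected-release list from the advisory.
VULNERABLE_IOS = {"15.2(2)E-PLACEHOLDER", "15.2(4)E-PLACEHOLDER"}

# Constructed 'show vstack config' captures, following the line Cisco's
# advisory says to look for: "Role: Client (SmartInstall enabled)".
VSTACK_ENABLED = "Role: Client (SmartInstall enabled)\n Vstack Director IP address: 0.0.0.0\n"
VSTACK_DISABLED = "Role: Client (SmartInstall disabled)\n Vstack Director IP address: 0.0.0.0\n"
VSTACK_RE = re.compile(r"Role:\s*Client\s*\(SmartInstall\s+(enabled|disabled)\)", re.I)


@dataclass
class Device:
    hostname: str
    vendor: str        # dimension 1: configuration / inventory
    os_version: str    # dimension 2: software version
    show_vstack: str   # dimension 3: running state (output of 'show vstack config')


@dataclass
class AuditEntry:
    hostname: str
    trigger: str       # 'baseline', 'running_state_change' or 'os_upgrade'
    result: str        # policy result before any remediation
    action: str        # device command issued, or '' if none
    final: str         # policy result after remediation


def smart_install_enabled(show_vstack_output: str) -> Optional[bool]:
    """Parse the running state; None means the output could not be parsed."""
    m = VSTACK_RE.search(show_vstack_output)
    return None if m is None else m.group(1).lower() == "enabled"


def evaluate(dev: Device) -> str:
    """Policy: only Cisco devices on an affected release are in scope; an
    in-scope device with Smart Install enabled is a violation."""
    if dev.vendor.lower() != "cisco" or dev.os_version not in VULNERABLE_IOS:
        return "not_applicable"
    state = smart_install_enabled(dev.show_vstack)
    if state is None:
        return "unknown"       # never treat unparseable output as compliant
    return "violation" if state else "compliant"


class ComplianceLifecycle:
    """Build & deploy -> monitor -> check -> remediate -> audit."""

    def __init__(self, inventory: List[Device]) -> None:
        self.devices: Dict[str, Device] = {d.hostname: d for d in inventory}
        self.audit: List[AuditEntry] = []

    def _remediate(self, dev: Device) -> str:
        # Quick fix from the post: 'no vstack'.  Pushing the command to the
        # device is simulated here by rewriting the captured running state.
        dev.show_vstack = VSTACK_DISABLED
        return "no vstack"

    def _check(self, dev: Device, trigger: str) -> AuditEntry:
        result = evaluate(dev)
        action = self._remediate(dev) if result == "violation" else ""
        entry = AuditEntry(dev.hostname, trigger, result, action, evaluate(dev))
        self.audit.append(entry)       # audit history of every check
        return entry

    def build_and_deploy(self) -> List[AuditEntry]:
        return [self._check(d, "baseline") for d in self.devices.values()]

    def on_running_state_change(self, hostname: str, new_output: str) -> AuditEntry:
        dev = self.devices[hostname]
        dev.show_vstack = new_output   # monitor: new 'show vstack config' capture
        return self._check(dev, "running_state_change")

    def on_os_upgrade(self, hostname: str, new_version: str) -> AuditEntry:
        dev = self.devices[hostname]
        dev.os_version = new_version   # monitor: software version changed
        return self._check(dev, "os_upgrade")

    def open_findings(self) -> List[str]:
        return [h for h, d in self.devices.items() if evaluate(d) in ("violation", "unknown")]


def sample_inventory() -> List[Device]:
    """Constructed devices for the example; not real hosts."""
    return [
        Device("sw-core-1", "Cisco", "15.2(2)E-PLACEHOLDER", VSTACK_ENABLED),
        Device("sw-access-7", "Cisco", "15.2(2)E-PLACEHOLDER", VSTACK_DISABLED),
        Device("sw-lab-3", "Cisco", "15.2(7)E-FIXED-PLACEHOLDER", VSTACK_ENABLED),
        Device("rtr-edge-1", "Juniper", "18.4R3-PLACEHOLDER", "error: unknown command"),
    ]


if __name__ == "__main__":
    lc = ComplianceLifecycle(sample_inventory())
    lc.build_and_deploy()
    # An engineer re-enables Smart Install by hand; the monitor picks it up.
    lc.on_running_state_change("sw-core-1", VSTACK_ENABLED)
    for e in lc.audit:
        print(f"{e.hostname:12} {e.trigger:21} {e.result:15} {e.action or '-':10} {e.final}")
```

Two design points matter for the argument in this post. First, the scope test (vendor plus affected release) runs before the running-state test, so a device with Smart Install enabled on a fixed OS is reported as not applicable rather than as a violation, which mirrors the OS-upgrade remediation path. Second, unparseable “show vstack” output yields “unknown” and stays in the open findings; silently treating it as compliant is exactly how the fox keeps losing the rabbit.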
Summary of 3-D Compliance…
While many network engineering departments have focused, and continue to focus, on a single dimension of compliance, 3-D Compliance looks more comprehensively at all three dimensions of network compliance beyond configuration, including the OS version and what is actually happening on the device. This model continuously identifies network vulnerabilities, preventing data loss, downtime, and even penalties. These issues typically require a broader view of compliance criteria than just the configuration details.
Have we achieved compliance nirvana yet? No, but you now have a model to look holistically at your network security and tools that help enable and maintain it, even as you transition to new software-defined and virtual network technologies. But that’s for a future blog – stay tuned!
For more information, contact your Micro Focus representative or download the trial at:
Network Operations Management