Hey again, folks! Last week we tackled how Runbook automation can help us perform an MPLS Carrier Assessment. This week, we’re going to outline how a network vulnerability assessment using a Runbook helps you easily confirm that your network devices are access-hardened.
Once you either complete a network’s initial configuration or take over management of an existing network, one of your first actions should always be to ensure all the network’s devices are properly hardened. Here’s how you can use this Runbook to help prevent unauthorized access to your devices:
Step 1: Check Unsafe SNMPV2 Strings
As usual, we begin by running a Qapp; in this instance, “Check Unsafe SNMPV2 Strings.” You can see in the screen capture below that it’s arranged at the top of the Network Vulnerability workflow on the left.
This Qapp automatically checks the SNMPV2 community strings for each device on your network map. If there are any public/private strings found, the corresponding device will be highlighted in red (if not found, the device will be green.)
As you can see, each of the three red-highlighted devices above needs its public strings excised.
Fortunately, you can quickly make a note of each offending device directly within the “Notepad” tool in the Qapp—no application switching required. Note that if your network uses a different SNMP version, you can run a different version of this Qapp.
Step 2: Check SSH Access
Your next step is to ensure that your VTY lines are set to SSH (as opposed to Telnet). The “Check SSH Access” Qapp peruses each device’s configuration file and highlights any missing SSH configs in red.
Plus, a handy sticky note automatically pops up next to each device, specifying precisely which VTY lines require repair. How cool is that?
Step 3: Check Password Encryption
Since this Runbook is all about security, it continues to the “Check Password Encryption” Qapp.
This Qapp ensures all devices on your network are storing their passwords hashed and/or encrypted. Devices highlighted yellow or red should be switched to “enable secret” or an equivalent.
Additionally, with just a couple of simple clicks you can pop open a config and see a password stored in plaintext. Not good!
Step 4: Check VTY Exec-Timeout
Finally, this Qapp examines each device and informs you which ones have VTY exec-timeout values greater than 10 minutes. Recall that while high values save you aspirin during network build-out, they’re a vulnerability once you put the network into production, and should be lowered to 10 minutes or less.
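The four checks above are all simple pattern matches against a device's running config, so here is an added example (not NetBrain's Qapp code) that runs them offline against Cisco IOS-style configs. The device names R1 and R2 and their configs are constructed samples; the script goes slightly beyond the post in one respect: it also flags "exec-timeout 0 0", which disables the idle timeout entirely rather than merely exceeding 10 minutes.

```python
"""Offline audit of IOS-style running configs for the four Runbook checks:
unsafe SNMPv2 communities, non-SSH VTY transport, plaintext passwords and
long VTY exec-timeouts. Added example, not NetBrain code; configs below are
constructed samples, not real devices."""
import re

# Constructed sample configs (hypothetical devices R1 and R2).
SAMPLE_CONFIGS = {
    "R1": """\
hostname R1
enable password cisco123
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 exec-timeout 30 0
 transport input telnet ssh
line vty 5 15
 exec-timeout 0 0
 transport input ssh
""",
    "R2": """\
hostname R2
service password-encryption
enable secret 5 $1$abcd$constructedhashvalue
snmp-server community s3cureStr1ng RO 10
line vty 0 4
 exec-timeout 5 0
 transport input ssh
""",
}

UNSAFE_COMMUNITIES = {"public", "private"}   # well-known default strings
MAX_EXEC_TIMEOUT_SEC = 10 * 60                # post's 10-minute ceiling


def check_snmp_communities(config):
    """Step 1: return SNMPv2 community strings that are well-known defaults."""
    found = re.findall(r"^snmp-server community (\S+)", config, re.M)
    return [c for c in found if c.lower() in UNSAFE_COMMUNITIES]


def parse_vty_lines(config):
    """Return one dict per 'line vty' block: range, transport list, timeout (s).
    timeout is None when no exec-timeout command is present."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = {"range": raw[len("line vty "):].strip(),
                       "transport": None, "timeout": None}
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            cmd = raw.strip()
            if cmd.startswith("transport input"):
                current["transport"] = cmd.split()[2:]
            elif cmd.startswith("exec-timeout"):
                parts = cmd.split()
                minutes = int(parts[1])
                seconds = int(parts[2]) if len(parts) > 2 else 0
                current["timeout"] = minutes * 60 + seconds
        else:
            current = None          # any unindented line ends the block
    return blocks


def check_ssh_access(config):
    """Step 2: return VTY ranges that allow something other than SSH.
    A missing 'transport input' is treated as a finding here (defaults vary by platform)."""
    bad = []
    for b in parse_vty_lines(config):
        t = b["transport"]
        if t is None or any(x not in ("ssh", "none") for x in t):
            bad.append(b["range"])
    return bad


def check_password_encryption(config):
    """Step 3: return findings about plaintext or missing hashed passwords."""
    findings = []
    if re.search(r"^enable password\b", config, re.M):
        findings.append("enable password present; replace with 'enable secret'")
    if not re.search(r"^enable secret\b", config, re.M):
        findings.append("no 'enable secret' configured")
    if not re.search(r"^service password-encryption\b", config, re.M):
        findings.append("'service password-encryption' not enabled")
    return findings


def check_exec_timeout(config):
    """Step 4: return VTY ranges whose exec-timeout exceeds 10 minutes.
    'exec-timeout 0 0' disables the timeout entirely and is reported too."""
    bad = []
    for b in parse_vty_lines(config):
        t = b["timeout"]
        if t is None:
            continue                # absent command: IOS default of 10 min passes
        if t == 0 or t > MAX_EXEC_TIMEOUT_SEC:
            bad.append(b["range"])
    return bad


def audit(configs):
    """Run all four checks; keep only failing checks per device (empty dict = green)."""
    report = {}
    for name, cfg in configs.items():
        results = {
            "snmp_unsafe_communities": check_snmp_communities(cfg),
            "vty_not_ssh_only": check_ssh_access(cfg),
            "password_encryption": check_password_encryption(cfg),
            "vty_exec_timeout": check_exec_timeout(cfg),
        }
        report[name] = {k: v for k, v in results.items() if v}
    return report


if __name__ == "__main__":
    for device, issues in audit(SAMPLE_CONFIGS).items():
        print(f"{device}: {'RED' if issues else 'GREEN'}")
        for check, items in issues.items():
            print(f"  {check}: {items}")
```

Running it marks R1 red on all four checks (public/private communities, Telnet permitted on vty 0 4, a plaintext enable password, and both an oversized and a disabled exec-timeout) and R2 green. The parser only understands the indented-block layout of IOS-style configs; other vendors' syntaxes would need their own parsing before the same checks apply.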
Once you’ve checked up on your VTY exec-timeout values, you can save this Runbook for collaboration, escalation, postmortem, et cetera. Fortunately, the Runbook is embedded right in the .qmap file alongside all data you’ve pulled as part of your assessment. Thus, you can upload it to a file server, and all the data uploads right along with it. You can even go back in and access each individual step and peruse the raw data that was pulled during its process.
As always, remember that Runbooks are a breeze to build and are completely customizable!
So, that’s my quick overview of network vulnerability assessment in NetBrain. If you want to watch a short video of me walking through this Runbook, click here.