Runbook of the Week: Network Vulnerability Assessment

By Matthew Speidel March 25, 2017 3 minute read
Matt is NetBrain's Technical Training Engineer, the first stop for all how-to questions about the NetBrain platform. He's been with NetBrain since 2015. When he's not answering technical questions or making tutorial videos, Matt enjoys reading, writing, and playing video games. He is also an avid historical reenactor.

Hey again, folks! Last week we tackled how Runbook automation can help us perform an MPLS Carrier Assessment. This week, we’re going to outline how a network vulnerability assessment using a Runbook helps you easily confirm that your network devices are access-hardened.

Flow of a NetBrain Runbook for Network Vulnerability Assessment

Once you either complete a network’s initial configuration or take over management of an existing network, one of your first actions should always be to ensure all the network’s devices are properly hardened. Here’s how you can use this Runbook to help prevent unauthorized access to your devices:

Step 1: Check Unsafe SNMPV2 Strings

As usual, we begin by running a Qapp; in this instance, “Check Unsafe SNMPV2 Strings.” You can see in the screen capture below that it’s arranged at the top of the Network Vulnerability workflow on the left.

Checking for unsafe SNMP strings with a NetBrain Runbook

This Qapp automatically checks the SNMPV2 community strings for each device on your network map. If any public or private strings are found, the corresponding device is highlighted in red (if none are found, the device is green).

As you can see, each of the three red-highlighted devices above needs its public string excised.

Fortunately, you can quickly make a note of each offending device directly within the “Notepad” tool in the Qapp—no application switching required. Note that if your network uses a different SNMP version, you would run a different version of this Qapp.

Step 2: Check SSH Access

Your next step is to ensure that your VTY lines are set to SSH (as opposed to Telnet). The “Check SSH Access” Qapp peruses each device’s configuration file and highlights any missing SSH configs in red.

Checking SSH with a NetBrain Runbook

Plus, a handy sticky note automatically pops up next to each device, specifying precisely which VTY lines require repair. How cool is that?

Step 3: Check Password Encryption

Since this Runbook is all about security, it continues to the “Check Password Encryption” Qapp.

Checking that all passwords are encrypted with a NetBrain Runbook

This Qapp ensures all devices on your network are storing their passwords hashed and/or encrypted. Devices highlighted yellow or red should be switched to “enable secret” or an equivalent.

Additionally, with just a couple simple clicks you can pop open a config and see a password stored in plaintext. Not good!

Step 4: Check VTY Exec-Timeout

Finally, the “Check VTY Exec-Timeout” Qapp examines each device and reports which ones have VTY exec-timeout values greater than 10 minutes. Recall that while high values save you aspirin during network build-out, they are a vulnerability once you put the network into production and should be lowered to 10 minutes or less.

Checking VTY exec-timeout with a NetBrain Runbook
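To make the four checks concrete outside the NetBrain UI, here is an added Python example (my own, not NetBrain's code and not from the original post) that runs the same four tests over a constructed Cisco IOS-style running-config. The default community-string list, the 10-minute ceiling, the ssh-only transport rule and treating “exec-timeout 0 0” as a disabled timeout are assumptions I have made for the demo.

```python
import re

# Constructed IOS-style running-config for the demo (not taken from the page).
SAMPLE_CONFIG = """\
enable password cisco123
snmp-server community public RO
snmp-server community s3cureRO RO
line vty 0 4
 transport input telnet ssh
 exec-timeout 30 0
line vty 5 15
 transport input ssh
 exec-timeout 0 0
"""
UNSAFE_COMMUNITIES = {"public", "private"}  # assumed factory-default strings
MAX_TIMEOUT_MIN = 10

def vty_blocks(cfg):
    """Yield (name, [child lines]) for every 'line vty' section of an IOS config."""
    name, body = None, []
    for line in cfg.splitlines() + ["!"]:  # sentinel flushes the final block
        if name and line.startswith(" "):
            body.append(line.strip())
            continue
        if name:
            yield name, body
        name, body = (line.strip(), []) if line.startswith("line vty") else (None, [])

def check_config(cfg):
    """Return (check, detail) findings mirroring the Runbook's four steps."""
    findings = []
    # Step 1: factory-default SNMPv2 community strings
    for m in re.finditer(r"^snmp-server community (\S+)", cfg, re.M):
        if m.group(1).lower() in UNSAFE_COMMUNITIES:
            findings.append(("snmp", f"community '{m.group(1)}' is a default string"))
    # Step 3: 'enable password' is reversible; 'enable secret' stores a hash
    if re.search(r"^enable password ", cfg, re.M):
        findings.append(("password", "enable password should be enable secret"))
    # Steps 2 and 4: per-VTY transport and idle timeout
    for name, body in vty_blocks(cfg):
        transport = [ln.split()[2:] for ln in body if ln.startswith("transport input")]
        if transport != [["ssh"]]:  # missing, or allows telnet alongside ssh
            findings.append(("ssh", f"{name}: transport input is not ssh-only"))
        for ln in body:
            if ln.startswith("exec-timeout"):
                mins, secs = int(ln.split()[1]), int(ln.split()[2])
                # 'exec-timeout 0 0' disables the idle timeout altogether
                if mins + secs == 0 or mins + secs / 60 > MAX_TIMEOUT_MIN:
                    findings.append(("timeout", f"{name}: exec-timeout {mins} {secs}"))
    return findings
```

Running `check_config(SAMPLE_CONFIG)` flags the public community, the reversible enable password, the telnet-capable VTY range, and both out-of-policy timeouts.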


Once you’ve checked up on your VTY exec-timeout values, you can save this Runbook for collaboration, escalation, postmortem, et cetera. Fortunately, the Runbook is embedded right in the .qmap file alongside all data you’ve pulled as part of your assessment. Thus, you can upload it to a file server, and all the data uploads right along with it. You can even go back in and access each individual step and peruse the raw data that was pulled during its process.

As always, remember that Runbooks are a breeze to build and are completely customizable!

So, that’s my quick overview of MPLS carrier assessment in NetBrain. If you want to watch a short video of me walking through this Runbook, click here.