R12.1 Project-2025/11/05

Network Security

You can encrypt a variety of sensitive data in the configuration file of each device and on the user interface using the Enable Encryption for Sensitive Data option.


Check Box: Enable Encryption for Sensitive Data
Default Value: Enabled
Description: If this check box is not selected, the encryption for sensitive data is disabled and you cannot select either of the following two encryption methods.

The sensitive data include:

  • Line and console passwords
  • Local user passwords
  • Enable passwords
  • Enable Secret
  • SNMP community string
  • TACACS and Radius keys
  • VPN Keys and/or Certs
  • SSH Private keys (these may show up on CSS devices)

Check Box: Mask Data at Back-end (no traceback)
Default Value: Enabled
Description: This method allows you to replace the matched texts both in the database and the UI with asterisks (***).

Check Box: Only Mask Data on User Interface
Default Value: Disabled
Description: This method allows you to replace the matched texts displayed in the UI with asterisks (***). Note that the corresponding texts are not replaced in the database.

Note: Any changes to the settings will take effect starting from the next discovery and benchmark task.

Hiding Sensitive Information in Device Config Files

Specific texts in device config files can be hidden by replacing them with "********". This section specifies how the settings that control this replacement must be provided.

Format of Settings

Specify your settings as multi-line text. Each line must have the following form (the angle brackets only mark the fields; there are no spaces between them):

<mode_selection><part_a>|<part_b>|<part_c>\r\n
  • mode_selection: one of "exact_prefix:" (note the colon), "regex_replacement:" and "" (empty string). You use this field to select the mode of text processing, exact_prefix or regex_replacement; if you use an empty string "", the mode defaults to exact_prefix.
  • part_a: a list of device type IDs, each represented by an int32_t, in CSV format. No "|", "\r" or "\n" characters are allowed.
  • |: a vertical bar character "|".
  • part_b: a string that will be prepended to each replaced line in a device config file. No "|", "\r" or "\n" characters are allowed.
  • |: another vertical bar character "|".
  • part_c: a list of fields in CSV format describing how lines in device config files should be replaced. No "\r" or "\n" characters are allowed.
Note: For each mode, a given device type ID should NOT appear more than once. If it does, the last appearance takes effect. If a line of settings has a bad format, the whole line will be ignored.

Examples

Exact_prefix Mode

You can provide a list of keywords in part_c. For each line in a device config file, all leading blank characters (that is, tab '\t' and space ' ') are skipped. Then, if the remainder starts with one of the provided keywords (use key to denote this keyword), a replacement will take place. The whole line will become (again, the angle brackets only mark the parts):

<leading blank characters><part_b><key> ********

If a keyword is a prefix of another, the shorter takes effect in the replacement.

Example 1

Given the following line of settings:

exact_prefix:2008,4020|###|set admin user blah,set admin user

If device 4020 has the following line in its config file:

set admin user blah abcdef890

The line will be substituted with:

###set admin user ********

Regex_replacement Mode

You should provide a list of Perl regular expressions in part_c. In order to replace a line in the config file using a regex, the regex must match the whole config line without its "\r\n". In the regex, use parenthesis-enclosed capture groups "(...)" to specify the parts of the config line that you would like to erase in the outcome. Each such capture group will be replaced with " ******** ". In addition, nested parentheses are ignored: only the outermost capture group is replaced, as a whole.

Example 2

Given the following line of settings:

regex_replacement:2008,4020|!@#|"set admin user(.*)set admin pass(.*) OK",set admin user(.*)set admin pass((.*) OK).+

If device 2008 has the following line in its config file:

set admin user username; set admin pass PASSWORD OK; and something more

The line will be substituted with:

!@#set admin user ******** set admin pass ******** ; and something more

Order of Processing

Sensitive information in device config files is hidden according to the following two rules:

  • exact_prefix mode is evaluated first. For any line in the config file, if it is successfully replaced under an exact_prefix rule, the processing of this line is considered done. Even if there is a regex that matches the line, it will not be considered.
  • Regular expressions in the regex list are considered in the order of their appearance in the settings. If a regex successfully matches, all remaining regexes are ignored for this line.
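The following is an added reference implementation of the settings format and of both masking modes, covering the settings format, Example 1, Example 2 and the order of processing above. It is example code written for this page, not NetBrain's own code. The sample settings embedded in it are constructed: lines 1 and 2 reproduce Examples 1 and 2, line 3 is deliberately malformed, and line 4 shows the empty mode_selection and a repeated device ID. Two points are assumptions rather than statements from the page: part_c is taken as everything after the second "|" (the page forbids "|" only in part_a and part_b, so a regex may contain alternation), and a line whose regex fails to compile is treated as a bad-format line and ignored. Python's re module stands in for Perl regular expressions.

```python
import csv
import re

MASK = "********"
MODES = ("exact_prefix", "regex_replacement")

# Constructed sample settings (not from any real deployment): lines 1-2 are Examples 1
# and 2 from the text; line 3 is malformed (only one "|") and must be ignored; line 4 has
# an empty mode_selection (= exact_prefix) and, naming 2008 again, replaces its line-1 rule.
SAMPLE_SETTINGS = (
    "exact_prefix:2008,4020|###|set admin user blah,set admin user\r\n"
    "regex_replacement:2008,4020|!@#|"
    '"set admin user(.*)set admin pass(.*) OK",set admin user(.*)set admin pass((.*) OK).+\r\n'
    "exact_prefix:9999|bad line with only one bar\r\n"
    "2008|>>|snmp-server community\r\n"
)


def top_level_groups(pattern):
    """1-based numbers of the capture groups not nested inside another group. Groups are
    numbered by their opening "(", so a scan of the pattern text suffices: escapes and
    [...] classes are skipped; "(?...)" is non-capturing except named groups "(?P<...>"."""
    top, depth, group_no, in_class, i = [], 0, 0, False, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 2  # skip the escaped character
            continue
        if in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch == "(":
            if not pattern.startswith("(?", i) or pattern.startswith("(?P<", i):
                group_no += 1
                if depth == 0:
                    top.append(group_no)
            depth += 1
        elif ch == ")":
            depth -= 1
        i += 1
    return top


def parse_settings(text):
    """Return {mode: {device_id: (part_b, rule_list)}}. A malformed line is dropped whole;
    a device listed twice in one mode keeps its last line. part_c is everything after the
    second "|" (assumption: the page forbids "|" only in part_a and part_b)."""
    rules = {mode: {} for mode in MODES}
    for line in text.splitlines():
        mode = "exact_prefix"  # empty mode_selection defaults to exact_prefix
        for candidate in MODES:
            if line.startswith(candidate + ":"):
                mode, line = candidate, line[len(candidate) + 1:]
                break
        pieces = line.split("|", 2)
        if len(pieces) != 3:
            continue
        part_a, part_b, part_c = pieces
        try:
            device_ids = [int(tok) for tok in part_a.split(",") if tok.strip()]
            fields = [f for f in next(csv.reader([part_c]), []) if f]
            if mode == "regex_replacement":
                fields = [(re.compile(f), top_level_groups(f)) for f in fields]
        except (ValueError, re.error):
            continue  # bad device ID, CSV quoting or regex: ignore the whole line
        for dev in device_ids if fields else []:
            rules[mode][dev] = (part_b, fields)
    return rules


def apply_exact_prefix(line, part_b, keywords):
    """Skip leading tabs/spaces; if the rest starts with a keyword, keep the shortest
    matching keyword and mask everything after it. None if no keyword matches."""
    body = line.lstrip(" \t")
    hits = [k for k in keywords if body.startswith(k)]
    if not hits:
        return None
    return line[: len(line) - len(body)] + part_b + min(hits, key=len) + " " + MASK


def apply_regex_replacement(line, part_b, compiled_rules):
    """First regex (in settings order) that matches the whole line wins; each top-level
    capture group that participated becomes " ******** ". None if nothing matches."""
    for pattern, top in compiled_rules:
        match = pattern.fullmatch(line)
        if match is None:
            continue
        out, pos = [], 0
        for g in top:
            start, end = match.span(g)
            if start >= 0:
                out.extend((line[pos:start], " " + MASK + " "))
                pos = end
        return part_b + "".join(out) + line[pos:]
    return None


def mask_line(line, device_id, rules):
    """Order of processing: exact_prefix first; the regexes only if it did not fire."""
    line = line.rstrip("\r\n")
    exact = rules["exact_prefix"].get(device_id)
    masked = apply_exact_prefix(line, *exact) if exact else None
    if masked is None and device_id in rules["regex_replacement"]:
        masked = apply_regex_replacement(line, *rules["regex_replacement"][device_id])
    return line if masked is None else masked
```

To mask a whole config file, call mask_line on each line of the file with that device's type ID and join the results. With the constructed settings, parse_settings(SAMPLE_SETTINGS) gives device 4020 the Example 1 keywords and the Example 2 regexes, while device 2008 keeps only the regexes plus the "snmp-server community" keyword from line 4, because its line-1 exact_prefix rule was overridden by the later line; device 9999 gets no rule at all, since its line is malformed.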