NOTE: This is Part 3 of a multi-blog post about network compliance.

In part 1 and part 2 of this blog series, I introduced the concept of 3-D Compliance, a model for achieving compliance nirvana for networks. Today, in Part 3, I'll show how we use all three dimensions to close the Cisco CVE-2018-0171 introduced in Part 2 of this blog series. I will also discuss how to maintain compliance on an ongoing basis as part of compliance lifecycle management.

Close the Vulnerability – Cisco CVE-2018-0171

When the Cisco Smart Install admin tool is enabled, it provides an open port for unauthorized access to the device. Since Smart Install is not part of the configuration of these devices, detecting this issue requires the use of running-state show commands.

Knowing that each company has different response protocols for dealing with CVEs, Micro Focus Network Operations Management provides two ways for customers to close a vulnerability:
1 – The Micro Focus ITOM Marketplace provides a security and compliance service delivering policies for customers.
2 – Customers can create their own compliance policy to check the running state for Smart Install being enabled, cross-checked against vulnerable OS versions, and can disable the Smart Install service as a quick fix.

Using Micro Focus NOM's configuration and compliance capabilities makes this a simple and automated ongoing function versus a protracted project. Often, the complexity required to create scripts to close down CVEs, or to close them manually, leads to partially compliant fixes or compliance violations that reoccur.

Below, you can see a simple yet powerful way to construct the logic required for this CVE.

Find ONLY the affected devices by vendor/model, OS, and running state (the vstack status is the key to knowing whether Smart Install is enabled, and the "show vstack" command gives you this status).
Remediate the issue via the device command to disable vstack, or more permanently by upgrading to a fixed OS version, both of which are features of NOM.
Record the history of affected devices and when they were made compliant, which is critical for audit reports.

As many network engineers will choose to keep Smart Install on devices for future use, turning it off using the "no vstack" command will only temporarily disable it. Subsequently, when a user manually enables it, Smart Install remains enabled even when the user logs out of the device. And, as is often the case in high-pressure situations, the engineer may forget to disable it afterwards. The engineer could also upgrade the OS to remove the vulnerability, but this usually takes additional testing for production use.

However, both options could be undone unwittingly by others in the organization over time. Obviously, to completely deal with this CVE, you need to continually monitor for its reappearance and automatically close it. Since networks are dynamically changing, the job of maintaining compliance isn't done with single fixes… it takes a broad and deep understanding of your network. (Do you feel like that proverbial fox yet? You know, the one chasing the rabbit round and round the track, and never winning the prize?)

Maintaining compliance also requires a continued process of ongoing maintenance of your network configuration. This is referred to as the compliance lifecycle, and NOM provides a comprehensive solution to monitor and alert for changes, to remediate, and to audit:
Build & Deploy Policy – Build and deploy policy for configuration, running state and software version.
Monitor & Notify – Continuous real-time monitoring of changes to all three axes, and notify those responsible to screen changes (often Operations).
Check versus Policies – Check changes against defined policies and alert Engineering and/or Security Ops of the severity.
Remediate – Restore baseline quickly and automatically if possible.
Audit – Create audit reports to maintain a record of changes. For new CVEs, check for vendor fixes, and construct new policy if required.
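The find / remediate / record logic described for this CVE, together with the "reappearance" check the compliance lifecycle calls for, as an added Python example that is not NOM's own code or the author's. It assumes an operator has already captured "show version" and "show vstack" output per device; the hostnames, the captured text, and the vulnerable-version set are constructed for the demonstration (in practice the set is populated from the Cisco advisory), and the "SmartInstall enabled/disabled" wording it parses is an assumption modelled on IOS output that should be checked against your platforms.

```python
"""Compliance check for Cisco Smart Install (vstack) running state.

Added example, not Micro Focus NOM code. Assumes the 'show version' and
'show vstack' text has already been collected from each device.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed demo values: in production, populate from the vendor advisory.
VULNERABLE_IOS_VERSIONS = {"15.0(2)SE", "15.2(2)E"}

# Commands named in the post: running-state detection and the quick fix.
DETECT_COMMAND = "show vstack"
QUICK_FIX_COMMAND = "no vstack"


@dataclass
class DeviceState:
    hostname: str
    vendor: str
    show_version: str   # captured 'show version' text
    show_vstack: str    # captured 'show vstack' text


@dataclass
class Finding:
    hostname: str
    os_version: Optional[str]
    smart_install_enabled: bool
    os_vulnerable: bool
    status: str                  # "affected", "compliant" or "not_applicable"
    remediation: Optional[str]   # quick-fix command when affected


def parse_ios_version(show_version: str) -> Optional[str]:
    """Pull the IOS version token (e.g. 15.0(2)SE) out of 'show version' output."""
    m = re.search(r"Version\s+([\w.()]+)", show_version)
    return m.group(1) if m else None


def smart_install_enabled(show_vstack: str) -> bool:
    """Assumption: IOS reports 'SmartInstall enabled' or 'SmartInstall disabled'
    on the Role line. A missing line is treated as not enabled."""
    m = re.search(r"SmartInstall\s+(enabled|disabled)", show_vstack, re.IGNORECASE)
    return bool(m) and m.group(1).lower() == "enabled"


def evaluate(device: DeviceState) -> Finding:
    """Policy: Cisco device AND Smart Install enabled AND vulnerable OS = affected."""
    if device.vendor.lower() != "cisco":
        return Finding(device.hostname, None, False, False, "not_applicable", None)
    version = parse_ios_version(device.show_version)
    enabled = smart_install_enabled(device.show_vstack)
    vulnerable = version in VULNERABLE_IOS_VERSIONS
    if enabled and vulnerable:
        return Finding(device.hostname, version, enabled, vulnerable, "affected", QUICK_FIX_COMMAND)
    return Finding(device.hostname, version, enabled, vulnerable, "compliant", None)


def assess_fleet(devices):
    """Run the policy over every captured device."""
    return [evaluate(d) for d in devices]


def affected_hosts(findings):
    return sorted(f.hostname for f in findings if f.status == "affected")


def regressions(previous, current):
    """Hosts that were compliant in the last run and are affected now: the
    'reappearance' (someone re-enabled Smart Install) the lifecycle must catch."""
    prev = {f.hostname: f.status for f in previous}
    return sorted(f.hostname for f in current
                  if f.status == "affected" and prev.get(f.hostname) == "compliant")


def audit_record(finding: Finding, when: Optional[datetime] = None) -> dict:
    """One audit-trail row: what was found, what action applies, and when."""
    when = when or datetime.now(timezone.utc)
    return {
        "hostname": finding.hostname,
        "os_version": finding.os_version,
        "smart_install_enabled": finding.smart_install_enabled,
        "status": finding.status,
        "action": finding.remediation or "none",
        "checked_at": when.isoformat(),
    }


# Constructed sample captures (not real device output).
SAMPLE_DEVICES = [
    DeviceState("sw-core-01", "Cisco",
        "Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE, RELEASE SOFTWARE (fc1)",
        " Role: Client (SmartInstall enabled)\n Vstack Director IP address: 0.0.0.0"),
    DeviceState("sw-access-07", "Cisco",
        "Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(7)E, RELEASE SOFTWARE (fc2)",
        " Role: Client (SmartInstall enabled)\n Vstack Director IP address: 0.0.0.0"),
    DeviceState("sw-access-12", "Cisco",
        "Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE, RELEASE SOFTWARE (fc1)",
        " Role: Client (SmartInstall disabled)\n Vstack Director IP address: 0.0.0.0"),
    DeviceState("rtr-edge-01", "Juniper", "Junos: 18.4R3", ""),
]

if __name__ == "__main__":
    findings = assess_fleet(SAMPLE_DEVICES)
    for f in findings:
        print(audit_record(f))
    print("affected:", affected_hosts(findings))
```

Keeping the enabled flag and the vulnerable-OS flag as separate fields means a device with Smart Install enabled on a fixed OS is still visible in the audit trail, and the regressions() comparison between two runs is what turns a one-off fix into the Monitor & Notify step of the lifecycle.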