How to Audit Network Security Vulnerabilities from Cisco PSIRTs with Itential’s Automated Configuration Compliance

Keeping your network secure is just as time consuming as it is crucial, and with Cisco’s Security Advisory Bundled Publication in September it becomes a top priority for most teams. It’s a perpetual responsibility for network and security teams to ensure that your network is not only operating efficiently, but operating as securely as possible. However, the rapid state of updates and changes in infrastructure makes it a challenge to ensure that network and security device configurations are standardized and maintain compliance.

If you’re still using manual methods to review and audit, you already know it’s error prone and simply does not scale. With Itential’s multi-vendor automation and orchestration platform, network and security teams can audit network and security device configuration and operational data using templates that can be updated by vendors almost as quickly as new vulnerabilities are identified. The Itential platform can then report on and automatically remediate changes, with the ability to integrate with ticketing, inventory, and messaging systems.

In this demo, Joksan Flores, Senior Solutions Engineer at Itential, shows step-by-step how teams can:

  • Create Golden Configuration templates for both network and security devices.
  • Automate auditing live device configurations for known vulnerabilities.
  • Audit operational state of devices for vulnerabilities using Command Templates.
  • Orchestrate with notification systems like MS Teams or Slack for reporting.
  • Enable self-service, on-demand audit of device configuration with APIs.
Demo Notes

    (So you can skip ahead, if you want.)

    00:00 Introduction & Demo Overview
    08:15 Designing A Golden Config CLI Template Based on A PSIRT Advisory
    13:35 Associating Multiple Devices to the Golden Config Template
    15:24 Creating a Command Template to Gather Operational Data Based on a PSIRT Advisory
    21:05 Walkthrough Workflow to Orchestrate an Audit Check, Report, & Notification
    25:50 Publishing the Workflow in Operations Manager for Manual, API, & Scheduled Execution
    30:20 Running the Audit & Report Workflow Manually
    32:00 Review the Audit Report Example & Verify Email Notification
    36:45 Conclusion
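The two kinds of checks the demo walks through, as an added Python example that is not Itential's code and not part of the webinar: disallowed golden-config lines (inverse logic, including the telnet-on-VTY sub-command regex) and contains/regex rules over show-command output with the "all rules must pass" versus "one rule must pass" knob. The running config, show output, rule names and the AVC command placeholder are constructed, and the telnet rule generalizes the demo's regex to catch telnet anywhere in the transport list.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed running config for a hypothetical lab router, seeded with features the webinar flags.
RUNNING_CONFIG = """\
ip http server
ip http secure-server
crypto isakmp fragmentation
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

# Constructed show output keyed by command (not from a real device); the AVC command name is a placeholder.
SHOW_OUTPUT = {
    "show ip http server status | include status": "HTTP server status: Enabled",
    "show crypto isakmp sa": "IPv4 Crypto ISAKMP SA\ndst          src          state\n"
                             "192.0.2.10   198.51.100.7   QM_IDLE",
    "<AVC show command from the advisory>": "DCS enabled: true\nLearn MAC on FIF: false",
}

@dataclass
class ConfigRule:
    """Disallowed command; `parent` limits it to sub-commands of a matching parent line."""
    name: str
    pattern: str
    parent: Optional[str] = None

@dataclass
class CommandCheck:
    """(kind, value) rules, kind in {contains, regex}, run over one command's output;
    all_must_pass is the 'all rules must pass' vs 'one rule must pass' knob."""
    name: str
    command: str
    rules: List[Tuple[str, str]]
    all_must_pass: bool = True

def parse_config(text: str) -> List[Tuple[Optional[str], str]]:
    """Flatten an IOS-style config into (parent_line, line); indented lines are sub-commands."""
    pairs, parent = [], None
    for raw in (ln for ln in text.splitlines() if ln.strip() and not ln.startswith("!")):
        if raw[0] in " \t":
            pairs.append((parent, raw.strip()))
        else:
            parent = raw.strip()
            pairs.append((None, parent))
    return pairs

def audit_config(text: str, rules: List[ConfigRule]) -> List[Dict]:
    """Inverse golden-config logic: report every line that a disallow rule matches."""
    findings = []
    for parent, line in parse_config(text):
        for rule in rules:
            if rule.parent and not (parent and re.match(rule.parent, parent)):
                continue
            if re.match(rule.pattern, line):
                findings.append({"rule": rule.name, "line": line, "parent": parent})
    return findings

def _hit(kind: str, value: str, output: str) -> bool:
    if kind == "contains":
        return value in output
    if kind == "regex":
        return re.search(value, output, re.MULTILINE) is not None
    raise ValueError(f"unknown rule kind {kind!r}")

def audit_operational(outputs: Dict[str, str], checks: List[CommandCheck]) -> List[Dict]:
    """Evaluate each command check against the captured output for its command."""
    results = []
    for c in checks:
        hits = [_hit(k, v, outputs.get(c.command, "")) for k, v in c.rules]
        vulnerable = all(hits) if c.all_must_pass else any(hits)
        results.append({"check": c.name, "command": c.command, "vulnerable": vulnerable})
    return results

def build_report(device, config_text, outputs, config_rules, checks) -> Dict:
    """Per-device record that a Jinja2 report template would render."""
    cfg, ops = audit_config(config_text, config_rules), audit_operational(outputs, checks)
    return {"device": device, "config_findings": cfg, "operational": ops,
            "affected": bool(cfg) or any(r["vulnerable"] for r in ops)}

CONFIG_RULES = [
    ConfigRule("ikev1-fragmentation", r"^crypto isakmp fragmentation$"),
    ConfigRule("http-server", r"^ip http server$"),
    # Flags telnet anywhere in the transport list, so "ssh telnet" is caught as well.
    ConfigRule("telnet-on-vty", r"^transport input .*\btelnet\b", parent=r"^line vty"),
]

OPERATIONAL_CHECKS = [
    CommandCheck("http-server-running", "show ip http server status | include status",
                 [("contains", "HTTP server status: Enabled")]),
    # Any IPv4 address in the SA table means an IKEv1 SA is actually up.
    CommandCheck("ikev1-sa-active", "show crypto isakmp sa",
                 [("regex", r"\b\d{1,3}(?:\.\d{1,3}){3}\b")]),
    CommandCheck("avc-advisory", "<AVC show command from the advisory>",
                 [("contains", "DCS enabled: true"), ("contains", "Learn MAC on FIF: true")]),
]
```

Calling `build_report("lab-rtr-1", RUNNING_CONFIG, SHOW_OUTPUT, CONFIG_RULES, OPERATIONAL_CHECKS)` returns the per-device record; the `transport input ssh` line on vty 5 15 is not flagged, and the AVC check stays clean because only one of its two required conditions is true.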


Transcript

    Dan Sullivan • 00:00

Hello everybody and welcome to another Itential webinar. Today we’re going to be focusing on auditing network security vulnerabilities from Cisco PSIRTs in this example, but this is not something that’s specific to Cisco, using the Itential automated configuration compliance. And this solution is focused around the Itential platform on how we can use the tooling that we have to audit configurations to look for those vulnerable configurations that we get thrown at us every time we see an advisory. The timing of this, I think it’s probably due. I think we had one bundled security advisory from PSIRT at Cisco last week for IOS XR. This is totally applicable to any operating system: Cisco, Arista, Juniper, the usuals and not the so-usuals, to detect configurations that are impacted by any CVEs. Also, we wanted to release this because the IOS bundled security publication is due either this week or next week. So it’d be a good idea to go through and do a refresher on how to use Itential’s capability to detect some of these and then produce some reporting.

    Dan Sullivan • 01:13

There are various challenges with creating reporting for advisories, right? This is one of those tasks that engineers have to do and network engineers have to do more specifically, but don’t necessarily prepare for this, right? A lot of people don’t necessarily focus or prepare for doing this throughout the entire year. I did several years of consulting, I worked for Cisco for 10 years, and one of the things that I had to do throughout the many years that I worked there was actually support our customers throughout the releases of these advisories, right? And sometimes we have to build custom reporting due to demands from executives, right? Somebody says, I want to know from our entire infrastructure, what devices are impacted by this PSIRT that just came out last week. Or sometimes we have to do it on demand based on some of these industry-wide advisories that we get hit with every now and then.

    Dan Sullivan • 02:08

    And we get these advisories on the vendor’s website and we get some details from those advisories, but there’s not a lot of clear path on how we get from there to actually identifying what is vulnerable on our infrastructure, right? Sometimes we get an email, we get a link from our support people saying, hey, you might be impacted by these, but we don’t have necessarily the tooling necessary a lot of times to actually go ahead and check on the environment against our real devices. What we’re trying to do today is demonstrate how Itential provides the capability to add new advisory checks very quickly and compare them against your environment, so you can assess any potential vulnerabilities and potential threats in the future to your environment, how to prepare these so that they can be executed on-demand or scheduled as well. One of the things that becomes really important is once we do the first check against the environment, we want to go and figure out an action plan and remediate those as we can. A lot of times we are not able to just submit configuration immediately to remediate those, or sometimes you have to upgrade software, and that requires planning, it requires maintenance windows, approvals, and so forth. From then on, we actually want to make sure that we execute ongoing checks against the environment to make sure that we’re tracking what gets remediated and what is left to be remediated. The schedule piece of this becomes really key, and having the reusability of whatever automation we designed so that we can use it in the future for any new advisories that get released.

    Dan Sullivan • 03:55

One of the other pieces that’s really important is that some of these advisories are very easy to identify by just looking at potential configuration parameters that are identified as vulnerable, right? Some of the ones that we’re going to be keying on today are the usual suspects, right? Things like Telnet, things like HTTP server running on the devices, HTTP secure server and so on. But there are also some other parameters that may not be as easy to identify, right? Things like crypto, like IKEv1, for example, is one of those that you don’t necessarily need to configure in order for it to be running on the device, right? The device may have some features that you don’t necessarily need to configure, right, in the back-end that are using some of those protocols that may be affecting the device and you may not know it.

    Dan Sullivan • 04:42

That requires also not just auditing configurations, but also auditing the operational state of the device. One of the things that we’re going to be doing is actually looking at both aspects of this. How do we audit configuration that’s existing on the device? Also, how do we audit operational data by issuing show commands live on the device and actually checking against certain parameters that we want? For example, executing a show crypto isakmp peers and making sure that we don’t have any peers active on IKEv1, or making sure that we don’t have any SAs active and so forth. Lastly, the reporting piece of this. We actually are going to showcase how we can utilize basic HTML or basic tooling that we have available, and we can use things like ChatGPT and so forth to build those basic HTML templates that we can use for reporting, and using Itential’s integrations actually display this in the tool itself.

    Dan Sullivan • 05:42

But not only that, but also be able to send it as an e-mail. Today we’re going to demonstrate how we send the report over e-mail and that becomes very useful for those scheduled runs where we just get an e-mail at night and we say, hey, this is compared against the environment and so forth. But then there’s also the other plethora of integrations that exist within the Itential platform that you can use for this, namely Microsoft Teams, Slack, or any other systems where we could actually have these reports being attached to a change request, something like ServiceNow or incident creation in Salesforce and so forth. For the demo portion of this, what we’re going to do is we’re going to be focusing on the compliance piece and the Golden Config application of the Itential Platform to identify those vulnerable features on IOS XE devices. We’re going to use two or three IOS XE devices I have in my lab for this and they have some configurations there that purposefully are impacted so that we can just go ahead and showcase those and see how we go about creating reporting for those in the format that we have decided. We’re going to go live and create a Golden Config to do this for the actual configuration parameters identified. We’re also going to use command templates to audit operational features.

    Dan Sullivan • 07:06

Like I was explaining before, some of these vulnerabilities cannot be identified by just looking at the config, but we actually have to execute show commands to identify the operational state of some of those features. We’re going to go ahead and do those. We’re going to use those two together, and we’re going to execute a reusable workflow that we have that will scan the devices and will generate a report for us and show it to us in the tool on the platform, as well as be able to send it via e-mail so that we can notify our teams or everybody else and showcase how we use the Itential integration to actually make those reports meaningful to the organization, not just us. Lastly, we’re going to demonstrate how we can publish this automation via a manual method so that we can actually expose the automation to be executed on demand. We can also create an API for the automation so that it can be executed by somebody else using their scripts, and they can get their reports on demand as well, and also scheduling so that we can showcase how we can execute this, let’s say, every day at 1 AM or the like. With that said, let’s switch into the platform and see how we can go about this.

    Dan Sullivan • 08:23

Okay, so now that we’re in the platform here, the first thing that we’re going to do is we’re actually going to design a golden config. For that, I’m going to go into Configuration Manager, and I am going to create a new golden configuration, and I’m going to call it, let’s see, PsirtBundleSeptember2024, let’s do March. I’m using March PSIRTs mostly as the example for this, so I’m going to use some of those PSIRTs that were published in March, so we’re just going to do that for this. PsirtBundleMarch2024Report, and that’s going to be very important because the automation that we built, that is reusable, we can actually point it to a golden configuration that we have designed, and we need to remember this name. This name, I’m actually going to copy it here and save it on my handy-dandy notepad here for later because we will use this. The automation that we have designed is actually reusable, so we can point it towards any golden configuration that we had designed, and it’ll create the report dynamically at the time that we execute that automation.

    Dan Sullivan • 09:30

Go ahead and create, that automation is for Cisco IOS, this one specifically. We’re actually going to keep things fairly simple, and I’m not going to get into one of the things. If you have seen the Itential webinars in the past, we actually have a hierarchical capability to design the golden config trees in here that allows you to actually drill down into different levels of creating children nodes in here, so that you can create golden configs for things like regional or you can create different nodes for different platforms and different devices and so forth. Today, we’re actually going to keep this fairly simple, so I’m actually going to delete that, and we’re just going to use the base node. Since we’re just looking across the board on our devices, we want to look for these config commands that we have identified. I’m actually going to start pulling commands here from my list that I have pulled up from the March PSIRT bundle. One of the things that we wanted to look for was crypto isakmp fragmentation, which is an IKEv1 fragmentation vulnerability.

    Dan Sullivan • 10:26

    Let’s see, we will also have an IP DHCP snooping vulnerability. In this case, we’re not going to find any of these because we’re actually using routers for this and this is not applicable, but I’m just going to put it in there anyway so that we get an idea of how this works for all those. We also had a LISP command vulnerability. I’m just going to look for router LISP. Obviously, the devices running router LISP are not just going to remove it. Remediation strategy there has to be different, but in this case, we’re not focusing necessarily on remediation, but just an identification of the features that are enabled. Then I added a couple of the usual suspects.

    Dan Sullivan • 11:02

I added HTTP server, HTTPS also being enabled, which is one of those features that not necessarily everybody runs but sometimes are enabled on the devices. I’m also going to get a little fancy here and I’m going to add a check for Telnet inside VTY lines. Sometimes you see one of those obscure ones, then we say, no, we’re not running Telnet on our devices, but it’s good to check because I’ve been surprised very, very, very many times by customers saying, we disallowed the use of Telnet 10 years ago, and we go and walk through the infrastructure and we find 100 devices running Telnet. I have added a check in here. Now, one of the things that is interesting and different here is that what this denotes is we’re using the regular expressions for this. What I have done here is I have said, and because we’re identifying vulnerable commands only, I want to look at the stuff that I don’t want to be in the environment, and we’ll do that in a second. But I actually want to check if we have transport input telnet and SSH, I have it as allow.

    Dan Sullivan • 12:04

Essentially, what I’m saying here is this is a conditional statement. If SSH exists, I don’t care. That’s completely fine by me. I only want to focus on if the command has telnet in it. Hopefully, there’s nothing else in there. Nobody should be configuring rlogin or anything like that these days, but you never know. I just want to focus on those. The other thing that we want to do here is because I am looking for the existence and I want to disallow these commands, I don’t want them to exist, is I want to flag the stuff as disallow on the platform.

    Dan Sullivan • 12:34

I’m going to actually change the colors here from dark into white background just so we can see this better. I actually want to go here and say disallow, and that’ll do it for these here as well as this one. What that is saying is it’s telling the platform, whenever we walk the config of the device, if you find these specific commands, let’s flag them. They should not be on the device. That’s the logic. It’s a little inverse here. Traditionally, the use of Golden Config is we want to put every single command that we want on the device, and we’re auditing to see if they’re missing.

    Dan Sullivan • 13:13

    In this case, we’re actually using inverse logic. We’re using the functionality in the platform to detect the stuff that’s in the config that we don’t want. This is why we’re disallowing the majority of these commands. I am not disallowing line VTY 0-4 because we want that to exist. We want to log into the devices. I just want to disallow this sub-command, in this case, which is transport input telnet with the optional SSH parameter that I don’t care about. I will hit an update here so that we can save that.

    Dan Sullivan • 13:40

    Then the other thing that I got to do is add devices into this GoldenConfig. Now, this is very important, especially for this use case. I want to add devices here because what happens is the way that this automation is designed, we are actually going to only focus on the devices that are added into this GoldenConfig. We’re going to ignore the rest of the devices. As such, I need to add them in here first. That way, when I go and run my operational checks, look at my show commands and I use my command template feature for that, I can actually pass those device names to the command template. There are multiple options to address this.

    Dan Sullivan • 14:20

I can actually have the user provide a list of devices in the form or I could have other mechanisms where I can read the list of devices from some source of truth, some inventory tool, I could go and query, let’s say something like a DSM or a NetBox or something like that, that I can say, hey, give me all the devices that are IOS routers and I will audit against those. Multiple options to go about this. In this case, I wanted to keep this as simple as possible because what we want to showcase is how you can do this on-demand very quickly a couple of days before the PSIRT or a couple of days after you get the PSIRT so that you can address that demand or that ask from your executives, or somebody that’s requesting a report, showcasing what devices are affected. Now, our config compliance is built. We have our devices added. We have our name recorded. I’m just going to keep that tab in there just in case.

    Dan Sullivan • 15:15

    But from here on out, we can actually move on and build our second piece of our checks, which is our operational commands using our command template feature. I’m actually going to jump into my project here inside of IAP, which is a self-contained set of assets that belong to the automation, and right now we’re looking at the Workflow Canvas. But before we go ahead and focus on the Workflow Canvas, I want to go ahead and build that command template that we talked about. Let’s build a new asset in here, and we’re going to build a command template, and we’re going to use the same name that we use for the golden config. They’re not going to clash because they’re different asset types, but I just want to make sure that I keep everything consistent across the board, so that when I will go ahead and execute my automation, I remember the things that I’m going to execute against. Let’s build that command template. Now, from here on, I have several commands that I have picked out on things to go ahead and check.

    Dan Sullivan • 16:14

    I have some commands that are very simple and some that are more complicated. I’m going to start by some of those that are a little bit simpler. I’m going to go with the usual suspects, the HTTP server. What I’m going to do is I’m actually going to copy and paste here from my handy-dandy notepad. I want to check for show IP HTTP server status, and I’m filtering this to include status only. That’s the only one that I really care about. I want to make sure that it says that if it’s enabled or not.

    Dan Sullivan • 16:43

    Like I said before, in this case, we’re actually looking for the things that we don’t want to see on the config. I want to see this output, which is HTTP server status enabled. If that exists on the device, then I want to report on that. If I don’t see that, namely, if it’s disabled, then I don’t want to worry about it. That’s what we’re going to do across the board for all the commands. Let’s do the next one over, which is secure server status. The output for that also shows up on the show IP HTTP server, but I want to make sure that I’m thorough and I report these individually.

    Dan Sullivan • 17:11

I’m going to go ahead and do that. Let’s see, we’re going to do a contains in here, and we’re going to do a secure server status enabled, and then let’s add a couple more. Now we start getting into the more interesting stuff. We’re going to look at the IKEv1 vulnerability. Like I said before, IKEv1 is one of those that’s a little bit tricky. It doesn’t necessarily mean that if you don’t have it configured, that you’re not running it. There are some things in the background that use it, that run IKEv1 features, and you want to make sure that it’s operationally, that it’s not running.

    Dan Sullivan • 17:45

We’re going to actually use a show crypto isakmp sa. That tells me if there’s an SA actually active on the device, meaning that there’s interesting traffic traversing it, and it’s matching some crypto policy, and it’s actually encrypting using IKEv1 for phase 1 encryption. What we’re going to do is we’re actually going to use that show crypto isakmp sa, but I don’t necessarily want to look at the whole output. I actually want to look at whether I see any IP addresses on that output. That tells me that there’s actually interesting traffic, and we’re actually matching and building an SA. I’m actually going to use a regular expression here, and we’re going to keep it fairly simple. We don’t want to get too complicated with the regular expression.

    Dan Sullivan • 18:23

I heard an expression the other day that said, when you have to build a regular expression to solve a problem, now you have two problems. We want to keep it very simple. Right now what I’m doing is I’m building a regular expression that finds an IP address format string, and this is just looking for four digits separated by dots. You can get really crazy with this stuff. You can go from numbers from 0 to 255, or realize that’s what an IP address format looks like.

    Dan Sullivan • 18:50

    I’m just trying to keep it simple to demonstrate the functionality there. I’m actually going to flag this as global there so that it finds it on the entire output as one match. Then we’re going to get into an application visibility control command that I had seen. Now this one may not necessarily produce an output in the devices that I have, but I wanted to make sure that I include it just so that I can showcase how we can actually look for multiple rules. I’ve actually established multiple rules against that particular command. This is a show AVC as the service info detail. We have it filtered in here as well.

    Dan Sullivan • 19:24

There are a couple of rules that we need to look against, and one of them is DCS enabled. We’re going to do a contains rule here, and we’re going to say DCS enabled true. But also another thing that I want to look at in here is this Learn MAC on FIF true. This is one of the things that allows me to showcase all the functionality of the platform. I can actually build multiple rules and can get very granular because the way that I read this advisory was these conditions both have to be true. This actually allows me to build and look against this command output and check, is DCS enabled true and is Learn MAC on FIF true? Both conditions have to be true, and that is controlled by this knob right here.

    Dan Sullivan • 20:12

If I just wanted one rule, if one of these two identifies the device as vulnerable, then I flick it and set it to one rule must pass. In this case, I actually want to have it as all rules must pass, as the advisory was saying, that these both have to be true in order for the device to be identified as vulnerable. I think that looks good. Let’s review this again. We have four commands total that we want to report against, and we have our logic setup ready, regex, blah, blah, blah. That looks good. We’re going to go ahead and save that. Now we’ve got both our golden config design for the parameters that we have picked out earlier from that March PSIRT bundle, and also our command template design for this.

    Dan Sullivan • 20:59

Now let’s go ahead and review the actual workflow. What I’m going to do is I’m going to duplicate this tab really quickly. Let’s look at the workflow that we have designed for this first. This is a fairly simple workflow. It has a handful of tasks in it, so I’m actually going to go ahead and walk through what it’s actually doing really quickly at a very high level before we go ahead and demonstrate the functionality for this. The first thing that we’re going to do is this workflow gets launched via, like I mentioned before, it gets launched either manually on-demand by the user. It also can be launched by a schedule or via API.

    Dan Sullivan • 21:37

    We’re going to showcase how we build all those triggers as well in a minute here before we go ahead and execute the actual automation. The workflow gets triggered and the first thing that it’s going to do is it’s going to run config checks. So this is actually going to run a config compliance job. So it’s actually using the modularity of the platform to actually reuse some workflows that we’ve used in the past to just run any config compliance trees that we built. So in this case, I’m just passing the tree ID and let’s go ahead and look at what that workflow looks like. So there’s actually this workflow here. So if I go ahead and double-click, look at that reference, it’s called Run Config Compliance.

    Dan Sullivan • 22:11

We can actually go and pop in that workflow. It’s a fairly simple workflow. It runs config compliance for the node. It gets the report ID. It takes the report out and then it does some parsing on the data. And we want to parse the data out in a format that our report can actually accept. But not only that, but so that it can do it for all the PSIRT reports that we want to run later in the future.

    Dan Sullivan • 22:33

So this is very commoditized and that’s why we build it in modularity like that so that we can reuse these automations later in the future. From there on, I have to query a couple of parameters, query the device issues, and like I said, very importantly, the devices. The devices that I assign in my config manager here to this tree will be actually queried out by this task here in order to pass it so that we can run show commands against it. That’s a very important piece because, just to keep the automation very simple, we’re actually controlling most of what we’re running within the config manager application there. Then we execute our operational checks. We can look at that workflow as well. Very simple workflow.

    Dan Sullivan • 23:13

It just runs the command template and it parses the data to a particular format so that we can run that report later. Then from there, we execute a couple of queries with a little bit of data manipulation. We render a template, and our render template essentially what it’s doing between this task and this task here, what they’re doing is actually rendering an HTML report that we have built for this. Within the platform, it actually gives me the capability and we’re using Jinja2 for this, which is a very commonly known Python templating framework. It allows me to actually build very extensive reporting within the platform. I can just plug in my HTML report and actually pass it the data object from the results of my show commands and my config compliance and actually build a pretty report.

    Dan Sullivan • 24:01

    I can actually build some nice tables that have my device names, that actually has some command outputs within it. It’ll tell me if a device is affected or not and so forth, and you’ll see those as we go through there. Then from there, we will showcase it in the automation live on demand. This is an optional part of the automation. We can actually view it or we can just bypass it. A lot of times we want to do this when we run the automation on demand, but whenever we run it scheduled, we just want to send that report somewhere. Whether it is create an incident in some CRM system, or we want to send it via e-mail.

    Dan Sullivan • 24:38

In this case, we’re just focusing on send this to my e-mail, and because Outlook renders HTML very nicely, we’ll actually get the results of that very quickly. Now that we have looked at the entire workflow and what it does, and it’s actually a fairly simple one. The other thing that I want to highlight before we actually go into Operations Manager is that this workflow is reusable. The whole idea of this is, and as you saw before, I actually created the assets on the fly, and these are the ones that we’re going to be actually using to run these checks against on the fly. The whole idea here is that if you had these in your Itential platform, you could actually go and build a config compliance and a command template very quickly. This is something that anybody can do. For the most part, you saw me doing just copying and pasting, adding configs into a tool, which is basically what you do when you take things from a notepad and paste them on the device.

    Dan Sullivan • 25:36

    You can actually go through the advisories, paste those commands into your Config Manager or your command template tool and then run the reusable workflow and get your report on demand. That’s the whole idea and the way that this was designed. Now let’s go ahead and look at how we go and actually expose this and we can go ahead and run it. I have actually created an automation in our operation manager already for this, and what that does is it ties that workflow to this automation, so I can get an on-demand entry for this. One of the things that I had done beforehand, actually before starting this, was actually I created a form against this. I already have a manual mechanism to execute this. What this form does is it actually dynamically populates all the GoldenConfig trees that I have built on the platforms.

    Dan Sullivan • 26:21

If you can see here, we actually already see the PsirtBundleMarch2024Report here, as well as the command template. These are all dynamic, so I can actually see that PSIRT bundle March as well here. Those are the ones that we’re going to execute against. Now, this is my on-demand use case. One of the things that we also talked about was how do we expose these in multiple ways. I’m actually going to create a couple more triggers, and let’s do the API trigger first. We’re going to call it API, and we’re just going to put it in API typing here, and we’re going to call it endpoint.

    Dan Sullivan • 26:54

We’re going to say this is a PSIRT, the PSIRT report. Now, when I save this, I have an API endpoint running on the platform that allows you to run this on-demand. It allows you to say there’s an API route that says PSIRT report. You can pass it a payload that includes the command template and the golden config, and it’ll produce a report against it and send it over email, like we had talked about. Now, the other thing that we can do is, like I said before, you create these and you run them once. You don’t want to sit here and click on the buttons every time.

    Dan Sullivan • 27:30

Probably the best use case for this is actually go ahead and schedule so that we can get a report and look at how your remediation is tracking over time. We’re going to create one that says Nightly Schedule, and we’re going to go ahead and set this as a schedule. We’re going to be repeating this thing, and we’re going to be doing it at, let’s see. We’re going to be doing it at. Where are we at here? Let’s do 2 AM, 2 AM, 00, to make it simple here, let’s do it at 2 AM and we’re going to do it every day. That’s good. This is starting 9/16, so it’s going to start, actually, we want to do it starting tomorrow at 2 AM, and this is going to repeat every one day.

    Dan Sullivan • 28:18

Process missed run, we’re going to say none. This is optional and we’re going to keep it there for now. What that’s going to do is that’s going to run that every single day and we can tie all the things to it as well. We can actually tie a form. Let’s just tie a form here. We’re going to tie this form and we’re going to do, let’s actually do this one. Now, that actually saves it and it’s going to run against those every single night.

    Dan Sullivan • 28:50

The one thing that’s also important to note, and I was actually thinking through this today as I was planning how to go ahead and showcase this, is that I could actually create multiple entries in this. For example, I already have a test job. Let’s do nightly schedule here. Let’s do it for the March bundle, but I also have a couple of test automations. Let’s do it just for the September bundle. If I want to check for the September bundle as well, I could actually go ahead and reuse this same automation. Let’s go ahead and repeat. Let’s do none, and we’re going to use the same form, but we’re actually going to pass it the test jobs that I had done.

    Dan Sullivan • 29:35

What this allows me to do is, here now, I actually have the same automation being used to report against two completely different sets of advisories that I’m testing against. One is testing against the one that I just built, which is focused on the March 2024 PSIRT bundle, and the other one is focused on some test data that I was using before. Now that allows me to do this over and over again if I wanted to report. As I go and deprecate, if some of these reports start coming back empty because they’re not as relevant anymore, I can go ahead and delete those triggers. This allows me to showcase a lot of the functionality that it gives us, and a lot of the flexibility, just with one simple automation that I had created and showcased earlier. For now, we’re just going to run this on demand. I’m going to go ahead and click on ”Run now.”

    Dan Sullivan • 30:27

We’re going to go ahead and select our GoldenConfig and our operational checks template. Our GoldenConfig tree was called PSIRTBundle and that’s there, PSIRTBundleMarch2024, perfect. Our command template is called PSIRTBundleMarch2024Report as well. That’s also selected there and I’m just going to go ahead and click ”Run Now” and see what happens. Now we see the automation running. One of the things is that this is going to take a second because it’s actually going and executing live against the devices. It’s running against three devices, so it actually has to go and get a show run from each one of those and then compare them against the GoldenConfig.

    Dan Sullivan • 31:10

That’s what the first piece of this automation does. Then from there, it’ll actually turn around and execute the show commands as well to verify those. Let’s just wait a second and see. That finished the config compliance checks, and it’s now doing the operational checks. It’s actually executing all those show commands. We specified four show commands against three devices, so it actually goes ahead and runs those. Then it queries some data, renders that template very, very, very quickly; all the stuff that is not a CLI interaction runs fairly quickly.

    Dan Sullivan • 32:03

And now it gives us the ability to actually look at our report. Let’s see what comes out of it. Now, we actually see a report the way it was created before, and this is actually fairly basic HTML. You can get fairly creative with this. You can add and remove parameters as you see fit. This is meant to be an example to showcase the functionality and the capability that is there. You can actually collapse those into one table.

    Dan Sullivan • 32:29

I just wanted to make sure that I separated them to show the difference between each. This tells me, this shows me actually the results of what came out of my Golden Config. It says that all my CSRs have these commands that are disallowed in the config. It has ISAKMP fragmentation enabled, router LISP is running, HTTP server is running, HTTPS, and then they also have transport input telnet enabled. These two do, the other one doesn’t. IOS CSR AWS 3 does not have telnet running, so that’s a good thing, but it has the rest of the stuff enabled. Now, as I had said before, some of these checks will actually require us to go into the devices and actually execute show commands, so it’s not just config oriented, and that’s what the operational check results showcase at the bottom here.

    Dan Sullivan • 33:17

You can go as simple or as complicated as you want here; you can showcase a lot of detail or very little detail. In this case, I actually wanted to make sure that I myself saw partial outputs of what those show commands were returning so that I can actually validate by myself that this is actually the case. I actually have evidence now of what’s happening here. I get my device name, I get shown my show version output. It says that it’s affected, it’s true, because we had established some rules that said, if HTTP server is enabled, we’re going to flag that device as affected, and for some commands it is not affected. This is for that AVC command that we had talked about before.

    Dan Sullivan • 33:59

You can augment this to actually show the show command itself. That’s one thing that I didn’t do, but that can be done as well. One of the things that’s very interesting here is, as you can see here, for the crypto commands, I can actually see that there’s an active SA here on these two guys. I actually see there’s an active SA, so this device is actually effectively running IKEv1, and there’s a couple more that are actually running it. CSR AWS2 is also running IKEv1, the third one doesn’t seem to be. But this shows me a fair amount of detail here, so this is a clean output down here. It’s not running, so it’s not affected, which is a great thing to know here.

    Dan Sullivan • 34:33

This device is fairly clean, the other ones are in trouble. The whole idea here is, like I said, to showcase basic capability. This report could be very extensive. This could be a lot more detailed or less detailed as you see fit. Some people just want to see if the device is affected or not, and some people want to see a lot more detail. This is catering to both audiences here. The other thing that I also specified is that this is an optional step, in order to look at the report live on-demand when we run the automation.

    Dan Sullivan • 35:07

But for the most part, we care about the reporting after the fact. We typically want to see this sent to us in an e-mail, or perhaps I’ve had some customers that want to do something like uploading this to some web server or something like that, that they can look at on a daily basis. This is one of those things that you look at in the morning to make sure that you’re in the know, so that when somebody asks a question, you have the relevant answers for them. From here, I’m just going to go ahead and hit proceed, and now the last task is going to be to send this over e-mail. Let me go ahead and check my e-mail, and I’m going to pop this out so that we can also see it. I got an e-mail with my report.

    Dan Sullivan • 35:48

I’m not going to go over it because we already saw it live, but I’ll actually see this from the platform. Like I said, now because I have scheduled that report, that automation, to run every day at 2 AM, and I actually scheduled it twice, one for this data and one for the test data, I will get two e-mails whenever this executes every day. It allows me to do this very quickly. We’ve been here for about thirty-something-odd minutes, with me ranting about capability and showcasing, but we were able to do this very quickly. Like I said, the whole idea is to showcase how this is done in a very quick and easy manner and, more importantly, that it is reusable, that we’re able to run this over and over against different sets of data, to make it as dynamic as we can so that we don’t have to keep rebuilding the same automation all the time. Now, that concludes our webinar for today.

    Dan Sullivan • 36:51

Again, like I said earlier, the whole idea was to promote and give visibility to these capabilities ahead of the September PSIRT bundle for Cisco. One was released a week ago or so, on the 16th, I believe it was, or a few days ago, and there’s another one coming at some point. So hopefully this is useful for those of you that are our customers and those of you looking to become our customers. So let us know how we can help with this, and hopefully this was informative. Thank you and have a good rest of the day.