1.4.4.2. Network Device Compliance

Network Device Compliance centralizes and automates the audit of electronic configurations with reference configurations, baselines, or Best Practices. It facilitates the adaptation of the organization with standards and frameworks such as ISO2700x, NIST, ENS, etc., and ensures the secure implementation of NAC technology.

1.4.4.2.1. What does NDC contribute?

Network Device Compliance contributes to the following requirements:

../../../_images/ndc_intro.png


  • Centralize: Checks of all the electronics are carried out from a single solution and interface, simplifying and accelerating the audit work.

  • Automate: Checks can be launched on-demand or on a scheduled basis to align with audit tasks.

  • Facilitates compliance with standards and frameworks: It is possible to implement the necessary configuration verification rules for the adequacy of standards and frameworks.

  • Ensures secure NAC implementation: It can be ensured that the electronics are correctly configured so that NAC works optimally.

1.4.4.2.2. NDC modes

We can have Network Device Compliance in two modes:

../../../_images/ndc_intro2.png


  • Actively: NDC can launch active check rules dynamically (directly) against network devices and statically (first generating a backlog of the configuration to later perform the check)

  • Passively: You can also perform the same process passively against a configuration repository without having to refer to the electronics at any time.

1.4.4.2.3. Audit in three steps

We can find three audit steps:

../../../_images/ndc_intro3.png


  • Register: A network device (via SSH). A repository of configurations in the case of a passive check (by SCP).

  • Define rules and launch: Define the rules, and corresponding rule group for the device and/or device group. Possibility of launching the checks at the moment or scheduling them.

  • Review results: The results are displayed from the centralized dashboards (successful checks, failures/findings, etc.).

1.4.4.2.4. Basic Concepts for NDC

Basic concepts for configuration validation in NDC:

  • ON CMDB: Configuration Management Database (CMDB) is a database that contains all the relevant information about the hardware and software components used by the system, and also contains the relationships between those components.

  • Network Devices (CMDB): Network Devices, found in the CMDB, are all those network devices where users connect. They are usually devices in the access layer. Here all the configuration related to each of these network devices is saved, such as IP, MAC, backup configuration, connection configuration, etc.

  • Configuration file: To determine how a network device is configured, we must access its configuration. There are two ways to obtain this information, through a direct connection with the device in question, where the configuration will be obtained from the response to a given command, or by accessing the repository where network devices store their configuration in plain text files.

  • Regular expressions: Regular expressions allow us to find matches in a text. This allows us to detect and validate the configurations of network devices from their configuration file or backup.

../../../_images/ndc_intro4.png


  • TAG’S: Tags are labels that are assigned to network devices found in the CMDB. These tags reflect information about the device. In the NDC module, the tags are assigned to the devices depending on the results of the test groups, tests, and rules that have been evaluated on them.