Nowadays every organization has to perform some kind of compliance check, not just to follow best practices, internal security policies, and government regulations and guidelines, but also to demonstrate that its network devices remain compliant with the defined policies. Companies spend a lot of time, often many person-hours or person-days, on compliance management and on generating reports for audits.
HPE Network Automation (NA) is a solution that helps you automate compliance checks and generate compliance reports in a matter of minutes. NA also mitigates compliance issues by running an auto-remediation script.
How is compliance managed?
NA manages devices like routers, switches, and firewalls over a network.
When a device is discovered in NA, you can configure a syslog task, which schedules the automatic configuration of one or more devices to send syslog messages to NA. Whenever a configuration change is detected, NA runs a compliance check to see whether the device complies with the applied policies.
These policies are created by you and can contain one or more rules that determine whether the devices comply at the Configuration, Diagnostic or Software level.
You can import pre-defined policies and export policies to a file.
Figure 2 – Steps in compliance management
Configuration Policy Management
NA runs a compliance check on a device's configuration whenever a configuration change is detected. If configured, you are notified when a configuration change violates the applied policies.
Use Case 1:
Consider a device, e.g. a Cisco device with Model no. "Nexus5010" and config text "CiscoDevice".
In the Create a Policy step you can import a pre-defined policy or create a policy with a configuration rule and set rule conditions such as config text "Must Contain" "Cisco Device". NA has various rule conditions, such as:
"Must not Contain"
Enable the auto-remediation script on NA and add a command script, e.g. set the banner of the device to "Test" by putting the set banner motd "Test" command in the script.
After enabling auto-remediation, you can enforce the created policy on the device and apply the same policy to multiple devices.
Whenever a configuration change is detected on the device, NA runs a configuration compliance check; if the changed configuration does not match the applied policy, an out-of-compliance event is generated automatically. When you click the Policy Non-compliance event, you can view what is out of compliance in the configuration of that particular device.
Once a device is detected under policy non-compliance, the auto-remediation script is triggered and mitigates the compliance issue by running the command script (as mentioned in step 2) on the device.
Diagnostic Policy Management
NA generates diagnostic text (e.g. hardware information) for a device by running a diagnostics task. You then create a diagnostic rule that checks whether the device's diagnostic text complies with that rule.
Use Case 2:
Every network resource, such as a router, switch or firewall, has information such as the following:
Device information like Model, Hostname
NA runs the diagnostic task on a device and generates diagnostic text that contains all the above information. You can create a policy with a diagnostic rule for valid IP addresses (e.g. checking for four bytes, x.x.x.x), so whenever the IP address is changed, NA runs the policy and checks whether the changed IP matches the diagnostic text content. If not, it reports the device as Out of Compliance.
Software Policy Management
In software policy compliance, NA checks whether the selected device(s) comply with the current software rule.
Use Case 3:
Each piece of software maintains some standard fields such as Software Version and Model No. Whenever the software changes, say you upgrade the software and the software version changes after the upgrade, the device no longer meets the standards set in the software policy and is considered Out of Compliance.
How NA mitigates compliance issues
You should enable an auto-remediation script on NA in order to resolve compliance issues: once a device is detected under policy non-compliance, NA runs the command script and takes mitigation action on the device as specified in the command script.
The command script contains device-specific commands, so whenever you enable auto-remediation you have to consider the device access mode and whether the driver supports the respective device. NA provides a variety of built-in device variables that can be used in the script parameters and in the script itself. NA has various built-in command scripts, e.g.:
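The diagnostic rule of Use Case 2 (valid four-byte IP addresses) and the software rule of Use Case 3 (an approved software version per model) can both be expressed as checks over a device's diagnostic text. The following is an added illustration of those two rule types, not NA's own rule engine: the diagnostic text, the approved-version table and the field names (Mgmt IP, Loopback IP, Software Version) are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed diagnostic text in the key/value shape the article describes
# (Model, Hostname, IP addresses, software version); not real device output.
DIAGNOSTIC_OK = """\
Hostname: n5k-core-01
Model: Nexus5010
Software Version: 5.2(1)N1(9)
Mgmt IP: 10.20.30.40
Loopback IP: 192.168.255.1
"""

# The same device after a change: one octet is out of range and the software
# was upgraded to a version the policy does not approve.
DIAGNOSTIC_BAD = """\
Hostname: n5k-core-01
Model: Nexus5010
Software Version: 7.3(0)N1(1)
Mgmt IP: 10.20.30.400
Loopback IP: 192.168.255.1
"""

# Software rule: approved versions per model (constructed, illustrative values).
APPROVED_SOFTWARE: Dict[str, Set[str]] = {
    "Nexus5010": {"5.2(1)N1(9)"},
}

# One octet: 0-255 with no leading zeros; four of them joined by dots.
_OCTET = r"(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_IPV4 = re.compile(rf"^{_OCTET}(\.{_OCTET}){{3}}$")


def parse_diagnostic(text: str) -> Dict[str, str]:
    """Split 'Key: value' lines into a dict; lines without a colon are ignored."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def is_valid_ipv4(value: str) -> bool:
    """Strict dotted-quad check: exactly four octets, each 0-255.
    A loose check that only counts up to three digits per field would
    accept 10.20.30.400, which is the case the rule must catch."""
    return _IPV4.match(value) is not None


def check_diagnostic_rule(fields: Dict[str, str]) -> List[str]:
    """Diagnostic rule: every field whose name ends in 'IP' must be a valid IPv4 address."""
    return [f"{key}: {value!r} is not a valid IPv4 address"
            for key, value in fields.items()
            if key.endswith("IP") and not is_valid_ipv4(value)]


def check_software_rule(fields: Dict[str, str], approved: Dict[str, Set[str]]) -> List[str]:
    """Software rule: the running version must be approved for the device model."""
    model = fields.get("Model", "")
    version = fields.get("Software Version", "")
    allowed = approved.get(model, set())
    if version in allowed:
        return []
    return [f"{model} runs {version}; approved versions: {sorted(allowed)}"]


def compliance_status(text: str, approved: Dict[str, Set[str]] = APPROVED_SOFTWARE) -> Tuple[str, List[str]]:
    """Run both rules over one device's diagnostic text."""
    fields = parse_diagnostic(text)
    violations = check_diagnostic_rule(fields) + check_software_rule(fields, approved)
    return ("Out of Compliance" if violations else "In Compliance", violations)


if __name__ == "__main__":
    for name, text in (("baseline", DIAGNOSTIC_OK), ("after change", DIAGNOSTIC_BAD)):
        status, violations = compliance_status(text)
        print(f"{name}: {status}")
        for v in violations:
            print("  -", v)
```

The IP check is deliberately strict: a pattern that only counts digits per field would pass 10.20.30.400, so the rule would never fire on exactly the kind of bad change the article describes. The software rule is an allow-list per model, which is what turns an unplanned upgrade into an Out of Compliance report rather than a silent drift.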
1. Set Banner
// Script to set the login banner
banner motd ^$Banner_Text$^
2. Set Location
// Script to set the SNMP location
set system location $Location$
Example: In Use Case 1, step 2, once the device is detected under the Policy Non-compliance category, NA performs the mitigation step and changes the banner of the device to "Test".
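To make the whole Use Case 1 flow concrete (configuration rule check, Policy Non-compliance event, auto-remediation script with device variables), here is an added example written for this article; it is not NA's implementation. The rule conditions "Must Contain" and "Must Not Contain" and the Set Banner script `banner motd ^$Banner_Text$^` come from the text; the device record, the two configuration excerpts and the SNMP community rule are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed device record in the shape of NA's device variables
# ($Hostname$, $Model$, $Banner_Text$); the hostname is made up, the model
# and banner text come from Use Case 1.
DEVICE: Dict[str, str] = {
    "Hostname": "n5k-core-01",
    "Model": "Nexus5010",
    "Banner_Text": "Test",
}

# Constructed running-config excerpts: the compliant baseline and a later
# change that drops the required banner and adds a default SNMP community.
CONFIG_BEFORE = """\
hostname n5k-core-01
banner motd ^Cisco Device^
snmp-server community S3cureStr1ng RO
"""

CONFIG_AFTER = """\
hostname n5k-core-01
banner motd ^Welcome^
snmp-server community public RO
"""


@dataclass
class ConfigRule:
    """One rule of a configuration policy, in the article's condition terms."""
    condition: str   # "Must Contain" or "Must Not Contain"
    pattern: str     # matched as a regular expression against the config

    def violated_by(self, config_text: str) -> bool:
        found = re.search(self.pattern, config_text) is not None
        if self.condition == "Must Contain":
            return not found
        if self.condition == "Must Not Contain":
            return found
        raise ValueError(f"unknown rule condition: {self.condition!r}")


@dataclass
class Policy:
    name: str
    rules: List[ConfigRule]
    remediation_script: str   # command script run on non-compliance


POLICY = Policy(
    name="Cisco baseline",
    rules=[
        ConfigRule("Must Contain", "Cisco Device"),
        ConfigRule("Must Not Contain", r"snmp-server community public\b"),
    ],
    remediation_script="banner motd ^$Banner_Text$^",   # NA's Set Banner script
)

_VAR = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def check_configuration(policy: Policy, config_text: str) -> List[ConfigRule]:
    """Return the rules the configuration violates; empty means compliant."""
    return [rule for rule in policy.rules if rule.violated_by(config_text)]


def missing_variables(script: str, device: Dict[str, str]) -> List[str]:
    """Names of $Variable$ placeholders that the device record does not define."""
    return sorted({m.group(1) for m in _VAR.finditer(script)} - set(device))


def render_script(script: str, device: Dict[str, str]) -> str:
    """Substitute device variables; refuse to render a script with undefined
    variables so a half-filled command is never pushed to a device."""
    missing = missing_variables(script, device)
    if missing:
        raise KeyError(f"undefined device variables: {missing}")
    return _VAR.sub(lambda m: device[m.group(1)], script)


def on_config_change(policy: Policy, device: Dict[str, str], new_config: str) -> dict:
    """Event flow from the article: compliance check, non-compliance event,
    then the rendered remediation commands for that device."""
    violations = check_configuration(policy, new_config)
    if not violations:
        return {"event": "Policy Compliance", "device": device["Hostname"],
                "violations": [], "commands": []}
    return {
        "event": "Policy Non-compliance",
        "device": device["Hostname"],
        "policy": policy.name,
        "violations": [f'{r.condition} "{r.pattern}"' for r in violations],
        "commands": render_script(policy.remediation_script, device).splitlines(),
    }


if __name__ == "__main__":
    for cfg in (CONFIG_BEFORE, CONFIG_AFTER):
        print(on_config_change(POLICY, DEVICE, cfg))
```

Two points the example makes that the prose only implies: the remediation script fixes only what it was written for (here the banner; the "Must Not Contain" violation on the SNMP community is reported in the event but not corrected), and a script referencing a device variable the device record lacks is rejected before anything is sent, rather than being pushed with an empty value.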
What is Compliance Center?
The Compliance Center is NA's portal, which gives detailed reporting of the current compliance status with respect to government regulations and IT standards. It is especially helpful when you operate in a regulated environment such as the PCI Data Security Standard, which defines security requirements for organizations that handle credit cards.
NA supports various compliance frameworks, e.g.:
COBIT (Control Objectives for Information and related Technology)
HPE Network Automation software automates the complete operational lifecycle of network devices, from provisioning to policy-based change management, compliance, and security administration.