SCAP and NETCONF

Further expanding the discussion on inter-networking devices (routers and switches), this session covers the NETCONF protocol. NETCONF (RFC 6241) is an open standard protocol supported by major inter-networking vendors. The session looks at leveraging NETCONF to retrieve configuration data from inter-networking devices for SCAP assessment, and covers issues and challenges related to:

•Security Automation and inter-networking devices.
•Access methods to retrieve and process device configuration settings.

Speaker notes:
  • http://tools.ietf.org/html/rfc6241
  • Discussion on scanning methods and on protocol connections.
  • http://www.opennetworking.org
  • https://developer.juniper.net/content/jdn/en/develop-overview/junos-space-sdk/getting-started.html
  • Cisco onePK: http://developer.cisco.com/web/getyourbuildon/onepk

    1. SCAP and the Network Configuration Protocol (NETCONF)
       Security Automation Developer Days, July 12, 2012
       Luis Nuñez (Apex Assurance Group), David Solin (jOVAL), Chandrashekhar Basavanna (SecPod)
    2. SCAP and NETCONF
       Further expanding the discussion on inter-networking devices (routers and switches), this session covers the NETCONF protocol. NETCONF is an open standard protocol supported by major inter-networking vendors. The session looks at leveraging NETCONF to retrieve configuration data from inter-networking devices, and covers issues and challenges related to:
       • Security Automation and inter-networking devices.
       • Access methods to retrieve and process device configuration settings.
       www.apexassurance.com © 2012 Apex Assurance Group
    3. NETCONF
       • RFC 6241, Network Configuration Protocol: “The Network Configuration Protocol (NETCONF) defined in this document provides mechanisms to install, manipulate, and delete the configuration of network devices. It uses an Extensible Markup Language (XML)-based data encoding for the configuration data as well as the protocol messages. The NETCONF protocol operations are realized as remote procedure calls (RPCs).” http://tools.ietf.org/html/rfc6241
       • RFC 6242, Using the NETCONF Protocol over Secure Shell (SSH): http://tools.ietf.org/html/rfc6242
    4. Why NETCONF for SCAP?
       • Leverage existing management mechanisms such as NETCONF, SNMP, etc.
       • By design NETCONF is geared for configuration management.
       • XML-based messages and XML-based configuration data, so standard XML tooling (XPath, subtree filters) can select the settings a check needs.
    5. NETCONF capabilities
       Client/server, RPC-based communications. Base protocol operations:
       – <get> retrieve the running configuration together with device state data
       – <get-config> retrieve all or part of a specified configuration datastore (running, candidate, startup); no state data
       – <edit-config> edit operations applied to a configuration datastore on the device
       – <copy-config> create or replace a whole configuration datastore
       – <delete-config> delete a configuration datastore (the running datastore cannot be deleted)
       – <lock> lock a configuration datastore for the duration of the session
       – <unlock> release a lock previously obtained with <lock>
       – <close-session> graceful session termination
       – <kill-session> force termination of another session
    6. NETCONF capabilities (continued)
       • XML subtree filtering to select only the configuration subtree a check needs
       • NETCONF sessions (each identified by a server-assigned session-id)
       • YANG data models describe the configuration and state data
       • Transports: SSH (RFC 6242, the one mapping every implementation must support), BEEP, SOAP over HTTP, TLS
       • Vendors that support NETCONF: Cisco, Juniper, Brocade, and others
    7. OVAL tests (inter-networking devices)
    8. Scanning methods
       • Inter-networking devices do not support running OVAL tools locally (yet?), so assessment is done remotely.
       • Connection over SSH (CLI) and NETCONF over SSH; per RFC 6242 the server listens on TCP port 830 by default and the client requests the “netconf” SSH subsystem, so the same SSH credentials and host-key checks apply as for an interactive login.
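The client side of the exchange described on slides 5, 6 and 8 (capability <hello>, RFC 6242 framing, a <get-config> with a subtree filter, and a policy check on the returned data of the kind an OVAL test would express), as an added worked example that is not code from the talk, from jOVAL, or from any vendor SDK. It assumes a hypothetical configuration schema in namespace urn:example:demo (not any vendor's YANG model) and uses a constructed device hello and reply in place of the SSH “netconf” subsystem on port 830, so it runs offline:

```python
"""NETCONF client primitives (RFC 6241 / RFC 6242) exercised against constructed
device messages.  Added example; the urn:example:demo schema is hypothetical."""
import re
import xml.etree.ElementTree as ET

BASE_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
BASE_10 = "urn:ietf:params:netconf:base:1.0"
BASE_11 = "urn:ietf:params:netconf:base:1.1"
DEMO_NS = "urn:example:demo"          # hypothetical config schema namespace (assumption)
EOM = b"]]>]]>"                       # RFC 6242 end-of-message marker (base:1.0 framing)
NS = {"nc": BASE_NS, "d": DEMO_NS}


def hello(capabilities):
    """Client <hello>: advertises capabilities and never carries a <session-id>."""
    caps = "".join(f"<capability>{c}</capability>" for c in capabilities)
    return f'<hello xmlns="{BASE_NS}"><capabilities>{caps}</capabilities></hello>'


def negotiate(local_caps, peer_hello_xml):
    """Choose the framing both sides support.  <hello> itself is always terminated
    with ]]>]]>; the negotiated framing applies to every message after it."""
    root = ET.fromstring(peer_hello_xml)
    if root.find("nc:session-id", NS) is None:
        raise ValueError("server hello must carry a session-id")
    peer = {c.text.strip() for c in root.findall("nc:capabilities/nc:capability", NS)}
    if BASE_11 in peer and BASE_11 in local_caps:
        return "1.1"
    if BASE_10 in peer and BASE_10 in local_caps:
        return "1.0"
    raise ValueError("no common base capability")


def rpc(msg_id, body):
    return f'<rpc message-id="{msg_id}" xmlns="{BASE_NS}">{body}</rpc>'


def get_config(msg_id, filter_xml, source="running"):
    """<get-config> returns configuration only; <get> would also return state data."""
    return rpc(msg_id, f"<get-config><source><{source}/></source>"
                       f'<filter type="subtree">{filter_xml}</filter></get-config>')


def frame(msg, version):
    data = msg.encode("utf-8")
    if version == "1.0":
        return data + EOM
    return b"\n#%d\n" % len(data) + data + b"\n##\n"   # RFC 6242 section 4.2 chunk framing


def unframe(buf, version):
    """Return (message, remaining_bytes) for one framed message, rejecting bad framing."""
    if version == "1.0":
        msg, _, rest = buf.partition(EOM)
        return msg.decode("utf-8"), rest
    parts, pos = [], 0
    while True:
        m = re.match(rb"\n#([1-9][0-9]*)\n", buf[pos:])
        if m:
            start = pos + m.end()
            parts.append(buf[start:start + int(m.group(1))])
            pos = start + int(m.group(1))
        elif buf.startswith(b"\n##\n", pos):
            return b"".join(parts).decode("utf-8"), buf[pos + 4:]
        else:
            raise ValueError("malformed chunk framing")


def check_reply(reply_xml, msg_id, max_idle_minutes=10):
    """Match the reply to its request, surface <rpc-error>, then evaluate the policy:
    SSH protocol version must be 2 and the login idle timeout at most max_idle_minutes."""
    root = ET.fromstring(reply_xml)
    if root.tag != f"{{{BASE_NS}}}rpc-reply" or root.get("message-id") != msg_id:
        raise ValueError("reply does not match request message-id")
    err = root.find("nc:rpc-error", NS)
    if err is not None:
        raise RuntimeError(err.findtext("nc:error-message", "", NS))
    findings = []
    ver = root.findtext("nc:data/d:system/d:ssh/d:protocol-version", None, NS)
    if ver != "2":
        findings.append(f"ssh protocol-version is {ver!r}, expected '2'")
    idle = root.findtext("nc:data/d:system/d:login/d:idle-timeout", None, NS)
    if idle is None or int(idle) > max_idle_minutes:
        findings.append(f"idle-timeout is {idle}, maximum is {max_idle_minutes}")
    return findings


# Constructed device messages standing in for what the SSH "netconf" subsystem returns.
DEVICE_HELLO = (f'<hello xmlns="{BASE_NS}"><capabilities>'
                f"<capability>{BASE_10}</capability><capability>{BASE_11}</capability>"
                "<capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>"
                "</capabilities><session-id>4</session-id></hello>")
DEVICE_REPLY = (f'<rpc-reply message-id="101" xmlns="{BASE_NS}"><data>'
                f'<system xmlns="{DEMO_NS}"><ssh><protocol-version>2</protocol-version></ssh>'
                "<login><idle-timeout>30</idle-timeout></login></system></data></rpc-reply>")


def run_demo():
    """Whole client-side exchange; returns (negotiated framing version, findings)."""
    version = negotiate([BASE_10, BASE_11], unframe(frame(DEVICE_HELLO, "1.0"), "1.0")[0])
    request = get_config("101", f'<system xmlns="{DEMO_NS}"/>')   # subtree filter
    wire = frame(request, version)             # bytes the client writes to the SSH channel
    assert unframe(wire, version)[0] == request
    findings = check_reply(unframe(frame(DEVICE_REPLY, version), version)[0], "101")
    return version, findings


if __name__ == "__main__":
    print(run_demo())
```

Two details matter in practice: the message-id check ties each reply to its request so a scanner never evaluates a stale or unrelated reply, and the chunk parser rejects anything that is not well-formed framing rather than guessing, since the transport is the trust boundary between the scanner and the device.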
    9. Demo content
       • OVAL NETCONF schema
       • OVAL definition
       • XCCDF, based on the DISA STIG
       • CPE
       • CCE
    10. NETCONF and remediation
       • Leverage existing protocols suited for remediation.
       • Remedial aspects of NETCONF: with the :candidate capability a change is staged in the candidate datastore, validated, and committed; a confirmed commit is rolled back automatically by the device unless the client confirms it within the timeout.
       • NETCONF is a protocol that can commit and roll back changes to configurations.
       • Ideal for configuration remediation? Thoughts?
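The commit-and-rollback remediation flow sketched on slide 10, as an added example in Python that is not code from the talk or from any vendor. It assumes a device advertising the :candidate and :confirmed-commit capabilities (RFC 6241 sections 8.3 and 8.4), an in-memory stub standing in for that device, and the same hypothetical urn:example:demo schema; the sequence is lock candidate, <edit-config>, <validate>, confirmed <commit>, confirming <commit>, <unlock>, with <discard-changes> and <unlock> on any <rpc-error>:

```python
"""Transactional remediation over NETCONF against a constructed device stub.
Added example; the urn:example:demo schema is hypothetical."""
import xml.etree.ElementTree as ET

BASE_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
DEMO_NS = "urn:example:demo"          # hypothetical config schema (assumption)
CANDIDATE = "<target><candidate/></target>"


def rpc(msg_id, body):
    return f'<rpc message-id="{msg_id}" xmlns="{BASE_NS}">{body}</rpc>'


def reply_ok(reply_xml):
    """True only for an <rpc-reply> carrying <ok/>; anything else is treated as failure."""
    return ET.fromstring(reply_xml).find(f"{{{BASE_NS}}}ok") is not None


class StubDevice:
    """Constructed stand-in for a NETCONF server with a candidate datastore.
    fail_validate=True makes it reject <validate>, exercising the rollback path."""

    def __init__(self, fail_validate=False):
        self.running = {"idle-timeout": 30}
        self.candidate = dict(self.running)
        self.locked_by = None
        self.fail_validate = fail_validate
        self.ops = []                     # operations seen, in order

    def send(self, rpc_xml):
        root = ET.fromstring(rpc_xml)
        mid, op = root.get("message-id"), root[0]
        name = op.tag.split("}")[1]
        self.ops.append(name)
        if name == "lock":
            if self.locked_by is not None:
                return self._error(mid, "lock-denied")
            self.locked_by = mid
        elif name == "unlock":
            self.locked_by = None
        elif name == "edit-config":
            val = op.find(f".//{{{DEMO_NS}}}idle-timeout").text
            self.candidate["idle-timeout"] = int(val)
        elif name == "validate" and self.fail_validate:
            return self._error(mid, "validation failed")
        elif name == "commit":          # confirmed and confirming commit both copy candidate -> running
            self.running = dict(self.candidate)
        elif name == "discard-changes":
            self.candidate = dict(self.running)
        return f'<rpc-reply message-id="{mid}" xmlns="{BASE_NS}"><ok/></rpc-reply>'

    @staticmethod
    def _error(mid, msg):
        return (f'<rpc-reply message-id="{mid}" xmlns="{BASE_NS}"><rpc-error>'
                "<error-type>application</error-type><error-tag>operation-failed</error-tag>"
                f"<error-severity>error</error-severity><error-message>{msg}</error-message>"
                "</rpc-error></rpc-reply>")


def remediate(dev, idle_timeout):
    """Stage, validate and commit one setting; roll back on the first <rpc-error>."""
    edit = (f'<edit-config>{CANDIDATE}<config><system xmlns="{DEMO_NS}"><login>'
            f"<idle-timeout>{idle_timeout}</idle-timeout></login></system></config></edit-config>")
    steps = [
        f"<lock>{CANDIDATE}</lock>",
        edit,
        "<validate><source><candidate/></source></validate>",
        "<commit><confirmed/><confirm-timeout>120</confirm-timeout></commit>",
        # A real client re-runs its compliance check here.  If the check fails or the
        # device is unreachable, it simply never sends the confirming commit and the
        # device restores the previous running configuration when the timeout expires.
        "<commit/>",
        f"<unlock>{CANDIDATE}</unlock>",
    ]
    for i, body in enumerate(steps, 1):
        if not reply_ok(dev.send(rpc(str(i), body))):
            dev.send(rpc("r1", "<discard-changes/>"))          # drop staged edits
            dev.send(rpc("r2", f"<unlock>{CANDIDATE}</unlock>"))
            return False
    return True


if __name__ == "__main__":
    good, bad = StubDevice(), StubDevice(fail_validate=True)
    print(remediate(good, 10), good.running, remediate(bad, 10), bad.running)
```

The lock is taken before the edit and released on every exit path, so a failed remediation never leaves the candidate datastore locked for the next scanner run; the confirmed commit is what makes the change safe to push to a device the scanner may lose contact with.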
    11. Software Defined Networks (SDN)
       • NETCONF is the configuration transport specified by OF-Config 1.1 (opennetworking.org).
       • A raging debate in the inter-networking industry.
       • SDN is based on the OpenFlow protocol (not to be confused with NetFlow).
       • SDN is about programmability of the inter-networking devices.
    12. Programmable networks
       • Juniper Junos Space
       • Cisco onePK
       • APIs for programming networks
    13. Network Infrastructure STIG topology
    14. Thanks / references
       • www.apexassurance.com
       • www.joval.org, tool download: http://joval.org/download/mitre
       • www.secpod.com, content download: http://scaprepo.com/
       • Junos STIG reference: http://www.c3isecurity.com/home/junos-hardening