SlideShare una empresa de Scribd logo

SCAP and NETCONF

Descargar como PPTX, PDF
C
c3i

Further expanding the discussion on inter-networking devices (Routers and Switches) the NETCONF protocol will be discussed. NETCONF is a open standard protocol supported by major inter-networking vendors. This session looks to leveraging the NETCONF schema to retrieve the configuration files from inter-networking devices. This session will cover issues and challenges related to: •Security Automation and inter-networking devices. •Access methods to retrieve and process device configuration settings.

Tecnología
1 de 14
SCAP and the Network Configuration Protocol (NETCONF) Security Automation Developer Days July 12, 2012 Luis Nuñez – Apex Assurance Group David Solin - jOVAL Chandrashekhar Basavanna - SecPod
SCAP and NETCONF Further expanding the discussion on inter-networking devices (Routers and Switches) the NETCONF protocol will be discussed. NETCONF is a open standard protocol supported by major inter-networking vendors. This session looks to leveraging the NETCONF schema to retrieve the configuration files from inter-networking devices. This session will cover issues and challenges related to: • Security Automation and inter-networking devices. • Access methods to retrieve and process device configuration settings. 2 www.apexassurance.com © 2012 Apex Assurance Group
NETCONF  RFC 6241 Network Configuration Protocol “The Network Configuration Protocol (NETCONF) defined in this document provides mechanisms to install, manipulate, and delete the configuration of network devices. It uses an Extensible Markup Language (XML)-based data encoding for the configuration data as well as the protocol messages. The NETCONF protocol operations are realized as remote procedure calls (RPCs).” http://tools.ietf.org/html/rfc6241  RFC 6242 Using the NETCONF protocol over Secure Shell (SSH) http://tools.ietf.org/html/rfc6242 www.apexassurance.com © 2012 Apex Assurance Group
Why NETCONF for SCAP?  Leverage existing mechanisms such as NETCONF, SNMP, etc…  By design NETCONF is geared for configuration management  XML based messages and XML based configuration (Xpath) 4 www.apexassurance.com © 2012 Apex Assurance Group
NETCONF capabilities  Client server RPC based communications  Request types: – <get> configuration and state data – <get-config> configuration and state data – <edit-config> edit operations conducted on the device – <copy-config> create or replace configuration operation – <delete-config> delete configuration operation – <lock> lock configuration operation to session – <unlock> release configuration operation – <close-session> graceful session termination – <kill-session> Force session termination 5 www.apexassurance.com © 2012 Apex Assurance Group
NETCONF capabilities  XML Subtree Filter  NETCONF sessions  YANG data models  SSH 2.0, BEEP, HTTP, TLS  Vendors that support NETCONF – Cisco, Juniper, Brocade … 6 www.apexassurance.com © 2012 Apex Assurance Group
OVAL tests (Inter-networking devices) 7 www.apexassurance.com © 2012 Apex Assurance Group
Scanning methods Inter-networking devices don’t support OVAL tools to run locally (yet?) Connection using SSH and NETCONF over SSH 8 www.apexassurance.com © 2012 Apex Assurance Group
Demo Content  OVAL NETCONF schema  OVAL definition  XCCDF – based on DISA STIG  CPE  CCE 9 www.apexassurance.com © 2012 Apex Assurance Group
NETCONF and Remediation  Leverage existing protocols suited for remediation  Remedial aspects of NETCONF  NETCONF is a protocol that can commit and roll-back changes to configurations  Ideal for configuration remediation? < thoughts? 10 www.apexassurance.com © 2012 Apex Assurance Group
Software Defined Networks (SDN) • NETCONF is part of the OF-Config 1.1 specification (opennetworking.org) • Raging debate in the inter-networking industry • SDN based on OpenFlow protocol (not to be confused with Netflow) • SDN is about programmability of the inter-networking devices 11 www.apexassurance.com © 2012 Apex Assurance Group
Programmable Networks  Juniper Junos Space  Cisco OnePK  API into programing networks 12 www.apexassurance.com © 2012 Apex Assurance Group
Network Infrastructure STIG Topology 13 www.apexassurance.com © 2012 Apex Assurance Group
Thanks Reference  www.apexassurance.com  www.joval.org – Tool download http://joval.org/download/mitre  www.secpod.com – Content download http://scaprepo.com/  Junos STIG reference – http://www.c3isecurity.com/home/junos-hardening 14 www.apexassurance.com © 2012 Apex Assurance Group

Recomendados

CCNP Security-Firewall
CCNP Security-FirewallCCNP Security-Firewall
CCNP Security-Firewall
mohannadalhanahnah
 
CCNP Security-VPN
CCNP Security-VPNCCNP Security-VPN
CCNP Security-VPN
mohannadalhanahnah
 
Brkcrt 1160 c3-rev2
Brkcrt 1160 c3-rev2Brkcrt 1160 c3-rev2
Brkcrt 1160 c3-rev2
Solomon Abavire Kobina,
 
Cisco asa cx firwewall
Cisco asa cx firwewallCisco asa cx firwewall
Cisco asa cx firwewall
Anwesh Dixit
 
CCNA Security - Chapter 6
CCNA Security - Chapter 6CCNA Security - Chapter 6
CCNA Security - Chapter 6
Irsandi Hasan
 
Puppet day v1.1
Puppet day v1.1Puppet day v1.1
Puppet day v1.1
Wojciech Dec
 
UCS Management APIs A Technical Deep Dive
UCS Management APIs A Technical Deep DiveUCS Management APIs A Technical Deep Dive
UCS Management APIs A Technical Deep Dive
Cisco DevNet
 
Chapter 5 overview
Chapter 5 overviewChapter 5 overview
Chapter 5 overview
ali raza
 

Recomendados

CCNP Security-Firewall
CCNP Security-FirewallCCNP Security-Firewall
CCNP Security-Firewall
mohannadalhanahnah
 
CCNP Security-VPN
CCNP Security-VPNCCNP Security-VPN
CCNP Security-VPN
mohannadalhanahnah
 
Brkcrt 1160 c3-rev2
Brkcrt 1160 c3-rev2Brkcrt 1160 c3-rev2
Brkcrt 1160 c3-rev2
Solomon Abavire Kobina,
 
Cisco asa cx firwewall
Cisco asa cx firwewallCisco asa cx firwewall
Cisco asa cx firwewall
Anwesh Dixit
 
CCNA Security - Chapter 6
CCNA Security - Chapter 6CCNA Security - Chapter 6
CCNA Security - Chapter 6
Irsandi Hasan
 
Puppet day v1.1
Puppet day v1.1Puppet day v1.1
Puppet day v1.1
Wojciech Dec
 
UCS Management APIs A Technical Deep Dive
UCS Management APIs A Technical Deep DiveUCS Management APIs A Technical Deep Dive
UCS Management APIs A Technical Deep Dive
Cisco DevNet
 
Chapter 5 overview
Chapter 5 overviewChapter 5 overview
Chapter 5 overview
ali raza
 
Check Point CCSA NGX R71 Course Overview
Check Point CCSA NGX R71 Course OverviewCheck Point CCSA NGX R71 Course Overview
Check Point CCSA NGX R71 Course Overview
daisuke_tanabe
 
Network Engineer
Network EngineerNetwork Engineer
Network Engineer
varma ksn
 
Opensource tools for OpenStack IAAS
Opensource tools for OpenStack IAASOpensource tools for OpenStack IAAS
Opensource tools for OpenStack IAAS
Satya Sanjibani Routray
 
TechWiseTV Workshop: Programmable ASICs
TechWiseTV Workshop: Programmable ASICsTechWiseTV Workshop: Programmable ASICs
TechWiseTV Workshop: Programmable ASICs
Robb Boyd
 
Nagios-yating
Nagios-yatingNagios-yating
Nagios-yating
yating yang
 
How to configure cisco asa virtual firewall
How to configure cisco asa virtual firewallHow to configure cisco asa virtual firewall
How to configure cisco asa virtual firewall
IT Tech
 
Introduction to CORD project
Introduction to CORD projectIntroduction to CORD project
Introduction to CORD project
sangyun han
 
CCNA Discovery 4 - Chapter 7
CCNA Discovery 4 - Chapter 7CCNA Discovery 4 - Chapter 7
CCNA Discovery 4 - Chapter 7
Irsandi Hasan
 
KennethBaughResume_2015
KennethBaughResume_2015KennethBaughResume_2015
KennethBaughResume_2015
Ken Baugh
 
3 Years of Puppet at Cisco: The Secrets to Our Success - PuppetConf 2013
3 Years of Puppet at Cisco: The Secrets to Our Success - PuppetConf 20133 Years of Puppet at Cisco: The Secrets to Our Success - PuppetConf 2013
3 Years of Puppet at Cisco: The Secrets to Our Success - PuppetConf 2013
Puppet
 
Deployment guide c07_554713
Deployment guide c07_554713Deployment guide c07_554713
Deployment guide c07_554713
John Yu
 
VMware vShield - Overview
VMware vShield - OverviewVMware vShield - Overview
VMware vShield - Overview
Irsandi Hasan
 
Securing MySQL with a Focus on SSL
Securing MySQL with a Focus on SSLSecuring MySQL with a Focus on SSL
Securing MySQL with a Focus on SSL
wolfSSL
 
Cisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switchesCisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switches
IT Tech
 
Cisco Virtualized Network Services
Cisco Virtualized Network ServicesCisco Virtualized Network Services
Cisco Virtualized Network Services
Soumen Chatterjee
 
Cisco Automation with Puppet and onePK - PuppetConf 2013
Cisco Automation with Puppet and onePK - PuppetConf 2013Cisco Automation with Puppet and onePK - PuppetConf 2013
Cisco Automation with Puppet and onePK - PuppetConf 2013
Puppet
 
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Puppet
 
Chapter 7
Chapter 7 Chapter 7
Chapter 7
ali raza
 
Software Defined Networking (SDN) with VMware NSX
Software Defined Networking (SDN) with VMware NSXSoftware Defined Networking (SDN) with VMware NSX
Software Defined Networking (SDN) with VMware NSX
Zivaro Inc
 
SDN and NFV: Facts, Extensions, and Carrier Opportunities
SDN and NFV: Facts, Extensions, and Carrier OpportunitiesSDN and NFV: Facts, Extensions, and Carrier Opportunities
SDN and NFV: Facts, Extensions, and Carrier Opportunities
rjain51
 
Oval Internetworking Devices
Oval Internetworking DevicesOval Internetworking Devices
Oval Internetworking Devices
c3i
 
ITSAC 2011 SCAP for Inter-networking Devices
ITSAC 2011 SCAP for Inter-networking DevicesITSAC 2011 SCAP for Inter-networking Devices
ITSAC 2011 SCAP for Inter-networking Devices
c3i
 

Más contenido relacionado

La actualidad más candente

Network Engineer
Network EngineerNetwork Engineer
Network Engineer
varma ksn
 
CCNA Discovery 4 - Chapter 7
CCNA Discovery 4 - Chapter 7CCNA Discovery 4 - Chapter 7
CCNA Discovery 4 - Chapter 7
Irsandi Hasan
 
KennethBaughResume_2015
KennethBaughResume_2015KennethBaughResume_2015
KennethBaughResume_2015
Ken Baugh
 
3 Years of Puppet at Cisco: The Secrets to Our Success - PuppetConf 2013
3 Years of Puppet at Cisco: The Secrets to Our Success - PuppetConf 20133 Years of Puppet at Cisco: The Secrets to Our Success - PuppetConf 2013
3 Years of Puppet at Cisco: The Secrets to Our Success - PuppetConf 2013
Puppet
 
Deployment guide c07_554713
Deployment guide c07_554713Deployment guide c07_554713
Deployment guide c07_554713
John Yu
 
Chapter 7
Chapter 7 Chapter 7
Chapter 7
ali raza
 
Software Defined Networking (SDN) with VMware NSX
Software Defined Networking (SDN) with VMware NSXSoftware Defined Networking (SDN) with VMware NSX
Software Defined Networking (SDN) with VMware NSX
Zivaro Inc
 
SDN and NFV: Facts, Extensions, and Carrier Opportunities
SDN and NFV: Facts, Extensions, and Carrier OpportunitiesSDN and NFV: Facts, Extensions, and Carrier Opportunities
SDN and NFV: Facts, Extensions, and Carrier Opportunities
rjain51
 

La actualidad más candente (20)

Check Point CCSA NGX R71 Course Overview
Check Point CCSA NGX R71 Course OverviewCheck Point CCSA NGX R71 Course Overview
Check Point CCSA NGX R71 Course Overview
 
Network Engineer
Network EngineerNetwork Engineer
Network Engineer
 
Opensource tools for OpenStack IAAS
Opensource tools for OpenStack IAASOpensource tools for OpenStack IAAS
Opensource tools for OpenStack IAAS
 
TechWiseTV Workshop: Programmable ASICs
TechWiseTV Workshop: Programmable ASICsTechWiseTV Workshop: Programmable ASICs
TechWiseTV Workshop: Programmable ASICs
 
Nagios-yating
Nagios-yatingNagios-yating
Nagios-yating
 
How to configure cisco asa virtual firewall
How to configure cisco asa virtual firewallHow to configure cisco asa virtual firewall
How to configure cisco asa virtual firewall
 
Introduction to CORD project
Introduction to CORD projectIntroduction to CORD project
Introduction to CORD project
 
CCNA Discovery 4 - Chapter 7
CCNA Discovery 4 - Chapter 7CCNA Discovery 4 - Chapter 7
CCNA Discovery 4 - Chapter 7
 
KennethBaughResume_2015
KennethBaughResume_2015KennethBaughResume_2015
KennethBaughResume_2015
 
3 Years of Puppet at Cisco: The Secrets to Our Success - PuppetConf 2013
3 Years of Puppet at Cisco: The Secrets to Our Success - PuppetConf 20133 Years of Puppet at Cisco: The Secrets to Our Success - PuppetConf 2013
3 Years of Puppet at Cisco: The Secrets to Our Success - PuppetConf 2013
 
Deployment guide c07_554713
Deployment guide c07_554713Deployment guide c07_554713
Deployment guide c07_554713
 
VMware vShield - Overview
VMware vShield - OverviewVMware vShield - Overview
VMware vShield - Overview
 
Securing MySQL with a Focus on SSL
Securing MySQL with a Focus on SSLSecuring MySQL with a Focus on SSL
Securing MySQL with a Focus on SSL
 
Cisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switchesCisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switches
 
Cisco Virtualized Network Services
Cisco Virtualized Network ServicesCisco Virtualized Network Services
Cisco Virtualized Network Services
 
Cisco Automation with Puppet and onePK - PuppetConf 2013
Cisco Automation with Puppet and onePK - PuppetConf 2013Cisco Automation with Puppet and onePK - PuppetConf 2013
Cisco Automation with Puppet and onePK - PuppetConf 2013
 
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
 
Chapter 7
Chapter 7 Chapter 7
Chapter 7
 
Software Defined Networking (SDN) with VMware NSX
Software Defined Networking (SDN) with VMware NSXSoftware Defined Networking (SDN) with VMware NSX
Software Defined Networking (SDN) with VMware NSX
 
SDN and NFV: Facts, Extensions, and Carrier Opportunities
SDN and NFV: Facts, Extensions, and Carrier OpportunitiesSDN and NFV: Facts, Extensions, and Carrier Opportunities
SDN and NFV: Facts, Extensions, and Carrier Opportunities
 

Similar a SCAP and NETCONF

End-to-End Data Center Virtualization
End-to-End Data Center VirtualizationEnd-to-End Data Center Virtualization
End-to-End Data Center Virtualization
Cisco Canada
 
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
Cisco DevNet
 
Cisco's Open Device Programmability Strategy: Open Discussion
Cisco's Open Device Programmability Strategy: Open DiscussionCisco's Open Device Programmability Strategy: Open Discussion
Cisco's Open Device Programmability Strategy: Open Discussion
Cisco DevNet
 
Software Innovations and Control Plane Evolution in the new SDN Transport Arc...
Software Innovations and Control Plane Evolution in the new SDN Transport Arc...Software Innovations and Control Plane Evolution in the new SDN Transport Arc...
Software Innovations and Control Plane Evolution in the new SDN Transport Arc...
Cisco Canada
 
SDN 101: Software Defined Networking Course - Sameh Zaghloul/IBM - 2014
SDN 101: Software Defined Networking Course - Sameh Zaghloul/IBM - 2014SDN 101: Software Defined Networking Course - Sameh Zaghloul/IBM - 2014
SDN 101: Software Defined Networking Course - Sameh Zaghloul/IBM - 2014
SAMeh Zaghloul
 
NETCONF & YANG Enablement of Network Devices
NETCONF & YANG Enablement of Network DevicesNETCONF & YANG Enablement of Network Devices
NETCONF & YANG Enablement of Network Devices
Cisco DevNet
 
DPDK & Cloud Native
DPDK & Cloud NativeDPDK & Cloud Native
DPDK & Cloud Native
Michelle Holley
 

Similar a SCAP and NETCONF (20)

Oval Internetworking Devices
Oval Internetworking DevicesOval Internetworking Devices
Oval Internetworking Devices
 
ITSAC 2011 SCAP for Inter-networking Devices
ITSAC 2011 SCAP for Inter-networking DevicesITSAC 2011 SCAP for Inter-networking Devices
ITSAC 2011 SCAP for Inter-networking Devices
 
End-to-End Data Center Virtualization
End-to-End Data Center VirtualizationEnd-to-End Data Center Virtualization
End-to-End Data Center Virtualization
 
WWT Software-Defined Networking Guide
WWT Software-Defined Networking GuideWWT Software-Defined Networking Guide
WWT Software-Defined Networking Guide
 
SDN and NFV Friends or Enemies ?
SDN and NFV Friends or Enemies ?SDN and NFV Friends or Enemies ?
SDN and NFV Friends or Enemies ?
 
Know about SDN and NFV
Know about SDN and NFVKnow about SDN and NFV
Know about SDN and NFV
 
Software Defined Networking/Openflow: A path to Programmable Networks
Software Defined Networking/Openflow: A path to Programmable NetworksSoftware Defined Networking/Openflow: A path to Programmable Networks
Software Defined Networking/Openflow: A path to Programmable Networks
 
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
 
DEVNET-1006 Getting Started with OpenDayLight
DEVNET-1006 Getting Started with OpenDayLightDEVNET-1006 Getting Started with OpenDayLight
DEVNET-1006 Getting Started with OpenDayLight
 
OVNC 2015-Open Ethernet과 SDN을 통한 Mellanox의 차세대 네트워크 혁신 방안
OVNC 2015-Open Ethernet과 SDN을 통한 Mellanox의 차세대 네트워크 혁신 방안OVNC 2015-Open Ethernet과 SDN을 통한 Mellanox의 차세대 네트워크 혁신 방안
OVNC 2015-Open Ethernet과 SDN을 통한 Mellanox의 차세대 네트워크 혁신 방안
 
Cisco's Open Device Programmability Strategy: Open Discussion
Cisco's Open Device Programmability Strategy: Open DiscussionCisco's Open Device Programmability Strategy: Open Discussion
Cisco's Open Device Programmability Strategy: Open Discussion
 
Software Innovations and Control Plane Evolution in the new SDN Transport Arc...
Software Innovations and Control Plane Evolution in the new SDN Transport Arc...Software Innovations and Control Plane Evolution in the new SDN Transport Arc...
Software Innovations and Control Plane Evolution in the new SDN Transport Arc...
 
SDN 101: Software Defined Networking Course - Sameh Zaghloul/IBM - 2014
SDN 101: Software Defined Networking Course - Sameh Zaghloul/IBM - 2014SDN 101: Software Defined Networking Course - Sameh Zaghloul/IBM - 2014
SDN 101: Software Defined Networking Course - Sameh Zaghloul/IBM - 2014
 
OpenStack with OpenDaylight
OpenStack with OpenDaylightOpenStack with OpenDaylight
OpenStack with OpenDaylight
 
SDN and NFV: Friends or Enemies
SDN and NFV: Friends or EnemiesSDN and NFV: Friends or Enemies
SDN and NFV: Friends or Enemies
 
Open coud networking at full speed - Avi Alkobi
Open coud networking at full speed - Avi AlkobiOpen coud networking at full speed - Avi Alkobi
Open coud networking at full speed - Avi Alkobi
 
A 30-minute Introduction to NETCONF and YANG
A 30-minute Introduction to NETCONF and YANGA 30-minute Introduction to NETCONF and YANG
A 30-minute Introduction to NETCONF and YANG
 
NETCONF & YANG Enablement of Network Devices
NETCONF & YANG Enablement of Network DevicesNETCONF & YANG Enablement of Network Devices
NETCONF & YANG Enablement of Network Devices
 
CloudX on OpenStack
CloudX on OpenStackCloudX on OpenStack
CloudX on OpenStack
 
DPDK & Cloud Native
DPDK & Cloud NativeDPDK & Cloud Native
DPDK & Cloud Native
 

Último

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Último (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 

SCAP and NETCONF

  • 1. SCAP and the Network Configuration Protocol (NETCONF) Security Automation Developer Days July 12, 2012 Luis Nuñez – Apex Assurance Group David Solin - jOVAL Chandrashekhar Basavanna - SecPod
  • 2. SCAP and NETCONF Further expanding the discussion on inter-networking devices (Routers and Switches) the NETCONF protocol will be discussed. NETCONF is a open standard protocol supported by major inter-networking vendors. This session looks to leveraging the NETCONF schema to retrieve the configuration files from inter-networking devices. This session will cover issues and challenges related to: • Security Automation and inter-networking devices. • Access methods to retrieve and process device configuration settings. 2 www.apexassurance.com © 2012 Apex Assurance Group
  • 3. NETCONF  RFC 6241 Network Configuration Protocol “The Network Configuration Protocol (NETCONF) defined in this document provides mechanisms to install, manipulate, and delete the configuration of network devices. It uses an Extensible Markup Language (XML)-based data encoding for the configuration data as well as the protocol messages. The NETCONF protocol operations are realized as remote procedure calls (RPCs).” http://tools.ietf.org/html/rfc6241  RFC 6242 Using the NETCONF protocol over Secure Shell (SSH) http://tools.ietf.org/html/rfc6242 www.apexassurance.com © 2012 Apex Assurance Group
  • 4. Why NETCONF for SCAP?  Leverage existing mechanisms such as NETCONF, SNMP, etc…  By design NETCONF is geared for configuration management  XML based messages and XML based configuration (Xpath) 4 www.apexassurance.com © 2012 Apex Assurance Group
  • 5. NETCONF capabilities  Client server RPC based communications  Request types: – <get> configuration and state data – <get-config> configuration and state data – <edit-config> edit operations conducted on the device – <copy-config> create or replace configuration operation – <delete-config> delete configuration operation – <lock> lock configuration operation to session – <unlock> release configuration operation – <close-session> graceful session termination – <kill-session> Force session termination 5 www.apexassurance.com © 2012 Apex Assurance Group
  • 6. NETCONF capabilities  XML Subtree Filter  NETCONF sessions  YANG data models  SSH 2.0, BEEP, HTTP, TLS  Vendors that support NETCONF – Cisco, Juniper, Brocade … 6 www.apexassurance.com © 2012 Apex Assurance Group
  • 7. OVAL tests (Inter-networking devices) 7 www.apexassurance.com © 2012 Apex Assurance Group
  • 8. Scanning methods Inter-networking devices don’t support OVAL tools to run locally (yet?) Connection using SSH and NETCONF over SSH 8 www.apexassurance.com © 2012 Apex Assurance Group
  • 9. Demo Content  OVAL NETCONF schema  OVAL definition  XCCDF – based on DISA STIG  CPE  CCE 9 www.apexassurance.com © 2012 Apex Assurance Group
  • 10. NETCONF and Remediation  Leverage existing protocols suited for remediation  Remedial aspects of NETCONF  NETCONF is a protocol that can commit and roll-back changes to configurations  Ideal for configuration remediation? < thoughts? 10 www.apexassurance.com © 2012 Apex Assurance Group
  • 11. Software Defined Networks (SDN) • NETCONF is part of the OF-Config 1.1 specification (opennetworking.org) • Raging debate in the inter-networking industry • SDN based on OpenFlow protocol (not to be confused with Netflow) • SDN is about programmability of the inter-networking devices 11 www.apexassurance.com © 2012 Apex Assurance Group
  • 12. Programmable Networks  Juniper Junos Space  Cisco OnePK  API into programing networks 12 www.apexassurance.com © 2012 Apex Assurance Group
  • 13. Network Infrastructure STIG Topology 13 www.apexassurance.com © 2012 Apex Assurance Group
  • 14. Thanks Reference  www.apexassurance.com  www.joval.org – Tool download http://joval.org/download/mitre  www.secpod.com – Content download http://scaprepo.com/  Junos STIG reference – http://www.c3isecurity.com/home/junos-hardening 14 www.apexassurance.com © 2012 Apex Assurance Group

Notas del editor

  1. http://tools.ietf.org/html/rfc6241
  2. Discussion on scanning methods. Discuss on protocol connections.
  3. http://www.opennetworking.org
  4. https://developer.juniper.net/content/jdn/en/develop-overview/junos-space-sdk/getting-started.htmlCisco onepkhttp://developer.cisco.com/web/getyourbuildon/onepk