2021

The Role of Network Security to Fight Log4Shell

December 9th, 2021 rocked the world for a significant number of IT professionals responsible for building and protecting the applications their organizations create and deploy. Apache announced CVE-2021-44228, commonly referred to as Log4Shell, a zero-day vulnerability affecting their log4j logging software. Due to the severity of the vulnerability and the relative ease with which it can be exploited, it is critical to ensure that affected assets are protected. This article aims to highlight how the network plays a critical role in the protection of assets and the detection of vulnerabilities like Log4Shell.

Cisco ISE 2.4 to 3.0 Upgrade Procedure

If you have ever read through the Cisco ISE 3.0 Upgrade Guide, you know that it involves a lot of decision points and requires referencing many other Cisco documents just to build a complete implementation plan for upgrading Cisco ISE from 2.x to 3.x. It is a complicated process if you have never been through it before, and oftentimes you're left with more questions than answers when researching how to proceed. This usually involves engaging Cisco TAC to help clarify points that aren't necessarily obvious in their documentation. Having gone through this upgrade path this past year, I thought that documenting the procedures I followed may help others succeed in their own upgrades. Understand that all implementations are different, so use this as one more piece of information as you research how to perform this upgrade.

Cisco IOS XE Netconf and Restconf Authentication Bypass Vulnerability

Earlier this week, in its semiannual Cisco IOS and IOS XE bundled software security advisory publication, Cisco announced some very concerning security advisories (3 critical, 11 high and 11 medium severity), one of which allows an attacker to bypass authentication on devices configured for NETCONF or RESTCONF. After an attacker has bypassed authentication, they can install, manipulate, or delete your Cisco IOS XE device's configuration, or cause a memory corruption that results in a denial of service (DoS) condition.

Best Practices for Safe Ansible Playbook Execution

Ansible can be a very powerful automation tool, allowing you to interact with hundreds or thousands of network devices at once. The automation is defined through a combination of inventory files, variable files, and playbooks (with optional task files and roles). The combination of these features makes for a very powerful automation tool, but with that comes a high level of risk. In this guide I highlight a few best practices to follow when executing Ansible playbooks. By following these best practices you will have increased confidence that you are implementing the correct tasks against the correct set of devices, and you will avoid any surprises!

A Practical Guide to Deploying SAML for AnyConnect (External)

The pandemic has rapidly advanced the need for high-quality and secure remote access VPN (RAVPN) solutions. As a result, many vendors' RAVPN solutions have been targeted by hackers, which has led to newly identified vulnerabilities and security advisories being released by those vendors. One area of concern is user credential management and multi-factor authentication (MFA). The configuration examples provided by Cisco and authentication providers for SAML with Cisco AnyConnect fail to show how to configure multiple group-policies so that you can restrict access appropriately for each business unit and vendor. Instead, they show how to apply a single group-policy to cover all of your remote access users. I've written a blog post for my employer Optanix that provides a production-grade example of how to deploy SAML for Cisco AnyConnect, using multiple group-policies and LDAP attribute maps for fine-grained access control.

Read A Practical Guide to Deploying SAML for AnyConnect for more details and let me know what you think!

Simple SNMP Queries with Python

The need to query network devices for information on a repeated and consistent basis has always been a critical part of network management: monitoring the health of your network devices, building reports for use by management, querying the status of a particular function, and so on. There are an increasing number of ways to perform this type of data gathering. From the extremes of manually logging in to run a CLI command or check a web GUI, to using the latest API or NETCONF, network engineers have their choice of protocol. However, nothing is as common and widely deployed as Simple Network Management Protocol (SNMP). Most network monitoring platforms rely on SNMP, especially when the network platform is decentralized, as with common routers and switches, which requires each network device to be queried individually rather than through a centralized controller.

Using Ansible Inventory Files in Python Scripts

With the various methods for performing network automation, one of the challenging aspects to consider is inventory management. One of the tools available to us is Ansible, which expects either an inventory file in YAML format with specific variables or a dynamic inventory. But Ansible doesn't solve all automation use cases. I have used Ansible for configuration management, but I have also used many different Python scripts for generating reports and performing complex operations that seemed easier to implement directly in Python than in Ansible. There is no 'one size fits all' solution to network automation.

Increase Network Change Implementation Success (External)

Having worked in the Network Management / Operations industry for over 15 years, I have been involved in the implementation of network changes on many occasions. I have also helped drive process transformation in how various teams implement changes, based on best practices that I have picked up along the way. I've written a blog post for my employer Optanix on some steps that you can take to help increase confidence and success in network changes.

Read Increase Implementation Success With a Proven Network Change Management Process for more details and let me know what you think!

How to Upgrade Cisco ASA Firewalls (External)

With the ever-increasing number of vulnerabilities and security advisories released by networking vendors, having a well-defined plan for performing software upgrades on each platform in your network is critical. Cisco ASA firewalls are most commonly deployed at the edge of your network, often with interfaces connected to the public Internet or to a network that you may not manage. I've written a blog post for my employer Optanix that lays out a well-defined plan for upgrading Cisco ASA firewalls.

Read How to Upgrade Cisco ASA Firewalls for more details and let me know what you think!

Exploring NETCONF and YANG on Cisco IOS-XE

I have been reading up on model-driven programmability using NETCONF and YANG models, and found myself playing around with them after a Reddit user was having difficulty updating a Cisco IOS-XE interface description and VLAN. Other than reading about YANG and retrieving the basic capabilities from my lab router, I hadn't actually configured anything using NETCONF and YANG models before, so this seemed like a good challenge to get me thinking in the right mindset. I suspected that the problem had to do with the XML namespace the user was referencing, but I had to figure out a way to prove it. In this post I will cover a little bit about NETCONF/YANG as well as how you can explore using it with your Cisco devices. This guide isn't meant to be a complete overview of these protocols, just something to get you started on learning about them.