Out with SolarWinds and in with LARG*ncm part 3
Welcome to the third instalment of our quest to replace Solarwinds’ Network Configuration Manager (NCM) with a homegrown app. This quest began when we (and the world) discovered SolarWinds’ alarming lack of security. The RCEs keep dropping which further justifies the decision to abandon SolarWinds. In part 2 we evaluated a couple open source options and none fully met our criteria. Since the requirements of an NCM are not complex and I want to learn a Python web framework, I set off with a goal to create one for us.
LARG*ncm was born not knowing how much time it would take to build. Fortunately my multiple other projects provided a good base of knowledge to get started and I steadily built LARG*ncm using python. Regular readers will be familiar with my feelings for python but if you’re new here check out my previous blog <3 python. Now that we’re all on the same page, lets go over what makes up LARG*ncm:
Django
Django provides a fast to develop and also fast in performance. “Reassuringly secure” sounds great so hopefully I didn’t break that. Their documentation is fantastic so I picked up the basics and spooled up a functional app rapidly. This was only possible because of Django. Thanks Django team!
Django Q
Django Q is a simple system that schedules and asynchronously runs functions to prevent weird website hangups and drastically improve performance. Django may be great in a lot of way but it unfortunately doesn’t include a scheduler so I appreciate Django Q’s simple install and ease of use. Thanks Django Q team!
Netmiko
I used Paramiko at first but HP ProCurves had some weird issues. Fortunately replacing Paramiko with Netmiko not only resolved those issues but also simplified device configuration for users of LARG*ncm. Thanks Netmiko team!
Cisco Conf Parse
Cisco Conf Parse is a python library that enables quick and easy configuration audits. The project has morphed to include many other vendors including brace-delimited configurations like Juniper. This library also allows for the creation of security reports using rules based on the hardening guides. Thanks CiscoConfParse team!
LARG*ncm
My main goal for the UI is simplicity. I think you can agree it doesn’t get much easier than this! Here’s the process to add a new device immediately after install. Credentials save in the drop-down to make setting up subsequent devices much easier.
All you need for devices is name, IP address, type, and credentials. I can change the daily schedule by clicking on the link again to immediately pull the current configuration and generate a security report.
Style work is on-going but the site uses mostly HTML5/CSS flex design and, eventually, our usual colour scheme.
The download latest links give you immediate access to the device’s latest configuration file. Running a security report is quick and easy - just click “Run report” and 30 seconds later you have Success/Fail result and a link to the failure criteria. I think I will eventually run the security report automatically.
There’s also a daily email feature requiring SMTP configuration if you want to enable it. The email consists of a summary of devices and includes config download links. I am debating whether it’s smart to include the full configuration as an attachment so our team has this info handy in case the app is unavailable. As always it’s a matter of security risk potential vs easy access. Comment your thoughts!
Diff pages are also generated to help the user quickly identify what has changed. In this case the configuration didn’t actually change but IOS XR devices include the date the configuration was pulled each time you run a backup.
Now that you’re familiar with the basics we can get get down to business. Stay tuned!