When can I have it? LARG*ncm? part 4

Welcome to part 4 of our homegrown NCM adventure, thanks for joining us. I appreciate your interest in this project. LARG*ncm scratches an itch we have but there has been wonderful support and interest in this project so it seems like others have the same itch.

Membership Releases

Let’s jump to the key question… we will release LARG*ncm to our members for free! Any members wanting a copy can email us at security@largnet.ca for details.

We included a redacted image of the 9 original trial devices (one of each type in our network) from the pilot project. We’ve added the rest of our devices in the last 2 weeks and can confidently say the fundamentals are in place and working great.

Supported Devices

The list of supported devices types is fairly extensive at this point and can grow by request. So far we’ve got:

  • arista_eos

  • brocade_fastiron

  • cisco_asa

  • cisco_ios

  • cisco_nxos

  • cisco_xe

  • cisco_xr

  • dell_powerconnect

  • hp_procurve

  • juniper_junos

  • linux

  • paloalto_panos

  • ruckus_fastiron

  • ubiquiti_edge

  • vyatta_vyos

The supported platforms come from Netmiko’s supported platform list. Additional platforms can be added assuming the vendor supports pulling configuration via SSH. We will not support unencrypted protocols like telnet and TFTP.

Improvements

There have been many improvements to LARG*ncm over the last 2 weeks.

Versions

Checking versions are a manual process but the system pulls hardware model and software versions.

This is difficult to show completely because of OPsec nature of this information but hats off to our NOC’s excellent patching regimen.

Eventually this feature will automatic and version information will be included in the security reports.

RADIus Authentication

Local authentication was the only option until this week but a rather simple addition using a fixed version of Django-Radius interfacing Pyrad to Django allowed me to add RADIUS to the mix. Many thanks to both those teams for making my job easier.

Security Reports

The security reports are in a constant state of improvement. The goal is to apply the relevant vendor’s hardening guide to each device’s configuration to generate a list of potential issues.

This process is difficult because some evaluation of various rules is required. Classifications like Fail/Recommendation/Success are unclear without context. There are also some excluded rules in the hardening guides. For example unicast reverse path forwarding (uRPF) is useful but also contentious since not every environment supports it.

Backups of LARG*ncm

As with an dev project, LARG*ncm has undergone many changes. Some are minor and some required wiping the database and starting from scratch. Obviously building a backup solution is as necessary as it is challenging.

I initially used CSV formatting but quickly blew through its limits and ended up creating my own backup format. This feature is still a work in progress. Though completely functional, naturally I want to fix what’s not broken.

Future Goals

My to do list keeps growing but then so does LARG*ncm’s feature list.

There is lots of work to be done on security reports. I need access to configurations for devices/vendors we don’t currently have in our network to create security report templates for those devices. Please send me a copy if you are willing to share a Arista, Dell, Palo Alto, Ruckus, Ubiquiti, or Vyos configuration. I appreciate the community support to improve this project.

Comment with features you would like to see added and I’ll add them to the list. Maybe we can work out a configuration for feature trade!

LARG*netComment