CiscoWorks Network Compliance Manager Technical Overview

Ng Tock Hiong, Systems Engineering Manager, [email protected]


© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential


Agenda

• Introduction
• Product Overview
• Features & Functions
• GUI and Screen Shots
• Usage and Deployment Scenarios
• Summary


Introduction to CWNCM


Today’s IT Concerns

• Expertise: high productivity requirements, scarce expertise
• Growth: new services, critical business applications
• Compliance: regulatory standards, corporate/IT policies, technology rules
• Complexity: global networks, network applications, web services

Increasing challenges

• 90% of IT initiatives are delivered late
• 80% of IT budget is spent on maintenance & operations


Fully automated network configuration and change management (NCCM)

• Automate complex network management tasks through multi-threaded event-driven automation engine
• Control and standardize across infrastructure in a central, secure location
• Track all activity down to the very operator keystrokes
• Prevent errors & enforce process through centralized point of control

[Diagram labels: Tools Manager, Network Architect, Network Manager, Security Engineers, Network Engineers, NOC Operators, IT Staff, Auditor, Manager, Director, Network Management Tools, Network]


Product Overview


CiscoWorks Network Compliance Manager (NCM)

A highly scalable, multi-vendor offering for centralized network compliance management

Best-in-breed Network Configuration and Change Management (NCCM)
• real-time change detection
• pre-deployment validation
• policy enforcement

Sophisticated Audit and Compliance Analysis
• set policy to track compliance
• automated generation of compliance reports (SOX, VISA CISP, HIPAA, GLBA, ITIL, CobiT, COSO)

Advanced Workflows
• model complex projects
• define custom approval policies

Extensive Reporting
• network status
• compliance


CiscoWorks NCM Functional Overview

Change & Configuration Management
• Device provisioning
• Configuration
• Scripting
• OS image updates

Audit & Compliance
• Network audits
• Best practices enforcement
• SOX, VISA CISP, HIPAA, GLBA, ITIL, CobiT, COSO

Reporting
• Network compliance
• Deployed assets
• Change history

Workflows & Approvals
• Sequencing
• Scheduling
• Process model
• Change approvals

Automated Discovery & Inventory Import
• Individual devices (e.g., from CiscoWorks DCR)
• Network topology
• Detailed asset inventory
• OS images

[Diagram labels: CiscoWorks Network Compliance Manager, Policy-Based or Ad Hoc Integration Connectors, Central Data Repository, Member of Federated CMDB, Other Network Management Systems, CiscoWorks or 3rd party applications, Network]


CiscoWorks NCM Architectural Overview

Architecture diagram components:
• Compliance & Best Practices Enforcement
• Automation & Provisioning
• Network Configuration & Change Management (NCCM)
• Network Lockdown & Vulnerability Management
• Management Engine
• API, GUI
• Reporting (compliance, change, visibility)
• Telnet/SSH Proxy
• Routers, Switches, Firewalls, Load Balancers, Access Points (Cisco and 35 other vendors)


Features & Functions


CiscoWorks NCM Features & Benefits - 1

Key Features and Benefits

Network discovery & inventory import
• Elimination of manual administration of devices

Network diagram
• Easy visualization of topology
• Facilitation of troubleshooting

Configuration & change management
• Maximized uptime
• Easy audit of configuration changes

Audit & compliance management
• Easy modeling of regulatory, corporate, IT, technology policies
• Visibility into network’s compliance with policies
• Identification of critical risks and violations
• Prioritized triage of compliance violations


CiscoWorks NCM Features & Benefits - 2

Key Features and Benefits

Integration with CiscoWorks applications
• Easy cross launch of CiscoWorks NCM and CiscoWorks LMS
• Consistent network database via Device Credential Repository (DCR)
• Combination of network configuration, change, compliance, Cisco IOS/CatOS image management

Security management
• Role-based access control and lock down
• Centralized ACL management

Advanced workflow and approvals
• Close the change loop with real-time process enforcement

Multivendor support
• Thousands of device models/versions supported out of the box across Cisco and 35 other vendors
• Object-oriented driver architecture enables rapid driver development
• Frequent driver releases


CiscoWorks NCM High Availability Features

Active/Active Management via High Availability Database Replication

Key Elements and Key Attributes
• Core: Secure, scalable
• HA: No single point of failure
• Satellite: Remotely manage any device—including duplicate addressed networks

NCM Satellite
• Management of remote offices & duplicate IP addressed space
• Meshed to work around network failures

NCM HA
• Real-time synchronization between all NCM cores
• Enables remote management, disaster recovery and global visibility
• Replicated database, software, user directory & routes commands to correct locations

[Diagram labels: Remote Office, CWNCM Core, NCM Core, Managed Network]


CiscoWorks NCM Extensive, Multi-Vendor Device Support

Supports over 500 device models across Cisco and other vendors


NCM Alert Center

What is it?

New, optional subscription service that provides NCM users with ongoing updates of security alerts and automation packs

Benefits:
• Security Alerts – vendor security alerts translated into NCM software policies
• Shared Product Extensions – leverage scripts, packages and policies
• Functionality Updates – new capabilities available outside the release cycle


NCM Alert Center – Security Alerts

Automatically downloads and continuously updates Network Vulnerability Alerts

Based on industry leading alert service

NCM translates alerts into Software Compliance Policies

NCM server securely downloads new alerts (approx. 3-5 per week)

Users can review and activate desired policies in their environment


NCM Alert Center difference: Automated, reliable, and rapid remediation

Security Alert Service

Vulnerability Awareness: Automated delivery of vulnerability alerts
• The right people get alerted immediately and everyone has a consistent view of the vulnerabilities

Vulnerability Translation: Immediately actionable policies
• Vulnerability alerts come pre-translated and are immediately actionable
• Customers can easily choose which alerts to activate based on pre-attached risk levels

Identification & Remediation: Rapid identification and remediation
• Automatically identifies all vulnerable devices and provides an ‘at-a-glance’ dashboard view
• NCM will remediate all vulnerable devices concurrently

Ongoing Compliance: Automated alerts on any regression
• Immediately alerts when existing devices regress or new devices with known vulnerabilities are added to the network


GUI and Screen Shots


Diagram, Visualization & Troubleshooting

The Challenge
• Creating network diagrams is a labor-intensive process
• Diagrams are often out of date with the current state of the network, causing increased downtime and less effective troubleshooting

NCM Solution
• Applies deep network understanding to generate real-time, accurate topology diagrams
• Provides integrated server & network diagrams for a complete picture of the IT infrastructure

Benefits
• Eliminate 99% of the time spent building diagrams
• Facilitates troubleshooting
• Allows server/network dependencies to be mapped

Annotate diagrams with configuration and asset information

Leverages deep network knowledge to create real-time topology diagrams


Layer 2 Modeling

The Challenge
• No visibility into network <-> server dependencies
• Armed with the MAC address of a server, users are unable to complete the puzzle:
  • What is the IP address of the server?
  • Which network switch is that server attached to?

NCM Solution
• Capture and store L2 information for managed devices and attached nodes
• Calculate L2 topology from device configurations and diagnostics
• MAC – port – switch – interface – router mapping tool

Immediately locate the device & port where a MAC address is seen

Provides layer 2 networking intelligence in one central repository


VLAN Management

The Challenge
• Distributed VLANs cause complexity
  • Which switches participate in VLAN 101?
• Tracking servers to VLAN segments
  • Which servers are in Finance VLAN?

NCM Solution
• Instantly identify VLAN based on MAC/port/switch data
• Real-time VLAN reports

Provides VLAN networking intelligence in one central repository

Produce real-time reports of VLAN membership


Prioritized Triage of Compliance Violations

The Problem
• Compliance violations are not all created equal
• No way to filter and triage hundreds or thousands of compliance violations besides manual review

Prioritized Compliance Rules
• Each violation has a risk rating
• Automated triage based on risk ratings, such as:
  • Auto-remediate
  • Open new trouble ticket
  • Send email / page
  • Email daily summary

Prioritize Compliance Rules

Pushing the most critical violations to the forefront


Policy Rules Engine

• Configuration, Diagnostic and Software policy checks for “as-configured” and “as-running” analysis
• Intelligent policy analysis of whether the device’s current behavior is matching the expected behavior
• Optional use of regular expressions in policy creation
• Leverage NCM data model elements within rules, including standard and extended device custom data fields
• Associate auto-remediation scripts with policy rules

Search for Policies and rules

Search for Compliance

Prioritize Compliance Rules

Flexible policy creation, search and usage


Software Image Management

Easy, intuitive UI to set up bulk image upgrades across the network

Image validation

Image recommendation

Auto download from Cisco.com

Roll back on failure

Notification of job

Intelligent Software upgrade recommendation and update

Software image recommendation


Security Management

Centralized patch management

Telnet/SSH Proxy
• Single sign-on
• Full session logging
• Centralized enforcement of privileges and approval policy

Advanced ACL management
• View & search current ACLs, historical ACLs and audit trails
• Persistent ACL comments & handles
• Batch ACL edits for rapid vulnerability response
• ACL Templates

Patching, lock-down & centralized ACL management

ACL Change History


Interface Management and Provisioning

The Challenge
• Need to configure multiple interfaces on multiple devices to enable a new feature/technology
  • E.g., all Vlan100 interfaces

NCM Solution
• Search for interfaces that match criteria
  • E.g., all interfaces configured down
• Push configuration on selected interfaces without the need for scripting

Bulk provisioning and management of interfaces

1. Search for interfaces based on detailed criteria
2. Select group of interfaces based on result of search
3. Deploy changes to interfaces easily with no scripting or regex required.


Advanced Workflow and Approvals

Model complex projects
• Combine automated and manual activities

Define custom approval policies
• Require approval based on user, activity and/or device affected
• Require approvals for manual or automated activities
• Grant permission for approval overrides
• Integrate with external workflow and process systems

Daily activity calendar
• Conflict alerts

Flexible reporting & notification
• Change reporting dashboard
• Email / other notifications

Close the change loop with real-time process enforcement

Change Approval Rules


Reporting

Report on device inventory
• By group, vendor, user

Change reporting
• Who changed what, why & when

Compliance reporting
• Regulatory compliance
• Corporate compliance
• NSA Router best practices

Network status reports
• Policy compliance at-a-glance
• Identify and address risk factors

Pre-defined and custom reports

Network Status Reports


End-of-Sale/End-of-Life Reports

Generate a report for Cisco devices that have reached End-of-Life and End-of-Sale status

EoX data automatically pulled from Cisco.com

Links to Cisco.com are provided for the EOL/EOS announcement

System can automatically mail users the report at scheduled times

The report can be saved for reference

Determine which Cisco devices need upgrading

EoS/EoL Report


Role-Based Access Control

Completely hide devices and device-related records when a user does not have permission

Role-based permissions cover all areas of NCM, including searches and reports.

[Diagram labels: Region 1, Region 2; Datacenter A, Datacenter B, Datacenter C, Datacenter D; roles: Datacenter A Operator, Region 1 Supervisor, Corporate Architect]

Control user actions through role-based permissions model


Summary


Summary

• Cisco provides enterprises with the broadest and most complete network configuration product portfolio in the industry
• With the introduction of CiscoWorks Network Compliance Manager (NCM), best-in-breed network compliance and NCCM are now fully included in this portfolio
  • highly scalable, multi-vendor offering for centralized network compliance management
  • sophisticated audit and compliance analysis functionality including out of the box audit capabilities for regulatory, corporate, IT, and technology policies such as SOX, VISA CISP, HIPAA, GLBA, ITIL, CobiT, COSO
  • CiscoWorks integration

NCM 1.3 is orderable and started shipping in December 2007

Cisco TAC support and Cisco Advanced Services are also available
