© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential. CiscoWorks Network Compliance Manager
CiscoWorks Network Compliance Manager
Technical Overview
Ng Tock Hiong
Systems Engineering
Agenda
• Introduction
• Product Overview
• Features & Functions
• GUI and Screen Shots
• Usage and Deployment Scenarios
• Summary
Introduction to CWNCM
Today’s IT Concerns
• expertise: high productivity requirements, scarce expertise
• growth: new services, critical business applications
• compliance: regulatory standards, corporate/IT policies, technology rules
• complexity: global networks, network applications, web services
Increasing challenges
• 90% of IT initiatives are delivered late
• 80% of IT budget is spent on maintenance & operations
Fully automated network configuration and change management (NCCM)
Roles: Tools Manager, Network Architect, Network Manager, Security Engineers, Network Engineers, NOC Operators, IT Staff, Auditor, Manager, Director
• Automate complex network management tasks through multi-threaded event-driven automation engine
• Control and standardize across infrastructure in a central, secure location
• Track all activity down to the very operator keystrokes
• Prevent errors & enforce process through centralized point of control
Diagram labels: Network Management Tools, Network
Product Overview
CiscoWorks Network Compliance Manager (NCM)
A highly scalable, multi-vendor offering for centralized network compliance management
Best-in-breed Network Configuration and Change Management (NCCM)
• real-time change detection
• pre-deployment validation
• policy enforcement
Sophisticated Audit and Compliance Analysis
• set policy to track compliance
• automated generation of compliance reports (SOX, VISA CISP, HIPAA, GLBA, ITIL, CobiT, COSO)
Advanced Workflows
• model complex projects
• define custom approval policies
Extensive Reporting
• network status
• compliance
CiscoWorks NCM
Functional Overview
Change & Configuration Management
• Device provisioning
• Configuration
• Scripting
• OS image updates
Audit & Compliance
• Network audits
• Best practices enforcement
• SOX, VISA CISP, HIPAA, GLBA, ITIL, CobiT, COSO
Reporting
• Network compliance
• Deployed assets
• Change history
Workflows & Approvals
• Sequencing
• Scheduling
• Process model
• Change approvals
Automated Discovery & Inventory Import
• Individual devices (e.g., from CiscoWorks DCR)
• Network topology
• Detailed asset inventory
• OS images
Diagram labels: Policy-Based or Ad Hoc; Integration Connectors; Central Data Repository; Member of Federated CMDB; Other Network Management Systems; CiscoWorks or 3rd party applications; CiscoWorks Network Compliance Manager; Network
CiscoWorks NCM
Architectural Overview
Compliance & Best Practices Enforcement
Automation & Provisioning
Network Configuration & Change Management (NCCM)
Network Lockdown & Vulnerability Management
Management Engine
API
GUI
Reporting (compliance, change, visibility)
Telnet/SSH Proxy
Routers, Switches, Firewalls, Load Balancers, Access Points (Cisco and 35 other vendors)
Features & Functions
CiscoWorks NCM
Features & Benefits - 1
Key Features and their Benefits
Network discovery & inventory import
• Elimination of manual administration of devices
Network diagram
• Easy visualization of topology
• Facilitation of troubleshooting
Configuration & change management
• Maximized uptime
• Easy audit of configuration changes
Audit & compliance management
• Easy modeling of regulatory, corporate, IT, technology policies
• Visibility into network’s compliance with policies
• Identification of critical risks and violations
• Prioritized triage of compliance violations
CiscoWorks NCM
Features & Benefits - 2
Key Features and their Benefits
Integration with CiscoWorks applications
• Easy cross launch of CiscoWorks NCM and CiscoWorks LMS
• Consistent network database via Device Credential Repository (DCR)
• Combination of network configuration, change, compliance, Cisco IOS/CatOS image management
Security management
• Role-based access control and lock down
• Centralized ACL management
Advanced workflow and approvals
• Close the change loop with real-time process enforcement
Multivendor support
• Thousands of device models/versions supported out of the box across Cisco and 35 other vendors
• Object-oriented driver architecture enables rapid driver development
• Frequent driver releases
CiscoWorks NCM
High Availability Features
Active/Active Management via High Availability Database Replication
Key Elements
• Core
• HA
• Satellite
Key Attributes
• Secure, scalable
• No single point of failure
• Remotely manage any device—including duplicate addressed networks
NCM HA
• Real-time synchronization between all NCM cores
• Enables remote management, disaster recovery and global visibility
• Replicated database, software, user directory & routes commands to correct locations
NCM Satellite
• Management of remote offices & duplicate IP addressed space
• Meshed to work around network failures
Diagram labels: Remote Office, CWNCM Core, NCM Core, Managed Network
CiscoWorks NCM
Extensive, Multi-Vendor Device Support
Supports over 500 device models across Cisco and other vendors
NCM Alert Center
What is it?
New, optional subscription service that provides NCM users with ongoing updates of security alerts and automation packs
Benefits:
• Security Alerts – vendor security alerts translated into NCM software policies
• Shared Product Extensions – leverage scripts, packages and policies
• Functionality Updates – new capabilities available outside the release cycle
NCM Alert Center – Security Alerts
Automatically downloads and continuously updates Network Vulnerability Alerts
Based on industry-leading alert service
NCM translates alerts into Software Compliance Policies
NCM server securely downloads new alerts (approx. 3-5 per week)
Users can review and activate desired policies in their environment
NCM Alert Center difference
Automated, reliable, and rapid remediation
Security Alert Service
Vulnerability Awareness: Automated delivery of vulnerability alerts
• The right people get alerted immediately and everyone has a consistent view of the vulnerabilities
Vulnerability Translation: Immediately actionable policies
• Vulnerability alerts come pre-translated and are immediately actionable
• Customers can easily choose which alerts to activate based on pre-attached risk levels
Identification & Remediation: Rapid identification and remediation
• Automatically identifies all vulnerable devices and provides an ‘at-a-glance’ dashboard view
• NCM will remediate all vulnerable devices concurrently
Ongoing Compliance: Automated alerts on any regression
• Immediately alerts when existing devices regress or new devices with known vulnerabilities are added to the network
GUI and Screen Shots
Diagram, Visualization & Troubleshooting
The Challenge
• Creating network diagrams is a labor-intensive process
• Diagrams are often out of date with the current state of the network, causing increased downtime and less effective troubleshooting
NCM Solution
• Applies deep network understanding to generate real-time, accurate topology diagrams
• Provides integrated server & network diagrams for complete picture of the IT infrastructure
Benefits
• Eliminate 99% of the time spent building diagrams
• Facilitates troubleshooting
• Allows server/network dependencies to be mapped
Annotate diagrams with configuration and asset information
Leverages deep network knowledge to create real-time topology diagrams
Layer 2 Modeling
The Challenge
• No visibility into network <-> server dependencies
• Armed with the MAC address of a server, users are unable to complete the puzzle
  • What is the IP address of the server?
  • Which network switch is that server attached to?
NCM Solution
• Capture and store L2 information for managed devices and attached nodes
• Calculate L2 topology from device configurations and diagnostics
• MAC – port – switch – interface – router mapping tool
Immediately locate the device & port where a MAC address is seen
Provides layer 2 networking intelligence in one central repository
VLAN Management
The Challenge
• Distributed VLANs cause complexity
  • Which switches participate in VLAN 101?
• Tracking servers to VLAN segments
  • Which servers are in Finance VLAN?
NCM Solution
• Instantly identify VLAN based on MAC/port/switch data
• Real-time VLAN reports
Provides VLAN networking intelligence in one central repository
Produce real-time reports of VLAN membership
Prioritized Triage of Compliance Violations
The Problem
• Compliance violations are not all created equal
• No way to filter and triage hundreds or thousands of compliance violations besides manual review
Prioritized Compliance Rules
• Each violation has a risk rating
• Automated triage based on risk ratings, such as:
  • Auto-remediate
  • Open new trouble ticket
  • Send email / page
  • Email daily summary
Prioritize Compliance Rules
Pushing the most critical violations to the forefront
Policy Rules Engine
• Configuration, Diagnostic and Software policy checks for “as-configured” and “as-running” analysis
• Intelligent policy analysis of whether the device’s current behavior is matching the expected behavior
• Optional use of regular expressions in policy creation
• Leverage NCM data model elements within rules, including standard and extended device custom data fields
• Associate auto-remediation scripts with policy rules
Search for Policies and rules
Search for Compliance
Prioritize Compliance Rules
Flexible policy creation, search and usage
Software Image Management
Easy, intuitive UI to set up bulk image upgrades across network
Image validation
Image recommendation
Auto download from Cisco.com
Roll back on failure
Notification of job
Intelligent Software upgrade recommendation and update
Software image recommendation
Security Management
Centralized patch management
Telnet/SSH Proxy
• Single sign-on
• Full session logging
• Centralized enforcement of privileges and approval policy
Advanced ACL management
• View & search current ACLs, historical ACLs and audit trails
• Persistent ACL comments & handles
• Batch ACL edits for rapid vulnerability response
• ACL Templates
Patching, lock-down & centralized ACL management
ACL Change History
Interface Management and Provisioning
Bulk provisioning and management of interfaces
The Challenge
• Need to configure multiple interfaces on multiple devices to enable a new feature/technology
  • E.g., all Vlan100 interfaces
NCM Solution
• Search for interfaces that match given criteria
  • E.g., all interfaces configured down
• Push configuration on selected interfaces without the need for scripting
1. Search for interfaces based on detailed criteria
2. Select group of interfaces based on result of search
3. Deploy changes to interfaces easily with no scripting or regex required.
Advanced Workflow and Approvals
Model complex projects
• Combine automated and manual activities
Define custom approval policies
• Require approval based on user, activity and/or device affected
• Require approvals for manual or automated activities
• Grant permission for approval overrides
• Integrate with external workflow and process systems
Daily activity calendar
Conflict alerts
Flexible reporting & notification
Change reporting dashboard
Email / other notifications
Close the change loop with real-time process enforcement
Change Approval Rules
Reporting
Report on device inventory
• By group, vendor, user
Change reporting
• Who changed what, why & when
Compliance reporting
• Regulatory compliance
• Corporate compliance
• NSA Router best practices
Network status reports
• Policy compliance at-a-glance
• Identify and address risk factors
Pre-defined and custom reports
Network Status Reports
End-of-Sale/End-of-Life Reports
Generate a report for Cisco devices that have reached End-of-Life and End-of-Sale status
EoX data automatically pulled from Cisco.com
Links to Cisco.com are provided for the EOL/EOS announcement
System can automatically mail users the report at scheduled times
The report can be saved for reference
Determine which Cisco devices need upgrading
EoS/EoL Report
Role-Based Access Control
Completely hide devices and device-related records when a user does not have permission
Role-based permissions cover all areas of NCM including searches and reports.
Diagram labels:
• Regions: Region 1, Region 2
• Datacenters: Datacenter A, Datacenter B, Datacenter C, Datacenter D
• Roles: Datacenter A Operator, Region 1 Supervisor, Corporate Architect
Control user actions through role-based permissions model
Summary
• Cisco provides enterprises with the broadest and most complete network configuration product portfolio in the industry
• With the introduction of CiscoWorks Network Compliance Manager (NCM), best-in-breed network compliance and NCCM are now fully included in this portfolio
  • highly scalable, multi-vendor offering for centralized network compliance management
  • sophisticated audit and compliance analysis functionality including out of the box audit capabilities for regulatory, corporate, IT, and technology policies such as SOX, VISA CISP, HIPAA, GLBA, ITIL, CobiT, COSO
  • CiscoWorks integration
NCM 1.3 is orderable and started shipping in December 2007
Cisco TAC support and Cisco Advanced Services are also available