Cisco IOS policy-based routing is a process of ensuring that your Cisco devices comply with industry standards to keep your network secure. Organizations generally use Cisco devices for their network's perimeter defense, but certain factory-default device settings and frequent changes to device configurations can leave the network vulnerable to attacks.
Vulnerabilities like these can be fixed by adhering to the Cisco IOS policy. By running frequent compliance checks and fixing policy violations in Network Configuration Manager, you can achieve complete network compliance.
With the following features, Network Configuration Manager ensures crucial security parameters are enforced on all Cisco devices.
The user activity log in Network Configuration Manager provides you with information about who made what configuration changes and when. You can check if syslog servers have been enabled with compliance checks. Syslog messages are sent to the syslog server every time a user logs out of a device; these messages help track user activity and can also trigger configuration backups.
If passwords aren't encrypted, attackers can easily gain access to the network. You can check whether passwords are encrypted, and if encryption hasn't been enabled, you can encrypt the passwords using Network Configuration Manager.
NetFlow has to be enabled in a device for it to be able to export bandwidth and traffic data for analysis. With compliance checks, you can monitor whether NetFlow has been enabled. If it's disabled, Network Configuration Manager has the option to enable it by executing configlets. Once enabled, NetFlow data can be exported to a NetFlow analyzer tool.
An SNMP public community string could make the device data accessible to all users. Compliance tests run through all the device configurations and identify such strings. These strings can then be removed to fix the vulnerability.
Users must be automatically logged out of devices after a certain period of inactivity for security reasons. Console timeouts have to be configured to set the maximum period of inactivity before the user is logged out. Network Configuration Manager checks whether console timeouts are enabled. If disabled, you can fix the issue and set timeout periods using configlets.
Compliance reports are generated after every manual or automated compliance check. Using compliance reports, you can get detailed information about the rules that have been violated by each device or device group. The report also shows you the severity of violations based on preset criteria; these violations can be remediated using configlets in Network Configuration Manager.
Configlets are executable configuration templates that can be used to automate network operations. Each rule can be associated with a remediation configlet in Network Configuration Manager. Once violations have been reported, remediation configlets can be executed to fix these violations in order to achieve complete policy compliance.
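As an added example (not code from Network Configuration Manager or from the original page), the script below applies the checks described above to a constructed Cisco IOS running-config and maps each violated rule to a remediation configlet, the way a rule-to-configlet association works. The severity labels and the angle-bracket placeholders for site-specific addresses are assumptions.

```python
import re

# Constructed sample Cisco IOS running-config with several weak settings (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
no service password-encryption
username admin password 0 Secr3tPlain
logging host 10.0.0.5
snmp-server community public RO
line con 0
 exec-timeout 0 0
line vty 0 4
 exec-timeout 10 0
"""

def console_timeout_disabled(cfg):
    """True when 'line con 0' carries 'exec-timeout 0 0' (never time out). A missing
    exec-timeout line is compliant: IOS then applies its 10-minute default."""
    m = re.search(r"^line con 0\n((?: .*\n)*)", cfg, re.M)
    t = m and re.search(r"^ exec-timeout (\d+)(?: (\d+))?", m.group(1), re.M)
    return bool(t) and int(t.group(1)) == 0 and int(t.group(2) or 0) == 0

# Rule name, assumed severity, test returning True when violated, remediation configlet lines.
# Values in angle brackets are placeholders for site-specific addresses.
RULES = [
    ("Syslog server configured", "high",
     lambda c: not re.search(r"^logging (?:host )?\d+\.\d+\.\d+\.\d+", c, re.M),
     ["logging host <SYSLOG_SERVER_IP>"]),
    ("Password encryption enabled", "critical",
     lambda c: bool(re.search(r"^no service password-encryption|^username \S+ password 0 ", c, re.M)),
     ["service password-encryption"]),
    ("NetFlow export configured", "medium",
     lambda c: not re.search(r"^ip flow-export destination ", c, re.M),
     ["ip flow-export destination <COLLECTOR_IP> 2055"]),
    ("No default SNMP community strings", "critical",
     lambda c: bool(re.search(r"^snmp-server community (?:public|private)\b", c, re.M)),
     ["no snmp-server community public", "no snmp-server community private"]),
    ("Console exec-timeout set", "high", console_timeout_disabled,
     ["line con 0", " exec-timeout 10 0"]),
]

def check_compliance(cfg):
    """Return [(rule, severity, remediation lines)] for every rule the config violates."""
    return [(name, sev, fix) for name, sev, violated, fix in RULES if violated(cfg)]

def remediation_configlet(cfg):
    """Flatten the remediation lines of all violations into one configlet to push to the device."""
    return [line for _, _, fix in check_compliance(cfg) for line in fix]
```

Running `check_compliance(SAMPLE_CONFIG)` reports four violations (the syslog rule passes because a logging host is present), and `remediation_configlet` yields the six configuration lines that would fix them.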