Cisco IOS policy-based routing is a process of ensuring that your Cisco devices comply with industry standards to keep your network secure. Organizations generally use Cisco devices for their network's perimeter defense. Certain factory-default settings, and frequent changes made to the configurations, can leave the devices and the network vulnerable to attacks. Such vulnerabilities can be fixed by adhering to the Cisco IOS policy. By running frequent compliance checks and fixing policy violations in Network Configuration Manager, you can achieve complete network compliance.
With the following features, Network Configuration Manager ensures that crucial security parameters are enforced on all Cisco devices.
The user activity log in Network Configuration Manager tells you who changed what, and when, in a device configuration. Compliance checks verify that syslog servers have been configured on the device. Syslog messages are sent to the syslog server every time a user logs out of a device; these messages help track user activity and also trigger configuration backups.
If passwords are stored unencrypted in the configuration, an attacker who obtains the configuration can use them to gain access to the network. With Network Configuration Manager, you can check whether passwords are encrypted. If encryption has not been enabled, you can enable it using Network Configuration Manager.
NetFlow has to be enabled on devices for them to export bandwidth and traffic data for analysis. Compliance checks verify that NetFlow has been enabled. If it is disabled, Network Configuration Manager can enable it by executing configlets. Once enabled, NetFlow data can be exported to a NetFlow analyzer tool.
An SNMP "public" community string makes the device data accessible to anyone who can reach the device. Compliance tests run through all the device configurations and identify such strings. These strings can then be removed to fix the vulnerability.
For security reasons, users must be logged out of devices automatically after a certain period of inactivity. Console timeouts have to be configured to set the maximum period of inactivity before the user is logged out. Network Configuration Manager checks that the console timeout is enabled. If it is disabled, you can fix the issue and set the timeout period using configlets.
Compliance reports are generated after every manual or automated compliance check. The compliance reports give you detailed information about the rules that have been violated by each device or device group. The report also shows the severity of each violation based on preset criteria. These violations can be remediated using configlets in Network Configuration Manager. Configlets are executable configuration templates that can be used to automate network operations. Each rule can be associated with a remediation configlet in Network Configuration Manager. Once violations have been reported, the remediation configlets can be executed to fix them and achieve complete policy compliance.
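The five checks described above (syslog server, password encryption, NetFlow, public SNMP community, console timeout) and the rule-to-configlet pairing of the compliance report can be expressed as a small rule engine over a running-config. The following Python script is an added illustration written for this page; it is not Network Configuration Manager's code and makes no use of its API. The rule names, severities and remediation lines are my own assumptions, values in angle brackets are placeholders for site-specific settings, and the two sample configurations are constructed for the example rather than taken from any real device.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# A block is a top-level IOS command plus its indented child lines
# (e.g. "line con 0" with " exec-timeout 0 0" beneath it).
Block = Tuple[str, List[str]]


def config_blocks(cfg: str) -> List[Block]:
    """Split an IOS running-config into (command, [child lines]) blocks."""
    blocks: List[Block] = []
    header, children = None, []
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # skip blank lines and "!" separators
        if line.startswith(" "):
            children.append(line.strip())
        else:
            if header is not None:
                blocks.append((header, children))
            header, children = line.strip(), []
    if header is not None:
        blocks.append((header, children))
    return blocks


# --- individual checks: each returns True when the config is compliant ---

def syslog_enabled(blocks: List[Block]) -> bool:
    return any(re.match(r"logging (host\s+)?\d+\.\d+\.\d+\.\d+", h) for h, _ in blocks)


def passwords_encrypted(blocks: List[Block]) -> bool:
    return any(h == "service password-encryption" for h, _ in blocks)


def netflow_enabled(blocks: List[Block]) -> bool:
    # Compliant only if an exporter is defined AND at least one interface collects flows.
    exporter = any(h.startswith(("ip flow-export destination", "flow exporter")) for h, _ in blocks)
    collecting = any(c.startswith(("ip flow ingress", "ip flow egress", "ip flow monitor"))
                     for _, kids in blocks for c in kids)
    return exporter and collecting


def no_public_community(blocks: List[Block]) -> bool:
    return not any(re.match(r"snmp-server community public\b", h, re.I) for h, _ in blocks)


def console_timeout_set(blocks: List[Block]) -> bool:
    # "exec-timeout 0 0" disables the timeout; a missing line is treated as
    # non-compliant because the policy wants an explicit non-zero value.
    for h, kids in blocks:
        if h == "line con 0":
            for c in kids:
                m = re.match(r"exec-timeout (\d+)(?: (\d+))?", c)
                if m:
                    mins, secs = int(m.group(1)), int(m.group(2) or 0)
                    return mins > 0 or secs > 0
    return False


@dataclass
class Rule:
    name: str
    severity: str                           # assumed preset criteria: high/medium/low
    check: Callable[[List[Block]], bool]
    remediation: List[str]                  # configlet lines; <...> are placeholders


RULES = [
    Rule("syslog-server-configured", "medium", syslog_enabled, ["logging host <SYSLOG_SERVER_IP>"]),
    Rule("password-encryption", "high", passwords_encrypted, ["service password-encryption"]),
    Rule("netflow-export", "low", netflow_enabled,
         ["ip flow-export destination <COLLECTOR_IP> 2055", "interface <WAN_INTERFACE>", " ip flow ingress"]),
    Rule("no-public-snmp-community", "high", no_public_community, ["no snmp-server community public"]),
    Rule("console-exec-timeout", "medium", console_timeout_set, ["line con 0", " exec-timeout 10 0"]),
]


def run_compliance(cfg: str) -> List[Rule]:
    """Return the rules the given running-config violates."""
    blocks = config_blocks(cfg)
    return [r for r in RULES if not r.check(blocks)]


def remediation_configlet(violations: List[Rule]) -> str:
    """Concatenate the remediation configlets for the reported violations."""
    lines: List[str] = []
    for v in violations:
        lines.append(f"! {v.name} [{v.severity}]")
        lines.extend(v.remediation)
    return "\n".join(lines)


# Constructed sample: a non-compliant edge router config.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
enable password cisco123
username admin password 0 admin123
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
snmp-server community public RO
snmp-server community s3cr3t RW
!
line con 0
 exec-timeout 0 0
line vty 0 4
 login local
!
end
"""

# Constructed sample: the same device after remediation.
COMPLIANT_CONFIG = """\
hostname edge-rtr-2
service password-encryption
logging host 198.51.100.10
ip flow-export destination 198.51.100.20 2055
interface GigabitEthernet0/0
 ip flow ingress
snmp-server community s3cr3t RO
line con 0
 exec-timeout 10 0
"""

if __name__ == "__main__":
    for v in run_compliance(SAMPLE_CONFIG):
        print(f"VIOLATION {v.severity:6} {v.name}")
    print(remediation_configlet(run_compliance(SAMPLE_CONFIG)))
```

Run against SAMPLE_CONFIG, every rule is reported and the generated configlet lists the fix for each; run against COMPLIANT_CONFIG, no violations remain. A real deployment would replace the placeholders with site values before pushing the configlet, and would back up the running-config first so the change can be rolled back.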