07-16-2020 08:16 AM
I would like to begin using Prime to manage switch and router configurations across our enterprise.
My concern is with security.
The way I understand it is that I must supply Prime with r/w credentials to all of my network devices.
My concern is that once I do this, anyone who gains access to Prime owns my network. This doesn't seem safe.
Of course access to Prime will be limited but I'm worried about those accounts being compromised.
Of course, accounts being compromised would be bad without Prime in the equation but that one portal into the whole network would make it really easy for a bad actor to do damage quickly.
I've asked Cisco (both my SE and TAC) for best practices for this and all they have come up with is the official documentation.
I'm looking for real world use cases.
Is anyone using Prime to manage their infrastructure this way? If so do you have any advice on managing credentials used to control your devices?
Such as:
1. Do you use SNMP or CLI credentials?
2. Do you use local accounts or TACACS accounts?
3. What precautions do you take to minimize risk?
Thank you!
07-17-2020 06:25 AM
Of course, anything depends on authorization.
Of course, if you want Prime to be able to change the configs, anyone with privileged access to Prime can use it.
But Prime knows "roles" which limit users in accessing menus and so make some hierarchy in administrators possible
(read-only, monitor-only, etc.).
These roles can be expanded even further when using a TACACS+ server.
I recall (never used) Prime also knows "workflows", so a change can be prepared by one user but needs to be validated by another user before it's executed/applied.
You can tighten authentication (not authorization) by using 2FA (two-factor authentication): you'll need something "extra" besides user/password (like a digital certificate or an RSA token) to log in to Prime.
07-20-2020 07:06 AM