Managing Configs with Prime 3.1

dxm (Level 1)

I would like to begin using Prime to manage switch and router configurations across our enterprise.

My concern is with security. 

The way I understand it is that I must supply Prime with r/w credentials to all of my network devices.

My concern is that once I do this - anyone who gains access to Prime owns my network. This doesn't seem safe.

Of course access to Prime will be limited but I'm worried about those accounts being compromised.

Of course, accounts being compromised would be bad without Prime in the equation but that one portal into the whole network would make it really easy for a bad actor to do damage quickly. 

I've asked Cisco (both my SE and TAC) for best practices for this and all they have come up with is the official documentation.

I'm looking for real world use cases. 

Is anyone using Prime to manage their infrastructure this way? If so do you have any advice on managing credentials used to control your devices?

Such as:

1. Do you use SNMP or CLI credentials?

2. Do you use local accounts or TACACS accounts?

3. What precautions do you take to minimize risk?

Thank you!

2 Replies

pieterh (VIP)

Of course, anything depends on authorization.
Of course, if you want Prime to be able to change the configs, anyone with privileged access to Prime can use it.
But Prime knows "roles" which limit users in accessing menus and so make some hierarchy in administrators possible

(read-only, monitor-only, etc.)
These roles can be expanded even further when using a TACACS+ server.

I recall (never used) Prime also knows "workflows", so a change can be prepared by one user but needs to be validated by another user before it's executed/applied.

You can tighten authentication (not authorization) by using 2FA (two-factor authentication): you'll need something "extra" besides user/password (like a digital certificate or an RSA token) to log in to Prime.


We've recently implemented MFA. I'll definitely set that up. Thanks for the info!
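The thread covers the Prime-side controls (roles, TACACS+-backed Prime accounts, workflows, 2FA). What it does not show is the device side of the original questions 1 to 3: what the switches and routers themselves should accept from the credentials handed to Prime. The Cisco IOS configuration below is an added example written for this page; it is not from the original post, from Cisco's documentation, or from Prime itself. The TACACS+ server 10.0.0.5, the Prime server 10.0.0.10, the syslog host 10.0.0.20, the names ISE1, ISE-TACACS, MGMT-HOSTS, PRIME-RO and PRIME-RO-VIEW, and every CHANGEME secret are assumed values. It authenticates the account Prime uses against TACACS+ rather than the local database (keeping a local break-glass account only for when the TACACS+ servers are unreachable), lets the TACACS+ server authorize and account for each command that account runs, restricts SSH and SNMP sources to the Prime server's address, uses SNMPv3 with a read-only view for monitoring, and logs every configuration change with the username that made it.

```cisco
! Added example, not from the thread. Assumed values: TACACS+ server 10.0.0.5,
! Prime server 10.0.0.10, syslog host 10.0.0.20, the ACL/group/view names
! below, and CHANGEME placeholders in place of real secrets.
!
! --- Authentication and authorization via TACACS+ (question 2: TACACS, not local) ---
aaa new-model
tacacs server ISE1
 address ipv4 10.0.0.5
 key CHANGEME-tacacs-shared-secret
aaa group server tacacs+ ISE-TACACS
 server name ISE1
! Fall back to the local database only when no TACACS+ server answers.
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local
! Per-command authorization: the TACACS+ server decides which commands the
! Prime service account may run, so its privileges are scoped server-side.
aaa authorization commands 15 default group ISE-TACACS local
! Accounting: every session and level-15 command is attributed to a username.
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
! Break-glass local account, usable only while TACACS+ is unreachable.
! (algorithm-type scrypt needs IOS 15.3(3)M or later; older images use "secret" alone.)
username break-glass privilege 15 algorithm-type scrypt secret CHANGEME-local-secret
!
! --- Limit where management sessions may come from (question 3) ---
ip access-list standard MGMT-HOSTS
 permit host 10.0.0.10
 deny   any log
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
!
! --- SNMP: v3 only, read-only view, bound to the management ACL (question 1) ---
snmp-server view PRIME-RO-VIEW iso included
snmp-server group PRIME-RO v3 priv read PRIME-RO-VIEW access MGMT-HOSTS
snmp-server user prime-ro PRIME-RO v3 auth sha CHANGEME-auth-pass priv aes 128 CHANGEME-priv-pass access MGMT-HOSTS
!
! --- Audit trail: log each configuration change with the user who made it ---
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
logging host 10.0.0.20
```

With this in place the credential Prime holds is a TACACS+ account whose command set is defined on the TACACS+ server, so it can be narrowed to the commands Prime actually needs rather than being a blanket privilege-15 login; the SNMPv3 user can only read, so a stolen SNMP credential yields inventory but not configuration changes; and both credentials are only accepted from the Prime server's address, so a credential lifted from Prime is not usable from an attacker's own host. None of this removes the risk the original post describes (a compromised Prime login still acts as Prime), but it narrows what that login can do and leaves a per-command record on the TACACS+ and syslog servers.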