Customized Automatic Collection

bparr
Cisco Employee

Require automatic collection, not 3rd party or import.  Security requires that management on the switches be accessed only via an SSH through a jump host.  Is there any way to write a script to customize the collection?


graham.kirtley
Level 1

Hi,

With increasing concerns and focus on network security by most network operators, such restrictions on accessing networks are becoming the norm.  The current abilities of the CSPC collector solution don't quite meet the demands of such operators; in fact I represent one such operator ;-)

Such security aspects can be categorised into two areas:

  1. Security/confidentiality of the information collected
  2. Network access security

For the first one, Information Security, assurance of this can be managed using the following:

  • Ensure that the collection profile is only collecting data for aspects that you want/need to upload to Cisco
  • If required, use the 'data privacy feature', which will replace hostnames and IP addresses with dummy data. See the app note 'data-privacy-feature-application-note'.

Now in the case of the second one, Network Security, this directly relates to the issue you have, in that 'security' requires separation between the collector and the network.

There are workarounds to the current constraints of the collector: it can only poll/communicate with the devices itself directly (it needs to be a trusted entity within the network; it won't accept data via 3rd-party collection), and for automatic upload it needs to have connectivity to the internet (albeit via an optional proxy).

WRT accessing the devices, accessing them via SSH isn't (IMO) preferable over RO rights using SNMPv3.

So if we have the collector in the trusted zone of the network, how do we maintain separation between the network and the internet, if uploading via a proxy is not deemed acceptable by security teams?

Well, one way is to upload via an intermediate device in a demarcation zone (DMZ) and then from there to Cisco. To do this you configure the collection upload job to 'file system', so the inventory archive is created on the local machine. This can be transferred (via SCP using shared keys) to the first host in the DMZ (there may be a 2nd transfer to another 'internet facing' DMZ host). Then the archive can be uploaded to Cisco; to do this, take a look at the entitlement package that you will have for the collector. If you are familiar with PKI and X.509 certificates then it should be straightforward to figure out how, as I'll not be posting up the details here. ;-)

Rgds,

Graham
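As an added example (not part of Graham's reply, and not Cisco or CSPC tooling), a small POSIX shell relay for the 'file system' upload step described above: it writes a SHA-256 manifest beside the inventory archive and pushes both to the first DMZ host over SCP with a pinned host key, so the DMZ side can verify the archive before forwarding it. The DMZ host, relay user, key path and directory names are assumed values.

```shell
#!/bin/sh
# Added example: relay a CSPC inventory archive (written by a 'file system'
# upload job) to a DMZ host over key-based SCP, with an integrity manifest.
# All host/user/path values below are assumptions for illustration.
set -eu

DMZ_HOST="${DMZ_HOST:-dmz-relay.example.internal}"                 # assumed
DMZ_USER="${DMZ_USER:-cspc-relay}"                                 # assumed
SSH_KEY="${SSH_KEY:-/home/collector/.ssh/cspc_relay_ed25519}"      # assumed
KNOWN_HOSTS="${KNOWN_HOSTS:-/home/collector/.ssh/dmz_known_hosts}" # assumed

# Write a SHA-256 manifest next to the archive and print the manifest path.
# The digest is computed from inside the archive's directory so the manifest
# holds a bare filename and verifies from any location on the receiving side.
make_manifest() {
    archive="$1"
    manifest="${archive}.sha256"
    ( cd "$(dirname "$archive")" && sha256sum "$(basename "$archive")" ) > "$manifest"
    printf '%s\n' "$manifest"
}

# Verify an archive against its manifest (intended to run on the DMZ host
# before the second hop). Returns 0 when the digest matches, non-zero otherwise.
verify_manifest() {
    archive="$1"
    manifest="${archive}.sha256"
    ( cd "$(dirname "$archive")" && sha256sum -c --status "$(basename "$manifest")" )
}

# Push archive and manifest to the DMZ host. StrictHostKeyChecking=yes plus a
# dedicated known_hosts file means an unexpected host key is refused outright
# instead of being prompted through, and IdentitiesOnly stops the client from
# offering unrelated keys from an agent.
relay_archive() {
    archive="$1"
    manifest="$(make_manifest "$archive")"
    scp -i "$SSH_KEY" \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$KNOWN_HOSTS" \
        -o IdentitiesOnly=yes \
        "$archive" "$manifest" "${DMZ_USER}@${DMZ_HOST}:incoming/"
}

# Usage: relay.sh /path/to/inventory-archive.zip
if [ "${1:-}" != "" ]; then
    relay_archive "$1"
fi
```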