In the referenced message, David Daley said:
<snip>
4) There isn't anything to track non sanctioned changes to the network
(i.e.: hacker induced re-configurations)
I would be really surprised if anything other than mom-and-pop shops
didn't have _at least_ this.
rtrmon or rancid can do great config archiving and provide difference
output.
:: I would be really surprised if anything other than mom-and-pop shops
:: didn't have _at least_ this.
::
:: rtrmon or rancid can do great config archiving and provide difference
:: output.
::
I don't think the issue is detecting change as much as it is associating
change to specific goals/tickets, etc.. If an ACL changes on a router,
rancid will pick it up, but right now there is no automated way to tell
whether that was as a result of a customer request or a security breach.
-jba
I didn't find anything that really suited my needs at the time (late
2000/early 2001), so I ended up writing my own archiver. From time to
time I've thought about adding it to the COSI-NMS project on Sourceforge,
but never gotten around to it. I've also other similar tools outside of
Sourceforce, such as Pancho (http://pancho.lunarmedia.net/).
I wrote the code behind mine to be fairly modular, so that adding a module
to back up a config from a new device is pretty easy. It currently backs
up these devices using either SNMP or Expect scripts for devices that
require it:
Cisco IOS <12.0
Cisco IOS >=12.0
Cisco CatOS
Cisco 5000 VPN concentrators (the Compatible Systems ones, not Altiga)
Cisco LocalDirectors
Lucent TAOS (Max TNTs)
Alteon WebOS (ACEdirectors)
Redback AOS
Nortel BayRS (Bay Networks nee Wellfleet) <-config is binary
other odds and ends as they come up, like Netopia routers, etc.
I haven't written anything to back up Junipers yet because I don't have
any to test against. Aside from the Nortel routers, I support versioning
on everything else.
Keep in mind this is only one piece of the puzzle - backing up what's
already out there. I intentionally left out the functionality to allow a
config to be uploaded to one of the devices above for reasons already
specified in this thread - it's just too dangerous. You can melt down a
whole network really quickly if you're not careful.
jms