Network configuration compliance with our NCM tool

Our network configuration compliance feature, which is included in our network configuration management (NCM) tool, helps protect your networks from security threats that may arise from not adhering to industry standards and policies. It ensures that your network remains compliant with Cisco IOS, SOX, HIPAA, the PCI DSS, and any other customized policies.

What is network configuration compliance?

Network configuration compliance helps:

• Implement rules and policies to defend your network from potential threats.
• Ensure compliance with industry standards like Cisco IOS, SOX, HIPAA, the PCI DSS, or any other custom organizational policies.

Network administrators face a significant workload due to the increasing complexity of networks and the growing number of threats. Moreover, non-compliance with industry standards can lead to costly and risky consequences for organizations. Managing various network devices from different vendors is an overwhelming task; this is where our NCM tool helps.

The network configuration compliance feature in our NCM tool ensures network compliance by conducting compliance checks on backed-up device configurations. In the event of a rule or policy violation, network administrators are promptly alerted.

How it works

The NCM tool includes a set of rules, rule groups, and compliance policies that can be modified or added to by network administrators. These rules are essential for protecting the network. Rules are present in rule groups, and rule groups are present in compliance policies.

The NCM tool automatically backs up device configurations when a change is detected. To ensure compliance with network configurations, the NCM tool performs a compliance check and identifies non-compliance based on established policies that contain rule groups and rules. Accordingly, network administrators receive alerts based on their threshold settings. 

Compliance Dashboard

1. Log in to your Site24x7 account.
2. Navigate to Network > NCM > Compliance > Dashboard.
3. View violations according to:
   1. Policy in the Policies view.
   2. Devices in the Devices view.
   3. Compliance rules in the Rules view.
4. Click each record to view more details about the violation.
5. In the Policies view, click on a record and then click the device name to navigate to the device compliance page. 

Figure 1. Compliance dashboard

Adding a compliance rule

1. Navigate to Network > NCM > Compliance > Rules. You can view all the already available rules on the Compliance Rules page.
2. Click the Add Rule button in the top-right section of the page.
3. In the Add Compliance Rule pop-up, provide the following details:
   1. In the Display Name field, provide a name to identify the rule.
   2. Enter an appropriate Description.
   3. For Criteria, toggle to select between Simple, Advanced, and Custom as needed.
      1. Simple Criteria: Single pattern check allowed.
      2. Advanced Criteria: Multiple pattern checks allowed.
      3. Custom Criteria: Multiple pattern checks allowed within a single configuration block that start and end based on user-defined conditions.
   4. In the Configuration File field, select one of these options from the drop-down: should contain all lines, should not contain any line, should contain exact set, or should not contain exact set. Also select the number of time(s) the configuration file should be checked for a pattern that you will be entering in the next field.
   5. In the Pattern field, enter the value that should be checked.
      
      Figure 2. Adding a compliance rule with a Simple Criteria.
      In the example shown in Figure 2, the configuration file will be scanned for the pattern check. If it is present only once, then the rule is not violated. Otherwise, this rule is violated.
   6. If you select Advanced Criteria, provide the following details:
      1. In the Condition field, select one of these options from the drop-down: should contain or should not contain.
      2. For Pattern, provide the value that should be checked in the configuration file.
      3. Enter the number of times the pattern should be checked in the Time(s) field. 
      4. Click the plus + icon beside the Time(s) field to add more rows.
         
         Figure 3. Adding a compliance rule with an Advanced Criteria.
         In the example shown in Figure 3, the rule will be violated only if both conditions are not satisfied.
   7. If you select Custom Criteria, provide the following details:
      1. Provide a value in the Configuration Block Start and Configuration Block End fields to check for a value within a block in the configuration file.
      2. Provide additional criteria to be checked in the Configuration Block field. Select an option between should contain and should not contain in the drop-down. Then, provide the value that should be present within the block in the empty field beside the drop-down.
      3. Next, provide the pattern that must be checked within the block. This is similar to the steps provided in Advanced Criteria.
         
         Figure 4. Adding a compliance rule with a Custom Criteria.
         According to the given example in Figure 4, if a configuration file has a block that starts with check and ends with end, and includes the element date, it will be examined for the patterns utc (occurring any number of times) and GMT-4 (occurring once). If these conditions are present, a Critical alert will be produced for the rule.
   8. For Severity, toggle to select an option between Critical, Major, and Warning.
4. Click Save.

Modifying a compliance rule

1. Navigate to Network > NCM > Compliance > Rules.
2. Then, click the pencil icon beside the rule that you wish to edit (Figure 5, marked as 1).
   
   Figure 5. Editing a compliance rule.
3. You can also click a compliance rule to view more details about it and click Edit Rule at the bottom-left of the Compliance Rule pop-up.
   
   Figure 6. View details about a compliance rule.
4. This will open the Edit Compliance Rule pop-up (Figure 7).
   
   Figure 7. Edit Compliance Rule pop-up.
5. Edit the fields as required, and then click Save at the bottom-left section of the pop-up.
6. To delete a rule, click the trash icon beside a rule (Figure 5, marked as 2) on the Compliance Rules screen.
   
   

   A rule can be deleted only if it is not associated with any rule group.
7. In the dialog box to verify if you wish to delete, click Delete. 

Adding a compliance rule group

1. Navigate to Network > NCM > Compliance > Rule Groups.
2. Click the Add Rule Group button in the top-right section of the Compliance Rule Groups screen.
   
   Figure 8. Compliance Rule Groups screen. 
3. In the Add Compliance Rule Group pop-up, provide the following details:
   1. Enter a Display Name to identify the rule group.
   2. Then, provide a Description to describe it.
   3. Next, in the Select Rules section, select all the rules that should be added to the rule group. Then, click Save (Figure 9).
      
      Figure 9. Adding a compliance rule group.

Modifying or deleting a compliance rule group

1. Navigate to Network > NCM > Compliance > Rule Groups.
2. Click the pencil  icon beside a compliance rule group to edit the record (Figure 10, marked as 1).
   
   Figure 10. Editing a compliance rule group. 
3. You can also click anywhere on the row to view more details about the compliance rule group, and then click Edit Rule Group at the bottom-left of the pop-up.
   
   Figure 11. Editing a compliance rule group. 
4. On the Edit Compliance Rule Group pop-up, modify the details as required, and select or deselect rules in the Select Rules section.
   
   Figure 12. Edit Compliance Rule Group pop-up. 
5. Once you have completed all the changes, click Save.
6. To delete a rule group, click the trash  icon beside a rule group (Figure 10, marked as 2) on the Compliance Rule Groups screen.
   
   

   A rule group can be deleted only if it is not associated with any policy.
7. In the dialog box to verify if you wish to delete, click Delete. 

Adding a compliance policy

1. Navigate to Network > NCM > Compliance > Policies.
2. Click Add Policy in the top-right section of the Compliance Policies screen (Figure 13, marked as 1).
   
   Figure 13. Adding a compliance policy. 
3. On the Add Compliance Policy screen, provide the following details:
   1. Enter a Display Name to identify the compliance policy.
   2. Then, provide a Description to describe it.
   3. Toggle between Startup or Running to select one Configuration Type.
   4. Toggle between Any rule in this policy is violated and Only if a Critical or Major rule in this policy is violated in the Policy Violation Criteria field.
   5. If you wish to add rules, click the Rules tab.
      1. Add a new rule by clicking the Add Rule button (Figure 14, marked as 1).
         This will take you to the Adding a compliance rule pop-up. Once you save the rule, it will be added to the compliance policy.
         
         Figure 14. Add Compliance Policy screen.
      2. You can also associate an existing rule by clicking Associate Rules (Figure 14, marked as 2). Once you do that, the Associate Rules pop-up window will open where you can select the rules to be added to a Default Rule Group. Then, click Save (Figure 15).
         
         Figure 15. Adding rules to a compliance policy.
   6. If you wish to add a rule group, click the Rule Groups tab.
      
      Figure 16. Adding rule groups to a compliance policy.
      1. Click Add Rule Group to add a new rule group (Figure 16, marked as 1). Provide details in the Adding a compliance rule group pop-up, and then click Save.
      2. To associate one or more existing rule groups to the compliance policy, click Associate Rule Group (Figure 16, marked as 2), and select the desired rule groups in the pop-up window (Figure 17).
         
         Figure 17. Associating a rule group to a compliance policy. 
   7. Once you've added all the details, click Save Policy in the top-right section of the screen (Figure 18, marked as 1). 
      
      Figure 18. Saving and associating a new compliance policy. 
   8. Click Save and Associate to associate the policy to an NCM device (Figure 18, marked as 2). In the Associate Devices pop-up (Figure 19), select the devices to which you wish to associate this policy, and then click Save.
      
      Figure 19. Associating devices to a new compliance policy. 

Associating devices with a compliance policy

1. Navigate to Network > NCM > Compliance > Compliance Policies.
2. Click Associate beside the compliance policy which you wish to associate to a device (Figure 13, marked as 2).
3. You can also click a record to view more details and click Associate Devices in the top-right of the screen (Figure 20, marked as 1).
   
   Figure 20. Associating devices to a compliance policy. 
4. In the Associate Devices pop-up (Figure 19), select the devices to which you wish to associate this policy, and then click Save.

Bulk-associating devices with a compliance policy

1. Navigate to Network > NCM > NCM Compliance > Compliance Policies.
2. Click Bulk Associate in the top-right section of the Compliance Policies screen (Figure 13, marked as 3).
3. In the Associate Devices pop-up (Figure 21), provide the following details:
   1. In the Policies drop-down, select all the compliance policies you wish to associate to devices.
   2. Next, in the Device(s) field, select all the devices which you wish to associate to the policies selected in the previous step. Then, click Save.
      
      Figure 21. Associating devices to compliance policies. 

Modifying or deleting a compliance policy

1. Navigate to Network > NCM > Compliance > Compliance Policies.
2. Then, click the pencil  icon beside the rule that you wish to edit (Figure 13, marked as 4).
3. You can also click a record to view more details and click Edit Policy in the top-right of the screen (Figure 20, marked as 2).
4. Modify as needed. You can also perform operations like adding a rule, associating rules, adding a rule group, and associating a rule group as specified in the Adding a compliance policy section of this help document.
5. In the top-right section of the screen, click Save Policy to save the changes, or click Save and Associate to associate the compliance policy to one or more devices (Figure 22).
6. To delete a compliance policy, click the trash  icon beside it (Figure 13, marked as 5) on the Compliance Policy screen.
   
   

   A compliance policy can be deleted only if it is not associated with any devices. If there is a default rule group while deleting, only the rule group will be deleted. The rules present in the rule group will remain untouched.
7. In the dialog box to verify if you wish to delete, click Delete.
   
   Figure 22. Editing a compliance policy. 

NCM device compliance

Verify if an already added NCM device satisfies the compliance policies and rules. You can also associate compliance policies to an existing NCM device from the Edit NCM Device screen.

Compliance status

1. Navigate to Network > NCM > NCM Devices. Then, select the required device.
2. Click the Compliance tab.
3. View Name, Policy Status, Rules Status, and Last Checked details to understand if a device has violated a policy or not and to verify how many rules have been met (Figure 23).
   
   Figure 23. Compliance details of an NCM device. 

Associating compliance policies to an NCM device

1. Navigate to Network > NCM > NCM Devices. Then, select the required device.
2. Click the hamburger icon to view options. Then, click Edit. You can also click a device, click the hamburger  icon beside the monitor name in the monitor summary page, and then click Edit.
3. On the Edit NCM Device screen, scroll to the Compliance section.
4. In the Compliance drop-down, select all the policies you wish to associate to the device. Then, click Done.
5. Click Save in the top-right section of the screen to save the changes.
   
   Figure 24. Associating compliance policies to an NCM device. 

Related articles

• Network Configuration Manager
• Firmware Vulnerability Management using NCM