Cykor has been assisting department of defense (dod) agencies with disa security technical implementation guide (stig) deployments for their network equipment since being founded. As the practice has matured, cykor has been automating this effort with various tools.
STIGs are configuration standards developed by the Defense Information Systems Agency (DISA). They are designed to make device hardware and software as secure as possible, safeguarding the DoD IT network and systems.
Here is a look at our strategic process for automating STIG deployment, as well as recommendations for those considering the process.
Our high level goal during STIG deployments is to automate configurations, automate upgrades, and maintain state of the devices.
Some of the biggest challenges our technical team has encountered during STIG deployments include:
- Time Intensive: Implementing STIG configurations manually and managing checklists are both extremely time consuming.
- Human Error: There are many opportunities for human error throughout the process if not controlled properly.
- Maintenance: It can be difficult to keep up with changes in device configurations, as well as the constant patches and upgrades.
- Security: The security posture of the network is at risk if teams are unsure about fully meeting compliance.
In working to develop the most efficient, effective, and sustainable solutions to our challenges, our CyKor team has identified a number of tools and processes that can be used to help automate tasks.
Below are three different tools that can assist with the most common STIG deployment challenges. These solutions can operate independently or work together.
Cisco Network Services Orchestrator (NSO)
NSO is a robust orchestration platform that provides a link between automation tools and vendors/technologies. It’s very popular in the services provider space, but is becoming more prevalent in the enterprise where automation has become essential.
NSO has a northbound API that allows for seamless integrations. It has Network Element Drivers (NEDs) that communicate through its southbound. The NEDs can provide translation into vendor specific configurations. For example, there is a specific NED for IOS-XE, IOS-XR, NX-OS, JUNOS, EOS, and dozens of other vendor specific software.
One of the most important features of NSO is the ability to keep a Configuration Database (CDB) for each device it is managing. NSO can then maintain the “state” of each configuration. For example, an admin can set a baseline for a device, or set of devices, and can be alerted when that device is out of baseline. It is a simple one-click task to bring that device back to its original baseline. This is a huge benefit when talking about keeping devices in a state of compliance from a STIG perspective.
Cisco has also developed a package for NSO called CARE (Cisco Audit and Remediation Engine). CARE automates the validation and provides remediation of STIG vulnerabilities; it’s a purpose-built tool to manage STIGs. Below are some of its benefits:
Cisco manages the database of individual STIGs and provides updates for their customers whenever DISA releases updates to STIGs.
Customers can enter variables specific to their network for when CARE audit devices for STIGs.
CARE can automate the push of most STIG configurations to a device.
CARE can generate a checklist which can be opened by tools such as STIGViewer with most of the information filled out.
The above results in removal of human error and greatly reduced time for managing STIGs.
CyKor has use cases with multiple customers using NSO CARE, as well as the full NSO package.
Ansible is an open-source IT automation tool from Red Hat. Ansible has packages that can push configurations directly to devices, such as switches and routers. Many entities we have spoken to have or are starting to adopt Ansible as their go-to automation tool, which makes it relevant when talking about STIG implementation.
At CyKor, we have experience developing custom playbooks for customers that require a standard configuration across their devices. By using playbooks to push DoD-approved configurations, these customers can deploy configurations to bare-metal network gear in a fraction of the time that it would take by hand. This also allows them to manage configuration templates by being able to push updates in bulk, rather than one at a time. Playbooks have also been developed to do a mass upgrade of devices to ensure they are compliant with latest patches and updates.
One of the benefits of Ansible is that the Playbooks are extremely customizable. CyKor will typically work with customers to understand all the necessary requirements to produce optimal playbooks. The result is Ansible playbooks that meet the specific needs of each situation.
Ansible can also be leveraged in the previous example with NSO. Instead of running STIG checks and configuration pushes from the NSO native GUI, it can be streamlined by using Ansible to push those kinds of things through NSO’s northbound API. This can save even more time by doing pushes and entering variables via text files, rather than clicking around a GUI to manage a large number of devices.
Cisco DNA Center
Cisco DNA Center is Cisco’s network management tool that manages Cisco’s enterprise network components. DNA Center is best used when managing Cisco Catalyst Switches, Routers, and Wireless technologies. Therefore, it is limited in scope compared to NSO and Ansible, which both can provide automation/orchestration functionality to a wide variety of vendors and technologies. However, CyKor has worked with some clients that have very large Cisco campus networks, hence DNA Center is a viable option for assisting with STIGs in those types of environments. It also comes with a very long list of other useful features for managing a Cisco campus environment outside of the STIG discussion.
One of the most useful features of the DNA Center is the Template Editor. The Template Editor supports Velocity or Jinja scripting languages. It allows for simple scripts based on CLI-configurations using variables, or more complex scripts using the built-in logic functions. CyKor has developed and tested modular templates that can scale the deployment of Catalyst devices, whether it’s a brownfield environment or greenfield environment using the Plug-and-Play functionality.
The tools discussed above are just a few of the possibilities that exist when it comes to STIG deployment. The best solution for your organization depends on several factors, including specific problems that need to be solved, existing investments, existing processes, customer expertise, and budget.
If you are interested in discussing challenges or ways to automate STIG implementation, our team can help. Reach out to CyKor at firstname.lastname@example.org.