Continuous Compliance & Security


Personas: (Compliance Officer, Compliance Analysts)

NP-Live enables organizations to adopt a culture of continuous compliance and security. By combining the features below, NP-Live can monitor your network devices 24 x 7 x 365, alerting individuals or ticketing systems when security or compliance vulnerabilities are identified.

NP-Connect

NP-Connect facilitates the configuration of connectors that poll devices on a schedule, importing the latest configurations for analysis.

Policy management

Risks and Warnings are generated by policy requirements that run automatically on the network device configuration files imported into the workspace. Each requirement has its own checking logic, which can run on any of:

  • the device configurations
  • the access rules
  • the path analysis
  • the output logs of the device parsers

Requirements are organized into policies, which can be assigned to specific devices. NP-Live includes a set of default policies that are read-only: default policies can be deactivated and assigned to specific devices, but not deleted.

Administrators and Workspace Admins can create custom policies to monitor configuration files, rules, path analysis and parser logs. Custom logic is written as a YARA condition statement, and an alert is triggered when the statement evaluates to true. Several keywords give access to the internal data structures: CONFIG represents the configuration files, PARSER represents the parser output, RULE_* represents the access-rule fields, and PATH_* represents the path-analysis fields. The detailed list of RULE_* and PATH_* fields, together with a logic template, can be downloaded from within the application. The operators `matches` and `contains` evaluate a field against a regex and a string value, respectively, and `==` compares a field with an exact string value (as the default rules below do for RULE_ACTION). The logical operators `and`, `or` and `not` can be combined for richer logic expressions.

NP-Live Default Requirements
The default requirements and their associated YARA logic are listed in the table below:

| Policy | Requirement | Risk Severity | YARA Rule |
|---|---|---|---|
| NP Parser Policy | Unnecessary EIGRP Network | Low | PARSER contains "Unnecessary EIGRP Network" |
| NP Parser Policy | Broadcast traffic permission | Low | PARSER contains "permits broadcast traffic other than bootpc and bootps" |
| NP Parser Policy | Traffic to multicast group | Low | PARSER contains "allows traffic to multicast group" |
| NP Parser Policy | Empty Field | Low | PARSER contains "empty" and PARSER contains "group (s)" and PARSER contains "zone (s) (unbound to interfaces)" |
| NP Parser Policy | Unused ACLs | Low | PARSER contains "unused" and PARSER contains "acl (s)" |
| NP Parser Policy | Unused group | Low | PARSER contains "unused" and PARSER contains "group (s)" |
| NP Parser Policy | Mixed any and not any | Low | PARSER contains "has mixed any and not any" |
| NP Parser Policy | Unassigned interface | Low | PARSER contains "not assigned to any zone and not passing traffic" |
| NP Parser Policy | Missing interfaces | Low | PARSER contains "zone (s) missing interfaces" |
| NP Parser Policy | Rule following schedule | Low | PARSER contains "following schedule" |
| NP Path Policy | Any protocol path | Medium | PATH_PROTOCOL contains "any" |
| NP Rule Policy | Any to any IP | High | not RULE_ACTION == "deny" and RULE_SOURCE contains "any" and RULE_DESTINATION contains "any" |
| NP Rule Policy | Any source IP | Medium | not RULE_ACTION == "deny" and RULE_SOURCE contains "any" and not RULE_DESTINATION contains "any" |
| NP Rule Policy | Any destination IP | High | not RULE_ACTION == "deny" and not RULE_SOURCE contains "any" and RULE_DESTINATION contains "any" |
| NP Rule Policy | Any protocol | Medium | not RULE_ACTION == "deny" and RULE_SERVICE contains "any/" |
| NP Rule Policy | Any destination port | Medium | not RULE_ACTION == "deny" and RULE_SERVICE contains "to any" and not RULE_SERVICE contains "ICMP" |
Once the policy is created, the "Run" button executes the policy so the results of the query can be tested. Once saved, a custom policy can be edited and saved again, assigned to specific devices, enabled or disabled, or deleted.
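To make the policy language above concrete, here is an added example (not NP-Live's own engine or code) of a small evaluator for condition statements of the kind shown in the table: it parses `contains`, `matches` and `==` comparisons joined by `and`, `or` and `not`, then runs a policy's requirements over device records. The grammar is an assumption modelled on YARA precedence (`or` binds loosest, then `and`, then `not`, so `not RULE_ACTION == "deny"` negates the whole comparison); `contains` and `==` are assumed case-sensitive, a missing field is assumed never to match, and the sample records, the "Custom SNMP Policy" and the `run_policy` helper are constructed for illustration.

```python
"""Evaluator for NP-Live-style YARA condition statements (added example, assumed grammar)."""
import re
from typing import List, Tuple

# Tokens: parentheses, double-quoted string, ==, word, or any other single character
TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|==|\w+|\S')
FIELD_RE = re.compile(r"[A-Z][A-Z0-9_]*")  # CONFIG, PARSER, RULE_*, PATH_*
OPERATORS = ("contains", "matches", "==")


class Parser:
    """Recursive-descent parser: or < and < not < comparison, as in YARA."""

    def __init__(self, logic: str):
        self.toks = TOKEN_RE.findall(logic)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise SyntaxError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())  # negates the whole comparison
        return self.parse_primary()

    def parse_primary(self):
        if self.peek() == "(":
            self.take()
            node = self.parse_or()
            self.take(")")
            return node
        field, op, lit = self.take(), self.take(), self.take()
        if not FIELD_RE.fullmatch(field):
            raise SyntaxError(f"bad field name {field!r}")
        if op not in OPERATORS:
            raise SyntaxError(f"bad operator {op!r}")
        if len(lit) < 2 or lit[0] != '"' or lit[-1] != '"':
            raise SyntaxError(f"expected a quoted string, got {lit!r}")
        return (op, field, lit[1:-1])


def compile_logic(logic: str):
    return Parser(logic).parse()


def evaluate(node, record: dict) -> bool:
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], record) or evaluate(node[2], record)
    if kind == "and":
        return evaluate(node[1], record) and evaluate(node[2], record)
    if kind == "not":
        return not evaluate(node[1], record)
    op, field, literal = node
    value = record.get(field)
    if value is None:          # assumption: a field absent from the record never matches
        return False
    if op == "contains":       # case-sensitive substring, like YARA's contains
        return literal in value
    if op == "matches":        # the string literal is used as a regex
        return re.search(literal, value) is not None
    return value == literal    # ==


# Requirements taken from the table above (a subset of the defaults), plus one
# hypothetical custom policy on CONFIG to show `matches` with a regex.
POLICIES = {
    "NP Parser Policy": [
        ("Unused ACLs", "Low", 'PARSER contains "unused" and PARSER contains "acl (s)"'),
        ("Missing interfaces", "Low", 'PARSER contains "zone (s) missing interfaces"'),
    ],
    "NP Path Policy": [("Any protocol path", "Medium", 'PATH_PROTOCOL contains "any"')],
    "NP Rule Policy": [
        ("Any to any IP", "High", 'not RULE_ACTION == "deny" and RULE_SOURCE contains "any" and RULE_DESTINATION contains "any"'),
        ("Any source IP", "Medium", 'not RULE_ACTION == "deny" and RULE_SOURCE contains "any" and not RULE_DESTINATION contains "any"'),
        ("Any destination IP", "High", 'not RULE_ACTION == "deny" and not RULE_SOURCE contains "any" and RULE_DESTINATION contains "any"'),
        ("Any protocol", "Medium", 'not RULE_ACTION == "deny" and RULE_SERVICE contains "any/"'),
        ("Any destination port", "Medium", 'not RULE_ACTION == "deny" and RULE_SERVICE contains "to any" and not RULE_SERVICE contains "ICMP"'),
    ],
    "Custom SNMP Policy": [  # hypothetical custom policy, not an NP-Live default
        ("Default SNMP community", "High", r'CONFIG matches "(?m)^snmp-server community (public|private)\b"'),
    ],
}


def run_policy(policy: str, records: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (record id, requirement, severity) for each requirement whose logic is true."""
    compiled = [(req, sev, compile_logic(logic)) for req, sev, logic in POLICIES[policy]]
    return [(rec["id"], req, sev) for rec in records for req, sev, ast in compiled if evaluate(ast, rec)]


# Constructed sample records (not real device data)
SAMPLE_RULES = [
    {"id": "r1", "RULE_ACTION": "permit", "RULE_SOURCE": "any", "RULE_DESTINATION": "any", "RULE_SERVICE": "any/any to any"},
    {"id": "r2", "RULE_ACTION": "deny", "RULE_SOURCE": "any", "RULE_DESTINATION": "any", "RULE_SERVICE": "any/any to any"},
    {"id": "r3", "RULE_ACTION": "permit", "RULE_SOURCE": "10.0.0.0/8", "RULE_DESTINATION": "any", "RULE_SERVICE": "tcp/80 to 443"},
]
SAMPLE_PARSER = [{"id": "fw1", "PARSER": "2 unused acl (s) found\nzone DMZ: 1 zone (s) missing interfaces"}]
SAMPLE_PATH = [{"id": "p1", "PATH_PROTOCOL": "any"}]
SAMPLE_CONFIG = [{"id": "fw1", "CONFIG": "hostname edge-fw\nsnmp-server community public RO\n"},
                 {"id": "fw2", "CONFIG": "hostname core-sw\nsnmp-server community s3cr3t-ro RO\n"}]

if __name__ == "__main__":
    for name, recs in [("NP Rule Policy", SAMPLE_RULES), ("NP Parser Policy", SAMPLE_PARSER),
                       ("NP Path Policy", SAMPLE_PATH), ("Custom SNMP Policy", SAMPLE_CONFIG)]:
        for rec_id, req, sev in run_policy(name, recs):
            print(f"{name}: {rec_id} -> {req} ({sev})")
```

Note that the denied any-to-any rule `r2` produces no finding, because every NP Rule Policy requirement starts with `not RULE_ACTION == "deny"`; the negation applies to the comparison as a whole, which is the reading a custom policy author should keep in mind when writing similar `not ... ==` clauses.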

Notifications

The Notification manager allows users to set up rules based on multiple criteria and have the matching notifications delivered to multiple services on a schedule. Notification rules can be filtered by one or more of the following:

  • Workspace
  • Activity type (Risks, Warnings, Errors, Comments and Changes)
  • Activity status (New, Confirmed, Resolved, Fixed, False Positive, Will Not Fix)
  • Severity (Low, Medium, High)
  • Keyword match

Notifications can be sent to the services configured by the Administrator, which can include e-mail, ticketing systems, syslog and TAXII.

Change tracking

Change tracking gives the user the ability to review changes made to the system and the potential impact of those changes. Changes can also be delivered as notifications, as described above.
