Chef Blogs

Using InSpec with Cisco IOS Devices

Julian Dunn | Posted on | Chef InSpec | compliance

On Wednesday, August 1, we presented a webinar on using InSpec with Cisco IOS network devices. Today, fewer than 10% of network teams are using any automation tools, yet through the NetOps 2.0 movement, network administrators are starting to adopt some of the best practices from development and operations, realizing, as Gartner says in the Market Guide for Network Automation, that they often “lag behind other domain groups in embracing automation as a way to meet growing business need.”

One concrete use case for network automation is to audit and report on device configurations for the purposes of compliance and audit. Network devices are at the heart of an enterprise’s infrastructure, since, without a fully-functioning network, all servers, virtual machines, containers and so on are useless. That’s where InSpec comes in. InSpec is Chef’s open-source tool for DevSecOps. It allows cross-functional application, infrastructure, and security teams to collaborate on and remediate compliance issues through the whole software delivery process.

Using the features built into InSpec 2.0 and launched at ChefConf 2018 with Chef’s commercial product, Chef Automate 2.0, customers can easily write InSpec code to validate common network configurations or detect misconfigurations. Examples of controls would be to make sure switches do not unnecessarily have CDP (Cisco Discovery Protocol) turned on, that switch ports without a link are disabled (to prevent malicious actors from connecting an Ethernet cable to wall jacks to get network access), that SNMP communities are not using their default names and that secure SNMP versions are being used, and so on. For example, here’s a fragment of InSpec code to ensure that the device has a loopback interface configured:

describe cisco_ios_interfaces.where(name: /Loopback/) do
 its('entries') { should_not be_empty }
end

Many of these network configuration best practices are encapsulated in the Center for Internet Security (CIS) Cisco IOS Benchmarks Levels 1 and 2. With a Chef Automate subscription, you get access to these profiles as well as any bugfixes and updates from CIS. Chef Automate also allows you to initiate scheduled and ad-hoc scans of all your infrastructure including Cisco IOS devices to ensure you’re in compliance at all times – and get alerted if something changes.

Learn more

Watch a recording of the webinar to learn more:

 

Start a 60-day trial

To take Chef Automate for a 60-day free trial, please visit chef.io/automate.