24 Replies Latest reply on Mar 25, 2019 4:39 AM by sayalirevalkar

    Roles and Permissions In Network Config and Management

    wirednot

      Not everyone needs the same access to network management systems. Too often, we take the easy path when assigning access credentials on our important tools (and the network resources they manage) and treat all users the same. Do you forgo the rigors of RADIUS/TACACS-style authentication on your network components, or give everyone from installers to the helpdesk the same login credentials on your management systems?

      How you administer your systems should be arrived at with the same care that shapes other operational practices. Accept anything less, and you’re probably lacking important pieces of the overall security and support puzzles.

      By requiring anyone who needs system access to use their own credentials with permissions appropriate to their positions, you gain important audit trails and safeguards against misconfigurations. If a settings change mucks things up in an environment where lots of fingers are in the pie but everyone logs in with the same credentials, it’s hard to know who really did what. And those who need view-only rights shouldn't have access to GUI or CLI knobs and buttons outside of their scope, even if they are trusted staff. Don’t risk it!

        • Re: Roles and Permissions In Network Config and Management
          Aforsythe

          That should be sysadmin 101, but that's not always the case. At one company I worked for, I had two admins come behind me and set up default admin passwords for everything and re-enable any administrator accounts I had disabled. I corrected them, convinced them of their wrongdoing, and then watched as the next guy for the job did the exact same thing.

          Some tools also do not really allow for this, but in those cases, I've been able to lock down the machine, VM, or in a few cases the entire room to help add some security.

          • Re: Roles and Permissions In Network Config and Management
            jeffreyc

            We set up different levels of access for help desk, system administrators and network engineers on our Solarwinds server. We use AD groups to accomplish this. This is very important when many of the Solarwinds modules have the ability to make actual changes and restart processes on network devices and servers.

              • Re: Roles and Permissions In Network Config and Management
                wirednot

                This is a much better strategy than giving people access to everything and saying "... and please never go here and do this or that because those are not in your scope". Curiosity and good-intentioned adventuring can do a lot of damage. Better to not provide the door at all rather than to provide it and say "don't walk through that door".

                  • Re: Roles and Permissions In Network Config and Management
                    Aforsythe

                    It's easy to fall into a reactive, firefighting mode, especially in a small company setting where you're the only one on the IT staff, or one of just a few. Lax network security is a prime way to get there; it can create an astounding number of fires that burn endlessly, and usually leads to unorthodox fixes that cover up or band-aid the problem, making things even worse in some cases but only providing temporary relief in the best cases.

                    I walked into a network one time with a completely unprotected file server. Everyone used it, and everyone had access to everything on it. Luckily no one was smart enough to hack any payroll files, but other company financials were out there. I lucked into finding it early because I walked by an employee who was looking at some spreadsheets in a folder with the company owner's name. I stopped her and told her to close the folder. I know it was just an excuse of ignorance, but I almost laughed at her response because it was so true... "I figured if I could get to it, it was ok for me to look at it"...

                      • Re: Roles and Permissions In Network Config and Management
                        jeremymayfield

                        I am in a small company, and we do have a limited IT staff, but I can assure you that security is a major priority on our list. We take nothing for granted. Role-based security is fantastic and we can ensure proper access to the data. Look, data is the most important piece to any company. Without data we have nothing. Sure, we can possibly operate, but today's business is about securing the data, and getting it back if it's ever lost. Letting security become lax is the easiest way to lose important data and I won't let that happen on my watch.

                        Our approach is simple: if the role requires access, then we will vet out exactly what and why, and ensure everyone has what they need to work, but nothing they need to get themselves in trouble. It's just part of the culture you must have to be successful.

                    • Re: Roles and Permissions In Network Config and Management
                      mphalak

                      Hey Jeffrey: Can you share more information on how you set up different levels of access for help desk, system administrators and network engineers on our Solarwinds server? Is there a way to limit a set of users to do only discovery and no other management capabilities, and how? Any help appreciated; also, if you could link me to some documents around this, that would be helpful.

                      Thanks,

                    • Re: Roles and Permissions In Network Config and Management
                      Scott Sadlocha

                      There is so much that should be done, but just isn't. There are a lot of people in IT that know enough to be dangerous, but don't have the knowledge to understand when they are being dangerous. With inappropriate access, this can be a very bad thing. Some things to keep in mind are those things which you mentioned already. Shared accounts are a major problem with regard to accountability and should be avoided. Blanket access should not be granted for a simple task, but rather individualized access should be tailored to the user. Another item I have seen is with temporary access. Many times there are people that need access temporarily for a specific task or duty, with the idea being that the access will get removed after a set amount of time. Many times, though, that access is never removed. And the process of changing passwords after key employees leave is something that I have only seen done once in over 10 years. It is often just too time consuming and difficult to do.

                      With the Solarwinds systems I have administered, I have attempted to adhere to some of these standards. I have set up groups with varying levels of access, and have set up custom views for those groups. An example would be NCM: I set up a view where our LAN/WAN admins could view and administer their nodes in NCM, I had another view where appropriate IT management and executives could only read the NCM data, and everyone else couldn't even see the Configuration tab. I wish I could do this on a broader basis, but I do, or encourage, as much as I can. Given my newer security-based role, I hope to increase my reach with this a bit more.

                      • Re: Roles and Permissions In Network Config and Management
                        gvtcnoc

                        Dr.

                        Doctor.

                        Doctor, Dr., Doctor.

                        I concur.

                        Anyone can get into anything when the wrong (or right) people don't give a care.

                        • Re: Roles and Permissions In Network Config and Management
                          rgeist

                          Depending on what service it is, we use RADIUS or TACACS. For regular users we use AD authentication. We do have generic logins for some switches, but they are not to log into important servers or other devices.

                          • Re: Roles and Permissions In Network Config and Management
                            byrona

                            Our company previously used role accounts for many things.  Now that we are having more audits for things such as PCI and SSAE16 we are moving toward using individual accounts for everybody and trying to manage as much of that as possible from a central authentication system.  We also have found NCM to be a huge help when it comes to auditing our network devices to see which accounts exist on which devices.

                            • Re: Roles and Permissions In Network Config and Management
                              Nonapeptide

                              I can give mental assent to the glories of RBAC and the privileges of least permissions, but the problem in my scenarios is that my clients are small, and I'm a consultant that at times looks like an MSP. For small companies, there are not enough bodies in the building to really have a role-based breakdown of permissions for a system. Usually it's just one person managing things. Say Sharepoint, or a CRM tool. Or the main tech contact is me - so I have to have ALL the power! And in fact if I wanted to delegate, it wouldn't be possible because no one else wants to have it or can even handle it.

                              So instead, I end up creating a superuser, and maybe... maybe one other user account, depending on the system. It's a bad habit, but in some cases, it's the only habit to choose from. I suppose I will have to learn better if and when I get into larger contracts, clients, or jobs. Until then... sudo su root.

                              • Re: Roles and Permissions In Network Config and Management
                                superfly99

                                We use TACACS for our routers/switches. For Orion, we just use the built-in Manage Users and have the default login set to very minimal access. For users, we use AD authentication.

                                • Re: Roles and Permissions In Network Config and Management
                                  rharland2012

                                  RADIUS for some things, AD authentication for others. We also lock down via IP pretty aggressively both at the device/box and firewall, and we're still a small enough shop that this works. Default Solarwinds settings are quite restrictive, with only a couple of global administrators. To be fair, my hard-working colleagues are consumed enough with their own deliverables that I don't hear a lot of clamoring for admin privs on management systems.

                                  • Re: Roles and Permissions In Network Config and Management
                                    Aaron Denning

                                    Everyone but our admins gets just view rights on everything. Our security is pretty good here, and on most servers even admins have to sudo su just to do what we all need to; we just have to use our own login so they know who is messing up.

                                    • Re: Roles and Permissions In Network Config and Management
                                      antwesor

                                      We use AD for roles and permissions in our environment and some special users for things like Patch Management. This way we can track by credentials and AD groups.

                                      • Re: Roles and Permissions In Network Config and Management
                                        nei4352

                                        I am just now setting up Orion with NCM plus other modules.  I am using AD groups, but I think I might need a few AD user entries to get more granular.  TACACS protects most of the devices.  I am planning to use NCM to 'catch' those that aren't!  This was a good discussion, especially for someone just getting set up!  Thanks!
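Added example, not NCM code or anything posted in this thread: a small Python audit of the kind byrona and nei4352 describe, run over constructed IOS-style config snippets (device names, accounts and placeholder secrets are all made up). It reports which devices still authenticate logins locally instead of via a TACACS+ server group, and which local usernames exist on more than one device.

```python
"""Audit constructed device configs for local-only login and shared local accounts."""
import re
from collections import defaultdict

# Constructed IOS-style sample configs; not real devices. The secrets are placeholders.
CONFIGS = {
    "core-sw1": """
aaa new-model
aaa authentication login default group tacacs+ local
username breakglass privilege 15 secret 5 PLACEHOLDER_HASH
""",
    "edge-rtr1": """
aaa new-model
aaa authentication login default group tacacs+ local
username breakglass privilege 15 secret 5 PLACEHOLDER_HASH
""",
    "closet-sw7": """
username admin privilege 15 secret 5 PLACEHOLDER_HASH
username helpdesk privilege 15 secret 5 PLACEHOLDER_HASH
line vty 0 4
 login local
""",
}

USER_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.M)
TACACS_RE = re.compile(r"^aaa authentication login \S+ .*group tacacs\+", re.M)

def audit_device(name, config):
    """Return the device's local accounts (name -> privilege level, default 1)
    and whether its default login method is a TACACS+ server group."""
    users = {m.group(1): int(m.group(2) or 1) for m in USER_RE.finditer(config)}
    return {"device": name, "users": users, "tacacs": bool(TACACS_RE.search(config))}

def audit_fleet(configs):
    """Flag devices still on local-only login and local accounts that are
    present on more than one device (a shared credential to clean up)."""
    results = [audit_device(n, c) for n, c in configs.items()]
    no_tacacs = [r["device"] for r in results if not r["tacacs"]]
    seen = defaultdict(list)
    for r in results:
        for user in r["users"]:
            seen[user].append(r["device"])
    shared = {u: devs for u, devs in seen.items() if len(devs) > 1}
    return {"no_tacacs": no_tacacs, "shared_accounts": shared, "results": results}

if __name__ == "__main__":
    report = audit_fleet(CONFIGS)
    print("Devices not authenticating via TACACS+:", report["no_tacacs"])
    print("Local accounts present on several devices:", report["shared_accounts"])
```

A break-glass local account behind a TACACS+ default method is expected; the finding worth chasing is the device with no AAA line at all.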

                                        • Re: Roles and Permissions In Network Config and Management
                                          zackm

                                          We use a combination of AD groups and TACACS, depending on the device. Though I will say that we have a blanket read-only account for SolarWinds. It makes user management a lot easier when there are literally hundreds of users who look at our environments daily. But there are only a handful of us that have any kind of admin access to those products. And for network gear, every user has their own individual login for auditing purposes.

                                          • Re: Roles and Permissions In Network Config and Management
                                            ElevenB2003

                                            TACACS at my current organization but previously just a small group of people who had the creds for network equipment and domain admin access to everything else.  Since it was a very large organization with a very small group of tech support staff it wasn't hard to figure out who broke/upgraded/changed a system.  I agree that RBAC is the best route to go; as some previous posters have replied - that's not always an option for very small teams.