NX-API Security

Matthew Bystrzak

Jul 24, 2016, 8:17:17 AM7/24/16
to network.toCode()
Hello everyone, 

We have just migrated our datacenter to an all (well, primarily) Nexus environment with roughly 30 9Ks running in NX-OS standalone mode.  I've currently been using an SSH script that I wrote to automate some of my regular tasks.  As you all know, NX-OS provides a much better way to get this data through the NX-API using HTTP calls, but there are some serious security implications to enabling the API for use.  For example, the API, when enabled, becomes available through every SVI on the router, which, if publicly exposed, is a big problem from a security perspective.

So I'm curious to see what others are doing, if anything, to secure the API connections.  Ideally the requirements I have are locking down the ability to manage the device to specific source IP addresses.  Similar to adding an access-class to VTY line for restricting SSH access.  Second, I need to enable the API ONLY on the management interface.

I certainly understand using the API requires authentication and can be restricted to using HTTPS so it's encrypted, but in order for me to gain approval to enable the API I need to come up with a list of compensating controls. 

Thanks all for any time you put into this thread.  It is much appreciated.
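One way to check the three controls asked for above across a fleet, as an added example that is not part of the original thread: a short Python audit of a `show running-config` excerpt that flags a plaintext HTTP listener, an API not bound to the management VRF, and a missing or over-permissive inbound ACL on mgmt0. The two config excerpts are constructed for the example, not taken from a real device. It assumes the Nexus 9000 commands `nxapi use-vrf management` and `no nxapi http` exist on your release and render in the running-config under those names; check the command reference for your version, since VRF binding was not available on every NX-OS train. Note that a source-IP ACL on mgmt0 only restricts what reaches mgmt0; it is the VRF binding that keeps the listener off the SVIs.

```python
"""Audit an NX-OS running-config excerpt for NX-API exposure controls.

Assumptions (verify against your release): 'nxapi use-vrf management' pins the
listener to the management VRF, and a disabled HTTP listener renders as
'no nxapi http'.  Both sample configs are constructed, not from real devices.
"""
import re
from typing import Dict, List

WEAK_CONFIG = """\
feature nxapi
nxapi http port 80
nxapi https port 443
interface mgmt0
  vrf member management
  ip address 10.10.0.5/24
interface Vlan100
  ip address 10.100.0.1/24
"""

HARDENED_CONFIG = """\
feature nxapi
no nxapi http
nxapi https port 443
nxapi use-vrf management
ip access-list NXAPI-MGMT
  10 permit tcp 10.10.0.0/24 any eq 443
  20 deny ip any any log
interface mgmt0
  vrf member management
  ip address 10.10.0.5/24
  ip access-group NXAPI-MGMT in
interface Vlan100
  ip address 10.100.0.1/24
"""

# NX-OS IPv4 ACE layout: [seq] action proto src dst [eq port] ...
ACE_RE = re.compile(r"^(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+eq\s+(\d+))?")


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level line to its two-space-indented children (empty list if none)."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def check_acl(blocks: Dict[str, List[str]], name: str) -> List[str]:
    """Flag permits that open TCP/443 to any source, and a missing explicit deny."""
    entries = blocks.get(f"ip access-list {name}")
    if entries is None:
        return [f"ACL {name} is applied to mgmt0 but never defined (nothing is filtered)"]
    findings: List[str] = []
    explicit_deny_all = False
    for ace in entries:
        m = ACE_RE.match(ace)
        if not m:  # remarks, 'statistics per-entry', etc.
            continue
        action, proto, src, dst, port = m.groups()
        if action == "permit" and src == "any" and (proto == "ip" or port == "443"):
            findings.append(f"ACL {name}: '{ace}' permits the HTTPS listener from any source")
        if action == "deny" and proto == "ip" and src == "any" and dst == "any":
            explicit_deny_all = True
    if not explicit_deny_all:
        # The implicit deny still drops traffic; the explicit logged deny records who tried.
        findings.append(f"ACL {name}: no explicit 'deny ip any any log', blocked attempts go unlogged")
    return findings


def audit_nxapi(config: str) -> List[str]:
    """Return findings for the three controls; an empty list means all passed."""
    blocks = parse_blocks(config)
    if "feature nxapi" not in blocks:
        return []  # API not enabled; nothing is exposed
    findings: List[str] = []
    if any(k.startswith("nxapi http port") for k in blocks) and "no nxapi http" not in blocks:
        findings.append("plaintext 'nxapi http' listener is enabled; credentials cross the wire unencrypted")
    if "nxapi use-vrf management" not in blocks:
        findings.append("NX-API not bound to the management VRF; listener answers on every SVI in the default VRF")
    acl_name = None
    for line in blocks.get("interface mgmt0", []):
        m = re.match(r"ip access-group (\S+) in", line)
        if m:
            acl_name = m.group(1)
    if acl_name is None:
        findings.append("no inbound ACL on mgmt0; any host that can route to it can reach the API")
    else:
        findings.extend(check_acl(blocks, acl_name))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_nxapi(cfg)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Run it against the output of `show running-config` pulled over your existing SSH automation; the weak excerpt produces three findings and the hardened one none. Pair the config checks with a TLS-only client on your side (certificate verification on, a dedicated read-only role for the API account) and you have a concrete list of compensating controls to put in front of the approvers.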

James Luther

Jul 24, 2016, 8:46:13 AM7/24/16
to Matthew Bystrzak, network.toCode()
If you're happy with the security controls you have in place for SSH then you could use NETCONF over SSH.  But it depends where you're executing your scripts.  For Linux / Python it's just as easy as nx-api.


James

Matthew Bystrzak

Jul 24, 2016, 9:02:53 AM7/24/16
to network.toCode(), matthew....@gmail.com
Thanks, James.  That's a fair point and I do like that idea.

Hypothetically, though, let's say that I needed to use NXAPI.  Granted, there are always many ways to accomplish the same goal, so this "need" is obviously false.  But I would be interested in thoughts specifically on hardening the API.

Matt