Velocity Reviews - Computer Hardware Reviews
Audit of large Cisco Network

Ben
02-10-2005
Mats Bredell wrote:
> Hansang Bae wrote:
>
>
>>Mats Bredell wrote:
>>
>>>It's not particularly difficult to do, just have a programmer write
>>>some Tcl scripts. I've done this as a subcontractor at IBM, the tools
>>>I developed can easily extract data from around 5,000 devices per
>>>hour. The difficult task, which takes most time, is getting working
>>>passwords to the devices.

>>
>>It's not as easy as it sounds. Before you can get *to* the
>>information, you need a seed file with all the IPs. That in and of
>>itself can be a chore. Then you have a problem of different devices
>>reporting things differently. Then you have a problem of different
>>devices not being able to provide the info one is after (serial number
>>comes to mind).

>
>
> Actually, it's not that difficult. The tool I made was able to handle the
> following devices:
>
> * Cisco IOS, CatOS, IOS/700, Kalpana, PIX, WebNS and Vxworks
> * 3Com Superstack, Linkbuilder and Linkswitch
> * Checkpoint Firewall-1 and SecurePlatform Linux
> * IBM AIX and MRS
> * Linux Redhat
> * Network Systems CDA
> * Nokia AlchemyOS, AP and IPSO
> * Nortel Baystack, BCC, Centillion, MCP and Passport
> * Olicom switches
> * Sun Solaris
> * Symantec Enterprise Firewall
> * Symbol AP
>
> The tool extracts metadata and configuration, and performs an audit of the
> configuration by comparing it to the security policy. The data is collected
> by using telnet, ssh, http, SNMP or serial console. It handles both cli
> based and VT100 based devices.
>
> /Mats
>

Which is why TCL is a better choice than perl - much easier to reverse
engineer - which you will need to do at times even if you are the one
who wrote it.

Mats Bredell
02-10-2005
Ben wrote:

> Mats Bredell wrote:


>> The tool extracts metadata and configuration, and performs an audit of
>> the configuration by comparing it to the security policy. The data is
>> collected by using telnet, ssh, http, SNMP or serial console. It handles
>> both cli based and VT100 based devices.
>>

> Which is why TCL is a better choice than perl - much easier to reverse
> engineer - which you will need to do at times even if you are the one
> who wrote it.


This was the first time I used TCL; it was an interesting experience. TCL
was a natural choice since everything started out using Expect. But I
really like the way TCL is able to handle lists of data; that's nice when
you're trying to parse a configuration file.

/Mats

--
Mats Bredell
Uppsala, Sweden
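
The config-versus-policy comparison Mats describes, run over the parsed sections of a saved IOS config, as an added example in Python rather than the thread's Tcl tooling (not code from the original posts). The policy checks and the sample config are constructed for illustration.

```python
import re
# Constructed sample of a saved 'show running-config' with several weaknesses.
SAMPLE_CONFIG = """\
enable password cisco123
ip http server
snmp-server community public RO
snmp-server community s3cret RW
line vty 0 4
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 transport input ssh
 login local
"""

def parse_sections(config):
    """Split a config into (header, [indented child lines]) pairs."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blanks and '!' separator lines
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())  # belongs to the previous header
        else:
            sections.append((raw.strip(), []))  # global command or block header
    return sections

def audit_config(config):
    """Return policy findings as strings; an empty list means compliant."""
    sections = parse_sections(config)
    headers = [hdr for hdr, _ in sections]
    findings = []
    if any(h.startswith("enable password") for h in headers):
        findings.append("enable password used instead of enable secret")
    if "service password-encryption" not in headers:
        findings.append("service password-encryption missing")
    if "ip http server" in headers:
        findings.append("ip http server enabled")
    for h in headers:
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?", h)
        if m and (m.group(1).lower() in ("public", "private") or m.group(2) == "RW"):
            findings.append(f"weak or writable SNMP community: {m.group(1)}")
    for hdr, kids in sections:  # per-block checks on the management lines
        if hdr.startswith("line vty"):
            if "transport input ssh" not in kids:
                findings.append(f"{hdr}: transport input is not ssh-only")
            if not any(k.startswith("access-class") for k in kids):
                findings.append(f"{hdr}: no access-class restricting sources")
    return findings
```

Feeding each device's captured config to audit_config gives a per-device findings list that can be collected across the whole seed file.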

Mats Bredell
02-10-2005
Ben wrote:

> Mats Bredell wrote:
>> Yes, SNMP is the best and easiest to handle. Unfortunately it was rarely
>> enabled on the devices I was working on (either that or they didn't know
>> the community strings).
>>

> Also the Cisco MIB DOES vary between different chassis, making it
> unreliable for some types of data.
>
> I have to totally agree - a set of TCL or Perl scripts is a great way to
> go. Of course it's much simpler if you start with a list of all the
> devices.


The first version of the tool did a simple telnet to the device and was able
to figure out what kind of device it was, but I removed that function when
making a new version of the tool.

There were also problems with bugs in a lot of network devices. Certain
Nortel Baystacks had an IP stack that was so unstable that it crashed after
about 5 connects. That's a huge problem when you're debugging the scripts
and making lots of connections.

/Mats

--
Mats Bredell
Uppsala, Sweden