
Infoblox NetMRI Advisor™

Release 1.1
Administrator Guide
Copyright Statements
© 2018, Infoblox Inc. All rights reserved. The contents of this document may not be copied or duplicated
in any form, in whole or in part, without the prior written permission of Infoblox, Inc.
The information in this document is subject to change without notice. Infoblox, Inc. shall not be liable for
any damages resulting from technical errors or omissions which may be present in this document, or from
use of this document.
This document is an unpublished work protected by the United States copyright laws and is proprietary to
Infoblox, Inc. Disclosure, copying, reproduction, merger, translation, modification, enhancement, or use of
this document by anyone other than authorized employees, authorized users, or licensees of Infoblox,
Inc. without the prior written consent of Infoblox, Inc. is prohibited.

Trademark Statements
Infoblox, the Infoblox logo, NetMRI and Advisor are trademarks or registered trademarks of Infoblox Inc.
All other trademarked names used herein are the properties of their respective owners and are used for
identification purposes only.

Company Information
http://www.infoblox.com/contact/

Supported Platform Models


Hardware: IB/NT-1400-MRI, IB/NT-2200-MRI-*, NT-4000-MRI-*
Virtual: IB/NT-V-MRI-*

Document Updated: February 27, 2018


1.0 Introduction
1.1 Common Vulnerabilities and Exposures
1.2 The NetMRI Advisor Client and Service
2.0 NetMRI Advisor Service Operation
3.0 Tuning Vulnerability Thresholds
3.1 The Common Vulnerability Scoring System
3.2 Policy Creation Threshold Adjustment
3.3 Policy Removal Threshold
4.0 Network Vulnerability Assessment
4.1 Deploying Advisor Policies to Target Groups
4.2 Deploying Multiple Policies
5.0 Custom Views
5.1 The PSIRT Vulnerability View
5.2 The Device Lifecycle View
5.3 Editing Custom Views
6.0 Vulnerability Update Notifications
6.1 Configuring Email Alerting
6.2 Configuring a Custom Advisor Alert
7.0 Reporting
7.1 Importing the Standard Advisor Reports
7.2 Customizing the Advisor Reports
7.3 Copying a Standard Report
8.0 Changing the Advisor User ID or Password
8.1 Updating Client Authentication
8.2 Update the Advisor client’s access credentials
8.3 Verifying Client Communication
Glossary of Terms and Abbreviations
Table of Figures

1.0 Introduction
NetMRI Advisor is an add-on service which assists enterprises in monitoring and maintaining
network and security infrastructure based on released Common Vulnerabilities and Exposures
(CVEs) and vendor product lifecycle announcements.
When used in conjunction with an Infoblox NetMRI system, the advisory service automatically
creates tailored policies and rules which can be used to identify vulnerable equipment on the
managed network or networks.
The Advisor also provides online views, reporting, and data export of equipment lifecycle status,
with discrete device-level tracking of vendor end-of-sale and end-of-support information.

1.1 Common Vulnerabilities and Exposures


Common Vulnerabilities and Exposures comprise a standardized dictionary of common
identifiers for known cybersecurity vulnerabilities [1].
The CVE identifiers make it easier to share data across separate network security databases
and applications, allow for interoperation between security and management tools, and provide
a reliable baseline for evaluating the risk mitigation coverage.

1.2 The NetMRI Advisor Client and Service


To provide NetMRI with capabilities for the acquisition and retrieval of vendor security advisory
and device lifecycle information, the configured NetMRI system hosts an instance of the NetMRI
Advisor client, which is subscribed to Advisor Central Service.
The Advisor client is a small software module, which is installed in the NetMRI system’s resident
“sandbox” virtual machine.

[1] https://cve.mitre.org/about/

1 ||| Infoblox NetMRI Advisor Release 1.1


Figure 1 – NetMRI Advisor Client/Server Configuration.

The NetMRI Advisor client automatically maintains device vendor security advisory rules and
policies, as well as providing continual updates to vendor lifecycle data for supported network
elements under management.



2.0 NetMRI Advisor Service Operation
The NetMRI Advisor service client updates the NetMRI system on an ongoing basis, through a
refresh procedure that consists of 5 functions:
1. The Advisor client requests a unique list of known device models and active
software/firmware versions from the NetMRI system.

2. The client then queries the Central Advisor Service for CVE Advisories and Lifecycle
Announcements that implicate the device models and software versions on the
network.

3. The client creates or adjusts NetMRI rules and policies to align them with the latest
available information, and if enabled, sends notification of the changes.

4. Older rules and policies that no longer apply to the network [2] are automatically
pruned or adjusted.

5. Lifecycle information is added to the NetMRI system’s database for devices that have
been implicated in a vendor announcement of end of sale or support.

The Advisor service allows the NetMRI system to present a consistent and up-to-date
representation of the vendor security advisory and lifecycle information for supported devices on
the network.

[2] For example, if Cisco IOS version X.Y was known vulnerable to a given CVE policy, and the last device
operating this version was updated or retired, the associated rule will be deleted from the NetMRI system
as no longer applicable.



3.0 Tuning Vulnerability Thresholds
The NetMRI Advisor service allows the administrator to set thresholds to fine tune automatic
vulnerability policy creation and maintenance to suit the Enterprise’s risk tolerance and security
posture.
Advisor’s tuning is done according to the industry standard Common Vulnerability Scoring
System.

3.1 The Common Vulnerability Scoring System


The Common Vulnerability Scoring System (CVSS) [3] provides an open framework for
communicating the characteristics and impacts of IT vulnerabilities, through a standard
measurement system that allows for repeatable and accurate assessment of risk severity on a
scale of zero to ten.
CVSS measurements are especially useful in the prioritization of vulnerability remediation
activities and in calculating the severity of vulnerabilities discovered or suspected.
In addition to the numeric CVSS scores, a qualitative severity ranking is used which maps score
ranges onto a severity rating from Critical to Low, as shown in Table 1.

Severity Rating    Threshold Range
Critical           9.0 – 10.0
High               7.0 – 8.9
Medium             4.0 – 6.9
Low                0.0 – 3.9

Table 1 – CVSS Version 3 Severity Ranges

The Advisor service creates CVSS thresholds, which are set up as Custom Fields in the NetMRI
database, and are tunable through the system GUI.

3.2 Policy Creation Threshold Adjustment


The main Policy Creation filter is called PSIRT_Severity_Threshold, which sets the
minimum severity policy that Advisor will create on the NetMRI system.
For example, setting a value of 4.0 will enable creation of Medium, High, and Critical ranked
policies, while filtering out those of Low severity levels.
Setting a value of 0.0 will allow creation of all applicable policies for the network, regardless of
CVSS score or ranking.

[3] CVSS, Version 3, https://nvd.nist.gov/vuln-metrics/cvss



To adjust the threshold in the NetMRI GUI, select Network Explorer, Inventory, “All Devices”,
and type in the hostname or IP address of the NetMRI system, as shown in Figure 2.

Figure 2 - Selecting the NetMRI system from Inventory

Next, click on the IP Address link for the device to open the Device Viewer for the NetMRI
system, and select Device/Network Explorer, Custom Data from the menu on the right.

Figure 3 - Adjusting Advisor Policy Thresholds



Hover the mouse over the Gear icon to the left of the threshold, and click “Edit” in the context
menu.

Figure 4 - Setting a Custom Severity Value

To commit the updated setting, click either Save & Close or Save.

3.3 Policy Removal Threshold


A second tunable setting in the Advisor service is the Policy Removal Threshold, which defines
the minimum severity policy that will be allowed to remain on the system.
The minimum severity policy deletion filter is called the PSIRT_Low_Threshold.
Any policies with a CVSS score below this value will be removed from the NetMRI system in the
next Advisor update.
Setting the value of the threshold to 0.0 will allow all policies to remain on the NetMRI,
regardless of CVSS score or severity ranking.
The PSIRT_Low_Threshold can be used to remove policies of little anticipated impact, for
example after the network has been assessed and the results reviewed.
Additionally, by temporarily setting a value above 10.0, (i.e. the maximum CVSS score
possible), the Low Threshold may be used to perform a “Policy Reset”, deleting all Advisor-
created policies for a clean restart of Advisor’s CVE management of the NetMRI.
PSIRT_Low_Threshold is tuned in the same manner as the Policy Creation Threshold
described in the previous section.
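
How the two thresholds act together during one Advisor update, as an added example in Python (not Infoblox code). The policy names and scores are constructed and the function names are hypothetical; the model assumes that an existing policy is removed only by PSIRT_Low_Threshold, and that removal wins when both filters match the same policy.

```python
from dataclasses import dataclass

# Table 1 (CVSS v3): lower bound of each qualitative band, highest first.
SEVERITY_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low"))
CVSS_MAX = 10.0


def severity_rating(score: float) -> str:
    """Map a CVSS v3 score onto the Table 1 severity rating."""
    if not 0.0 <= score <= CVSS_MAX:
        raise ValueError(f"CVSS score out of range: {score}")
    return next(name for lower, name in SEVERITY_BANDS if score >= lower)


@dataclass(frozen=True)
class Thresholds:
    severity: float = 0.0  # PSIRT_Severity_Threshold: minimum score to create
    low: float = 0.0       # PSIRT_Low_Threshold: lower-scoring policies are removed


def plan_update(advisories: dict, existing: set, t: Thresholds) -> dict:
    """Return {policy: action} for one Advisor update.

    advisories maps a policy name to its CVSS score; existing is the set of
    Advisor-created policies already on the system.
    Assumption: when both filters apply to the same policy, removal wins.
    """
    plan = {}
    for name, score in advisories.items():
        if score < t.low:
            plan[name] = "remove" if name in existing else "skip"
        elif name in existing:
            plan[name] = "keep"      # the creation filter never deletes
        elif score >= t.severity:
            plan[name] = "create"
        else:
            plan[name] = "skip"
    return plan


def check_thresholds(t: Thresholds) -> list:
    """Flag settings an administrator should confirm before the next update."""
    notes = []
    if t.low > CVSS_MAX:
        notes.append("policy reset: every Advisor-created policy will be deleted")
    elif t.low > t.severity:
        notes.append(f"scores from {t.severity} up to {t.low} pass the creation "
                     "filter but fall under the removal filter")
    return notes


# Constructed sample data: placeholder policy names and scores, not real advisories.
SAMPLE = {"PSIRT-EXAMPLE-A": 9.8, "PSIRT-EXAMPLE-B": 7.5,
          "PSIRT-EXAMPLE-C": 5.3, "PSIRT-EXAMPLE-D": 2.1}

if __name__ == "__main__":
    cases = (("first run, Medium and above", Thresholds(4.0, 0.0), set()),
             ("later raise of creation filter", Thresholds(7.0, 0.0), set(SAMPLE)),
             ("prune Low after review", Thresholds(4.0, 4.0), set(SAMPLE)),
             ("temporary policy reset", Thresholds(0.0, 10.1), set(SAMPLE)))
    for label, thresholds, existing in cases:
        print(label, check_thresholds(thresholds))
        for name, action in plan_update(SAMPLE, existing, thresholds).items():
            print(f"  {name} {SAMPLE[name]} {severity_rating(SAMPLE[name])}: {action}")
```

In this model, raising PSIRT_Severity_Threshold alone leaves previously created lower-severity policies in place; only PSIRT_Low_Threshold removes them.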



4.0 Network Vulnerability Assessment
In order for NetMRI to evaluate network devices for CVE Vulnerabilities, the Advisor policies
must be deployed against device groups in the network [4].
When an Advisor policy is deployed against a device group, the configurations of the individual
devices contained in the group are assessed against the rules associated with the policy to
derive a vulnerability assessment for each device [5].

4.1 Deploying Advisor Policies to Target Groups


To deploy discrete policies against multiple device groups, select the Config Management
button at the top of the NetMRI GUI, and switch to the Policy Design Center tab immediately
below, as shown in Figure 5.

Figure 5 - Deploying Policies against Multiple Device Groups

Select the policies of interest from the list on the left. Optionally, a search hint can be entered
into the left search text box [6] to filter the list, for example, “PSIRT”, or “2017”.

[4] In effect, deploying a policy in NetMRI is akin to activating or enabling it for specific device groups.
[5] For more information, see “How Policies Work” in the NetMRI Online Reference Guide.
[6] To filter the policy names, the left menu search box will match either plain text partial strings or regular
expression patterns.



Select the groups to be evaluated against the policy or policies by clicking the associated
checkboxes in the right hand side panel.
Click the bottom right button labeled Save to deploy and enable the chosen policies.

4.2 Deploying Multiple Policies


To deploy a selection of policies against a single group, select the Config Management button at
the top of the NetMRI GUI, the Policy Design Center tab immediately below, and click the By
Device Groups button at the bottom left, as shown in Figure 6.

Figure 6 - Deploying Multiple Policies against a Device Group

Select the target group from the tree on the left, and choose the policy or policies to be activated
by clicking the associated checkboxes in the right hand side panel.
Optionally, a search hint can be entered into the policy list text box to filter the list of visible
policies.
The policy list also displays a Last Change Date column which shows the last time Advisor
updated each policy. Clicking on the title of this column will sort the list to show the most recent
CVE Advisories for the network.



Figure 7 - Sorting by Recent Advisories

When the chosen policies have been selected, click the bottom right button labeled Save to
deploy and enable vulnerability assessment.



5.0 Custom Views
NetMRI Advisor provides quick access to CVE vulnerability and device lifecycle status for
devices, locations, and groups on the network.
For convenience in navigating and assessing the Advisor information, custom views are defined
in the NetMRI issue analysis screen.

5.1 The PSIRT Vulnerability View


The PSIRT Vulnerability View gives a quick overview of Cisco Product Security Incident
Response Team Advisories that affect devices on the network.
To access the view, click on the top button Network Analysis, and select the leftmost tab for
Issues.

Figure 8 - NetMRI Issues Screen

In the middle bar, click the right side button, Views, to show the menu of defined issue filters,
and click on the item PSIRT Violations.



Figure 9 – Selecting the PSIRT Issue View

The issue list will then refresh, with the PSIRT Vulnerability filter operating and the custom view
fields displayed.
The results can be further filtered by entering a partial match string in the top left search box,
and the columns can be sorted in ascending/descending order by clicking on the column titles.

Figure 10 – PSIRT Issue View

The currently displayed information can be exported to CSV format for use by a spreadsheet or
other application by clicking the top right arrow button.
Clicking on the Title link of any PSIRT issue will open the NetMRI Issue Viewer, which allows
navigation by affected groups, using the left hand menu, and drill down to device details by
clicking the View link in the Details column.

Figure 11 – PSIRT Issue Viewer



5.2 The Device Lifecycle View
The Device Lifecycle View allows online browsing and searching of vendor sale and support
terminations for equipment on the network.
This view is available by clicking the top line button Network Explorer, and selecting the leftmost
tab Inventory.
Select a device group from the right-side menu, or “All Devices”.
An Equipment Role Filter is available in the left-side menu.
To review inventory without filtering, select “Devices” in the left-side menu, and click the item
“All Devices”.
In the middle panel, click the top right side button, Views, to show the menu of defined inventory
filters, and click on the item EoX Lifecycle Announcements.
The displayed results can be further filtered by entering a partial match string in the top left
search box, and the columns can be sorted in ascending/descending order by clicking on the
column titles.
The currently displayed information can be exported to CSV format for use by a spreadsheet or
other application by clicking the top right side arrow button.

Figure 12 – Inventory Lifecycle View

5.3 Editing Custom Views


The Advisor custom views can be used as a starting point for further customization of
vulnerability and lifecycle monitoring.
To create a specifically targeted view based on the standard presentations, adjust the filtering,
displayed columns, and sorting as required [7].
To register an updated view, click the left-side Views button to open the view operations menu,
and click on Add View, as shown in Figure 13.

[7] For details on setting up new Custom Views, see the section Working with Table Information in the NetMRI
online reference.



In the Add View dialog, enter a short name and description for the updated view, and click OK.

Figure 13 – Adding a Custom View



6.0 Vulnerability Update Notifications
The NetMRI Advisor service can provide user notifications when a new vulnerability policy has
been created, or when an existing one has been updated.
These notifications are sent via NetMRI’s SMTP alerting service when triggered by the Advisor
client.

6.1 Configuring Email Alerting


At the top right of the NetMRI GUI, click the Gear icon to raise the System Settings window.
In the right hand side menu, select Notifications, and click on System Settings.

Figure 14 - Configure SMTP Server Access

Enter the Hostname or IP address, Port, Username, and Password of the MTA NetMRI should
use for outgoing emails [8].
Click the button labeled Save at the bottom of the window to commit the MTA settings.

[8] For more information, see Defining Global Notification Settings, in the NetMRI online reference.



6.2 Configuring a Custom Advisor Alert
At the top right of the NetMRI GUI, click the Gear icon to raise the System Settings window.
In the right hand side menu, select Notifications, and click on Subscriptions.
Click on the bottom right button Add Notification.

Figure 15 - Adding a Notification

When the Add Notification window appears, in the Issues section, select “1 New PSIRT Rules
Loaded”, and select the device group “All Devices”, as shown in Figure 16.
To ensure that all Advisor update information is present in the notification, make sure that the
Summarize checkbox is not checked.
Next, select the NetMRI users and fill in any other email addresses to be notified of Advisor policy
updates.



Figure 16 - Adding an Advisor Email Subscription

Click the Advanced Settings button and enter the desired information for From Address and
Subject.
For the From Name, enter “NetMRI_PSIRT_Advisories”.
For the Mime Type, select Plain Text [9].
Click Save to commit the Advanced Email Settings.
Hit Save again in the Add Notification window to complete the configuration.

[9] There is no need to change the Message Text, as the client will update this automatically when sending a
notification.



Figure 17 - Advanced Email Settings



7.0 Reporting
The Advisor service comes with standard vulnerability and lifecycle reports, which can be used
as is, or customized as needed.
The reports are shipped in NetMRI’s XML transport format, and can be loaded onto the system
directly from the UI.

7.1 Importing the Standard Advisor Reports


From the main NetMRI window, click the top button Reports, and click the “Import Custom
Report” button at the top right.

Figure 18 – NetMRI Report Gallery

In the import dialog box, select “Choose File” and pick the category to list the report under.

Figure 19 – Custom Report Import

Choose the report XML file to load and click the button labeled Open.



Figure 20 – Choosing Report File

Click Import and wait for the web page to refresh.

Figure 21 – Importing Report XML File

After the page refreshes, the report should show up in the selected Category, and can be run
ad-hoc, or scheduled.

7.2 Customizing the Advisor Reports


The easiest way to create a customized Vulnerability or Lifecycle report is to start with a copy of
one of the standard Advisor versions and modify it as required.

7.3 Copying a Standard Report


From the main NetMRI window, click the top button Reports to view the Report Gallery.
Using the mouse, hover over the report to be duplicated, and click on the link called “Export”.
The NetMRI GUI will then export an XML report definition file to your browser’s default
download directory.

Figure 22 – Exporting a Standard Report

To create the modified report, click the “Import Custom Report” button at the top right, and
select the newly exported XML file, as described above in Section 7.1.
Once the file is selected, do the following:
1. Click the button “Import”, as shown in Figure 23,

2. At the prompt window, click “Rename”, and

3. At the file name entry window, type in a new name and click “OK”.



Figure 23 - Duplicating a Standard Report

After the page refreshes, the duplicated report should show up in the selected category, and
can be edited by mouse hovering over the item in the Report Gallery and clicking the link “Edit”
to open the Report Wizard [10].

[10] For more on designing NetMRI reports, see the section Defining Custom Reports in the NetMRI online
reference.



8.0 Changing the Advisor User ID or Password
To access the NetMRI API and update data and policies, the Advisor client needs a valid
username and password for an existing account with administrator privileges.
If the Advisor client’s password or user id needs to be changed, use the following procedure to
update the credentials.

8.1 Updating Client Authentication


Using an SSH client, log into the NetMRI Sandbox, and change to the directory:
~/PSIRT/Utilities/BASE64/

Figure 24 – SSH to the NetMRI Sandbox

Using the provided BASE64 utility, convert the new username/password to a BASE64 encoded
string.

[root@sandbox ~]# java BASE64 someuser somepasswd
username someuser
password *****
BASE64 c29tZXVzZXI6c29tZXBhc3N3ZA==

Copy the authentication string (the BASE64 value above) to the clipboard.



8.2 Update the Advisor client’s access credentials
Edit the file ~/PSIRT/PSIRT_Update.sh, and paste the generated string as the new value of
SNMP_USERAUTH, so it reads as:

# NetMRI userid and passwd, BASE64 encoded
SNMP_USERAUTH="c29tZXVzZXI6c29tZXBhc3N3ZA==";

Figure 25 - Changing the Authentication String
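
BASE64 is an encoding, not encryption: the sample string above decodes to someuser:somepasswd, so anyone who can read PSIRT_Update.sh can recover the administrator credentials. The following added example in Python (not part of the Infoblox guide or the Advisor client; function names are hypothetical) reproduces that string, reads the password with getpass instead of taking it as a command-line argument, and checks the script's file mode.

```python
import base64
import binascii
import getpass
import os
import re
import stat

USERAUTH_RE = re.compile(r'^\s*SNMP_USERAUTH="([^"]*)"', re.MULTILINE)

# Constructed sample mirroring the two lines shown in Section 8.2.
SAMPLE_SCRIPT = (
    "# NetMRI userid and passwd, BASE64 encoded\n"
    'SNMP_USERAUTH="c29tZXVzZXI6c29tZXBhc3N3ZA==";\n'
)


def encode_userauth(user: str, password: str) -> str:
    """Build the BASE64 string for 'user:password', matching the page's sample."""
    if ":" in user:
        raise ValueError("user id must not contain ':'")
    return base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def decode_userauth(value: str) -> tuple:
    """Recover (user, password); no key is needed, which is the point."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a BASE64 credential string: {exc}") from exc
    user, sep, password = text.partition(":")
    if not sep:
        raise ValueError("decoded value has no ':' separator")
    return user, password


def extract_userauth(script_text: str):
    """Return the SNMP_USERAUTH value assigned in the script, or None."""
    match = USERAUTH_RE.search(script_text)
    return match.group(1) if match else None


def audit_script(path: str) -> list:
    """List findings for the file that stores the encoded credentials."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path}: readable by group/other (mode {mode:04o})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group/other (mode {mode:04o})")
    with open(path, encoding="utf-8") as fh:
        value = extract_userauth(fh.read())
    if value is None:
        findings.append(f"{path}: no SNMP_USERAUTH assignment found")
    else:
        try:
            decode_userauth(value)
        except ValueError as exc:
            findings.append(f"{path}: SNMP_USERAUTH is malformed ({exc})")
    return findings


if __name__ == "__main__":
    # The password is prompted for, so it never appears in shell history
    # or in the process list.
    user = input("Advisor user id: ")
    print(encode_userauth(user, getpass.getpass("Password: ")))
    for finding in audit_script(os.path.expanduser("~/PSIRT/PSIRT_Update.sh")):
        print("WARNING:", finding)
```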

8.3 Verifying Client Communication


It is recommended to verify the updated authentication credentials to ensure uninterrupted
service.
To verify the new settings, run PSIRT_Update.sh with a single argument, “test”.
The results should look similar to the following:
[root@sandbox ~]# cd
[root@sandbox ~]# ./PSIRT/PSIRT_Update.sh test
Thu Jun 29 13:42:23 EDT 2017 PSIRT_Update.sh: starting up in /sbuser/PSIRT
Thu Jun 29 13:42:23 EDT 2017 PSIRT_Update.sh: testing connectivity to NetMRI at 192.168.151.32
Thu Jun 29 13:42:24 EDT 2017 PSIRT_Update.sh: connection OK
Thu Jun 29 13:42:24 EDT 2017 PSIRT_Update.sh: testing API access to NetMRI at 192.168.151.32
Thu Jun 29 13:42:25 EDT 2017 PSIRT_Update.sh: authentication OK
Thu Jun 29 13:42:25 EDT 2017 PSIRT_Update.sh: testing access to CVRF Service at ec2-55-555-555-55.compute-1.amazonaws.com:8888
Thu Jun 29 13:42:31 EDT 2017 PSIRT_Update.sh: authcheck is OK
Thu Jun 29 13:42:31 EDT 2017 PSIRT_Update.sh: CVRF Service online at ec2-55-555-555-55.compute-1.amazonaws.com:8888
Thu Jun 29 13:42:31 EDT 2017 PSIRT_Update.sh: done.
[root@sandbox ~]#

Figure 26 – Verifying the Advisor Client’s configuration

The Advisor client is now current with the updated password.



Glossary of Terms and Abbreviations

Term                 Definition
CVE                  Common Vulnerabilities and Exposures. A dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities.
CVSS                 Common Vulnerability Scoring System. A standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores.
Deploying Policies   NetMRI policies take effect and the rules are evaluated only once they have been deployed against specific device groups. Once a policy is deployed, the targeted devices are assessed against the rules associated with the policy to derive the compliance result.
UI / GUI             User Interface, Graphical User Interface
NetMRI               Network management Product/Platform offered by Infoblox
Infoblox             Company which owns NetMRI product
NetMRI Advisor       Infoblox Security Vulnerability and Lifecycle Management Service for NetMRI.



Table of Figures
Figure 1 - NetMRI Advisor Client/Server Configuration.
Figure 2 - Selecting the NetMRI system from Inventory
Figure 3 - Adjusting Advisor Policy Thresholds
Figure 4 - Setting a Custom Severity Value
Figure 5 - Deploying Policies against Multiple Device Groups
Figure 6 - Deploying Multiple Policies against a Device Group
Figure 7 - Sorting by Recent Advisories
Figure 8 - NetMRI Issues Screen
Figure 9 – Selecting the PSIRT Issue View
Figure 10 – PSIRT Issue View
Figure 11 – PSIRT Issue Viewer
Figure 12 – Inventory Lifecycle View
Figure 13 – Adding a Custom View
Figure 14 - Configure SMTP Server Access
Figure 15 - Adding a Notification
Figure 16 - Adding an Advisor Email Subscription
Figure 17 - Advanced Email Settings
Figure 18 – NetMRI Report Gallery
Figure 19 – Custom Report Import
Figure 20 – Choosing Report File
Figure 21 – Importing Report XML File
Figure 22 – Exporting a Standard Report
Figure 23 - Duplicating a Standard Report
Figure 24 – SSH to the NetMRI Sandbox
Figure 25 - Changing the Authentication String
Figure 26 – Verifying the Advisor Client’s configuration
