Maintaining a secure posture within any enterprise is a difficult task. It can be particularly difficult on the network infrastructure for a variety of reasons, including software quality and the limited availability of maintenance windows in which the network can be taken down.
Arista’s software architecture has enabled most security patches to be delivered as hot patches that can be applied to a live, running system with little to no impact on the network dataplane, eliminating some of the most difficult challenges of maintaining a secure software posture.
The only challenge that remains is the effort required to distribute these software patches. In this article, we are going to demonstrate using the CloudVision Portal to apply a security advisory hot patch to a live network in an automated, no impact fashion.
Specifically, in this demonstration, we are going to apply a hot patch for Arista Security Advisory 38 to EOS version 4.20.8M that is vulnerable to CVE-2018-14008.
Shown in the screenshot below is the provisioning screen within CloudVision Portal and a small network that includes 2 spine and 6 leaf switches.
The first step is to create a new image bundle that includes the patch for security advisory 38. Within CloudVision Portal, an image bundle consists of a software image (a file with an SWI extension) and optionally includes one or more extensions in the form of files with a SWIX extension. The screenshot below shows the current contents of the image bundle library.
Clicking on the + symbol near the top right of the window opens the Create Image Bundle window. Enter an appropriate and meaningful name for the image bundle. In this case, we are indicating the software revision level and the security advisory hot patch in the bundle name.
After entering the name, the contents of the image bundle need to be added. Since we are duplicating the existing 4.20.8M bundle and adding a patch to it, we first click on the circular CD icon near the top right-hand corner to select files that are already uploaded and present within CloudVision. I have selected the 4.20.8M software image and the terminattr 1.5 SWIX, which matches the contents of the image bundle currently installed within this network. Click Add.
The final step in the creation of the image bundle is to add the patch itself. Simply click the file folder button near the top right of the window to bring up a local file browser to upload the patch file and select that file. It will be imported into the bundle. Click Save to complete the creation of the image bundle.
The new image bundle must be applied to devices in order to create tasks. In this example, I am selecting a container called DC1 that contains all of the inherited containers and EOS devices within this network. Right-clicking on this container brings up a menu from which I can navigate to Manage -> Image Bundle.
After navigating the menu to manage the image bundle, the following window is displayed. Select the new patched image bundle and click Update.
After selecting the new image bundle, click Save on the provisioning screen to save this change. The upgrade tasks for each device will be created automatically. At this point, there are two options: the tasks can simply be run from the task window, or they can be bundled into a change control event, which gives options around ordering, scheduling, and snapshotting. In this demonstration, I navigated through the tile icon in the top left to the change control workflow window.
Within the change control window, select all of the appropriate tasks. In this example, all of the open tasks are part of the upgrade. Click Add.
The next window allows the details of the change control to be set. A name is mandatory, which I have set below to ‘Apply sec adv 38’. I have also changed the snapshot template to a custom template I had created that includes the output of the ‘show installed extensions’ command. Optionally, I can order the device upgrades or leave them to run in parallel. Clicking Execute will start the change control immediately. Clicking Save would allow the change control event to be scheduled for a later time, but in this demonstration I will execute it immediately.
The execution of the change control takes only a few seconds. CloudVision Portal recognizes that the software image and terminattr extension are not changing and that the only difference to be applied is the patch itself.
Pre-change snapshots are taken, followed by the copy and installation of the new extension and then a post-change snapshot. Clicking the View hyperlink for any one of the snapshots shows the results and the differences between the pre- and post-change snapshots. I have captured a screenshot of the relevant part of the output, which shows that after the change control the new patch is present and installed on the device.
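As an added example (not part of the original article and not CloudVision's or Arista's own code), the following Python check does programmatically what the snapshot diff shows visually: it reads the JSON form of `show extensions` for each device and lists every device where the patch extension is not both present and installed, so a fleet-wide change control can be verified rather than eyeballed. The patch file name is a placeholder (the article does not give it), the field names are assumed to follow the EOS eAPI layout, and the per-device output is constructed sample data.

```python
# Placeholder: the real SA-38 hot-patch file name is not given in the article.
PATCH_SWIX = "SecurityAdvisory0038-PLACEHOLDER.swix"

# Constructed sample of what 'show extensions' returns over eAPI (JSON) on three
# devices after the change control. Field names ("extensions", "status", "presence")
# are an assumption modelled on EOS eAPI output.
SAMPLE_POST_CHANGE = {
    "spine1": {"extensions": {
        "TerminAttr-1.5.0-1.swix": {"status": "installed", "presence": "present"},
        PATCH_SWIX: {"status": "installed", "presence": "present"}}},
    # Patch copied to flash but the install step did not complete.
    "leaf1": {"extensions": {
        "TerminAttr-1.5.0-1.swix": {"status": "installed", "presence": "present"},
        PATCH_SWIX: {"status": "notInstalled", "presence": "present"}}},
    # Patch never reached this device at all.
    "leaf2": {"extensions": {
        "TerminAttr-1.5.0-1.swix": {"status": "installed", "presence": "present"}}},
}


def patch_state(show_extensions, patch_name=PATCH_SWIX):
    """Classify one device's 'show extensions' output for the patch.

    Returns 'installed', 'not-installed' (present on flash but not applied),
    'absent' (listed but no longer present), or 'missing' (not listed at all).
    """
    ext = show_extensions.get("extensions", {}).get(patch_name)
    if ext is None:
        return "missing"
    if ext.get("presence") != "present":
        return "absent"
    return "installed" if ext.get("status") == "installed" else "not-installed"


def audit_fleet(per_device, patch_name=PATCH_SWIX):
    """Map device name -> patch state for every device in the change control."""
    return {dev: patch_state(out, patch_name) for dev, out in per_device.items()}


def unpatched(per_device, patch_name=PATCH_SWIX):
    """Sorted list of devices that still need attention after the change control."""
    return sorted(d for d, s in audit_fleet(per_device, patch_name).items()
                  if s != "installed")


if __name__ == "__main__":
    for dev, state in audit_fleet(SAMPLE_POST_CHANGE).items():
        print(f"{dev:8s} {state}")
    print("needs follow-up:", unpatched(SAMPLE_POST_CHANGE))
```

In a real deployment the `SAMPLE_POST_CHANGE` dictionary would be populated from each device's eAPI response, and a non-empty `unpatched()` result is the signal to re-run or investigate those tasks before closing the advisory.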
It is important to note that this example showed a patch being applied in a completely non-disruptive manner to 8 devices. The effort required to apply the same patch to 200 devices would be exactly the same.
CloudVision Portal offers differentiated and meaningful tools for network operations to improve the efficiency of operating large data center networks.