Cisco IOS Embedded Event Manager as a Security Enabler
Cisco IOS Embedded Event Manager (EEM) is a technology that allows a Cisco IOS device to detect an event and perform an action. EEM links events and actions using EEM policies, which are manifested as either configuration-based EEM applets, or EEM scripts that exist as Tcl scripts on the Cisco IOS device.

EEM has been successful in many ways; it is recognized as a powerful troubleshooting tool and as a great aid in detecting those hard-to-catch intermittent network issues. Perhaps less well known, however, is that the reactive capabilities of EEM lend themselves very well to the identification of security issues on Cisco IOS devices.

Within the realm of security, EEM can be used to instrument the “un-instrumented”. For example, Cisco IOS XR Software contains a security feature known as Local Packet Transport Services (LPTS). Although widely heralded as a fantastic security feature, LPTS does not contain robust reporting capabilities. So while LPTS can be used to protect Cisco IOS XR devices from several types of denial of service attacks, it is impossible for an LPTS-enabled device to alert an administrator that an attack may be occurring. Enter EEM…

Every EEM policy identifies an event to detect. The event may be one of over 15 predefined event types, such as the expiration of a timer or the matching of an executed CLI command against a regular expression. Should the desired event take place, the EEM policy will perform the actions specified in the respective policy. In the case of EEM applets, these actions will likely be a sequential series of commands or the generation of a syslog message. In the case of the significantly more powerful EEM scripts, a Tcl script will be executed. The Tcl script can perform nearly limitless tasks on the Cisco IOS device.

By using EEM to instrument LPTS, or more correctly using a Tcl-based EEM policy, it is possible for an administrator to set thresholds, automatically examine local LPTS data using show commands, and perform the math required for trending over time. If, or when, a security event occurs against the network device, the EEM policy can alert security staff using an intelligently formed and detailed syslog message. The following is an example of what that message may look like:
lpts-threshold-alerting.tcl: LPTS drop threshold (1000) exceeded for flow type BGP-default on 0/2/0, 3333 drops in last 60 seconds.
A script has been built specifically for this purpose. The video below demonstrates this script in action. This script is available on Cisco Beyond, a user community built by Cisco specifically for collaboration around EEM scripts. Cisco Beyond even has a Security category.

It is important to note that the above example using EEM with LPTS is exactly that, an example. There are numerous ways in which EEM, coupled with a little creativity, can aid the security of a network. Other interesting EEM scripts that exist today include Cisco IOS Queue Wedge Detection and Control Plane Policing Baseline Creation.

For more general information about EEM, you can refer to the EEM documentation or the configuration guides specific to applets and scripts.
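To make the threshold-and-delta idea concrete, here is an added illustrative EEM Tcl policy (written for this article, not the Cisco Beyond script or any Cisco-provided code) that polls LPTS policer counters on a watchdog timer and raises a syslog message shaped like the one above when the drops seen in one interval exceed a threshold. The environment variable names (_lpts_drop_threshold, _lpts_location, _lpts_state_file), the state-file approach, and the assumed column layout of the show command output are assumptions; check the column layout against the platform before relying on the parser.

```tcl
::cisco::eem::event_register_timer watchdog time 60 maxrun 30

# Assumed EEM environment variables (set with "event manager environment"):
#   _lpts_drop_threshold  drops per interval that trigger an alert, e.g. 1000
#   _lpts_location        line card to query, e.g. 0/2/0
#   _lpts_state_file      writable path on the device used to keep the previous snapshot
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

foreach v {_lpts_drop_threshold _lpts_location _lpts_state_file} {
    if {![info exists $v]} { error "EEM environment variable $v is not set" }
}

# Collect current LPTS policer statistics (IOS XR, so no "enable" step is needed).
if {[catch {cli_open} result]} { error $result $errorInfo }
array set cli $result
if {[catch {cli_exec $cli(fd) "show lpts pifib hardware police location $_lpts_location"} output]} {
    error $output $errorInfo
}
catch {cli_close $cli(fd) $cli(tty_id)}

# Parse the table. Assumption: a data row starts with the flow-type name and its
# last field is the Dropped counter; header, separator and "Node" lines do not match.
array set now {}
foreach line [split $output "\n"] {
    if {[regexp {^([A-Za-z][\w-]*)\s+.*\s(\d+)\s*$} $line -> flow dropped]} {
        set now($flow) $dropped
    }
}

# Load the snapshot written by the previous run, if one exists.
array set prev {}
if {![catch {open $_lpts_state_file r} fh]} {
    array set prev [read $fh]
    close $fh
}

# Compare per flow type; a negative delta means the counter was reset, so skip it.
foreach flow [array names now] {
    if {![info exists prev($flow)]} { continue }
    set delta [expr {$now($flow) - $prev($flow)}]
    if {$delta < 0} { continue }
    if {$delta > $_lpts_drop_threshold} {
        action_syslog priority warning msg "LPTS drop threshold ($_lpts_drop_threshold) exceeded for flow type $flow on $_lpts_location, $delta drops in last 60 seconds."
    }
}

# Persist the current snapshot for the next interval.
set fh [open $_lpts_state_file w]
puts $fh [array get now]
close $fh
```

The first run only records a baseline, so alerts begin with the second interval; forwarding the warning to a central syslog collector is what turns the silent LPTS drops into something a SOC can act on.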