Managing network configuration changes
Manual processes for managing device configurations often create gaping security holes, warns Bala Venkatramani, marketing manager of IT Security solutions at ManageEngine
Today’s enterprises face unprecedented cyber-security threats. New breeds of cyber-attack keep evolving even as enterprises continue to bolster their defences. Although attacks arrive in myriad ways, attackers always look for the easy holes in perimeter devices such as switches, routers and firewalls to gain unauthorised access to the network. Where processes are lacking, we unwittingly make the intruder’s job easier.
The configurations of network devices are crucial from the standpoint of network security: they contain sensitive information such as access credentials, SNMP settings and ACLs. Business needs are in a constant state of flux, and administrators must respond to them by changing device configurations, which is a sensitive and time-consuming task. It requires specialised knowledge, familiarity with many device types from different vendors, awareness of the impact of each change, and precision.
Unfortunately, most enterprises rely on manual processes for Network Configuration Management. Manual configuration changes are fraught with the risk of errors that cause network downtime, and a trivial error in a configuration can have a devastating effect on network security, opening the door to hackers and malicious users. As the number of devices grows, administrators struggle to keep up with business priorities that demand frequent configuration changes, and the likelihood of error increases.
Flaws in security settings
Assume that a department in your organisation requests a temporary relaxation in the Access Control List (ACL) of a production router to meet an urgent business requirement. How do you handle this case? Normally such requests are accepted immediately and the ACL change is deployed. But, for lack of a process, the relaxation is not rolled back once the business requirement has been met. It is forgotten and stays in place indefinitely, inviting intruders into the network. If relaxations in security settings such as ACLs, SNMP communities and routing protocols are not properly tracked and reversed, intruders can easily gain access.
Rapidly responding to security alerts
If you manage a large number of network devices, enforcing security controls in device configurations by manual process is cumbersome and error-prone. Managing risk effectively is an important aspect of network security, but reacting to security alerts manually is both slow and error-prone. For example, rolling out an urgent firmware upgrade to 1,500 devices by hand will take even a fairly large team of network administrators several person-days, during which the network remains largely exposed to attack.
In multi-member work environments, network administrators often have to access production devices and deploy configuration changes to them. This requires collaboration among the administrators and consistency in how changes are rolled out. With a manual approach, all administrators typically have access to all devices and make changes as they see fit; in the absence of collaboration and consistency, this can introduce security vulnerabilities.
Moreover, allowing every administrator to roll out configuration changes to live equipment is dangerous, especially if the work is not reviewed by senior administrators. Role-based controls over who may make which changes are therefore vital, and the traditional manual approach offers no way to enforce such access controls and approvals.
When a device vendor announces end-of-life for a device, it is highly important to assess the risks of continuing to use it. For end-of-life (EOL) models the vendor may no longer offer support: your router or switch may hang or its performance may deteriorate, and a device such as a firewall may be found to have a security vulnerability for which no patch will ever be released. Numerous other issues can crop up over time, even if the device is working properly at present.
Network management experts therefore always advocate replacing devices that have reached end-of-life status, and IT regulations that emphasise network security restrict the use of outdated, unsupported models so that the network remains in good shape.
If a device that is working very well is categorised as end-of-life by the vendor, it would be prudent to de-link it from production and redeploy it for development or testing purposes.
It is highly important to replace end-of-life models. But when you have so many devices, how do you track the maintenance details? How do you know that a particular device has reached end-of-sale, end-of-life or end-of-support?
Policy-driven, automated approach — the way out
The best way to overcome these problems and ensure network security is to automate the entire life-cycle of Network Configuration Management. Network Change and Configuration Management (NCCM) software provides a policy-driven, automated approach that minimises many of the risks listed above: changes to device configurations are continuously monitored from the standpoint of network security, in fully automated fashion.
Administrators define policies containing standard security settings for device configurations. These security standards spell out which settings are allowed and which are forbidden, along with the traffic-filtering settings, permitted protocols and other vital controls, and the NCCM solution checks every configuration for compliance with the policy. Violations are escalated immediately, so a temporary relaxation that was never rolled back is caught rather than forgotten.
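The two checks described above, a policy compliance scan of a device configuration and detection of drift from an approved baseline (the forgotten ACL relaxation from the earlier scenario), are illustrated by the following added example. It is not ManageEngine code and not a real NCCM product; the Cisco IOS-style configuration syntax, the five policy rules, and both sample configurations are constructed for illustration.

```python
"""Policy-driven configuration compliance and drift check (constructed example).

Not ManageEngine code. The rules below are a hypothetical security baseline and
the sample configurations use IOS-style syntax purely for illustration.
"""
import difflib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str    # regex tested against each configuration line
    required: bool  # True: at least one line must match; False: no line may match


# Hypothetical baseline policy: "forbidden" settings and "required" settings.
POLICY = [
    Rule("no default SNMP community", r"^snmp-server community (public|private)\b", required=False),
    Rule("no telnet on management lines", r"^\s*transport input .*\btelnet\b", required=False),
    Rule("no permit-any in ACLs", r"^access-list \d+ permit (ip )?any any", required=False),
    Rule("password encryption enabled", r"^service password-encryption$", required=True),
    Rule("SSH-only management access", r"^\s*transport input ssh$", required=True),
]

# Constructed sample: the approved baseline configuration.
BASELINE = """\
hostname edge-rtr-1
service password-encryption
snmp-server community S3cureStr1ng RO 10
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 110 permit tcp 10.10.0.0 0.0.255.255 host 192.0.2.10 eq 443
access-list 110 deny ip any any log
line vty 0 4
 transport input ssh
"""

# Constructed sample: the running configuration after a "temporary" relaxation
# that was never rolled back, plus a default SNMP community someone added.
RUNNING = """\
hostname edge-rtr-1
service password-encryption
snmp-server community S3cureStr1ng RO 10
snmp-server community public RO
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 110 permit tcp 10.10.0.0 0.0.255.255 host 192.0.2.10 eq 443
access-list 110 permit ip any any
access-list 110 deny ip any any log
line vty 0 4
 transport input ssh
"""


def check_compliance(config_text, policy=POLICY):
    """Return violations as (rule name, offending line or None for a missing required setting)."""
    lines = [line.rstrip() for line in config_text.splitlines()]
    violations = []
    for rule in policy:
        rx = re.compile(rule.pattern)
        hits = [line for line in lines if rx.search(line)]
        if rule.required and not hits:
            violations.append((rule.name, None))
        elif not rule.required:
            violations.extend((rule.name, hit.strip()) for hit in hits)
    return violations


def config_drift(baseline_text, running_text):
    """Return (added, removed) lines of the running config relative to the approved baseline."""
    added, removed = [], []
    for line in difflib.unified_diff(baseline_text.splitlines(), running_text.splitlines(),
                                     lineterm="", n=0):
        if line.startswith(("+++", "---", "@@")):
            continue  # skip diff headers; only real line changes matter
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return added, removed


if __name__ == "__main__":
    for name, offending in check_compliance(RUNNING):
        print(f"VIOLATION: {name}" + (f" -> {offending}" if offending else " (setting missing)"))
    added, removed = config_drift(BASELINE, RUNNING)
    for line in added:
        print(f"DRIFT +{line}")
    for line in removed:
        print(f"DRIFT -{line}")
```

Run against the constructed samples, the baseline passes cleanly while the running configuration raises two policy violations and shows two lines of drift; a real NCCM deployment would pull the running configuration from each device on a schedule and raise an alert on any non-empty result, which is what turns a forgotten relaxation into an escalated event.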
NCCM solutions also apply security upgrades to multiple devices in fully automated fashion, without manual intervention. End-of-life status can be tracked automatically, so you can ensure your devices remain in good shape. Access to configurations can be controlled by role, and an approval workflow enforced for changes, which helps prevent unauthorised changes.
Apart from minimising risks, eliminating manual errors and bolstering security, the automated approach saves cost, time and resources, freeing administrators to concentrate on other productive aspects of network management.