Network configuration management: an innovative, additional layer of network security.

With the increased number of cyber attacks and the overall complexity of enterprise networks today, IT professionals are challenged with the daunting task of protecting networks from known and unknown malicious activity. To combat network security issues, many organizations are deploying a layered security architecture that spans from the Internet to the desktop. The typical network security solutions companies deploy include firewalls, intrusion detection systems, anti-virus software, etc. Many organizations also utilize vulnerability assessments, penetration tests and other means to identify network vulnerabilities.

While traditional security solutions and services are being deployed to protect the network, devices continue to fall victim to attacks. As a result, many organizations are looking outside the "security application box" to other solutions that can more effectively secure, manage and maintain critical devices throughout the network.

One particular application category IT professionals are turning to is Network Configuration Management. Network configuration management solutions are specifically designed to automate the process of changing, securing and managing devices throughout the enterprise. Companies are turning to network configuration management solutions because there is a direct correlation between properly configured devices and network security. Whether configuration changes are introduced through malicious attacks, manual update errors, or network product defects, devices can become vulnerable and place your business at risk.

By leveraging a configuration management solution as part of their security strategy, organizations can arm IT professionals with device security and intrusion response functionality that is not found in traditional security solutions. Additionally, network configuration management solutions provide organizations with a disciplined change management methodology that ensures IT professionals can only make changes that comply with the enterprise security policies.

Configuration management solutions enable IT professionals to:

* Identify vulnerabilities throughout the network
* Define network security policies
* Automate the deployment of security and device configuration updates
* Inform IT of network intrusions and unauthorized configuration changes
* Arm management with critical security and device configuration forensics information

[FIGURE 1 OMITTED]

Addressing Network Vulnerabilities Using Configuration Management Solutions

The first thing an IT professional asks when network vulnerabilities have been identified is "What segment of my network is affected and what devices will be impacted?" While most companies document a snapshot of their network at one time or another, in all likelihood, that snapshot becomes outdated just days (if not hours) after it is produced. Without a real-time view of the network and a well-documented history, IT professionals must spend precious time understanding the current state of their infrastructure before they are in a position to answer this simple question.

Access Important Network Configuration Documentation

Configuration management solutions arm IT professionals with the real-time documentation and device configuration change history necessary to understand network vulnerabilities and dramatically reduce the mean time to repair. By accessing accurate network documentation through a configuration management solution, IT professionals can quickly identify what systems have been impacted and the configuration history of those devices before the vulnerability was introduced.

Deploy Critical Device Configuration Changes

Configuration management solutions not only assist IT professionals during the troubleshooting process but also help solve the problem at hand. Many times, new vulnerabilities are discovered. This quick discovery immediately enables IT to deploy widespread updates to security policies and device configuration changes. Having a configuration management solution that supports security policy templates enables IT professionals to quickly update the policy and apply the change to every device that is impacted by the policy, often before any real damage can be done.

Vulnerabilities can be introduced through network attacks, manual errors, even by personnel changes within the IT department itself. What happens when an employee leaves or a partner decides to move on and work with a competitor? This single event can create serious security vulnerabilities, and to address this issue the IT department must deploy new passwords and access privileges to potentially thousands of devices throughout the enterprise.

Most IT organizations are already running at capacity dealing with ongoing projects and service requests. When passwords or password policies must be changed, it can take days, if not weeks, to manually update the devices. Even if scripts are used to expedite the process, different scripts must be written for thousands of different devices that come from a multitude of manufacturers. Without a solution that can automate these manual and resource-intensive processes, other critical initiatives are delayed, which can have a devastating impact on the overall performance of the business.

Whether changes are made manually or through the development and deployment of custom scripts, what sounds like a simple task--updating password settings--can be monumental. A configuration management solution enables a single IT professional to "resecure" every device on the network in minutes, thus greatly reducing the overall risk to the business.

Improving Policy Compliance, Network Maintenance, Access and Capacity Management

Many companies have security policies in place; however, communication of these policies through an organization is both time consuming and subject to interpretation. As a result, policies are rarely complied with or validated and thus several devices on the network become vulnerable. With a configuration management solution, organizations can automatically conduct security and device setting verifications on a regular basis. The benefits are twofold: security policies are easily updated and constantly validated with minimal time and effort, and IT professionals have more time to focus on strategic projects that will have a positive impact on the business.

Maintain and Update Thousands of Devices

Maintaining and updating devices on a consistent basis plays a critical role in network security. If an organization does not deploy security patches, roll passwords, update Access Control Lists (ACLs), etc., then the likelihood of a device going down increases substantially.

Recently, Cisco Systems announced a vulnerability in their IOS router software making it highly susceptible to Denial of Service (DoS) attacks. One way of preventing the DoS on a Cisco router was to update the ACL on every router across the enterprise until the appropriate IOS could be identified and tested. Unfortunately, manually applying this type of fix could take days if not weeks. Using a configuration management solution, companies were able to push the ACL update out to all appropriate devices within minutes. Clearly, one can see that an intelligent, automated configuration management solution enables companies to quickly eliminate devastating network security vulnerabilities throughout the enterprise.

Role of Network Utilization Systems in Network Security

Understanding the "normal" utilization characteristics of a network is critical to detect and respond to certain types of attacks on a network infrastructure. Capacity planning systems are an excellent way to monitor and track utilization patterns.

SYN Flood or Denial of Service attacks can take down or at least render parts of a network useless during the attack. Flooding traffic, malicious or not, can usually be controlled quickly through the use of access lists to block initiators of traffic or specific traffic types, provided it can be detected and the appropriate IT professionals are notified. Once the utilization is understood, thresholds can be placed in the capacity planning system to alert IT of abnormal utilization, and predesigned control policies can be quickly deployed through the configuration management system to address the problem.

Adding Another Layer of Intrusion Detection to Your Security Infrastructure

Industry analysts estimate that over 50% of all network outages are device configuration related. These configuration errors can be introduced through accidental human error or by intentional, malicious activities. Knowing that a change has occurred is the first step in understanding an outage.

A configuration management system that automatically detects configuration updates and versions the configuration repository can provide IT with quick resolution capabilities but, more importantly, notify IT of a possible external attack on the network. For example, suppose a hacker cracks the password of an externally accessible network device. One of the quickest ways to gain access to the rest of the network is to update the configuration of the device. A configuration management system can detect that a change has occurred outside of the normal change process and send a critical alert to appropriate systems and people. Network configuration management systems should also enable IT professionals to quickly identify changes, roll back these changes and deploy the updates necessary to block future unauthorized access to the device.

Leveraging Configuration Forensics Information to Prevent Malicious Attacks

Network configuration management solutions capture and maintain real-time and historical views of network devices. This information enables IT professionals to determine the source of errors down to the exact time and user, roll back or recover the desired network configuration, and adjust change processes to reduce the risk of repeating the error in the future. It also provides a great source of information when investigating a breach in security, helping to pinpoint the exact cause and events that enabled the breach.
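
The out-of-process change detection and configuration forensics described in the two sections above, as an added example (not from the original article or from any vendor product): it compares a device's running configuration with the last approved version, checks whether the change was seen inside an approved change window, and reports who changed what. The device name, configurations, change ticket and window format are constructed for illustration.

```python
import difflib
import hashlib
import re
from datetime import datetime

# Lines that change on every save and must not count as drift (IOS-style).
VOLATILE = re.compile(r"^(! Last configuration change|! NVRAM config last updated|ntp clock-period)")
CHANGED_BY = re.compile(r"^! Last configuration change at (.+?) by (\S+)", re.M)

def normalize(config):
    """Strip trailing whitespace, blank lines and volatile lines."""
    lines = [line.rstrip() for line in config.splitlines()]
    return [line for line in lines if line and not VOLATILE.match(line)]

def fingerprint(config):
    """Stable SHA-256 of the normalized configuration."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()

def audit(device, approved, running, seen_at, windows):
    """Classify the running config against the last approved version."""
    if fingerprint(approved) == fingerprint(running):
        return {"device": device, "status": "unchanged", "diff": []}
    diff = list(difflib.unified_diff(normalize(approved), normalize(running),
                                     "approved", "running", lineterm="", n=0))
    changes = [d for d in diff[2:] if not d.startswith("@@")]
    # A change is authorized only if it was seen inside an approved window.
    ticket = next((t for dev, start, end, t in windows
                   if dev == device and start <= seen_at <= end), None)
    who = CHANGED_BY.search(running)
    return {"device": device,
            "status": "authorized" if ticket else "unauthorized",
            "ticket": ticket,
            "changed_by": who.group(2) if who else None,
            "diff": changes,
            "rollback_to": fingerprint(approved)}

# Constructed sample data: device name, configs, ticket and times are invented.
APPROVED = """\
! Last configuration change at 09:15:02 UTC Mon Jun 2 2003 by netops
hostname edge-rtr-01
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
"""
RUNNING = """\
! Last configuration change at 02:41:17 UTC Sun Jun 8 2003 by admin
hostname edge-rtr-01
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 permit any
line vty 0 4
 access-class 10 in
 transport input ssh telnet
"""
WINDOWS = [("edge-rtr-01", datetime(2003, 6, 7, 22, 0), datetime(2003, 6, 8, 0, 0), "CHG-0001")]

if __name__ == "__main__":
    result = audit("edge-rtr-01", APPROVED, RUNNING, datetime(2003, 6, 8, 2, 45), WINDOWS)
    print(result["status"], "by", result["changed_by"])
    for line in result["diff"]:
        print(line)
```

The `rollback_to` value identifies the approved version to restore, and the diff lines are what an alert to the appropriate systems and people would carry.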

With automatic configuration audit tracking, IT professionals have access to more timely diagnosis and disaster recovery data. With access to both real-time and historical views of the network, IT professionals have everything they need to "reset" the network and make network configuration changes in a more cost effective, intelligent and timely manner.

Network Configuration Management Solutions Enhance Security, Save Money

Figure 2 shows a quick snapshot of the security enhancements intelligent and proactive configuration management solutions deliver:

* A systematic method for designing, deploying and managing change to network configurations
* Real-time, network connected asset discovery, configuration control, and knowledge mining
* A secure, automated and auditable approach to change management
* Responsive capacity forecasting
* Granular, insightful, and proactive resource utilization analysis and reporting

Benefits realized:

* Maximizes return on network investment by 20% asset recovery
* Reduces total cost of ownership by 25%
* Reduces mean time to repair by 20%
* Improves network configuration accuracy through proactive verification and validation
* Manages and improves change control
* Controls expenses by identifying resources to reallocate resulting in 20% reduction in unnecessary or redundant bandwidth growth
* Provides precise predictions through 30 second polling
* Saves time with automated procurement planning and budgeting

While intrusion detection systems, firewalls and other solutions play a critical role in securing a network, configuration management solutions deliver added functionality that further enhances their effectiveness. Omni Consulting Group recently conducted a survey where 3,000 U.S. business executives said gaps in network security cost their companies 5.7% of revenue on an annual basis. Organizations that leverage configuration management solutions to further reduce security gaps not only save money but also contribute dollars to the bottom line.

Configuration Management              Benefit
Security Enhancements

A systematic method for designing,    * Maximizes return on network
deploying and managing change to        investment by 20% asset recovery
network configurations                * Reduces total cost of ownership by
Real-time, network connected asset      25%
discovery, configuration control,     * Reduces mean time to repair by 20%
and knowledge mining                  * Improves network configuration
A secure, automated and auditable       accuracy through proactive
approach to change management           verification and validation
                                      * Manages and improves change
                                        control

Responsive capacity forecasting       * Controls expenses by identifying
Granular, insightful, and               resources to reallocate resulting
proactive resource utilization          in 20% reduction in unnecessary or
analysis and reporting                  redundant bandwidth growth
                                      * Provides precise predictions
                                        through 30 second polling
                                      * Saves time with automated
                                        procurement planning and budgeting

Figure 2

RELATED ARTICLE: Network Configuration Management Solutions Patch Cisco IPv4 Vulnerability

This summer, Cisco announced an IPv4 vulnerability, which made routers susceptible to denial-of-service attacks. When attacked, the router and the network would go down. To prevent this from happening, IT professionals were left with the task of manually reconfiguring and updating Access Control Lists (ACLs) on hundreds if not thousands of routers across a network.

Using network configuration management solutions, IT professionals were able to deploy new ACLs and update the IOS system in minutes, not days or weeks. Additionally, when the security breach occurred, network configuration management solutions armed IT professionals with an audit trail of changes that were made and instantly rolled back to the previous device configuration.

David Schrodel is chief technology officer at Voyence, Inc. (Richardson, TX) www.voyence.com