Network configuration management: an innovative, additional layer of network security.


With the increased number of cyber attacks and the overall complexity of enterprise networks today, IT professionals are challenged with the daunting task of protecting networks from known and unknown malicious activity. To combat network security issues, many organizations are deploying a layered security architecture that spans from the Internet to the desktop. The typical network security solutions companies deploy include firewalls, intrusion detection systems, anti-virus software, etc. Many organizations also utilize vulnerability assessments, penetration tests and other means to identify network vulnerabilities.

While traditional security solutions and services are being deployed to protect the network, devices continue to fall victim to attacks. As a result, many organizations are looking outside the "security application box" to other solutions that can more effectively secure, manage and maintain critical devices throughout the network. One particular application category IT professionals are turning to is Network Configuration Management.

Network configuration management solutions are specifically designed to automate the process of changing, securing and managing devices throughout the enterprise. Companies are turning to network configuration management solutions because there is a direct correlation between properly configured devices and network security. Whether configuration changes are introduced through malicious attacks, manual update errors, or network product defects, devices can become vulnerable and place your business at risk.

By leveraging a configuration management solution as part of their security strategy, organizations can arm IT professionals with device security and intrusion response functionality that is not found in traditional security solutions. Additionally, network configuration management solutions provide organizations with a disciplined change management methodology that ensures IT professionals can only make changes that comply with the enterprise security policies.

Configuration management solutions enable IT professionals to:

* Identify vulnerabilities throughout the network

* Define network security policies

* Automate the deployment of security and device configuration updates

* Inform IT of network intrusions and unauthorized configuration changes

* Arm management with critical security and device configuration forensics information

[FIGURE 1 OMITTED]

Addressing Network Vulnerabilities Using Configuration Management Solutions

The first thing an IT professional asks when network vulnerabilities have been identified is "What segment of my network is affected and what devices will be impacted?" While most companies document a snapshot of their network at one time or another, in all likelihood, that snapshot becomes outdated just days (if not hours) after it is produced. Without a real-time view of the network and a well-documented history, IT professionals must spend precious time understanding the current state of their infrastructure before they are in the position to answer this simple question.

Access Important Network Configuration Documentation

Configuration management solutions arm IT professionals with the real-time documentation and device configuration change history necessary to understand network vulnerabilities and dramatically reduce the mean time to repair. By accessing accurate network documentation through a configuration management solution, IT professionals can quickly identify what systems have been impacted and the configuration history of those devices before the vulnerability was introduced.

Deploy Critical Device Configuration Changes

Configuration management solutions not only assist IT professionals during the troubleshooting process but also help solve the problem at hand. Many times, new vulnerabilities are discovered. This quick discovery immediately enables IT to deploy widespread updates to security policies and device configuration changes. Having a configuration management solution that supports security policy templates enables IT professionals to quickly update the policy and apply the change to every device that is impacted by the policy, often before any real damage can be done.

Vulnerabilities can be introduced through network attacks, manual errors, even by personnel changes within the IT department itself. What happens when an employee leaves or a partner decides to move on and work with a competitor? This single event can create serious security vulnerabilities, and to address this issue the IT department must deploy new passwords and access privileges to potentially thousands of devices throughout the enterprise.

Most IT organizations are already running at capacity dealing with ongoing projects and service requests. When passwords or password policies must be changed, it can take days, if not weeks, to manually update the devices. Even if scripts are used to expedite the process, different scripts must be written for thousands of different devices that come from a multitude of manufacturers.

Without a solution that can automate these manual and resource-intensive processes, other critical initiatives are delayed, which can have a devastating impact on the overall performance of the business.

Whether changes are made manually or through the development and deployment of custom scripts, what sounds like a simple task--updating password settings--can be monumental. A configuration management solution enables a single IT professional to "resecure" every device on the network in minutes, thus greatly reducing the overall risk to the business.

Improving Policy Compliance, Network Maintenance, Access and Capacity Management

Many companies have security policies in place; however, communication of these policies through an organization is both time-consuming and subject to interpretation. As a result, policies are rarely complied with or validated, and thus several devices on the network become vulnerable. With a configuration management solution, organizations can automatically conduct security and device setting verifications on a regular basis. The benefits are twofold: security policies are easily updated and constantly validated with minimal time and effort, and IT professionals have more time to focus on strategic projects that will have a positive impact on the business.
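The automated verification described above can be sketched as a rule-based audit over stored device configurations. This is an added example, not code from the article or from any vendor product; the rule IDs, the policy contents and the device names are assumptions, and the sample configurations are constructed.

```python
import re

# Hypothetical policy: (rule id, kind, regex). A "require" rule must match at
# least one config line; a "forbid" rule must match none. The commands are
# common IOS-style settings chosen for illustration.
POLICY = [
    ("PW-1", "require", r"^service password-encryption$"),
    ("PW-2", "require", r"^enable secret \S+"),
    ("PW-3", "forbid", r"^enable password "),
    ("MG-1", "forbid", r"^ip http server$"),
    ("MG-2", "forbid", r"^\s*transport input .*\btelnet\b"),
    ("SN-1", "forbid", r"^snmp-server community (public|private)\b"),
]

def audit(config, policy=POLICY):
    """Return (rule_id, detail) violations for one config, in policy order."""
    lines = [ln.rstrip() for ln in config.splitlines()
             if ln.strip() and not ln.lstrip().startswith("!")]  # skip comments
    findings = []
    for rule_id, kind, pattern in policy:
        rx = re.compile(pattern)
        hits = [ln.strip() for ln in lines if rx.search(ln)]
        if kind == "require" and not hits:
            findings.append((rule_id, "missing: " + pattern))
        elif kind == "forbid":
            findings.extend((rule_id, "present: " + h) for h in hits)
    return findings

def audit_fleet(configs):
    """Map device name -> violations, listing only non-compliant devices."""
    report = {name: audit(text) for name, text in configs.items()}
    return {name: found for name, found in report.items() if found}

# Constructed sample configurations (not from real devices).
FLEET = {
    "core-sw-01": ("service password-encryption\nenable secret 5 PLACEHOLDER\n"
                   "no ip http server\nline vty 0 4\n transport input ssh\n"),
    "branch-rtr-07": ("enable password PLACEHOLDER\nip http server\n"
                      "snmp-server community public RO\n"
                      "line vty 0 4\n transport input telnet ssh\n"),
}

if __name__ == "__main__":
    for device, found in audit_fleet(FLEET).items():
        for rule_id, detail in found:
            print(device, rule_id, detail)
```

Run on a schedule against the configuration repository, the same rules double as the policy template: changing one regex updates the check for every device.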

Maintain and Update Thousands of Devices

Maintaining and updating devices on a consistent basis plays a critical role in network security. If an organization does not deploy security patches, roll passwords, update Access Control Lists (ACLs), etc., then the likelihood of a device going down increases substantially. Recently, Cisco Systems announced a vulnerability in their IOS router software making it highly susceptible to Denial of Service (DoS) attacks. One way of preventing the DoS on a Cisco router was to update the ACL on every router across the enterprise until the appropriate IOS could be identified and tested. Unfortunately, it could take days if not weeks to manually apply this type of fix. Using a configuration management solution, companies were able to push the ACL update out to all appropriate devices within minutes. Clearly, one can see that an intelligent, automated configuration management solution enables companies to quickly eliminate devastating network security vulnerabilities throughout the enterprise.

Role of Network Utilization Systems in Network Security

Understanding the "normal" utilization characteristics of a network is critical to detecting and responding to certain types of attacks on a network infrastructure. Capacity planning systems are an excellent way to monitor and track utilization patterns. SYN Flood or Denial of Service attacks can take down or at least render parts of a network useless during the attack. Flooding traffic, malicious or not, can usually be controlled quickly through the use of access lists to block initiators of traffic or specific traffic types, provided it is detected and the appropriate IT professionals are notified. Once the utilization is understood, thresholds can be placed in the capacity planning system to alert IT of abnormal utilization, and predesigned control policies can be quickly deployed through the configuration management system to address the problem.

Adding Another Layer of Intrusion Detection to Your Security Infrastructure

Industry analysts estimate that over 50% of all network outages are device configuration related. These configuration errors can be introduced through accidental human error or by intentional, malicious activities. Knowing that a change has occurred is the first step in understanding an outage. A configuration management system that automatically detects configuration updates and versions the configuration repository can provide IT with quick resolution capabilities but, more importantly, notify IT of a possible external attack on the network. For example, suppose a hacker cracks the password of an externally accessible network device. One of the quickest ways to gain access to the rest of the network is to update the configuration of the device. A configuration management system can detect that a change has occurred outside of the normal change process and send a critical alert to appropriate systems and people. Network configuration management systems should also enable IT professionals to quickly identify changes, roll back these changes and deploy the updates necessary to block future unauthorized access to the device.
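The detection step described above, as an added example that is not code from the article or from any product: each polled running configuration is compared with the last stored version, every change is versioned, and a change whose fingerprint was not signed off by the change process raises an alert. The list of volatile lines, the `approved` fingerprint feed and the device name are assumptions; the sample configurations are constructed.

```python
import difflib
import hashlib
import re

# Lines that change without operator action (IOS-style; the list is an assumption).
VOLATILE = re.compile(r"^(! Last configuration change|ntp clock-period)")

def normalize(config):
    """Drop blank and volatile lines so only real changes are compared."""
    lines = (ln.rstrip() for ln in config.splitlines())
    return [ln for ln in lines if ln and not VOLATILE.match(ln)]

def fingerprint(config):
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()

def check_device(repo, device, running, approved):
    """repo: device -> list of stored versions; approved: fingerprints that
    the change process has signed off (hypothetical change-ticket feed)."""
    history = repo.setdefault(device, [])
    if not history:
        history.append(running)
        return {"status": "baseline"}
    stored = history[-1]
    if fingerprint(stored) == fingerprint(running):
        return {"status": "unchanged"}
    diff = list(difflib.unified_diff(normalize(stored), normalize(running),
                                     "stored", "running", n=0, lineterm=""))
    changes = [d for d in diff[2:] if not d.startswith("@@")]  # skip headers
    history.append(running)  # version every change, authorized or not
    ok = fingerprint(running) in approved
    return {"status": "authorized" if ok else "alert",
            "changes": changes, "rollback_version": len(history) - 2}

# Constructed sample configurations (not from a real device).
V1 = """! Last configuration change at 10:02:11 UTC Mon Dec 1 2003
hostname edge-rtr-01
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
"""
V1_LATER = V1.replace("10:02:11", "11:45:00")  # only the timestamp moved
V2 = V1.replace("permit 192.0.2.0 0.0.0.255", "permit any")  # real change

if __name__ == "__main__":
    repo = {}
    for cfg in (V1, V1_LATER, V2):
        print(check_device(repo, "edge-rtr-01", cfg, approved=set()))
```

The `rollback_version` index points at the last stored configuration before the change, which is what a rollback would redeploy.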

Leveraging Configuration Forensics Information to Prevent Malicious Attacks

Network configuration management solutions capture and maintain real-time and historical views of network devices. This information enables IT professionals to determine the source of errors down to the exact time and user, roll back or recover the desired network configuration, and adjust change processes to reduce the risk of repeating the error in the future. It also provides a great source of information when investigating a breach in security, helping to pinpoint the exact cause and events that enabled the breach. With automatic configuration audit tracking, IT professionals have access to more timely diagnosis and disaster recovery data. With access to both real-time and historical views of the network, IT professionals have everything they need to "reset" the network and make network configuration changes in a more cost-effective, intelligent and timely manner.

Network Configuration Management Solutions Enhance Security, Save Money

Figure 2 shows a quick snapshot of the security enhancements intelligent and proactive configuration management solutions deliver:

* A systematic method for designing, deploying and managing change to network configurations

* Real-time, network connected asset discovery, configuration control, and knowledge mining

* A secure, automated and auditable approach to change management

* Responsive capacity forecasting

* Granular, insightful, and proactive resource utilization analysis and reporting

Benefits realized:

* Maximizes return on network investment by 20% asset recovery

* Reduces total cost of ownership by 25%

* Reduces mean time to repair by 20%

* Improves network configuration accuracy through proactive verification and validation

* Manages and improves change control

* Controls expenses by identifying resources to reallocate resulting in 20% reduction in unnecessary or redundant bandwidth growth

* Provides precise predictions through 30 second polling

* Saves time with automated procurement planning and budgeting

While intrusion detection systems, firewalls and other solutions play a critical role in securing a network, configuration management solutions deliver added functionality that further enhances their effectiveness. Omni Consulting Group recently conducted a survey where 3,000 U.S. business executives said gaps in network security cost their companies 5.7% of revenue on an annual basis. Organizations that leverage configuration management solutions to further reduce security gaps not only save money but also contribute dollars to the bottom line.

Configuration Management              Benefit
Security Enhancements

* A systematic method for designing,  * Maximizes return on network
  deploying and managing change to      investment by 20% asset recovery
  network configurations              * Reduces total cost of ownership by
* Real-time, network connected asset    25%
  discovery, configuration control,   * Reduces mean time to repair by 20%
  and knowledge mining                * Improves network configuration
* A secure, automated and auditable     accuracy through proactive
  approach to change management         verification and validation
                                      * Manages and improves change
                                        control

* Responsive capacity forecasting     * Controls expenses by identifying
* Granular, insightful, and             resources to reallocate resulting
  proactive resource utilization        in 20% reduction in unnecessary or
  analysis and reporting                redundant bandwidth growth
                                      * Provides precise predictions
                                        through 30 second polling
                                      * Saves time with automated
                                        procurement planning and budgeting

Figure 2


RELATED ARTICLE: Network Configuration Management Solutions Patch Cisco IPv4 Vulnerability

This summer, Cisco announced an IPv4 vulnerability, which made routers susceptible to denial-of-service attacks. When attacked, the router and the network would go down. To prevent this from happening, IT professionals were left with the task of manually reconfiguring and updating Access Control Lists (ACLs) on hundreds if not thousands of routers across a network.

Using network configuration management solutions, IT professionals were able to deploy new ACLs and update the IOS system in minutes, not days or weeks. Additionally, when the security breach occurred, network configuration management solutions armed IT professionals with an audit trail of the changes that were made and let them instantly roll back to the previous device configuration.

David Schrodel is chief technology officer at Voyence, Inc. (Richardson, TX)

www.voyence.com
COPYRIGHT 2003 West World Productions, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2003, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:Storage Networking
Author:Schrodel, David
Publication:Computer Technology Review
Geographic Code:1USA
Date:Dec 1, 2003
Words:1969