Policy-Driven Network Configuration Management Critical to Network Security
(Originally published in Information Week)

Manual processes for managing device configurations often create gaping security holes!

Today's enterprises face unprecedented cyber-security threats. A new breed of cyber-attacks is constantly evolving even as enterprises continue to bolster their defenses. Though cyber-attacks happen in myriad ways, attackers always look for easy holes in network devices such as switches, routers, firewalls and other devices on the perimeter to gain illegal access to the network. Due to a lack of processes, we unknowingly simplify the job of intruders.
Enterprises make huge investments in procuring network infrastructure and employ highly skilled professionals to manage and administer it. Typically, a few administrators manage a large infrastructure. The configurations of network devices are crucial from the standpoint of network security: they contain sensitive information such as access credentials, SNMP settings, ACLs and more. Business needs are in a constant state of flux, and administrators are required to respond to them, often by changing the configurations of network devices, which is a sensitive and time-consuming task. It requires specialized knowledge, familiarity with all types of devices from different vendors, awareness of the impact of changes, precision and accuracy.
Unfortunately, most enterprises, big and small, rely on manual processes for Network Configuration Management. Manual operations to carry out configuration changes are fraught with the risk of errors that result in network downtime. In addition, a trivial error in a configuration could have a devastating effect on network security, leaving room for hackers and malicious users. When the number of devices grows, administrators find it difficult to respond to the business priorities that require frequent configuration changes, and the likelihood of committing errors rises.

Let us consider some real-world scenarios to illustrate how manual processes for managing network configuration changes create gaping security holes in the corporate network:

Flaws in security settings

Assume that a department in your organization requests a temporary relaxation in the Access Control List (ACL) of a router in production to attend to an urgent business requirement. How do you handle this case?
Normally, in most enterprises, such requests are immediately accepted and the ACL change is deployed. But, due to a lack of processes, the change/relaxation is not rolled back even after the business requirement has been met. The relaxation is forgotten and stays in place indefinitely, inviting hackers to gain illegal access to the network.
If relaxations in security settings such as ACLs, SNMP communities and routing protocols are not properly handled, intruders could easily gain access and expose confidential data, divert traffic to a fraudulent destination and even sabotage network operations.
If you manage a large number of network devices, enforcing a manual process to take care of the security controls in device configurations will be cumbersome and error-prone.

Rapidly responding to security alerts

Assume the scenario below:
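The policy-driven alternative to "remember to roll it back" is to record every relaxation with an expiry date and to check the running configuration against the baseline on a schedule. The following script is an added example, not code from the original article: it parses a constructed Cisco IOS-style configuration for a hypothetical router, compares the ACL against a constructed baseline and exception register, and reports entries that were never approved, temporary relaxations whose approval has lapsed, baseline entries that have gone missing, and default SNMP community strings. Device names, addresses, dates and the policy itself are all made up for the illustration.

```python
"""Drift check for ACL relaxations that were never rolled back.

Added example; not code from the original article. The device, ACL
entries, baseline, exception register and SNMP line are all constructed.
"""
from datetime import date

# Constructed baseline: the ACL entries the security policy approves.
BASELINE_ACL = {
    "permit tcp any host 10.0.0.5 eq 443",
    "permit tcp 10.1.0.0 0.0.255.255 host 10.0.0.9 eq 22",
    "deny ip any any log",
}

# Constructed exception register: temporary relaxations, each with the
# date until which it was approved. A policy-driven process records this
# when the relaxation is granted, so the rollback cannot be forgotten.
EXCEPTIONS = {
    "permit tcp 192.0.2.0 0.0.0.255 host 10.0.0.9 eq 3306": date(2024, 3, 31),
}

# Well-known default SNMP community strings that should never survive
# in a production configuration.
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed running configuration in Cisco IOS style (hypothetical device).
RUNNING_CONFIG = """\
hostname edge-rtr-01
ip access-list extended INBOUND
 permit tcp any host 10.0.0.5 eq 443
 permit tcp 10.1.0.0 0.0.255.255 host 10.0.0.9 eq 22
 permit tcp 192.0.2.0 0.0.0.255 host 10.0.0.9 eq 3306
 permit ip any any
 deny ip any any log
!
snmp-server community public RO
"""


def parse_acl(config: str, name: str) -> list[str]:
    """Return the entries of the named extended ACL, in configured order."""
    entries, inside = [], False
    for line in config.splitlines():
        if line.startswith(f"ip access-list extended {name}"):
            inside = True
            continue
        if inside:
            if not line.startswith(" "):  # first non-indented line ends the stanza
                break
            entries.append(line.strip())
    return entries


def audit_acl(config: str, name: str, baseline: set, exceptions: dict,
              today: date) -> list[tuple[str, str, str]]:
    """Compare the running ACL with policy; return (kind, entry, detail) findings.

    kinds: UNAPPROVED         entry is neither in the baseline nor an exception
           EXPIRED_EXCEPTION  entry was a temporary relaxation past its expiry
           MISSING            a baseline entry is absent from the device
    """
    findings = []
    running = parse_acl(config, name)
    for entry in running:
        if entry in baseline:
            continue
        if entry in exceptions:
            expiry = exceptions[entry]
            if today > expiry:
                findings.append(("EXPIRED_EXCEPTION", entry,
                                 f"approved until {expiry.isoformat()}"))
            continue
        findings.append(("UNAPPROVED", entry, "not in baseline or exception register"))
    for entry in sorted(baseline - set(running)):
        findings.append(("MISSING", entry, "required by baseline"))
    return findings


def audit_snmp(config: str) -> list[str]:
    """Return any default SNMP community strings found in the configuration."""
    found = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] == ["snmp-server", "community"] and len(parts) > 2:
            if parts[2] in DEFAULT_COMMUNITIES:
                found.append(parts[2])
    return found


if __name__ == "__main__":
    for kind, entry, detail in audit_acl(RUNNING_CONFIG, "INBOUND", BASELINE_ACL,
                                         EXCEPTIONS, date(2024, 6, 1)):
        print(f"{kind:18} {entry!r}: {detail}")
    for community in audit_snmp(RUNNING_CONFIG):
        print(f"DEFAULT_SNMP       community {community!r} still configured")
```

Run against the constructed configuration on 1 June 2024, the check reports the lapsed MySQL relaxation and the unapproved `permit ip any any` line (which, placed above the final deny, silently opens the router), and separately flags the `public` community. The same functions can be pointed at a configuration backup pulled from each device on a schedule, which is what turns a forgotten relaxation from a permanent hole into a ticket.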

- The Cisco Product Security Incident Response Team (PSIRT) publishes an important security alert
- Releases an advisory recommending a firmware upgrade for routers
- The security issue at hand is quite serious, urgent and cannot be ignored
- Impact assessment of devices suggests that more than 1500 routers must be upgraded immediately
- collaboration among the administrators
- consistency in rolling out configuration changes
- For end-of-life (EOL) models, the vendor may not offer support; your router/switch may hang or suffer performance degradation. You may want to raise a support ticket, but the vendor might not be in a position to help due to end-of-support;
- the device (say, a firewall) might have a security vulnerability for which you cannot expect a patch from the vendor;
- and numerous other issues might crop up from time to time even if the device is working properly at present.
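The first step in the advisory scenario above, deciding which of the 1500-odd routers are actually affected, is where a manual process breaks down, and it is also where end-of-life devices surface as a separate problem: an affected device whose platform is past end-of-support has no vendor fix to wait for. The script below is an added example, not code from the original article or from any vendor tool. It runs a constructed advisory (a placeholder identifier and made-up "first fixed version" per platform) against a constructed inventory with hypothetical end-of-support dates, and splits the result into devices that need an upgrade and devices for which no patch can be expected.

```python
"""Impact assessment for a vendor security advisory across a device inventory.

Added example; not code from the original article. The inventory, the
advisory's fixed versions, the advisory identifier and the end-of-support
dates are all constructed placeholders; version strings are simplified.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Device:
    name: str
    platform: str
    version: str


@dataclass
class Advisory:
    advisory_id: str                 # placeholder, not a real advisory number
    # platform -> first fixed version; anything below it is affected
    fixed_versions: dict = field(default_factory=dict)


def version_key(version: str) -> tuple:
    """Turn '16.9.3' into (16, 9, 3) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


# Constructed inventory (hypothetical device names and versions).
INVENTORY = [
    Device("core-rtr-01", "ios-xe", "16.9.3"),
    Device("edge-rtr-07", "ios-xe", "17.3.1"),
    Device("branch-rtr-12", "ios", "15.1.4"),
    Device("old-fw-02", "asa", "9.8.4"),
]

# Constructed end-of-support dates per platform (hypothetical).
END_OF_SUPPORT = {"ios": date(2023, 12, 31), "asa": date(2022, 6, 30)}

# Constructed advisory: ios-xe fixed in 17.3.1, ios fixed in 15.2.0.
ADVISORY = Advisory("ADV-PLACEHOLDER-001",
                    {"ios-xe": "17.3.1", "ios": "15.2.0"})


def assess(inventory, advisory, end_of_support, today):
    """Return {device name: (status, past_eol)} for every device.

    status: 'upgrade-required'      affected, vendor fix available
            'affected-unsupported'  affected, but platform is past end-of-support
            'not-affected'          version already at/above the fix, or out of scope
    """
    report = {}
    for dev in inventory:
        eol = end_of_support.get(dev.platform)
        past_eol = eol is not None and today > eol
        fixed = advisory.fixed_versions.get(dev.platform)
        if fixed is None or version_key(dev.version) >= version_key(fixed):
            status = "not-affected"
        elif past_eol:
            status = "affected-unsupported"
        else:
            status = "upgrade-required"
        report[dev.name] = (status, past_eol)
    return report


def upgrade_plan(report):
    """Devices that can be fixed by a firmware upgrade, in a stable order."""
    return sorted(name for name, (status, _) in report.items()
                  if status == "upgrade-required")


def needs_replacement(report):
    """Devices where no vendor patch can be expected: the only fix is replacement."""
    return sorted(name for name, (status, _) in report.items()
                  if status == "affected-unsupported")


if __name__ == "__main__":
    result = assess(INVENTORY, ADVISORY, END_OF_SUPPORT, date(2024, 6, 1))
    for name, (status, past_eol) in result.items():
        flag = " (past end-of-support)" if past_eol else ""
        print(f"{name:15} {status}{flag}")
    print("upgrade:", upgrade_plan(result))
    print("replace:", needs_replacement(result))
```

Two design points matter here. Versions are compared as integer tuples, because a text comparison would rank 16.9.3 above 16.10.1 and silently skip devices that need the fix. And the end-of-support check is evaluated independently of the advisory, so a device like the old firewall in the inventory is still flagged as unsupported even when this particular advisory does not apply to it; that is the ongoing EOL risk the list above describes, surfaced before the next advisory forces the issue.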