(Originally published in Information Week)
Manual processes for managing device configurations often create gaping security holes!
Today’s enterprises face unprecedented cyber-security threats. A new breed of cyber-attacks is constantly evolving even as enterprises continue to bolster their defenses. Though cyber-attacks happen in myriad ways, attackers always look for easy holes in network devices such as switches, routers, firewalls and other devices on the perimeter to gain illegal access to the network. Due to a lack of processes, we unknowingly simplify the job of intruders.
Unfortunately, most enterprises, big and small, rely on manual processes for Network Configuration Management. Manual operations to carry out configuration changes are fraught with the risk of errors that result in network downtime. In addition, a trivial error in a configuration can have a devastating effect on network security, giving room to hackers and malicious users. When the number of devices grows, administrators find it difficult to respond to business priorities that require frequent configuration changes, and the likelihood of errors increases.
Let us consider some real-world scenarios to illustrate how manual processes for managing network configuration changes create gaping security holes in the corporate network:
Flaws in security settings
Assume that a department in your organization requests a temporary relaxation in the Access Control List (ACL) of a router in production to attend to an urgent business requirement. How do you handle this case?
Normally, in most enterprises, such requests are accepted immediately and the ACL change is deployed. But, due to a lack of processes, the change/relaxation is not rolled back even after the business requirement has been met. The relaxation is forgotten and stays in place indefinitely, inviting hackers to gain illegal access to the network.
If relaxations in security settings such as ACLs, SNMP communities and routing protocols are not properly handled, intruders could easily gain access and expose confidential data, divert traffic to a fraudulent destination and even sabotage network operations.
If you manage a large number of network devices, enforcing a manual process to take care of the security controls in device configurations is cumbersome and error-prone.
Rapidly responding to security alerts
Assume the scenario below:
- The Cisco Product Security Incident Response Team (PSIRT) publishes an important security alert
- It releases an advisory recommending a firmware upgrade for routers
- The security issue at hand is quite serious and urgent and cannot be ignored
- Impact assessment of the devices shows that more than 1500 routers need an immediate firmware upgrade
Network administrators working on production networks with a large number of network devices will often have faced a situation similar to the one above.
Effectively managing risk is an important aspect of network security. But a manual process for reacting to security alerts is not only time-consuming but also error-prone. In the above example of rolling out a firmware upgrade on 1500 devices, even a fairly big team of network administrators will need several man-days to accomplish the task manually, during which the network remains largely vulnerable to attacks.
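The impact assessment step in the scenario above is the part that scales badly by hand: matching every device's running firmware against the advisory's affected versions and sequencing the roll-out. The following is an added example (not code from the original article or from any vendor tool) of how that assessment can be scripted. The inventory, model names, version ranges and the fixed version are constructed for illustration and do not come from any real Cisco PSIRT advisory.

```python
"""Assess which routers a firmware advisory affects and plan the roll-out.

Constructed example: inventory, affected models/versions and the fixed
version below are invented for illustration.
"""
import re

# Constructed inventory: (hostname, model, running firmware version, site)
INVENTORY = [
    ("edge-rtr-01", "RTR-2900", "15.1.4", "HQ"),
    ("edge-rtr-02", "RTR-2900", "15.2.1", "HQ"),
    ("br-rtr-17", "RTR-1900", "15.0.2", "Branch-17"),
    ("br-rtr-18", "RTR-1900", "15.3.0", "Branch-18"),
    ("core-sw-01", "SW-3700", "12.2.55", "HQ"),  # a switch; not in scope
]

# Constructed advisory: affected models, affected version ranges
# (inclusive lower bound, exclusive upper bound) and the first fixed version.
ADVISORY = {
    "affected_models": {"RTR-2900", "RTR-1900"},
    "affected_ranges": [("15.0.0", "15.2.2")],
    "fixed_version": "15.2.2",
}


def parse_version(version):
    """Turn a dotted version string such as '15.1.4' into (15, 1, 4)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(model, version, advisory=ADVISORY):
    """True when the model is listed and the version falls in an affected range."""
    if model not in advisory["affected_models"]:
        return False
    ver = parse_version(version)
    return any(parse_version(lo) <= ver < parse_version(hi)
               for lo, hi in advisory["affected_ranges"])


def assess(inventory=INVENTORY, advisory=ADVISORY):
    """Return the sorted hostnames that must be upgraded."""
    return sorted(host for host, model, ver, _site in inventory
                  if is_affected(model, ver, advisory))


def rollout_batches(hostnames, batch_size):
    """Split the targets into fixed-size batches so that only a bounded number
    of devices is being reloaded at any one time."""
    return [hostnames[i:i + batch_size]
            for i in range(0, len(hostnames), batch_size)]


if __name__ == "__main__":
    targets = assess()
    print(f"{len(targets)} device(s) need {ADVISORY['fixed_version']}: {targets}")
    for n, batch in enumerate(rollout_batches(targets, 2), 1):
        print(f"batch {n}: {batch}")
```

The same version-range comparison works for any advisory that lists affected releases; the batching is what keeps a 1500-device upgrade from taking the whole network down at once.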
In multi-member work environments, network administrators often have to access and deploy configuration changes to devices in production. This requires:
- collaboration among the administrators
- consistency in rolling out configuration changes
As outlined above, most enterprises rely on manual processes for Network Configuration Management. That means all administrators get access to all the devices and deploy configuration changes according to their own style and preferences. In the absence of collaboration and consistency, a manual approach to deploying configuration changes can lead to security vulnerabilities.
In addition, allowing all administrators to roll out configuration changes to live equipment can be disastrous. Especially when someone who is not familiar with the various syntaxes attempts to carry out changes, it is prudent to reserve such changes for review and approval by senior administrators. In other words, role-based controls are vital for governing which administrators may carry out changes. The traditional, manual approach offers no such access controls or approvals.
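The role-based control and approval step described above can be modelled as a small change-request workflow. The example below is added here and is not the workflow of DeviceExpert or any other product; the two roles, the three states and the rule that a change must be approved by a senior administrator other than its submitter before it can be deployed are assumptions made for illustration.

```python
"""Change-request workflow: submit -> approve (senior, four-eyes) -> deploy.

Constructed example; roles, states and rules are assumptions.
"""
from dataclasses import dataclass, field

ROLES = {"junior", "senior"}


class WorkflowError(Exception):
    """Raised when a step is attempted out of order or by the wrong role."""


@dataclass
class ChangeRequest:
    device: str
    commands: list
    submitted_by: str
    submitter_role: str
    state: str = "submitted"
    approved_by: str = None
    history: list = field(default_factory=list)  # audit trail of events


def submit(device, commands, user, role):
    """Any administrator may submit; nothing touches the device yet."""
    if role not in ROLES:
        raise WorkflowError(f"unknown role {role!r}")
    cr = ChangeRequest(device, list(commands), user, role)
    cr.history.append(f"submitted by {user} ({role})")
    return cr


def approve(cr, approver, approver_role):
    """Only a senior administrator who is not the submitter may approve."""
    if approver_role != "senior":
        raise WorkflowError("only a senior administrator may approve")
    if approver == cr.submitted_by:
        raise WorkflowError("a submitter may not approve their own change")
    if cr.state != "submitted":
        raise WorkflowError(f"cannot approve a request in state {cr.state!r}")
    cr.state = "approved"
    cr.approved_by = approver
    cr.history.append(f"approved by {approver}")
    return cr


def deploy(cr, deployer):
    """Deployment is refused unless the request carries an approval."""
    if cr.state != "approved":
        raise WorkflowError("request must be approved before deployment")
    cr.state = "deployed"
    cr.history.append(f"deployed to {cr.device} by {deployer}")
    return cr


if __name__ == "__main__":
    req = submit("edge-rtr-01", ["no ip http server"], "alice", "junior")
    approve(req, "bob", "senior")
    deploy(req, "alice")
    print("\n".join(req.history))
```

Keeping the audit trail on the request itself is what later answers the question "who changed this, and who signed off on it?" when a configuration drifts.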
When a device vendor announces end-of-life for a particular device model, it is highly important to assess the potential risks associated with using the device.
- For end-of-life (EOL) models, the vendor may not offer support: your router/switch may hang or suffer performance deterioration. You may want to raise a support ticket, but the vendor might not be in a position to help because of end-of-support;
- the device (say, a firewall) might have a security vulnerability for which you cannot expect a patch from the vendor;
- and numerous other issues might crop up from time to time even if the device is working properly at present.
So, network management experts always advocate replacing devices that have reached end-of-life status. In addition, IT regulations that stress network security cap the use of outdated models to ensure that the network remains in top shape.
If a device that is working very well is categorized as end-of-life by the vendor, it would be prudent to de-link it from production and redeploy it for development or testing purposes.
Well, it is highly important to replace end-of-life models. But when you have so many devices, how do you track the maintenance details? How do you know whether a particular device has reached end-of-sale, end-of-life or end-of-support?
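Answering those questions for a large inventory means keeping the vendor's lifecycle milestones per model and evaluating every device against them. The following is an added example (not from the original article or any product) of such a tracker; the models, milestone dates and the one-year warning window are constructed assumptions, not real vendor announcements.

```python
"""Flag devices by vendor lifecycle milestone: end-of-sale, end-of-life,
end-of-support. Constructed example; all dates and models are invented."""
from datetime import date

MILESTONES = ("end_of_sale", "end_of_life", "end_of_support")

# Constructed lifecycle table per model; None = not announced yet.
LIFECYCLE = {
    "RTR-1900": {"end_of_sale": date(2019, 6, 30),
                 "end_of_life": date(2021, 6, 30),
                 "end_of_support": date(2024, 6, 30)},
    "RTR-2900": {"end_of_sale": date(2023, 1, 31),
                 "end_of_life": None, "end_of_support": None},
    "FW-5500": {"end_of_sale": date(2017, 8, 31),
                "end_of_life": date(2019, 8, 31),
                "end_of_support": date(2022, 8, 31)},
    "SW-3700": {"end_of_sale": None, "end_of_life": None,
                "end_of_support": None},
}

# Constructed inventory: (hostname, model)
INVENTORY = [
    ("br-rtr-17", "RTR-1900"),
    ("edge-rtr-01", "RTR-2900"),
    ("dmz-fw-01", "FW-5500"),
    ("core-sw-01", "SW-3700"),
    ("ap-lobby-01", "AP-100"),  # model missing from the lifecycle table
]


def lifecycle_status(model, today):
    """Most advanced milestone the model has passed as of `today`."""
    lc = LIFECYCLE.get(model)
    if lc is None:
        return "unknown"
    status = "supported"
    for milestone in MILESTONES:
        d = lc[milestone]
        if d is not None and d <= today:
            status = milestone
    return status


def days_to_next_milestone(model, today):
    """Days until the next announced milestone, or None if none is pending."""
    lc = LIFECYCLE.get(model, {})
    future = [d for d in lc.values() if d is not None and d > today]
    return (min(future) - today).days if future else None


def recommended_action(status, days_to_next, warn_days=365):
    """Past end-of-life no patches can be expected, so the device leaves
    production (it may still serve in a lab); past end-of-sale, or with a
    milestone inside the warning window, replacement is planned."""
    if status == "unknown":
        return "verify lifecycle data"
    if status in ("end_of_life", "end_of_support"):
        return "retire from production"
    if status == "end_of_sale" or (days_to_next is not None and days_to_next <= warn_days):
        return "plan replacement"
    return "ok"


def report(inventory=INVENTORY, today=None, warn_days=365):
    """Return {hostname: {"model", "status", "action"}} for the inventory."""
    today = today or date.today()
    out = {}
    for host, model in inventory:
        status = lifecycle_status(model, today)
        nxt = days_to_next_milestone(model, today)
        out[host] = {"model": model, "status": status,
                     "action": recommended_action(status, nxt, warn_days)}
    return out


if __name__ == "__main__":
    for host, info in report(today=date(2023, 6, 1)).items():
        print(f"{host:12} {info['model']:9} {info['status']:15} {info['action']}")
```

Passing `today` explicitly makes the report reproducible; in practice the lifecycle table is the part that must be kept current from vendor bulletins.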
Policy-driven, Automated Approach – The Way Out
The best solution to overcome these problems and ensure network security is to automate the entire life-cycle of Network Configuration Management. Network Change and Configuration Management (NCCM) software solutions like ManageEngine DeviceExpert help achieve a policy-driven, automated approach that minimizes many of the risks listed above. Changes to device configurations can be continuously monitored from the standpoint of network security, in a fully automated fashion.
Administrators can define policies containing standard security settings or security standards for the device configurations. The security standards comprehensively define the settings that are allowed and those that are not, the traffic filtering settings, protocols and other vital controls, and the NCCM solution checks the configurations for compliance with the defined policy. Violations are escalated immediately.
NCCM solutions also help apply security upgrades to multiple devices in a fully automated fashion, without manual intervention.
End-of-life status of devices can be tracked automatically, ensuring that your devices always remain in top shape. Access to configurations can be controlled based on roles, and an approval workflow can be enforced for changes, which helps prevent unauthorized changes.
Apart from minimizing risks, eliminating manual errors and bolstering security, the automated approach saves cost, time and resources, enabling administrators to concentrate on other productive aspects of Network Management.
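The policy check described here, and the forgotten ACL relaxation from the "Flaws in security settings" scenario earlier, both come down to the same two operations: testing a configuration against required and forbidden settings, and comparing it with its approved baseline. The example below is added for illustration and is not DeviceExpert's policy engine; the rule set, the IOS-style sample configuration and the baseline are constructed, and the addresses in them are documentation-range values.

```python
"""Audit a device configuration against a security policy and detect drift
from an approved baseline. Constructed example; rules and configs are invented."""
import re

# Constructed policy: (rule id, kind, regex, message).
# 'required': a line matching the regex must exist.
# 'forbidden': no line may match the regex.
POLICY = [
    ("SEC-001", "required", r"^service password-encryption$",
     "passwords must be stored encrypted"),
    ("SEC-002", "forbidden", r"^snmp-server community (public|private)\b",
     "default SNMP community string"),
    ("SEC-003", "forbidden", r"^snmp-server community \S+ RW\b",
     "read-write SNMP community"),
    ("SEC-004", "forbidden", r"^\s*permit ip any any$",
     "ACL entry permitting all traffic"),
    ("SEC-005", "required", r"^no ip http server$",
     "plain-text HTTP management must be disabled"),
    ("SEC-006", "forbidden", r"^\s*transport input (telnet|all)$",
     "Telnet management access"),
]

# Constructed running configuration (IOS-like syntax).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
service password-encryption
ip http server
snmp-server community public RO
snmp-server community s3cret RW
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443
 permit ip any any
line vty 0 4
 transport input telnet
"""

# Constructed approved baseline: the same config before the "temporary"
# ACL relaxation was added.
BASELINE_CONFIG = SAMPLE_CONFIG.replace(" permit ip any any\n", "")


def audit(config_text, policy=POLICY):
    """Return a list of violations: rule id, line number (None when a required
    line is missing), the offending text and the policy message."""
    lines = config_text.splitlines()
    violations = []
    for rule_id, kind, pattern, message in policy:
        rx = re.compile(pattern)
        matches = [(n, line) for n, line in enumerate(lines, 1) if rx.search(line)]
        if kind == "required" and not matches:
            violations.append({"rule": rule_id, "line": None, "text": None,
                               "message": message + " (missing)"})
        elif kind == "forbidden":
            for n, line in matches:
                violations.append({"rule": rule_id, "line": n,
                                   "text": line.strip(), "message": message})
    return violations


def config_drift(baseline_text, current_text):
    """Lines added to and removed from the baseline (whitespace-normalised).
    A relaxation that was never rolled back shows up in `added`."""
    base = [l.strip() for l in baseline_text.splitlines() if l.strip()]
    cur = [l.strip() for l in current_text.splitlines() if l.strip()]
    added = [l for l in cur if l not in base]
    removed = [l for l in base if l not in cur]
    return added, removed


if __name__ == "__main__":
    for v in audit(SAMPLE_CONFIG):
        where = f"line {v['line']}" if v["line"] else "missing"
        print(f"{v['rule']} {where}: {v['message']} {v['text'] or ''}")
    added, removed = config_drift(BASELINE_CONFIG, SAMPLE_CONFIG)
    print("drift added:", added, "removed:", removed)
```

Running `audit` on every configuration backup, and `config_drift` against the last approved version, is the automated form of the escalation the paragraph describes: a violation or unexpected drift is reported on the next scan instead of surviving until someone happens to read the configuration.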
The original article/video can be found at Policy-Driven Network Configuration Management Critical to Network Security