When it comes to Network Configuration Management (NCM), the field is filled with various solutions. Yet, many network professionals still grapple with common misconfiguration challenges: lack of real-time visibility, escalating costs, cumbersome manual tasks, and the nightmare of compliance issues.
Misconfigurations are a well-known operational and security risk. As a result, many companies have detailed management procedures in place to manage changes that could result in misconfigurations. This is especially true for network engineering or security teams in industries where compliance is regulated such as Telecommunications and Financial Services. Here configuration changes typically have to be documented, reviewed and approved before they’re implemented.
All of this highlights a proactive approach to preventing issues arising from configuration changes. The problem comes in with implementation. Change management best practices can be intricately planned for. But ultimately if there is human involved, even if they are using automation tools, then there is a risk for human error.
The gap that exists lies in being able to easily identify when and where configuration changes have been made and if they’ve been done correctly. Statistics suggest that more often than not, issues that arise come from errors or omissions in configurations.
A recent report highlights that 90% of networks surveyed contained some form of misconfiguration. Additionally misconfigurations accounted for a much higher risk of cybersecurity incidents.
Why is this still the case when network engineers or security teams work so hard to implement configuration management best practices? In this article we highlight several factors that commonly lead to misconfigurations, and why companies need to consider how they can improve their Configuration Management strategy beyond just NCM tools.
Daily Backups and Golden Templates is Not Enough
Every time new equipment is installed, software or systems are changed or upgraded, firewall rules are amended, it results in changes to network systems. Keeping up with all the changes required, particularly relating to configurations, is challenging. NCM tools can help automate daily backing up device configuration. Together with the use of Golden Templates, they can help ensure configuration policies and highlight settings that do not match the Golden Template.
In practice however, there are often valid exceptions that must be catered for, based on location, function, customer, or services provided. With a device-centric Golden Template approach, you quickly end up with a multitude of template variants which quickly become difficult to maintain and reconcile with applicable configuration and security policies.
The other challenge is that in large enterprise or CSP environments, there are likely multiple configuration management tools and Element Management Systems (EMS) that are used to configure devices. Devices may often be configured directly, manually, or via individual scripts.
Having to implement these compliance policies across multiple NCM and EMS systems will become prohibitively difficult to manage and maintain. Similarly generating reports across these environments to identify the devices that require remediation will also be very challenging!
What’s the solution?
SIFF – A configuration change monitoring solution that is specifically designed to collect configuration from network devices (physical and virtual), EMSs, Services / APIs as well as non-network sources (servers, VMs, containers, applications, cloud, etc.) into a single unified repository.
With change activity monitoring it becomes easier to review what recent configuration changes were made. This provides a better starting point, narrowing down what the security or operations teams need to analyze to determine if the problem was caused by a misconfiguration.
Having this information readily available can speed up the time to resolution. It also helps with reporting and compliance with the ability to provide granular detail for security auditing and forensic reporting.
Having the Technology to Support Configuration Change Monitoring Means A Better NCM Strategy
Even with their combined skills and knowledge, most IT, security and network engineering teams are stretched in terms of resources. As much as there are efforts to be proactive, when it comes to having visibility to systems, few tools can provide an overview of everything relating to configurations.
Even if data is available it’s usually siloed within business units, meaning it’s very time-consuming and practically impossible to connect all the dots when troubleshooting.
A study on configuration design and implementation in cloud systems highlighted several implications of misconfigurations. It suggests that these issues could potentially be resolved through technology tools and automation.
The idea is to reduce the impacts of human error. Especially as many changes to configurations are done ad hoc. And it’s a manual process. This makes it difficult to track because the same process isn’t always followed to resolve an issue.
With this in mind, consider the value of having a tool that can monitor and audit all configuration changes. By taking a “manager of managers” approach to configuration data, where configuration data is collected from all sources (devices, EMS, etc.) to a single repository, a unified configuration policy validation process can then be applied to this data.
For example, if a configuration management best practice requires Syslog messages to be sent to a defined location, configuration policy rules should be defined independently of what tool is managing or configuring the device while still accounting for vendor-specific syntax and regional or custom requirements. Instead of implementing the same policies multiple times in each NCM and EMS instance in multiple different ways, a centralized configuration manager-of-managers approach can ensure these policies are consistently implemented and maintained in a scalable manner.
In industries that have to report on change compliance, this consolidation is invaluable. It enables them to actively take measures to reduce risk and operational downtime in a reasonable and efficient manner.
As additional policies are introduced, these can simply be added and associated with the corresponding config sources that they apply to rather than tied to device-specific templates.
In other words, these configuration management best practices are defined and managed directly as policy rules vs. device-specific templates belonging to one NCM or EMS tool.
How Visibility Transforms Network Changes into an Advantage
Having configuration data managed in a central repository enables companies to achieve what was previously overwhelming and unreasonable: Automatically manage and validate configuration changes at scale across the entire enterprise.
This is achieved through integration with other systems and translates into more actionable reporting. When an issue arises, instead of taking a blanket approach and testing everything, teams can first review the overall database. The advantage is that the information is made visible across different business units, eliminating the problem of siloed information.
A common problem that teams face is not knowing which misconfiguration caused an issue or where it originated from. Looking at recent configuration changes, teams can then access the data that identifies if the changes were implemented according to plan.
The benefits are that IT, security, or operational resources are not wasted doing endless testing and the time spent troubleshooting is greatly reduced. With more information to go on, teams can target their efforts to resolve the issue faster. In terms of security and compliance, this approach helps to reduce risk.
In a networking environment where there are so many unknowns that teams have to work around, having a central configuration repository empowers teams to be more effective. SIFF’s goal is to help companies reduce the number of misconfigurations that occur by having greater visibility on configuration data.
Configuration change monitoring should not be limited to just networks. SIFF goes beyond just network configurations to include all aspects of your IT infrastructure, including servers, applications, cloud, VMs, and containers. Now you have the information needed to troubleshoot complex incidents across all silos!
To elevate your NCM strategy with SIFF, as well as gain a comprehensive, agile, and cost-effective solution that meets the diverse needs of modern IT environments, browse for more information.