WHITE PAPER
Network Configuration Management
An Innovative, Additional Layer of Security
Chief Technology Officer
TABLE OF CONTENTS
II. Integrating Configuration Management with Your Security Strategy
III. Addressing Network Vulnerabilities using Configuration Management Solutions
IV. Improving Policy Compliance, Network Maintenance, Secure Access and Capacity Management
V. Adding Another Layer of Intrusion Detection to Your Security Infrastructure
VI. Leveraging Configuration Forensics Information to Prevent Malicious Attacks
With the increased number of cyber attacks and the overall complexity of enterprise networks today,
IT professionals are challenged with the daunting task of protecting networks from known and
unknown malicious activity. To combat network security issues, many organizations are deploying a
layered security architecture that spans from the Internet to the desktop. The typical network
security solutions companies deploy today include ... Firewalls, Intrusion Detection Systems,
Virtual Private Networks, Anti-Virus Solutions, etc. Many organizations also utilize vulnerability
assessments, penetration tests and other means to identify network security issues.
While traditional security solutions and services are being deployed to protect the network, devices
continue to fall victim to attacks. Many organizations are looking outside the “security application
box” to other solutions that can more effectively secure, manage and maintain critical devices
throughout the network. One particular application category IT professionals are turning to is
Network Configuration Management.
Network configuration management solutions are specifically designed to automate the process of
changing, securing and managing devices throughout the enterprise. Companies have turned to these
solutions because of the direct correlation between properly configured devices and network security.
Whether configuration changes are introduced through malicious attacks, manual update errors, or
network product defects, devices can become vulnerable and place your business at risk.
This white paper explains how proactive, intelligent configuration management solutions arm
organizations with a new, enhanced layer of network security. In addition, this document will explain
how configuration management solutions dramatically reduce the time, resources and dollars required
to properly configure, monitor and manage devices throughout a heterogeneous network.
II. Integrating Network Configuration Management with Your Security Strategy
Defining and deploying an enterprise network security strategy is a priority for every senior level IT
professional. By going through this detailed process, a company defines the security policies, access
privileges, password requirements, maintenance updates, traffic flow ... basically every policy and
mandate that is required to secure the network and more importantly, the applications and services
that drive the business. Defining and implementing the right security strategy and policies is the
foundation on which you build and deploy the security solutions and network devices that will be
used to protect the enterprise. A solid security strategy must also include the means by which to cost
efficiently monitor and detect network vulnerabilities and deploy device configuration changes to
address those vulnerabilities throughout an organization.
By leveraging a configuration management solution as part of your security strategy, you arm IT
professionals with device security and intrusion response functionality that is not found in traditional
security solutions. Additionally, network configuration management solutions provide organizations
with a disciplined change management methodology that ensures IT professionals can only make
changes that comply with the enterprise security policies.
Configuration management solutions enable IT professionals to ...
1. Identify Vulnerabilities Throughout the Network
2. Define Network Security Policies
3. Automate the Deployment of Security and Device Configuration Updates
4. Inform IT of Network Intrusions and Unauthorized Configuration Changes
5. Arm Management with Critical Security and Device Configuration Forensics Information Throughout the Network
[Figure: diagram of the five configuration management functions listed above]
III. Addressing Network Vulnerabilities using Configuration Management Solutions
The first thing an IT professional asks when a network vulnerability has been identified is ...
“what segment of my network is affected and what devices will be impacted?” While most companies
document a snapshot of their network at one time or another, in all likelihood, that snapshot becomes
out of date days after it was produced. Without a real-time view of the network and a well documented
history, IT professionals must spend precious time understanding the current state of their infrastructure
before they are in the position to answer this simple question.
Access Important Network Configuration Documentation
Configuration management solutions arm IT professionals with the real-time documentation and device
configuration change history necessary to understand network vulnerabilities and dramatically reduce
the mean time to repair. By accessing accurate network documentation through a configuration
management solution, IT professionals can quickly identify which systems have been impacted and the
configuration history of those devices before the vulnerability was introduced.
Deploy Critical Device Configuration Changes
Configuration management solutions not only assist IT professionals during the troubleshooting
process but also help to solve the problem at hand. Many times, new vulnerabilities are discovered
that require IT to deploy widespread updates to security policies and device configuration changes.
A configuration management solution that supports security policy templates enables IT professionals
to quickly update the policy and apply the change to every device that is impacted by the policy.
Vulnerabilities can be introduced through network attacks, manual errors, even by personnel
changes within the IT department itself. What happens when an employee leaves or a partner decides
to move on and work with a competitor? This single event creates a serious security vulnerability,
and to address this issue the IT department must deploy new passwords and access privileges to
potentially thousands of devices throughout the enterprise.
Most IT organizations are already running at capacity dealing with ongoing projects and service
requests. When passwords or password policies must be changed it can take days if not weeks to
manually update the devices. Even if scripts are used to expedite the process, different scripts must
be written for thousands of different devices that come from a multitude of manufacturers.
Without a solution that can automate these manual and resource intensive processes, other
critical initiatives are delayed and this can have a devastating impact on the overall performance
of the business.
As you can see, whether changes are made manually or through the development and deployment of
custom scripts, what sounds like a simple task (i.e. updating password settings) can be monumental.
A configuration management solution enables a single IT professional to “re-secure” every device on
the network in minutes, thus greatly reducing the overall risk to the business.
IV. Improving Policy Compliance, Network Maintenance, Access and Capacity Management
Ensure Policy Compliance
Many companies have security policies in place; however, communicating these policies throughout
an organization is both time consuming and subject to interpretation. As a result, policies are rarely
complied with or validated, and thus several devices on the network become vulnerable. With a
configuration management solution, organizations can automatically conduct security and device
setting verifications on a regular basis. The benefits are twofold: security policies are easily updated
and constantly validated with minimal time and effort, and IT professionals have more time to focus
on strategic projects that will have a positive impact on the business.
Maintain and Update Thousands of Devices
Maintaining and updating devices on a consistent basis plays a critical role in network security. If
an organization does not deploy security patches, roll passwords, update Access Control Lists (ACLs),
etc., then the likelihood of a device going down increases substantially. Case in point: recently, Cisco
Systems announced a vulnerability in their IOS router software making it highly susceptible to
Denial of Service (DoS) attacks. One way of preventing the DoS on a Cisco router was to update
the ACL on every router across the enterprise until the appropriate IOS could be identified and
tested. The problem was, it would take days if not weeks to manually apply this type of fix. Using
a configuration management solution, companies were able to push the ACL update out to all the
appropriate devices within minutes. This is just one example of how an intelligent, automated
configuration management solution enables companies to quickly eliminate devastating network
security vulnerabilities throughout the enterprise.
Secure Management Domain Access
One of the biggest risks to network security comes from inside the firewall, from current employees and
contractors. For example, telnet and SNMP are common access methods for monitoring and updating
network devices. Traffic from these protocols can be “snooped” by anyone who can reach the network
segment the device is on. To combat this, many companies create management domains to limit the risk
of unauthorized access to network devices. Management domains dictate where and what type of traffic
is able to traverse from one domain to another. Typically, access lists are applied to network devices that
restrict access to specific IPs or ranges of IPs. IT professionals use “jump servers” to access the network
devices. Jump servers are systems that are accessible from outside the management domain, but are part
of the management domain. If the path from the user’s desktop to the jump server is not also secured, the
management domain can still be compromised.
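As an added example, not taken from this paper or from any Voyence product, the following Python script shows the kind of automated security-setting verification described under "Ensure Policy Compliance" together with the management-access restrictions discussed in this section: a small rule set is evaluated against a constructed IOS-style running configuration, each deviation is reported with its remedy, and the templated fix is applied. The rule names, the MGMT-HOSTS ACL name and the sample configuration are assumptions made for the example.

```python
"""Automated policy verification over a device configuration (added example).

The sample config, rule names and the MGMT-HOSTS ACL name are constructed for
illustration; none of them come from the paper or from a product.
"""
import re
from dataclasses import dataclass

# Constructed sample of an IOS-style running configuration that violates
# several of the policy rules defined below.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
no service password-encryption
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 login local
"""


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str       # regex evaluated against the config in MULTILINE mode
    must_match: bool   # True: a matching line is required; False: it is forbidden
    remedy: str        # statement or action that clears the finding


# Policy template: what a compliant device must (or must not) contain.
POLICY = [
    Rule("password-encryption", r"^service password-encryption$", True,
         "service password-encryption"),
    Rule("no-default-snmp-community", r"^snmp-server community (public|private)\b",
         False, "remove default community strings"),
    Rule("vty-ssh-only", r"^ transport input ssh$", True,
         "transport input ssh"),
    Rule("vty-access-class", r"^ access-class \S+ in$", True,
         "access-class <management ACL> in"),
]


def check_config(config: str, rules=POLICY) -> list[dict]:
    """Return one finding per rule that the configuration violates."""
    findings = []
    for rule in rules:
        present = re.search(rule.pattern, config, re.MULTILINE) is not None
        if present != rule.must_match:
            findings.append({"rule": rule.name, "remedy": rule.remedy})
    return findings


def is_compliant(config: str) -> bool:
    return not check_config(config)


def remediate(config: str) -> str:
    """Apply the templated fixes so the config satisfies POLICY.

    Assumes a standard ACL named MGMT-HOSTS, listing the management domain,
    is defined elsewhere in the same template.
    """
    fixed = []
    for line in config.splitlines():
        if line == "no service password-encryption":
            fixed.append("service password-encryption")
        elif re.match(r"snmp-server community (public|private)\b", line):
            continue                                     # drop the default community
        elif line.startswith(" transport input ") and "ssh" in line.split():
            fixed.append(" transport input ssh")         # SSH only on the vty lines
        elif line.startswith("line vty "):
            fixed.append(line)
            fixed.append(" access-class MGMT-HOSTS in")  # restrict vty to the management domain
        else:
            fixed.append(line)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(f"NON-COMPLIANT {finding['rule']}: {finding['remedy']}")
    print("compliant after remediation:", is_compliant(remediate(SAMPLE_CONFIG)))
```

Each rule carries its own remedy, so the same rule set drives both the scheduled verification report and the template that pushes the fix; a line-oriented regex per rule is deliberately simple and is enough for the flat, line-per-statement configurations this kind of device produces.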
[Diagram: two management domains, each containing a Voyence Device Server, linked over secure connections to a Voyence Application Server]
The diagram above illustrates how the VoyenceControl! system enhances management domain security.
The Voyence device servers are configured in the management domain and access to network devices
is initiated from these servers. IT professionals access the VoyenceControl! product from a desktop
client through the application server. All communication between the client and the application servers
occurs over an encrypted channel. The application server communicates to the device server through
encrypted channels as well. Changes initiated from the VoyenceControl! application or through Telnet
or SSH access are all passed through these encrypted channels all the way to the device server.
This limits the risk associated with snooping of network packets to only those packets flowing in the
management domain, thus dramatically reducing the risk of interior attacks.
Role of Network Utilization Systems in Network Security
Understanding the “normal” utilization characteristics of a network is critical to detecting and responding to
certain types of attacks on a network infrastructure. Capacity planning systems are an excellent way to
monitor and track utilization patterns. SYN Flood or Denial of Service attacks can take down, or at
least render useless, parts of a network during the attack. Flooding traffic, malicious or not, can usually
be controlled quickly through the use of access lists to block initiators of traffic or specific traffic types,
provided the flood is detected and the appropriate IT professionals are notified. Once normal utilization
is understood, thresholds can be placed in the capacity planning system to alert IT of abnormal utilization,
and pre-designed control policies can be quickly deployed through the configuration management
system to address the problem.
V. Adding Another Layer of Intrusion Detection to Your Security Infrastructure
Industry analysts estimate that over 50% of all network outages are device configuration related.
These configuration errors can be introduced through accidental human error or by intentional,
malicious activities. Knowing that a change has occurred is the first step in understanding an outage.
A configuration management system that automatically detects configuration updates and versions
the configuration repository can provide IT with quick resolution capabilities, but more importantly,
notify IT of a possible external attack on the network. For example, suppose a hacker cracks the
password of an externally accessible network device. One of the quickest ways to gain access to the
rest of the network is to update the configuration of the device. A configuration management system
can detect that a change has occurred outside of the normal change process and send a critical alert
to the appropriate systems and people. Network configuration management systems should also enable
IT professionals to quickly identify the change, roll back to the previous state, and deploy the
updates necessary to block future unauthorized access to the device.
VI. Leveraging Configuration Forensics Information to Prevent Malicious Attacks
Network configuration management solutions capture and maintain real-time and historical views
of network devices. This information enables IT professionals to determine the source of errors down
to the exact time and user, roll back or recover the desired network configuration, and adjust change
processes to reduce the risk of repeating the error in the future. It also provides a great source of
information when investigating a breach in security, helping to pinpoint the exact cause and the events
that enabled the breach. With automatic configuration audit tracking, IT professionals have access to
more timely diagnosis and disaster recovery data. With access to both real-time and historical views
of the network, IT professionals have everything they need to “re-set” the network and make network
configuration changes in a more cost effective, intelligent and timely manner.
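As an added example, not part of this paper or of any Voyence product, the following Python code shows the detection, versioning, forensic and rollback behaviour described in sections V and VI: every polled configuration is hashed and stored with its time, user and change ticket; a change that arrives without an approved ticket raises a critical alert; the diff between two versions pinpoints exactly what changed; and rollback redeploys the last authorized version under a new ticket. The device configurations, ticket numbers, user names and timestamps are all constructed for the example.

```python
"""Change detection, versioning, forensics and rollback (added example).

Configurations, users, ticket ids and timestamps below are constructed;
nothing is taken from the paper or from a product.
"""
import difflib
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Version:
    seq: int
    digest: str            # SHA-256 of the captured configuration text
    config: str
    captured_at: str       # constructed ISO-8601 timestamp
    user: str              # "unknown" when the change bypassed the change process
    ticket: Optional[str]
    authorized: bool


class ConfigRepository:
    """Versioned history of one device's configuration, with alerting."""

    def __init__(self) -> None:
        self.versions: list[Version] = []
        self.approved_tickets: set[str] = set()
        self.alerts: list[str] = []

    @staticmethod
    def digest(config: str) -> str:
        return hashlib.sha256(config.encode()).hexdigest()

    def approve(self, ticket: str) -> None:
        """Record a ticket approved through the normal change process."""
        self.approved_tickets.add(ticket)

    def head(self) -> Optional[Version]:
        return self.versions[-1] if self.versions else None

    def capture(self, config: str, captured_at: str, user: str = "unknown",
                ticket: Optional[str] = None) -> Optional[Version]:
        """Store a polled configuration; return the new Version, or None if unchanged."""
        digest = self.digest(config)
        head = self.head()
        if head is not None and head.digest == digest:
            return None                               # nothing changed since the last poll
        # The first capture is the baseline; every later change needs an approved ticket.
        authorized = ticket in self.approved_tickets if ticket else head is None
        version = Version(len(self.versions) + 1, digest, config,
                          captured_at, user, ticket, authorized)
        self.versions.append(version)
        if not authorized:
            self.alerts.append(f"CRITICAL v{version.seq} at {captured_at}: configuration "
                               f"changed outside the change process (user={user})")
        return version

    def diff(self, old: Version, new: Version) -> list[str]:
        """Unified diff between two stored versions, for forensics."""
        return list(difflib.unified_diff(old.config.splitlines(), new.config.splitlines(),
                                         f"v{old.seq}", f"v{new.seq}", lineterm=""))

    def last_authorized(self) -> Version:
        return next(v for v in reversed(self.versions) if v.authorized)

    def rollback(self, captured_at: str, user: str, ticket: str) -> Optional[Version]:
        """Redeploy the last authorized configuration under an approved ticket."""
        if ticket not in self.approved_tickets:
            raise ValueError(f"rollback ticket {ticket} is not approved")
        return self.capture(self.last_authorized().config, captured_at, user, ticket)


# Constructed sample configurations (IOS-style).
BASELINE = "hostname edge-rtr-01\nservice password-encryption\nline vty 0 4\n" \
           " transport input ssh\n login local\n"
# Approved change CHG-1001: restrict vty access to the management domain.
APPROVED = BASELINE.replace(
    "line vty 0 4\n",
    "ip access-list standard MGMT-HOSTS\n permit 10.10.0.0 0.0.0.255\n"
    "line vty 0 4\n access-class MGMT-HOSTS in\n")
# Change seen on the device with no ticket: ACL removed, telnet re-enabled.
UNAUTHORIZED = (APPROVED.replace(" access-class MGMT-HOSTS in\n", "")
                        .replace(" transport input ssh", " transport input telnet ssh"))


def run_demo() -> ConfigRepository:
    repo = ConfigRepository()
    repo.capture(BASELINE, "2024-01-01T09:00:00Z", user="ops.jane")            # v1 baseline
    repo.approve("CHG-1001")
    repo.capture(APPROVED, "2024-01-02T10:00:00Z", "ops.jane", "CHG-1001")     # v2 authorized
    repo.capture(APPROVED, "2024-01-02T11:00:00Z")                              # poll: unchanged
    repo.capture(UNAUTHORIZED, "2024-01-03T02:14:00Z")                          # v3: alert
    repo.approve("CHG-1002")
    repo.rollback("2024-01-03T02:20:00Z", user="ops.jane", ticket="CHG-1002")   # v4 == v2
    return repo


if __name__ == "__main__":
    repo = run_demo()
    print("\n".join(repo.alerts))
    print("\n".join(repo.diff(repo.versions[1], repo.versions[2])))
```

The repository never overwrites history: the unauthorized configuration stays on record as its own version, so the time, the diff and the (absent) ticket remain available to an investigation after the device has been restored.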
While Intrusion Detection Systems, Firewalls and other solutions play a critical role in securing a
network, configuration management solutions deliver additive functionality that makes these devices
even more effective.
Omni Consulting Group recently conducted a survey where 3,000 U.S. business executives said gaps
in network security cost their companies 5.7% of revenue on an annual basis. Organizations that
leverage configuration management solutions to further reduce security gaps, not only save money
but also contribute dollars to the bottom line.
Below is a quick snapshot of the security enhancements intelligent and proactive configuration
management solutions can deliver ...

Configuration Management Security Enhancement / Benefit

A systematic method for designing, deploying and managing change
  • Maximizes return on network investment by 20% asset recovery

Real-time, network connected asset discovery, configuration control, and knowledge mining
  • Reduces total cost of ownership by 25%

A secure, automated and auditable approach to change management
  • Reduces mean time to repair by 20%
  • Improves network configuration accuracy through proactive verification and validation
  • Manages and improves change control

Responsive capacity forecasting
  • Controls expenses by identifying resources to reallocate, resulting in 20% reduction in
    unnecessary or redundant bandwidth growth

Granular, insightful, and proactive resource utilization analysis and reporting
  • Provides precise predictions through 30 second polling
  • Saves time with automated procurement planning and budgeting
The benefits of leveraging configuration management solutions go far beyond enhancing security.
Configuration management solutions also enable organizations to:
> Maximize the return on network investments by 20%
> Reduce the Total Cost of Ownership by 25%
> Reduce the Mean Time to Repair by 20%
> Reduce Overexpansion of Bandwidth by 20%
To learn more about network configuration management solutions and how they enable companies
to enhance network reliability and availability go to www.voyence.com.
Founded in 2000, Voyence provides solutions that enable enterprises to dynamically plan,
configure and manage complex networks. In today's network-enabled business environment, the
Voyence Solution™ provides proactive visibility into the utilization of resources thereby equipping
its customers with effective cost containment strategies and optimizing their investment in existing
network infrastructure. At Voyence, we focus on the critical network management processes of
Design Management, Change Management, and Capacity Management.
1801 North Glenville Drive
Richardson, TX 75081