Voyence White Paper



WHITE PAPER

Network Configuration Management: An Innovative, Additional Layer of Security

Authored By: David Schrodel, Chief Technology Officer, Voyence

TABLE OF CONTENTS

I. Introduction
II. Integrating Configuration Management with Your Security Strategy
III. Addressing Network Vulnerabilities using Configuration Management Solutions
IV. Improving Policy Compliance, Network Maintenance, Secure Access and Capacity Management
V. Adding Another Layer of Intrusion Detection to Your Security Infrastructure
VI. Leveraging Configuration Forensics Information to Prevent Malicious Attacks
VII. Conclusion

I. Introduction

With the increased number of cyber attacks and the overall complexity of enterprise networks today, IT professionals are challenged with the daunting task of protecting networks from known and unknown malicious activity. To combat network security issues, many organizations are deploying a layered security architecture that spans from the Internet to the desktop. The typical network security solutions companies deploy today include firewalls, intrusion detection systems, virtual private networks, anti-virus solutions, etc. Many organizations also utilize vulnerability assessments, penetration tests and other means to identify network security issues.

While traditional security solutions and services are being deployed to protect the network, devices continue to fall victim to attacks. Many organizations are looking outside the “security application box” to other solutions that can more effectively secure, manage and maintain critical devices throughout the network. One particular application category IT professionals are turning to is Network Configuration Management.

Network configuration management solutions are specifically designed to automate the process of changing, securing and managing devices throughout the enterprise. Companies have turned to network configuration management solutions because of the direct correlation between properly configured devices and network security. Whether configuration changes are introduced through malicious attacks, manual update errors, or network product defects, devices can become vulnerable and place your business at risk.

This white paper explains how proactive, intelligent configuration management solutions arm organizations with a new, enhanced layer of network security. In addition, this document will explain how configuration management solutions dramatically reduce the time, resources and dollars required to properly configure, monitor and manage devices throughout a heterogeneous network.

II. Integrating Network Configuration Management with Your Security Strategy

Defining and deploying an enterprise network security strategy is a priority for every senior level IT professional. By going through this detailed process, a company defines the security policies, access privileges, password requirements, maintenance updates and traffic flow; basically, every policy and mandate that is required to secure the network and, more importantly, the applications and services that drive the business.

Defining and implementing the right security strategy and policies is the foundation on which you build and deploy the security solutions and network devices that will be used to protect the enterprise. A solid security strategy must also include the means by which to cost efficiently monitor and detect network vulnerabilities and deploy device configuration changes to address those vulnerabilities throughout an organization.

By leveraging a configuration management solution as part of your security strategy, you arm IT professionals with device security and intrusion response functionality that is not found in traditional security solutions. Additionally, network configuration management solutions provide organizations with a disciplined change management methodology that ensures IT professionals can only make changes that comply with the enterprise security policies.

Configuration management solutions enable IT professionals to:

  1. Identify Vulnerabilities Throughout the Network
  2. Define Network Security Policies
  3. Automate the Deployment of Security and Device Configuration Updates
  4. Inform IT of Network Intrusions and Unauthorized Configuration Changes
  5. Arm Management with Critical Security and Device Configuration Forensics Information

[Diagram: Network Configuration Management Solutions, surrounded by four functions: Identify Vulnerabilities Throughout the Network; Inform IT of Intrusions and Improper Configuration Changes; Capture Critical Security and Device Configuration Forensic Information; Automate the Deployment of Security and Device Configuration Updates]

III. Addressing Network Vulnerabilities using Configuration Management Solutions

The first thing an IT professional asks when a network vulnerability has been identified is: “What segment of my network is affected and what devices will be impacted?” While most companies document a snapshot of their network at one time or another, in all likelihood that snapshot becomes out of date days after it was produced. Without a real-time view of the network and a well documented history, IT professionals must spend precious time understanding the current state of their infrastructure before they are in the position to answer this simple question.

Access Important Network Configuration Documentation

Configuration management solutions arm IT professionals with the real-time documentation and device configuration change history necessary to understand network vulnerabilities and dramatically reduce the mean time to repair. By accessing accurate network documentation through a configuration management solution, IT professionals can quickly identify what systems have been impacted and the configuration history of those devices before the vulnerability was introduced.

Deploy Critical Device Configuration Changes

Configuration management solutions not only assist IT professionals during the troubleshooting process but also help to solve the problem at hand. Many times, new vulnerabilities are discovered that require IT to deploy widespread updates to security policies and device configuration changes. A configuration management solution that supports security policy templates enables IT professionals to quickly update the policy and apply the change to every device that is impacted by the policy.

Vulnerabilities can be introduced through network attacks, manual errors, even by personnel changes within the IT department itself. What happens when an employee leaves or a partner decides to move on and work with a competitor? This single event creates a serious security vulnerability, and to address this issue the IT department must deploy new passwords and access privileges to potentially thousands of devices throughout the enterprise.

Most IT organizations are already running at capacity dealing with ongoing projects and service requests. When passwords or password policies must be changed, it can take days if not weeks to manually update the devices. Even if scripts are used to expedite the process, different scripts must be written for thousands of different devices that come from a multitude of manufacturers.

Without a solution that can automate these manual and resource intensive processes, other critical initiatives are delayed and this can have a devastating impact on the overall performance of the business.

As you can see, whether changes are made manually or through the development and deployment of custom scripts, what sounds like a simple task (i.e. updating password settings) can be monumental. A configuration management solution enables a single IT professional to “re-secure” every device on the network in minutes, thus greatly reducing the overall risk to the business.

IV. Improving Policy Compliance, Network Maintenance, Access and Capacity Management

Ensure Policy Compliance

Many companies have security policies in place; however, communication of these policies through an organization is both time consuming and subject to interpretation. As a result, policies are rarely complied with or validated and thus several devices on the network become vulnerable. With a configuration management solution, organizations can automatically conduct security and device setting verifications on a regular basis. The benefits are twofold: security policies are easily updated and constantly validated with minimal time and effort, and IT professionals have more time to focus on strategic projects that will have a positive impact on the business.

Maintain and Update Thousands of Devices

Maintaining and updating devices on a consistent basis plays a critical role in network security. If an organization does not deploy security patches, roll passwords, update Access Control Lists (ACL), etc., then the likelihood of a device going down increases substantially.

Case in point: recently, Cisco Systems announced a vulnerability in their IOS router software making it highly susceptible to Denial of Service (DoS) attacks. One way of preventing the DoS on a Cisco router was to update the ACL on every router across the enterprise until the appropriate IOS could be identified and tested. The problem was that it would take days if not weeks to manually apply this type of fix. Using a configuration management solution, companies were able to push the ACL update out to all the appropriate devices within minutes. This is just one example of how an intelligent, automated configuration management solution enables companies to quickly eliminate devastating network security vulnerabilities throughout the enterprise.

Secure Management Domain Access

One of the biggest risks to network security is from inside the firewall, by current employees and contractors. For example, telnet and SNMP are common access methods for monitoring and updating network devices. These protocols can be “snooped” if the network device can be accessed. To combat this, many companies create management domains to limit the risk of unauthorized access to network devices. Management domains dictate where and what type of traffic is able to traverse from one domain to another. Typically, access lists are applied to network devices that restrict access to specific IPs or ranges of IPs. IT professionals use “jump servers” to access the network devices. Jump servers are systems that are accessible from outside the management domain, but are part of the management domain. If the path from the user’s desktop to the jump server is not also secured, the management domain can still be compromised.
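
The automated device setting verification described under "Ensure Policy Compliance", applied to the management-access controls discussed under "Secure Management Domain Access", can be sketched as follows. This is an added example, not Voyence code: the configs are constructed samples in Cisco IOS-style syntax, and the three policy rules are illustrative assumptions.

```python
import re

# Constructed sample configs (IOS-style syntax); names and addresses are made up.
CONFIGS = {
    "edge-rtr-01": """\
hostname edge-rtr-01
snmp-server community EXAMPLE-RO RO 10
access-list 10 permit 10.20.0.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
""",
    "branch-rtr-07": """\
hostname branch-rtr-07
snmp-server community EXAMPLE-RO RO
line vty 0 4
 transport input telnet ssh
""",
}

def vty_blocks(config):
    """Yield the indented sub-commands of each 'line vty' block."""
    block = None
    for line in config.splitlines():
        if block is not None and not line.startswith(" "):
            yield block          # an unindented line closes the current block
            block = None
        if line.startswith("line vty"):
            block = []
        elif block is not None:
            block.append(line.strip())
    if block is not None:
        yield block

def audit(config):
    """Return a sorted list of policy violations found in one device config."""
    findings = set()
    for block in vty_blocks(config):
        transport = next((c for c in block if c.startswith("transport input")), "")
        # Assumed policy 1: remote management must be SSH only.
        if transport.split()[2:] != ["ssh"]:
            findings.add("vty: transport input is not ssh-only")
        # Assumed policy 2: vty access must be restricted by an inbound access list.
        if not any(re.fullmatch(r"access-class \S+ in", c) for c in block):
            findings.add("vty: no inbound access-class")
    # Assumed policy 3: every SNMP community must be bound to an access list.
    for m in re.finditer(r"^snmp-server community \S+ (?:RO|RW)(.*)$", config, re.M):
        if not m.group(1).strip():
            findings.add("snmp: community without access list")
    return sorted(findings)

def audit_all(configs):
    """Audit every device and map its name to its list of violations."""
    return {name: audit(cfg) for name, cfg in configs.items()}
```

Running audit_all(CONFIGS) reports no findings for edge-rtr-01 and three for branch-rtr-07, which is the kind of per-device result a scheduled verification run would hand to IT.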

[Diagram: two management domains, each containing a Voyence Device Server, each linked by a secure connection to the Voyence Application Server]

The diagram above illustrates how the VoyenceControl! system enhances management domain security. The Voyence device servers are configured in the management domain and access to network devices is initiated from these servers. IT professionals access the VoyenceControl! product from a desktop client through the application server. All communication between the client and the application servers occurs over an encrypted channel. The application server communicates with the device server through encrypted channels as well. Changes initiated from the VoyenceControl! application or through Telnet or SSH access are all passed through these encrypted channels all the way to the device server. This limits the risk associated with snooping of network packets to only those packets flowing in the management domain, thus dramatically reducing the risk of interior attacks.

Role of Network Utilization Systems in Network Security

Understanding the “normal” utilization characteristics of a network is critical to detecting and responding to certain types of attacks on a network infrastructure. Capacity planning systems are an excellent way to monitor and track utilization patterns. SYN Flood or Denial of Service attacks can take down, or at least render useless, parts of a network during the attack. Flooding traffic, malicious or not, can usually be controlled quickly through the use of access lists to block initiators of traffic or specific traffic types, provided it can be detected and the appropriate IT professionals are notified. Once the utilization is understood, thresholds can be placed in the capacity planning system to alert IT of abnormal utilization, and pre-designed control policies can be quickly deployed through the configuration management system to address the problem.

V. Adding Another Layer of Intrusion Detection to Your Security Infrastructure

Industry analysts estimate that over 50% of all network outages are device configuration related. These configuration errors can be introduced through accidental human error or by intentional, malicious activities. Knowing that a change has occurred is the first step in understanding an outage. A configuration management system that automatically detects configuration updates and versions the configuration repository can provide IT with quick resolution capabilities and, more importantly, notify IT of a possible external attack on the network.

For example, suppose a hacker cracks the password of an externally accessible network device. One of the quickest ways to gain access to the rest of the network is to update the configuration of the device. A configuration management system can detect that a change has occurred outside of the normal change process and send a critical alert to appropriate systems and people. Network configuration management systems should also enable IT professionals to quickly identify the change, roll back to the previous state and deploy the updates necessary to block future unauthorized access to the device.

VI. Leveraging Configuration Forensics Information to Prevent Malicious Attacks

Network configuration management solutions capture and maintain real-time and historical views of network devices. This information enables IT professionals to determine the source of errors down to the exact time and user, roll back or recover the desired network configuration, and adjust change processes to reduce the risk of repeating the error in the future. It also provides a great source of information when investigating a breach in security, helping to pinpoint the exact cause and events that enabled the breach.

With automatic configuration audit tracking, IT professionals have access to more timely diagnosis and disaster recovery data. With access to both real-time and historical views of the network, IT professionals have everything they need to “re-set” the network and make network configuration changes in a more cost effective, intelligent and timely manner.
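
The detection of changes made outside the normal change process (Section V) and the time-and-user history with rollback (Section VI) can be sketched together as follows. This is an added example, not Voyence code: the class and function names, the approved-change record format, and the sample device, users and configs are assumptions, and the user is taken to be whatever the device's change log attributes the change to.

```python
import difflib
from datetime import datetime

class ConfigRepo:
    """Versioned config store: each detected change is kept with time and user."""
    def __init__(self):
        self.versions = {}  # device -> [(when, user, config_text), ...]

    def record(self, device, config, when, user):
        """Store a polled config; return a unified diff if it changed, else None."""
        history = self.versions.setdefault(device, [])
        previous = history[-1][2] if history else ""
        if history and previous == config:
            return None  # unchanged since the last poll
        history.append((when, user, config))
        return "\n".join(difflib.unified_diff(
            previous.splitlines(), config.splitlines(),
            "previous", "current", lineterm=""))

    def rollback_target(self, device):
        """Config text of the version preceding the latest one."""
        return self.versions[device][-2][2]

def is_authorized(device, when, user, approved):
    """In-process only if an approved change covers this device, user and time."""
    return any(c["device"] == device and c["user"] == user
               and c["start"] <= when <= c["end"] for c in approved)

def poll(repo, device, config, when, user, approved):
    """Version the polled config; return an alert for an out-of-process change."""
    first_seen = device not in repo.versions  # the first poll only sets the baseline
    diff = repo.record(device, config, when, user)
    if diff is None or first_seen or is_authorized(device, when, user, approved):
        return None
    return {"device": device, "when": when.isoformat(), "user": user, "diff": diff}

# Constructed sample data: device, users, change window and configs are made up.
BASELINE = ("hostname edge-rtr-01\n"
            "access-list 10 permit 10.20.0.0 0.0.0.255\n"
            "line vty 0 4\n"
            " access-class 10 in")
CHANGED = BASELINE.replace(
    "line vty", "access-list 10 permit 192.0.2.0 0.0.0.255\nline vty")
APPROVED = [{"device": "edge-rtr-01", "user": "alice",
             "start": datetime(2024, 1, 10, 22, 0),
             "end": datetime(2024, 1, 10, 23, 0)}]

def demo():
    """Baseline poll, then a change at 03:12 with no matching approved change."""
    repo = ConfigRepo()
    poll(repo, "edge-rtr-01", BASELINE, datetime(2024, 1, 10, 9, 0), "poller", APPROVED)
    return repo, poll(repo, "edge-rtr-01", CHANGED,
                      datetime(2024, 1, 11, 3, 12), "unknown", APPROVED)
```

The alert returned by demo() carries the device, timestamp, user and diff an investigator needs, and rollback_target() returns the last known-good configuration to restore.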

VII. Conclusion

While Intrusion Detection Systems, Firewalls and other solutions play a critical role in securing a network, configuration management solutions deliver additive functionality that makes these devices even more effective. Omni Consulting Group recently conducted a survey where 3,000 U.S. business executives said gaps in network security cost their companies 5.7% of revenue on an annual basis. Organizations that leverage configuration management solutions to further reduce security gaps not only save money but also contribute dollars to the bottom line.

Configuration Management Security Enhancements and their Benefits

A systematic method for designing, deploying and managing change to network configurations
  • Maximizes return on network investment by 20% asset recovery

Real-time, network connected asset discovery, configuration control, and knowledge mining
  • Reduces total cost of ownership by 25%

A secure, automated and auditable approach to change management
  • Reduces mean time to repair by 20%
  • Improves network configuration accuracy through proactive verification and validation
  • Manages and improves change control

Responsive capacity forecasting
  • Controls expenses by identifying resources to reallocate, resulting in 20% reduction in unnecessary or redundant bandwidth growth

Granular, insightful, and proactive resource utilization analysis and reporting
  • Provides precise predictions through 30 second polling
  • Saves time with automated procurement planning and budgeting

Below is a quick snapshot of the security enhancements intelligent and proactive configuration management solutions can deliver ...

The benefits of leveraging configuration management solutions go far beyond enhancing security. Configuration management solutions also enable organizations to:

  • Maximize the return on network investments by 20%
  • Reduce the Total Cost of Ownership by 25%
  • Reduce the Mean Time to Repair by 20%
  • Reduce Overexpansion of Bandwidth by 20%

To learn more about network configuration management solutions and how they enable companies to enhance network reliability and availability, go to www.voyence.com.

About Voyence: Founded in 2000, Voyence provides solutions that enable enterprises to dynamically plan, configure and manage complex networks. In today's network-enabled business environment, the Voyence Solution™ provides proactive visibility into the utilization of resources, thereby equipping its customers with effective cost containment strategies and optimizing their investment in existing network infrastructure. At Voyence, we focus on the critical network management processes of Design Management, Change Management, and Capacity Management.

1801 North Glenville Drive, Richardson, TX 75081
phone 972.759.4000, fax 972.759.3998
salesinfo@voyence.com
www.voyence.com