Tuesday 23 March 2010

Network Configuration Management Overview

This guide gives a brief overview of Network Configuration Management, otherwise known as Network Change and Configuration Management, or NCCM.

Why does it matter?
In a large corporate network it is not uncommon to have hundreds or thousands of network devices. If you add up all your switches, routers, firewalls and other network appliances, and then you consider how many lines of configuration settings apply to each one, you can see there is a significant investment in your networks' configuration which needs to be protected.

Contemporary network devices will not only switch and route data, but will vlan, prioritize and shape multi-media traffic in converged networks. The settings and parameters that determine how traffic is handled all forms part of the configuration of the device, and of course, it is vital that all interoperating devices are configured consistently in order to deliver a healthy and reliable network infrastructure.

Of course, the security of your network is dependent on the way your devices are configured. Corporate Governance policies all include Data Security considerations, such as Sarbanes Oxley (SOX), GLBA, NERC, PCI DSS, HIPAA, MiFID, SAS 70, ISO 27000, CoCo/GCSx Code of Connection and Basel II. These security standards have all been introduced to ensure certain minimum levels of security and integrity are maintained for company financial information and any stored personal details of customers. Your network is inherently vulnerable while default settings are used and it is vital that all known vulnerabilities are eliminated through

Therefore configuration settings for your network need to be backed up, verified for compliance with any corporate governance policy or security standard, and consistency of configs maintained across the estate.
Unapproved changes are the biggest threat to IT Service Delivery and the single most likely cause of failures in IT infrastructures. Any changes that occur outside of established tracking and approval processes are classed as Unapproved Changes and, by definition, are undocumented. No audit trail of a change being made means there is no foothold to start from when troubleshooting a problem. In fact EMA primary research has indicated that greater than 60% of all environment failures would be eliminated if unapproved changes were identified before affecting IT performance.

Unapproved changes are introduced from a variety of sources including security violations, inappropriate user activity, and administrator errors. Even a seemingly benign alteration can have far-reaching unintended consequences to IT security, performance and reliability. Over time, system configurations deviate further and further away from established standards. This is referred to as "configuration drift", and the greater the drift, the greater the risk posed to the reliability of an IT support stack.

The Network Change and Configuration Management Solution
A practical solution to address these requirements is to automate config backups and change tracking, which has given rise to the Network Change and Configuration Management, or NCCM, market.
Change and Configuration Management (CCM) is the process for minimizing configuration drift by ensuring all environment settings are approved and consistent with established standards. CCM is composed of three distinct practices: configuration management which is the creation, documentation and updating of standard settings for all supported IT components; change management which is the process for identifying and approving new configuration settings and updates; and change detection which is an ongoing process of monitoring for inappropriate changes. Achieving compliance objectives for ensuring IT infrastructure reliability requires automated solutions that address all three CCM disciplines.

How does it work?
To date, the development of network device hardware has taken place at a much faster rate than the equivalent development of network management or network configuration management software. In some respects it is understandable - Network Devices didn't need managing or configuring originally as they were black boxes that either passed data or not. It was only with the advent of shared network infrastructures such as Ethernet that the configuration of addresses and protocols became necessary and some consideration made of the network topology to cater for traffic flows and volumes.

Simple Network Management Protocol (SNMP) came to the fore as a technology to address the need for performance, security and accounting statistics from the network, and at the same time, provide a means of changing the configuration of a network too.

As a standard however, anyone who has used SNMP will know that it is anything but consistent in all but the most basic statistics. It is common to find that the manufacturers' 'Management Information Database' or MIB will purport to support certain performance metrics, only to find that different devices from the same manufacturer do not consistently report information via the MIB.

It is a similar story when using SNMP to gather or update configuration data - your version of Cisco Works may work well at backing up your 2950 switch configs but when you next upgrade to 3750 switches, you may quickly find out that Cisco Works suddenly needs an upgrade (at your expense, of course - 'What do you mean, you pay annual maintenance? That is only to maintain your software, not to actually make it keep pace with product range developments!')

Fortunately there are other, more 'open' ways to gather configuration settings from network devices - using TFTP in conjunction with scripted Telnet or SSH Telnet interactions is a consistent and more easily maintained approach that can be applied to all manufacturers and all devices.

All the above change and configuration management tasks can be automated using network change and configuration management (NCCM) software solutions, the best of which will cover desktop PCs together with change and configuration management of your servers and all network devices such as firewalls, switches and routers.