Automating management and the road to secure compliance
V. Balasubramanian looks at the case for automated device configuration management
Balasubramanian: Device configuration can be automated to great effect.
Enterprises depend on network availability. In heterogeneous networks, administrators face numerous challenges in managing device configurations, carrying out changes, and in minimising network downtime triggered by human errors.
Ensuring that device configurations remain compliant to various standard practices and regulations could help. This can be automated.
The components of the network backbone are quite complex and varied. There are hundreds or even thousands of mission-critical edge devices such as switches, routers, firewalls and others from dozens of hardware vendors. Enterprises spend massively on network infrastructure and employ skilled professionals to manage and administer it. Often just a few administrators manage a large infrastructure.
Even a few minutes of network outage could have a ripple effect on profits. And as business needs grow, network complexity increases exponentially. Administrators must ensure network availability, security and reliability, optimal performance, capacity and utilisation of the network.
Business needs change constantly and administrators must respond. Yet configuring network devices is a sensitive and time-consuming task. Many configuration changes are repetitive and labour-intensive jobs, such as changing passwords and access control lists.
Even minor errors in configuration changes to devices in production may cause outages. So network administrators must spend a lot of time configuring these devices, perhaps ignoring strategic network engineering or administration needs.
Enterprises everywhere must not just follow standard practices, internal security policies, stringent government regulations and industrial guidelines, but also demonstrate that policies are enforced and network devices remain compliant. They then must continuously monitor the changes carried out.
While making changes, most document the proposed changes. They log in to each device separately and make the change. If the configuration changes do not work, they will return the configuration to its previous working state by undoing the changes previously recorded.
In enterprises with many devices, administrators instead develop custom scripts to push configurations to multiple devices. With the enormous diversity of hardware vendors, the administrators develop numerous custom scripts to suit the syntax of each device type.
Some juggle with fragmented tools to do specific tasks in configuration management. They correlate the output from each tool manually.
Some administrators have a haphazard way of making changes to live equipment, without any management plan. When errors in configuration cause a network outage, they often wish they could move the configuration back to a proper working version. Instead, they find themselves manually troubleshooting the cause.
The manual way suffers serious limitations. Administrators spend much of their precious time doing repetitive, time-consuming configuration tasks, leaving little time for strategic network administration plans and tasks.
There is no way to apply configuration changes to many devices in one go. Administrators have to log on to each device or, at best, execute many custom scripts to get the work done.
As devices multiply, administrators find it harder to respond to the business priorities that require frequent configuration changes, often leading to errors.
A trivial error in a configuration could let in hackers. Yet the traditional approach has no way to check configurations before deployment for security. It is also hard to control the access to device configurations based on user roles. There is no way to prevent unauthorised configuration changes either.
When something goes wrong due to faulty configuration or a security breach, tracing what has happened to a particular individual becomes almost impossible. There is also no provision to monitor and ensure compliance to government regulations, industry best practices and standards.
Network Change and Configuration Management (NCCM) products
NCCM offerings are designed to automate all device configuration management. Changing configurations, managing changes, ensuring compliance and security are all automated.
By complying to vendor best practices and compliance policies, enterprises can avoid many network security issues. Administrators can automate the entire compliance monitoring process: on demand, automatically at regular intervals and whenever a change is made. Violations would immediately be escalated.
Comprehensive compliance reports can be generated for submission to compliance auditors. In the case of violation, remediation tips may be offered.
During planned configuration changes, administrators can check the syntax of the configuration changes before uploading them to the device.
Administrators can reduce manual errors and prevent unauthorised changes. When something goes wrong, they can get to the cause in minutes or simply roll back the setup to the previous working version.
Compliance to best practices will just become a way of life, allowing enterprises to make the best of their network infrastructure, increase network uptime and reduce degradation and performance issues.
V. Balasubramanian is a marketing analyst at ManageEngine