When I ask network teams whether they are enforcing configuration policies, more often than not the reply is an awkward silence. Why?
First, what do I mean by a policy? It’s often thought of as a “Gold Standard” configuration or list of config requirements for network devices. Most network engineering teams have these standards and best practices, born from years of experience managing networks. In some cases, policies are also mandated by external industry or governing bodies such as PCI, DISA STIG, NERC, FERC, or many others. Policy requirements exist to ensure the security, reliability, optimization, and consistency of the network. A couple of very simple examples include ensuring that insecure services (such as HTTP) are disabled and that authentication requirements are met on infrastructure devices.
So why are organizations not actively enforcing these policies? Simple: it’s complicated and time-consuming. The concept seems easy enough, but the reality is far from it. Most consider detailed policy enforcement impractical, apart from infrequent and partial manual checks. The result is recurring, wasted manual effort, security risks, network stability problems, and excessive troubleshooting time.
Perhaps the biggest challenge is that a configuration text file can’t encompass all the complex, conditional situations that arise when testing requirements against a production network. Configuration requirements on the same make and model of device can vary from device to device, interface to interface, or other objects based simply on how the device is used, where it is in the network, what services are enabled, what it is connected to, what protocols are used, or any number of other situational variables.
Further complicating the challenge is that security configuration requirements go well beyond what is contained in the device config file. Two use-case examples are verifying that devices run approved OS/firmware versions, and evaluating rules conditionally using contextual information from SNMP, CLI show commands, or external data sources.
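To make the conditional evaluation described above concrete, here is an added example of a minimal policy checker in Python; it is not NetMRI's code and not from the original post. The device names, config text, OS version strings, role tags, and the minimum-version threshold are all constructed for illustration.

```python
"""Added example: a small policy checker whose rules depend on context.

Some rules apply to every device (HTTP disabled, AAA enabled, OS version),
while the uplink ACL rule applies only to edge devices and only to the
interfaces that actually face an uplink. Both the config text and the
out-of-config context (role, OS version) are constructed sample data."""
import re

DEVICES = {  # constructed inventory: config plus context gathered elsewhere
    "edge-rtr-1": {"role": "edge", "os": "15.2(4)M7", "config": """\
ip http server
aaa new-model
interface GigabitEthernet0/0
 description UPLINK to ISP
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet0/1
 description INSIDE
 ip address 10.0.0.1 255.255.255.0
"""},
    "core-sw-1": {"role": "core", "os": "15.0(2)SE4", "config": """\
no ip http server
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
"""},
}
MIN_OS = (15, 2)  # constructed minimum major.minor version for the example

def interfaces(config):
    """Split a config into {interface name: [its indented sub-lines]}."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            result[current] = []
        elif current and line.startswith(" "):
            result[current].append(line.strip())
        else:
            current = None
    return result

def parse_version(version):
    """Reduce an IOS-style version string to a comparable (major, minor)."""
    return tuple(int(x) for x in re.match(r"(\d+)\.(\d+)", version).groups())

def check_device(dev):
    """Return the list of policy violations for one device."""
    lines, violations = dev["config"].splitlines(), []
    if "no ip http server" not in lines:  # rule 1: insecure service disabled
        violations.append("insecure HTTP server enabled")
    if "aaa new-model" not in lines:  # rule 2: authentication requirement
        violations.append("AAA authentication not enabled")
    if parse_version(dev["os"]) < MIN_OS:  # rule 3: data outside the config
        violations.append(f"OS {dev['os']} below minimum")
    if dev["role"] == "edge":  # rule 4: conditional on role and interface use
        for name, body in interfaces(dev["config"]).items():
            uplink = any("UPLINK" in l for l in body)
            if uplink and not any(l.startswith("ip access-group") for l in body):
                violations.append(f"{name}: uplink missing inbound ACL")
    return violations

def audit(devices):
    """Evaluate every device and return {device name: [violations]}."""
    return {name: check_device(dev) for name, dev in devices.items()}
```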
Infoblox NetMRI provides unique capabilities that make dealing with these complex scenarios practical, perhaps for the first time in many cases, all resulting from years of responding to customer feedback and needs. Check out our community site for some examples, or simply reach out any time with questions.