IDS, IPS, SASE and other new technologies are attracting more and more attention, but automation is just as important for the security of modern networks. Let’s look at how automation should be used to improve network security.
Sound Network Device Security Practices
Effective network operations depend on the triad of people, processes, and technology: the right people with the right skills and the ability to do the job effectively, the right policies and processes, and the right technology to make it happen. Automation is a technology that lets you create repeatable processes to validate and enforce network policies.
By automating device discovery and configuration verification, you improve network security by preventing devices and configurations from accidentally leaving security holes open. In other words, the goal of automation is to ensure that network policies are applied consistently across the entire network. Forgotten and insecure routers are exactly what malicious attackers exploit.
When each device on the network is discovered, the automation system downloads its configuration and compares it with the configuration rules that implement the network policy. These policies range from simple non-security policies, such as device naming conventions, to important security policies such as authentication controls and access control lists. Automation systems help deploy and maintain configurations that reflect those policies.
(There is one policy that is not reflected in device configurations: minimize variability in network design. For example, a branch network deployment should follow a single design that specifies details such as the devices, operating system versions and interfaces. This approach greatly simplifies automation and facilitates good network security.)
Application of automation
You need to know about every device in your network, because you can’t manage what you don’t know about. Security teams may be reluctant to scan the network because of the alarm traffic scans generate, but scanning is the only way to identify everything on the network.
The scanning system should also check for default credentials, which are easily guessed. Network scans can use brute-force ping sweeps, but a better approach is to use the neighbor tables created by many protocols. Routing neighbors are used to find other subnets, and ARP and switch MAC address tables reveal Layer 2 data-link neighbors. You can automate this network discovery using open source tools such as nmap or various vendors’ products. Note that you do not need to complete a full network discovery before starting the other phases of automation.
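As an added example (not the article's own code, and not any vendor's tool), the following Python script shows the neighbor-table approach just described: starting from a seed router, it walks routing next hops breadth-first, reads ARP tables for Layer 2 neighbors, and reports every discovered address that is missing from the managed inventory. The IOS-style `show ip route` and `show ip arp` outputs, the addresses and the inventory are all constructed sample data embedded so the script runs offline; a real collector would fetch the tables over SSH or an API.

```python
"""Seed-based network discovery from routing and ARP neighbor tables.

Added example, not the article's code. Parses constructed IOS-style
'show ip route' and 'show ip arp' output instead of ping-sweeping, and
reports discovered devices that have no inventory record.
"""
import ipaddress
import re
from collections import deque

# Constructed sample outputs, keyed by the management address they came from.
ROUTE_TABLES = {
    "10.0.0.1": """
O    10.0.1.0/24 [110/20] via 10.0.0.2, 00:10:12, GigabitEthernet0/1
O    10.0.2.0/24 [110/20] via 10.0.0.3, 00:10:12, GigabitEthernet0/2
C    10.0.0.0/29 is directly connected, GigabitEthernet0/0
""",
    "10.0.0.2": """
C    10.0.1.0/24 is directly connected, GigabitEthernet0/0
O*E2 0.0.0.0/0 [110/1] via 10.0.0.1, 00:10:12, GigabitEthernet0/1
""",
    "10.0.0.3": """
C    10.0.2.0/24 is directly connected, GigabitEthernet0/0
O*E2 0.0.0.0/0 [110/1] via 10.0.0.1, 00:10:12, GigabitEthernet0/1
""",
}
ARP_TABLES = {
    "10.0.0.1": """
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                -   0000.0c00.0001  ARPA   GigabitEthernet0/0
Internet  10.0.0.2                4   0000.0c00.0002  ARPA   GigabitEthernet0/0
Internet  10.0.0.3                7   0000.0c00.0003  ARPA   GigabitEthernet0/0
""",
    "10.0.0.2": """
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.1.20               2   0011.2233.4455  ARPA   GigabitEthernet0/0
Internet  10.0.1.21              12   0011.2233.4456  ARPA   GigabitEthernet0/0
""",
    "10.0.0.3": """
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.2.50               1   00aa.bbcc.dd01  ARPA   GigabitEthernet0/0
""",
}
# Constructed managed-device inventory: 10.0.0.3 (a forgotten branch router)
# and the host behind it are deliberately absent.
INVENTORY = {"10.0.0.1", "10.0.0.2", "10.0.1.20", "10.0.1.21"}

NEXT_HOP_RE = re.compile(r"via (\d{1,3}(?:\.\d{1,3}){3})")
PREFIX_RE = re.compile(r"^\S+\s+(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})", re.M)
ARP_RE = re.compile(
    r"^Internet\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})",
    re.M,
)


def discover(seeds, route_tables, arp_tables):
    """Breadth-first walk over routing next hops starting at the seed routers.

    Returns {ip: {"role": "router" | "host", "mac": str | None, "seen_from": set}}.
    An address first seen in an ARP table is a host until a routing table names
    it as a next hop, at which point it is promoted to a router and walked too.
    """
    found = {}
    queue = deque(seeds)
    while queue:
        dev = queue.popleft()
        if dev in found and found[dev]["role"] == "router":
            continue  # already walked
        entry = found.setdefault(dev, {"role": "router", "mac": None, "seen_from": set()})
        entry["role"] = "router"
        for hop in NEXT_HOP_RE.findall(route_tables.get(dev, "")):
            if hop not in found or found[hop]["role"] != "router":
                queue.append(hop)
        for ip, mac in ARP_RE.findall(arp_tables.get(dev, "")):
            neighbor = found.setdefault(ip, {"role": "host", "mac": None, "seen_from": set()})
            neighbor["mac"] = mac
            neighbor["seen_from"].add(dev)
    return found


def known_subnets(route_tables):
    """Prefixes learned from every routing table (default route excluded):
    the scope to which a follow-up nmap sweep should be limited."""
    nets = set()
    for text in route_tables.values():
        for prefix in PREFIX_RE.findall(text):
            net = ipaddress.ip_network(prefix, strict=False)
            if net.prefixlen > 0:
                nets.add(net)
    return nets


def unmanaged(found, inventory):
    """Discovered addresses with no inventory record: the forgotten devices."""
    return sorted(ip for ip in found if ip not in inventory)


if __name__ == "__main__":
    devices = discover(["10.0.0.1"], ROUTE_TABLES, ARP_TABLES)
    for ip in sorted(devices):
        print(ip, devices[ip]["role"], devices[ip]["mac"])
    print("subnets:", sorted(str(n) for n in known_subnets(ROUTE_TABLES)))
    print("unmanaged:", unmanaged(devices, INVENTORY))
```

The walk needs only one seed because every router's table names its neighbors; the unmanaged list is the output worth alerting on, and `known_subnets` gives the bounded target list for an active scan if one is still needed.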
Network Configuration and Change Management (NCCM) systems can use the network inventory to automate the backup of network device configurations to a central repository. The NCCM system must include an automated mechanism to verify configuration changes; unintended differences between the stored and running configurations are sometimes referred to as configuration drift.
Then, for each type of device, create a baseline configuration that ensures the network policy is applied. An automated configuration audit system is required to identify configurations that do not match the defined policies.
Of course, you need to fix any configurations that don’t comply with the policies you set. This is where the more advanced products show their value. Look for products that can intelligently remove configuration statements or add new ones. For example, on certain products, changing an ACL requires a specific sequence of steps to get the result you want. Also look for products that do not claim control of the entire configuration. You need something that manages only the configuration sections you want to manage and leaves the rest of the configuration in place. This is an important feature for adopting automation step by step.
As automation is adopted, you may want to eliminate manual configuration changes and make all device configuration changes through the automated system. The sooner you reach this point, the better; it greatly improves the security of your network infrastructure.
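The three steps above (backup and drift detection, policy audit, and section-scoped remediation) are shown together in this added Python example, which is not the article's code or any NCCM product's. The backup and running configurations are constructed IOS-style text in which a manual change has added a permit-any ACL entry and enabled telnet on the vty lines; the policy rules are hypothetical. Remediation touches only the named section and leaves the rest of the configuration alone; the generated commands are illustrative, and the exact command sequence a platform needs for ACL changes varies.

```python
"""Configuration drift detection, policy audit and section-scoped remediation.

Added example, not the article's code. Works on constructed IOS-style
configuration text; no device is contacted.
"""
import difflib
import re

# Constructed backup taken by the NCCM system (the intended baseline).
BACKUP_CONFIG = """\
hostname BR1-RTR
service password-encryption
ip access-list extended MGMT-IN
 permit tcp 10.0.100.0 0.0.0.255 any eq 22
 deny ip any any log
line vty 0 4
 transport input ssh
 access-class MGMT-IN in
"""

# Constructed running configuration after an undocumented manual change.
RUNNING_CONFIG = """\
hostname BR1-RTR
service password-encryption
ip access-list extended MGMT-IN
 permit tcp 10.0.100.0 0.0.0.255 any eq 22
 permit tcp any any eq 22
 deny ip any any log
line vty 0 4
 transport input ssh telnet
 access-class MGMT-IN in
"""

# Hypothetical policy: (description, regex applied per line, required?).
# required=True means the pattern must appear; required=False means it must not.
POLICY = [
    ("passwords must be encrypted", r"^service password-encryption$", True),
    ("vty lines must be protected by an access-class", r"^ access-class \S+ in$", True),
    ("telnet must not be enabled on vty lines", r"^ transport input .*telnet", False),
    ("ACLs must not permit any source to any destination", r"^ permit \S+ any any", False),
]


def drift(backup, running):
    """Lines added to and removed from the running config relative to the backup."""
    added, removed = [], []
    for line in difflib.unified_diff(backup.splitlines(), running.splitlines(),
                                     "backup", "running", lineterm="", n=0):
        if line.startswith(("+++", "---", "@@")):
            continue  # diff headers
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return added, removed


def audit(config, policy=POLICY):
    """Descriptions of every policy rule the configuration violates."""
    violations = []
    for description, pattern, required in policy:
        present = re.search(pattern, config, re.M) is not None
        if present != required:
            violations.append(description)
    return violations


def parse_sections(config):
    """Split a config into (top-level line, [indented child lines]) pairs."""
    sections, current = [], None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            if current is not None:
                current[1].append(line.strip())
        else:
            current = (line.strip(), [])
            sections.append(current)
    return sections


def section_lines(config, header):
    for found_header, children in parse_sections(config):
        if found_header == header:
            return children
    return []


def remediate_section(running, baseline, header):
    """Commands that bring one section of the running config to the baseline,
    leaving every other section untouched. Removals are emitted before
    additions; platform-specific ordering rules (e.g. for ACLs) are not modeled."""
    have = section_lines(running, header)
    want = section_lines(baseline, header)
    if have == want:
        return []
    commands = [header]
    commands += [" no " + line for line in have if line not in want]
    commands += [" " + line for line in want if line not in have]
    return commands


if __name__ == "__main__":
    print("drift:", drift(BACKUP_CONFIG, RUNNING_CONFIG))
    print("violations:", audit(RUNNING_CONFIG))
    for section in ("ip access-list extended MGMT-IN", "line vty 0 4"):
        print("\n".join(remediate_section(RUNNING_CONFIG, BACKUP_CONFIG, section)))
```

Drift and audit answer different questions: drift says the device no longer matches what was backed up, while the audit says whether either version complies with policy. Here the backup passes the audit and the running config fails it, so the drift is a security regression rather than an acceptable change.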
OK, so you’ve embraced automation and network security is covered, but how do you know you’re getting the results you want? This requires validation testing. Use products that scan your network from the global Internet to check for security holes in your network and computer systems. Think of these products as outsourced automation.
Within the network, use automation to check the operational state of the network. This is different from a configuration audit, which only verifies that the deployed configuration is the one you intended to deploy. For example, are the BGP neighbors the correct set, and are they all in the Established state? Is the spanning-tree root bridge correctly placed in the topology? Is the Network Time Protocol working with the right set of peers? Can an internal system that should be quarantined still reach the Internet (a sort of inverse test)? Consider performing such a network health check regularly.
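An added Python example of the state checks listed above (not the article's code): it parses constructed IOS-style `show ip bgp summary` and `show ntp associations` output, compares the result with the expected peer set from the design, and evaluates the inverse test for quarantined hosts. The expected-state tables and the reachability probe results are constructed inputs; a real check would collect them from the devices and a probe agent.

```python
"""Operational-state health checks, as distinct from a configuration audit.

Added example, not the article's code. All command output and expected
state below is constructed sample data.
"""
import re

# Constructed 'show ip bgp summary' output: one Established peer, one stuck in Active.
BGP_SUMMARY = """\
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.0.2.1       4        64496   12034   12030      500    0    0 3d02h          120
192.0.2.5       4        64497      10       8        0    0    0 00:00:12 Active
"""
# Constructed 'show ntp associations' output: one synchronized peer, one unreachable.
NTP_ASSOC = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
*~198.51.100.10   .GPS.            1     45     64   377  1.200   0.031   0.4
 ~198.51.100.11   .INIT.          16      -     64     0  0.000   0.000 16000.
"""
# Expected state taken from the network design (constructed).
EXPECTED_BGP = {"192.0.2.1": 64496, "192.0.2.5": 64497, "192.0.2.9": 64498}
EXPECTED_NTP = {"198.51.100.10", "198.51.100.11"}
# Constructed result of an egress probe run from quarantined hosts:
# True means the host reached the Internet, which it must not.
QUARANTINE_PROBE = {"10.0.9.10": False, "10.0.9.11": True}

BGP_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+(\d+)(?:\s+\S+){6}\s+(\S+)\s*$", re.M)
# status flag, '~' (configured), address, ref clock, stratum, when, poll, reach
NTP_RE = re.compile(
    r"^([*+#x. -]?)~(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)", re.M)


def parse_bgp(text):
    """{neighbor: {"asn", "established", "state"}}. In this output the last
    column is a prefix count when the session is Established, else a state name."""
    peers = {}
    for ip, asn, last in BGP_RE.findall(text):
        established = last.isdigit()
        peers[ip] = {"asn": int(asn), "established": established,
                     "state": "Established" if established else last}
    return peers


def check_bgp(peers, expected):
    problems = []
    for ip, asn in expected.items():
        peer = peers.get(ip)
        if peer is None:
            problems.append(f"bgp: expected neighbor {ip} missing")
        elif peer["asn"] != asn:
            problems.append(f"bgp: {ip} is AS{peer['asn']}, expected AS{asn}")
        elif not peer["established"]:
            problems.append(f"bgp: {ip} is {peer['state']}, expected Established")
    problems += [f"bgp: unexpected neighbor {ip}" for ip in peers if ip not in expected]
    return problems


def parse_ntp(text):
    """{peer: {"synced", "stratum", "reach"}}; reach is an octal shift register."""
    assoc = {}
    for status, ip, _ref, stratum, _when, _poll, reach in NTP_RE.findall(text):
        assoc[ip] = {"synced": status == "*", "stratum": int(stratum), "reach": int(reach, 8)}
    return assoc


def check_ntp(assoc, expected):
    problems = []
    for ip in sorted(expected):
        peer = assoc.get(ip)
        if peer is None:
            problems.append(f"ntp: expected peer {ip} missing")
        elif peer["reach"] == 0:
            problems.append(f"ntp: {ip} unreachable")
    if not any(p["synced"] for p in assoc.values()):
        problems.append("ntp: no synchronized peer")
    return problems


def check_quarantine(probe_results):
    """Inverse test: a quarantined host that reaches the Internet is a failure."""
    return [f"quarantine: {ip} reached the Internet"
            for ip, reached in probe_results.items() if reached]


def health_check(bgp_text=BGP_SUMMARY, ntp_text=NTP_ASSOC, probe=QUARANTINE_PROBE):
    return (check_bgp(parse_bgp(bgp_text), EXPECTED_BGP)
            + check_ntp(parse_ntp(ntp_text), EXPECTED_NTP)
            + check_quarantine(probe))


if __name__ == "__main__":
    for problem in health_check():
        print(problem)
```

Every check compares observed state with designed state, which is why the design must be written down as data: a configuration audit would pass a router whose BGP peer is configured correctly but never comes up.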
How much does network automation cost?
The cost of a network automation system is not trivial and depends on many factors, including the size of the network, the complexity of the network, the skills of the personnel, and the products to be deployed.
It’s difficult to sell a CEO on hundreds of thousands of dollars in product purchases or annual subscriptions, but the alternative may be facing the consequences of a breach. It can help to talk about full-time-employee costs and point out the savings from not having to deal with ransomware or data theft. Also note that automation reduces the number of outages and adapts to changing business environments, making business operations more stable and agile.
Another potentially useful approach is to describe automation in terms of business risk management. Often it takes little effort to use an external security scanner to identify security holes, or to use network discovery tools to find unmanaged devices that pose a risk to the business. Automation can easily be turned into a competitive advantage that is worth the investment.
Copyright © 2021 IDG Communications, Inc.