“You’re either the one that creates the automation, or you’re getting automated.”
— Tom Preston-Werner, the co-founder of GitHub.
The truth about embracing network automation: it’s not a matter of “if,” it’s a matter of “when.” According to the 2019 State of Network Automation Report, conducted by Juniper Networks, 96% of respondents (over 400, from across the USA) are on an automation journey.
What is Network Automation?
Network automation can mean different things to different people. We will start with Gartner’s definition.
Gartner defines the network automation market as tools that automate the visibility, troubleshooting, reporting and maintenance of virtual and physical network device configurations, supporting opportunities to lower costs, reduce human error and improve compliance with configuration policies.
This definition reflects the type of automation that Indeni provides for security infrastructure, with visibility and troubleshooting being our primary focus.
Different Types of Network Automation
In reality, there are many daily monotonous tasks that you can automate, from infrastructure configuration to lifecycle operations. Some of the tasks are simpler to automate and some are more common than others. In this blog post, we will look at a broad array of tasks that you can automate, with a focus on managing your security infrastructure. We will discuss factors you should consider to help prioritize the many different network automation tasks or to find the best solution for your organization. Hopefully, this will offer some insights into how you can start your automation journey.
1. Network Provisioning
Configuring and deploying your devices, physical or virtual, is perhaps the most commonly understood network automation use case. The task is repetitive in nature, and the likelihood that you are dealing with a large volume of devices makes this an ideal problem for automation. In fact, the 2019 State of Network Automation Report cited configuration management tooling as having the highest adoption rate for automation. Many enterprises already use these tools to make bulk configuration changes to network devices, saving time and reducing the errors associated with manual updates. The report also indicated that network provisioning, including deployments and configuration, was at the bottom of the list of daily work tasks. This is interesting because a common network automation premise is that provisioning ought to be automated first, and yet it is not a daily responsibility for many. If network provisioning is not where network operators are spending their time, you should perhaps look beyond configuration management from a return on investment perspective.
2. Firewall Policy Management
Unlike router and switch configuration, managing firewall rules is typically a daily task, because new applications that require firewall rule updates are deployed regularly. According to Gartner, “through 2023, at least 99% of firewall breaches will be caused by firewall misconfigurations, not firewall flaws.” Many enterprises deploy purpose-built tools to centrally manage their firewall rules. These tools help to identify redundant, overlapping, and conflicting rules based on usage across a multi-vendor environment. Many of our customers use Network Security Policy Management tools along with Indeni to manage their security infrastructure today.
3. Monitoring & Troubleshooting
As mentioned above, network provisioning is at the bottom (32%) of the daily tasks according to the 2019 State of Network Automation Report. Network monitoring is at the top (71%) of the Network Operations Day-to-Day Responsibilities list. This finding aligns with what we’ve heard from our customers. Automating time-consuming tasks makes the most business sense. Incidentally, automating troubleshooting is the primary use case Indeni focuses on.
When an issue is detected, Indeni will automatically apply device-specific domain knowledge to the problem and perform analysis to accelerate root cause analysis. Applying domain knowledge is key to determining what relevant information needs to be collected while the problem is happening so an accurate diagnosis is possible. Automatically investigating a problem has an additional benefit, as it enables us to provide you with very detailed and prescriptive remediation steps to accelerate resolution. To learn more about how Auto-Triage works, you can read this blog post.
Our Auto-Triage capabilities are developed by our community of experts. By bringing expertise from our community, security vendors, and Fortune 100 customers, we are able to gather the most relevant and important device knowledge. Crowdsourcing provides a mechanism to bring together ideas and expertise that would not otherwise be available.
When you are ready to start your automation journey, the most important factor to consider is whether you want to do it yourself or have automation capabilities out of the box to bootstrap your effort. Speaking from our years of experience, you should not underestimate the challenge of translating knowledge into reality. It would be worth your time to evaluate the pros and cons of build versus buy.
4. Configuration Drift
Configuration drift detection ensures that all the devices and services are configured and running as intended. A common use case is to ensure that you adhere to your organization’s gold standard configuration. For example, an administrator accidentally disables SecureXL, resulting in an outage several weeks later.
When considering a solution for your firewalls, configuration drift detection cannot simply take a snapshot of the desired configuration state and compare the current configuration against that historical snapshot. Firewalls are typically deployed in a clustered environment. The normal operation is to first make a configuration change on the backup firewall, fail over from the primary to the backup firewall, then make the change on the primary firewall. It is important to understand this context in order to chain these events together and avoid false positives.
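The difference between snapshot comparison and cluster-aware drift detection, as an added example (not Indeni’s implementation). The event fields, the constructed timeline, the config hashes and the 120-minute window are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Event:
    ts: int                # minutes on a constructed timeline
    cluster: str
    member: str            # "" for cluster-wide events such as a failover
    kind: str              # "config_change" or "failover"
    config_hash: str = ""  # hash of the member's config after the change

def naive_drift(events, baseline):
    """Snapshot comparison: flag every change that differs from the baseline."""
    return [(e.cluster, e.member, e.ts) for e in events
            if e.kind == "config_change" and e.config_hash != baseline[e.cluster]]

def cluster_aware_drift(events, window=120):
    """Suppress the rolling-change pattern: change on one member, then a
    failover, then the same config on the peer, all within `window` minutes."""
    events = sorted(events, key=lambda e: e.ts)
    alerts, matched = [], set()
    for i, e in enumerate(events):
        if e.kind != "config_change" or i in matched:
            continue
        failover_seen, peer_found = False, False
        for j in range(i + 1, len(events)):
            n = events[j]
            if n.ts - e.ts > window:
                break                      # sorted, so nothing later can match
            if n.cluster != e.cluster:
                continue
            if n.kind == "failover":
                failover_seen = True
            elif (failover_seen and n.member != e.member
                  and n.config_hash == e.config_hash):
                matched.add(j)             # peer caught up: one planned change
                peer_found = True
                break
        if not peer_found:
            alerts.append((e.cluster, e.member, e.ts))
    return alerts

# Constructed sample: fw-a does a planned rolling change, fw-b drifts on one member.
BASELINE = {"fw-a": "c1", "fw-b": "c1"}
SAMPLE = [
    Event(0, "fw-a", "fw-a-2", "config_change", "c2"),   # standby changed first
    Event(5, "fw-b", "fw-b-1", "config_change", "x9"),   # one-sided change
    Event(10, "fw-a", "", "failover"),
    Event(25, "fw-a", "fw-a-1", "config_change", "c2"),  # former primary follows
]

if __name__ == "__main__":
    print("naive:", naive_drift(SAMPLE, BASELINE))
    print("cluster-aware:", cluster_aware_drift(SAMPLE))
```

The snapshot comparison raises three alerts on this timeline, two of them for the planned change on fw-a; the cluster-aware pass reports only the one-sided change on fw-b.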
5. Security Compliance
Applying baseline security standards across your security infrastructure is a foundational practice for every organization. This is another very common automation use case supported by many automation tools with multiple built-in compliance frameworks such as Payment Card Industry Data Security Standard (PCI DSS), Center for Internet Security (CIS), National Institute of Standards and Technology (NIST), etc. The tools raise an alert if the guidelines are violated. Reports are generated automatically for audit purposes.
With hundreds of firewalls deployed in your environment, keeping up with security vulnerabilities can be a time-consuming task. Vulnerability assessment should be another use case supported by your automation tool. The solution should continuously keep up with vulnerability issues published by the firewall vendors and proactively prioritize the vulnerability issues based on criticality.
This includes updating software, including rollback of software if required. While this is another task that can be automated, we have previously studied the behaviour of firewall upgrades and concluded that there was no evidence that customers would rush into upgrading the devices even after the vendor released a security advisory and upgraded release for multiple major versions. Our recent Check Point Deployment Trends Report for 2020 also suggested that only 40% of the Check Point devices we monitored have gone through an upgrade since the beginning of 2020 despite the fact that they were running a software release that has reached the end of support. In 2019, only 18% of Check Point firewalls were upgraded. We also concluded that our customers tend to avoid the unknown risks of upgrades by accepting current known risks such as end of support or known vulnerability issues. If your administrators are not spending the time on upgrades, you should consider if automating this task has the desirable return on investment your organization demands.
7. Ongoing Maintenance
Ongoing maintenance tasks such as SSL certificates, licensing, and EOL maintenance are often ad hoc and manual. While these tasks are not daily tasks, they are often easily forgotten. Automating ongoing maintenance tasks is straightforward to implement, and it prevents unexpected failures related to certificate or license expiration.
How Indeni Enables Network Automation
Adopting network automation will significantly simplify your security infrastructure operations. Our Auto-Detect and Auto-Triage capabilities can take a few things off your plate or help you save the day. To summarize, the key benefits of Indeni’s secure infrastructure automation solution are:
- Optimize the performance of the security infrastructure. Active monitoring combined with auto-triage streamlines IT operations, enabling you and your team to deliver optimal security services at the desired quality to the business.
- Automate data enrichment to save you time for these otherwise time-consuming tasks. Now you have more free time for more strategic tasks.
- Work more effectively. Indeni automation modules will surface useful and actionable information that will immediately facilitate your work.
If you are new to Indeni, let us bootstrap your network automation initiatives: download a free trial today.