The importance of provisioning network and security resources is often overlooked. In the course of moving data centers from bare-metal infrastructure to virtual machines, most network and systems administrators have opted out of automating provisioning. This article articulates some of the possible reasons why, and ways to get started with automation.
Task validation is a higher priority than provisioning
According to a survey by Indeni and GNS3, operations and engineering are focusing more on ensuring the availability and security compliance of resources. Tasks that focus on boosting network visibility and observing vendor best practice were found to be higher on administrators’ priorities than provisioning. When asked if they use IaaS provisioning in the allocation of network-based resources, only 33% of the respondents said yes. Of these, 28% said they used onsite provisioning while just 21% use cloud-based provisioning. 51% of the administrators interviewed said they combine both methods of provisioning.
Benefits of Automated Network Security Device Provisioning
There are a number of benefits to automating the provisioning of services to network and security devices. Some of these benefits include:
- Make changes faster
- Enforce policies
- Ensure compliance
- Avoid security breaches
- Reallocation of resources
At the same time, there are a number of inhibitors to getting started. To automate the provisioning of a network or security device, knowledge of the device (e.g. Check Point, Palo Alto Networks, Juniper or Radware) and of the interdependencies of the network needs to be documented and turned into code. Questions to consider:
- Do the provisioning rules and instructions come from the vendor?
- If the vendor has a robust library out of the box, does that pre-built policy or workflow apply to your environment as is?
- Are all possible scenarios considered? Is it OK to provision changes on every version of Check Point firewalls? Is it OK to complete them on virtual and physical machines?
- What happens if X feature is enabled? Disabled?
For these reasons, and many others, administrators want the opportunity to approve a change before it goes into production.
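The questions above can be written down as a pre-flight check that runs before any change reaches a device. The following is an added example, not code from Indeni or any vendor; the device names, version tuples, feature names and the `approved_by` parameter are constructed for illustration.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Device:
    name: str
    vendor: str
    version: tuple                      # OS release parsed to integers
    virtual: bool
    features: frozenset = frozenset()   # features currently enabled

@dataclass(frozen=True)
class Change:
    name: str
    vendor: str
    versions: tuple                     # (oldest, newest) release validated
    platforms: frozenset                # subset of {"virtual", "physical"}
    requires: frozenset = frozenset()   # features that must be enabled
    conflicts: frozenset = frozenset()  # features that must be disabled

def preflight(dev, chg):
    """Return the reasons a change must not reach this device (empty = eligible)."""
    platform = "virtual" if dev.virtual else "physical"
    checks = [
        (dev.vendor == chg.vendor, "vendor mismatch"),
        (chg.versions[0] <= dev.version <= chg.versions[1], "version not validated"),
        (platform in chg.platforms, "platform type not validated"),
        (not chg.requires - dev.features, "required feature disabled"),
        (not chg.conflicts & dev.features, "conflicting feature enabled"),
    ]
    return [reason for ok, reason in checks if not ok]

def plan(devices, chg, approved_by=None):
    """Sort devices into apply, hold (awaiting approval) and skip (with reasons)."""
    out = {"apply": [], "hold": [], "skip": {}}
    for dev in devices:
        reasons = preflight(dev, chg)
        if reasons:
            out["skip"][dev.name] = reasons
        else:
            out["apply" if approved_by else "hold"].append(dev.name)
    return out

# Constructed inventory and change: names, versions and features are made up.
INVENTORY = [
    Device("fw-edge-1", "Check Point", (2, 4), False, frozenset({"vpn"})),
    Device("fw-lab-1", "Check Point", (2, 4), True, frozenset({"vpn"})),
    Device("fw-core-1", "Check Point", (1, 9), False, frozenset({"vpn", "cluster"})),
    Device("fw-dmz-1", "Palo Alto Networks", (2, 4), False),
]
CHANGE = Change("rotate-vpn-policy", "Check Point", ((2, 0), (2, 9)),
                frozenset({"physical"}), frozenset({"vpn"}), frozenset({"cluster"}))
```

Calling `plan(INVENTORY, CHANGE)` without an approver leaves every eligible device in `hold`, so nothing reaches production until someone signs off, and each skipped device carries the reasons it failed.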
How to get started with automated provisioning
In order to teach a machine the steps to follow, someone must document the steps in the first place. I love this quote from Donald Knuth about a computer:
Many organizations, including MasterCard, Office Depot and Pfizer, are leveraging the wisdom of the Indeni Crowd to convert historical knowledge into reusable code, and continuously validate that their devices are working as intended.