Gold Standard Configuration for Network Devices

 

Network and security teams in large enterprises spend quite a bit of time defining their “Gold Standard Configuration” for network devices – a checklist of how all of their devices should be configured. Some of the items on the checklist are operational (what hotfix you have installed) while some are for compliance (which users are defined). Either way, it’s apparently very difficult to stay on top of this checklist without indeni, as we’ve discovered from our customers. Items on the list include things like:

  • Software version in use – enterprises try to standardize on certain versions to reduce unexpected events and increase usability (if all of the devices made by a given manufacturer behave the same, it’s easier to manage them). In some cases, they even standardize on certain hotfixes.
  • OS-level settings: users defined, SNMP monitoring and syslog servers, authentication settings, NTP, etc.
  • Hardening: what ports and services are open/accessible.

So, how do we see organizations enforce their Gold Standard Configuration for their network devices?

  1. They write a long Word or Excel document and share it within the team hoping someone will use it.
  2. They write scripts that test some aspects of the gold config. Usually these scripts are written as a hobby and so aren’t maintained very well.
  3. They use tools like SolarWinds’s Orion NCM or TripWire, spending years of their life tuning those tools to look for certain configurations only to need to re-do all that once the product manufacturer decides to release the next major version.

indeni is here to make your life better:

Our software contains a layer that translates the output of queries into structured data. We call this “measurements” internally, but essentially each setting for each device is represented in a database in a manner that is completely agnostic to how it’s represented in the device’s own config files. So, for example, the settings for which NTP server to use appear similar to this for Cisco, Check Point Firewalls, F5 Load Balancers and Palo Alto Network Firewalls alike:
{measurement: ntp_server, host: pool.ntp.org version: 3}

So, that means that all you need to do is tell indeni what the NTP server needs to be, and indeni will regularly check the configuration 24/7/365 of all of your devices (or a group of them) irrespective of the manufacturer of those devices or the software they’re running. When the configuration doesn’t match your gold config, you’ll get an alert as well as see it on a weekly or monthly report. Saving you weeks of your life, every, single, year.

Achieve 99.9999% 45 minutes.

Try indeni

 

Leave a Reply