How and why automation can improve network-device security

The recent T-Mobile data breach, reportedly facilitated by attackers gaining access to an unprotected router and from there into the network, could have been prevented through the use of network automation.

IDS, IPS, SASE, and other newer technologies get a lot more attention, but automation is critical to modern network security. Here’s a look at how automation should be used to enhance network security.

Sound network-device security practices

Effective network operations depend on the triad of people, process, and technology. You need the right people with the right skills and the ability to do effective work, good policies and processes, and the right technology to make it happen. Automation is the technology that allows you to build repeatable processes to validate and enforce your network policies.

Automating the processes of device discovery and configuration validation allows you to enforce good network security by making sure that your devices and configurations not accidentally leaving any security holes open. Stated differently, the goal of automation is to guarantee that your network policies are consistently applied across the entire network. A router that’s forgotten and left unsecured could be the avenue that bad actors exploit.

Once each device on the network is discovered, the automation system downloads its configurations and checks them against the configuration rules that implement your network policies. These policies range from simple things that are not security related, like device naming standards, to essential security policies like authentication controls and access control lists. The automation system helps deploy and maintain the configurations that reflect your policies.

(There is one policy that isn’t reflected in device configurations: minimizing variations in network design. For example, deployment of branch office networks would be specified by a single network design that includes details like device hardware, operating systems, and interfaces are used for each network link. This approach greatly simplifies their automation, making it easier to enforce good network security.

Applying automation

You must know every device on your network because you can’t manage what you don’t know exists. While the security team may not want network scans because of the alarm traffic they generate, that’s really the only way to identify everything on the network.

The scanning systems should check for easily guessed and default credentials. Network scans can use brute force ping sweeps, but a better approach is to use the neighbor tables that many protocols create. Routing neighbors are used to find other subnets while ARP tables and switch MAC address tables inform you of Layer 2 data-link neighbors. You can automate this network discovery using open-source tools like nmap or a variety of commercial ones. Note that you don’t have to have a complete network discovery before starting the other phases of automation.

A network-change and configuration-management (NCCM) system can use your network inventory to automate the backup of network-device configurations to a central repository. The NCCM system should include automated mechanisms to check for configuration changes, sometimes called configuration drift.

Then for each device type create golden configurations that will ensure your network policies are enforced. You’ll need an automated configuration-audit system to identify configurations that don’t match your defined policies. 

Of course, you’ll need to remediate the configurations that don’t adhere to your defined policies, and this is where more advanced products show their strengths. Look for products that can intelligently delete configuration statements as well as add new configuration elements. For example, making a change to an access control list in some products must follow a specific set of steps to arrive at the desired result. Also look for products that don’t insist on managing the entire configuration. You want one that will manage only the configuration sections that you want to manage and leave the remaining parts of the configuration untouched. This is important functionality for adopting automation in a step-by-step process.

As your adoption of automation progresses, there will come a point when you’ll want to eliminate manual configuration changes and have all device configurations performed through the automation system. The sooner you get to this point, the better. It will significantly improve the security of your network infrastructure.

Validation

OK, you’ve adopted automation and think you have network security covered, but how do you know that you’ve achieved the desired result? This requires validation testing. Look for products that scan your network from the global internet looking for security holes in your network and IT systems. Think of these products as outsourced automation.

Within your network, use automation to validate network state. This is different from configuration audits, which only validate that the configurations that are deployed are what you wanted to deploy. For example, are the set of BGP neighbors correct and are they in the established state? Has the root bridge of a spanning tree been properly located in the topology? Is network time protocol functioning correctly with the right set of peers? Can internal systems reach the internet when they should be isolated, a kind of inside-out test? Consider performing network state validation on a periodic basis.

What does network automation cost?

The cost of network-automation systems is not insignificant and depends on a number of factors including network size, network complexity, personnel skills, and the products you are deploying.

It’s hard to pitch buying products and subscriptions worth hundreds of thousands of dollars per year to business managers, but the alternative is dealing with the results of a breach. You may find it useful to talk about the cost in terms of employee full-time equivalents and point out the savings of not having to deal with ransomware or data theft. You can also note that automation makes business operations more stable by reducing the number of outages and more agile by being adaptable to changing business environments.

Another potentially useful approach is to discuss automation in the context of business-risk management. It often doesn’t require much effort to use an external security scanner to identify security holes or a network-discovery tool to find unmanaged devices that pose a risk to the business. Automation can easily translate into a competitive advantage that’s worth the investment.