Network Configuration & Change Management using StableNet^®

StableNet^® – NCCM & VLM White Paper

Network infrastructure is evolving at an unprecedented rate and management of those systems has become a labor-intensive exercise. Unlike Fault and Performance Management, Network Configuration Change Management and (NCCM) Vulnerability & Lifecycle Management (VLM) have no common harmonized management methods or protocols.

This White Paper will provide you with an insight on how to address these mission-critical tasks in your network infrastructure.

Netflow Monitoring and Analysis Graphic Traffic Visualization

Discovery & Network Inventory

The StableNet^® discovery engine has a unique mechanism. When discovering a network, it intelligently prioritizes each device it discovers and assigns a weight value that automatically maps its hierarchical relationship and overall importance within the network topology. The discovery process includes the capability for extracting all of the devices hardware and software inventory data, including network relationship information.

Section 2.1 of the White Paper provides greater insight into the key features around the hardware, software, and network discovery. Detailed inventory reporting can be produced and scanning of lifecycle and vulnerability announcements can be analyzed and reported against

Device Configuration Backup

The configuration backup functionality of StableNet^® is a fully flexible system that supports multi-protocol access for entry into multi-vendor telecom, service provider and enterprise network infrastructures. Typically, StableNet^® is integrated with your authentication system, i.e. TACACS+, Radius, LDAP, where the access credentials are configured for StableNet^® to gain authenticated access into multi-vendor infrastructures. Device backup file formats supported include text-based configuration, typically found on Cisco, Juniper, Huawei, Brocade, and binary file formats typically found on Ixia, Bluecoat, and F5 infrastructure device types. StableNet^® also supports a number of access protocols in order to ensure every requirement access type is supported, i.e. SSH Telnet, TFTP, HTTP, HTTPS, XML etc.

Device Configuration Backup Key Feature Table:

Feature ID	Feature Type	Feature Description	Feature Supported
#1	Multi-Protocol support.	Multi-protocol functionality is enabled to support multi-access to a multi-vendor infrastructure environment. Protocols supported include: ‘Telnet, SSH-Telnet, TFTP, FTP, HTTP, HTTPS, XML, Perl, SNMP, SCP’	+
#2	Authenticated integration.	StableNet® fully supports authentication integration into industry standard authentication systems i.e. ‘TACACS+, RADIUS, LDAP’ the ability to integrate with other bespoke authentication systems is possible on request.	+
#3	Bulk and scheduled backup functionality.	StableNet® has a comprehensive in-built auto-scheduler whereby the configuration backups of an infrastructure can be configured to requirement & schedule. Backups can range from a single device to bulk backups of specific or entire infrastructures.	+
#4	Additional scripting for CLI command inclusion.	Additional scripting for CLI command inclusion into any backup job can also be fully customized i.e. Performing a series of ‘Show’ commands as part of the backup process for usage, tracking and health purposes.	+
#5	Text file-type supported.	Text file-type backups fully supported. Vendor types that use text based backups include Cisco, Juniper, Huawei, Brocade etc.	+
#6	Binary file-type supported.	Binary file-type backups fully supported. Vendor types that use binary based backups include Ixia, Bluecoat, F5 Networks etc.	+
#7	Archived storage support.	Full support for archiving of all backed-up configuration is optional, storage requirements need to be taken into consideration.	+
#8	Config backup compare.	Powerful compare configuration difference (config-Diff) is an enabled feature within the StableNet® NCCM allowing you to visualize what has been changed from the previous config to date, or simply comparing the start-up config to the running config etc. Additionally, any other pre-scripted config backup captures i.e. ‘Show’ type command config collections can also be compared in order to track usage, health, and degradation over time.	+
#9	Backup process operation notification/alerting.	When a backup job starts, ends or maybe fails operational and service type personnel may be required to be notified. Notification and alerting of backup events can be communicated via Email, SMS (if you have an available SMS gateway), and via the StableNet® GUI & Portal.	+
#10	Reporting & analytics.	Customized configuration backup reports can be created via the reporting theme within the StableNet® GUI. These reports can be HTTP or PDF type reports and are available to view either via the portal dashboard, or by simply opening the PDF document.	+

Configuration Change Management

The management of configuration change across large infrastructures is a policing minefield as engineers will argue that ad-hoc changes will always be necessary to bypass issues, or workaround solutions in order to maintain service availability and operation. While there is an argument around the pro’s and con’s for ‘on-the-fly’ changes, the simple fact remains that infrastructures today can attribute over 40% of downtime to unauthorized change. Therefore, organizations need to transform their policies and processes to implement greater secure control around all changes made to the infrastructure.

Enabling of Real-Time Configuration Change Detection

Configuration compliance policy for SNMP and syslog is essential for the assurance of receiving notifications of changes to device configuration. Unauthorized configuration changes are common practice within all sizes of business and so it is extremely important to have the necessary controls in place to notify and mitigate if a change was committed, what devices the change was committed to, and who performed the change. By having the ability to perform these key actions, you will be able to remediate known changes with ease, control your infrastructure estate with a higher degree of knowledge of what is being changed, correlate actual change configuration with approved change control processes, and maintain a higher level of service availability as a direct result of having this practice in place.

StableNet^® NCCM Structure

Bulk Configuration Change

Automation is the important task in IT operations nowadays. IT managers are always looking for automating repetitive and time-consuming tasks in order to reduce operational cost and improve productivity. StableNet^® NCCM supports you in this task by automating bulk configuration and change management for network devices. Tasks can be scheduled and configuration changes can be executed for individual or groups of network devices. It is possible to alert on configuration change or policy failures and restore a known-good configuration as required.

Policy Checking

Governments and industry regulators require organizations to conform to standard best practices. In order to become compliant with these regulations such as PCI, ISO27001, FCAPS, ITIL, SOX, HIPPA, and others, device configuration should conform to these standards. These standards can range from a number of different requirements such as ensuring the presence, or absence, of certain strings, commands, or values. StableNet® assists greatly with this regulatory requirement automatically checking for compliance to the rules defined. Reports on policy compliance and violations are available out-of-the-box.

Many organizations today have configuration and security policy rules that require compliance checking to ensure consistency with design standards, processes, and directives with internal and external regulators. Using manual processes is not recommended, as it is time-intensive, costly, inaccurate and more importantly, your business could be at risk and open to potential attacks through not having the desired real-time visibility.

The policy compliance and governance engine within the NCCM module of StableNet^® allows corporations to create policies electronically in order to scan/analyze configurations of the infrastructure environment so as to produce accurate and timely compliance and violation reporting analytics.

StableNet^® NCCM Policy Compliance

Configuration policies bring together a set of devices and apply a set of rules. This approach means that an entire service type can have specific policies applied so as to ensure consistent service delivery, change, and compliance. These rules can be based on simple text ‘strings’ to finding items present or missing in configuration files; powerful configuration snippets with ‘section’ matching and ‘regular expression’ searching; or advanced scripting languages (i.e. XML, Perl). Uniquely, the same rule can be created for different vendor hardware using the same identifier, meaning an organization can create a single corporate policy within Infosim^® StableNet^® NCCM to reflect all hardware vendor equipment simplifying reports into a single view. Whether you need to meet PCI, ITIL, FCAPS, ISO27001, SOX, NSA Security Guidelines, or other business continuity or regulatory standards, StableNet^® can help greatly with simplifying the process, drastically reduce your risk, and drive compliance consistency throughout your infrastructure ensuring sustained levels of service availability.