Network World - Brownfield networks are a challenge under average circumstances and potentially a large insider threat under the worst of circumstances.
Brownfield networks are legacy networks that have been in service for such a long time they resemble the proverbial ball of yarn. Years of design and redesign, combined with a common "just get it running" operational mindset, create an infrastructure where no one person understands the true (not theoretical) network state.
Adding to the challenges are the ongoing flux of operational and personnel shifts that make it hard to keep track of access to critical systems and result in large security, operational and regulatory exposure. An IT employee, for example, may perform a routine change to one portion of the network and inadvertently create a security hole into another part of the network thereby making the entire network vulnerable to a black hat attack.
It isn't uncommon, after all, for someone to open a static route to a restricted resource during a maintenance window, and then forget to remove the route. Now the hole, innocently created, is open and potentially dangerous. Things like this happen all the time, especially where scripts or manual processes exist. To prevent this type of exposure, one might run an audit, but unless you are looking for that exact static route command, you would never know it was in the network.
The industry has started the process of addressing this real headache through the use of Compliance and Auditing tools, which by themselves provide substantial benefit. Compliance checks are designed to parse network configurations looking for the existence of specific configuration commands. In some cases, the query is as simple as, "Does this command exist; if not, notify me." or the reverse "If this command does not exist, notify me." The benefits are a clearly documented audit log, verifying configuration state, yet it does not represent the true network state.
The audit challenge is two-fold. First the audit is often a query using specific command syntax, meaning you have to know specifically what you are looking for and second, you have to ensure you use the correct vendor syntax as the audit criteria. As a result, compliance auditing alone does not address the exposures companies face due to years of legacy processes and impulse changes.
Critical to making a clean sweep, are intelligent, abstracted deletion routines. Imagine an implementation where, instead of viewing network configurations as CLI blobs, you instead represent same in a well formatted XML structure. This XML structure organizes your configurations with beginning and ending tags (e.g., <interface (abc)> </interface (abc)>).
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
