0% found this document useful (0 votes)

17 views23 pages

NCM Best Practice

Uploaded by

emipauzel

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

17 views23 pages

NCM Best Practice

Uploaded by

emipauzel

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 23

Introduction

Network conﬁgurations are the backbone of any network. If your

conﬁgurations go down, they drag your entire network along with them,

costing you time and money. In order to avoid such mishaps, it's important

to track conﬁguration changes, have conﬁgurations backed up, and monitor

every nook and corner of your network 24x7. But wait—is it possible to do

all of this manually?

The repetitive, labor-intensive, and error-prone work of manually monitor-

ing conﬁgurations can be mentally and physically draining. In fact, according

to Dennis Drogseth, vice president of IT consulting ﬁrm EMA, "90 percent

of network problems can be traced to conﬁguration errors." While manual

conﬁguration management takes a toll on your business, external factors

like network outages can happen unexpectedly, causing even more damage.

How do you overcome these challenges and make sure your network conﬁg-

urations stay healthy? In this e-book, we'll take a look at some best practic-

es that can help IT admins ensure hassle-free network conﬁguration man-

agement.
Best practices for
better conﬁguration
management

1. Back up network
conﬁgurations regularly
to instantly recover from
network mishaps.
Human error is a major contributor to network disasters and, consequently,

downtime. Even with multiple layers of veriﬁcation at play, faulty

conﬁguration changes can still occur.These incorrect changes can

cause network issues, vulnerabilities, or a full-blown network

outage. Although comparing conﬁgurations with previous
versions and identifying errors is an option, it's time-consuming.
Here's how you can have a readily available fallback mechanism during

outages:

Make sure your running and startup conﬁgurations are in sync to

retain any changes made whenever your network is rebooted.

Perform conﬁguration backups on a scheduled or on-demand basis,

and ensure you have a backup of the latest version at all times.

Mark certain conﬁgurations as the best working conﬁguration based

on their stability and scalability.

During a network mishap, upload the stable version of the

conﬁguration and instantly restore your network.

By having a repository of network conﬁgurations, you don't have to spend a

whole lot of time troubleshooting an issue while the network remains

down.

Did you know?

According to Gartner's analysis, downtime can cost companies $5,600
per minute.
2. Implement role-based
access control (RBAC) to
prevent unauthorized
conﬁguration changes.
Network conﬁgurations are continuously changing in order to cater to new

requirements in your network. These changes can prove to be catastrophic

if not done right, and can even render your entire network inaccessible in

some cases. Here are a few techniques to prevent hazardous conﬁguration

changes by unauthorized users:

Assign roles and deﬁne scope for all technicians in your network.

Restrict certain technicians from accessing critical network devices.

Verify conﬁguration changes made by these users, and bar them from
directly applying those changes without your approval.

By enforcing ﬁne-grained access restrictions on critical network devices,

you can rest assured that your network is completely secure.

Did you know?

US firms have reduced downtime costs by practicing RBAC, saving
$298,000 per employee in the process.—NIST report
3. Keep track of the who,
what, and when of
configuration changes,
and get notified about
each change.
As configuration changes happen on a daily basis, it's difficult to document

every change. If you end up losing track of changes, it can have a major

impact on your network; this is especially true during outages, where you

will be left not knowing which conﬁguration change led to the outage. Let's

look at some of the best ways to manage conﬁguration changes:

Deploy a tool that will record every conﬁguration change that has been
made so you can easily identify and correlate events during an issue.

Maintain a list of all the changes that have been made, along with the
date, time, and name of the user who made the change.

Set up a change notiﬁcation system to get alerted when a change is

made to a particular device.

In case of outages, compare conﬁgurations with previous versions and

identify the change that caused the issue.

Managing conﬁguration changes and keeping track of them will give you the

leverage to keep unnecessary conﬁguration changes or users from

interrupting the otherwise smooth functioning of your network.

Did you know?

Gartner predicted that 80 percent of outages impacting
mission-critical services would be caused by people and process issues,
and more than 50 percent of those outages would be caused by
change/configuration/release integration and hand-off issues.
4. Automate mundane tasks,
and avoid frequent use of
command-line interface
(CLI) scripts.
When the need to fix faulty configurations or make changes in multiple

devices arises, network administrators often ﬁnd it to be physically draining

and time-consuming; imagine doing a simple conﬁguration change such as

enabling Simple Network Management Protocol (SNMP) on hundreds of

switches. On top of that, most admins use the difﬁcult and error-prone CLI

administration method to modify conﬁgurations, which can cause failure in

SNMP settings, misconﬁgurations in switch ports, etc. Here's how you can

ease the process:

Automate conﬁguration changes and set up a mechanism to apply them
in bulk.

Avoid repetitive change application by scheduling command execution

scripts.

Keep track of command execution (including the date and time) by

generating reports, which will be useful in analyzing trends in
conﬁguration modiﬁcation. For example: If your organization changes
passwords once every six months, you can change passwords in bulk,
and having a report about the change will help you identify when
passwords should be changed next.

Conﬁguration change automation can help you streamline labor-intensive

tasks, and works especially well for admins who wish to apply the same set

of changes to multiple devices.

Did you know?

Almost 43 percent of admins surveyed by Red Hat used CLI scripts on
individual devices to carry out changes, and around 48 percent
adopted automation to manage conﬁgurations.
5. Create policies based on
industry and government
compliance standards,
and conduct periodic checks
to prevent loopholes and
vulnerabilities.
With network resource security threats increasing every day, enterprises

have begun to implement standard safety practices and enforce internal

and external security policies to remain compliant with the latest industry

standards. However, many admins forget to carry out periodic compliance

checks, putting their network in danger. Here's how you can ensure your

network is safe from vulnerabilities:

Find out the compliance regulations followed in your country, and
adhere to their rules and standards to avoid violations.

Identify and follow the standards set in place by your organization by

checking with your organization's legal team.

Implement audit policies that track who accesses regulated data, and
keep logs that provide details regarding when, how, and by whom data
was accessed.

Run periodic compliance tests to ensure all devices adhere to the latest
regulations.

Most infrastructure must meet certain standards mandated by the

government. By complying with IT standards like HIPAA, SOX, and PCI DSS,

you can more easily avoid vulnerabilities and data breaches.

Did you know?

When a data breach occurs, companies take an average of 191 days to
realize it has happened. - A study by Ponemon Institute
6. Detect firmware
vulnerabilities in your
network, and periodically
upgrade firmware.
Firmware vulnerabilities can put your business and your
customers’ sensitive data at risk, leading to easy entry for hackers,
diminished sales, loss of reputation, and legal penalties. Many
admins are unaware of the vulnerabilities in their network, and
those that are aware undergo the tedious process of collecting the
vulnerability data of different vendors from external sources.
Here's how you can simplify the process:
Deploy a tool that can identify firmware vulnerabilities in the device
configurations in your environment.

Apply a suitable patch for any identiﬁed issues.

Periodically upgrade ﬁrmware to avoid loopholes.

Conduct vulnerability assessments at regular intervals.

Here are a few steps you can follow during the vulnerability
assessment:

By identifying potential threats in your network and applying

ﬁxes, you can prevent data breaches and ensure your information
is safe and secure.

Did you know?

"Company culture and overall attitude to security is a major
contribution to vulnerability to cyber attack through firmware."
- A study by ISACA
How Network
Configuration
Manager can help
1. Network configuration
backup
Network Configuration Manager provides a simple, affordable, one-step

solution for backing up updated conﬁguration ﬁles.

Here's how you can use Network Conﬁguration Manager's backup

mechanism to beneﬁt your organization:

Back up any number of devices or device groups with a single click, and
view the status of the backup process.

View the devices that have a conflict between running and startup
configurations after every backup, and instantly sync them using the
Sync Configuration option.

In case of a network mishap, upload a stable conﬁguration using

conﬁguration restoration, and bring your network back up and running
in seconds.

Schedule conﬁguration backup tasks, and get alerted when there is an

interruption or failure while backing up conﬁgurations.
2. Role-based access
control
Network Conﬁguration Manager helps you assign user roles and scope,

which can be vital in a multi-user network environment. Let's see how you

can achieve RBAC in your environment with Network Conﬁguration

Manager:

Assign access level roles such as "Administrator" and "Operator."

Deﬁne the scope of access for users to control the changes they can
make to the network.

Receive notiﬁcations when an operator makes a change to any

conﬁguration.

Review the change, and reject or approve it based on your network's

requirements and the necessity of the change.
3. Change management
Network Configuration Manager provides an efficient configuration change

management mechanism to keep you updated on all the changes made in

your network. Using this feature, you can:

See all the changes made in your network, along with the exact date
and time of each change.

View the details of the operator or admin who carried out a particular
change.

Get real-time change notiﬁcations in the form of emails, syslog

messages, SNMP traps, or trouble tickets.

Spot changes between the latest conﬁguration version and previous

versions using Diff View.

Activate the Rollback option on all critical devices, like core routers
and firewalls, to revert undesirable changes.
4. Automation with
configlets
With Network Configuration Manager, you can use configlets to automate

mundane conﬁguration tasks and make changes in multiple conﬁgurations.

Here's how you can achieve automation using conﬁglets:

Remotely upload a configuration file in multiple configurations.

Execute simple commands like changing passwords, enabling or

disabling SNMP, forwarding syslog messages, and changing interfaces.

Execute troubleshooting commands like synchronizing running and

startup conﬁgurations, as well as commands for access control.

Execute complex network commands like uploading OS images or

firmware upgrades, configuring banner messages, and deleting files
from flash.
5. Compliance auditing
Network Configuration Manager helps administrators audit network