Gold Standard Configuration for Network Devices

 

Network and security teams in large enterprises spend quite a bit of time defining their “Gold Standard Configuration” for network devices – a checklist of how all of their devices should be configured. Some of the items on the checklist are operational (what hotfix you have installed) while some are for compliance (which users are defined). Either way, it’s apparently very difficult to stay on top of this checklist without indeni, as we’ve discovered from our customers. Items on the list include things like:

  • Software version in use – enterprises try to standardize on certain versions to reduce unexpected events and increase usability (if all of the devices made by a given manufacturer behave the same, it’s easier to manage them). In some cases, they even standardize on certain hotfixes.
  • OS-level settings: users defined, SNMP monitoring and syslog servers, authentication settings, NTP, etc.
  • Hardening: what ports and services are open/accessible.

So, how do we see organizations enforce their Gold Standard Configuration for their network devices?

  1. They write a long Word or Excel document and share it within the team hoping someone will use it.
  2. They write scripts that test some aspects of the gold config. Usually these scripts are written as a hobby and so aren’t maintained very well.
  3. They use tools like SolarWinds’s Orion NCM or TripWire, spending years of their life tuning those tools to look for certain configurations only to need to re-do all that once the product manufacturer decides to release the next major version.

indeni is here to make your life better:

Our software contains a layer that translates the output of queries into structured data. We call this “measurements” internally, but essentially each setting for each device is represented in a database in a manner that is completely agnostic to how it’s represented in the device’s own config files. So, for example, the settings for which NTP server to use appear similar to this for Cisco, Check Point Firewalls, F5 Load Balancers and Palo Alto Network Firewalls alike:
{measurement: ntp_server, host: pool.ntp.org version: 3}

So, that means that all you need to do is tell indeni what the NTP server needs to be, and indeni will regularly check the configuration 24/7/365 of all of your devices (or a group of them) irrespective of the manufacturer of those devices or the software they’re running. When the configuration doesn’t match your gold config, you’ll get an alert as well as see it on a weekly or monthly report. Saving you weeks of your life, every, single, year.

Achieve 99.9999% 45 minutes.

[button size=”medium” style=”primary” text=”Try indeni” link=”/create-a-smarter-network-in-just-45-minutes-no-agents/””]

 

Related content

Simplify NIS2 compliance with DNS management

Learn whether the EU’s NIS2 requirements apply to your organization and about how DNS management and BlueCat can boost your path to compliance.

Read more

Detect anomalies and CVE risks with Infrastructure Assurance 8.4 

The Infrastructure Assurance 8.4 release features an anomaly detection engine for outliers and a CVE analysis engine to uncover device vulnerabilities.

Read more

Get fast, resilient, and flexible DDI management with Integrity 9.6

With Integrity 9.6, network admins can get support for new DNS record types, architect and configure multi-primary DNS, and automate IP assignments.

Read more

Deepen your security insight with Infrastructure Assurance 8.3

BlueCat Infrastructure Assurance 8.3, with an enhanced analytics dashboard, including interactive widgets and top 10 alerts, is now available.

Read more

BlueCat to acquire LiveAction

BlueCat adds LiveAction’s network observability and intelligence platform, which helps large enterprises optimize the performance, resiliency, and security of their networks.