Give Your Brownfield Network a Clean Sweep

Brownfield networks are a challenge under average circumstances and potentially a large insider threat under the worst of circumstances.

Brownfield networks are legacy networks that have been in service for such a long time they resemble the proverbial ball of yarn. Years of design and redesign, combined with a common “just get it running” operational mindset, create an infrastructure where no one person understands the true (not theoretical) network state.

Adding to the challenges are the ongoing flux of operational and personnel shifts that make it hard to keep track of access to critical systems and result in large security, operational and regulatory exposure. An IT employee, for example, may perform a routine change to one portion of the network and inadvertently create a security hole into another part of the network thereby making the entire network vulnerable to a black hat attack.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Brownfield networks are a challenge under average circumstances and potentially a large insider threat under the worst of circumstances.

Brownfield networks are legacy networks that have been in service for such a long time they resemble the proverbial ball of yarn. Years of design and redesign, combined with a common “just get it running” operational mindset, create an infrastructure where no one person understands the true (not theoretical) network state.

Adding to the challenges are the ongoing flux of operational and personnel shifts that make it hard to keep track of access to critical systems and result in large security, operational and regulatory exposure. An IT employee, for example, may perform a routine change to one portion of the network and inadvertently create a security hole into another part of the network thereby making the entire network vulnerable to a black hat attack.

It isn’t uncommon, after all, for someone to open a static route to a restricted resource during a maintenance window, and then forget to remove the route. Now the hole, innocently created, is open and potentially dangerous. Things like this happen all the time, especially where scripts or manual processes exist. To prevent this type of exposure, one might run an audit, but unless you are looking for that exact static route command, you would never know it was in the network.

The industry has started the process of addressing this real headache through the use of Compliance and Auditing tools, which by themselves provide substantial benefit. Compliance checks are designed to parse network configurations looking for the existence of specific configuration commands. In some cases, the query is as simple as, “Does this command exist; if not, notify me.” or the reverse “If this command does not exist, notify me.” The benefits are a clearly documented audit log, verifying configuration state, yet it does not represent the true network state.

The audit challenge is two-fold. First the audit is often a query using specific command syntax, meaning you have to know specifically what you are looking for and second, you have to ensure you use the correct vendor syntax as the audit criteria. As a result, compliance auditing alone does not address the exposures companies face due to years of legacy processes and impulse changes.

Critical to making a clean sweep, are intelligent, abstracted deletion routines. Imagine an implementation where, instead of viewing network configurations as CLI blobs, you instead represent same in a well formatted XML structure. This XML structure organizes your configurations with beginning and ending tags (e.g., <interface (abc)> </interface (abc)>).

You now have the context of all configuration information relevant to a particular interface (or anything else of your choosing). Now imagine a simple delete request where you say, “Delete interface (abc).” You no longer have to know what is configured on that interface, how much or how little; the delete routine removes everything resulting in a highly intelligent house cleaning mechanism without the requisite burden of knowing everything that was configured, interface by interface, box by box.