The recent T-Mobile data breach, reportedly facilitated by attackers gaining access to an unprotected router and from there into the network, could have been prevented through the use of network automation.\nIDS, IPS, SASE, and other newer technologies get a lot more attention, but automation is critical to modern network security. Here\u2019s a look at how automation should be used to enhance network security.\nSound network-device security practices\nEffective network operations depend on the triad of people, process, and technology. You need the right people with the right skills and the ability to do effective work, good policies and processes, and the right technology to make it happen. Automation is the technology that allows you to build repeatable processes to validate and enforce your network policies.\n\nAutomating the processes of device discovery and configuration validation allows you to enforce good network security by making sure that your devices and configurations not accidentally leaving any security holes open. Stated differently, the goal of automation is to guarantee that your network policies are consistently applied across the entire network. A router that\u2019s forgotten and left unsecured could be the avenue that bad actors exploit.\nOnce each device on the network is discovered, the automation system downloads its configurations and checks them against the configuration rules that implement your network policies. These policies range from simple things that are not security related, like device naming standards, to essential security policies like authentication controls and access control lists. The automation system helps deploy and maintain the configurations that reflect your policies.\n(There is one policy that isn\u2019t reflected in device configurations: minimizing variations in network design. For example, deployment of branch office networks would be specified by a single network design that includes details like device hardware, operating systems, and interfaces are used for each network link. This approach greatly simplifies their automation, making it easier to enforce good network security.\nApplying automation\nYou must know every device on your network because you can\u2019t manage what you don\u2019t know exists. While the security team may not want network scans because of the alarm traffic they generate, that\u2019s really the only way to identify everything on the network.\nThe scanning systems should check for easily guessed and default credentials. Network scans can use brute force ping sweeps, but a better approach is to use the neighbor tables that many protocols create. Routing neighbors are used to find other subnets while ARP tables and switch MAC address tables inform you of Layer 2 data-link neighbors. You can automate this network discovery using open-source tools like nmap or a variety of commercial ones. Note that you don\u2019t have to have a complete network discovery before starting the other phases of automation.\nA network-change and configuration-management (NCCM) system can use your network inventory to automate the backup of network-device configurations to a central repository. The NCCM system should include automated mechanisms to check for configuration changes, sometimes called configuration drift.\nThen for each device type create golden configurations that will ensure your network policies are enforced. You\u2019ll need an automated configuration-audit system to identify configurations that don\u2019t match your defined policies.\u00a0\nOf course, you\u2019ll need to remediate the configurations that don\u2019t adhere to your defined policies, and this is where more advanced products show their strengths. Look for products that can intelligently delete configuration statements as well as add new configuration elements. For example, making a change to an access control list in some products must follow a specific set of steps to arrive at the desired result. Also look for products that don\u2019t insist on managing the entire configuration. You want one that will manage only the configuration sections that you want to manage and leave the remaining parts of the configuration untouched. This is important functionality for adopting automation in a step-by-step process.\nAs your adoption of automation progresses, there will come a point when you\u2019ll want to eliminate manual configuration changes and have all device configurations performed through the automation system. The sooner you get to this point, the better. It will significantly improve the security of your network infrastructure.\nValidation\nOK, you\u2019ve adopted automation and think you have network security covered, but how do you know that you\u2019ve achieved the desired result? This requires validation testing. Look for products that scan your network from the global internet looking for security holes in your network and IT systems. Think of these products as outsourced automation.\nWithin your network, use automation to validate network state. This is different from configuration audits, which only validate that the configurations that are deployed are what you wanted to deploy. For example, are the set of BGP neighbors correct and are they in the established state? Has the root bridge of a spanning tree been properly located in the topology? Is network time protocol functioning correctly with the right set of peers? Can internal systems reach the internet when they should be isolated, a kind of inside-out test? Consider performing network state validation on a periodic basis.\nWhat does network automation cost?\nThe cost of network-automation systems is not insignificant and depends on a number of factors including network size, network complexity, personnel skills, and the products you are deploying.\nIt\u2019s hard to pitch buying products and subscriptions worth hundreds of thousands of dollars per year to business managers, but the alternative is dealing with the results of a breach. You may find it useful to talk about the cost in terms of employee full-time equivalents and point out the savings of not having to deal with ransomware or data theft. You can also note that automation makes business operations more stable by reducing the number of outages and more agile by being adaptable to changing business environments.\nAnother potentially useful approach is to discuss automation in the context of business-risk management. It often doesn\u2019t require much effort to use an external security scanner to identify security holes or a network-discovery tool to find unmanaged devices that pose a risk to the business. Automation can easily translate into a competitive advantage that\u2019s worth the investment.