Network administrators rely on configuration policies to maintain network health, compliance, performance, and security. Adhering to this configuration minimizes risks and ensures business continuity. However, many enterprises experience “configuration drift.” For a global network administration team, config drift is further complicated by distributed teams, time zones, and geographies.
Configuration drift creates significant vulnerabilities and is a frequent cause of security breaches and outages. As such, preventing it is critical to network and security operations teams.
What Is Configuration Drift?
Let’s start with the basics. What is configuration drift really, and why does it happen?
Many network administrators use a “Golden Config” or master configuration policy to monitor network configuration compliance, network health, performance, and security. If this configuration were adhered to, the network would behave as intended, and security risks would be minimal.
The problem is that networks are rarely static, and the modern hybrid multi-cloud enterprise network consists of thousands of devices (routers, firewalls, switches) and billions of lines of code. Just like a plumber or electrician might make an update to a house to solve a problem without noting it in a master blueprint, network and security engineers often make ad hoc modifications to solve immediate problems, changes that are rarely documented.
“Drift” happens when gradual changes cause the network to “drift” away from the prescribed configuration, introducing risks to security and performance over time. One team might implement changes that other teams are unaware of, complicating troubleshooting when network issues arise, and each update represents an opportunity for human error that takes the network out of compliance.
Staying on Top of Configuration Drift
Network and security teams try to stay on top of configuration drift by conducting regular compliance and security audits, but they can take weeks or longer and introduce more manual work and more opportunities for user error. It’s almost impossible to detect configuration drift unless there’s been a security incident or outage.
The answer, unfortunately, has generally been to add more “useful” tools, but engineers are drowning in data that provides specific details but lacks the context to communicate an overall picture of network health and a comprehensive view of behavior and vulnerability. They need current, actionable data that streamlines decision-making and simplifies reporting.
Precise change tracking can help streamline configuration drift prevention and reduce data noise by providing engineers with specific, actionable data. Network changes can be linked back to specific times and users, and network administrators can track these modifications and revert to previous configurations if problems occur. This type of approach increases overall visibility and breaks down silos across teams as each is empowered to access the network information they need to pinpoint and address any compliance issues.
Improve Net Reliability by Tracking and Verifying Changes
Network digital twins regularly collect state and configuration data from every device on the network to create a virtual, accurate copy of the network, capable of tracing every potential path a packet can take. Additionally, the technology empowers engineers to create verification checks that will alert the Network Operations Center in the event changes take the network out of compliance.
These checks ensure that changes do not break connectivity or conflict with network policy. Each collection is stored as a snapshot, which can be used to track differences that highlight the changes made between collections. This provides administrators with a detailed view of every change made in an easy-to-read format. In the event of an incident, it will be easy to determine which changes were responsible and remediate the issue quickly.
A Final Word on Taming Configuration Drift
A financial institution planned to upgrade its firewalls. They closed the network on Friday night and used a network digital twin to take a snapshot documenting connectivity and network behavior. After the firewall upgrade is completed, the institution takes another digital twin snapshot of the network to see if connectivity has been unintentionally disrupted. In the past, the network team would have to script and test the software manually, and the verification team would test firewalls. Digital twin technology automatically verifies and validates that the network is behaving the same as it was before the upgrade.
This is an automated way to double check that software upgrades don’t break the connectivity and policies of a network and prevent configuration drift. It also provides a historical network configuration analysis that can be used as proof of compliance during a network audit.