Hidden Threat on Corporate Nets: Misconfigured Gear
An invisible security weakness is lurking in most corporate networks in the form of millions of lines of code that represent the configuration scripts for all the devices on the network.
Mon, June 08, 2009
Network World — An invisible security weakness is lurking in most corporate networks in the form of millions of lines of code that represent the configuration scripts for all the devices on the network.
With corporate networks averaging 15 devices for every 100 users, ensuring accurate configurations has become a major challenge for network managers. Until now, manual processes or home-grown tools were the only options for configuration debugging.
Enter Telcordia, which is selling a new product called IP Assure that automatically debugs the configurations on IP devices including routers, switches, firewalls and load balancers. IP Assure checks configurations for 750 parameters to ensure accuracy, implementation of best practices and compliance with an organization's security policies.
Rajesh Talpade, chief scientist with Telcordia, says misconfigured network gear is a universal problem. When Telcordia analyzed 1,500 multi-vendor routers, switches and firewalls on eight corporate networks, it found errors in all the devices.
"We’ll ask a company to give us 50 configuration files that we'll analyze at no cost," Talpade says. "We always find something wrong."
Misconfigured network gear represents a major security threat. Gartner estimates that 65% of cyberattacks exploit misconfigured systems.
Network performance and reliability also are affected by misconfigured gear, with Yankee Group estimating that 62% of IP network downtime is due to configuration errors.
The most common configuration mistakes are holes in firewalls, backup links that don't work, VPN tunneling errors that expose data to the Internet, and inconsistent settings that impact quality of service for voice traffic.
"Network managers don't have a good way of checking configurations, and the impact on network security and reliability is not immediately felt," Talpade says.
IP Assure can detect all of these errors and many more, Telcordia says. IP Assure is available as software at $150 per device, or in a software-as-a-service subscription model.
Available for 10 months, IP Assure has already attracted a major customer: the U.S. Securities and Exchange Commission, which is using the software to create an auditing trail to meet its network security reporting requirements.
Telcordia says the problem of misconfigured gear requires a new class of software -- not just the existing Network Configuration and Change Management (NCCM) tools available from HP, EMC, Cisco, BMC and others. IP Assure integrates with NCCM tools, which track changes to network configurations rather than finding errors.
"The differentiators for IP Assure are the depth of the analysis it performs on the configurations…and the breadth of devices we analyze," Talpade says. "Also, we’re completely Web based. We use a distributed model so our data can be accessed by different groups like network administrators, network engineers and the security team over the Web."
Talpade says awareness of the network device configuration problem is growing among CIOs.
"This issue was not well understood a year ago, but now we're seeing that CIOs are more aware," Talpade says. "When we tell them they have 10 millions of lines of code on their networks that are not debugged and not tested, they tend to sit up and take notice.
