Advanced Configuration Validation
Clockspring developed a novel mechanism that helped a large organization implement cybersecurity measures to better monitor traffic on thousands of network devices across hundreds of sites. The Security and Network Operations teams had been working for multiple years to roll out updated hardware and configurations to meet the requirements. Network Ops stated that the project was complete and met all requirements, but Security Ops noticed gaps in its monitoring and had limited staff and visibility to validate the network staff's claims of completion.
Thousands of devices with hundreds of thousands of network interfaces needed to have their configurations validated to ensure that they were reporting the data correctly to fulfill the monitoring requirements.
With limited staff, seemingly unlimited amounts of configuration data to analyze, and the security of the organization at the heart of the problem, Clockspring was brought in to assess the environment.
Challenge
The major challenge was the lack of visibility between the teams. The Gigamon team had requirements to monitor traffic and was wholly dependent on the network team applying the correct configurations, but had no way to validate that everything was configured correctly. Queries to the networking team were met with assurances that the correct configs were in place, while the data on the ground hinted that not everything was configured correctly.
Solution
Clockspring was tasked with performing an enterprise-wide audit of the network devices to ensure that the switching infrastructure was configured correctly to send the required traffic to the Gigamon network devices. To do so, the task was split into discrete activities:
- Gather network device configs
  - Fortunately, the customer already had a system in place that stored the latest running configuration of every network device, which made this step easy. Clockspring simply connected to that system's API and pulled down each configuration file to begin parsing the data.
- Extract the pertinent data
  - Validation needed to be done on a port-by-port basis. Using Clockspring's processor functionality, each configuration was split up, with the relevant information stored as attributes that could then be used to validate that the proper configuration was in place.
- Report on findings
  - Once the data was available, it was shipped to the SIEM for easy consumption through a dashboard. This dashboard grouped every device, broke down the configured ports, and listed whether each port was, or was not, properly configured to be mirrored to a Gigamon appliance. By sending simple-to-parse messages to the SIEM, this data can be used by the Network Operations and Security Operations teams for an at-a-glance validation of every applicable port on every configured device throughout the network.
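As an added illustration of the three steps above (not Clockspring's processor, whose internals the page does not describe), the following Python parses constructed IOS-style running configs for mirror (SPAN) sessions, classifies every interface as mirrored, a mirror destination, a source whose session has no destination, or not mirrored, and emits one flat JSON record per port for a SIEM. The device names, config syntax and status labels are assumptions.

```python
import json
import re
CONFIGS = {  # constructed IOS-style config fragments, not real customer data
    "sw-site01-a": (
        "interface GigabitEthernet1/0/1\n!\ninterface GigabitEthernet1/0/2\n!\n"
        "interface GigabitEthernet1/0/48\n description to-gigamon\n!\n"
        "monitor session 1 source interface Gi1/0/1 - 2 both\n"
        "monitor session 1 destination interface Gi1/0/48\n"
    ),
    "sw-site02-b": (  # session has a source but no destination: nothing leaves the switch
        "interface GigabitEthernet1/0/1\n!\ninterface GigabitEthernet1/0/2\n!\n"
        "monitor session 1 source interface Gi1/0/1 rx\n"
    ),
}
IFACE_RE = re.compile(r"^interface (\S+)", re.M)
SRC_RE = re.compile(r"^monitor session (\d+) source interface (.+?)(?: (?:rx|tx|both))?$", re.M)
DST_RE = re.compile(r"^monitor session (\d+) destination interface (\S+)", re.M)

def short(name):  # normalise 'GigabitEthernet1/0/1' and 'Gi1/0/1' to one key
    m = re.match(r"([A-Za-z]{2})[A-Za-z-]*(\d\S*)", name)
    return m.group(1) + m.group(2) if m else name

def expand(spec):
    """Expand a source list such as 'Gi1/0/1 - 3 , Gi1/0/7' into single ports."""
    ports = []
    for part in spec.split(","):
        m = re.match(r"\s*(\S*?)(\d+)\s*-\s*(\d+)\s*$", part)
        if m:
            ports += [short(f"{m.group(1)}{i}") for i in range(int(m.group(2)), int(m.group(3)) + 1)]
        else:
            ports.append(short(part.strip()))
    return ports

def audit(config):
    """Classify every configured interface by its mirror (SPAN) status."""
    dests = {sess: short(d) for sess, d in DST_RE.findall(config)}
    sources = {p: sess for sess, spec in SRC_RE.findall(config) for p in expand(spec)}
    status = {}
    for key in (short(i) for i in IFACE_RE.findall(config)):
        if key in dests.values():
            status[key] = "mirror-destination"
        elif key in sources:
            status[key] = "mirrored" if sources[key] in dests else "source-no-destination"
        else:
            status[key] = "not-mirrored"
    return status

def siem_events(device, config):  # one flat JSON line per port for the SIEM dashboard
    return [json.dumps({"device": device, "port": p, "status": s}) for p, s in audit(config).items()]
```

Feeding every device's config through `siem_events` yields the per-port rows the dashboard groups by device; the "source-no-destination" case is the one that looks configured at a glance but delivers no traffic to the appliance.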
Impact
After further review of the now manageable data, it was determined that some devices were configured as desired, some devices had a few missing configuration items, and some devices had no appropriate configuration items at all. This makes gaps easy to identify with no need to write custom code or parsers and no additional engineering or project staff to manually review thousands of devices, and all the data can now be refreshed, reviewed, and acted upon on a daily or weekly basis as the organization needs.
It is possible to apply this approach to numerous other configurations across any type of device as well, such as ACLs, SNMP, routing, or other network-specific configuration items. Perhaps you just want to validate monthly that your devices, or a subset of your devices, have 1 or 2 lines present in their configurations. Processing large datasets can be done with ease and is not limited to network devices or configurations; the data may be database centric, API centric, or even file systems and network shares with tens of thousands of files.
Using Clockspring you can eliminate the need for manual verification, reduce the error rate of this process to near 0, and ensure continuous compliance across your enterprise through an automated process without any custom code to maintain.