To best visualize how an enterprise network has changed over the past few years, all an administrator must do is open their network traffic monitoring tool and view the drastic shift in data flows across the LAN, WAN, and network edge. While a significant portion of these data flow shifts have occurred due to modified work-from-home policies over the past 18 months, other changes came about through planned cloud and edge computing migrations. Adapting to these changes elevates the importance of network configuration audits.
Why? In many instances, network administrators correctly adjusted switching, routing, and firewall configurations to conform to how users and devices now communicate. But while these modifications were made, the old and obsolete commands they superseded were often never removed and still linger. Although these configurations can lie dormant and many are benign from a performance/security perspective, they create confusion that often leads to missteps down the road. For this reason, it has become more critical than ever to perform a thorough network configuration audit so that obsolete configurations can be removed and the network can be easily understood and trusted by all network operations and administration staff. Let’s look at some examples of where out-of-date configurations are commonly found to give you a head start on your network auditing process.
- Switches: Virtual LANs (VLANs) that have either been consolidated or are no longer needed tend to stay in switch configurations longer than necessary. This is especially true in data centers that have been downsized due to migrating apps, data, and digital services to cloud computing platforms. Trunked uplinks that manually specify which VLANs can traverse the connection should also be reviewed and pruned, if necessary.
- Routers: While most networks use dynamic routing protocols to automatically maintain an up-to-date view of the optimal paths across a network, it’s not uncommon to find static routes configured on one or more routers/layer 3 switches. Over time, these network destinations change or move – yet the static routes are forgotten. This can lead to a situation where the IP subnet listed in the static route is reused somewhere else in the corporate LAN or WAN. If this occurs, parts of the network may be unable to reach the newly formed subnet because the stale static route still diverts that traffic toward the old next hop. Similarly, access lists and policies are commonly configured on routers to restrict who can reach devices on a particular subnet. Even if the network or switch virtual interface (SVI) is removed, the access list configurations might remain. This clutters the router configuration and sometimes confuses the administrators who manage it.
- Firewall rules: By and large, firewall configurations are more closely monitored and maintained than network switch and router configurations. However, some administrators opt to disable firewall rules and interfaces rather than deleting them outright. While this is an understandable practice, since re-enabling the configuration is a matter of a few clicks – disabled configurations have a way of staying around for weeks, months, or even years. This can lead to a scenario where an administrator inadvertently re-enables a disabled rule, leading to unnecessary threat exposure.
- Site-to-site VPN tunnels: When it comes to VPN tunnels, configuration issues take one of two forms. The first is when a site-to-site VPN setup is disabled/deleted on one side of the tunnel while the configuration remains enabled on the other. This issue can easily be resolved by identifying the defunct VPN configuration commands and deleting them. The other common site-to-site VPN audit issue is when administrators build multiple tunnels for networks with the same source and destination endpoints. When these are identified in an audit, the usual fix is to consolidate the networks that need to be reachable between the two locations into a single site-to-site tunnel configuration.
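The switch, router, and ACL checks described above can be automated against an exported running configuration. The script below is an added example, not code from the original article or from any vendor tool; it parses a constructed, simplified IOS-style configuration (the `SAMPLE_CONFIG` text and every address in it are made up for the example) and reports VLANs with no access port or SVI, trunks that still carry those VLANs, access lists that are defined but never applied, and static routes that overlap a locally connected subnet. The parsing rules are an assumption that covers only the command forms shown; a production audit would need the full vendor syntax.

```python
import ipaddress
import re

# Constructed sample configuration (not from any real device), IOS-style syntax.
SAMPLE_CONFIG = """\
vlan 10
 name USERS
vlan 20
 name OLD-DC
vlan 30
 name LAB
interface GigabitEthernet1/0/1
 switchport access vlan 10
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group ACL-USERS in
interface Vlan30
 ip address 10.1.30.1 255.255.255.0
ip access-list extended ACL-USERS
 permit ip any any
ip access-list extended ACL-OLD-DC
 deny ip any any
ip route 10.1.0.0 255.255.0.0 10.1.10.254
ip route 192.168.50.0 255.255.255.0 10.1.10.254
"""


def parse_blocks(text):
    """Group the config into (header, [child lines]) blocks: a non-indented
    line starts a block, indented lines belong to the block above it."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def expand_vlan_list(spec):
    """Expand a trunk allowed-list such as '10,20-22,30' into a set of ids."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def audit_config(text):
    """Return a list of human-readable findings about stale configuration."""
    findings = []
    defined_vlans, used_vlans, trunk_allowed = {}, set(), {}
    connected = []            # (interface, network) for every addressed interface
    defined_acls, applied_acls = set(), set()
    static_routes = []        # (destination network, next hop)

    for header, body in parse_blocks(text):
        if header.startswith("vlan "):
            vid = int(header.split()[1])
            name = next((l.split(" ", 1)[1] for l in body if l.startswith("name ")), "")
            defined_vlans[vid] = name
        elif header.startswith("interface "):
            iface = header.split(" ", 1)[1]
            svi = re.fullmatch(r"Vlan(\d+)", iface)
            if svi:                      # an SVI counts as a use of the VLAN
                used_vlans.add(int(svi.group(1)))
            for line in body:
                if line.startswith("switchport access vlan "):
                    used_vlans.add(int(line.split()[-1]))
                elif line.startswith("switchport trunk allowed vlan "):
                    trunk_allowed[iface] = expand_vlan_list(line.split()[-1])
                elif line.startswith("ip address "):
                    _, _, addr, mask = line.split()
                    connected.append((iface, ipaddress.ip_network(f"{addr}/{mask}", strict=False)))
                elif line.startswith("ip access-group "):
                    applied_acls.add(line.split()[2])
        elif header.startswith("ip access-list "):
            defined_acls.add(header.split()[-1])
        elif header.startswith("ip route "):
            _, _, dst, mask, nexthop = header.split()[:5]
            static_routes.append((ipaddress.ip_network(f"{dst}/{mask}"), nexthop))

    # Switch checks: VLANs nobody uses, and trunks that still carry them.
    for vid, name in sorted(defined_vlans.items()):
        if vid not in used_vlans:
            findings.append(f"vlan {vid} ({name}) is defined but has no access port or SVI")
    for trunk, allowed in trunk_allowed.items():
        stale = sorted(allowed - used_vlans)
        if stale:
            findings.append(f"{trunk} trunks unused VLAN(s) {stale}; prune the allowed list")
    # Router checks: orphaned ACLs and static routes that shadow connected subnets.
    for acl in sorted(defined_acls - applied_acls):
        findings.append(f"access-list {acl} is defined but never applied")
    for net, nexthop in static_routes:
        for iface, local in connected:
            if net.overlaps(local):
                findings.append(f"static route {net} via {nexthop} overlaps connected {local} on {iface}")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit flags VLAN 20 and the trunk that still allows it, the never-applied `ACL-OLD-DC`, and the `10.1.0.0/16` static route that overlaps both connected SVI subnets; the `192.168.50.0/24` route is left alone. Each finding is a candidate for the change-control record described below, not an automatic deletion.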
Have a plan, execute and document!
Because of the massive shift in how enterprise networks are used today compared to just a few years ago, there are likely any number of configurations on a network appliance that are no longer needed and are ripe for removal. The key for those who wish to perform network configuration audits is to come in with a specific game plan and execute it methodically. Additionally, proper audit and change control documentation must be created to record which configurations were earmarked for deletion and why. This creates an audit trail that can be referenced in the event that an in-use configuration command was accidentally removed.