Part one of a three-part series by guest Terry Slattery, CCIE #1026, NetCraftsmen
“If you can’t measure it, you can’t manage it.” – Peter Drucker
This famous statement from one of corporate management's visionaries sums up the importance of a good inventory for network configuration management. You must know what is in a network before you can manage it, and the inventory must be complete and accurate. A device that is missing from the inventory is one that nobody is monitoring, patching or holding to the configuration standard, and it can give a black-hat attacker a path to unauthorized access to the network. In addition to knowing your authorized network devices like the back of your hand, you will also want to identify rogue devices: unauthorized network hardware, firmware or software, such as wireless access points and switches under desks. As many network executives, architects and operations teams know, these are real-world vectors for cyber-attacks and data theft.
The process of conducting network inventory consists of several steps, typically performed by different systems:
- Device discovery
- Hardware and software inventory
- Using the inventory data to drive best practices
Network devices can be identified in several ways. Manually tracking assets is one way, but it doesn't scale well, and because it records only what someone remembers to enter, a device installed without authorization simply never appears in the list.
A better method is to use a network discovery tool such as nmap. Many simple automated tools rely on brute-force discovery mechanisms such as ping sweeps. Ping sweeps won't work in the huge address space provided by IPv6, where a single /64 subnet contains 2^64 addresses.
The best method, which works for both IPv4 and IPv6 networks, is to use SNMP or the command-line interface to query network devices and discover their neighbors. This mechanism identifies network devices such as routers, switches, firewalls, and load balancers. Each neighbor can be either a network device or an endpoint such as a workstation, mobile device, or server, so the system needs to focus on identifying the network devices. The ideal system starts with a few seed routers, identifies neighboring network devices by their presence in routing tables, address resolution (ARP/ND) tables, and switch forwarding tables, and then repeats the process from each newly found network device until no new ones appear.
Ideally, the network discovery process should be run at least once a week to identify devices that join and leave the network. Network connectivity problems can make devices unreachable, so an additional means is needed to verify that a device has actually left the network rather than being temporarily offline.
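As an added example (not code from the article or from Gluware), here is the seed-and-walk discovery described above in Python, run against a constructed in-memory stand-in for SNMP responses so it executes offline. The addresses, community strings and table contents are made up; the host at 10.0.1.99 represents an access point plugged in under a desk that answers SNMP only with a vendor default community, so the managed credentials are rejected and it is reported as a rogue candidate. The diff at the end shows the weekly join/leave comparison.

```python
from collections import deque

# Constructed sample data (not from the article): what SNMP or CLI queries
# would return from each device. Each entry is (community string the device
# accepts, neighbor tables). Hosts absent from this table run no SNMP agent
# at all and are treated as endpoints. 10.0.1.99 stands in for an access
# point someone plugged in under a desk: it answers SNMP, but only with the
# vendor default community, so our managed credentials are rejected.
SIMULATED_SNMP = {
    "10.0.0.1": ("s3cret", {"routes": ["10.0.0.2"],
                            "arp": ["10.0.0.2", "10.0.1.1", "10.0.1.50"],
                            "fdb": []}),
    "10.0.0.2": ("s3cret", {"routes": ["10.0.0.1"],
                            "arp": ["10.0.0.1", "10.0.2.1"],
                            "fdb": []}),
    "10.0.1.1": ("s3cret", {"routes": [],
                            "arp": ["10.0.0.1"],
                            "fdb": ["10.0.1.50", "10.0.1.99"]}),
    "10.0.2.1": ("s3cret", {"routes": ["10.0.0.2"],
                            "arp": ["10.0.0.2"],
                            "fdb": []}),
    "10.0.1.99": ("public", {"routes": [], "arp": [], "fdb": []}),
}


class AuthError(Exception):
    """The device answered SNMP but rejected the credentials we manage."""


def query_neighbor_tables(ip, community):
    """Stand-in for an SNMP walk of the routing, ARP/ND and forwarding tables.

    Returns the tables, None if the host runs no agent (an endpoint), or
    raises AuthError if the host has an agent but our credentials fail.
    """
    entry = SIMULATED_SNMP.get(ip)
    if entry is None:
        return None
    expected_community, tables = entry
    if community != expected_community:
        raise AuthError(ip)
    return tables


def discover(seeds, community, query=query_neighbor_tables):
    """Breadth-first discovery from seed routers.

    Only devices whose tables we can read are expanded further, so the walk
    stays on network gear and never crawls through endpoints. No address
    sweep is involved, which is why the same walk works for IPv6.
    """
    found = {"network": set(), "endpoint": set(), "rogue_candidate": set()}
    queue = deque(seeds)
    seen = set(seeds)
    while queue:
        ip = queue.popleft()
        try:
            tables = query(ip, community)
        except AuthError:
            # Answers SNMP but rejects our credentials: flag for a human check.
            found["rogue_candidate"].add(ip)
            continue
        if tables is None:
            found["endpoint"].add(ip)
            continue
        found["network"].add(ip)
        for neighbor in tables["routes"] + tables["arp"] + tables["fdb"]:
            if neighbor not in seen:
                seen.add(neighbor)
                queue.append(neighbor)
    return found


def diff_inventory(previous, current):
    """Compare two discovery runs. 'left' is only a candidate list: a device
    that was merely unreachable this week lands here too, so confirm a
    removal by another means before deleting its record."""
    return {"joined": sorted(current - previous),
            "left": sorted(previous - current)}


if __name__ == "__main__":
    this_week = discover(["10.0.0.1"], community="s3cret")
    last_week = {"10.0.0.1", "10.0.0.2", "10.0.9.9"}  # constructed prior run
    print(this_week)
    print(diff_inventory(last_week, this_week["network"]))
```

To use this against a real network, replace `query_neighbor_tables` with a function that walks the routing, ARP/ND and bridge MIB tables over SNMP (or parses the equivalent CLI output) and raises `AuthError` on an authentication failure. Note that a seed whose credentials fail produces an empty inventory rather than an error, so check the seed result before trusting a run.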
Hardware and Software Inventory
The next network inventory step is to query each network device for its specific hardware and software information. Hardware information should include model numbers and revisions. Information about the modules in modular devices is useful for those times when a module contains a serious defect. A good example is the clock chip defect that resulted in the recall of products and modules produced by several vendors. The software inventory should likewise include the main operating system version and any microcode or firmware versions, where they exist.
Using Inventory Information
The value of inventory comes from using it to drive best practices that make networks more secure and easier to manage including:
- End of Life and End of Support – Identify hardware and software that are no longer supported by the vendor and schedule them for refresh/replacement. This requires a system that can query vendor EoL/EoS databases.
- Identify variations in deployments – Reduce variations in building-block network designs. Fewer variations simplify purchasing, configuration management, and troubleshooting.
- Improve network security – Identify security vulnerabilities in network device operating systems. Note that firewalls are not sufficient to protect against malware that manages to make it inside the network. The system needs to track vendor security announcements and the security vulnerabilities (CVEs) that open your network to attack, and match them against the OS versions actually deployed. Cyber-attacks range from denial of service attacks to data loss and ransomware. A security report should be produced at least weekly and used to drive improvements to network security.
- Identify rogue devices – Devices that are not authorized to be in the network, such as wireless routers and switches located under desks. The system should report potential network devices that are found but that reject the expected access credentials (SNMP and CLI).
- Manage operating systems and configurations – Reduce the number of operating system versions, which, in conjunction with standardized hardware configurations, is necessary to standardize software configurations.
For example, one customer had 400 Cisco devices. The inventory found that there were 70 different OS versions across the 400 devices, pointing to a lack of standardization. This frequently happens when the network grows over time and each device is installed with the OS version that was on the delivered hardware. Operating System inconsistencies can result in obscure problems that are difficult to diagnose.
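The report that turns the 400-devices, 70-versions observation into an action list is simple to produce once the inventory exists. The following is an added example (not the article's or Gluware's code) over a small constructed inventory: it counts version sprawl, picks the most common OS version per hardware model as the candidate standard and lists the devices that deviate from it, and checks installed modules against a defect list. The hostnames, model names, version strings and module identifiers are all invented.

```python
from collections import Counter

# Constructed inventory records (not from the article), the kind of data the
# per-device hardware/software query produces. Hostnames, models, versions
# and module identifiers are illustrative, not any vendor's MIB or CLI output.
INVENTORY = [
    {"host": "core-1", "model": "ModelA", "os": "15.2(4)", "modules": ["SUP-2", "LC-10G"]},
    {"host": "core-2", "model": "ModelA", "os": "15.2(4)", "modules": ["SUP-2", "LC-10G-v2"]},
    {"host": "dist-1", "model": "ModelA", "os": "15.1(2)", "modules": ["SUP-2"]},
    {"host": "acc-1", "model": "ModelB", "os": "12.2(55)", "modules": []},
    {"host": "acc-2", "model": "ModelB", "os": "12.2(58)", "modules": []},
    {"host": "acc-3", "model": "ModelB", "os": "12.2(55)", "modules": []},
]


def version_sprawl(inventory):
    """(device count, distinct OS version count): the headline figure, like
    '70 versions across 400 devices'."""
    return len(inventory), len({d["os"] for d in inventory})


def os_versions_by_model(inventory):
    """{model: Counter of OS versions}. Drift is judged per hardware platform,
    because different platforms legitimately run different software trains."""
    by_model = {}
    for d in inventory:
        by_model.setdefault(d["model"], Counter())[d["os"]] += 1
    return by_model


def standardization_report(inventory):
    """Per model: the most common version as the candidate standard (ties
    broken by version string so the answer is deterministic) and the hosts
    that deviate from it, i.e. the upgrade work list."""
    report = {}
    for model, counts in os_versions_by_model(inventory).items():
        standard = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[0][0]
        outliers = {d["host"]: d["os"]
                    for d in inventory if d["model"] == model and d["os"] != standard}
        report[model] = {"standard": standard, "outliers": outliers}
    return report


def hosts_with_modules(inventory, affected_modules):
    """Hosts carrying any module on a defect/recall list. The list is an input
    here; in practice it comes from the vendor notice. Matching is exact, so
    normalize part numbers before calling this on real data."""
    affected = set(affected_modules)
    return sorted(d["host"] for d in inventory if affected & set(d["modules"]))


if __name__ == "__main__":
    print(version_sprawl(INVENTORY))
    print(standardization_report(INVENTORY))
    print(hosts_with_modules(INVENTORY, ["LC-10G"]))
```

The "most common version" is only a starting point for the standard: the version the team actually chooses should be the one the vendor still supports and that has no open security advisories, which is where the EoL/EoS and vulnerability lookups above feed in.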
The Benefit of Gluware
Gluware Intent-Based automation software is able to perform a dynamic inventory of multi-vendor network hardware and software and then use that information to drive the fundamental best practices described above. Gluware also provides 3rd party API integration with network vendors (Cisco® currently) enabling the ability to perform an assessment of the inventory for SmartNet status, EoL/EoS and current PSIRTs (security advisories).
The next articles will cover important configuration management functions.
Interested in learning more?
- Video demonstration of the Gluware Device Manager in action
- Video demonstration using Gluware to perform 3rd party assessment
Try Gluware for yourself – Request a Test Drive