3 tips to keep federal networks simple and manageable
- By Jason Williams
- Oct 08, 2014
Most people are familiar with the acronym KISS, which is short for a design principle implying you should “keep it simple, stupid.” Other, less popular, translations of the acronym include “keep it short and simple” and “keep it simple and straightforward.”
However you say it, the principle remains the same. Avoid complexity whenever possible and keep designs to the simplest form allowable. Network architecture and software programs have a way of quickly spiraling out of control and often show the very antithesis of the KISS principle.
It’s easy to see why. Network managers become so caught up in the day-to-day operations of maintaining and securing their networks that they lose sight of subtle changes that could be made or solutions used to streamline operations, saving time and money. To that end, we’ve put together a list of three tips for IT managers and administrators to help them simplify the way they approach management of their federal networks.
1. Consider log management for security and compliance.
Records of events across the agency are already being written to syslog and event log files throughout the network. These files contain a wealth of information that can help limit exposure to intruders, malware, damage, loss and legal liabilities. For example, network managers can track access or changes to files and folders containing personnel records, protected information and other vital information. This log data needs to be collected, stored, analyzed and monitored to secure the network or to meet and report on regulatory compliance standards such as the Federal Information Security Management Act and the National Industrial Security Program Operating Manual.
Log management for security and compliance should be a key consideration of a sound network management strategy, as it simplifies the data collection process for regulations and standards.
2. Use SNMPv3 security.
The Simple Network Management Protocol (SNMP) exposes management data in the form of variables on managed systems that describe the system configuration.
These variables can be queried – and set – by management applications. Even though SNMP vulnerabilities have been identified, documented and closed by most manufacturers that use SNMP for configuring their devices, improper implementation and use of SNMP can result in potential security risks.
SNMPv1 and SNMPv2 used community strings to provide an elementary security model that enabled basic authentication, access control and proxy characteristics. Community strings were designed to be simple, but were open text and could be exposed by various mechanisms, such as packet sniffing. SNMPv2c also resolved some of the issues of SNMPv1 and v2 with better security using encryption and authentication. With the release of SNMPv3, even higher levels of authentication, encryption and access control are now available.
SNMPv3 architecture introduced a user-based security model (USM) for message security and the view-based access control model for access control.
USM uses the concept of a user, for which security levels and authentication and privacy protocols are configured at both the agent and the manager. Messages sent using USM are better protected than messages sent with community-based security, where passwords can be read because they are sent in the clear.
With USM, messages exchanged between the manager and the agent have data integrity checking and data origin authentication.
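As an added illustration (not part of the original article), the following sketch audits an SNMP agent configuration for the two weaknesses described above: v1/v2c community strings and USM users that lack authentication or privacy. It assumes Net-SNMP's snmpd.conf syntax, which the article does not name; the function name audit_snmpd_conf and the sample configuration are constructed for this example.

```python
import shlex

# Constructed sample in Net-SNMP snmpd.conf syntax (assumed agent; the
# article names no implementation). All names and passphrases are made up.
SAMPLE_CONF = """\
rocommunity public 10.0.0.0/8
rwcommunity example-rw 10.0.0.5
createUser monitor SHA "example-auth-pass" AES "example-priv-pass"
rouser monitor priv
createUser legacy MD5 "example-auth-pass"
rwuser legacy auth
rouser guest noauth
"""

COMMUNITY = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6", "com2sec"}

def audit_snmpd_conf(text):
    """Return (line_no, severity, message) tuples for weak SNMP settings."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)  # drops '#' comments, keeps quoted args
        if len(tok) < 2:
            continue
        name, args = tok[0], tok[1:]
        if name in COMMUNITY:
            sev = "high" if name.startswith("rw") else "medium"
            findings.append((no, sev, f"{name}: v1/v2c community string, sent in clear text"))
        elif name == "createUser":
            if args[0] == "-e":  # optional engine ID precedes the user name
                args = args[2:]
            # Remaining layout: user authProto authPass [privProto [privPass]]
            if len(args) < 2:
                findings.append((no, "high", "createUser: no authentication protocol"))
            elif len(args) < 4:
                findings.append((no, "medium", "createUser: no privacy (encryption) protocol"))
        elif name in ("rouser", "rwuser"):
            if args[0] == "-s":  # optional security model precedes the user name
                args = args[2:]
            if not args:
                continue
            level = args[1] if len(args) > 1 else "auth"  # default level is auth
            if level == "noauth":
                findings.append((no, "high", f"{name} {args[0]}: noAuthNoPriv, messages unauthenticated"))
            elif level == "auth":
                findings.append((no, "medium", f"{name} {args[0]}: authNoPriv, payload not encrypted"))
    return findings

if __name__ == "__main__":
    for no, sev, msg in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {no}: [{sev}] {msg}")
```

Only the user created with both an authentication and a privacy protocol, and granted access at the priv level, passes without a finding.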
3. Incorporate role-based management.
Role-based management solutions use Active Directory groups and LDAP to speed configuration and provide access to management tools, information and consoles based upon users’ roles and responsibilities. Use roles that can be clearly defined by organizational function for user access to configuration, reporting, discovery, monitors, policies and dashboards, as well as management and monitoring of services, servers, applications and devices.
Securing the network is an ongoing battle for network managers overseeing government networks. Maintaining the highest possible security requires constant vigilance to ensure data and network integrity. Network managers are provided guidance through the Network Infrastructure Security Technical Implementation Guide (STIG) Version 7R1 for implementing network security on both classified and unclassified networks.
While agency network managers are paying attention to configuring and maintaining access control lists and other security mechanisms on routers/switches, IDS/IPS and firewalls, it’s easy to forget about aspects of network security that can simplify operations and make the network more manageable and efficient.