White Paper. Ensuring Network Compliance with NetMRI. An Opportunity to Optimize the Network. Netcordia

Transcription

1 White Paper Ensuring Network Compliance with NetMRI An Opportunity to Optimize the Network Netcordia

2 Copyright Copyright 2006 Netcordia, Inc. All Rights Reserved. Restricted Rights Legend This document may not, in whole or in part, be photocopied, reproduced, translated, or reduced to any electronic medium or machine readable form without prior consent, in writing, from Netcordia, Inc. Information in this document is subject to change without notice and does not represent a commitment on the part of Netcordia, Inc. Trademarks Netcordia and NetMRI are registered trademarks of Netcordia, Inc. All other company and product names are trademarks of their respective owners. Netcordia, Inc Solomons Island Road, Suite 302 Annapolis, MD Phone: Fax: Netcordia Compliance White Paper i

3 Contents Executive Summary...1 The Impact of Compliance on the Network...2 Sarbanes-Oxley...2 HIPAA & GLBA CFR...2 PCI Data Security Standard...2 Leveraging Best Practices for Compliance...3 Creating a Policy is the First Step...3 Ensuring Configurations Remain Compliant...4 Automation is Essential...5 The Importance of Auditing and Discovery...6 NetMRI Helps Leverage the Benefits of Compliance...7 Summary...9 Netcordia Compliance White Paper ii

4 Executive Summary As the number and type of regulations such as Sarbanes-Oxley, HIPAA, and Basel II continue to multiply and change, organizations are struggling to understand how to comply with the relevant mandates for their industry and geographic territories. With the cost of non-compliance ranging from hefty financial penalties to jail sentences, the topic is top of mind in the boardroom which makes it a critical item on the IT management agenda as well. The network, and in particular network security, is a key area of IT compliance for many regulations since it s used to transport and access electronic information assets, including company and customer confidential data. Critical to preventing unauthorized access are the network device configurations, where one rogue change can provide complete network access to an intruder. Therefore, to ensure compliance and the security of the network, these configurations must be maintained in strict adherence to corporate-defined policies reflecting specific compliance requirements. For large networks, the ability to automatically audit network configurations on a regular or daily basis across the entire corporate network is crucial to ensuring configurations remain correct. Despite the financial penalties of non-compliance with federal and state mandates, there is another good reason to implement compliance measures the associated benefit of optimizing the network. By implementing and regularly checking configurations to ensure compliance with corporate policy, the stability, integrity, and performance of the network can be enhanced. Errors are detected before major problems occur or before the network is compromised. NetMRI, a network analysis appliance from Netcordia, supports continuous auditing of network device configurations against established company standards and processes. It helps companies comply with mandates by vigilantly ensuring that network policies and procedures are followed. Network device configurations are automatically audited every day and network managers are notified about devices that do not meet policy requirements. This white paper focuses on the impact of legislation on network operations, the requirements for network compliance, the parallel optimization benefits companies may experience from the compliance process, and how NetMRI from Netcordia helps companies manage and enforce network compliance with both best practices and official mandates. Netcordia Compliance White Paper 1

5 The Impact of Compliance on the Network Most legislation that impacts the network is focused on corporate accountability, protection of consumer privacy, and the proper procedures to ensure compliance. From an IT perspective, controls and processes need to be put into place, then monitored and enforced to ensure a company complies with applicable mandates. However, it may not be immediately clear the critical role the network plays in compliance with these regulations. Consider, however, that the network is the infrastructure through which all the information assets within the company are transported. Should a router on the network be compromised, sensitive corporate data could be exposed, creating both a security and a compliance breach. If the network is not secured, it could negate all the other data and system protection mechanisms used within IT to ensure compliance, because it offers a way to bypass some of the server-level security controls by hijacking data as it travels across the network. The following are samples of the types of legislation where network security plays an essential role. Sarbanes-Oxley In the wake of Enron and other public company scandals, the Sarbanes-Oxley Act (SOX) was passed to help prevent fraud, misuse, and unauthorized access to any financial information on which public companies base published financial reports. SOX is particularly critical to corporate executives, who must certify that their company s financial systems are secure. Section 404 of SOX contains guidelines about establishing and maintaining an adequate internal control structure and procedures for financial reporting and assessing the effectiveness of procedures. The network must be configured to ensure the protection of the financial data against unauthorized access. HIPAA & GLBA The Health Insurance Portability and Accountability Act (HIPAA) requires that all health care organizations adopt medical information security, privacy, and data standards for patient information. Even companies with records containing employee health care information fall under the purview of the HIPAA regulations. Similar to HIPAA, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to safeguard clients private information. Enforcing the proper network security configuration to prevent accidental or malicious reconfiguration is critical for compliance. 21 CFR Part 11 in Title 21 of the Code of Federal Regulations (21 CFR) includes guidelines primarily for the pharmaceutical industry for storing and protecting electronic records and applying electronic signatures. The intent of these guidelines is to ensure that electronic records subject to these guidelines are reliable, authentic and maintained with high integrity. This means the network infrastructure must be configured to ensure data protection. PCI Data Security Standard The Payment Card Industry (PCI) Data Security Standard is intended to protect cardholders credit card account and transaction information. American Express, Diners Club, Discover Card, JCB, MasterCard International, and Visa U.S.A. all issued a requirement for merchants and service providers to comply with the PCI standard as well as pass quarterly and annual audits to help ensure compliance. The purpose of PCI is to protect cardholder information, reduce debit and credit card fraud, Netcordia Compliance White Paper 2

6 and identify security issues that could lead to the compromise of cardholder information by imposing strict security standards on how cardholder data is handled and stored. Network security is specifically addressed in the standard. So from a network operations perspective, complying with the majority of the above regulations means ensuring that network security, access controls, and change management procedures are employed throughout the network. Leveraging Best Practices for Compliance Compliance with mandates requires the network infrastructure to be tightly configured and controlled to protect your network from unauthorized access and to protect information in transit between computers. This is certainly something organizations should be doing anyway. That s the lesson that many companies are learning the hard way. Despite the recent hype and hand-wringing, compliance is actually not a new topic for the IT world. There were industry best practices and corporate policies long before the current legislation became law. The IT Infrastructure Library (ITIL ), the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, and best practices from major vendors date back more than a decade. Ensuring network compliance with these best practices and ensuing policies was and is how companies with large networks optimize performance, reliability, and security. For example: A Netcordia client, a major power tools manufacturer, has been extensively leveraging best practices since day one, so while its network policies and rules aren t Sarbanes-Oxley-specific, they do enable the company to comply with the regulation. The group has passed its audits with flying colors because it already had the policies in place that formed the basis for compliance. Another Netcordia client, a senior consultant with Chesapeake NetCraftsmen who provides services to a major federal organization, also makes extensive use of best practices. He implements best practices published by vendors, the National Security Agency s configuration guides, and guidelines from the Center for Internet Security in order to ensure that the network passes muster during audits a common occurrence. Implemented in the form of corporate network policies, industry best practices cover such areas as: the set of addresses in use, device naming, event logging, routing protocol configuration, and access list definitions. While not explicitly identified in regulations, these areas are critical to compliance. Creating a Policy is the First Step Ensuring compliance starts with a corporate policy that reflects the necessary requirements for supporting a company s internal policies and applicable external regulations. If an organization hasn t already done so, creating a written policy document is the best way to codify these requirements, which serves the dual purpose of documenting the policy for audit purposes as well as communicating the policy to the network staff. With a policy in place, the network staff uses the policy requirements to create a set of configuration templates, with one template for each device type and function. These templates are then used to create per-device configuration files, which are installed in the networking equipment as it is deployed (or in existing equipment if a massive configuration change is performed.) Netcordia Compliance White Paper 3

7 Figure 1. Policy example and interface In addition, corporate policies might dictate that telecommuters not have local connections to the Internet through which virus attacks could propagate into the corporate network. Policies can affect how Voice over IP (VoIP) is handled, or whether routing protocols use authentication, as well as the contents of access lists used for a variety of purposes. The difference, however, between best practices and compliance with external mandates, is that companies now have to prove they have these processes and protections in place. Until now, many organizations have lacked the ability to enforce and control the policies established for the network. The result is a significant need to verify that policies are properly implemented across the network. The violation of a single key policy could compromise the entire network and potentially the business it supports. Ensuring Configurations Remain Compliant The issue from a compliance perspective now becomes how do we ensure that the configurations were correctly deployed and stay that way? Sometimes network engineers cannot resist the temptation to turn on the latest features, even if the templates don t include these capabilities. Other times, a simple error can be made that would make the network vulnerable to unauthorized access and thus non-compliant. Auditing device configurations to verify that the correct configuration was installed and is operating correctly has typically been a manual process. Even with automated collection of configurations, the process of validating the contents of the configurations was manual as well. But what about large networks with hundreds or thousands of devices? An automated process is the only feasible way to constantly monitor configurations to ensure compliance with corporate policies. Netcordia Compliance White Paper 4

8 A similar problem arises when policy requirements change, causing the templates, and the resulting configurations, to change. The new configurations must be deployed to the affected network equipment and the proper operation of the deployed configurations verified. This again can be error-prone in large networks without automated determination of the effected devices. There s also configuration entropy, where valid configuration changes occurring over time create differences from the templates, and therefore differ from the policies. Manual verification of configurations for hundreds or thousands of network devices is simply not feasible. Automation is Essential Organizations need a tool that automatically checks configurations on a regular basis, to ensure that devices always have the right configuration. NetMRI, the network analysis appliance from Netcordia, audits the network and can validate the network configurations for policy compliance. It is a packaged computer system with integrated software so that it can be quickly installed (typically in less than 30 minutes) and operates with virtually no maintenance required by the networking staff, which improves productivity. Figure 2. NetMRI on the network A global enterprise software provider with a large, far-flung network recognized the need to verify network configurations in order to comply with regulations. The company purchased NetMRI to specifically handle automatic verification. This company uses NetMRI to create policies and ensure configurations comply with them. While the company was already prepared for compliance based upon use of best practices, it needed a way to prove that the network was in compliance. Now, change management control and compliance are handled in one tool, making compliance a straightforward and verifiable process. Part of SOX compliance is being able to track who made a network change, when the change occurred, and details of what took place. Smoothly operating network teams incorporate a change review step in their configuration workflow process. However, the change review is typically a manual process. Netcordia Compliance White Paper 5

9 A better solution is to use the same automated system that verifies the deployed configurations as a tool to check the new configuration prior to deploying it. Of course, any changes to the network configurations should cause the changed configuration to be recorded in a way that allows quick identification of the changes as well as who made the change and when the change was made. The Importance of Auditing and Discovery It s impossible to validate the compliance of equipment and subsystems whose existence isn t known companies with large networks can easily overlook a switch, hub, or router. That s why regular, automated auditing is key to any compliance initiative. A good audit tool such as NetMRI will report all the devices connected to the network as well as their relationships. The relationships between network devices are important because they define subsystems that must operate correctly in order to provide connectivity that s required for business applications to communicate successfully. Rogue devices, such as wireless access points and unauthorized routers or switches, should be identified and removed from the network. The configuration of security on network equipment should also be considered during the audit. Is access to the routers, switches, and other infrastructure equipment properly protected? Does the routing protocol use authentication to prevent the injection of unauthorized routes into the network? This is where compliance with accepted best practices and corporate network policies is important. The audit s discovery mechanism should be efficient and should not impose a significant load on the network. Manual methods have often been used in the past to identify what is on a network, check the operational relationships between devices, and identify the malfunctions. These methods don t work in large scale networks because there s simply not enough time for the network staff to manually collect all the necessary data, analyze it, and produce a useful report. Automated methods often use ping sweeps to scan the network, but that process can generate a significant network load. Therefore, more efficient methods such as those employed by NetMRI should be used for auditing. NetMRI auditing starts with automatic discovery and classification of the devices on the network. SNMP and command line interfaces are used to collect operational and configuration data from the network infrastructure devices. The automated methods used are fast and efficient. The operational data is analyzed and reported up to four times per day, providing pro-active reports on whether the network s subsystems are properly configured and are stable. Relationships between network devices are also analyzed. Malfunctions and exceptions to best practices are reported via Web browser, , or alerts sent to logging systems. Senior network engineers using NetMRI consistently report that it provides them visibility and reports that they cannot easily obtain with other tools. Netcordia Compliance White Paper 6

10 Figure 3. NetMRI audit report Policy compliance is verified by installing key sections of the network s configuration templates into NetMRI. The Configuration Policy Analysis function of NetMRI checks the template sections against the configurations that NetMRI retrieves from the network. Exceptions to the policies are reported in conjunction with the audit results and analysis. Finally, the configurations of all network infrastructure equipment should be archived. The current compliance environment suggests that the configurations should be retained for several years. The reasoning is that an investigation of unauthorized activity within an organization may need to examine the configurations in place at the time the alleged infraction occurs potentially several years may have passed. NetMRI Helps Leverage the Benefits of Compliance While compliance can be a burden, many organizations are finding value in the process as enforcement of best practices delivers additional performance and reliability gains for the network. Daily configuration checks identify devices with non-compliant configurations, so that many undiscovered problems can be rectified before they impact performance, availability, or security. Business continuity is ensured as network redundancy configurations are checked for accuracy. Efficiency gains are another benefit as network engineers leverage automation to ensure policy compliance across large networks rather than relying on manual spot checking. "Organizations need a tool that goes along behind network engineers and checks that everything is correct. NetMRI is like having many, many knowledgeable eyeballs inspecting configurations and then letting you know on a daily basis what s out of kilter. Marty Adkins, Senior Consultant, Chesapeake NetCraftsmen Netcordia Compliance White Paper 7

11 While NetMRI is invaluable as a compliance tool, it also provides what network engineers need to assess and improve the health of the network, preventing major problems down the road and optimizing performance. With NetMRI, difficult to find problems, intermittent outages and unpredictable operational errors are brought to light quickly, saving considerable troubleshooting resources and maximizing network reliability and response time. Unlike traditional systems management tools which generate alerts and error messages when something happens, NetMRI is a proactive network analysis tool that methodically evaluates the entire network on a daily basis to detect potential issues before they become more serious in nature. The NetMRI correlation engine analyzes data and focuses in on the real issues affecting the network, presenting the results as a scorecard with a prioritized, actionable list of tasks. Netcordia Compliance White Paper 8

12 Summary There s no doubt that networks are critical business components and with the advent of regulations, network audit and compliance are now critical functions of the network group. Organizations leveraging best practices can enforce their policies and prove compliance using NetMRI, a sophisticated, automated tool to verify configurations, detect unauthorized devices, and monitor and report on changes to the network. NetMRI from Netcordia is the ideal solution for auditing and ensuring compliance of network configurations with corporate policy and official mandates. In addition to the Configuration Policy Analysis and Network Auditing features essential for compliance, NetMRI also provides network engineers with the analysis and steps required to optimize the performance of the network and applications running on it. Leveraging NetMRI, network engineers can improve the performance, reliability, and availability of the network at the same time they are ensuring compliance. For more information about how NetMRI can help your organization address network compliance, visit or call Netcordia Compliance White Paper 9