In a guest article, Christian Köckert, Technical Lead Pre-Sales at NetBrain, describes how greater network infrastructure automation can help meet legal requirements and increase the security of critical infrastructures.
Security of supply in modern society is unthinkable without smoothly functioning IT systems and components. For example, disruptions in the energy, food, water, transport and health sectors can sometimes have life-threatening consequences for parts of society. This makes it clear that both private and public life depends on the functioning of critical infrastructures. How vulnerable these infrastructures are in our modern society has been shown in the case of terrorist attacks and wars and, for example, in the recent natural disaster in the Ahr Valley.
Critical infrastructures: KRITIS
In Germany, organizations and institutions in energy supply, information technology and telecommunications, transport and traffic, health, water, nutrition, finance and insurance, state and administration, and media and culture are counted among the critical infrastructures. The legal basis for protecting these sectors that are particularly worthy of protection is the Ordinance on the Determination of Critical Infrastructures (BSI-KritisV), which came into force on May 3, 2016.
The KRITIS Ordinance obliges operators of critical infrastructures to adequately secure the IT required to provide their essential services according to the state of the art and – unless other detailed regulations exist – to have these security measures checked at least every two years.
Meet regulatory requirements more efficiently with network automation
In particular, companies that belong to one of the KRITIS sectors must take appropriate measures to ensure adequate protection of the information technology of critical infrastructures – as required by law. In addition, proof of this must also be provided. However, many organizations still find it challenging to implement the specifications needed for IT security. Automated network management can help here.
For many companies, it is already a problem to determine whether their network is adequately protected and whether legal standards are being complied with. But only if those responsible know their network and all its weak points exactly can they secure it accordingly.
In addition, although many companies comply with the legal requirements, they sometimes find it difficult to prove this both internally and in the case of official audits. This condition is mainly due to outdated network infrastructure documentation, as automated solutions are often lacking. As a result, there is also a lack of understanding and insight into the network and security infrastructure. But to ensure the success of compliance audits and to stand up to regulatory scrutiny, it’s time to introduce new solutions, procedures and controls.
Complete overview of the network
To eliminate weak points in their infrastructure, those responsible for security must first obtain an up-to-date and complete overview of the network. However, manual documentation of the existing network infrastructure is a time-consuming and costly process that only provides limited configuration data. In most companies, the network plans are therefore never up to date.
However, if IT managers lack an up-to-date and detailed view of their network, they cannot react quickly enough in the event of a problem to prevent something worse from happening. This condition can therefore pose a significant security risk. On the other hand, a network automation solution makes it possible to get a comprehensive, just-in-time overview of the entire network infrastructure at any time – even in multi-vendor and hybrid environments (physical/virtual/software-defined). In this way, hundreds of hardware models and network components such as routers, switches, firewalls, load balancers, wireless access points, etc., can be analyzed and visualized, for example to validate the paths of data transmission and to assess the security situation along the critical routes of the applications.
Comprehensive information display for the network
When information about the network infrastructure is scattered across different tools, getting a complete overview is even more challenging. Likewise, when different tools are in use, documenting the detection of problems, attacks or security breaches in the network and reacting to them immediately becomes a challenge.
Network automation solutions like NetBrain provide a RESTful API framework that integrates other network management solutions like monitoring, security, ticketing and logging systems. The information from the various integrated tools is brought to a common denominator regardless of data source, quantity or format. It can be visualized in a central location in a dynamic network map and used for company-wide analyses.
Comprehensive documentation at the push of a button
Comprehensive documentation is one of the most critical steps in compliance with legal requirements. Network documentation includes the network’s topology, the underlying policies such as firewall rules, access lists, policy-based routing, and abstraction layers in software-defined networks. However, with increasing complexity due to server and network virtualization, this task can no longer be managed manually.
Network automation solutions typically have profound network discovery and dynamic mapping capabilities. This allows the network topology and the underlying network design to be analyzed, all components in the network to be visualized, and a needs-based network plan to be created. In this network plan, IT managers can display any network component with its neighbours and display individual data traffic. The detailed network plans, status reports and analyses of the network design can be created automatically and updated at the push of a button. This means that those responsible no longer have to create documentation and diagrams manually; they are available on demand at any time in the required level of detail.
Proactive protection through automation: compliance checks & change management
To uncover potential security vulnerabilities, IT teams must analyze every configuration on the network. This is usually done manually via the CLI or with custom scripts. However, checking the configurations manually is very tedious. And custom scripts only marginally speed up the process, as they require constant customization and non-trivial scripting skills. Modern network automation, on the other hand, can check each network configuration against a set of predefined compliance rules:
· Are the device passwords encrypted?
· Are the permissions set correctly?
· Are timeouts configured?
· Are the manufacturer’s default settings still used?
If a device is not compliant, the software reports this.
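As an added illustration of the rule-based check described above (example code written for this article, not NetBrain's product code): a small Python checker that evaluates a constructed IOS-style configuration against the four questions in the list. The concrete heuristics behind each rule (`service password-encryption`, an `access-class` on the vty lines, a non-zero `exec-timeout`, and the default SNMP communities) are assumptions about what each rule means in practice, not requirements stated by the article.

```python
import re

# Constructed IOS-style configurations for illustration (not from any real device).
NONCOMPLIANT_CONFIG = """\
enable password cisco123
snmp-server community public RO
line vty 0 4
 exec-timeout 0 0
"""
COMPLIANT_CONFIG = """\
service password-encryption
enable secret 5 $1$placeholder$hash
snmp-server community Kr1t1s-r0-c0mm RO
line vty 0 4
 access-class MGMT-ONLY in
 exec-timeout 10 0
"""

def parse(config):
    # Group IOS-style text into {top-level line: [indented child lines]}.
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current:
            sections[current].append(raw.strip())
        elif raw.strip() and raw.strip() != "!":
            current = raw.strip()
            sections[current] = []
    return sections

def check_compliance(config):
    # Evaluate the four rules from the article; an empty list means the device is compliant.
    sections, findings = parse(config), []
    # Rule 1: are device passwords encrypted? (assumed heuristic: encryption service + enable secret)
    if "service password-encryption" not in sections:
        findings.append("passwords: 'service password-encryption' not enabled")
    if any(s.startswith("enable password") for s in sections):
        findings.append("passwords: plaintext 'enable password' used instead of 'enable secret'")
    for line, children in sections.items():
        if line.startswith("line vty"):
            # Rule 2: are permissions set correctly? (assumed: management access limited by an ACL)
            if not any(c.startswith("access-class") for c in children):
                findings.append(f"permissions: {line} has no access-class restricting management sources")
            # Rule 3: are timeouts configured? ('exec-timeout 0 0' disables the idle timeout)
            t = [c.split()[1:] for c in children if c.startswith("exec-timeout")]
            if not t or all(v == "0" for v in t[0]):
                findings.append(f"timeouts: {line} has no idle exec-timeout")
        # Rule 4: are the manufacturer's default settings still used? (default SNMP communities)
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in {"public", "private"}:
            findings.append(f"defaults: default SNMP community '{m.group(1)}' still in use")
    return findings
```

Running `check_compliance` over a device's saved configuration yields one finding per violated rule, which is the report a compliance tool would raise for that device.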
Closing security gaps is often a manual and, therefore, prolonged process. Network automation can also help here by quickly and reliably automating critical processes for security. With an additional change management module, the necessary changes are implemented in an ITIL-compliant manner.
Disturbances in network operation can never be ruled out per se. Therefore, it is essential, especially in the area of critical infrastructures, to detect errors in the network as quickly as possible and to eliminate the cause of the problem. Intent-based automation (IBA) makes an essential contribution to accelerating this process. The functionality of the network is defined by tasks and intentions, for example, the delay-free transmission of IP telephony. IBA is used to proactively validate that the network is performing its duties. In addition, this approach detects disruptions before they impact the business. If an error is detected, a root cause analysis is initiated immediately.
For the operators of critical infrastructures, it is still a significant challenge to meet the regulatory requirements in terms of IT security. Many processes in the network area are still carried out manually in many places, which requires a large number of personnel on the part of IT teams and drives up network operations costs. Modern network automation solutions offer a way out here: with their help, the network documentation can be created with just a few clicks, and security gaps in the company network can be countered proactively. The early identification of network errors and their immediate elimination with the help of intent-based automation are also indispensable for KRITIS companies to deal with disruptions in good time and thus to take account of the requirements of the legislator. Therefore, network automation solutions contribute to the protection and trouble-free operation of critical infrastructures.