Network configuration auditing is more important than ever

To get an intuitive sense of how much enterprise networks have changed over the past few years, an operator only needs to open the network traffic monitoring tools and look at how dramatically data flows have shifted across the LAN, WAN, and network edge. A large share of that shift is the result of remote work over the past 18 months; the rest comes from planned migrations to cloud and edge computing. Adapting the network to these changes has made network configuration audits more important than they used to be.

In many cases, operators have correctly adjusted switching, routing, and firewall configurations to match the way users and devices now communicate. But while new configuration is added, the old and obsolete commands it replaces tend to linger for a long time. Much of this leftover configuration is dormant and harmless from a performance or security standpoint, yet it creates confusion and frequently leads the next administrator to the wrong action. That is why a thorough network configuration audit is now more important than ever: it removes obsolete configuration so that the network can be understood and trusted by everyone in network operations and management. The following are common examples of outdated configuration, grouped by device type, that can serve as a starting point for the audit.


Switches

Virtual LANs (VLANs) that have been merged or are no longer needed often remain in switch configurations long after their last access port or switch virtual interface (SVI) is gone. This is especially common in data centers that are shrinking as applications, data, and digital services move to cloud platforms. Manually configured lists of VLANs allowed on trunk uplinks should be reviewed at the same time and pruned of VLANs that no longer exist, so that a stale trunk entry cannot silently carry a VLAN that is later recreated for a different purpose.

Routers

Although most networks rely on dynamic routing protocols to maintain the best paths automatically, it is not unusual to find static routes configured on one or more routers or Layer 3 switches. Over time the destinations those routes point to change or move, and the static routes are forgotten. The problem surfaces when an IP subnet named in a forgotten static route is reused elsewhere in the corporate LAN or WAN: the stale route still steers traffic for that subnet toward the old next hop, so parts of the network cannot reach the newly created subnet. Similarly, access lists and policies are often configured on routers to restrict who can reach devices on a specific subnet. Even after the subnet or its SVI is deleted, the access list it was applied to may remain in the configuration. This clutters router configurations and can confuse the administrators who maintain them.

Firewalls

Firewall configurations are generally watched and maintained more closely than switch and router configurations. Even so, some administrators prefer to disable firewall rules and interfaces rather than delete them outright. The practice is understandable, since re-enabling a disabled rule takes only a few clicks, but a disabled rule can linger for weeks, months, or even years. The risk is that an administrator later re-enables a rule without knowing why it was disabled, reopening access that was deliberately closed and creating unnecessary threat exposure. Disabled rules should therefore be given a review date, and any rule still disabled past that date should be deleted through the normal change process.
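The three checks above (orphaned VLANs and trunk entries, stale static routes and unapplied access lists, and long-disabled firewall rules) can be scripted against a saved configuration rather than hunted by eye. The script below is an added example written for this page, not code from the original article or from any vendor: it parses a constructed IOS-style config and a constructed firewall rule export (the `name`/`disabled`/`modified` fields are an assumed export format, not any product's schema) and emits each finding with the reason it is flagged, which is exactly the material the change-control record needs.

```python
"""Added example: audit a switch/router config and a firewall rule export for
leftover configuration. All sample data below is constructed, not from a real device."""
import ipaddress
import re
from datetime import date

# Constructed IOS-style config for a hypothetical access/distribution switch.
SAMPLE_CONFIG = """\
vlan 10
 name USERS
vlan 20
 name LEGACY_DC
vlan 30
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport voice vlan 30
interface GigabitEthernet1/0/48
 switchport trunk allowed vlan 10,20,30,40-41
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group ACL_USERS in
ip route 10.20.20.0 255.255.255.0 10.0.0.2
ip route 10.10.10.0 255.255.255.0 10.0.0.2
ip access-list extended ACL_USERS
 permit ip any any
ip access-list extended ACL_OLD_DC
 permit ip any any
"""

# Constructed firewall rule export (assumed fields, not a vendor schema).
SAMPLE_FW_RULES = [
    {"name": "allow-vpn-to-dc", "disabled": False, "modified": "2021-06-01"},
    {"name": "allow-legacy-ftp", "disabled": True, "modified": "2019-03-10"},
    {"name": "allow-temp-vendor", "disabled": True, "modified": "2021-08-20"},
]


def expand_vlan_list(spec):
    """'10,20,40-41' -> {10, 20, 40, 41}."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_config(text):
    """Collect the objects the audit needs; indented lines belong to the last top-level line."""
    d = {"vlans": set(), "used_vlans": set(), "trunk_vlans": set(),
         "connected": {}, "statics": [], "acls": set(), "applied_acls": set()}
    ctx = ""
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            ctx = line.strip()
            if m := re.match(r"vlan (\d+)$", ctx):
                d["vlans"].add(int(m[1]))
            elif m := re.match(r"interface Vlan(\d+)$", ctx):
                d["used_vlans"].add(int(m[1]))  # an SVI counts as a use of the VLAN
            elif m := re.match(r"ip route (\S+) (\S+) \S+", ctx):
                d["statics"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
            elif m := re.match(r"ip access-list \w+ (\S+)", ctx):
                d["acls"].add(m[1])
            continue
        sub = line.strip()
        if not ctx.startswith("interface "):
            continue
        if m := re.match(r"switchport (?:access|voice) vlan (\d+)", sub):
            d["used_vlans"].add(int(m[1]))
        elif m := re.match(r"switchport trunk allowed vlan (\S+)", sub):
            d["trunk_vlans"] |= expand_vlan_list(m[1])
        elif m := re.match(r"ip address (\S+) (\S+)", sub):
            d["connected"][ctx] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"ip access-group (\S+)", sub):
            d["applied_acls"].add(m[1])
    return d


def audit_config(text):
    """Return (kind, object, reason) tuples for every candidate deletion."""
    d, findings = parse_config(text), []
    for v in sorted(d["vlans"] - d["used_vlans"]):
        findings.append(("orphan_vlan", v, "defined but no access/voice port or SVI uses it"))
    for v in sorted(d["trunk_vlans"] - d["vlans"]):
        findings.append(("trunk_prune", v, "allowed on a trunk but not defined on this switch"))
    for route in d["statics"]:
        for ifname, net in d["connected"].items():
            if route.overlaps(net):  # stale static route shadowing a reused subnet
                findings.append(("static_overlap", str(route), f"overlaps connected {net} on {ifname}"))
    for acl in sorted(d["acls"] - d["applied_acls"]):
        findings.append(("unused_acl", acl, "defined but not applied to any interface"))
    return findings


def stale_disabled_rules(rules, today_iso, max_age_days=90):
    """Names of rules that have sat disabled for more than max_age_days."""
    today = date.fromisoformat(today_iso)
    return [r["name"] for r in rules
            if r["disabled"] and (today - date.fromisoformat(r["modified"])).days > max_age_days]


if __name__ == "__main__":
    for kind, obj, why in audit_config(SAMPLE_CONFIG):
        print(f"{kind:15} {str(obj):15} {why}")
    print("stale disabled rules:", stale_disabled_rules(SAMPLE_FW_RULES, "2021-09-15"))
```

The static-route check deliberately flags overlap with connected subnets only; a route whose destination simply no longer exists anywhere cannot be recognised from a single device's config and needs the routing table or a second device's config for comparison. Treat every finding as a candidate for the change-control record, not as an automatic deletion.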

The way enterprise networks are used today differs dramatically from just a few years ago, and most network devices are likely carrying configuration that is no longer needed. For anyone planning a network configuration audit, the key is a specific execution plan that is followed methodically. Alongside it, audit and change-control documentation must record which configuration items are marked for deletion and why. That record becomes the audit trail to consult if a configuration command that was still in use is deleted by mistake, and it is what makes the deletion reversible.
