The challenge of configuration drift in a network
Modern networks contain hundreds of thousands of devices and potentially millions of endpoints. This represents an enormous attack surface to defend. A key part of ensuring a network is not vulnerable to attack is to check that the configuration of each networking device (firewall, switch and router) is set up and maintained to match both network policy and functional intent. Unfortunately, ensuring that every device maintains a secure configuration at all times can be a major challenge due to configuration drift.
What is configuration drift?
Configuration drift occurs when a device's configuration falls out of compliance with network policy, whether through benign or malicious activity, so that the actual state of the network no longer matches the desired state. That gap is where exploitable vulnerabilities creep into the network, and it carries significant business risk if not monitored closely. Unlike software flaws, these misconfigurations are not fixed by patching: they persist through every patch and upgrade until a network engineer detects and corrects them. This is why configuration drift needs to be assessed and mitigated as part of daily cyber hygiene processes.
What causes configuration drift?
Configuration drift is caused by changes that are unplanned or undocumented. Most of this activity is not malicious in intent: it can result from software updates, from adding new devices to the network, or from routine administration. Inadvertent changes caused by human error are a common source; a mistyped or misordered firewall rule that conflicts with an existing one, leaving traffic permitted that the policy says should be blocked, is just one example.
“Human error creates the biggest threat. Technicians can inadvertently misconfigure devices, opening up holes. We need to go back and validate configs.” DISA
Establishing a baseline
Although preventing configuration drift completely may not be possible, there are actions you can take to minimise its impact and to identify misconfigurations so they can be rectified as quickly as possible. One of the most important of these actions is to establish a baseline of what the configuration should be: a saved copy of the approved configuration, or a hardening standard the configuration must satisfy. When devices are audited, they can then be checked against that baseline so that any misconfiguration or change is highlighted and can be remediated if necessary. Best practice is to audit the configuration of every networking device (firewall, switch and router) against this baseline every day, so that configuration drift is identified early and remediated.
The importance of configuration management is highlighted in security requirement catalogues such as NIST SP 800-171, whose Configuration Management family requires that changes to organizational systems be tracked, reviewed, approved or disapproved, and logged. Configuration management is a fundamental part of risk management for network devices.
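A minimal version of the daily baseline check described above, as an added example rather than Nipper's or Titania's own code: a saved baseline and the device's current running configuration are normalised (volatile lines such as the "Last configuration change" timestamp are dropped), hashed to detect whether anything changed at all, and then diffed line by line so each added or removed line becomes a finding. Both configurations are constructed Cisco IOS-style samples, and the severity table used to rank the findings is a hypothetical stand-in for a real risk rating, not Nipper's criticality score.

```python
"""Added example (not Titania/Nipper code): a minimal configuration-drift check.

A saved baseline and the current running config are normalised, hashed and
diffed. Every line added to or removed from the baseline is reported as
drift, ranked by a hypothetical severity table so the daily audit leads
with the changes that matter most. Both configs are constructed samples.
"""
import difflib
import hashlib
import re

# Constructed baseline: the approved configuration for a branch router.
BASELINE = """\
! Last configuration change at 09:12:44 UTC Mon Jan 8 2024
hostname branch-rtr-01
service password-encryption
no ip http server
ip access-list extended MGMT-IN
 permit tcp 10.0.100.0 0.0.0.255 any eq 22
 deny ip any any log
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
"""

# Constructed current config: someone enabled HTTP, opened the management
# ACL to any source, and re-enabled telnet on the VTY lines.
CURRENT = """\
! Last configuration change at 17:03:10 UTC Tue Jan 9 2024
hostname branch-rtr-01
service password-encryption
ip http server
ip access-list extended MGMT-IN
 permit tcp 10.0.100.0 0.0.0.255 any eq 22
 permit tcp any any eq 22
 deny ip any any log
line vty 0 4
 access-class MGMT-IN in
 transport input ssh telnet
"""

# Lines that legitimately differ between pulls and must not count as drift.
VOLATILE = re.compile(r"^! (Last configuration change|NVRAM config last updated)")

# Hypothetical severity rules (substring of a drifted line -> rating).
# A real deployment would use a proper risk rating instead of this table.
SEVERITY_RULES = [
    ("transport input", "high"),     # remote-access protocols on VTY lines
    ("permit tcp any any", "high"),  # management ACL opened to the world
    ("ip http server", "medium"),    # unneeded management service toggled
]
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def normalize(config: str) -> list[str]:
    """Drop blank and volatile lines and trailing whitespace so the diff
    shows only real configuration change."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not VOLATILE.match(ln)]


def fingerprint(config: str) -> str:
    """SHA-256 of the normalised config; equal hashes mean no drift, which
    lets a daily job skip the full diff for unchanged devices."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def rate(line: str) -> str:
    """Map a drifted line to a severity using the hypothetical rule table."""
    for needle, severity in SEVERITY_RULES:
        if needle in line:
            return severity
    return "low"


def detect_drift(baseline: str, current: str) -> list[dict]:
    """Return one finding per line added to or removed from the baseline,
    highest severity first."""
    findings = []
    for ln in difflib.ndiff(normalize(baseline), normalize(current)):
        tag, text = ln[:2], ln[2:]
        if tag == "- ":
            findings.append({"change": "removed", "line": text, "severity": rate(text)})
        elif tag == "+ ":
            findings.append({"change": "added", "line": text, "severity": rate(text)})
        # "  " is an unchanged line and "? " an intraline hint: neither is drift.
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])  # stable sort
    return findings


if __name__ == "__main__":
    if fingerprint(BASELINE) == fingerprint(CURRENT):
        print("no drift detected")
    for f in detect_drift(BASELINE, CURRENT):
        print(f"[{f['severity']:6}] {f['change']:7} {f['line']}")
```

Stripping volatile lines before hashing is what makes the check usable every day: without it the timestamp alone would flag every device as drifted on every pull. The hash comparison is cheap enough to run across an entire estate, with the line-level diff reserved for devices whose fingerprint no longer matches the approved baseline.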
Monitoring configuration drift with Nipper
When carrying out a Nipper audit, there is the option to produce a raw configuration report, as well as raw change tracking. The latter requires a previous Nipper report to use as a baseline. This report will highlight any changes detected between the device’s current raw configuration and a previously saved raw configuration report, allowing any configuration drift to be quickly identified and prioritised for remediation according to Nipper’s risk criticality score.
Discover how easy it is to run configuration reports against a device’s configuration baseline with Nipper.