For example, years ago, a new service request required a hole to be punched in a single firewall. But today’s multi-layer approach means that ACL and rule changes affect not only firewalls, but also the integrated routers and switches. When multiple vendors are thrown into the mix, the challenges multiply rapidly.
The complexity of today’s networks is a challenge, but it is also leading to a new dynamic in IT organisations: a blurring of the boundaries.
Blurring the boundaries
The roles of those responsible for protecting an organisation’s IT network infrastructure have, historically, been clearly defined, with security teams managing the firewalls and network teams managing the routers and switches. But as networks are becoming bigger, broader, and more complex, security teams and networking teams are collaborating, passing tasks from one team to the other.
Collaboration is a good thing. But the downside is that neither the security team nor the networking team on its own is likely to have the specialised knowledge or experience needed to carry out these “blended” tasks. Involving networking teams in changing rules and ACLs, for example, can take a considerable amount of time and carries a significant risk of error. That risk increases further when you consider that the networking team is highly unlikely to be familiar with the subtleties and nuances of the syntax used by each vendor.
Security teams, on the other hand, often set internal policies governing best practices that will impact the network team. Challenges and frustration can grow if the network team does not have the expertise or time to implement the actions required of it, and the security team might not be given the auditing information it needs to verify that these actions have been carried out correctly. In addition, due to a potential lack of knowledge, the networking team might be unable to deliver the proof points needed by the security team.
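As an added illustration of the auditing problem just described (this script is not part of the original article): it normalises a Cisco IOS extended ACL entry and an iptables rule into one vendor-neutral form, then checks whether the rule the security team requested is actually present on each device. The device names, addresses and rule text are constructed sample data, and the parsers cover only the fields shown.

```python
import ipaddress
import re
from collections import namedtuple

# Vendor-neutral form of one rule: action, protocol, source, destination, destination port.
Rule = namedtuple("Rule", "action proto src dst dport")

def _ios_addr(tokens, i):
    """Consume one IOS address term (any / host X / X wildcard); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    prefix = 32 - bin(wildcard).count("1")  # assumes a contiguous wildcard mask
    return ipaddress.ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2

def parse_ios_ace(line):
    """Parse an IOS extended ACL entry, e.g. 'permit tcp 10.1.2.0 0.0.0.255 host 10.9.0.5 eq 443'."""
    t = line.split()
    src, i = _ios_addr(t, 2)
    dst, i = _ios_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Rule(t[0], t[1], src, dst, dport)

def parse_iptables_rule(line):
    """Parse an iptables-save style rule; only -s, -d, -p, --dport and -j are considered."""
    opts = dict(re.findall(r"(--[\w-]+|-\w)\s+(\S+)", line))
    action = "permit" if opts.get("-j") == "ACCEPT" else "deny"
    src = ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False)
    dst = ipaddress.ip_network(opts.get("-d", "0.0.0.0/0"), strict=False)
    dport = int(opts["--dport"]) if "--dport" in opts else None
    return Rule(action, opts.get("-p", "ip"), src, dst, dport)

def devices_missing_rule(requested, device_rules):
    """Return the names of devices whose normalised rule set lacks the requested rule."""
    return [name for name, rules in device_rules.items() if requested not in rules]

# Constructed sample data: the change the security team asked for, plus exports from two devices.
REQUEST = Rule("permit", "tcp", ipaddress.ip_network("10.1.2.0/24"),
               ipaddress.ip_network("10.9.0.5/32"), 443)
ROUTER_ACL = ["permit tcp 10.1.2.0 0.0.0.255 host 10.9.0.5 eq 443", "deny ip any any"]
FIREWALL_RULES = ["-A FORWARD -s 10.1.2.0/24 -d 10.9.0.6 -p tcp --dport 443 -j ACCEPT"]  # host mistyped

def audit():
    devices = {"edge-router": [parse_ios_ace(line) for line in ROUTER_ACL],
               "dmz-firewall": [parse_iptables_rule(line) for line in FIREWALL_RULES]}
    return devices_missing_rule(REQUEST, devices)  # -> ['dmz-firewall']: the firewall change was wrong
```

The same comparison gives the security team the audit evidence it needs without reading each vendor's syntax by hand, and the mistyped destination on the firewall is caught before anyone asks why the service does not work.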
Frustration and challenges
So not only can this situation cause companies costly delays and put networks at risk, it also introduces new tensions for the teams concerned, changing their internal relationships.
We met a security practitioner at an industry tradeshow recently, who told us that he is responsible for his company’s firewalls and ACL rule changes, but that most requests these days require changes to both the firewalls AND the integrated routers. While he can make the changes to the firewalls, he can’t touch the routers, as that’s the job of the network team, and he can only give them the requirements in the hope that they are implemented correctly. And, should something break, the company has different teams with different skills trying to figure out what went wrong.
It might be time, then, to consider the actions that IT team leaders ought to take in order to help restore the balance between the two teams. Ideally, of course, each team would have all the training and expertise it needed to work across multiple vendors: to understand each vendor's syntax, and the differences between network and security devices.
However, this isn’t likely for most organisations.
We would suggest therefore that companies should consider automated network control as a means of reducing the risks, saving time and alleviating the inter-departmental stresses brought about by this situation.
Automating the network
At its most basic, successful network security control depends on knowing what is connected and how it is configured.