Enhance network security using a change and configuration management strategy
CCM Concepts, Process, Policy and Solutions
August 25th, 2006
by Debra Littlejohn Shinder
Your network infrastructure may have been carefully planned and all changes meticulously documented—but unfortunately, that isn’t the norm. The typical business network “just grew that way,” and IT administrators may not be able to answer such questions as exactly which assets (servers, workstations, routers, switches, and other connectivity devices) are deployed, how each is configured, and what changes have been made over the past years or even months.
Not having documentation of network changes and configurations can present a security risk; you may have systems that are wide open to attack because they're running on default configurations or because changes have been made to their settings that make them vulnerable. Therefore, an effective change and configuration management strategy is a key part of your network security plan.
CCM concepts
A change and configuration management strategy generally involves constructing and maintaining a database that contains baseline information, along with changes made, for IT assets that include:
• Operating systems
• Applications
• Databases
• Networking devices
The CCM process
The goal of a good CCM strategy is to ensure that changes to network and system configurations are planned, consistent, reliable, and documented. You can accomplish this by establishing policies with a step-by-step process for implementing changes. We recommend doing the following:
1. Write a proposal for changes to be made.
2. Assess risks and costs involved in implementing the changes.
3. Set an implementation schedule.
4. Review and formally accept the proposal (with any amendments).
5. Implement it.
A formal process helps to control “configuration drift,” the accumulation of undocumented changes that can result in unknown security risks.
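To make the baseline-plus-changes database and drift detection concrete, the following is an added example and not part of the original article. The record layout, asset name, settings, and change ID are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ChangeRecord:
    change_id: str   # constructed ID of an approved change request
    setting: str
    new_value: str

@dataclass
class AssetRecord:
    name: str
    baseline: dict                                # setting -> documented baseline value
    changes: list = field(default_factory=list)   # approved changes, oldest first

    def expected(self):
        """Replay every documented change on top of the baseline."""
        config = dict(self.baseline)
        for change in self.changes:
            config[change.setting] = change.new_value
        return config

def find_drift(asset, observed):
    """Return (setting, expected, observed) for each undocumented difference.

    None marks a setting that is absent on one side.
    """
    expected = asset.expected()
    drift = []
    for setting in sorted(set(expected) | set(observed)):
        want, have = expected.get(setting), observed.get(setting)
        if want != have:
            drift.append((setting, want, have))
    return drift

def demo():
    # Constructed sample data for a hypothetical edge router.
    router = AssetRecord(
        name="edge-router-1",
        baseline={"firmware": "1.0", "telnet": "disabled", "snmp_community": "custom"},
        changes=[ChangeRecord("CR-001", "firmware", "1.1")],
    )
    observed = {"firmware": "1.1", "telnet": "enabled",
                "snmp_community": "custom", "http_admin": "enabled"}
    return find_drift(router, observed)

if __name__ == "__main__":
    for setting, want, have in demo():
        print(f"DRIFT {setting}: documented={want!r} observed={have!r}")
```

The approved firmware upgrade is not reported, because it is documented; the re-enabled telnet service and the new web admin interface are reported, because no change record accounts for them.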
The CCM policy
Obviously, it won’t be possible to follow such a formal process for every change (for example, a small change to a server’s settings). However, your CCM policy should require that the process be followed for all large-scale changes that affect the operation of the network. Some examples include:
• Upgrading servers to a new operating system
• Deploying a new security technology, such as IPsec or smart card authentication
• Upgrading your internet connection from a T1 to a T3 line
• Changing to a different ISP
Note: The policy should also make allowances for changes that need to be implemented on an emergency basis. For example, if your internet connection suddenly goes down, you may need to move the network to a backup provider immediately, without going through the formal change process.
For non-emergency changes, change requests should be submitted in writing. Your policy should specify who’s authorized to give final approval for change requests. This may be different for changes at different levels of complexity and cost.
Commercial CCM solutions
A good CCM solution will be able to track configurations and changes across the enterprise, including diverse environments that run a multiplicity of hardware platforms, operating systems, and applications and devices from many different vendors.
CCM Solutions
Microsoft includes CCM solutions in Windows 2000 Server and Server 2003, as well as more robust offerings in Systems Management Server (SMS), but if your network includes systems running non-Microsoft operating systems, you may need a more comprehensive CCM approach from a third party.