Utopian Management Goals
There is no shortage of information on network management goals; depending on the book you pick up, you'll find mention of many different types of management. Most stem from the International Organization for Standardization's (ISO) definitions of network management, which include the following five areas:
- Performance management: Considerations around the maintenance and measurement of performance levels. (Polling the throughput on your Internet router is a form of performance management.)
- Configuration management: Considerations around the provisioning and ongoing maintenance of IT resources and the tracking of configuration changes. (Gaining access to a router to make configuration changes is a form of configuration management. Patching a host is another.)
- Accounting management: This is related to performance management. Here, you are using performance measurements and tying the utilization back to the specific users and groups consuming the resources. (Using a function such as IP accounting to determine the users consuming the resources of your VPN gateway is an example of accounting management.)
- Fault management: Systems designed to detect and potentially resolve faults somewhere in the network. (A simple ping probe that tests the reachability of a critical server and pages you in the event of a failure is a form of fault management.)
- Security management: Management functions designed to enforce your security policies and to prevent, detect, and potentially remediate security incidents on the network.
Unfortunately, although these five categories are a useful way to consider the broad range of management elements, there is substantial overlap in the "security management" category: security management as defined by ISO can include fault, accounting, performance, and configuration management, which make up the other four categories. Turning to more practical definitions, as a security architect you usually care about two things: first, ensuring that the management functions the network needs are implemented in as secure a manner as possible; second, ensuring that your security system operates at its full potential by taking advantage of whichever security management functions are available. Together these should meet the ultimate goal: that you are notified of security failures and that you are able to tell whether your security system is functioning properly.
The former is a matter of understanding the device-hardening and management protocol options available to the systems of interest to the networking staff. The sections in this chapter titled "Protocol Capabilities" and "Secure Management Design Options" help you answer these questions when combined with the information discussed in Chapter 5, "Device Hardening."
The latter includes all the elements of the former and also has additional considerations to ensure that the security information is presented in as usable a manner as possible. By combining the information in the rest of this book with the information contained in this chapter, particularly the "Network Security Management Best Practices" section, you will be well equipped for this task.
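The second goal, being able to tell whether the security system is functioning properly, is easy to state and easy to neglect: a firewall or sensor that has stopped sending events looks exactly like a quiet network unless something watches for the silence. The following is an added example, not code from the book or from any vendor tool, of applying fault management to the security event feed itself. It parses a constructed syslog-style sample (timestamp, host, message), counts events per reporting device, and flags any device in an assumed inventory (`EXPECTED_SOURCES`, a hypothetical list) that has not reported within a chosen interval, including devices that have never been heard from at all.

```python
from datetime import datetime

# Constructed sample log (not real device output), one event per line in the
# form "timestamp host message". Three security devices report; the IDS
# (ids-dmz-1) falls silent after 10:02 while the others keep reporting.
SAMPLE_LOG = """\
2004-03-01T10:00:05 fw-edge-1 conn_built src=10.1.1.5 dst=192.0.2.10 dport=443
2004-03-01T10:00:09 ids-dmz-1 heartbeat
2004-03-01T10:01:00 fw-edge-1 conn_denied src=198.51.100.7 dst=10.1.1.5 dport=23
2004-03-01T10:01:30 vpn-gw-1 user_login user=alice src=203.0.113.9
2004-03-01T10:02:00 ids-dmz-1 heartbeat
2004-03-01T10:05:00 fw-edge-1 conn_built src=10.1.1.9 dst=192.0.2.10 dport=80
2004-03-01T10:06:30 vpn-gw-1 user_logout user=alice bytes_in=10240 bytes_out=2048
2004-03-01T10:09:00 fw-edge-1 conn_denied src=198.51.100.7 dst=10.1.1.5 dport=22
"""

# Assumed inventory: every device the management station expects to hear from.
# router-core-1 is included to show a source that never reports at all.
EXPECTED_SOURCES = {"fw-edge-1", "ids-dmz-1", "vpn-gw-1", "router-core-1"}


def parse_events(text):
    """Split log text into (timestamp, host, message) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, msg = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), host, msg))
    return events


def events_per_source(events):
    """Accounting-style view: how many events each device produced."""
    counts = {}
    for _, host, _ in events:
        counts[host] = counts.get(host, 0) + 1
    return counts


def last_seen(events):
    """Most recent event timestamp per reporting host."""
    seen = {}
    for ts, host, _ in events:
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def silent_sources(events, now_iso, max_gap_seconds):
    """Return {host: seconds_since_last_event} for every expected source whose
    last event is older than max_gap_seconds at time now_iso. A source that has
    never reported is returned with the value None so it is never mistaken for
    a healthy but quiet device."""
    now = datetime.fromisoformat(now_iso)
    seen = last_seen(events)
    silent = {}
    for host in sorted(EXPECTED_SOURCES):
        if host not in seen:
            silent[host] = None
            continue
        gap = int((now - seen[host]).total_seconds())
        if gap > max_gap_seconds:
            silent[host] = gap
    return silent


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("events per source:", events_per_source(evs))
    # At 10:10 with a 5-minute threshold, the IDS (last heard 10:02) and the
    # never-seen core router are reported; the firewall and VPN gateway are not.
    print("silent sources:", silent_sources(evs, "2004-03-01T10:10:00", 300))
```

The threshold has to be chosen per device class: a busy edge firewall can be expected to log every few seconds, whereas an IDS on a quiet segment may legitimately say nothing for long periods, which is why the sample has the IDS emit an explicit heartbeat. Without some such liveness signal the check cannot distinguish "no attacks" from "sensor down", and the notification goal in the text is not met.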
NOTE
The core elements of network security management covered in this chapter certainly comprise elements of all five management types identified earlier. To be more practical, security operators are most concerned with the secure configuration of the device (from provisioning through software maintenance) and the accurate reporting of security events to the management network. These two elements are the focus of this chapter's network security management conversation. A host of other supporting tools can help accomplish vulnerability assessment, attack confirmation, and user management; they are not discussed in this chapter. In my experience, getting the core configuration and monitoring elements right is hard enough without introducing additional tools that must be maintained.
If network security management did everything we hope it would, we would merely input our security policies into the software, and the system would take care of everything else. Oh, to be so lucky! Attacks would be identified and countered, systems not in compliance with policy would be brought into compliance or quarantined on the network, and in the unlikely event of an intrusion, the damage would automatically be contained, and forensic analysis and system refresh would instantly occur.
Unfortunately, though improvements are being made, network security management is still a very manual process with the best tool to effectively deal with security issues still being the human mind. There are tools and protocols out there that make this easier, but today, before any critical decision is made in network security, there is a human in front of a computer making it happen.