Network administrators use a “Golden Config” or configuration policy to ensure the network’s overall health, performance, and security. If this configuration is maintained, risk is minimized, and business continuity is protected. Unfortunately for most enterprises, gradual changes cause the network to “drift” away from the prescribed configuration, introducing risks to security and performance over time. Enterprise networks are dynamic environments comprised of tens of thousands of devices from dozens of vendors that are constantly being updated or changed. Typically these changes are made by engineers seeking to solve a specific problem; they are done ad hoc and are often not recorded. Although highly skilled engineers make these updates to address a pressing issue, each represents an opportunity for errors that take the network out of compliance, potentially introducing serious vulnerabilities. Preventing config drift is critical to network operations and security operations teams responsible for keeping the network safe and reliable. Config drift is frequently the cause of security breaches. The ability to verify changes adhere to the in-policy config is critical to ensuring performance, security, and even successful audits. But how do you do that when there are literally billions of lines of config in every network? IDC states that config drift identification and prevention “cannot be achieved by even the most conscientious of SOC analysts.” (Worldwide Tier 2 SOC Analytics and CloudNative XDR Market Shares, 2021: Rethinking the Cybersecurity SOC Software Stack).
Using our Digital Twin to Eliminate Config Drift with Mathematical Certainty Software support is the only effective way to detect and remediate non-compliant configuration before it causes an incident. Our digital twin uses read-only access to collect configuration and state data from all traditional networking devices like switches, routers, firewalls, load balancers, SD-WAN, and software-defined elements like NSX and HCI. That data is then indexed and becomes searchable. Forward Networks is the industry leader in network assurance and intent-based verification. Our platform is designed to regularly collect detailed L2 – L4 and L7 state and configuration information from the network. Using the Network Query Engine (NQE), engineers can proactively check for non-compliant configurations using custom searches or one of the hundreds of pre-built verification checks.
Network Query Engine highlights missing configurations