Liberating network management: Your first line of cyber defense

Cybersecurity breaches are an all-too-common and ever-evolving threat that every organization should be prepared for. But as digital ecosystems evolve to support new innovations and an increasing number of connected devices, so does the complexity of managing and securing critical network infrastructure.

Each new remote data center or SD-WAN router brings with it a new vector for attacks that could hijack an entire ecosystem and hold it hostage. This means that while malicious actors continue to grow in sophistication, the chances for them to exploit common vulnerabilities like config errors, bad updates or clicked ransomware links also multiply exponentially.

If organizations and their networks are not resilient, they can find themselves suddenly scrambling when a breach occurs. Adding fuel to the fire, the costs of an outage can be catastrophic. In fact, a recent Opengear survey revealed that nearly 1/3 of organizations lose over $1 million due to network outages each year.

This year alone, we’ve already seen many major incidents impacting enterprises, critical industries and major social movements alike. For instance, hackers exploited a major directory traversal bug, massive breaches to healthcare systems sent them back to paper-based operations, and election data sharing software has been targeted by phishing scams.

What can be done to prevent attacks and protect sensitive data and critical infrastructure? One of the first and most critical steps to improving security is to ensure network management operates independently from the production network.

This practice not only ensures the keys to the kingdom remain safe and only in the hands of those who should have access, but also can help future-proof an organization’s entire network, reduce operational costs such as truck rolls, and greatly increase resilience across the network to reduce outages and improve uptime.

The case for liberating networks

Managing the network on the primary production network is a recipe for disaster, yet all too often is an afterthought for those managing a network. When network management is housed alongside user data traffic and control commands, organizations expose themselves to attacks from anywhere or anyone that can connect to a vulnerable device. Making matters worse, management can quickly get locked out during disruptions and cyber-attacks, meaning outages last longer and have a greater impact on total costs. Even something as simple as a malicious Twitter link, for example, can open the door for data theft, malicious code or lengthy downtime periods.

By implementing a separate network management connection to reach console ports, called out-of-band (OOB) management, network admins or engineers can reach any edge or core location in a network, no matter the status of the production network. This simple step can improve visibility into the status of devices, enable real-time problem resolution to improve remediation, and ultimately thwart a security breach.

“Is LTE right for me?”

When establishing a separate management plane, one of the most common questions stakeholders ask is, “Should I use a cellular connection or not, and if I use a cellular connection, will it be secure?” The answer is yes, a cellular connection can be highly secure, as long as precautionary measures are taken, such as IPsec VPN tunnels and other protocols.

Of course, there are other options too. Some might use a cable modem, while others might use a second Ethernet interface built on a separate network entirely. However, a cellular network is generally more flexible, especially for geographically dispersed networks, and is simpler to use and scale. By utilizing a 4G LTE connection, organizations can also benefit from a plethora of smart capabilities, such as proactive monitoring and alerts, automatic failover and near-instant remediation.

Cellular also enables instantaneous setup, especially when compared to other methods. For instance, it could take weeks to install an MPLS circuit for your independent management plane, but a cellular, data plan is very easy to activate and can be done in hours from a remote location.

A “smart” management plane

Separating the management plane to protect core data center operations has always been critical for network security and management. But as IoT and other innovations increase the need for edge computing, organizations now have to manage a plethora of geographically dispersed network nodes which can act as additional points of failure or vectors for a malicious actor to breach.

A more edge-heavy environment also means the costs of downtime and truck rolls will rise, while vulnerabilities increase. Therefore, those who can implement a separate management plane with smart capabilities will have a competitive advantage.

These capabilities include the ability to implement and quickly improve upon network automation functions – a key factor in costs savings and reducing human error. This can be done on a separate management plane with the inclusion of tools that support NetOps (or DevOps for networking), like Ansible, GitHub, Puppet and Chef for configuration; Docker and Kubernetes for storage; Splunk for monitoring and alerting; Google, Microsoft Azure and AWS for cloud management; and Python and other APIs for coding.

By providing these tools on a separate management plane, organizations can rapidly and securely roll-out applications for always-on remote provisioning and NetOps automation. This means continuous event logging and back-up procedures can all be automated, and new site configurations can be completed instantaneously via processes like zero-touch provisioning, which eliminates needs for on-site setup.

What are you waiting for?

While a capable separate network management plane greatly increases network resilience, there are still those who haven’t adopted such an approach. For many, the value of the technology is not evident until its need is necessitated by crisis. For others, they may try to make do with a legacy OOB server that is not scalable, has very limited capabilities, or relies on outdated firmware.

Large organizations and small to mid-sized enterprises alike can all fall prey to complacency in regard to network resilience. Hacker sophistication and our dependence on digital environments continually increases, so why open the door for downtime and breaches that can spell disaster? Those who act sooner rather than later will be better equipped to handle today’s and tomorrow’s security vulnerabilities.

This article originally ran in Security, a twice-monthly security-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.