Session 2 - Network Infrastructure Protection Through Automation

Network automation provides significant time savings and operational efficiencies for network infrastructure protection. Key benefits include automated discovery of devices and configuration changes, hardening of device configurations for compliance through embedded rules and templates, and vulnerability management through integration with security tools and lifecycle management of CVEs/PSIRTs. Automation streamlines processes such as discovery, change management, and compliance auditing to reduce risks and improve network security.


Network Infrastructure Protection Through Automation
@DaveSignori
Senior Director, Product Management

Agenda
• Discovery and Automation
• Hardening Device Configurations
• Vulnerability Management – CVE/PSIRT
• Life Cycle Management
• Configuration Analysis
• Use Case – ROI Analysis

Discovery and Automation

Authoritative Discovery
Ensuring Accuracy: Single Source of Truth

Discovery
• What IP and MAC
• When Appear
• What Subnet/VLAN
• Device Attributes
• DNS hostname
• User
• Where has it been

Network -> IPAM / CMDB
• Add a Network -> New (sync)
• Add IPs -> New (sync or remediate)
• Drop a Network -> Inactive (report)
• Drop IPs -> Inactive (sync or report)
• Switch Port to Host X -> Conflict (sync)
• Misconfiguration
• Block

Infoblox Discovery and Network Automation
The Foundation of a Secured, Controlled Network

Network Automation Infrastructure

Visibility
• IPs, MACs, & Hostnames
• Subnets & VLANs
• Device and End Host Attributes
• When and Where Attached
• User Context
• Topology Views

Protection
• Network in-sync with IPAM
• Remediate Rogue & Compromised End Hosts
• Capacity Management
• Asset Management
• Security Compliance Enforcement

Any Platform (diagram labels): Wired, Wireless, Virtual, SDN Networks, On-Prem, Private, Public, Hybrid, Cloud

End Host Vulnerability Management Integration
Infoblox and Rapid7

[Diagram labels: Authoritative Network Database; Network Discovery; Notifications of Changes & Malicious Events]

Authoritative IP Address Management with Nexpose

Network Insight

Infoblox can help with device discovery, notifying Rapid7 when a new device joins the network, so that Rapid7 can then immediately scan that device.

Key Capabilities
- Asset Discovery and Management
- Malicious Event Based Scanning
- Compliance and Audit

Benefits
- Context-based action
- Security orchestration
- Improved efficacy of security investments already made

NAC Integration
Infoblox and Cisco ISE

Switch Port Management
• Track free, available, and unused ports
• Provision Switch Ports
• Capacity planning & management
• Track connected end hosts
• Remediate rogue or compromised endpoints
• Insight Mobile App


Hardening Device Configurations

The Complex Compliance Landscape
Internal directives, policies; Mandatory external regulations (HIPAA, PCI DSS)

• Landscape is vast
• Regulations and mandates change frequently
• Translating requirements to concrete IT policies is complex
• Requirements can come from various sources

Challenges in Maintaining Compliance

Diversity of Infrastructure
• Manual, siloed processes to managing compliance across varied architectures
• No unified visibility: No way of knowing what devices are connecting to the network
• Data is distributed and at risk (HIPAA, PCI DSS)

Change and Variability
• Cumbersome and time consuming to manually keep up with constantly changing requirements
• Leads to errors

Reporting and Audit
• Hard to identify risk and violations easily
• No context about violations
• Manual auditing
• Takes away valuable resources

“Corporate & IT compliance managers continue to struggle managing their compliance programs using manual methods & tools.”

Gartner, Market Guide for Corporate Compliance and Oversight Solutions, April 2016

Configuration Compliance Management
• Embedded compliance rules
• Customizable best practice templates
• Manage multiple policies
• Proactive violation detected
• Multiple remediation options
• Current and historical views

Vulnerability Management
CVEs / PSIRTs
Policy Subscription Services
Security Policy Audit, Device Vendor Vulnerability Audit and Life Cycle Management

• EmpoweredAdvisor™ helps ensure your network is secure, compliant, and up-to-date.
  – Add-on service for NetMRI customers that provides a constantly-updated, curated feed of a manufacturer’s security advisory content (i.e. PSIRTs) and life cycle management announcements (i.e. EOS, EOL)
    • Always-On Analysis of Security Advisories
    • Timely Alerts on the Advisories that may affect your network
    • Take Remedial Action, with Streamlined Processes
    • Tight Integration with NetMRI Core Features
• Configuration Policy Service
  – DISA STIG Policy Updates

Lifecycle Management
End of Life (EoL), End of Support (EoS), …

Life Cycle Management
EoL, EoS, and Status
• Subscription
• Maps to network inventory
• Sorting, filtering and reporting
• Multi-vendor

Configuration Analysis
Configuration Analysis
~300 out of the box configuration checks
• Unique pre-packaged expertise
• Identifies common misconfigurations
• Customizable alerting
• Recommended remediation options
• Understand concept of the network
• Network Scorecard views

Configuration Analysis
Sample Security related Issues
• Default Passwords Being Used
• Daylight Savings Time Compliance
• High Config Activity
• Config Collection Disabled
• Config Running Not Saved
• Corrupt IOS Image File
• Device Recently Restarted
• Downstream Hub or Switch
• Rogue DHCP Server Detected
• Vendor Defaults Found
• Weak Community String
• Wireless AP Broadcasting SSID

Case Study
ROI Analysis
Before and After Network Automation

| Metric | Before Automation | With Automation | Comment |
|---|---|---|---|
| Inventory | | | |
| Number of devices | 12000 | 13000 | |
| Number of new devices per year | 500 | 500 | New environment could cause spike |
| Time spent deploying a new device (minutes) | 60 | 60 | config and OS - auto-remediation takes care of the last 5 or 10% of config |
| Time spent managing device maintenance contracts (minutes) | NA | NA | |
| Time spent decommissioning devices (minutes) | NA | NA | |
| Time spent generating inventory reports (minutes) | NA | NA | |
| Configuration Search | 16 hours | 30 min | |
| Standard Change | | | |
| Number of standard changes per device per year | 8 to 10 | 8 to 10 | Doesn't include routine changes (i.e. port description) |
| Time spent making a standard change per device (minutes) (1 device) | 5 | 15 | |
| Time spent making a standard change per device (minutes) (multiple) | 5 | ~0 | ROI only in mass changes (6 out of 10 are individual) |
| Number of minutes to detect a change | 30 but you have to know what you are looking for | real time or < 1 minute | |
| Time spent generating change tracking reports (minutes) | Only TACACS | Future | |
| Compliance | | | |
| Number of compliance checks per device per year | 10 config items 365 times a year | 250 config items 3 times a week. 48 config items in real time. | |
| Time spent to check compliance per device (minutes) | 30 | ~0 | |
| Time spent correcting a compliance violation per device (minutes) | 30 | Auto-remediation (0) or < 1 minute | |
| Time spent generating compliance reports (minutes) | 4 to 6 hours | 3 to 5 minutes | |
| Configuration Management | | | |
| Number of configuration backup cycles per year | 365 | Real time but once a week forced and second to pick up failure. | |
| Time spent backing up a device configuration | 0 | 0 | |
| Security | | | |
| Time spent applying a vendor security advisory | example: quarter | 4 hours | |
| OS Provisioning | | | |
| Number of times OS is provisioned per device per year | 1 | 1 | |
| Time spent deploying an OS per device | 60 | 15 to 20 (individual) | Deploy en masse and schedule reboots |

CUSTOMER SUCCESS STORY
Infrastructure Protection

U.S. Health Insurance Federation
Market: Health Insurance
Desired Outcome: Audit, Enforcement, and Reporting on Network Infrastructure compliant to DISA STIG Policies

Challenges:
• Hours spent on manual processes for audit, enforcement, and reporting
• Lack of efficiencies for pushing out network changes
• DISA STIG policies constantly being updated
• Keeping tools up-to-date with latest network technologies and equipment

Infoblox solution:
NetMRI, EmpoweredAdvisor, and DISA STIG Subscription Service

Outcome:
• Automated means for auditing, enforcing, and reporting on DISA compliance, CVEs, and network equipment lifecycle events
• Automated means for pushing global changes

Thank You
@DaveSignori