Moderator: This episode of SolarWinds® TechPod™ is brought to you by Network Configuration Manager. Find it at OrangeMatter.SolarWinds.com. At SolarWinds headquarters in Austin, Texas, this is SolarWinds TechPod: Tech Talks. Today we’re talking compliance. Our first guest is a SolarWinds certified subject matter expert with 20-plus years’ experience, focusing on providing information technology services and expertise to many branches of the federal government and military, who has worked with a wide range of tech and tools including Microsoft, IOS, Nexus, Junos, Solaris, WhatsUp Gold, HP-UX, and of course SolarWinds. Welcome Director of SolarWinds Engineering, Eric Hodeen.
Eric: Yes. My name is Eric Hodeen, I’m a SolarWinds enterprise architect.
Moderator: Now you’ve probably heard of my next guest before. She has worked in the health care, federal, and application engineering fields during her 15 years of working as a network manager and as a SolarWinds senior application engineer for more than nine years. Let’s welcome SolarWinds Security Content Architect, Destiny Bertucci.
Dez: Hi everybody. I’m Dez also known as Destiny Bertucci. I’m a security content architect for SolarWinds. Some of you may know me, some of you may not, but we’re here today to discuss a lot of compliance. All right, Eric, let’s dive in.
Moderator: Network compliance and management can spiral out of control quickly and while standardization can make a major impact, here’s what Dez and Eric had to say about simply not having the time.
Dez: So Eric, I don’t know about you, but I know standardization has really helped me in the past, especially if there’s a device that’s down and you have thousands of devices that are going on. And I can strictly look at the naming schema and be able to tell you where the location is, what the device is, and if it’s a primary or a secondary device that’s on there. And that’s just one of the things, right, with standardization that can really save your bacon, you know, per se. But one of the major things though is that, you know, what about particular changes and all these people with all their spreadsheets. I mean those really made an impact in the 80s, right? It’s like we can’t keep up with those, can we? We have to be able to have fast changes. We need to know what those real-time changes are and we need to also be aware of what the compliance could be around these.
Eric: Yes, exactly. How much time does one really need to do compliance? Well, if you’ve never done compliance before, it could take a while. But if you use NCM to automate your compliance, it’s only going to take a fraction of the time. I remember I was on this one instance of SolarWinds and the organization had 12 to 15 personnel ready to make their network compliant. Well, they were manually checking every single device, every one of, you know, 500 devices. That’s going to take a long time. It took them about six to nine months. Whereas if you automate with NCM, you have two or three people, and it takes about two or three months.
Dez: Definitely. And then, like, one of the major things with compliance that I always like to make sure that people know is that compliance does not make you secure and secure does not mean that you’re compliant by any means. But sometimes we just need that standardization checkbox, right? Like we just need to be able to say, “Hey, these compliance rules that are out there from either a PCI level, from a HIPAA level, or even if we’re talking about the federal side and we want to talk about DISA STIGs, things that come across there.” Those are the things that we have checkboxes implemented in standardization for. Those are easy low-hanging fruit that you can help use with NCM automation with the compliance reports, right? Like we were able to apply these to our network devices that we are seeing. We are able to see immediately the impact if there’s a Critical, if there’s a Warning, if there’s something that’s out of scope, and then we have the printable, you know, actual report as well, and we can email it to our bosses to make sure that everyone is aware of the things that we need to work on.
Dez: So that creates a task list, that creates things which the network team can resolve, and they’re automatically doing that out of the box with NCM, applying it to their network from day one. Like from the day that they had that in, they’re able to apply those and see what’s going on so that they can have task lists. So instead of waiting four months to figure out if you’re compliant or not, you’re looking ahead in the four months fixing and resolving the issues that you found when you ran the report.
Eric: Correct. Identifying industry best practices. Do you need to know if you’re running SSH or Telnet? Are you running SNMPv3 vs. SNMPv2? Do you even have a banner on your devices? I mean, I’ve heard stories in the past, I’m sure you have as well, where a hacker just simply got into the corporate network because there was no banner on the device and the law couldn’t do anything about it because there’s nothing telling that person that he was not allowed to be there.
Dez: Exactly. And it’s little things like that that seem so easy, but it’s also because it’s so easy, it gets kind of pushed to the side as being mundane and just not getting implemented. And I actually know a guy who had an audit and it was a blog and banner was not present and he got deducted on his actual bonus. So you don’t want to be like that. You want to be able to have that automated. You want to be able to have those conversations with your team and you want to be able to fix those, right? Like you want to be able to automate those processes. If you’re out of standardization, you can use the compliance reports to change your naming schema because you can do the automatic remediation on there. You’re also able to set it up to where you can do manual remediation so that you can help to do those, and NCM offers you config change templates as well.
Dez: So it takes the time out of that, right? Like you’re able to visualize, be able to see the information that you’re doing in the compliance reports, and then run different tools within NCM, the Network Configuration Manager, to help you to be compliant quickly and automated through jobs, configuration templates, IOS firmware updates, the list kind of goes on and on, right? Like that’s just one of the great things and how senior design really saves you, but it’s also the time-consuming, like just craziness that NCM just takes away. I like to call it the 500-pound gorilla in the room, right? Like it’s literally your network team that you didn’t know you had by just even having Network Configuration Manager.
Eric: So true, Destiny. So true. Being able to identify those bits and pieces of configuration within your networking devices, you know, whether it’s routers and switches, firewalls, load balancers, so on and so on. Being able to verify those snippets, like I said before, SSH, NTP, interfaces, you know, you want to make sure your interfaces follow corporate standards, company standards, you know, STIG standards. But you know what, you need all those bits and pieces to check off correctly, so you have your artifacts for your compliance framework, whether it’s DISA STIGs, or RMF, HIPAA, NERC, so on and so forth. You need those small bits and pieces for the artifacts for your audit.
Dez: Definitely. I couldn’t agree more.
Moderator: When your devices are spread out across a number of locations, monitoring and auditing can become challenging. So, when is the perfect time for you to reevaluate your tools?
Dez: To reevaluate your tools. That’s always something that I get asked: “When’s the time we should reevaluate? When are we actually making sure that we have all of our locations being monitored, when can we set up the auditing, when is all this stuff going to happen?” And it always seems so challenging and crazy out there, but it actually isn’t. We have people who set up their Network Configuration Manager. You add in your devices. You set up a monitoring protocol that you do for your connection profiles. You apply it onto there. You download the configuration files. You’re automatically going to be able to do a CVE vulnerability check every night around 2 a.m. It’ll come down there and it will actually check your IOSs, make sure what’s going on there for any vulnerabilities. Out of the box, there are so many different available compliance reports for you that you can run.
Dez: Then once you start getting into the capabilities and you’re wanting to really evaluate your tools, it’s, “Are they customizable?” That’s something that I usually try to figure out, especially if I’m evaluating tools and what I need or what I don’t need. And it usually comes down to customization and “Am I able to use something that’s an attribute or a custom property that helps me to hone in on devices easily?” So, if I’m wanting to do mass changes, or if I’m wanting to gather things from a compliance report, if I’m wanting to send out a compliance report using variables, if I’m wanting to use alerting. I would have to say that one of my major focus points on when to reevaluate a tool is when I figure out there’s something that I couldn’t do in the moment that I really needed it, and I know that sounds weird, but that is one of the things. If I’m not able to do it quickly in the moment, that’s when I’m like, “Well, can this tool do it?”
Dez: It may. It may take a little bit of a workaround, but is there something that makes this easier? Is there something that doesn’t make this easier? I personally find that I can do most of what I need to do with the network configuration management tool from SolarWinds currently. There are several other network configuration management tools that are out there. They have similar kinds of ways that they like to do things, but a lot of the time they are simplistic in that they do downloads, backups, right? Like that’s of major importance with your network configuration manager tools. But I feel like you should always reevaluate when you’re having to manually go to devices individually. That’s where you’re hung up, right? Like that’s still a problem. And if you can only grab a few or you have to individually click devices, that’s a problem.
Dez: If you’re having to set up 30,000 different rules because you don’t have the variables or the necessity, that’s a problem. If you don’t have it to where you have an actual one-pager, like, you know, PerfStack™ for instance, where I’m able to see all my network configurations, I’m able to see my network performance, I’m able to see any of the applications, the QoE that’s coming across there from one page. That’s important. So, I think that everybody has their limit point. That’s what I like to call it. And it’s usually out of frustration that I start reevaluating, because if you’re using a tool right now and you’re evaluating other tools constantly, it’s not the right tool for you in my eyes.
Eric: Destiny, that is true. That is true. Nowadays, we’re getting so many more products on the market. Even the same vendors that we’re used to, whether it be Cisco, Juniper, and Palo Alto, that type of vendor. They’re coming out with new OSs, new models, new features, new requirements, just new technology altogether. So, you know, we have the vendors pushing out new product and then now we have to go back behind them and figure out how do we make this compliant with the way that our guide or framework is presently laid out. The DISA STIGs, they update every quarter. Some do every six months, so on and so forth. Okay. So now, once we’ve figured out how to make our devices compliant, and to reiterate what you said before, you know, being compliant is not secure, being secure is not compliant.
Eric: This is so true because some of this new technology, they’re using old technology, old protocols to make their device work. So, once we do have our compliance, it’s out there, then, you know, SolarWinds, we have THWACK®, the online community. I’m always out there on THWACK asking folks, “Hey, how do you go about making this sort of technology compliant these days?” You know, the DISA STIG says this, or HIPAA says this, NIST says we have to do it a different way. What we want to do is we want to make that compliant. We want to be on the level and make sure we get all of our artifacts in a row.
Dez: And that goes back to the customization. That’s something that sometimes people don’t understand about the compliance reports: how easy they are to customize. And you have to think of it as a pyramid scheme, is what I always tell everybody. And it’s because your rules are at the bottom. Your rules will create your policies, and the policies you grab will create your report. So you can literally take all the out-of-the-box rules, grab them, create your own policies, grab the policies that you want that are actually customized to your security plan, your security and information that you need to keep track of and be compliant with, with your own company, and then create a report that’s tailor-made for you. Right? Like that’s something that I think people who do take advantage of that and the compliance realm of Network Configuration Manager just absolutely go over the moon for, but it’s that tiptoe, right?
Dez: Like they just want to tiptoe into it, and you start off with the out-of-the-box, you get a little bit comfortable with it, you’re able to see that you can manually update or, you know, remediate. Then you can set up some automation like login banners. I always tell everybody, like, one of the major things to start off with is login banners, right? Like make that be an auto-remediation. Don’t worry about that. Run that thing at night. Make sure that you have your login banners on there and then just tailor-make it to your actual security policies so that it’s relevant to you and you use it and you know that you’re compliant. Because that’s going to help you to be more secure, but that’s also going to help, when you’re getting secure, to know that you’re actually doing it along the lines of your security policy and you’re still following the compliance on the backside.
Eric: Correct. Also, I did want to mention that I started using NCM about 10 years ago when SolarWinds acquired it and started putting it into the Orion Platform. And back then it didn’t have some of the features that it has today, some of the look and feel, some of the features and characteristics of NCM. Nowadays, some of the boxes are larger. We have customizable items on there in order for us to make it more visually appealing to our audience.
Dez: Oh, it’s 100%. It’s always changing, right?
Eric: I love it because with SolarWinds, you can actually put in a feature request and say, “Hey, I’d like for SolarWinds to do this.” Instead of having to go out and buy a new product to display it better for you, put a feature request into SolarWinds and you know, put it on the THWACK community and lo and behold, there you go.
Dez: I have to agree with that. So that definitely tells us, you know, if you’re reevaluating tools, sometimes it may not be a reevaluation, right? Like it may just be going to THWACK and asking the questions of, “Hey, can we get this added in?” And most likely, if other people are wanting to do that, then you’re going to be a part of a Beta program at one point where you’re going to say, “Hey, that’s my feature!”
SEGMENT BREAK: Haven’t registered for this year’s THWACKcamp™? There’s still time. This year, THWACKcamp will include entertaining Ask Me Anything sessions with our SolarWinds Head Geeks™ and exclusive content from our guest speakers. Claim your unlimited seat at THWACKcamp.com now.
Moderator: Tool reevaluation can call for reporting capabilities to track changes. Here are some ways Dez and Eric keep track of any changes.
Dez: All right, so we’ve talked a lot about the reporting capabilities and things that are coming in there and we’ve talked a lot about remediating too, but I think what scares people sometimes is being able to acknowledge there’s been change in the first place, right? Because you have to have the audit trail. Everybody loves the paperwork. Am I right?
Eric: Yeah, paperwork, paperwork, paperwork.
Dez: I just love it. Now the main thing is that one thing that I love about NCM is that it does track, it tracks the audit events, it tells you who’s made changes and where, and you’re able to customize that as well to have like one, two, three layers of approval so that you have audit changes that can be tracked. We also have a reporting function that will actually show you what’s been changed and by whom, and then while you’re doing these changes, we have something in the product that’s called real-time change notification.
Dez: So it’ll download the config, compare, and actually show you the difference of what’s going on within those two configs. So, when you’re remediating, it’s not like, “Oh my gosh, I remediated and something went wrong.” That’s what NCM’s basic foundation is made on, right, is the whole downloading and backing up of your configs. So, we have a standardization of your baseline, your actual running, your startup, if you have a different name, like if you have multi-context devices, we have those that you can list out separately in different forms. So, we have you covered not only for disaster recovery, but when you’re making these remediations or you’re implementing a security policy, right? And you’re making these compliance changes that actually, you know, maybe you implement it and then the security team came in and they’re saying, “Ah, you know what, after we implemented that, you’re actually less secure. So, we need to revert that.”
Dez: You’re able to do that with NCM as well. So, it’s a give-and-take program that allows you to grow and learn with it, as well as helping you to adhere to your security policy at the level that you’re at. Right? Like from beginner all the way up to an expert level, we’re helping you to monitor and get your reporting capabilities, track those changes, and be there along with you step by step. We have you covered: if something goes wrong, you can back it up to where you were at.
Eric: That is correct. Also, with the approval change system that NCM offers, you can designate when you want that change to happen, whether it’s overnight or during the middle of the day on a Saturday or so. And then with the automated reports, you can have those emailed to you or your executives and then your network operations center can view report dashboards live on their screens.
Dez: Definitely. And I like to use that tool not only for just, like, you know, auditing events, but I use that as a learning tool. So, like, even if there are new networking people that are coming in and they’re basic level, level one, tier one, whatever you want to call them, the newbie guy that’s coming in fresh, you know, just excited out of either college or just got a CCNA/CCNP, he’s excited, he’s on your team. That’s a verification for a fat finger or a quick mistake, right? So, it’s like one of those things where I can see, I love that. It shows me the script that’s wanting to be run. It’s showing me the devices that it’s wanting to go to. I can put another set of eyes on it because most of your problems with network outages are human error.
Eric: Correct. Wrong subnet mask, wrong default gateway, access list spelled incorrectly.
Dez: It’s the little things, if you just had that one little checkbox of an extra eye or even two sets of eyes, right? Because we can go up three layers in. So, it’s one of those things that it’s kind of a peace of mind as well as a training tool to help people to be like, “Oh, you’re right. I should probably check that twice before I hit the send button. Before I send it up to the next level, I should probably verify this.” And then they kind of get it in their head to do some extra checks, because we should do extra checks when we’re doing things. But having those extra eyes, nobody’s perfect, except me. No, just kidding. But when we do those things, it helps us all to be cohesive, it’s a learning environment, and it’s something that did not cause a network outage. It was stopped. So that’s a win. I don’t care how you look at it. That is a definite win.
Eric: I totally agree.
Moderator: When trying to take the pain out of compliance, Dez and Eric also have a few solutions that might help.
Dez: Oh man. Eric, do you want to take this one? How do you take the pain out of compliance?
Eric: Well, to take the pain out of compliance, you do a little bit each day. Whether it’s an hour or two in the morning, over your first cup or three of coffee, that’s fine. Whether it’s reading or researching or responding to technology challenges and issues within your environment that are applicable to your compliance framework. A little bit each day. You’re not going to conquer the world in a day. It’s going to take time in the beginning. Little by little, you’ll evaluate your requirements, then you’ll implement, integrate, and then you’ll be reporting on your compliance requirements.
Dez: Yeah, I have to definitely say for compliance, I think for me to take the pain out of it is to just remember that you don’t make network changes every day of your life, right? So, it’s one of those things of take your top with your security policy. What are the top compliance issues? What are your extremes? Right? Start with your extreme, your Critical, and work your way down the list. But don’t worry because, like I said, we don’t make configuration changes on mass networks every day that are crazy and going to knock you out of compliance. Run the report, start with them, have tasks, take them one by one, be able to implement them, run the report again, make sure that you’re compliant, and then you just go from there. We always work from Critical down to low level, and then once you get all the red gone, you’re working on the yellow, then you can work on the green.
Dez: But then you just have your compliance reports set up to run once a week just to give you that verification that “Hey, things are going well right now and we’re okay.” And that helps you to not only have the confidence in the compliance work that you’re implementing, it also really helps you to understand compliance as you’re going through the rules and understanding what you have to remediate and working with your security team. I feel like if you work with the security team, you have less pain anyway in the compliance because you’re helping to meet a deadline that your security team probably has already, and you’re learning how to be more compliant for when you’re implementing configs in the future, and altogether there’s less out-of-compliance that’s going to happen because of the learning as you’re going through these.
Eric: That is correct, Destiny. While we were talking today, I was just kind of going back in my head a little bit and one last thought I had was, you know, a compliant network equals you’re fulfilling corporate and industry policy, standardized configurations, baselining your configurations, reducing your troubleshooting time, and also you’re satisfying a disaster recovery or a COOP policy or procedures plan. So, having a compliant network, you’re hitting five major items that you’re going to need for your compliance framework.
Dez: Oh, 100%, I have to agree with that. Thanks for having me on here, guys. It was a pleasure talking to you. I mean, I know I get excited about compliance, but I mean I may be a little weird, it’s fine, but thank you guys so much. I’m Destiny Bertucci.
Eric: Thank you, everybody. It was a great time talking with you today. I love compliance as much as Destiny does. Maybe a little bit more. But I’ve had a great time here today and feel free to look me up on THWACK.
Moderator: On behalf of TechPod, I want to thank you both for visiting with us today and thank you for listening. We’ll catch you on the next episode of SolarWinds TechPod Tech Talks. If you haven’t already, please remember to subscribe, rate, and review us wherever you listen to podcasts.