Testing the Policy

/by

The day was already hot with the humidity rising as I entered the data center for our third day of consulting. The NOC was state-of-the-art, dimly lit, with displays showing network status, weather, and news. This was the day we would see the results of testing the network policy for the first time. I knew what to expect, and I knew the engineers would be surprised. It happens every time.

testingNetworks today are incredibly complex: from the more traditional routers with ACL s, and firewalls with their rules, to ever-more-sophisticated load balancers, application-layer firewalls, and virtual environments that comprise more functions than the entire enterprise had just a few years ago. The expansive organic and revolutionary growth of network functions has created an elaborate, interconnected, dynamic maze that is practically impossible for human beings to grasp, much less to determine every possible outcome of communication across it.

That is where automation steps in.

As I mentioned in previous posts, first, you identify zones and then you map them to your network. These two steps are essential to any reasonable security policy. However, that’s not enough. You have to know every day that your network enforces those zones and the inter-zone policies you worked so hard to create. The only way to do that is with automation.

As a guy who has built networks for a very long time, one of my primary reasons for using RedSeal on those networks is to abstract the complexity of all those network elements and show me the current state of the security policy: are there any violations to that policy on the network today?

Just like that hot day I spent in the cool confines of a modern data center, every network I have helped customers and prospects analyze — without exception — has had violations of their policy. Many were approved exceptions. Some were emergency changes. It’s also very common to discover completely unexpected violations. Frankly, you should expect that. The complexity and unexpected interactions are far too great to be able to anticipate all of them without automation like RedSeal.

How do you test your policy?