Today's network devices are powerful and feature-rich. Before deploying devices in their networks, administrators must configure them to provide the functionality and the level of security needed to operate effectively. As circumstances and conditions in their networks change, administrators must make periodic adjustments to these configurations to ensure their continued efficacy. Information about network conditions can also come from external sources, including packet monitoring systems, intrusion detection systems, intrusion prevention systems, antivirus/antispyware monitoring systems, Cisco NetFlow/sFlow® analyzers, and others. sFlow® is a registered trademark of the InMon Corporation. These external systems can generate alerts when violations of their individual policies occur.
For convenience, the following glossary provides acronym definitions of terms to be used: AD—Active Directory; ANS—Adaptive Network Security; AS—Anti-Spyware; AV—Anti-Virus; CLI—Command Line Interface; DHCP—Dynamic Host Configuration Protocol; DLP—Data Loss Prevention; DNS—Domain Name System; DPI—Deep Packet Inspection; Endpoint—Any device that connects to the network that is not considered part of the network infrastructure; HTTP—HyperText Transfer Protocol; IDS—Intrusion Detection System; IP—Internet Protocol; IPS—Intrusion Prevention System; LAN—Local Area Network; MIB—Management Information Base; NAC—Network Access Control; NBAD—Network Behavior Anomaly Detection; NID—Network Infrastructure Device; NMS—Network Management System; PC—Personal Computer; PDA—Personal Digital Assistant; RADIUS—Remote Authentication Dial-In User Service; SIEM—Security Information and Event Management; SNMP—Simple Network Management Protocol; SOAP—Simple Object Access Protocol; SSH—Secure Shell; TELNET—Teletype Network; VPN—Virtual Private Network; WAN—Wide Area Network; WWW—World Wide Web; and XML—Extensible Markup Language.
Generally speaking, network devices allow their configuration by supporting protocols such as HyperText Transfer Protocol (HTTP), Teletype Network (TELNET), Secure Shell (SSH), Simple Object Access Protocol (SOAP), Simple Network Management Protocol (SNMP), and others that are sometimes proprietary to a specific vendor. HTTP supports World Wide Web (WWW) interfaces consisting of web pages that are accessed through industry standard web browsers such as Microsoft® Internet Explorer® or Mozilla® Firefox®. Microsoft® and Internet Explorer® are registered trademarks of the Microsoft Corporation, and Mozilla® and Firefox® are registered trademarks of the Mozilla Foundation. TELNET and SSH give administrators access to a command line interface (CLI) whose command language defines a set of commands used to read from and write to the device; TELNET carries the session, including credentials, in cleartext, whereas SSH encrypts it. SOAP is a protocol specification for exchanging structured information in the implementation of Web Services in computer networks, and is used to provide programmatic access to device functions and data. SNMP is used by network management systems to monitor network-attached devices for conditions that warrant administrative attention; SNMP versions 1 and 2c authenticate requests only with a cleartext community string, while SNMPv3 adds per-user authentication and encryption.
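The following is an added example, not part of the patent text, illustrating the management-protocol point above for SNMP. It encodes an SNMPv2c GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0) using plain BER, then parses the datagram back the way a passive listener on the management network would, recovering the version and community string without any decryption. The community string "public", the request-id, and the packet bytes are constructed for the example; the BER tag values and the SNMP message layout are those of the protocol itself.

```python
# Added example (not from the patent): build an SNMPv2c GetRequest and show
# what a passive observer can read back out of it. SNMPv1/v2c carry only a
# cleartext community string as their credential; SNMPv3 (version 3) replaces
# it with per-user authentication and optional encryption.
# Assumptions (constructed): community "public", request-id 1.

SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}


def ber_len(n):
    """BER length field: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, payload):
    """Tag-length-value wrapper used for every BER element below."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value):
    """INTEGER (tag 0x02), minimal two's-complement; non-negative values here."""
    size = value.bit_length() // 8 + 1      # extra byte keeps the sign bit clear
    return tlv(0x02, value.to_bytes(size, "big", signed=True))


def ber_oid(dotted):
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                           # continuation bytes carry the high bit
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id, version=1):
    """SNMP message: SEQUENCE { version, community, GetRequest-PDU [0xA0] }."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")           # OID + NULL value
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)   # error-status, error-index
              + tlv(0x30, varbind))                              # VarBindList
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)


def _read_tl(buf, off):
    """Read tag and length at buf[off]; return (tag, length, offset of value)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                            # long-form length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, ln, off


def sniff_credentials(packet):
    """What a passive listener recovers from an SNMP datagram.

    For v1/v2c this is the version and the community string, read straight
    off the wire. For v3 the second element is msgGlobalData, not a community,
    so the function reports the version and no cleartext credential.
    """
    tag, _, off = _read_tl(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ln, off = _read_tl(packet, off)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    version = int.from_bytes(packet[off:off + ln], "big", signed=True)
    off += ln
    if version == 3:
        return "v3", None
    tag, ln, off = _read_tl(packet, off)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    community = packet[off:off + ln].decode("ascii", "replace")
    return SNMP_VERSIONS.get(version, str(version)), community


if __name__ == "__main__":
    pkt = build_get_request("public", "1.3.6.1.2.1.1.1.0", 1)
    print(pkt.hex())
    print(sniff_credentials(pkt))
```

The 40-byte datagram produced here is byte-for-byte what a stock `snmpget` client emits for the same request, which is the practical point: any NMS polling with v1/v2c is broadcasting its management credential to every host that can see the segment, so community strings should be treated as shared secrets with read-only scope, restricted by source address, and retired in favour of SNMPv3 authPriv where the device supports it.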
Devices found on a network fall into many categories based upon the functions they offer. Major functions include network access, monitoring, security, storage, services, and endpoint usage. Network access devices, such as switches, routers, wireless access points, VPN gateways, and the like, make up the basic network. Each of these device types will be referred to as a Network Infrastructure Device (NID). Devices that allow network monitoring, such as Network Management Systems (NMS), provide visibility into how the various NIDs and applications found on a network are operating, and collect and report on historical data gathered for those devices and applications. Devices that provide security functions can allow or prevent network access to individuals based on numerous factors including identity, health status, network usage characteristics, time-of-day, and so on. Some control the point of access while others monitor the network for suspicious activity on an ongoing basis. Storage systems provide storage services to other systems and users of the network. The services category is broad and encompasses a wide variety of devices and applications such as DNS, DHCP, email, RADIUS and more. Many devices cross boundaries and offer functions that fit into two or more of the above categories. Lastly, endpoint usage refers to all devices on the network that do not fit into one of the other categories. These include basic network users accessing the network with laptops, desktops, PDAs, IP phones, gaming consoles, specialized industrial or health equipment, and so on.
With existing technologies, administrators have only limited ability to automate actions based on a diverse set of inputs. They may have a Network Management System (NMS) deployed in order to provide visibility into their network and provide a vehicle for simplified device configuration. They may have security surveillance products deployed to alert them if undesirable behavior occurs in the network. They may have individual vendor specific tools that enable them to automate some basic tasks based on inputs received from specific devices. They may have endpoint technologies deployed to monitor compliance. However, as IT budgets continue to shrink, it is increasingly difficult to maintain an adequately sized and trained staff to perform the continuous monitoring and control required by these diverse systems.
What is needed is a system and method that provides robust automation of these monitoring and control functions in order to protect the integrity of the network, freeing administrators from ongoing and repetitious tasks and enabling them to focus on more challenging issues that require their creativity.