It also involves the testing of the existing configuration vs known-good policies while simultaneously looking for any configuration that might expose the firewall to security or compliance risk.
Configuration management in this context can be summarized as:
Device hardware and software inventory collection
The first step in managing any system is to have accurate information about the device. A good firewall NCCM system therefore needs to contain related information from a CMDB, e.g. up-to-date inventory information. At minimum it should hold hardware (chassis, daughter cards, memory, etc.) and software (OS, firmware) information that is regularly updated: once a week at minimum, with once a day preferred. Changes should be tracked, even short-term ones.
Device software management
This refers to the ability to push software updates (patches) to the OS/firmware of the firewall. Best practice is both to patch on a regular basis (we have seen larger enterprises push two updates per year as standard) and to be able to push emergency bug-fix or vulnerability updates on an ad-hoc basis. As part of the update process, the NCCM system needs to perform OS and hardware checks such as software checksums, available memory, license compatibility, and so forth.
Device configuration collection, backup, viewing, archiving, and comparison
One of the most basic tasks of any firewall NCCM solution is to back up the running configuration of the firewall. It should be able to store each backup for as long as the customer requires and to keep any number of historical configurations. These historical backups are critical when there is a failure or misconfiguration, as they can be used to restore the firewall to a known-good state. They are also very valuable as a troubleshooting tool, because you can run a "diff" comparison between one or more configs to look for changes that may have impacted service.
Device configuration generation and "push"
One of the most common activities that cause network downtime is simple human error when making an "on the fly" configuration change.
Manually adding, changing, and deleting rules is not only tedious but also highly error-prone. As the number of rules increases, the number of possible rule combinations grows rapidly, and it becomes virtually impossible to work out manually the impact of each rule that is added or changed.
Device configuration policy checking
Corporate governance policies such as Sarbanes Oxley (SOX), NERC, PCI-DSS, HIPAA, MiFID II, SAS 70, Basel II, and GDPR have all been introduced to ensure levels of security and integrity are maintained for company financial information and any stored personal details of customers.
However, translating these policies into an actionable firewall configuration can be a huge challenge. For example, the PCI-DSS policy states that the organization will "install and maintain a firewall configuration to protect cardholder data". However, it does not specify what firewall rules to deploy or what type of firewall to use and so forth.
Standards are used to define the policy goals, but they must be turned into a usable configuration which supports the policy standards.
Policy compliance then verifies that policies are implemented and remain operational.
So, compliance is really a continuing process of configuration and verification. A good NCCM tool can help with both aspects of the job by providing a mechanism to turn the corporate policy or rule into an electronic policy that can be configured on a firewall. The NCCM system must then be able to periodically test the running firewalls to determine whether they still adhere to the originally configured policies and that no unwanted changes have been introduced.
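To make the periodic check concrete, here is an added example (not part of the original article and not code from any NCCM product) that compares a running rule set with an approved baseline and tests it against three sample policy checks, including the rule-interaction problem described under configuration generation above. The rule model, the rule names, and the choice of Telnet (port 23) as a forbidden service are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:                      # simplified rule model (assumption)
    name: str
    action: str                  # "permit" or "deny"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    port: Optional[int]          # None means any port

def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    net = ipaddress.ip_network
    return (net(b.src).subnet_of(net(a.src))
            and net(b.dst).subnet_of(net(a.dst))
            and (a.port is None or a.port == b.port))

def audit(rules, forbidden_ports=frozenset({23})):
    """Run three sample policy tests over an ordered, first-match rule list."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "permit":
            if (r.src, r.dst, r.port) == ("0.0.0.0/0", "0.0.0.0/0", None):
                findings.append((r.name, "any-any-permit"))
            if r.port in forbidden_ports:        # e.g. Telnet (assumed policy)
                findings.append((r.name, "forbidden-service"))
        for earlier in rules[:i]:                # an earlier match always wins
            if covers(earlier, r):               # so rule r can never be hit
                findings.append((r.name, "shadowed-by:" + earlier.name))
                break
    return findings

def drift(baseline, running):
    """Rules added to or removed from the running set versus the approved one."""
    return {"added": [r.name for r in running if r not in baseline],
            "removed": [r.name for r in baseline if r not in running]}

# Constructed sample data, not taken from any real device.
BASELINE = [
    Rule("allow-web", "permit", "0.0.0.0/0", "203.0.113.10/32", 443),
    Rule("allow-mgmt-ssh", "permit", "10.0.0.0/8", "10.1.1.0/24", 22),
    Rule("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0", None),
]
RUNNING = [BASELINE[0],
           Rule("tmp-telnet", "permit", "10.0.0.0/8", "10.1.1.5/32", 23),
           BASELINE[1],
           Rule("block-lab-ssh", "deny", "10.9.0.0/16", "10.1.1.0/24", 22),
           BASELINE[2]]

if __name__ == "__main__":
    print(drift(BASELINE, RUNNING), audit(RUNNING))
```

In the sample, the unapproved Telnet rule is reported both as drift and as a policy violation, and the later deny rule is flagged because the broader SSH permit above it already matches the same traffic.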
Conclusion
If you are responsible for managing firewalls or security devices, then network configuration management may well be worth investigating. Network configuration management provides the tools to give you an audit trail of changes to your firewalls. It can also make enforcing corporate or regulatory policies much easier. Lack of efficient and effective device configuration management affects the business continuity of enterprises. Manual device configuration eats away the time and effort of skilled administrators, who struggle to keep track of configuration changes as networks grow larger and larger.
Automated NCCM solutions enable network administrators to take total control of the entire lifecycle of firewall configuration management. Changing configurations, managing changes, ensuring compliance and security are all automated. These solutions improve efficiency, enhance productivity, help save time, cost, and resources, and minimize human errors and network downtime.
With a good NCCM solution in place, enterprises can make best use of their firewall infrastructure. They can achieve increased network uptime and reduced security risk.
Thank you to Peter Moessbauer, Strategic Alliance Manager at Infosim for the article