Why Network Documentation Is So Important

Undocumented Networks
------------
I can't tell you how many projects I've worked on in which the customer has little to no network documentation. The reasons for the lack of network documentation are varied. In many cases this is the fault of both the customer and the vendor / consultant who designed and implemented the network. The vendor just does not do it and the customer does not press hard enough for it. In some cases, technology consultants do not feel it's important enough, or want to lock the customer into having to call "them" if something goes wrong or a configuration needs to be changed.

Not only is this poor practice on the part of the consultant, it can have a dramatic effect on the future growth of the customer, increase the costs of future network upgrades and diagnostics, and can negatively impact the security of the customer's network.

The Results Of An Undocumented Network
------------
Before I tell you the basic items that need to be documented with regards to computer networks, I first want to give you examples of what I have "not" seen documented, and what problems this has caused.

During one of my past projects, which was primarily to implement a new firewall and to secure many of the internal systems, I ran into some really incredible issues. None of the primary server systems were documented. No one knew what server did what, how much memory or disk space it had, what type of processor(s) it used, and in some cases, what Operating System was installed. And worse than that, during my initial review, we located three servers in a closet, on a different floor, that no one even knew existed!

Because of the lack of network documentation, no one knew what was supposed to be done to maintain their enterprise Anti-Virus system. When I finally determined what the admin password was to log in to the Anti-Virus services, I found that virus signatures had not been updated in over six months. Then we found that the system was not even functioning and nearly 90% of systems on the network were infected with viruses and worms (and not the annoying kind either, the destructive kind).

We also found there were four different tape backup servers, and again, because of the lack of network documentation, none of them had been maintained. The customer just kept changing tapes. And do you know what? None of the backup jobs had been running for months. Talk about a false sense of security!

The very last thing I want to talk about is how a lack of network documentation and procedures can affect network security. In one case, a customer had a rather expensive Check Point Firewall in place. No documentation was available and the customer had been told that nothing needed to be done to maintain the Firewall. The customer told me that recently, their Internet access had become very sluggish. It took two days to locate the Check Point console password. When I logged in I found that the C: drive had absolutely no free disk space because the Firewall log had consumed it all. This could have been avoided if the Firewall had been set up properly in the first place. The Firewall was also about 4 Service Packs behind, and the rules in place were quite inadequate. Not to mention that none of the rules themselves had been documented. And one more thing to think about: if this network had been attacked and compromised, how quickly would we have been able to respond to the attack when so much of the network was undocumented? It would have been a disaster.

Basic Network Documentation
------------
Here is a basic set of items that should be contained in network documentation:

- All server hardware and operating systems, including the physical location of each server and the primary, secondary, etc. purpose it serves.
- All key service accounts and login account user-ids and passwords, stored in a safe location such as a company lockbox or vault, or in a password manager like KeePass.
- A visual diagram of the network layout, even at a high level, no matter how small or large the network is. Products like WhatsUpGold can assist with this, or you can create a Visio diagram of the network.
- Procedures on how to maintain the network technology, including Operating Systems, security-related services, backup and disaster recovery (business continuity), and firewall technologies.

Additionally, you should document and secure all Operating System and application licensing. This is something that is very often overlooked and is imperative if you have to recover from a disaster situation in which the rebuild of systems is necessary. Other information to have documented is key contact information. For instance, who do you call if your Internet connection goes down? Who do you contact if your offsite web services are not functioning? Do you have a third party that maintains your Domain Name Services (DNS)? If you have custom applications, do you know exactly who you must call if there is a problem?

The above are just the basic items that need to be documented within a computer network. There are many more aspects to network documentation.
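As an added illustration (not code from the article or its author), here is a small Python check over an inventory record of the kind described above. It flags hosts seen on the network that nobody documented, documented entries with empty required fields, and maintenance procedures (anti-virus signature updates, backup jobs, firewall log rotation) whose last successful run is older than allowed. All host names, dates, licence values and the example.invalid address are constructed sample data.

```python
"""Added example: check a network inventory record for the gaps this article
describes (unknown servers, incomplete entries, unmaintained procedures).
All host names, dates and contacts below are constructed sample data."""
from datetime import date

# What every documented server entry must carry, per the article's basic list.
REQUIRED = ("location", "purpose", "os", "hardware", "maintainer", "license")

# Constructed inventory: one complete entry and one with gaps.
INVENTORY = [
    {"name": "fs01", "location": "Server room, floor 2", "purpose": "File server",
     "os": "Windows Server", "hardware": "2 CPU, 16 GB RAM, 2 TB disk",
     "maintainer": "it-ops@example.invalid", "license": "LICENSE-PLACEHOLDER"},
    {"name": "av01", "location": "", "purpose": "Enterprise anti-virus",
     "os": "Windows Server", "hardware": "", "maintainer": "", "license": ""},
]
# Constructed host list, as a discovery sweep or DHCP lease export would give it.
DISCOVERED = ["fs01", "av01", "bkp03", "srv-closet-1"]

# Constructed maintenance log: last successful run per documented procedure,
# and how many days each may go without one before it counts as overdue.
LAST_RUN = {"av signature update": date(2024, 1, 3),
            "tape backup job": date(2023, 11, 20),
            "firewall log rotation": date(2024, 6, 1)}
MAX_AGE_DAYS = {"av signature update": 7, "tape backup job": 1,
                "firewall log rotation": 30}

def missing_fields(entry):
    """Names of required fields that are absent or empty in one entry."""
    return [f for f in REQUIRED if not entry.get(f)]

def reconcile(inventory, discovered):
    """Compare documentation against reality: hosts on the wire nobody wrote
    down, entries for hosts no longer seen, and entries with missing fields."""
    documented = {e["name"] for e in inventory}
    seen = set(discovered)
    return {
        "undocumented_hosts": sorted(seen - documented),
        "stale_entries": sorted(documented - seen),
        "incomplete": {e["name"]: missing_fields(e)
                       for e in inventory if missing_fields(e)},
    }

def overdue_procedures(last_run, max_age_days, today):
    """Procedures whose last successful run is older than allowed, with age in days."""
    return {name: (today - last).days for name, last in last_run.items()
            if (today - last).days > max_age_days[name]}

if __name__ == "__main__":
    print(reconcile(INVENTORY, DISCOVERED))
    print(overdue_procedures(LAST_RUN, MAX_AGE_DAYS, date(2024, 6, 10)))
```

Run against the sample data, the two closet servers show up as undocumented hosts, the anti-virus entry is reported with four empty fields, and the signature update and backup job are reported as months overdue while log rotation is within its limit.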

Who Needs To Document Their Network
------------
In a nutshell, anyone who has a computer network, whether a home office, small office, or large office, should have an adequate level of network documentation and procedures to follow in order to maintain the network. If you have invested in network technology, don't you want to keep your investment safe, sound, and performing at its peak?

Conclusion
------------
If you are a customer, and have a systems integrator or consultant working on a new network implementation or upgrading an existing one, demand that they provide you with complete network documentation. Even if it costs you extra, you should request it. It will save you a lot of time and money in the future. And it may actually keep your business from experiencing long periods of downtime.

You may reprint or publish this article free of charge as long as the bylines are included.

About The Author
------------
Darren Miller is an Information Security Consultant with over sixteen years' experience. He has written many technology & security articles, some of which have been published in nationally circulated magazines & periodicals. If you would like to contact Darren you can e-mail him at Darren.Miller@ParaLogic.Net. If you would like to know more about computer security please visit us at http://www.defendingthenet.com.