Undocumented Networks
------------
I can't tell you how many projects I've worked on in which
the customer has little to no network documentation. The
reasons for the lack of network documentation vary. In
many cases this is both the fault of the customer and the
vendor / consultant who designed and implemented the
network. The vendor just does not do it and the customer
does not press hard enough for it. In some cases, technology
consultants do not feel it's important enough or want to
lock the customer into having to call "them" if something
goes wrong or a configuration needs to be changed.
Not only is this poor practice on the side of the consultant, it can have a dramatic effect on the future growth of the customer, increase the costs of future network upgrades and diagnostics, and can negatively impact the security of the customer's network.
The Results Of An Undocumented Network
------------
Before I tell you the basic items that need to be documented
with regard to computer networks, I first want to give you
examples of what I have "not" seen documented, and what
problems this has caused.
During one of my past projects, which was primarily to implement a new firewall and to secure many of the internal systems, I ran into some really incredible issues. None of the primary server systems were documented. No one knew what server did what, how much memory, disk space, what type of processor(s), and in some cases, did not know what Operating System was installed. And worse than that, during my initial review, we located three servers in a closet, on a different floor, that no one even knew existed!
Because of the lack of network documentation, no one knew what was supposed to be done to maintain their enterprise Anti-Virus system. When I finally determined what the admin password was to log in to the Anti-Virus services, I found that virus signatures had not been updated in over six months. Then we found that the system was not even functioning and nearly 90% of systems on the network were infected with viruses and worms (and not the annoying kind either, the destructive kind).
We also found there were four different tape backup servers, and again, because of the lack of network documentation, none of them had been maintained. The customer just kept changing tapes. And do you know what, none of the backup jobs had been running for months. Talk about a false sense of security!
The very last thing I want to talk about is how lack of network documentation and procedures can affect network security. In one case, a customer had a rather expensive Check Point Firewall in place. No documentation was available and the customer had been told that nothing needed to be done to maintain the Firewall. The customer told me that recently, their Internet access had become very sluggish. It took two days to locate the Check Point console password. When I logged in I found that the C: drive had absolutely no free disk space because the Firewall log had consumed it all. This could have been avoided if the Firewall was set up properly in the first place. The Firewall was also about 4 Service Packs behind, and the rules in place were quite inadequate. Not to mention that none of the rules themselves had been documented. And one more thing to think about. If this network had been attacked and compromised, how quickly would we have been able to respond to the attack if so much of the network was undocumented? It would have been a disaster.
Basic Network Documentation
------------
Here is a basic set of items that should be contained in
network documentation:
- All server hardware and operating systems should be documented, including the physical locations and what primary, secondary, etc. purpose they serve.
- All key service accounts and login account user IDs and passwords should be documented and stored in a safe location, maybe a company lockbox or vault, or use something like KeePass to store them.
- A visual diagram of the network layout, even from a high level, should exist no matter how small or large the network is. Products like WhatsUp Gold can assist with this or you can create a Visio diagram of the network.
- Procedures on how to maintain the network technology, including Operating Systems, security related services, backup and disaster recovery (business continuity), and firewall technologies should exist.
Additionally, you should document and secure all Operating System and application licensing. This is something that is very often overlooked and is imperative if you have to recover from a disaster situation in which the rebuild of systems is necessary. Other information to have documented is key contact information. For instance, who do you call if your Internet connection goes down? Who do you contact if your offsite web services are not functioning? Do you have a third party that maintains your Domain Name Services (DNS)? If you have custom applications, do you know exactly who you must call if there is a problem?
The above are just the basic items that need to be documented within a computer network. There are many more aspects to network documentation.
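The checklist above can be kept as a machine-readable inventory and audited automatically. The following is an added example, not code from the author: it compares an inventory against hosts actually seen on the network and flags records with missing fields or overdue maintenance. The field names, age thresholds and sample data are assumptions constructed for illustration.

```python
from datetime import date

# Fields drawn from the article's checklist; the key names are assumptions.
REQUIRED = ("hostname", "ip", "location", "hardware", "os", "purpose",
            "procedure_doc", "contact")
# Maximum days since a maintenance task last succeeded (assumed thresholds).
MAX_AGE_DAYS = {"av_signatures": 7, "backup": 2, "firewall_patch": 90}

def audit(inventory, discovered_ips, today):
    """Return (undocumented, incomplete, stale) findings for an inventory."""
    documented = {rec.get("ip") for rec in inventory}
    undocumented = sorted(set(discovered_ips) - documented)
    incomplete, stale = {}, {}
    for rec in inventory:
        name = rec.get("hostname") or rec.get("ip", "?")
        missing = [f for f in REQUIRED if not rec.get(f)]
        if missing:
            incomplete[name] = missing
        for task, last_ok in rec.get("last_success", {}).items():
            limit = MAX_AGE_DAYS.get(task)
            if limit is not None and (today - last_ok).days > limit:
                stale.setdefault(name, []).append(task)
    return undocumented, incomplete, stale

# Constructed sample data (documentation-range addresses, invented hosts).
INVENTORY = [
    {"hostname": "av01", "ip": "192.0.2.10", "location": "Floor 2 server room",
     "hardware": "2 CPU / 8 GB / 500 GB", "os": "Windows Server",
     "purpose": "Anti-virus management", "procedure_doc": "ops/av.txt",
     "contact": "it@example.com",
     "last_success": {"av_signatures": date(2024, 1, 2)}},
    {"hostname": "bkp01", "ip": "192.0.2.11", "location": "", "hardware": "",
     "os": "Windows Server", "purpose": "Tape backup", "procedure_doc": "",
     "contact": "it@example.com",
     "last_success": {"backup": date(2024, 6, 29)}},
]
DISCOVERED = ["192.0.2.10", "192.0.2.11", "192.0.2.57"]  # e.g. from an ARP sweep

if __name__ == "__main__":
    undocumented, incomplete, stale = audit(INVENTORY, DISCOVERED, date(2024, 7, 1))
    print("On the wire but not documented:", undocumented)
    print("Records missing fields:", incomplete)
    print("Maintenance overdue:", stale)
```
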
Who Needs To Document Their Network
------------
In a nutshell, anyone who has a computer network, home
office, small office, or large office, should have an
adequate level of network documentation and procedures to
follow in order to maintain the network. If you have
invested in network technology, don't you want to keep your
investment safe, sound, and performing at its peak?
Conclusion
------------
If you are a customer, and have a systems integrator or
consultant working on a new network implementation or
upgrading an existing one, demand that they provide you with
complete network documentation. Even if it costs you extra
you should request it. It will save you a lot of time and
money in the future. And, it may actually keep your business
from experiencing long periods of downtime.
You may reprint or publish this article free of charge as long as the bylines are included.
About The Author
------------
Darren Miller is an Information Security Consultant with
over sixteen years' experience. He has written many
technology & security articles, some of which have been
published in nationally circulated magazines & periodicals.
If you would like to contact Darren you can e-mail him at
Darren.Miller@ParaLogic.Net. If you would like to know
more about computer security please
visit us at http://www.defendingthenet.com.