Network configuration is establishing a network’s controls, flow, and operation. Network configuration management (NCM) is responsible for the setup and maintenance of your network devices along with the firmware and software they have installed. Changes to the settings on a device can undermine your network security and damage the privacy of your users.
So, keeping track of those settings is very important. The firmware that operates your network devices is also a potential security weakness of your system configuration. Equipment manufacturers constantly revise the firmware and release updates and patches to block newly-discovered exploits. So, keeping that firmware up to date is very important.
Regardless of the size of your network, it inevitably becomes difficult to track the firmware on each device, so installing a network configuration management tool is a must.
Here is our list of the best network configuration management (NCM) tools:
- SolarWinds Network Configuration Manager EDITOR’S CHOICE Top of the line configuration manager that runs on Windows Server. It will manage all makes of network devices but has extra functionality for Cisco equipment. Download the 30-day free trial.
- FirstWave Open-AudIT (FREE TRIAL) An automated asset discovery tool that creates a hardware, software, and firmware inventory and stores device configurations. Installs on Windows Server and Linux.
- ManageEngine Network Configuration Manager (FREE TRIAL) Written to network change, configuration, and compliance management (NCCCM) standards, this tool can run on Windows Server or Linux.
- ConfiBack Named as a contraction of “configuration backup,” this tool is free to use and runs on Windows, Linux, and Mac OS.
- WeConfig Free configuration manager for industrial networks.
- rConfig Free configuration management tool that runs on Linux.
- Net LineDancer NetLD runs on Windows Server and Linux. Its services include automatic device discovery and monitoring.
- TrueSight Network Automation Compliant with a list of data security standards, this tool installs on Windows Server and Linux.
- Device 42 Available for installation or as a Cloud-based service, this tool monitors your network constantly for device errors as well as protecting and updating configurations. Runs on Windows and Mac OS.
- Lan-Secure Configuration Center After autodiscovery and device config backups, this monitor will prevent all unauthorized changes to the setup of your equipment.
Network Configuration Manager Criteria
Network configuration managers enable you to keep track of the statuses and operations of your network devices. So a NCM tool needs to:
- Establish a configuration baseline
- Backup configuration snapshots
- Monitor for unauthorized configuration changes
- Enable settings rollbacks
- Distribute firmware updates
Those are the basic functions that you need from a network configuration management tool. Some nice extras are:
- Auditing for standard compliance
- Bulk configuration updates
- Firmware patch management
- Customizable user accounts for teams
The best network configuration management (NCM) tools
The list we created, making sure to cover all the essential requirements of a configuration manager, turned up some star finds. These go above and beyond your basic configuration needs to provide you with a wealth of features
What should you look for in network configuration management tools?
We reviewed the market for network configuration management software and analyzed the options based on the following criteria:
- A service that is able to discover all network devices and log them in an inventory
- A scanner that reads in all device settings and presents them in a dashboard screen for standardization
- A utility that takes an image of standard-setting and applies it to all relevant devices
- A configuration backup service that will restore approved settings on a device after tempering
- An action log that is available to system security auditors
- A free trial for a risk-free assessment period or a money-back guarantee
- Value for money that is represented by useful functions that will improve efficiency
Take a read through the descriptions of each of these suggestions.
SolarWinds offers the industry-leading Network Configuration Management solution. This tool is built on the company’s Orion platform, which is a common platform for a suite of system administration tools. So, the Network Configuration Manager will dovetail with other SolarWinds systems administration tools. If you are in the market for a complete network management system, the Network Automation Manager package would suit you. This includes the Network Performance Monitor and the NetFlow Traffic Analyzer to keep tabs on the availability of your network equipment. The Network Configuration Manager ensures that your network devices don’t get tampered with and that you can roll back from mistakes made when adjusting their settings. Added to those functions are a switch port mapper, an end-user tracker, a WAN performance monitor, and an IP address manager.
- Standardizes settings
- Stores an image
- Monitors for tampering
- Restores settings
- Automates onboarding
So, SolarWinds is able to offer you a complete solution. This is a suite of monitoring programs that are suitable for a large network. If you already have network monitoring software on-site and you only want to get a configuration manager, then the SolarWinds offering is still a very good system. The SolarWinds Network Configuration Manager covers all of the priorities that you need to keep control of your network devices.
The installation process includes a system scan that discovers all of your devices and stores snapshots of their current configurations. From then on, when you want to alter the configurations of your devices, or just want to update one, you make those changes through the manager tool. The configuration manager is able to interact with a long list of device brands, so you don’t have to worry about restricting your equipment purchases to one vendor in order to keep your configuration management simple. That said, the tool does have a few more features that work with Cisco equipment than it can provide for the products of other manufacturers.
The Cisco enhancements include the integration of checks with the Cisco National Vulnerability Database into audit sweeps. This gives you very powerful alerts to shortfalls in security that can be obliterated quickly with a patch, an update, or an adjustment in the settings of a network device. If you have a Cisco Adaptive Security Appliance, the SolarWinds Network Configuration Manager gives you insights into the device’s settings and helps you manage and audit access control lists. The configuration manager will check for updates and patches to your ASA’s firmware and install them automatically. You get a similar service if you have a Cisco Nexus. The Network Configuration Manager is also a network software updater that will help you update and audit its access control lists and give you virtual defense context support for parent/child relationships.
The automation of network configuration tasks means that you don’t need to take equipment offline or work overnight when you need to alter the settings of your network devices.
The auditing module of the Network Configuration Manager lets you demonstrate compliance with security standards. You will be able to spot unauthorized configuration changes and roll them back instantly with this tool. You can even automate the correction of those changes as well as a lot of other routine device management tasks.
The Network Configuration Manager maintains a database of configurations for each device. This well-organized, indexed, and searchable archive makes it really easy for you to manually locate a config file should you need to replace a piece of equipment and get all of the settings of the old device uploaded onto the new one. The tool can even monitor the lifecycle of a device and notify you when it is nearing the end of its service life.
The dashboard for the Network Configuration Manager has access control and you decide which user accounts get access to which information in the console. You can also choose not to give access to this tool to certain members of your team.
The description of this tool here covers all of the bullet points in the introduction that list the basic and exceptional configuration management features that you should look for. You will notice that there is one feature that the tool doesn’t cover: patch management.
Strictly speaking, patch management is usually the responsibility of a separate tool. This is the case with the SolarWinds division of responsibilities. However, there is a fully-compatible Patch Manager module available from SolarWinds that will keep the firmware of your network devices up-to-date.
- Built for medium to enterprise size networks, with features designed to streamline troubleshooting and revert config settings quickly
- Can automatically discover new devices on the network and provide templated health reports for immediate insights upon installation
- Offers configuration management, allowing teams to quickly backup and restore changes that may have impacted performance
- Can monitor settings for unauthorized changes and specific teams or managers
- Not designed for home networks, this is an enterprise tool built for system administrators and network technicians
SolarWinds offers you a 30-day free trial of the Network Configuration Manager and the Patch Manager, which installs on the Windows Server environment. The same free 30-day trial offer is available for the Network Automation Manager deal.
SolarWinds Network Configuration Manager is our first choice. An astounding tool for improving the reliability of your network. Ready to deploy out of the box support for an impressive list of network devices and vendors. It’s hard to beat the Config-to-Config Diff View and the Configuration Change Automation features.
Get 30-day Free Trial: solarwinds.com/network-configuration-manager
OS: Windows Server
FirstWave Open-AudIT is an IT asset management and auditing tool that includes strong configuration management services.
- Device discovery
- Configuration snapshots
- Asset locator
- Compliance auditing
A key feature of the FirstWave system is the auto-discovery service. Open-AudIT scans a network and logs every connected device in an asset inventory. The inventory is stored in a database and includes details about each piece of equipment such as the make, model and operating system. When a device is discovered, the system runs audit scripts to document the operating system and identify all of the installed software. This creates a software inventory that supports license management.
The configuration management section of Open-AudIT visits each discovered device and takes a snapshot of its settings. These settings are stored in a database, called Baselines. Once a baseline has been established for each device type, it is possible to compare the settings for all devices of that type and highlight any discrepancies.
The discovery process can be scheduled to suit any requirement, further making it possible to compare the settings on the same device over time. This illustrates any unexpected changes that have been made. The Baselines system can also be used to reimpose standard settings if a device experiences a disaster or is replaced.
The asset inventory is made available in the system dashboard as a list of devices with click-through details available. Discovery processes can reach out to the Cloud, identifying company resources there, and they are also able to identify assets on remote sites. The tool can plot asset locations on a real-world map. This system is based on Google maps and is zoomable. Each location is indicated by a marker that can be queried to see how many devices are on the site.
The service is able to identify assets that are housed together in a rack. Each element is documented individually and then the rack itself is also scanned for its services. The Open-AudIT service is able to produce a rack visualization that indicates the relative positions of assets held in each rack. It is also possible to group assets by room and by floor.
The Open-AudIT system is delivered as on-premises software and is available for Windows Server and Linux or it can be used online through a cloud service. It can also be installed over a hypervisor to create a virtual appliance.
The package is charged for on an annual license with a rate set in bands of devices to be monitored. There are three editions of Open-AudIT, which are Community, Professional, and Enterprise. The Community edition doesn’t have many features but it is free to use. The Professional edition is also free to use to monitor up to 20 devices – great for evaluation purposes.
- Offers autodiscovery to immediately map and discover new devices
- Has a free version, great for smaller networks or more in-depth trials
- Offers automated device discovery and config recovery
- Detailed filtering options for historical data analysis
- Capacity tracking helps sysadmin track inventory and makes networks changes based on usage
- Can take time to fully learn and utilize all features in the platform
The full complement of utilities is only available in the Enterprise edition. This is the only bundle that includes the configuration management service. Cloud discovery and rack visualization are also reserved for the Enterprise edition. However, automatic device discovery is included in every package.
ManageEngine is a contender for SolarWinds’ crown as the leader in the network admin software industry. The company sells a series of separate modules that can also fit together and interact to create a unified infrastructure and IT service quality monitoring system. The company’s Network Configuration Manager is a very comprehensive solution to help you ensure the integrity of your network devices. The tool is compatible with multi-vendor environments. It is able to manage configurations for switches, routers, and firewalls plus any other network device type that you have on your system. The tool is designed in compliance with the network change, configuration, and compliance management (NCCCM) standards.
- Device backup
- Security scanning
- Automatic configuration restoration
Start off by backing up the configuration of all of your network devices into storage in the Network Configuration Manager. This process is automated for you. The ManageEngine tool includes a lot of automated processes that will relieve the burden of maintaining the configurations of your network devices. The next phase of operation is a constant sweep of devices to look out for any unauthorized configuration changes. You can set up actions to be performed automatically when configuration variance is detected.
You can get reports on the differences between the configurations of similar devices and decide on a set of configuration policies, applying different policies to different device types. Once you have standardized the configurations of your equipment, you can update your config backups, giving you a set of standard settings that you can automatically apply to new devices. The update service of the Network Configuration Manager can also be applied in bulk.
The backup store is also useful when you need to roll back from accidental changes or configuration changes that impair performance and need to be reversed.
The configuration management system includes a logging function, which records the users who make changes to the settings of network devices. Those accounts can be suspended automatically, and the information you get out of the logs will show you if a user account has been compromised.
The dashboard for the ManageEngine Network Configuration Manager is very attractive and includes a number of visualization devices to help you spot changes quickly. The console can be adapted for user roles, which makes this a good system for teams supporting a network.
The final benefit of the configuration manager is its ability to poll for patches and updates for the firmware of your network devices. When new software is available, the manager will roll it out and update all appropriate devices. So, you get an integrated patch manager with this tool.
- Offers firmware vulnerability management alongside configuration monitoring
- Can immediately alert when changes occur inventory or configuration changes are made
- Can neatly organize networks, devices, and infrastructure to support multi-site use
- Offers access control to help enforce compliance standards
- Available for Windows, Mac, and Linux systems
- Is a full-service monitoring platform that can take time to fully explore all options available
This system is better suited to middle-sized and large networks. The software installs on Windows and Linux. There is a free version of the Network Configuration Manager, which is limited to two devices. There probably aren’t many networks out there that only have two devices on them, but this offer would be suitable for a test environment. If you decide to buy, you can try out the system first for free on a 30-day trial.
Related: Best Linux Patch Manager
OnWorks ConfiBack is also known as Configuration Backup. This software is free of charge and you can install it on Windows, Linux, and Mac OS. This is a configuration manager that would fit a small business to protect its network devices. This tool is not nearly as sophisticated as the previous three options on this list. However, if you have no money for a configuration manager, getting ConfiBack is a much better option than going without.
- Free to use
- Back up device configurations
- Good for small networks
You need to prompt the system to back up configurations for devices. However, you can schedule the backup process to take place regularly. Change detection is an interface-supported manual process. You need to back up the current version of a device and then compare it to the original backup with a diff command. This process synchronizes the lines in two files and outputs those lines that are different. The results of this utility are saved to a text file.
The ConfiBack software is an open-source project, so you can comb through the programming code if you want. This openness is a common method of ensuring users that there are no hidden security weaknesses in programs and that they do not contain hacker code.
- Very lightweight tool – can run on practically any machine
- Easy installation and setup – access via a simple web interface
- Highly customizable through Python scripting
- No CLI management is available
- Not ideal for large environments
- Lacks support for team logins with access control
The free ConfiBack software doesn’t include any user authentication procedures and it doesn’t have a patch manager module.
WeConfig is billed as a configuration manager for industrial networks. The tool is a product of Westermo, which makes durable network equipment for shop-floor environments. The configuration manager is really only meant for Westermo devices. However, it also works with the network equipment of other manufacturers because it relies on the universal SNMP system.
- Designed for shop floor equipment
- Network scanning and logging
- Backup and restore configurations
Anyone can download the WeConfig software for free from the Westermo website. The tool installs on Windows environments. After installing the software, you need to tell it to scan the network. This will compile a network map and log all network devices in the WeConfig database. You can reorganize the network map manually if the display of icons is a little cluttered. Once you are happy with the layout, you can lock it to prevent anyone from accidentally moving or deleting elements. Each icon is a link to details about the device that it represents and an Analysis view shows graphs on the operation of the network equipment on your network. The device database won’t update automatically; you have to issue a scan command again whenever you want the inventory updated.
The configuration manager allows you to command the storage of the configuration of a device to a file and load a configuration file onto a device. You can delete or edit configurations on a device.
The WeConfig system requires a lot of manual intervention. However, this service management enables you to store copies of configurations. In order to check for alterations to device configurations, you would have to task a copy of the current configuration and do a file comparison with the store of the original settings. In order to introduce your own automated procedures, you could set up the collection and comparison of configuration file versions in a batch job.
The features of WeConfig include some useful basic network monitoring functions. However, data gathering is only performed on-demand, so you won’t get alerts on unexpected conditions. The interface doesn’t include any user authentication and you can’t adapt the dashboard, so this is not a tool that you would distribute to a team of administrators. This tool is suitable for small networks.
- Sleek and simple interface – easy to navigate
- Focused heavily on config automation and provisioning
- Uses simple yet intuitive visualizations to map device relationships and dependencies
- Designed for industrial environments – some features may not be applicable for smaller networks
- Can have a steeper learning curve when it comes to automating tasks
Another free configuration manager that you could try is called rConfig. This open-source tool is available from the GitHub website. GitHub makes the code of the tool available so you can check through it for security weaknesses or even adapt it to write your own version. The software runs on CentOS and RHEL Linux.
- Free to use
- Configuration storage to file
The tool is able to detect all of your network devices and you can command it to copy off the configurations of each into files. The recording of configurations can be scheduled, giving you a regular view of statuses. All actions can be performed on all devices, on categories of devices, or on individual devices.
The checks on changes in configurations require some manual intervention and are based on a file comparison model. You can distribute configurations from the file store out to devices. Again, this can be broadcast to all devices, an update of just one category of device, or to an individual device. You can set policies in the rConfig system and use the Configuration Compliance Manager to check that all the configurations on your network comply with those specifications.
A shortfall of rConfig in comparison with other tools on this list is that it doesn’t include any user authentication, so it should only be installed on one secured computer. This means that the tool is only suitable for small networks and not those that are managed by a team.
- Completely free and open source for Linux systems
- Offers continuous monitoring and autodiscovery of new devices and hosts
- Can push new configurations as well as take backups of each device’s settings
- Lacks paid support, bugs and issues may go unresolved for long periods of time
- Would like to see better visualization options for device relationships
Net LineDancer, which is also known as NetLD, is not free to use, but you can try it on a 30-day free trial. Net LineDancer has all of the features that you need from a configuration manager. It automatically logs all devices and takes a snapshot of their configurations to establish a stored baseline. Subsequent configuration sweeps can identify changes to each device. Those comparisons can also be made on-demand.
- Stores an image of each configuration
- Free version available
The stored configuration files can be re-loaded onto equipment in bulk, by device type, or individually. The software can manage thousands of devices and the monitoring processes can be automated through the tool.
Reporting features of the tool log the users that make changes to the settings of devices. An addition to the software can help you monitor VLANs and VMs. Net LineDancer installs on Windows Server versions and also on CentOS and RHEL Linux. A second product from LogicVein is called Net StreetDancer. This is a cut-down version of Net LineDancer, which covers 80 percent of the capabilities of Net LineDancer. Net StreetDancer, which is also called NSD and netSD, is free to use.
Net LineDancer and Net StreetDancer cover all of the essential functionality that you need from a configuration manager. However, it doesn’t include the higher features that you would need for a team-maintained complex system – it doesn’t have access controls. These two systems also don’t include any patch management functions. Net LineDancer and Net StreetDancer would be ideal for small networks.
- Available for both Windows and nix operating systems
- Supports many integrations to centralize config management
- Supports Cisco PnP devices
- The interface can feel crowded, especially in larger environments
BMC Software recently changed the name of its network monitoring tool from BladeLogic Network Automation to TrueSight Network Automation. This newly-revamped package is worth a look if you are in the market for a configuration manager.
- Standards compliance policies
- Automatic configuration correction
BMC has done a very nice job with its new configuration system because it has paid attention to the standard requirements with which many data-driven businesses have to comply in order to win contracts and keep to service level agreements (SLAs). Configuration standards are dictated by “policies.” The system ships with pre-written policies that guarantee regulatory compliance with a range of system integrity requirements: NIST, HIPAA, PCI, CIS, DISA, SOX, and SCAP. There doesn’t seem to be a pre-written policy for GDPR yet.
If you are contractually or legally bound to enforce one of these standards, you will be greatly aided in your duties by TrueSight Network Automation. Not only does the system list the settings that network devices need in order to comply with a given standard, it enforces those requirements. This method will save you a lot of time reading through standards documents and trying to work out how to translate the requirements into device settings.
The system starts off by scanning the system, logging all devices, checking for compliance requirements, and adjusting device settings. After that, the monitor will back up all configurations. TrueSight will continue to scan and prevent any changes or alert you when they happen. You can restore standard configurations manually, but the automated option of TrueSight will perform that task for you.
The console of TrueSight Network Automation can be allocated in sections to different user groups. This will allow you to make different dashboards available for different team members.
Changes to configurations and updates to firmware can be rolled out in bulk. The system will detect new patches and updates and alert you to them; these will then be installed automatically on all relevant devices with your approval.
TrueSight Network Automation has a companion module, called TrueSight Vulnerability Management. This optional extra will scan for security threats and block them. It also keeps in touch with vendor sources and the NIST National Vulnerability Database to detect security weaknesses and alert you to the need to patch the system when a relevant solution is made available. This vulnerability monitoring applies to servers as well as to network devices.
The tool can be installed on Windows Server and RHEL and Ubuntu Linux. You have to pay for this network configuration software. Although BMC offers free trials for some of its products, there aren’t free trial periods available for True Sight Network Automation or TrueSight Vulnerability Management.
- Comes with numerous pre-configured workflows to start managing configs right away
- Can set automated standards that help maintain compliance for standards like HIPAA, PCI DSS, NIST, and SOX
- Can automatically recover devices to their last known “good” state
- The interface is fairly bare-bones and tougher to navigate than competing products
Device42 is an impressive combination of infrastructure management modules. The tool includes IT asset management, IP network address management, data center infrastructure management, and configuration management. If you operate a data center whether for in-house services or as an external provider, you should pay attention to this configuration management option. The accompanying functions of this tool make it extremely interesting for data centers.
- SaaS or on-premises
- Configuration backup
- Settings protection
The Device42 system is available for on-premises installation or as a cloud-based service. Installation begins by logging an inventory of your equipment and backing up the configurations of each. The monitor sweeps the network continuously to look out for changes in the settings of your network devices. The tracker not only logs all device settings, it records the firmware versions of each. It also covers the operating systems of your servers and all of the applications and software loaded onto them.
The Device42 facilities are all locked off by authentication procedures. You can add new accounts for individual team members, so this tool would be great for middle-sized and large networks that are team-supported.
Device42 is paid for by a subscription. There are three plan levels for the tool, and fortunately, the configuration management module is included in the Core plan, which is the cheapest version of the software. You can get a look at the system with a free online demo. If you want to go ahead and buy the system, you get a 30-day trial period, so you can back out in the first month and get all of your money back. The software can be installed on Windows, Mac OS and you can get it on Linux computers through a virtual environment. You can also integrate the service with Azure, and AWS online services.
- Can produce automatic topology maps as well as dependency mapping.
- Offers a unique rack-level visualization to help on-site technicians map physical infrastructure to certain services
- Designed for both config management and application mapping
- Initial configuration can be complex and time-consuming
- Would like to see it easier to create custom affinity groups
The Configuration Center from Lan-Secure has a no-frills interface, but it delivers a competent configuration management service. The tool has all of the essential capabilities that you need to control the settings of your network devices.
- Configuration alignment to standards
- Automatic settings rollback
The Configuration Center will scan your system to register all of your network devices and then make backups of their settings. Once this admin phase has been completed, you can examine the configurations of your devices and decide on the correct policies for your company’s sector and data integrity obligations.
The network management software is able to manage a multi-vendor environment and will enable you to update the settings of all devices, specific device types, or individual devices.
The Configuration Center software will periodically check the settings of each device and compare them to the configuration backups it holds in storage. Depending on how you set up the system, the detection of an unauthorized configuration change will either prompt an alert or an automatic rollback to the approved settings held in the backup for that device. Alerts can be sent by email to a team member who has been allocated responsibility.
The tool can manage remote sites as well as the center where all of your configuration backups are stored. Inter-site communications are covered by SSH security.
- Can monitor and prevent changes to hardware settings
- Can discover and backup device configuration automatically
- Uses SSH, Telnet, and SNMP to locate and communicate with devices
- The interface is rudimentary – not ideal for larger deployments
- Very limited mapping and dependency visualizations
The software can be installed on Windows. You have to pay for the Configuration Center, but it is very reasonably priced. You can get a 30-day free trial of the system to assess it before you buy.
Choosing a network configuration management tool
You will find some very comprehensive systems in this list and some worthy contenders that cost little to no money. When you select a configuration management system for your network, you will need to consider the system requirements, particularly the operating systems that the software can run on in order to narrow down your choices.
The size of your network and the availability of funds will be other important considerations that will guide you towards the right NCM tool for your company. The ability to try out a system on a free trial or the offer of a money-back guarantee should help you narrow down your assessment. If you can try before you buy without obligation, you will be more confident to install software. Otherwise, you might discover too late that it is difficult to use or inappropriate for your configuration management needs.
The field of cybersecurity is becoming very hot right now. However, don’t limit your network protection to just internet-facing equipment and measures. Sometimes, firewalls, attack protection services, and intruder detection systems fail. Your second line of defense lies in the control over the settings of your network devices and a policy to keep all firmware and operating systems up-to-date with the latest system updates and patches.
The comprehensive automation offered by many of the tools in this list means that you won’t need to spend too much time covering device configuration management. So, even if you run the network for a small company, there are no excuses for not implementing configuration management and change control on your network.
Have you implemented a configuration management system for your network? Which manager did you choose, and why? Leave a message in the Comments section below to share your experiences with the rest of the community.
Network Configuration Management FAQs
What is configuration management in network security?
Network configuration management involves standardizing the settings of network devices, such as switches, routers, and firewalls to make intrusion more difficult. One tactic that some hackers use to aid their undetected exploration of the network is to alter certain settings on switches. The security aspect of network configuration management requires that any unauthorized changes get rolled back immediately.
How do I check my network configuration?
There are many different aspects to look out for in network configuration. Visit the management console of each switch, check on IP address allocation through an IP address manager, and check on the port statuses of all devices connected to the network. This is a mundane and time-consuming activity that specialist software can achieve more effectively than manual procedures.