Network configuration management looks after the setup of your network devices. Changes to the settings on a device can undermine your network security and damage the privacy of your users. So, keeping track of those settings is very important. The firmware that operates your network devices is also a potential security weakness of your system.
Equipment manufacturers constantly revise the firmware and release updates and patches to block newly-discovered exploits. So, keeping that firmware up to date is very important.
On small networks, checking each device for its configuration is a boring manual task.
When your network grows, you will find it impossible to keep track of the settings of all of your devices. Remember, the changes needed to weaken your security might just be one factor in hundreds of settings that you would have to scour through. That can mean lots of pages to see all of the device settings and you are never going to remember the status of every single variable that controls how each of your network devices behaves.
So, installing a configuration management tool is unavoidable. Unlike many types of network management tools, it is very difficult to find a decent configuration manager. There are not that many options available. So, we have dug deep and picked out ten options that will fulfill all of your network configuration management needs. Here is our list of the best network configuration management tools:
- SolarWinds Network Configuration Manager (FREE TRIAL)
- ManageEngine Network Configuration Manager
- Net LineDancer
- TrueSight Network Automation
- Device42
- Lan-Secure Configuration Center
- WhatsUp Gold Network Configuration Management Add-on
Configuration managers enable you to keep track of the statuses and operations of your network devices. So a configuration manager needs to:
- Establish a configuration baseline
- Back up configuration snapshots
- Monitor for unauthorized configuration changes
- Enable settings rollbacks
- Distribute firmware updates
Those are the basic functions that you need from a configuration manager. Some nice extras are:
- Auditing for standard compliance
- Bulk configuration updates
- Firmware patch management
- Customizable user accounts for teams
The list we created, making sure to cover all the essential requirements of a configuration manager, turned up some star finds. These go above and beyond your basic configuration needs to provide you with a wealth of features. Take a read through the descriptions of each of these suggestions.
SolarWinds offers the industry leading Network Configuration Management solution. This tool is built on the company’s Orion platform, which is a common platform for a suite of system administration tools. So, the Network Configuration Manager will dovetail with other SolarWinds systems administration tools. If you are in the market for a complete network management system, the Network Automation Manager package would suit you. This includes the Network Performance Monitor and the NetFlow Traffic Analyzer to keep tabs on the availability of your network equipment. The Network Configuration Manager ensures that your network devices don’t get tampered with and that you can roll back from mistakes made when adjusting their settings. Added to those functions are a switch port mapper, an end-user tracker, a WAN performance monitor, and an IP address manager.
So, SolarWinds is able to offer you a complete solution. This is a suite of monitoring programs that are suitable for a large network. If you already have network monitoring software on site and you only want to get a configuration manager, then the SolarWinds offering is still a very good system. The SolarWinds Network Configuration Manager covers all of the priorities that you need to keep control of your network devices.
The installation process includes a system scan that discovers all of your devices and stores snapshots of their current configurations. From then on, when you want to alter the configurations of your devices, or just want to update one, you make those changes through the manager tool. The configuration manager is able to interact with a long list of device brands, so you don’t have to worry about restricting your equipment purchases to one vendor in order to keep your configuration management simple. That said, the tool does have a few more features that work with Cisco equipment than it can provide for the products of other manufacturers.
The Cisco enhancements include the integration of checks with the Cisco National Vulnerability Database into audit sweeps. This gives you very powerful alerts to shortfalls in security that can be obliterated quickly with a patch, an update, or an adjustment in the settings of a network device. If you have a Cisco Adaptive Security Appliance, the SolarWinds Network Configuration Manager gives you insights into the device’s settings and helps you manage and audit access control lists. The configuration manager will check for updates and patches to your ASA’s firmware and install them automatically. You get a similar service if you have a Cisco Nexus. The Network Configuration Manager will help you update and audit its access control lists and give you virtual device context support for parent/child relationships.
The automation of network configuration tasks means that you don’t need to take equipment offline or work overnight when you need to alter the settings of your network devices.
The auditing module of the Network Configuration Manager lets you demonstrate compliance with security standards. You will be able to spot unauthorized configuration changes and roll them back instantly with this tool. You can even automate the correction of those changes as well as a lot of other routine device management tasks.
The Network Configuration Manager maintains a database of configurations for each device. This well-organized, indexed, and searchable archive makes it really easy for you to manually locate a config file should you need to replace a piece of equipment and get all of the settings of the old device uploaded onto the new one. The tool can even monitor the lifecycle of a device and notify you when it is nearing the end of its service life.
The dashboard for the Network Configuration Manager has access control and you decide which user accounts get access to which information in the console. You can also choose not to give access to this tool to certain members of your team.
The description of this tool here covers all of the bullet points in the introduction that list the basic and exceptional configuration management features that you should look for. You will notice that there is one feature that the tool doesn’t cover: patch management.
Strictly speaking, patch management is usually the responsibility of a separate tool. This is the case with the SolarWinds division of responsibilities. However, there is a fully-compatible Patch Manager module available from SolarWinds that will keep the firmware of your network devices up-to-date.
SolarWinds offers you a 30-day free trial of the Network Configuration Manager and the Patch Manager, which install on the Windows Server environment. The same free 30-day trial offer is available for the Network Automation Manager deal.
ManageEngine is a contender for SolarWinds’ crown as the leader in the network admin software industry. The company sells a series of separate modules that can also fit together and interact to create a unified infrastructure and IT service quality monitoring system. The company’s Network Configuration Manager is a very comprehensive solution to help you ensure the integrity of your network devices. The tool is compatible with multi-vendor environments. It is able to manage configurations for switches, routers, and firewalls plus any other network device type that you have on your system. The tool is designed in compliance with the network change, configuration, and compliance management (NCCCM) standards.
Start off by backing up the configuration of all of your network devices into storage in the Network Configuration Manager. This process is automated for you. The ManageEngine tool includes a lot of automated processes that will relieve the burden of maintaining the configurations of your network devices. The next phase of operation is a constant sweep of devices to look out for any unauthorized configuration changes. You can set up actions to be performed automatically when configuration variance is detected.
You can get reports on the differences between the configurations of similar devices and decide on a set of configuration policies, applying different policies to different device types. Once you have standardized the configurations of your equipment, you can update your config backups, giving you a set of standard settings that you can automatically apply to new devices. The update service of the Network Configuration Manager can also be applied in bulk.
The backup store is also useful when you need to roll back from accidental changes or configuration changes that impair performance and need to be reversed.
The configuration management system includes a logging function, which records the users who make changes to the settings of network devices. Those accounts can be suspended automatically, and the information you get out of the logs will show you if a user account has been compromised.
The dashboard for the ManageEngine Network Configuration Manager is very attractive and includes a number of visualization devices to help you spot changes quickly. The console can be adapted for user roles, which makes this a good system for teams supporting a network.
The final benefit of the configuration manager is its ability to poll for patches and updates for the firmware of your network devices. When new software is available, the manager will roll it out and update all appropriate devices. So, you get an integrated patch manager with this tool.
This system is better suited to middle-sized and large networks. The software installs on Windows and Linux. There is a free version of the Network Configuration Manager, which is limited to two devices. There probably aren’t many networks out there that only have two devices on them, but this offer would be suitable for a test environment. If you decide to buy, you can try out the system first for free on a 30-day trial.
ConfiBack is also known as Configuration Backup. This software is free of charge and available from the Sourceforge website. You can install it on Windows, Linux, and Mac OS. This is a configuration manager that would fit a small business to protect its network devices. This tool is not nearly as sophisticated as the previous three options on this list. However, if you have no money for a configuration manager, getting ConfiBack is a much better option than going without.
You need to prompt the system to back up configurations for devices. However, you can schedule the backup process to take place regularly. Change detection is an interface-supported manual process. You need to back up the current version of a device and then compare it to the original backup with a diff command. This process synchronizes the lines in two files and outputs those lines that are different. The results of this utility are saved to a text file.
The ConfiBack software is an open source project, so you can comb through the programming code if you want. This openness is a common method of assuring users that there are no hidden security weaknesses in programs and that they do not contain malicious code.
The free ConfiBack software doesn’t include any user authentication procedures and it doesn’t have a patch manager module.
WeConfig is billed as a configuration manager for industrial networks. The tool is a product of Westermo, which makes durable network equipment for shop floor environments. The configuration manager is really only meant for Westermo devices. However, it also works with the network equipment of other manufacturers because it relies on the universal SNMP system.
Anyone can download the WeConfig software for free from the Westermo website. The tool installs on Windows environments. After installing the software, you need to tell it to scan the network. This will compile a network map and log all network devices in the WeConfig database. You can reorganize the network map manually if the display of icons is a little cluttered. Once you are happy with the layout, you can lock it to prevent anyone from accidentally moving or deleting elements. Each icon is a link to details about the device that it represents and an Analysis view shows graphs on the operation of the network equipment on your network. The device database won’t update automatically; you have to issue a scan command again whenever you want the inventory updated.
The configuration manager allows you to command the storage of the configuration of a device to a file and load a configuration file onto a device. You can delete or edit configurations on a device.
The WeConfig system requires a lot of manual intervention. However, this service enables you to store copies of configurations. In order to check for alterations to device configurations, you would have to take a copy of the current configuration and do a file comparison with the store of the original settings. In order to introduce your own automated procedures, you could set up the collection and comparison of configuration file versions in a batch job.
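The file-comparison approach described for ConfiBack and WeConfig can be scripted for a scheduled job. The Python sketch below is an added example, not part of the original article or of either tool: it compares a stored baseline with a fresh copy of a configuration, ignores lines that change on every save, and flags changes to security-relevant settings. The IOS-style sample configurations, the volatile-line patterns and the watch list are all constructed assumptions that you would adapt to your own devices.

```python
import difflib
import re

# Lines that differ on every save without changing device behaviour.
# Assumed patterns, modelled on IOS-style output; adjust per vendor.
VOLATILE = [
    re.compile(r"^! Last configuration change at "),
    re.compile(r"^! NVRAM config last updated at "),
    re.compile(r"^Current configuration : \d+ bytes$"),
    re.compile(r"^ntp clock-period \d+$"),
]

# Settings whose change deserves a closer look (assumed watch list).
SENSITIVE = [
    ("access control list", re.compile(r"^\s*(ip )?access-list |^\s*(permit|deny) ")),
    ("SNMP community", re.compile(r"^snmp-server community ")),
    ("credentials", re.compile(r"^(enable (secret|password)|username )")),
    ("remote access", re.compile(r"^\s*transport input |^ip (http|ssh) ")),
    ("logging", re.compile(r"^(no )?logging ")),
]

# Constructed sample data: the approved baseline and a later copy of the config.
BASELINE = """\
! Last configuration change at 09:14:02 UTC Mon Mar 4 2024 by admin
hostname edge-sw1
enable secret 9 $9$EXAMPLEHASH
snmp-server community n0tpublic RO
ip access-list extended MGMT-IN
 permit tcp 10.0.50.0 0.0.0.255 any eq 22
 deny ip any any log
line vty 0 4
 transport input ssh
ntp clock-period 17179869
"""

CURRENT = """\
! Last configuration change at 02:41:37 UTC Sun Mar 10 2024 by admin
hostname edge-sw1
enable secret 9 $9$EXAMPLEHASH
snmp-server community n0tpublic RO
snmp-server community public RW
ip access-list extended MGMT-IN
 permit tcp 10.0.50.0 0.0.0.255 any eq 22
 permit ip any any
 deny ip any any log
line vty 0 4
 transport input telnet ssh
ntp clock-period 17179912
"""


def normalize(text):
    """Drop blank and volatile lines so only meaningful settings are compared."""
    lines = []
    for raw in text.splitlines():
        line = raw.rstrip()  # keep leading indentation: it marks sub-commands
        if not line or any(p.search(line) for p in VOLATILE):
            continue
        lines.append(line)
    return lines


def diff_configs(baseline, current):
    """Return [(op, line)], op '-' for removed and '+' for added lines."""
    old, new = normalize(baseline), normalize(current)
    changes = []
    matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            changes += [("-", line) for line in old[i1:i2]]
        if tag in ("insert", "replace"):
            changes += [("+", line) for line in new[j1:j2]]
    return changes


def classify(changes):
    """Pick out changed lines that touch a setting on the watch list."""
    findings = []
    for op, line in changes:
        for label, pattern in SENSITIVE:
            if pattern.search(line):
                findings.append((label, op, line.strip()))
                break
    return findings


if __name__ == "__main__":
    changes = diff_configs(BASELINE, CURRENT)
    print(f"{len(changes)} changed line(s) after ignoring volatile lines")
    for label, op, line in classify(changes):
        print(f"REVIEW [{label}] {op} {line}")
```

In a batch job, the two strings would be read from the backup store and from the newly collected file, and a non-empty result from `classify` would trigger an alert.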
The features of WeConfig include some useful basic network monitoring functions. However, data gathering is only performed on demand, so you won’t get alerts on unexpected conditions. The interface doesn’t include any user authentication and you can’t adapt the dashboard, so this is not a tool that you would distribute to a team of administrators. This tool is suitable for small networks.
Another free configuration manager that you could try is called rConfig. This tool is available from the GitHub website. GitHub makes the code of the tool available so you can check through it for security weaknesses or even adapt it to write your own version. The software runs on CentOS and RHEL Linux.
The tool is able to detect all of your network devices and you can command it to copy off the configurations of each into files. The recording of configurations can be scheduled, giving you a regular view of statuses. All actions can be performed on all devices, on categories of devices, or on individual devices.
The checks on changes in configurations require some manual intervention and are based on a file comparison model. You can distribute configurations from the file store out to devices. Again, this can be broadcast to all devices, an update of just one category of device, or to an individual device. You can set policies in the rConfig system and use the Configuration Compliance Manager to check that all the configurations on your network comply with those specifications.
A shortfall of rConfig in comparison with other tools on this list is that it doesn’t include any user authentication, so it should only be installed on one secured computer. This means that the tool is only suitable for small networks and not those that are managed by a team.
Net LineDancer, which is also known as NetLD, is not free to use, but you can try it on a 30-day free trial. Net LineDancer has all of the features that you need from a configuration manager. It automatically logs all devices and takes a snapshot of their configurations to establish a stored baseline. Subsequent configuration sweeps can identify changes to each device. Those comparisons can also be made on demand.
The stored configuration files can be re-loaded onto equipment in bulk, by device type, or individually. The software can manage thousands of devices and the monitoring processes can be automated through the tool.
Reporting features of the tool log the users that make changes to the settings of devices. An addition to the software can help you monitor VLANs and VMs. Net LineDancer installs on Windows Server versions and also on CentOS and RHEL Linux. A second product from LogicVein is called Net StreetDancer. This is a cut-down version of Net LineDancer, which covers 80 percent of the capabilities of Net LineDancer. Net StreetDancer, which is also called NSD and netSD, is free to use.
Net LineDancer and Net StreetDancer cover all of the essential functionality that you need from a configuration manager. However, they don’t include the higher features that you would need for a team-maintained system – they don’t have access controls. These two systems also don’t include any patch management functions. Net LineDancer and Net StreetDancer would be ideal for small networks.
BMC Software recently changed the name of its network monitoring tool from BladeLogic Network Automation to TrueSight Network Automation. This newly-revamped package is worth a look if you are in the market for a configuration manager.
BMC has done a very nice job with its new configuration system because it has paid attention to the standards requirements with which many data-driven businesses have to comply in order to win contracts and keep to service level agreements (SLAs). Configuration standards are dictated by “policies.” The system ships with pre-written policies that guarantee compliance with a range of system integrity requirements: NIST, HIPAA, PCI, CIS, DISA, SOX, and SCAP. There doesn’t seem to be a pre-written policy for GDPR yet.
If you are contractually or legally bound to enforce one of these standards, you will be greatly aided in your duties by TrueSight Network Automation. Not only does the system list the settings that network devices need in order to comply with a given standard, it enforces those requirements. This method will save you a lot of time reading through standards documents and trying to work out how to translate the requirements into device settings.
The system starts off by scanning the system, logging all devices, checking for compliance, and adjusting device settings. After that, the monitor will back up all configurations. TrueSight will continue to scan and prevent any changes or alert you when they happen. You can restore standard configurations manually, but the automated option of TrueSight will perform that task for you.
The console of TrueSight Network Automation can be allocated in sections to different user groups. This will allow you to make different dashboards available for different team members.
Changes to configurations and updates to firmware can be rolled out in bulk. The system will detect new patches and updates and alert you to them; these will then be installed automatically on all relevant devices with your approval.
TrueSight Network Automation has a companion module, called TrueSight Vulnerability Management. This optional extra will scan for security threats and block them. It also keeps in touch with vendor sources and the NIST National Vulnerability Database to detect security weaknesses and alert you to the need to patch the system when a relevant solution is made available. This vulnerability monitoring applies to servers as well as to network devices.
The tool can be installed on Windows Server and RHEL and Ubuntu Linux. You have to pay for this network configuration software. Although BMC offers free trials for some of its products, there aren’t free trial periods available for TrueSight Network Automation or TrueSight Vulnerability Management.
Device42 is an impressive combination of infrastructure management modules. The tool includes IT asset management, IP address management, data center infrastructure management, and configuration management. If you operate a data center whether for in-house services or as an external provider, you should pay attention to this configuration management option. The accompanying functions of this tool make it extremely interesting for data centers.
The Device42 system is available for on premises installation or as a cloud-based service. An installation begins by logging an inventory of your equipment and backing up the configurations of each. The monitor sweeps the network continuously to look out for changes in the settings of your network devices. The tracker not only logs all device settings, it records the firmware versions of each. It also covers the operating systems of your servers and all of the applications and software loaded onto them.
The Device42 facilities are all locked off by authentication procedures. You can add new accounts for individual team members, so this tool would be great for middle-sized and large networks that are team-supported.
Device42 is paid for by a subscription. There are three plan levels for the tool, and fortunately, the configuration management module is included in the Core plan, which is the cheapest version of the software. You can get a look at the system with a free online demo. If you want to go ahead and buy the system, you get a 30-day trial period, so you can back out in the first month and get all of your money back. The software can be installed on Windows and Mac OS, and you can get it on Linux computers through a virtual environment. You can also integrate the service with Azure and AWS online services.
The Configuration Center from Lan-Secure has a no-frills interface, but it delivers a competent configuration management service. The tool has all of the essential capabilities that you need to control the settings of your network devices.
The Configuration Center will scan your system to register all of your network devices and then make backups of their settings. Once this admin phase has been completed, you can examine the configurations of your devices and decide on the correct policies for your company’s sector and data integrity obligations.
The network management software is able to manage a multi-vendor environment and will enable you to update the settings of all devices, specific device types, or individual devices.
The Configuration Center software will periodically check the settings of each device and compare them to the configuration backups it holds in storage. Depending on how you set up the system, the detection of an unauthorized configuration change will either prompt an alert or an automatic rollback to the approved settings held in the backup for that device. Alerts can be sent by email to a team member who has been allocated responsibility.
The tool can manage remote sites as well as the center where all of your configuration backups are stored. Inter-site communications are covered by SSH security.
The software can be installed on Windows. You have to pay for the Configuration Center, but it is very reasonably-priced. You can get a 30-day free trial of the system to assess it before you buy.
WhatsUp Gold is a network management suite produced by Ipswitch. The company offers a Configuration Management module which is available as an add-on to the core network monitoring package. The WhatsUp Gold Total Plus package includes the Configuration Management add-on and also add-ons for network traffic analysis, application monitoring, and virtualization monitoring.
The WhatsUp Gold Configuration Management add-on gives you the capability to maintain the integrity of your network devices. The initial operation of the manager is the collection of statistics in a discovery phase. This collates an inventory of all of your devices and catalogs the configuration of each. This information gets saved in a central store.
Once you have all of that data logged, you can take a look at the status of the settings on each device and make sure that they are all up-to-code. The store enables you to copy the configuration from a retired device to a new one and you can also undo errors created during a configuration alteration exercise. The manager will continue to compare the current configurations of your devices to its reference store, making it able to spot any unauthorized changes. Those changes can be reversed by restoring the official configuration profiles that are stored in the archive.
The audit process is automated, as are the restoration procedures that need to be implemented once unauthorized configuration changes are spotted. You can roll out any official changes en masse, by device type, or individually. The automated processes of WhatsUp Gold include barring users in the event of an unauthorized change. You can set up limited access to the Configuration Management tool, which requires user authentication, so you can limit its availability to just a few members of your sysadmin team.
The audit and security functions of the Configuration Management add-on enable you to implement, confirm, and report on compliance with network integrity standards. These may apply to service contracts or form a requirement for a bidding process when you seek to win new clients. The Configuration Management add-on even includes a patch management function that will ensure all of your device firmware is kept up to the latest version. That’s another requirement for data protection standard compliance.
You have to install WhatsUp Gold before you can have the Configuration Management tool from Ipswitch. WhatsUp Gold primarily monitors the health of network devices and servers. If you want to get network traffic analysis and configuration management, but you are not interested in the other add-ons that are included in the WhatsUp Gold Total Plus package, you can opt for the Network Admin’s Bundle, which just includes those two add-ons together with the WhatsUp Gold Premium plan.
WhatsUp Gold and its add-ons install on Windows Server environments. This solution is suitable for middle-sized and large networks. You can get a 30-day free trial of WhatsUp Gold and the Configuration Management module.
Configuration security issues
You will notice a few mentions in the text above of network integrity standards. Networks are increasingly coming under attack from hackers who want to access the personal details of real people that might be on them. Failure to secure the personal details of customers, staff, subscribers, or sales leads can end up getting your company sued. Data breaches are becoming a big headache for IT companies and configuration monitoring is an important part of keeping data safe.
The security standards that you might be asked to follow include:
- SOX – the Sarbanes-Oxley Act auditing standard in the US
- PCI-DSS – the Payment Card Industry Data Security Standard
- HIPAA – Health Insurance Portability and Accountability Act in the US
- PHI – Protected Health Information, which is the standard produced by HIPAA
- CIS – the Center for Internet Security, which produces security standards in the US
- DISA – Defense Information Systems Agency in the US requires security compliance
- NIST – National Institute of Standards and Technology, which produces cybersecurity standards
- SCAP – the Security Content Automation Protocol
You are likely to come across one of these standards or protocols produced by agencies in the above list when administering your company’s network. If your company sells services or products, the security of your network and the data it holds become important to your customers. If your customer is the military, a government agency, or a financial institution, the imposition of procedural standards for data security is even more likely.
So, you will eventually face the obligation to implement a network integrity protocol and that is going to involve configuration management. Even if you haven’t yet faced a contract that includes data security clauses, implementing comprehensive configuration management will enable you to report to the boss that you are already compliant no matter which of these security standards you suddenly need to implement in order to win a big contract.
The recently implemented General Data Protection Regulation (GDPR) in Europe needs to be addressed and controlling your network devices is part of that effort. The settings on your network equipment need to be tracked because small changes can help intruders get into your network and also cover their tracks. Following the recommendations of the government of the European country that you operate in will guide you to the necessary measures that you need to implement in order to protect your company from GDPR litigation. For example, the UK government has produced the Cyber Essentials and Cyber Essentials Plus standards, which are certified and will help you show that you have taken every possible measure to protect data.
Selecting a configuration management system
You will find some very comprehensive systems in this list and some worthy contenders that cost little to no money. When you select a configuration management system for your network, you will need to consider the system requirements, particularly the operating systems that the software can run on in order to narrow down your choices.
The size of your network and the availability of funds will be other important considerations that will guide you towards the right configuration management tool for your company. The ability to try out a system on a free trial or the offer of a money-back guarantee should help you narrow down your assessment. If you can try before you buy without obligation, you will be more confident to install software. Otherwise, you might discover too late that it is difficult to use or inappropriate for your configuration management needs.
The field of cybersecurity is becoming very hot right now. However, don’t limit your network protection to just internet-facing equipment and measures. Sometimes, firewalls, attack protection services, and intruder detection systems fail. Your second line of defense lies in the control over the settings of your network devices and a policy to keep all firmware and operating systems up-to-date with the latest system updates and patches.
The comprehensive automation offered by many of the tools in this list means that you won’t need to spend too much time covering device configuration management. So, even if you run the network for a small company, there are no excuses for not implementing configuration management and change control on your network.