Agentless FIM for Detecting Network Configuration Changes

Lavish Jhamb

When multiple network administrators make frequent configuration changes, a monitoring solution should provide insight into every device change without placing resource constraints on the devices themselves.

The performance and capabilities of a network device are entirely dependent upon its configuration settings. Understanding the significant impact that a configuration change might have on a network device’s performance, uptime, and overall availability, as well as the importance of configuration change notifications, is paramount. Any unauthorized change to network configurations can introduce significant security vulnerabilities and compliance risks, leaving security teams in a state of disarray.

Why Is It Important to Monitor Changes in Network Device Configurations?

The configuration of a network device generally does not change very often once the configuration is in a stable working state. It is critical to monitor for any activities that involve modifying the configuration or any actions that would be considered high-risk activities. Some examples of high-risk activities are listed below.

  • Modification of access restrictions
  • Modification of authentication or authorization mechanisms
  • Modification of logging procedures
  • Modification of the boot process
  • Creation of new VLANs, tunnels, virtual interfaces, or connections
  • Creation of new accounts
  • Allowing outbound connections from a network device
  • Interface changes
  • Enabling debugging modes
  • Enabling shell access

Whenever a change is made to the configuration of a network device, it is critical for each device to log the exact change and when it occurred. This information is crucial for detecting unauthorized changes to the configuration to prevent security incidents or audit failures.

Security and Compliance Risks

Lacking measures to detect changes in network configurations can result in compliance failures with regulatory standards such as PCI DSS 4.0, HIPAA 2023, CCPA, HITECH, FISMA, GDPR, and many others.

PCI DSS 4.0 Requirement 1.2.2.c states the requirement to “examine network configuration settings to identify changes made to configurations of Network security controls (NSCs).”

The Cybersecurity and Infrastructure Security Agency (CISA) says, “Security teams must review logs generated by network devices and monitor for unauthorized reboots, operating system version changes, changes to the configuration, or attempts to update the firmware. Compare against expected configuration changes and patching plans to verify that the changes are authorized.”

Configuration changes can be a sign that a device has been compromised. The National Security Agency (NSA) recommends implementing a configuration change control process to detect unauthorized modifications.

The Solution: Qualys FIM for Network Devices

Qualys has introduced an all-new Agentless File Integrity Monitoring (FIM) solution designed specifically for detecting configuration changes in network devices such as routers, switches, and firewalls.

Check Out Qualys FIM Alert for Network Configuration Drift

The change event is comprised of three key components:

Timestamp
Captures the last scan time of the network device when a difference is identified against the baseline configuration.

Asset details
Offers comprehensive information about the specific host on which a configuration change is observed.

Side-by-side comparisons
Facilitates a clear visualization of changes by presenting them in a side-by-side format. Modified lines in the configuration are highlighted and color-coded to signify changes, additions, or deletions.
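The following is an added example, not code from the post or from Qualys, showing the mechanics behind such a change event: a scanned configuration is diffed against a stored baseline, each changed block is tagged with one of the high-risk activity categories listed earlier (the regex patterns and category names are my own assumptions), and the result is rendered side by side with timestamp and asset details. The two configurations are constructed samples.

```python
import difflib, re
from datetime import datetime, timezone
from itertools import zip_longest
# Constructed sample configs (not from the post): stored baseline vs. latest agentless scan.
BASELINE = """ntp server 10.0.0.9
clock timezone UTC 0
logging host 10.0.0.5
username admin privilege 15 secret 5 PLACEHOLDER-HASH
line vty 0 4
 transport input ssh"""
CURRENT = """ntp server 10.0.0.10
clock timezone UTC 0
username admin privilege 15 secret 5 PLACEHOLDER-HASH
username backup privilege 15 secret 5 PLACEHOLDER-HASH
line vty 0 4
 transport input ssh telnet"""

# Assumed patterns for the high-risk activity categories listed earlier in the post.
HIGH_RISK = {
    "access restrictions": re.compile(r"^\s*(no )?(access-list|ip access-group)\b"),
    "authentication/authorization": re.compile(r"^\s*(no )?aaa\b"),
    "logging": re.compile(r"^\s*(no )?logging\b"),
    "account creation": re.compile(r"^\s*username\b"),
    "shell/debug access": re.compile(r"^\s*(transport input|debug)\b"),
}
KINDS = {"replace": "modified", "delete": "deleted", "insert": "added"}

def classify(line):
    """Return the high-risk category a config line falls into, or None."""
    return next((cat for cat, rx in HIGH_RISK.items() if rx.search(line)), None)

def detect_drift(baseline, current, asset, scan_time=None):
    """Diff the scanned config against the baseline and build a FIM-style change event."""
    scan_time = scan_time or datetime.now(timezone.utc)  # last scan time of the device
    old, new = baseline.splitlines(), current.splitlines()
    changes = []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(a=old, b=new, autojunk=False).get_opcodes():
        if tag != "equal":  # each opcode is one block of changed lines
            risks = {classify(l) for l in old[i1:i2] + new[j1:j2]} - {None}
            changes.append({"kind": KINDS[tag], "baseline": old[i1:i2],
                            "current": new[j1:j2], "risk": sorted(risks)})
    return {"timestamp": scan_time.isoformat(), "asset": asset, "changes": changes,
            "high_risk": [c for c in changes if c["risk"]]}

def side_by_side(event):
    """Render the event as 'baseline | current' rows, flagging high-risk blocks."""
    rows = [f"{event['asset']} @ {event['timestamp']}"]
    for c in event["changes"]:
        flag = f"  [{c['kind']}]" + (f" !! {', '.join(c['risk'])}" if c["risk"] else "")
        for left, right in zip_longest(c["baseline"], c["current"], fillvalue=""):
            rows.append(f"{left:<45} | {right:<45}{flag}")
    return rows

if __name__ == "__main__":
    print("\n".join(side_by_side(detect_drift(BASELINE, CURRENT, "edge-rtr-01"))))
```

Running it prints four changed blocks, three of them flagged: the NTP server change is benign, while the removed logging host, the new privileged account, and telnet being enabled on the VTY lines map to the high-risk categories.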

Network Compliance Auditing – CIS, SOX, HIPAA, and PCI DSS

Keeping track of configuration changes is required for auditing purposes. Network Configuration Drift FIM events are retained for at least one year, as most compliance regulations require.

Everything You Can Do with Network Configuration Drift FIM Events

Automated Compliance Reports
Allows users to schedule compliance reports detailing network configuration drift events and activities tracked by the FIM system.

Automated Incidents
Qualys FIM offers auto-correlation of events using Qualys Query Language (QQL), allowing you to match network configuration drift events in your environment. This functionality enables the automatic creation of incidents and immediate notifications to designated SOC teams for further review.

This aligns with the new PCI DSS 4.0 FIM requirement 10.4.1.1: “Automated mechanisms are used to perform audit log reviews.”

Integration with FIM Public APIs
Such events and incidents can be accessed through Public APIs and seamlessly integrated with any Security Information and Event Management (SIEM) solution, facilitating additional correlations for comprehensive analysis.

Qualys FIM offers native integration with prominent SIEM solutions such as Splunk, IBM QRadar, and ServiceNow. This compatibility streamlines your security infrastructure, ensuring smooth data flow and real-time insights.

Risk Reduction with Qualys FIM

By detecting unauthorized access and changes to system files, Qualys FIM reduces risks for:

  • Data breaches, particularly stemming from the misuse of privileged access.
  • Server downtime, caused by unplanned or unauthorized alterations to sensitive network configurations.
  • Compliance failures, resulting from an inability to demonstrate oversight of access and modifications to sensitive data.