
Network compliance, security and automation – you know you need it




Guest post by Swamy Mandavilli, Functional Architect in the Network Management Center R&D group



First let’s cover compliance. The job of network compliance is to make sure that the network devices such as switches and routers are running the configurations that meet the policies set by the organization. For example, some organizations may not want to run certain protocols on any of their devices. As another example, we were recently talking to one customer who wanted to make sure that every single configuration line met the compliance check. Customers use HP Network Automation (NA) to set their devices to configurations that meet 100 percent of the policies of the organization.


Configuration issues can be very problematic. One of our customers recently had a device running a bad configuration that caused a major outage in their environment. After the outage they needed to ensure that correct configurations were defined and that device configurations always meet their policies, so that such a mistake could not be repeated. They're using NA to run an audit check to avoid future failures.


Another aspect of compliance is auditing, making sure you have the correct software and configurations, and knowing who changed a device, what they changed and when.


NA can detect if a direct change to a device happens. NA then automatically, in real time, takes a “snapshot”, which includes obtaining the latest running configuration and storing it in the database (after comparing and concluding that there is indeed a change made). Further, you have the capability to undo the latest change if required.

NA tracks who made the change. You can then run an audit report and understand how frequently things are changing and who is making the changes.
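The two mechanisms just described, a line-by-line policy check over a running configuration and a snapshot that is stored (with who and when) only when the configuration actually changed and can later be undone, look roughly like this when written out. This is an added illustration, not HP Network Automation's code, policy syntax or database schema: the policy rules, the device configuration text and the user names are all constructed for the example.

```python
"""Constructed example: policy checks over a device running-config, plus
change detection against the last stored snapshot with an audit trail and undo."""
import difflib
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy. Each rule is a regex evaluated per configuration line:
# a "forbidden" rule fails if any line matches, a "required" rule fails if none does.
POLICY = [
    ("forbidden", r"^\s*ip http server\b", "cleartext management interface"),
    ("forbidden", r"^\s*snmp-server community \S+ RW\b", "read-write SNMP community"),
    ("required", r"^\s*service password-encryption\b", "stored passwords must be obscured"),
    ("required", r"^\s*logging host \S+", "syslog export to a collector"),
]

# Constructed running configuration of a hypothetical device "edge-1".
STORED_SNAPSHOT = """hostname edge-1
service password-encryption
logging host 10.0.0.5
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
"""


def check_compliance(config: str, policy=POLICY) -> list[str]:
    """Return one readable violation per failed rule; an empty list means compliant."""
    lines = config.splitlines()
    violations = []
    for kind, pattern, why in policy:
        hits = [ln for ln in lines if re.search(pattern, ln)]
        if kind == "forbidden" and hits:
            violations.append(f"forbidden ({why}): {hits[0].strip()}")
        elif kind == "required" and not hits:
            violations.append(f"missing ({why}): /{pattern}/")
    return violations


def sha(text: str) -> str:
    """Short content hash so the audit record can identify each stored version."""
    return hashlib.sha256(text.encode()).hexdigest()[:12]


@dataclass
class AuditEntry:
    device: str
    changed_by: str
    when: str
    diff: list[str]   # unified diff, stored version -> running version
    old_hash: str
    new_hash: str


class ConfigStore:
    """Keeps every stored version per device plus an append-only audit log."""

    def __init__(self):
        self.history: dict[str, list[str]] = {}
        self.audit: list[AuditEntry] = []

    def current(self, device: str) -> str:
        hist = self.history.get(device)
        return hist[-1] if hist else ""

    def take_snapshot(self, device: str, running_config: str, changed_by: str):
        """Compare the live config with the stored one; record a new version only on change."""
        old = self.current(device)
        if old == running_config:
            return None  # nothing changed: no new version, no audit noise
        diff = list(difflib.unified_diff(old.splitlines(), running_config.splitlines(),
                                         fromfile="stored", tofile="running", lineterm=""))
        entry = AuditEntry(device, changed_by,
                           datetime.now(timezone.utc).isoformat(timespec="seconds"),
                           diff, sha(old), sha(running_config))
        self.history.setdefault(device, []).append(running_config)
        self.audit.append(entry)
        return entry

    def undo_last_change(self, device: str):
        """Drop the latest stored version and return the one before it (None if no prior)."""
        hist = self.history.get(device, [])
        if len(hist) < 2:
            return None
        hist.pop()
        return hist[-1]


if __name__ == "__main__":
    store = ConfigStore()
    store.take_snapshot("edge-1", STORED_SNAPSHOT, "baseline-import")
    drifted = STORED_SNAPSHOT.replace("logging host 10.0.0.5\n", "") + "ip http server\n"
    entry = store.take_snapshot("edge-1", drifted, "jdoe")
    print("\n".join(entry.diff))
    print(check_compliance(drifted))
```

The compliance check and the change detector are deliberately separate: a change that keeps the device compliant still deserves an audit record, and a non-compliant configuration that has not changed since the last poll should not produce a second snapshot.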


One organization we know of was using in-house written scripts to configure their devices. When it came time for an audit there was no documentation on what changes had been made. Their audit report was said to be about an inch thick with many violations.

Hear Chris Powers of General Motors talk about his experience with NA.



One aspect of network security is organizations running proper configurations to meet the security standards that apply to them so there won’t be any negative effects to the network. These can be internal or external standards such as HIPAA (Health Insurance Portability and Accountability Act) or SOX (Sarbanes–Oxley Act). The security standards apply to all levels of networking such as firewalls, routers, switches, and so on. Our users use NA to make sure that their network components are as secure as possible.

Another aspect of network security is when a network vendor determines there is a security problem on some combination of OS version, model, or configuration settings, and then provides some recommended configuration or even a patch for it to mitigate the problem. A very common use of NA is to deploy that patch to all the devices that are vulnerable.


You can define compliance policies to make sure that no one runs those OS versions that have vulnerabilities. This is another example of NA’s compliance capability.

Another security issue organizations have to deal with is unauthorized access and changes to device configuration. NA has a very granular definition of who can do what. It has roles and privileges to define who can view only, who can make changes and what types of changes they can perform. NA also enables you to define which devices a user can access. You can separate the network devices into various partitions and define different security controls on those sets of devices and say, “This user can do these operations but not those operations on these devices specifically.”


Partitioning is important for multiple use cases. For example, if you are an MSP (a managed service provider), managing different customer networks, you may have specific users who are responsible for only one customer’s network. You can define who is allowed to see and change only one portion of the whole inventory.


Another use case is that you want to organize based on sites. For example, for this site in a certain city, these are the users allowed to make changes on devices at that site but not in other sites. It could be an organizational division or geographical separation or both. It is completely up to you how you want to divide the devices.
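The partitioning model described in the last three paragraphs (roles that define what operations a user may perform, partitions that define which devices those operations apply to, and a user who holds a role on only part of the inventory) can be shown as a small deny-by-default authorization check. This is an added example and not NA's own role or partition implementation; the role names, operations, customers, sites and users are constructed.

```python
"""Constructed example of partition-based access control: a role is a set of
operations, a grant gives a user a role on one partition, every device sits in
exactly one partition. Hypothetical names throughout."""
from dataclasses import dataclass, field

# Constructed roles: what a holder of the role may do on devices in the partition.
ROLES = {
    "viewer": {"view_config"},
    "operator": {"view_config", "push_config"},
    "admin": {"view_config", "push_config", "change_credentials", "deploy_image"},
}


@dataclass
class Inventory:
    device_partition: dict = field(default_factory=dict)  # device -> partition
    grants: dict = field(default_factory=dict)            # user -> {partition: role}

    def add_device(self, device: str, partition: str):
        self.device_partition[device] = partition

    def grant(self, user: str, partition: str, role: str):
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        self.grants.setdefault(user, {})[partition] = role

    def authorize(self, user: str, action: str, device: str) -> bool:
        """Deny by default: an unknown device, user, partition or action all return False."""
        partition = self.device_partition.get(device)
        if partition is None:
            return False
        role = self.grants.get(user, {}).get(partition)
        if role is None:
            return False
        return action in ROLES[role]

    def visible_devices(self, user: str) -> list[str]:
        """The slice of the inventory a user can see at all (any role on the partition)."""
        mine = set(self.grants.get(user, {}))
        return sorted(d for d, p in self.device_partition.items() if p in mine)


def build_example() -> Inventory:
    """Constructed MSP inventory: two customers, one of them also split by site."""
    inv = Inventory()
    inv.add_device("acme-core-1", "acme")
    inv.add_device("acme-nyc-sw1", "acme/nyc")
    inv.add_device("acme-lon-sw1", "acme/lon")
    inv.add_device("globex-core-1", "globex")
    for partition in ("acme", "acme/nyc", "acme/lon"):
        inv.grant("alice", partition, "admin")   # account lead for the whole acme estate
    inv.grant("bob", "acme/nyc", "operator")     # site engineer: New York devices only
    inv.grant("carol", "globex", "viewer")       # read-only auditor for the other customer
    return inv


if __name__ == "__main__":
    inv = build_example()
    for user in ("alice", "bob", "carol"):
        print(user, inv.visible_devices(user))
    print("bob may push to London switch:", inv.authorize("bob", "push_config", "acme-lon-sw1"))
```

Site and customer partitions are both just partition names here; whether a partition means a customer, a region or a division is a naming decision, which matches the point that how devices are divided is up to the operator.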



Let’s switch topics to automation. First, a very simple use case. Every company typically has a policy to change passwords every few months. If you have thousands of devices in your environment, changing them one by one is not practical simply because of the numbers, and even where you have the staff to do it, it is error-prone.

By automating, you can perform massive changes in a very simple UI-based approach that’s not error-prone. And the history of the changes is recorded so you can see what was changed, when it was changed, and by whom. If you decide to move back to the previous configuration, an automated restore process is available.

Some of our customers have configurations with thousands of lines; this happens with ACLs in particular.

You can schedule activities. For example, instead of running certain configuration changes or reboot operations at peak time, you can schedule them to happen Saturday night, while the actual request is entered during regular business hours, a boon for quality of life!

One more use case I will add is triggering a change when a problem is observed. In the first example I talked about, the user explicitly says, “I want to make this change.” In the second example, a certain problem is observed, and to fix it you can run (or have NA automatically run) a command script in response to a recorded NA event, such as an unauthorized configuration change.

We’ve talked about compliance; here’s how you can use automation to help with it. If certain compliance violations happen, you can fix the device configuration manually or have it automatically fixed by NA. For example, your policy says you are not supposed to run a certain protocol and NA finds that protocol is running. You can have NA start an auto-remediation process to remove that protocol from the device.

Another advantage of automation is that you can have a change request approved by your CAB (change advisory board) before the change is made. The approval process can use NA’s internal workflow, or NA can be integrated with another workflow engine such as HP Operations Orchestration.
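The automation flow described in the last four paragraphs (a recorded event such as a compliance violation or an unauthorized change mapped to a command script, optional auto-remediation, CAB approval for everything else, and execution deferred to a maintenance window) is sketched below as an added example. It is not NA's workflow engine or its Operations Orchestration integration; the event kinds, the remediation scripts, the approver names and the Saturday-night window are all constructed.

```python
"""Constructed example of event-driven, approval-gated, scheduled remediation."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class State(Enum):
    PENDING = "pending"        # waiting for CAB approval
    APPROVED = "approved"      # may be scheduled
    SCHEDULED = "scheduled"    # runs once run_at has passed
    APPLIED = "applied"


# Constructed mapping from event kind to the command script that fixes it;
# "detail" carries the offending line or the snapshot id to roll back to.
REMEDIATIONS = {
    "forbidden_protocol": lambda ev: [f"no {ev['detail']}"],
    "unauthorized_change": lambda ev: [f"restore-snapshot {ev['detail']}"],
}

# Constructed "current time" for the demo: Monday 2024-05-13 10:00.
EXAMPLE_NOW = datetime(2024, 5, 13, 10, 0)


@dataclass
class ChangeRequest:
    device: str
    commands: list
    requested_by: str
    state: State = State.PENDING
    approved_by: str = None
    run_at: datetime = None


class ChangeQueue:
    def __init__(self, auto_approve=()):
        self.auto_approve = set(auto_approve)  # event kinds that may be fixed without CAB
        self.requests = []
        self.change_log = []  # (device, commands, approved_by) for each applied change

    def on_event(self, event: dict):
        """Turn a recorded event into a change request; None if no script is defined."""
        build = REMEDIATIONS.get(event["kind"])
        if build is None:
            return None
        req = ChangeRequest(event["device"], build(event), requested_by=f"event:{event['kind']}")
        if event["kind"] in self.auto_approve:
            req.state, req.approved_by = State.APPROVED, "auto-remediation"
        self.requests.append(req)
        return req

    def approve(self, req: ChangeRequest, approver: str) -> bool:
        """CAB approval; the requester may not approve their own change."""
        if req.state is not State.PENDING or approver == req.requested_by:
            return False
        req.state, req.approved_by = State.APPROVED, approver
        return True

    def schedule(self, req: ChangeRequest, run_at: datetime) -> bool:
        """Only approved requests can be put into a window."""
        if req.state is not State.APPROVED:
            return False
        req.state, req.run_at = State.SCHEDULED, run_at
        return True

    def run_due(self, now: datetime) -> list:
        """Apply every scheduled request whose window has arrived; return what ran."""
        applied = []
        for req in self.requests:
            if req.state is State.SCHEDULED and req.run_at <= now:
                self.change_log.append((req.device, req.commands, req.approved_by))
                req.state = State.APPLIED
                applied.append(req)
        return applied


def next_saturday_night(now: datetime) -> datetime:
    """Constructed maintenance window: the coming Saturday at 23:00 (never today)."""
    days = (5 - now.weekday()) % 7 or 7
    return (now + timedelta(days=days)).replace(hour=23, minute=0, second=0, microsecond=0)


if __name__ == "__main__":
    q = ChangeQueue(auto_approve={"unauthorized_change"})
    req = q.on_event({"kind": "forbidden_protocol", "device": "edge-1", "detail": "ip http server"})
    q.approve(req, "cab-chair")
    q.schedule(req, next_saturday_night(EXAMPLE_NOW))
    print(req.state, req.run_at)
    print(q.run_due(next_saturday_night(EXAMPLE_NOW)))
```

Two design points carried over from the text: the request's requester is the event itself, so the separation-of-duties check in `approve` prevents an automatically raised request from approving itself, and auto-approval is an explicit allow-list of event kinds rather than the default.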

Restoring a configuration or changing hardware

NA has the capability of bare-metal provisioning. Say you bought a new device and you want to make sure that it is going to run the right software version and have the right configuration. All those things can actually get started even before that device arrives by using a device template. Once the template is configured, as soon as you get the device, you plug it in and apply the image and configuration from the template and then get rid of the old device if you’re replacing one device with another.

As you can see, NA has many benefits for:

  • Network compliance
    • Auditing devices for configuration issues
    • Ensuring your network policies or those of a regulator are applied
    • Remediation when there is a variance from those standards
  • Security
    • Ensuring devices meet security standards and applying security patches
    • Limiting who can make certain changes
    • Tracking what changes were made and by whom
  • Automation
    • Freeing staff time from repetitive, error-prone tasks for more strategic work
    • Detecting configuration changes in real time and, if configured, auto-remediating them
    • Provisioning devices from a template even before the device is installed


HP Network Automation software automates the complete operational lifecycle of network devices from provisioning to policy-based change management, compliance, and security administration. Start your free trial today.


About the Author


This account is for guest bloggers. The blog post will identify the blogger.