Network maps, best admin practises and how them saved your ass?

Question

I am reviewing the security of a (quite large) network. There are a some thousands switches, several hundred routers, several hundred access points, tenths of FW, IPS, and so on. PCs and servers are on the bazillion side of the scale.

I have asked the network responsibles (not actual admins) for network maps for weeks and got some very high-level drawings on PPT and a few level-2 visios for some network segments. I had to figure out the location of security elements from config files and monitoring tools that do not cover the whole network.

I have always been told that a good admin needs to keep up to date documentation of his/her realm that being, servers, network or whatever is getting paid to admin. While I was an admin I tried to work by that rule.

So, right now, these resposibles tell me that keeping a network map with some level-3 detail, basic security elements, extra documents about IP addressing and defined VLAN is too much information for them to keep it updated so they decided not to generate that documents and rely on personal knowledge and monitoring tools that partially cover the network.

Personally I feel those are just a bunch of excuses, even with that network size, since it took them weeks to identify crucial information. Even though, I would like to know from the community examples of how these documentation has proven being useful on: - Business as usual management. - Technical events such as networks outages. - Security events.

I never administered a network this size so I might be wrong and the responsibles' point might be valid so, if you think so, could you please give actual examples of how really big networks are documented for admin's sanity and efectiveness?

Which would be valid alternatives to up-to-date network maps?

Answer 1

This is a very interesting topic, as a few years back i had a similar issue with a large corporation that has data centers across the world, most of its data was company oriented and was on private networks.

But to the topic at hand, most large networks that require both, network engineers and network administrators. Network engineers and network administrators are responsible for the timely construction and operation of networks. The engineers and administrators have some functions and requirements that are the same, but most of their functions are very different. Network engineers are responsible for the design and physical construction of a network, This includes the placement of all of the physical equipment such as routers, communication switches and all of the cables and wires used to connect the equipment. That being said i believe the engineers that put this data-center together should have designed blueprints with locations of every device and every wire to start, When a system needs change it should be the network engineers that create the change and document this change even if it is past down the the network administrator to complete the change, otherwise you have ciaos where everyone sets up their section of the data-center the way they want. There must be guild lines set by the company that everyone must follow.

There are many circumstances where on a weekend or night shift some Admin must change something to get the system up from a fault, but this must also be documented.

Most larger companies have policy and procedure that needs to be followed and usually there is a person that directly for the CIO, But at the end of the day the CIO is really responsible for what his department does. Some companies now have a role as Certified Information Systems Security Professional. This person does not work for the IT department but is responsible for reporting any security concerns to the board or CEO, with out a complete understanding of the network in front of him he would not be able to complete his task and the board would hold someone responsible.