Even in the most sophisticated network operations groups, knowing whether a proposed change to a router or firewall configuration will have its intended effect without breaking something else is still little more than educated guesswork.
Next week, security risk assessment vendor Skybox Security Inc. hopes to convince network engineers that it can take much of the guesswork out of this process by applying its technology to the change management process before IT workers make changes to production machines.
In launching its Skybox Assure offering, the San Jose, Calif., company will bring to the change management world its ability to look at proposed configuration changes from a risk assessment and access analysis point of view.
Skybox Assure creates a virtual staging environment in which IT managers can test and analyze proposed changes before they implement the modifications on a live network.
This approach lets users assess and apply configuration changes to firewalls or routers in a virtual model built from a snapshot of the live network, so there is no risk of taking the network down if one of the changes has an unintended consequence. The model is only as current as the snapshot it was built from, so it needs to be refreshed before a change is evaluated.
Company officials compared the Skybox approach to the technique of sandboxing, which is used by security practitioners to execute potentially harmful code in a contained portion of a machine to observe its behavior. Once an administrator finds a set of configuration changes that works without causing problems, he or she can then push the changes to the individual routers and firewalls.
Although other vendors in the network design and capacity planning industry provide virtual modeling, Skybox Assure is unique in its ability to look at proposed changes from a risk assessment and access analysis point of view, company officials said.
Current Skybox users at WesCorp who evaluated the new Assure offering see it as a "powerful" way to see what a change does to overall risk exposure, said Christofer Hoff, chief information security officer of WesCorp, in San Dimas, Calif.
"You are able to make very focused decisions that a firewall technician or internal audit staff could be overwhelmed by when you have tens of thousands of assets," Hoff said. "This lets you be very precise and surgical in looking at what a change does and what it ultimately affects. It lets your change management process become much more efficient."
Skybox Assure uses embedded collectors to gather infrastructure, access and security device configurations. It then evaluates access paths, maps dependencies among devices and incorporates the risk exposure of key assets. That data is used to model the network, run access simulations and analyze connectivity paths in the context of those risk exposures, the goal being that proposed changes can be deployed without unwittingly violating defined security policies.
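Stripped to its essentials, a check of that kind takes a snapshot of the rule base, applies the proposed change to a copy, runs access simulations for the flows the security policies care about, and reports any contradiction before anything is pushed to the device. The Python below is an added illustration of that workflow, not Skybox's code: the zones, the first-match rule base, the three policies and the two candidate rules are all constructed for the example, and probing a handful of representative hosts and ports per zone is a simplification of full path analysis.

```python
"""Staging a firewall change against a snapshot before touching production.

Constructed example: a first-match rule base, a set of connectivity
policies, and a simulator that evaluates a proposed change in a copy of
the snapshot. Nothing here is Skybox code; all addresses are made up.
"""
from __future__ import annotations

from copy import deepcopy
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    port: int | None      # None matches any destination port
    action: str           # "allow" or "deny"

    def matches(self, s: IPv4Address, d: IPv4Address, port: int) -> bool:
        return s in self.src and d in self.dst and self.port in (None, port)


# Constructed zones (TEST-NET-3 stands in for "the internet").
ZONES = {
    "internet": ip_network("203.0.113.0/24"),
    "dmz": ip_network("10.10.0.0/24"),
    "app": ip_network("10.20.0.0/24"),
    "db": ip_network("10.30.0.0/24"),
}

# Constructed snapshot of the live firewall: first match wins, explicit deny last.
SNAPSHOT = [
    Rule("web-in", ZONES["internet"], ZONES["dmz"], 443, "allow"),
    Rule("dmz-to-app", ZONES["dmz"], ZONES["app"], 8080, "allow"),
    Rule("app-to-db", ZONES["app"], ZONES["db"], 5432, "allow"),
    Rule("default-deny", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), None, "deny"),
]

# Constructed policies: (source zone, destination zone, port or None, required verdict).
POLICIES = [
    ("internet", "db", None, "deny"),
    ("internet", "app", None, "deny"),
    ("app", "db", 5432, "allow"),
]


def simulate(rules: list[Rule], s: IPv4Address, d: IPv4Address, port: int) -> str:
    """Verdict of a first-match rule base for one flow (implicit deny if nothing matches)."""
    for r in rules:
        if r.matches(s, d, port):
            return r.action
    return "deny"


def probe_hosts(zone: IPv4Network, rules: list[Rule]) -> set[IPv4Address]:
    """Representative addresses for a zone: its first and last host, plus the first
    address of every rule prefix nested inside it, so host-specific rules get exercised.
    This sampling is a simplification of exhaustive path analysis."""
    hosts = {zone.network_address + 1, zone.broadcast_address - 1}
    for r in rules:
        for net in (r.src, r.dst):
            if net != zone and net.subnet_of(zone):
                hosts.add(net.network_address)
    return hosts


def probe_ports(port: int | None, rules: list[Rule]) -> set[int]:
    """Ports worth testing: the requested one, or every port any rule names plus one
    that no rule names (a verdict can only change at a port some rule mentions)."""
    if port is not None:
        return {port}
    named = {r.port for r in rules if r.port is not None}
    unnamed = next(p for p in range(1, 65536) if p not in named)
    return named | {unnamed}


def check_policies(rules: list[Rule], policies) -> list[tuple]:
    """Every (src zone, dst zone, src, dst, port, verdict) where the rules contradict a policy."""
    violations = []
    for src_zone, dst_zone, port, required in policies:
        for s in probe_hosts(ZONES[src_zone], rules):
            for d in probe_hosts(ZONES[dst_zone], rules):
                for p in probe_ports(port, rules):
                    verdict = simulate(rules, s, d, p)
                    if verdict != required:
                        violations.append((src_zone, dst_zone, str(s), str(d), p, verdict))
    return violations


def stage_change(snapshot: list[Rule], new_rule: Rule, position: int) -> list[Rule]:
    """Apply a proposed rule insertion to a copy of the snapshot; the snapshot itself is untouched."""
    staged = deepcopy(snapshot)
    staged.insert(position, new_rule)
    return staged


def evaluate(snapshot: list[Rule], new_rule: Rule, position: int = 0) -> list[tuple]:
    """Stage the change and report the policy violations it would introduce."""
    return check_policies(stage_change(snapshot, new_rule, position), POLICIES)


# Proposed change 1: a reporting host in the DMZ needs PostgreSQL; the engineer drafts a
# broad rule ("any host to the DB tier on 5432") and places it at the top of the rule base.
BROAD = Rule("reporting-db", ip_network("0.0.0.0/0"), ZONES["db"], 5432, "allow")
# Proposed change 2: the same need, scoped to the single reporting host.
SCOPED = Rule("reporting-db", ip_network("10.10.0.50/32"), ZONES["db"], 5432, "allow")

if __name__ == "__main__":
    for label, change in (("broad", BROAD), ("scoped", SCOPED)):
        v = evaluate(SNAPSHOT, change)
        status = "OK" if not v else f"{len(v)} violation(s), e.g. {v[0]}"
        print(f"{label}: {status}")
```

The broad rule is rejected because the simulation shows it also opens the database tier to the internet-facing probe hosts on port 5432, which contradicts the first policy; the host-scoped rule satisfies every policy and would be the one pushed to the firewall. Because the probe sets are derived from the rule base, adding a rule that names a specific host automatically brings that host into the next simulation.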
The software, which runs on Windows and several versions of Unix, is available now. Pricing starts at $75,000.