What is Network Configuration Management?
Abstract: Network configuration management (NCM) is an important part of network device administration. Software updates, compliance, backups, and integration with the rest of the Network Operations Center software stack are all critical elements of a network configuration manager. However, legacy solutions are starting to limit NCM effectiveness due to a lack of automation. As such, industry experts such as Gartner are recommending that modern NCM solutions be built on automation.
Network configuration management is a set of tools or capabilities that support network engineers in performing their day-to-day roles in managing the lifecycle of network devices. Network configuration managers are meant to improve team efficiency and reduce manual errors that result from the tedious task of device administration.
Legacy NCM platforms were derived from network management solutions which slowly added network configuration capabilities. Over time, managing devices extended to managing device configurations, and so tools known as network configuration managers evolved to help network teams accomplish their network configuration tasks.
Today, however, NCM software has changed.
NCM built on automation
According to Gartner’s “Market Guide for Network Automation Platforms,” released in Q4 2023, network configuration management capabilities are now standard requirements for a network automation platform. Gartner’s inclusion of NCM in their Network Automation category suggests that modern NCM architecture must be built on automation.
Driven by the need of network teams to keep pace with business demands, automation now plays a critical role in delivering NCM capabilities to market. In 2023 research sponsored by BackBox, 92% of network operations and security professionals said there are more network updates needed than they can keep up with.
The pain of not being able to keep up with the needs of the organization and evolving infrastructure is real and getting worse. According to Uptime Institute’s 2023 Annual Outage Analysis, configuration management failure is the most common cause (45%) of major network-related outages, with human error and management failures contributing to a considerable number of outages. Additionally, digital infrastructure outages are becoming more expensive with more than two-thirds of all outages costing more than $100,000.
Automation helps scale network teams and their ability to deliver change management across the network in a reliable manner. At the product level, automation also scales functionality across the network and performs better than legacy NCM solutions.
Network Configuration Management features
To better understand why automation has become so important to NCM solutions, it’s useful to look at the “must have” functions of network configuration management for the modern enterprise in light of the complexity and urgency that network teams now face in their roles.
- Device discovery. Device discovery is the first step in onboarding devices into an automation platform. Discovery can happen in several different ways, from importing a text file of IP addresses to scanning a range of IP addresses to connecting to a CMDB (like ServiceNow) and importing network devices. Once imported, a device inventory is automatically generated, giving a detailed view of the makeup of the network that can be used to track configuration changes, manage device lifecycles, or perform vulnerability management.
- Disaster recovery. Device backups are the most common starting point for network configuration management solutions. It’s important to understand, though, that the needs of network teams go far beyond simply backing up device configurations. A backup solution must make reliable backups, meaning each backup should be validated to ensure that it can be restored. A backup that is not restorable, or whose integrity is questionable, should trigger a notification to network administrators for investigation. In truth, it’s not the backup that matters anyway; it’s the restore process. The restore should be reliable, fast, and able to restore to bare metal in the event of a complete device failure. Backups should have the option to be encrypted and stored off-site, with simple file management so that backups are readily available to restore in a crisis, when every second counts.
- Software updates. Software updates are complicated and time-consuming, and also one of the most important things network engineers can do to keep their networks safe. A network configuration manager should integrate backups directly into the software update process to ensure that there is a recent backup in case the team needs to roll back after a failed update. Update automations should be HA-aware, meaning updates to a high-availability pair are performed automatically and without downtime. Updates should support multi-step updates in the event that an update has to be performed across multiple software versions. And updates should be equally simple for network devices like routers and switches and for security devices like firewalls.
- Change management. The network configuration manager should audit all changes to the network, whether they’re done manually or through automation. Changes should be groomed back into compliance when they differ from the expected standard configurations. Configuration search is used to explore configurations and to look for specific configuration items. In the event of a known vulnerability, for example, administrators should be able to find vulnerable configurations and remediate them.
- Executing complex network operations. With automation, any task that can be accomplished at the command line interface (CLI) or via the API can be automated without writing code, no matter how trivial or complex. Automating tasks has huge time-saving benefits. For example, updating a firewall license on Palo Alto firewalls is reduced from 10 hours of manual work to 30 minutes of automation work, including creating the automation.
- Continuous compliance. Whether your devices need to comply with industry standards, or simply with the standards your organization puts in place as preferences, a network configuration manager is responsible for continuous compliance – ensuring that devices start and stay compliant with your requirements. These solutions often include support for industry best practices like CIS Benchmarks, DISA STIGs, HIPAA, PCI DSS, and more. Compliance also involves checking the network for vulnerabilities to make certain that there are no known vulnerabilities exposing the network. Finally, managing the lifecycle of devices to retire devices that are approaching end of life (EOL) and no longer receive security updates is an important compliance activity.
- Problem solving. Device backup histories can be used as a powerful troubleshooting tool, allowing you to compare changes over time or, better yet, prevent configuration drift by notifying administrators of changes before they become a risk to the organization.
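The disaster recovery item above says each backup should be validated and that a questionable backup should trigger a notification. As an added example (not code from the page or from BackBox), here is a small Python validator for IOS-style captures that applies the checks a backup job would run before declaring a capture restorable: non-empty, not truncated before the closing `end` marker, free of pager residue, hostname consistent with the inventory, plus a SHA-256 digest so a change since the last good capture can be noticed. The device names, sample captures and the `safe_to_proceed` pre-change gate are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample backup captures (not real device output). Keys are the
# device names from the inventory; values are what the backup job pulled back.
SAMPLE_BACKUPS = {
    # complete capture
    "edge-rtr-01": (
        "!\nhostname edge-rtr-01\n!\n"
        "interface GigabitEthernet0/0\n ip address 192.0.2.1 255.255.255.0\n!\n"
        "line vty 0 4\n transport input ssh\n!\nend\n"
    ),
    # session dropped mid-transfer: the capture stops before the 'end' marker
    "core-sw-01": "!\nhostname core-sw-01\n!\ninterface Vlan10\n ip address 192.0.2.",
    # pager was not disabled, so the capture contains prompt residue
    "dist-sw-02": (
        "!\nhostname dist-sw-02\n!\n"
        "interface Vlan20\n ip address 192.0.2.17 255.255.255.240\n"
        " --More-- \n!\nend\n"
    ),
    # login failed; nothing was captured at all
    "branch-fw-03": "",
}


@dataclass
class BackupVerdict:
    device: str
    restorable: bool
    sha256: str                 # integrity digest stored alongside the capture
    reasons: list = field(default_factory=list)
    changed: bool = False       # digest differs from the previous validated backup


def validate_backup(device, text, expected_hostname=None, min_bytes=64):
    """Decide whether a captured config is plausibly restorable (IOS-style checks)."""
    reasons = []
    if not text.strip():
        reasons.append("empty backup")
    else:
        size = len(text.encode())
        if size < min_bytes:
            reasons.append(f"suspiciously small ({size} bytes)")
        if "--More--" in text:
            reasons.append("pager residue ('--More--'); terminal length was not set to 0")
        if text.rstrip().splitlines()[-1].strip() != "end":
            reasons.append("missing 'end' marker; capture likely truncated")
        hostnames = [
            parts[1]
            for parts in (line.split(None, 1) for line in text.splitlines())
            if len(parts) == 2 and parts[0] == "hostname"
        ]
        if not hostnames:
            reasons.append("no hostname line")
        elif expected_hostname and hostnames[0] != expected_hostname:
            reasons.append(f"hostname {hostnames[0]!r} does not match inventory {expected_hostname!r}")
    digest = hashlib.sha256(text.encode()).hexdigest()
    return BackupVerdict(device, not reasons, digest, reasons)


def validate_all(backups, previous_digests=None):
    """Validate every capture and flag configs that changed since the last validated run."""
    previous_digests = previous_digests or {}
    verdicts = {}
    for device, text in backups.items():
        verdict = validate_backup(device, text, expected_hostname=device)
        verdict.changed = device in previous_digests and previous_digests[device] != verdict.sha256
        verdicts[device] = verdict
    return verdicts


def needs_investigation(verdicts):
    """Devices whose latest backup should trigger an administrator notification."""
    return [device for device, v in verdicts.items() if not v.restorable]


def safe_to_proceed(verdicts, device):
    """Pre-change gate (hypothetical): only update a device that has a validated backup."""
    verdict = verdicts.get(device)
    return bool(verdict and verdict.restorable)


if __name__ == "__main__":
    results = validate_all(SAMPLE_BACKUPS)
    for device in needs_investigation(results):
        print(device, "->", "; ".join(results[device].reasons))
```

`safe_to_proceed` is the hook a software update workflow would call before starting: an update on `core-sw-01` is refused because its only backup is truncated, while `edge-rtr-01` passes. The `changed` flag is what turns a backup history into a drift alarm, since a digest that differs from the last validated capture means someone changed the device.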
What should you look for in a Network Configuration Manager?
For organizations that are looking to update and enhance their approach to network configuration management, the following are some of the essential capabilities to look for in a network configuration manager in order to make the best decision.
Multivendor support. An NCM solution with support for only some vendors has limited value. Supporting the top 10 or 15 vendors isn’t enough, just as it’s not enough to have better support for network devices than for firewalls. NCM solutions should support as many vendors as possible (BackBox supports 180 vendors), and feature parity should exist between network devices, like routers and switches, and firewalls and other security devices.
1-click restores. When it comes to disaster recovery, speed is important. Restoring a device from backup, whether it’s simply rebuilding the device or restoring to bare metal to replace a device, has to be simple, and nothing’s simpler than restoring with a single click. Of course, software and backups should be stored centrally and easily available so that in the event of a disaster, recovery can commence quickly.
Multistep updates. Device updates are complicated, more so when step updates are required to go between the current version and the most recent version of software. An NCM solution based on automation should be able to make these multi-step upgrades seamless, as if it were just a single upgrade step.
Automated compliance remediation. Compliance is a critical component of NCM solutions. Specifically, it ensures that configurations conform to a desired standard, whether that standard is formal like CIS Benchmarks, DISA STIGs, or PCI DSS, or informal (this is how we do things around here). Once configured properly, an NCM solution ensures that the configurations don’t drift from the desired state. Those that drift can be groomed back into compliance. Reporting should be rich and shareable with other teams.
Role-Based Access Control. NCM functionality should be gated based on the rights and privileges of the administrator’s role. Control should be fine-grained enough to restrict each administrator to the operations their role permits.
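The change management, continuous compliance and problem-solving items earlier on the page, and the automated compliance remediation just described, all rest on the same three operations: diff two backup snapshots to see what drifted, search a configuration for specific items, and audit it against a desired-state standard so the drift can be groomed back. As an added example (not BackBox code, and not a real CIS or DISA rule set), the Python below does all three over two constructed IOS-style snapshots; the rule names, the device name and the config contents are assumptions made for the example. The remediation step only produces the list of commands, it pushes nothing.

```python
import difflib
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str                 # regex, full-matched against each raw config line
    must_exist: bool             # True: a matching line is required; False: forbidden
    fix: Optional[tuple] = None  # commands that groom the device back into compliance
                                 # (None on a forbidden rule: negate the offending line)


# Hypothetical desired-state standard (constructed for this example). Leading
# spaces are kept because in IOS-style configs they mark sub-mode lines.
RULES = (
    Rule("password-encryption", r"service password-encryption", True, ("service password-encryption",)),
    Rule("ssh-v2", r"ip ssh version 2", True, ("ip ssh version 2",)),
    Rule("no-http-server", r"ip http server", False, ("no ip http server",)),
    Rule("no-telnet-vty", r" transport input (telnet|all)", False, ("line vty 0 4", " transport input ssh")),
    Rule("no-rw-community", r"snmp-server community \S+ RW", False),
)

# Two constructed backup snapshots of the same device: BEFORE is compliant,
# AFTER is what a later backup captured once someone changed it by hand.
BEFORE = """!
hostname edge-rtr-01
!
service password-encryption
!
ip ssh version 2
no ip http server
!
snmp-server community n3tmon RO
!
line vty 0 4
 transport input ssh
!
end
"""

AFTER = """!
hostname edge-rtr-01
!
service password-encryption
!
ip ssh version 2
ip http server
!
snmp-server community n3tmon RO
snmp-server community s3cr3t RW
!
line vty 0 4
 transport input telnet
!
end
"""


@dataclass
class Finding:
    rule: str
    evidence: list   # offending lines, or [] when a required line is missing


def search(config: str, pattern: str) -> list:
    """Configuration search: every line that fully matches the regex."""
    rx = re.compile(pattern)
    return [line for line in config.splitlines() if rx.fullmatch(line)]


def audit(config: str) -> list:
    """Check a config against RULES; an empty list means compliant."""
    findings = []
    for rule in RULES:
        hits = search(config, rule.pattern)
        if rule.must_exist and not hits:
            findings.append(Finding(rule.name, []))
        elif not rule.must_exist and hits:
            findings.append(Finding(rule.name, hits))
    return findings


def remediation_plan(config: str) -> list:
    """Commands that would groom the config back to the standard (a plan only)."""
    by_name = {rule.name: rule for rule in RULES}
    plan = []
    for finding in audit(config):
        rule = by_name[finding.rule]
        if rule.fix:
            plan.extend(rule.fix)
        else:
            # generic negation of each offending line
            plan.extend("no " + line.strip() for line in finding.evidence)
    return plan


def drift(before: str, after: str) -> list:
    """Lines added (+) or removed (-) between two backup snapshots."""
    diff = list(difflib.unified_diff(before.splitlines(), after.splitlines(),
                                     "before", "after", lineterm="", n=0))
    return [line for line in diff[2:] if line.startswith(("+", "-"))]   # skip ---/+++ headers


if __name__ == "__main__":
    print("drift:", drift(BEFORE, AFTER))
    print("findings:", [f.rule for f in audit(AFTER)])
    print("plan:", remediation_plan(AFTER))
```

Running this on the two snapshots reports the three changes a human made (HTTP server enabled, a read-write SNMP community added, telnet allowed on the vty lines), the three rules those changes break, and the four commands that would groom the device back. The audit runs against every backup, so a device that was compliant yesterday and drifted today is caught on the next cycle rather than on the next incident.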
Automation without scripting. When automation involves scripting, it shifts the complexity from managing devices to managing code. This isn’t always an easy trade-off, as managing code requires separate skills and infrastructure. NCM automation should not require, but might optionally take advantage of, Python or any other scripting language. An NCM solution might also offer a no-/low-code approach to automation (as BackBox does), which provides a framework for network teams to create automations quickly and efficiently. There’s often no need to incur the expense and time of involving coding experts.
Rich reporting and notifications. Collaboration is done through reports and notifications. Rich reporting is critical to meet the needs of peers throughout the organization. Connections to external systems for notifications are important for managing by exception.
API integration. These days, API integration is quickly becoming a core requirement as organizations evolve toward a programmatic approach to network configuration management. Each NCM automation should be accessible from an API in order to integrate with DevOps CI/CD pipelines and enable proactive operational control over the work.
Challenges with typical network configuration managers
Every organization is at a different point in its network configuration management journey, but one thing is certain: that journey will continue. Having capabilities the team will leverage today and likely adopt in the future as a matter of industry best practice is a wise approach. When evaluating NCM solutions, it is worth drilling down into the following areas to make sure that the solution will not be hamstrung by these limitations:
- They focus on routers/switches and do less well with firewalls and other security devices that if not updated in a timely manner can expose the organization to risk.
- They focus on what can be done with an administrator at the keyboard, and less on automation of tasks to help eliminate tedious manual administration.
- APIs are lacking, which prevents network configuration management tasks from being called from external systems and processes for proactive and integrated execution of tasks.
The human side of NCM platforms built on automation
Along with all the functional benefits of automation, there are also very meaningful workplace benefits for network teams using a network configuration manager built on automation.
Eliminate repetitive manual work. One of the most effective ways to use automation is to eliminate manual tasks so that teams are freed up to do higher value and more interesting work. Better yet, network engineers should be able to use the same commands they would when interacting with devices. When they do so inside of the platform, the platform should automate those commands or command sequences with flexibility as to scheduling, logging, and notifications. When the platform works the way your team works, that leads to greater adoption and job satisfaction.
Upskill. Automations should also provide the opportunity to put guardrails on operations, upskilling junior administrators without adding risk. These guardrails can come in the form of logging, auditing, and video recording of sessions, as well as role-based automation permissioning. Junior administrators gain valuable experience and knowledge to build their credentials. Research finds that employees appreciate an organization that helps them grow professionally, which leads to better engagement and retention. Skills training opportunities are also a valuable tool to attract new talent.
Do more with less. These days ‘more with less’ is a mantra in many organizations. IT leaders face increasing demands on network administrators but don’t have budgets to add people. Backups with 1-click restore, in particular, are a great example of “fire and forget.” Automations such as this are so trustworthy people feel safe relying on them to happen as they should. When administrators can trust automation to simply work, it’s like they’re doing more than one thing at the same time and productivity increases.
FAQ
1. What is Programmatic NCM?
Everything in BackBox is created with an API-first approach, including, importantly, automations. This allows automations to be called as part of a DevOps workflow. For example, before doing an update, part of the workflow should be to make the call that initiates a backup, to be sure you have a recent restorable backup. In the event an upgrade turns out to be destructive, having a recent backup avoids costly downtime for the organization and a stressful, time-consuming fire drill as network teams scramble to address the problem.
This is what we mean by being programmatic. This approach is in stark contrast to legacy NCM solutions where APIs are mostly used for integration with network management systems, but not for operational control over the network.
2. How does BackBox scale as compared to a legacy network configuration manager?
Legacy NCM assumes that network administrators will be working at a keyboard to accomplish their tasks. It takes a polling approach from a central server out to the network, with tasks executed sequentially and initiated individually by a human. With BackBox, there’s no polling involved. We distribute the execution of automations out into the network for parallel execution, achieving better performance and scale than polling.
BackBox Agents are often used to extend scalability and performance even further. Distributed agents are responsible for executing automations local to their network, minimizing data transfer between networks. For example, a backup might be done at a remote network, with the data remaining at the remote network site rather than being passed back to a central location. Should there be a requirement to store data centrally, the data transfer is separated from the backup process to maximize performance and scalability.
3. What integration is available with ServiceNow?
ServiceNow integration with your network configuration manager is important because it’s a cornerstone system of many network operations centers. It’s the first place people go to find out information about system inventory or open issues, and it’s often used to judge performance by measuring performance KPIs for ticket resolution.
There are two pieces to the integration:
- Enhanced Discovery. BackBox can use the ServiceNow CMDB for device discovery, so that all new devices entered into ServiceNow automatically become devices in BackBox so that ServiceNow remains a single source of truth on network inventory, and BackBox can fully leverage that source for network configuration management.
- IT Service Management Integration. BackBox backup automations integrate with the ServiceNow trouble-ticketing system to open or close tickets based on backup status. This eliminates swivel-chair management, where network engineers need to work in two different systems to solve problems. Simplifying the engineer’s job by putting all the information they need to solve a problem in one place is important when time to resolution is critical.
4. I already have NCM, why change?
BackBox implements NCM capabilities on a platform of automation. You would want to change to such a platform if you’re looking to implement automation at scale and have specific use cases to drive the adoption. Here are a few use cases we see organizations prioritize to make a case for and get started with BackBox.
- Backup: A common use case to get started with automation is backup; many are using their network configuration management solution to help manage backups, so there’s overlap. However, backups based on automation are more reliable, more scalable, and easier to restore. Backups based on automation can also be included in DevOps workflows to ensure that a backup is always taken before a potentially destructive operation is completed. In this case it’s less about replacing NCM than it is about expanding what can be done by peeling off some network configuration management use cases from the network configuration manager and implementing them with automation.
- Compliance: Similar to backups, compliance based on automation is easier to implement and doesn’t involve managing configuration files in the same way. Remediation is also a part of the compliance automations to help with grooming configurations back into compliance when they drift.
- Security: Some customers want to extend network configuration management to their firewalls and other security devices and find that current solutions are limiting.
- External factors (like industry consolidation): Importantly, there are some situations where companies are being forced to change their NCM solution. The Broadcom acquisition of VMware is one situation where customers are finding they may not have support for their product, or it’s getting more expensive under Broadcom leadership. These situations provide a great opportunity to rethink NCM, and implement it based on automation rather than based on a legacy approach.
5. If my network engineers don’t have coding skills, how can we leverage automations?
BackBox delivers 3,000 pre-built automations. Additionally, we offer a no-/low-code approach to automation so that network teams can create automations quickly and efficiently. There’s often no need for the expense and time of the Python/Ansible team to get involved.
The value proposition of BackBox also includes support to create automations; there’s no additional professional services retainer or project-based fee required. So, we are able to tackle automation tasks quickly, which is particularly important for one-off tasks and surprises. For example, a customer had just 48 hours’ notice to activate licenses across nearly 100 firewalls.
Working in partnership with the customer, it took the BackBox team 20 minutes to create the automation required and the customer’s internal team a further 10 minutes to import the task, set up a job, and run it. Once the task completed, the platform generated a report to confirm successful execution on all devices.