Configuration Management

How Network Teams Can Stop Being Spooked by Ghost Configuration

Dalton Smith

Senior Solutions Engineer ‐ Itential

How Network Teams Can Stop Being Spooked by Ghost Configuration
Share this:
Posted on October 24, 2023

One of a network team’s most frequent and important responsibilities is ensuring network configuration is built, implemented, and enforced properly across their ENTIRE hybrid cloud network. That means managing a lot of policies and configurations across multiple domains – data center, cloud, SD-WAN, etc. If something is configured incorrectly, it can be scary, especially on Fridays (the 13th).

There are a lot of things network teams know can go wrong in their network. But what about the things they don’t even know about? Things that can only be seen when they want to be seen… things that tend to hide in the dark… and things that can haunt your network infrastructure unknowingly… ghost configuration, BOO!

Ghost configuration is one of the spookiest aspects of managing a network. It can hide in plain sight, it can cause trouble without you knowing, and most importantly — it can haunt your network.

Most network teams don’t even think about ghost config until they’ve encountered a full torso apparition and need to call in the Ghostbusters. But it’s too late. By then, the ghosts in your configuration have manifested themselves into a full-blown network haunting. So the question is, how do you hunt down the ghosts in your network configuration BEFORE they spook you?

Why Ghost Configuration Is So Spooky to Network Teams

The term ghost configuration sounds spooky by nature, which is pretty accurate. But what does it actually mean? Let’s level set and define it so you understand how to find it.

Network teams are responsible for implementing a standard configuration (a process also known as configuration compliance) across their network. Sometimes, for testing, troubleshooting, or other time-bound reasons, teams can end up adding rogue configuration that often goes unnoticed or forgotten. The rogue configuration ends up staying on your device, inevitably creating a ghost config that is only found when it’s actively hunted down.

There are typically three types of ghost configuration you can encounter on a haunted network:

  1. Inadvertently forgotten configuration that was added for testing or troubleshooting purposes. While this seems harmless at first, it could actually end up being detrimental. A prime example is a rogue filter or access list configuration that was left on a device that could allow the wrong traffic through or block the right traffic from coming in. You can equate this to the Stay Puft Marshmellow Man, cute on the outside but full of terror on the inside.
  2. Nefarious configuration left by someone who shouldn’t be on your network. Someone could be purposely leaving bad configuration on your network such as creating a pinhole to allow bad traffic in. You can equate this to Slimer, purposely causing havoc everywhere here goes.
  3. Busy network teams not correcting configurations, thinking they are harmless. Someone often notices that certain “harmless” configurations are not correct, but it takes too long to determine what the right information is, and there are more pressing things happening on the network. You can equate this to Casper, a seemingly friendly ghost, but a ghost nonetheless that can grow and cause problems later.

While many types of ghost config seem harmless in intent, over time they have the opportunity to cause harmful and unintended consequences that can bring risk to your network — shutting down good traffic, letting in bad traffic, setting your time server off, and much more. (Queue the sPoOoOkY soundbite.)

Ghostbusting Your Network

Now comes the fun part – how do we bust these unwelcomed ghosts in our networks?

The first step is to determine if it’s even a real ghost or not. It may not be part of your Golden Configuration, but it could still be a necessary piece of configuration that someone added without documentation on why. When you find something that seems a little ghostly, you must first investigate and validate if that config is a real ghost or real config.

Whether it’s a policy change, routing change or something different, you must ensure that by busting that ghost configuration you don’t cause any unexpected effects, reversing the intended effect of this change. If you remediate that change without validating whether it’s needed first, you might end up breaking things in a way you didn’t predict (which is why ghost config is so common in the first place).

Who You Gonna Call? Itential Network Automation

Just like most scary things, human nature is to avoid ghost config. Especially if you don’t have the right weapons to help you overcome that scary thing.

It is inevitable that ghost configuration haunts every network (yes, even yours). At Itential, we have the tools you need to bravely take on those spooky spirits hiding in your network. Think of us as your proton pack, finding and trapping your ghosts so you can successfully contain and eliminate them. Our network configuration management capabilities make it easy to set up automation to detect and alert you if any ghosts appear in your configurations so you can determine if they’re real ghosts or real config. If something turns out to be a spooky ghost, you can then set up automations to quickly and automatically remediate.

The next time you see a ghost In your network, who you gonna call? Itential!

To learn more about our network management capabilities, click here, or watch this overview demo to see it in action.

Itential Configuration Manager Overview
Dalton Smith

Senior Solutions Engineer ‐ Itential

Dalton Smith is a Senior Solutions Engineer at Itential, where he helps customers achieve network automation and orchestration at scale for an array of use cases. Leveraging over two decades of experience, including 11 years leading network teams at Nokia, Dalton is passionate about finding solutions that modernize and make networking more efficient for his customers.

More from Dalton Smith