Backup of Critical Device Configurations

We've seen the following scenario repeatedly: An organization's IT or engineering staff has full access to all router, switch, and firewall configurations, which they change periodically as needed. Suddenly, one of the device configuration files is lost due to hardware or software failure. This time, they have spare hardware, but the staff realizes that the last known good copy of the configuration is six months old! No one remembers all the changes made over the last six months, and they are now scrambling to restore service.

This is an often-overlooked aspect of disaster recovery and security, but an easy one to remedy. Most network management packages provide a mechanism for backup and archiving of device configuration files. Some even provide a difference engine, which will archive the changes made to configuration files each time a change is made, thereby giving you a continuous audit trail of changes in your configurations.

If you don't run a commercial network management package, there are scores of open source tools that will perform these and many other network management functions. Table 4-3 lists a few of these packages.

You may wish to store complete configuration files with passwords stripped out for quick access by operations or engineering personnel, while encrypting configuration files for long- term storage (including passwords, MD5 hashes for routing peers, and so on) to be used for disaster recovery.

You should develop a simple backup strategy and schedule for all of your network devices, or incorporate these backups into your existing strategy and schedule. The frequency is dependent upon the size of your network and upon the frequency at which you make changes to configurations.