Infrastructure Configuration Management

Luckily, a new crop of configuration vendors has risen to the challenge of managing multivendor networks. Although not as aggressive in scope as typical PBNM systems, these new systems are worth the money. At the most basic level of system configuration, they replicate much of what can be done through scripts--including archiving, differencing and transferring configs. They also add higher-level functions, such as device access control and configuration auditing.

One big reason for embracing configuration management is compliance ... meeting and mastering the procedures that assure network compliance to SAS-70 (a security standard), ISO 17799 (a broader best-practice production control spec), or the mother of pushy standards, Sarbanes-Oxley (see "Complexities of Compliance,").

Come Into Our Parlor

We asked AlterPoint, Gold Wire Technology, Intelliden Corp., Rendition Networks, Tripwire and Voyence to send their configuration-management products to our Syracuse University Real-World Labs. Rendition, Gold Wire and Voyence did so, but AlterPoint and Tripwire declined to participate, saying they were between releases. Intelliden, one of the most established vendors in this space, also declined, citing a lack of resources.

All the products we tested approach conformance using rules about how configurations should be defined. These rules are compared by the configuration system against running and achieved configurations. For example, lines in a configuration that specify ACLs are compared against a rule or set of rules for that particular device. If a configuration running on a device or stored in the configuration system's database doesn't contain a rule-specified ACL, a rule-violation exception is logged and it triggers notification. ACLs are just one example: Each rule can handle any configuration requirement within a device-specific syntax, for instance, device password encryption or interface duplicity parameters (full and half duplex).