OK, I'll bite.
We use Rendition (now Opsware) for config mgmt. of our network stuff and
the change detection / archival function has already saved my butt a
number of times. Our engineers gripe about the Big-Brother aspect, but
per the quasi-rant about SOX / CISP / PCI it's a fact of life now for
any SEC-filing corp at a minimum.
I realize this is somewhat OT for this list, but SOX (in general)
shouldn't really matter to network admins (network meaning L1 to ~L4),
as SOX is all about altering the financial data. As a network person,
you can certainly see all of that data, but you can't change it (packet
injection doesn't count; most apps pick up on that sort of activity even
if they don't know why they know :). For that you need to be a server
admin / DBA, so for true network people, we don't really care. (Loose
generalization there, re: caring.)
As for Opsware, their SOX report is static. It doesn't tell you
anything. It's just text, so the tool offers no value there.
Now, CISP / PCI on the other hand, that's the project funding behemoth
you've all been waiting for. If you need money, say it's for PCI and
poof-like-magic, here's the cash to make it happen. PCI has some fairly
strict requirements that are defined to the network level regarding open
ports, encryption schemes, use of clear-text, etc. Tools like Opsware
can help enforce or at least notify on those data points.
Re: free tools, I think we've all heard of RANCID as a config-o-monitor
(I personally am CVS-debilitated and have not yet been able to make it
work on any platform). Big companies do not like free tools. That's
why Linux was not making progress in large enterprises until we could
start paying for it (aka Red Hat). If they can't get maintenance /
support for something that the business needs, it's not coming into the
environment. This makes sense, though not really from a "help us stay
on the cutting edge of technology" aspect.
Opsware and Voyence (we demoed them) both do some configuration
templating so that if you are building out CPE, you can have it make
your router configs or whatever, but for already installed networks, the
templating is not valuable. I'm all about the configuration policy
piece; I want to know how many of my devices don't have enough ntp
servers configured, that sort of thing, or down the road making sure my
QoS policies are consistent across the board. But that's all to get me
to a point in time where everything is "right", it doesn't help me
deploy new services all that differently than my perl scripts did
before.
What I think you are talking about is an application aware network
provisioning system. Something that is aware of all possible
topological paths between endpoints and is smart enough to know how to
configure all the hops / connections in between the two to make
something happen. Like a DOS mitigation system or punching holes
through a series of firewalls or configuring multi-hop VPN tunnels.
Yeah, that doesn't exist as far as I know. Or more to the point, I'm
sure these tools could do that, but the work required on the front-end
won't end up saving you anything on the back-end. Oh, and it has to be
vendor-agnostic. Heh.
That market is more in the NetDoctor or related simulation-style
configuration analyzers that do the what-if type stuff, or there are a
couple other QoS policers out there that do something similar, but they
are niche market tools for QoS only and appliances at that.
So, to your question: no would be my answer. There isn't something like
that out there today; there are point solutions that solve particular
aspects of the overall issue, but nothing end-to-end.
BTW, Opsware and others would love to see this list if it grows and
utilize it as a tool for soliciting industry-wide customer feedback. I
would suggest consideration of that either for it or against (I don't
really care) and noting it in the policy.
Scott.altman@target.com
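The "configuration policy piece" described in the post (how many devices have fewer NTP servers than policy requires, and whether a QoS policy-map is identical across the fleet) is the kind of check you can run yourself over a config archive such as the one RANCID or a CVS checkout leaves behind. The following is an added example, not code from the post or from Opsware, Voyence or RANCID. It assumes IOS-style syntax (`ntp server X` at column 0, `policy-map NAME` followed by indented body lines), a policy minimum of two NTP servers (a chosen threshold), and three constructed sample configs rather than real devices.

```python
"""Configuration-policy audit over saved device configs (added example).

Assumptions, not facts from the post: IOS-style config syntax, a policy
minimum of two NTP servers, and constructed sample configs below.
"""
import re

MIN_NTP_SERVERS = 2  # policy threshold; an assumption for this example

# Constructed sample configs keyed by hostname (not real devices).
CONFIGS = {
    "edge-rtr-1": """\
hostname edge-rtr-1
ntp server 10.0.0.5
ntp server 10.0.0.6
policy-map WAN-OUT
 class VOICE
  priority percent 30
interface Serial0/0
 service-policy output WAN-OUT
""",
    "edge-rtr-2": """\
hostname edge-rtr-2
ntp server 10.0.0.5
policy-map WAN-OUT
 class VOICE
  priority percent 20
interface Serial0/0
 service-policy output WAN-OUT
""",
    "core-sw-1": """\
hostname core-sw-1
ntp server 10.0.0.5
ntp server 10.0.0.6
ntp server 10.0.0.7
""",
}

# Global-mode "ntp server <addr>" lines start at column 0 in IOS configs.
NTP_RE = re.compile(r"^ntp server (\S+)", re.M)


def ntp_servers(config):
    """Return the list of NTP server addresses configured on a device."""
    return NTP_RE.findall(config)


def policy_maps(config):
    """Return {policy-map name: tuple of stripped body lines}.

    A policy-map body is the run of indented lines that follows the
    'policy-map NAME' header; the first unindented line ends it.
    """
    maps = {}
    current = None
    for line in config.splitlines():
        if line.startswith("policy-map "):
            current = line.split(None, 1)[1]
            maps[current] = []
        elif current is not None and line.startswith(" "):
            maps[current].append(line.strip())
        else:
            current = None
    return {name: tuple(body) for name, body in maps.items()}


def audit(configs, min_ntp=MIN_NTP_SERVERS):
    """Return a list of (hostname, finding) tuples for policy violations."""
    findings = []
    # Rule 1: every device carries at least min_ntp NTP servers.
    for host, cfg in configs.items():
        n = len(ntp_servers(cfg))
        if n < min_ntp:
            findings.append(
                (host, f"only {n} ntp server(s) configured, policy requires {min_ntp}")
            )
    # Rule 2: a policy-map with a given name has the same body on every
    # device that defines it; the first device seen is the reference.
    seen = {}
    for host, cfg in configs.items():
        for name, body in policy_maps(cfg).items():
            ref_host, ref_body = seen.setdefault(name, (host, body))
            if body != ref_body:
                findings.append((host, f"policy-map {name} differs from {ref_host}"))
    return findings


if __name__ == "__main__":
    for host, finding in audit(CONFIGS):
        print(f"{host}: {finding}")
```

Run against the sample archive this flags edge-rtr-2 twice (one NTP server, and a WAN-OUT policy-map whose priority percentage differs from edge-rtr-1) and nothing for core-sw-1. The point of the structure is that each rule is a plain function over the parsed config, so adding the next check (an open port, a clear-text management protocol, a missing encryption setting of the kind PCI cares about) is one more function and one more loop, not a new tool.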