At 3:56 PM -0500 4/8/05, Network.Security wrote:
>Now, CISP / PCI on the other hand, that's the project funding behemoth
>you've all been waiting for. If you need money, say it's for PCI and
>poof-like-magic, here's the cash to make it happen. PCI has some fairly
>strict requirements that are defined to the network level regarding open
>ports, encryption schemes, use of clear-text, etc. Tools like Opsware
>can help enforce or at least notify on those data points.

What are CISP and PCI?

>Opsware and Voyence (we demo-ed them) both do some configuration
>templating so that if you are building out CPE, you can have it make
>your router configs or whatever, but for already installed networks, the
>templating is not valuable. I'm all about the configuration policy
>piece, I want to know how many of my devices don't have enough ntp
>servers configured, that sort of thing or down the road to make sure my
>QoS policies are consistent across the board. But that's all to get me
>to a point in time where everything is "right", it doesn't help me
>deploy new services all that differently than my perl scripts did
>before.

If all you're using config generation for is CPE (branch office and
employee home devices, for example), rather than your core systems,
then I don't think you're ever going to reap the benefits that I'm
contemplating. The trick, of course, is moving an existing network
from manually-configured, manually-maintained (and grossly
inconsistent) configurations to automated configurations without
disrupting service. It's hard, but I think it can be done, and is
worthwhile to do so.

>What I think you are talking about is an application aware network
>provisioning system. Something that is aware of all possible
>topological paths between endpoints and is smart enough to know how to
>configure all the hops / connections in between the two to make
>something happen. Like a DOS mitigation system or punching holes
>through a series of firewalls or configuring multi-hop VPN tunnels.

No, I was talking about something more general, although what you're
describing are examples of things ("applications", in a sense) that
you could build on top of what I'm talking about.

>BTW, Opsware and others would love to see this list if it grows and
>utilize it as a tool for soliciting industry-wide customer feedback. I
>would suggest consideration of that either for it or against (I don't
>really care) and noting it in the policy.

Vendors and developers are welcome to participate or lurk here,
although blatant and content-free self-promotion will be met with
ridicule from the audience (their potential customers). If you've
got any technical or product management contacts at various relevant
vendors, please let them know about the list:
http://www.greatcircle.com/network-automation/
-Brent
--
Brent Chapman <brent@greatcircle.com> -- Great Circle Associates, Inc.
Specializing in network infrastructure for Silicon Valley since 1989
For info about us and our services, please see http://www.greatcircle.com/
Network Automation blog: http://www.greatcircle.com/blog/network_automation
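
The configuration-policy check mentioned in the quoted text (finding devices that don't have enough NTP servers configured) can be sketched as follows. This is an added example, not code from the message or from any product named in it; it assumes IOS-style `ntp server` lines, a hypothetical minimum of two servers, and constructed sample configs.

```python
import re

# Assumption: IOS-style syntax, "ntp server [vrf NAME] ADDRESS [options]".
NTP_LINE = re.compile(r"^ntp server\s+(?:vrf\s+\S+\s+)?(\S+)", re.IGNORECASE)
MIN_NTP_SERVERS = 2  # hypothetical policy threshold, not from the post


def ntp_servers(config_text):
    """Return the set of distinct NTP server addresses in one device config."""
    servers = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        # "no ntp server ..." and "!" comment lines never match, because the
        # regex is anchored at the start of the stripped line.
        match = NTP_LINE.match(line)
        if match:
            # A set collapses the same address configured twice.
            servers.add(match.group(1).lower())
    return servers


def audit(configs, minimum=MIN_NTP_SERVERS):
    """Map each non-compliant device name to its sorted NTP server list."""
    failures = {}
    for device, text in configs.items():
        found = ntp_servers(text)
        if len(found) < minimum:
            failures[device] = sorted(found)
    return failures


# Constructed sample configs (documentation address ranges only).
SAMPLE_CONFIGS = {
    "core-rtr-1": "hostname core-rtr-1\nntp server 192.0.2.10\nntp server 192.0.2.11 prefer\n",
    "edge-rtr-7": "hostname edge-rtr-7\nntp server 192.0.2.10\nntp server 192.0.2.10 prefer\n",
    "branch-sw-3": "hostname branch-sw-3\n! ntp server 192.0.2.10\nno ntp server 192.0.2.11\n",
    "dc-rtr-2": "hostname dc-rtr-2\nntp server vrf MGMT 198.51.100.5\nntp server 198.51.100.6\n",
}

if __name__ == "__main__":
    for device, servers in sorted(audit(SAMPLE_CONFIGS).items()):
        print(f"{device}: {len(servers)} NTP server(s) configured {servers}")
```

Counting distinct addresses rather than matching lines is what catches the `edge-rtr-7` case, where the same server is listed twice.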