Scott - do you guys use this as well:
http://www.opnet.com/products/itsentinel/ITSentinel.pdf
I noticed you are from Target and they list Target as a customer. From
their site it looks like they started out as a predictive analysis sort of
thing, but also have some config mgt, possibly added later??? If you do
use it, can you comment on it?
Thanks!
On Fri, 8 Apr 2005, Network.Security wrote:
> OK, I'll bite.
>
> We use Rendition (now Opsware) for config mgmt. of our network stuff and
> the change detection / archival function has already saved my butt a
> number of times. Our engineers gripe about the Big-Brother aspect, but
> per the quasi-rant about SOX / CISP / PCI it's a fact of life now for
> any SEC-filing corp at a minimum.
>
> I realize this is somewhat OT for this list, but SOX (in general)
> shouldn't really matter to network admins (network meaning L1 to ~L4),
> as SOX is all about altering the financial data. As a network person,
> you can certainly see all of that data, but you can't change it (packet
> injection doesn't count, most apps pick up on that sort of activity even
> if they don't know why they know :) For that you need to be a server
> admin / DBA, so for true network people, we don't really care. (Loose
> generalization there. Re: caring)
>
> As for Opsware, their SOX report is static. It doesn't tell you
> anything. It's just text so the tool offers no value to that.
>
> Now, CISP / PCI on the other hand, that's the project funding behemoth
> you've all been waiting for. If you need money, say it's for PCI and
> poof-like-magic, here's the cash to make it happen. PCI has some fairly
> strict requirements that are defined to the network level regarding open
> ports, encryption schemes, use of clear-text, etc. Tools like Opsware
> can help enforce or at least notify on those data points.
>
> Re: free tools, I think we've all heard of RANCID as a config-o-monitor
> (I personally am CVS debilitated and have not yet been able to make it
> work on any platform). Big companies do not like free tools. That's
> why Linux was not making progress in large enterprises until we could
> start paying for it (aka Red Hat). If they can't get maintenance /
> support for something that the business needs, it's not coming into the
> environment. This makes sense, though not really from a "help us stay
> on the cutting-edge of technology aspect".
>
> Opsware and Voyence (we demo-ed them) both do some configuration
> templating so that if you are building out CPE, you can have it make
> your router configs or whatever, but for already installed networks, the
> templating is not valuable. I'm all about the configuration policy
> piece, I want to know how many of my devices don't have enough ntp
> servers configured, that sort of thing or down the road to make sure my
> QoS policies are consistent across the board. But that's all to get me
> to a point in time where everything is "right", it doesn't help me
> deploy new services all that differently than my perl scripts did
> before.
>
> What I think you are talking about is an application aware network
> provisioning system. Something that is aware of all possible
> topological paths between endpoints and is smart enough to know how to
> configure all the hops / connections in between the two to make
> something happen. Like a DOS mitigation system or punching holes
> through a series of firewalls or configuring multi-hop VPN tunnels.
> Yeah, that doesn't exist as far as I know. Or more to the point, I'm
> sure these tools could do that, but the work required on the front-end
> won't end up saving you anything on the back-end. Oh and it has to be
> vendor-agnostic. Heh.
>
> That market is more in the NetDoctor or related simulation style
> configuration analyzers that do the what-if type stuff or there are a
> couple other QoS policers out there that do something similar, but they
> are niche market tools for QoS only and appliances at that.
>
> So to your question, No would be my answer, there isn't something like
> that out there today, there are point solutions that solve particular
> aspects of the overall issue, but nothing end-to-end.
>
> BTW, Opsware and others would love to see this list if it grows and
> utilize it as a tool for soliciting industry-wide customer feedback. I
> would suggest consideration of that either for it or against (I don't
> really care) and noting it in the policy.
>
> Scott.altman@target.com
>
>
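Added example, not part of the thread and not code from any product named in it: a minimal version of the "configuration policy" check described above, run over archived configs to report devices with too few NTP servers or with clear-text telnet allowed on the VTY lines. It assumes Cisco IOS-style syntax; the device names, addresses and the threshold of two NTP servers are constructed for illustration.

```python
import re

# Constructed sample configs (Cisco IOS-style syntax assumed), keyed by a
# made-up device name, as a config archive might hold them.
SAMPLE_CONFIGS = {
    "edge-rtr-1": """\
ntp server 192.0.2.10
ntp server 192.0.2.11
line vty 0 4
 transport input ssh
""",
    "edge-rtr-2": """\
ntp server 192.0.2.10
ntp server 192.0.2.10 prefer
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
""",
    "branch-sw-7": """\
line vty 0 4
 login local
""",
}

MIN_NTP_SERVERS = 2  # assumed policy threshold; the post names no number


def audit_config(text, min_ntp=MIN_NTP_SERVERS):
    """Return a list of policy findings for one device config."""
    findings = []
    ntp = set(re.findall(r"^ntp server (?:vrf \S+ )?(\S+)", text, re.M))
    if len(ntp) < min_ntp:
        findings.append(f"ntp: {len(ntp)} distinct server(s), need {min_ntp}")
    # Each 'line vty' stanza is its header plus the indented lines under it.
    for hdr, body in re.findall(r"^(line vty [\d ]+)\n((?:[ \t]+.*\n?)*)", text, re.M):
        m = re.search(r"^\s+transport input (.+)$", body, re.M)
        allowed = m.group(1).split() if m else None
        if allowed is None:  # flagged so the platform default is never relied on
            findings.append(f"{hdr.strip()}: no explicit transport input")
        elif {"telnet", "all"} & set(allowed):
            findings.append(f"{hdr.strip()}: clear-text telnet permitted")
    return findings


def audit_archive(configs):
    """Map device name -> findings, omitting compliant devices."""
    results = {name: audit_config(text) for name, text in configs.items()}
    return {name: f for name, f in results.items() if f}
```

Calling `audit_archive(SAMPLE_CONFIGS)` returns findings for `edge-rtr-2` and `branch-sw-7` only; duplicate `ntp server` lines for the same address count once.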