enterprise change/configuration management and compliance software?
Gentlemen (and Ren!): ;-)
I'm currently investigating options w.r.t. enterprise-wide (over 250 device, and by 'device' i mean router and/or switch) configuration management (and (ideally) compliance-auditing_and_assurance) software.
We currently use Voyence (now EMC) and are looking into other options for various reasons, support being in the top-3 ...
So, I pose: To you operators of multi-hundred-device networks : what do you use for such purposes(*) ?
(*)see subject
This topic seemed to spark lively debate on efnet, so i thought it appropriate to ask here. Feel free to respond privately (and I will post summaries to the list), or direct.
In any case, for the benefit of all, I will post in any case my/our findings.
Thanks in advance,
jamie rishaw
jamie (j) writes:
device, and by 'device' i mean router and/or switch) configuration management (and (ideally) compliance-auditing_and_assurance) software.
We currently use Voyence (now EMC) and are looking into other options for various reasons, support being in the top-3 ...
So I guess using something tried, tested and free like Rancid + ISC's audit scripts are not within scope ?
So, I pose: To you operators of multi-hundred-device networks : what do you use for such purposes(*) ?
Rancid :) (+ and now some home developed stuff)
This topic seemed to spark lively debate on efnet,
The current weather would spark lively debate on most IRC channels.
Phil
Well, at Exodus we started talking about IASON. In the long run everybody was afraid of IASON. They dared not work on it. Later I developed some bits and parts.
When we changed hardware in a small company (200 PCs, 20 servers, 5 HP Procurve switches and two routers) IASON would discover the switches as fast as they were powered and would move them to a management network. Operators and management were not amused. IASON was changing passwords and ip-addresses :) That has been the only try.
The idea is still a prolog based AI system, learning and knowing every hardware, how it is configured and connected.
You move a PC from one location to another because people do move or because a port on a switch has gone dead. IASON reprogrammes switches and ports so you get the same VLAN.
Somebody is replacing a switch for whatever reason. IASON finds the new switch and sees the connected pcs and uplinks. It reconfigures the switch so as to replace the old one. You do not even need to mind where everything was connected. IASON can change across vendors.
I guess it will take some time - but in the long run we will get it and it will be open source.
Kind regards
Peter
Phil Regnauld wrote:
jamie (j) writes:
device, and by 'device' i mean router and/or switch) configuration management (and (ideally) compliance-auditing_and_assurance) software.
We currently use Voyence (now EMC) and are looking into other options for various reasons, support being in the top-3 ...
So I guess using something tried, tested and free like Rancid + ISC's audit scripts are not within scope ?
So, I pose: To you operators of multi-hundred-device networks : what do you use for such purposes(*) ?
Rancid :) (+ and now some home developed stuff)
This topic seemed to spark lively debate on efnet,
The current weather would spark lively debate on most IRC channels.
Phil
-- Peter and Karin Dambier Cesidian Root - Radice Cesidiana Rimbacher Strasse 16 D-69509 Moerlenbach-Bonsweiher +49(6209)795-816 (Telekom) +49(6252)750-308 (VoIP: sipgate.de) mail: peter@peter-dambier.de http://iason.site.voila.fr/ https://sourceforge.net/projects/iason/ http://www.cesidianroot.com/
On Tue, Apr 15, 2008 at 2:31 AM, Phil Regnauld <regnauld@catpipe.net> wrote:
jamie (j) writes:
device, and by 'device' i mean router and/or switch) configuration management (and (ideally) compliance-auditing_and_assurance) software.
We currently use Voyence (now EMC) and are looking into other options for various reasons, support being in the top-3 ...
So I guess using something tried, tested and free like Rancid + ISC's audit scripts are not within scope ?
That was my first thought, but in the industry I'm currently in (financial), open sourceware for things like this is a definite [fail].
So, I pose: To you operators of multi-hundred-device networks : what do you use for such purposes(*) ?
Rancid :) (+ and now some home developed stuff)
fail
This topic seemed to spark lively debate on efnet,
The current weather would spark lively debate on most IRC channels.
Phil
haha. depends on the day and what other scandals were ao
There are tons of products out there. You could try looking at Cisco Network Compliance Manager. It supposedly has built-in compliance rules for financial institutions (GLB, SOX, etc). If you want to pay, people will gladly take your money.
Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of jamie
Sent: Tuesday, April 15, 2008 9:35 AM
To: Phil Regnauld
Cc: nanog@merit.edu
Subject: Re: enterprise change/configuration management and compliance software?
On Tue, Apr 15, 2008 at 2:31 AM, Phil Regnauld <regnauld@catpipe.net> wrote:
jamie (j) writes:
device, and by 'device' i mean router and/or switch) configuration management (and (ideally) compliance-auditing_and_assurance) software.
We currently use Voyence (now EMC) and are looking into other options for various reasons, support being in the top-3 ...
So I guess using something tried, tested and free like Rancid + ISC's audit scripts are not within scope ?
That was my first thought, but in the industry I'm currently in (financial), open sourceware for things like this is a definite [fail].
So, I pose: To you operators of multi-hundred-device networks : what do you use for such purposes(*) ?
Rancid :) (+ and now some home developed stuff)
fail
This topic seemed to spark lively debate on efnet,
The current weather would spark lively debate on most IRC channels.
Phil
haha. depends on the day and what other scandals were ao
Look into Ziptie.org We use Alterpoint's Network Authority.
On Mon, Apr 14, 2008 at 9:13 PM, jamie <j@arpa.com> wrote:
Gentlemen (and Ren!): ;-)
I'm currently investigating options w.r.t. enterprise-wide (over 250 device, and by 'device' i mean router and/or switch) configuration management (and (ideally) compliance-auditing_and_assurance) software.
We currently use Voyence (now EMC) and are looking into other options for various reasons, support being in the top-3 ...
So, I pose: To you operators of multi-hundred-device networks : what do you use for such purposes(*) ? (*)see subject
We have several thousand network devices currently in play:
mpetach@nowherespecial:/tftp/conf/latest> ls *.conf | wc -l
7419
mpetach@nowherespecial:/tftp/conf/latest>
I hand read each device configuration check-in email that goes past to see if there's errors in the configs, security violations, or other WTF-ish elements in the config check-in, and mail back a nag notice to the person who changed the config.
Currently, I receive between 1900 and 3000 email messages a day. I sleep 3 hours a night.
jamie rishaw
Hope that helps answer your question. Matt
participants (6)
- Fred Reimer
- jamie
- Matthew Petach
- Peter Dambier
- Phil Regnauld
- Yamasaki, Charles