Enterprise Networks & Servers
September 2007 issue
Features 

Is Network Configuration Management Automation the Next Corporate Mandate?

It is ironic that as data centers consolidate, the supporting networking infrastructure is becoming more dispersed in support of far-flung branch offices, remote employees, contractors and business partners. Inevitably, this highly dispersed infrastructure is heterogeneous--comprising many different kinds of networking products from many different vendors. Add to that the blur of acquisitions and divestitures that mash diverse networking elements together as the ink dries on billion-dollar deals and you get intense pressure to improve the ability to see, control and audit a broad range of dissimilar network device configurations.

The pressure to closely manage device configurations also comes from another urgent fact of corporate life: regulatory compliance. While Sarbanes-Oxley has received the most corporate time and resources, there has also been a lot of focus on the Payment Card Industry Data Security Standard (PCI DSS) — and based on the headlines, rightfully so. Unlike many of the prominent compliance regulations, PCI DSS is more prescriptive in what is required of organizations that handle credit card information. The standard has 12 major sections, including PCI DSS No.1, which focuses on the configuration and management of critical networking devices such as firewalls and routers. PCI DSS stipulates several requirements:
A formal process for approving and testing all external network connections and changes to the firewall configuration
A current network diagram that includes all connections to cardholder data, including any wireless network connections
Descriptions of groups, roles, and responsibilities for logical management of network components

As data-center consolidation creates ever more complex and distributed networks to reach computing resources, and as compliance dictates demonstrated policies and control, network configuration management solutions are emerging as a critical lynchpin in delivering on the productivity and ROI promises of the new server deployment paradigm.

BIG-PICTURE VIEW OF NET CONFIGURATION MANAGEMENT

Today, the management of network elements such as routers, switches, firewalls, VPN access points and more is generally done by "siloed" tools provided by the equipment vendors. Because most networks feature a preponderance of Cisco equipment, inevitably network engineers will be using a product called CiscoWorks in one form or fashion. However, seldom do these tools span the variety of equipment that now populates global networks and never will they handle another vendor's products — and CiscoWorks is no exception.

Moreover, these tools rely on idiosyncratic command-line interfaces that require network engineers to learn and remember a myriad of arcane protocols, passwords and sign-ons, commands and device architectures. As WAN optimizers and wireless and VPN access points are added to standard routers and switches, the result is a growing Tower of Babel that requires the organization to either staff expertise for each vendor and device type or rely on a handful of network "superstars" to make all but the most trivial changes to the network. Either way, efficiencies gained at the server level from consolidation can easily leak away via network inefficiencies. And given the ad hoc and uncoordinated nature of siloed configuration tools, audit trails and compliance documentation are typically not generated in the heat of servicing the network.

Thankfully, the problem of disconnected and inefficient network configuration management has been recognized and attacked in much the same way that data center management deals with blades and servers. The keys to success for network configuration management are similar to those for server management success:
A CLEAR UNDERSTANDING OF THE OPERATING ENVIRONMENT. For network configuration management, this means automated discovery of a complete view of the Layer 2 and Layer 3 network topology along with an understanding of the attributes of the connected servers and endpoints.
A NORMALIZED VIEW OF THE KEY INTERFACES. In the case of network configuration management, this is a universal user interface that enables a network engineer to make device changes in a heterogeneous environment, independent of the vendor that supplied the product. Since most organizations find that 80 percent of all network changes are tedious, simple tasks, the more of these activities that can be captured in simple-to-use wizards, the more lower-level staff can perform the work.
CONTROL OF ROLES, AUTHORITY AND WORKFLOW. Most organizations want to escalate certain types of network actions for review and approval. To support this control, the network configuration management system must be able to define roles and responsibilities by individual or title, as well as to define authorization procedures to involve senior technical and management staff.
DEFINITIONS OF POLICY AND DESIRED STATE. An example of a common network configuration standard is the CIS Cisco Gold Standard, which outlines settings for Cisco routers and switches consistent with the National Institute of Standards and Technology (NIST) recommendations for best practices. Organizations may have their own set of policies for these devices, and the network configuration management product should be able to easily incorporate them.
A MECHANISM TO AUDIT AND REPORT ON COMPLIANCE. As noted above, compliance is forcing formal audit trails and reporting on the networking infrastructure. This requires the codification of configuration policy and settings and the tracking of any changes to the device settings. Any deviation from defined standards must be identified, alerted on and reported.
REAL-TIME ACTION. While compliance mandates may only require accurate reporting on network configuration status, security and risk management is increasingly a real-time proposition. As a result, many organizations are implementing closed-loop network configuration management processes that start with a change to a device setting that alerts the configuration manager, which in turn assesses whether the change is acceptable and if not, returns the device to an in-compliance state.
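
The audit and closed-loop steps in the last two items, sketched as an added example that is not part of the original article or of any vendor product: a drifted running configuration is compared with the approved baseline, checked against a codified policy, and the commands that restore compliance are produced. The policy entries, the device name and both sample configurations are constructed assumptions.

```python
# Added example: policy pairs are illustrative assumptions, not CIS text.
REQUIRED = {("", "service password-encryption"), ("", "no ip http server"),
            ("line vty 0 4", "transport input ssh")}
FORBIDDEN = {("", "snmp-server community public RO")}
# Constructed samples: the approved baseline and a drifted running config.
BASELINE = """hostname edge-rtr-01
service password-encryption
no ip http server
!
line vty 0 4
 transport input ssh
"""
RUNNING = (BASELINE.replace("no ip http", "ip http").replace("ssh", "telnet")
           + "snmp-server community public RO\n")

def parse(config):
    """Flatten an IOS-style config into (parent section, line) pairs."""
    pairs, parent = set(), ""
    for raw in config.splitlines():
        text = " ".join(raw.split())          # normalise whitespace
        if not text or text.startswith("!"):  # blank line or comment
            continue
        if raw[0].isspace():                  # indented: child of section
            pairs.add((parent, text))
        else:                                 # top level: new section
            parent = text
            pairs.add(("", text))
    return pairs

def audit(config):
    """Return policy deviations as sorted (kind, parent, line) tuples."""
    have = parse(config)
    return sorted([("missing", p, l) for p, l in REQUIRED - have] +
                  [("forbidden", p, l) for p, l in FORBIDDEN & have])

def remediation(deviations):
    """Build the commands that return the device to a compliant state."""
    cmds = []
    for kind, parent, line in deviations:
        if parent:
            cmds.append(parent)               # enter the section first
        cmds.append(line if kind == "missing" else "no " + line)
    return cmds

def on_change(baseline, running):
    """Closed loop: what changed, is it acceptable, how to revert it."""
    devs = audit(running)
    return {"changed": sorted(parse(running) ^ parse(baseline)),
            "deviations": devs, "remediation": remediation(devs)}
```

Calling `on_change(BASELINE, RUNNING)` gives the audit trail entry (changed lines), the deviations to alert on, and the remediation commands; a real deployment would hold the policy per device role and route the remediation through the approval workflow described above.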

NEW VALUE TO CONSOLIDATED DATA CENTERS

A network configuration management system that embodies the attributes described above creates consolidated, simplified control of the network that is analogous to what is being automated for the data center. As an example, all routers in the network can be controlled and changed with the same interface, independent of the vendor source. When new devices or equipment are added, automated network discovery detects the event, which results in provisioning consistent with corporate standards. If adjustments in bandwidth are required or traffic must be re-routed, all configuration changes are done centrally, documented and reported.

It is ironic that in the struggle between the network and the servers ("the network is the computer"--no, blades, blades, blades) for the hearts and minds of IT, data-center consolidation is vesting even more power in the network infrastructure. Centralized computing services require extensive and comprehensive pipes to bring far-flung employees, customers and partners to critical business processes. And despite Cisco's dominance, this trend is spawning new vendors with new types of products such as WAN optimizers and wireless connections.

These products accommodate both the desire for ubiquitous connectivity and the need for real-time operation. As businesses invest in data center consolidation and automation, comprehensive, efficient and effective heterogeneous network configuration management has never been more important. ENS

Larry Lunetta is vice president and product line executive at Network Products at ArcSight. As leader of ArcSight's Customer Success Ownership program and the professional services group, Lunetta works closely to align customers' security goals and objectives with key ArcSight resources. While at ArcSight, Lunetta has also served as vice president of marketing and business development responsible for the company and product launches.

 
This article appears in the September 2007 issue of Enterprise Networks & Servers.

Copyright ©2003-2010 by Publications & Communications Inc. (PCI)
All rights reserved. Reproduction without written consent is prohibited.
