|
Network change management has approached buzzword status in the operations world. But as common as the term is, the practice it defines is not as prevalent as you would think. While many network administrators pay lip service to the importance of tracking configurations on all of their devices, the disturbing truth is that most are cavalier about this kind of accounting.
"The thing about tracking configuration changes is that most places don't," says Brian Hatch, principal at Onsight Inc. and author of "Hacking Linux Exposed." "Even those that are doing it aren't doing it enough."
As a consulting network administrator, Hatch has worked with companies with as few as 30 network devices and as many as 300. While he sees many colleagues at other companies neglect configuration change management, he embraces the idea of meticulously tracking his device configurations.
Whether or not you keep track of them, your network configurations will change. Your network is constantly adding new devices, new services, and new users, all of which demand configuration changes. Add to that the changes troubleshooting can cause, and you have a constantly shifting network.
And these days even the smallest networks can be a complex jumble of devices, each from different vendors with different configuration standards and interfaces. In this time of IT budget cuts, few operations departments can afford the single vendor approach.
This mix of constant change and varied devices can spell disaster if you don't keep track of configurations. While security is an important factor in committing to meticulous configuration tracking, even more prominent is the risk of increased downtime. One wrong configuration can shut down whole enterprise systems, and without proper accounting, the task of finding the error becomes frightful.
 Keep It Clean
Network change management isn't as tough as it sounds. Some- times it is as simple as keeping clean records.
Standardization. A good network change management strategy depends on a number of actions. One of the first is standardization. By employing standardization throughout the network, you have already made a big step toward keeping track of alterations. Start by developing protocol for configuring each type of device and then implement these with configuration templates. From there, you might even want to try standardizing file naming and IP addressing schemes. Once you have a good knowledge of your baseline, it will be much easier to know how things have changed.
Plan ahead. While tinkering may be fun, ad hoc configuration changes can cost your company money and you your job. Rather than making alterations on the fly, consider implementing a front-end review system for major configuration changes. Even if you work in a one-man IT department, you could benefit from peer reviews. Ask a colleague to look over your configurations for any discrepan configurations for any discrepancies you may have missed.
"The peer review process is extremely important," says Edwin Wargo of R2 Consultants in East-on, Penn. "To have a second set of eyes to review the changes on the front end is probably the best thing you can do to manage change."
Record keeping and backups. If there is a theme to learn from most configuration management plans, it is that good record keeping is critical. Even the smallest companies can benefit from meticulous documentation.
"We have a smaller network with only about 130 users," says Scott Kells of Spokane, Wash.,-based XN Technology. "But we have a running database that we continually keep tabs on. Any time we make changes we input them into the database."
Gold Wire Technology's Formulator combines hardware and software for a high-end network change management system. | Keep text copies of configuration files before and after you make changes. That way you have a copy of the current configuration and one of the previous settings in case the system fails. To cover your bases, make backup copies of your configurations each night.
File centrally. Your configuration backups won't be useful if they are scattered ac-ross the network. File them in a central location to reap the benefits of your change tracking.
"Every time I want to change the host file, I make a change to my text file," Onsight's Hatch says, "then I submit it to the main repository. Now all of the changes are easy to find because they are in one spot."
Relying only on the device system log hurts most in times of need. Should the network go down, it is much easier to troubleshoot at one terminal rather than frantically checking each device.
Make comments. It is easy enough to track changes, but if you don't also keep track of the reasons for these modifications, you aren't finishing the job.
"My biggest suggestion for keeping track of configuration changes is to document your configurations with comments," says Shane Milburn, who administers the 127-device network of Intel's LTD Automation group. "You need to document why things are configured so your colleagues know that there is a reason for each setting."
Scripting. Once you start to regularly back up your files, you can closely monitor changes with the use of scripting tools.
"We have developed some PERL scripts that will go out and grab the configuration file, pull it back to central file, and we can diff them," says David Lawson, a managing consultant at Greenwich Technology Partners.
Many like Lawson and Hatch use scripting tools to compare old and new configuration files for changes. This simple automation tool can prove to be a powerful method for discovering unwanted changes.
Accountability. One last strategy for an effective change management plan is heightened accountability. According to recent studies, nearly 70% of operations departments use shared logins. Unique operator logins can increase accountability and can help you quickly find the source of a change.
Go Commercial
If your department doesn't have the manpower to effectively track changes, you're in luck. A number of companies have developed powerful products that can far surpass homegrown methods for tracking configurations.
Products such as Tripwire (www.tripwire.com), Rendition Net-work's True Control (www.renditionnetworks.com), Gold Wire Technology's Formulator (www.goldwiretech.com), and Alter-Point's DeviceAuthority (www.alterpoint.com) can help automate changes, track configurations, and monitor for unwanted changes. In addition, these tools can help managers pinpoint when changes were made and who made them.
Considering that 31% of network outages are caused by human error, these commercial options can be a welcome alternative. By taking the human element out of change management, companies can save a lot of money with reduced network downtime. These solutions are especially appealing to network administrators who work in heavily regulated industries such as the financial and health care sectors or to those who depend on their network to deal with the public.
As operations manager for Salary.com, John Desharnais began using True Control less than a year ago. Though the company is small, its Web site gets about 20 million hits a month and Desharnais is responsible for keeping his server farms up and running.
"Prior to [True Control] we had our own software that was in place but didn't know how to centralize it," Desharnais says. "We had multiple admins doing multiple configuration checks that weren't being centrally monitored. This has made the daily and weekly auditing processes much smoother."
Keith Logan of First American Flood also sees the benefits of using a commercial product to track changes. Logan is the one-man IT department, managing about 50 devices on his network. Though he could manually track changes, using AlterPoint DeviceAuthority frees time for more important tasks.
Logan says the choice to switch to AlterPoint was simple: "I saw an article about the company and called them up right away because it seemed like the perfect product to fill my needs."  by Ericka Chickowski
|
