Divide and conquer
A collection of new software tools can beat configuration management problems
- By Doug Beizer
- Jan 19, 2009
This past election season might have been all about change, but for information technology managers, change poses multiple challenges.
Configuration changes to servers, routers, desktop computers and other devices could lead to network crashes or, even worse, security breaches.
Networks and computers require changes on a regular basis, which adds to the complexity. IT managers must make patches to systems, install operating system updates and provide users with new applications.
Managing all that manually on hundreds or thousands of computers, servers and other devices is impossible.
The newest configuration management tools not only automate those tasks but also help government agencies comply with myriad federal regulations.
KEEP REMOTE NETWORKS RUNNING
Take as an example an agency of the Justice Department with hundreds of offices scattered nationwide. Employing an IT official at each location to manage updates is impractical and would be expensive.
Instead, the agency installed network management and monitoring appliances in many of its remote offices.
“They’re in the process of rolling out the next phase of infrastructure to make it possible to change network configurations and other devices using our platform,” said Mark Piening, vice president for marketing at Uplogix Inc., a provider of remote management products. He said the agency asked not to be named.
“They don’t have enough IT people to put one in each of those locations,” Piening said. “They want to manage change to make sure the networks are up so that their people can get information about cases, process cases and do research.” Keeping networks configured correctly and operating are the tool’s two main goals, Piening said. A stable network is essential for Uplogix’s Justice client.
The tool provides persistent connectivity to managed devices. It monitors them locally, performing maintenance or recovery tasks as needed and constantly enforcing security policies regardless of the state of the network.
“It lets them make changes without the risk that the changes will break the network,” Piening said. “It eliminates the need to have to fly somebody out there to fix a problem.” One way to remotely change a system is through a console server via a modem connection. But that opens an organization to security risks, he said.
Dedicated management tools provide a much more secure connection between a home office and outlying bureaus.
“Our platform only dials out when there’s an issue,” he said. “So if you break something by pushing a change, then the secure remote management dials back to the network operations center so that the network can access that device and fix it.” Many remote management tools fix problems automatically without human intervention. It is also possible to roll back broken systems to a prior state when everything operated properly.
Starting in 2007, federal agencies’ computers running Microsoft XP or Vista were required to adhere to a strict security configuration mandate from the Office of Management and Budget. The Federal Desktop Core Configuration (FDCC) mandate identifies hundreds of security controls that must be set in a certain way.
The mandate is an effort to block persistent cyberattacks, said Mike Rothman, senior vice president of security strategy at eIQnetworks Inc., a provider of integrated security, risk and audit management services.
“OMB wants the standard configuration mostly to eliminate security variability and try to stop a number of attacks that had been plaguing everybody,” he said.
The mandate covers every government agency including the Millennium Challenge Corp., a government group that strives to reduce global poverty through the promotion of sustainable economic growth.
Systems integrator Iron Vine Security LLC is assisting the organization with configuration issues, said Bill Geimer, Iron Vine’s president.
“Millennium Challenge is required as a government entity to report on its success on FDCC, and we’re audited for compliance with that standard,” Geimer said. “It is kind of a big deal in the federal space to get all of your systems compliant, and it is not easy.” Millennium Challenge selected a configuration and compliance management tool from nCircle Network Security Inc., a company that automates the auditing and compliance aspects of configuration management.
Some management tools require that an agent — a program that performs a small, well-defined information-gathering or -processing task in the background — be installed on every computer in an organization. The tool Millennium Challenge selected does not require an agent; it automatically seeks out every computer on a network and examines its configuration.
“Very often the system that has sort of fallen off your radar is a system that you wouldn’t have an agent on anyway,” Geimer said. “It might be an old legacy machine or something someone introduced in the lab, and that’s why it is nice to have an agentless system. It eliminates the need to have another disciplined process of having that agent installed everywhere.” Configuration tools such as nCircle’s also make it possible to create custom queries for examining an infrastructure.
For example, an agency that is doing a technology refresh can run a query to find all the computers it wants to dispose of. The query can look for a model, operating system or other identifier.
Although configuration is important for protecting a network, Rothman warns against relying on it alone.
“Configuration is one part of a more holistic data and infrastructure protection type of mentality that organizations really need to start to think about,” he said. “Configuration is one of the first things people should do, but that doesn’t mean you shouldn’t be paying attention to what’s happening in your environment, your applications and networks.” Agencies often start with well-configured devices, but over time those configurations break down, Rothman said.
“When they first go in, they have standard builds and they have different ways to build up these machines. But as things change and new applications get deployed, then the configurations kind of get out of control.” Tools that audit networks for those types of changes help agencies stay on top of proper configurations, thereby helping them stay compliant with internal policies and external mandates, Rothman said.
They also allow “you to apply a performance expectation on the internal teams responsible for managing configurations to ensure they’re doing their jobs,” he said.