Sunday, November 26, 2006

Housekeeping on other projects (BI, MSSQL)

I am working on implementing a new shared SQL cluster to help improve our Openview tools to run on a better hardware infrastructure. I also hope to leverage that SQL server for Iconclude, a workflow tool we are implementing more and more. I am trying to get a proper, cleaner server architecture for the tools. I am also adding a high-end server for the BI tool to compile the Proclarity cubes going forward.

The server config mgmt race is coming to a close, with Bladelogic seeming to have the win so far. I am working on the final touches of the evaluation.

I am also on the home stretch with the Symantec versus Quest database tools, and hope to wrap that up in 2 weeks.

That's mostly it on my major projects. I have a lot of other smaller projects, including:

  • Qip Integration
  • Monitoring work for better consistency on some of our internal apps
  • Coradiant next gen products
  • Business Intelligence work with Proclarity
  • Syslog integration for Coradiant Truesight and Onaro Sanscreen
  • Trap integration for database tools
  • Coradiant instrumentation of some leased line infrastructure

Network Configuration Management

The other areas we are looking at around the network tools are the Opnet suite for engineering (which is a serious investment for a tool), and the configuration management areas.

We have gotten several demos, and sent out 4 RFPs. Out of the 4 we sent out, we got 3 back. We are trying to get it down to 2 vendors for a POC. This is slightly different than the server side, because I have a much larger team to work with on the POC and the work needed to get it down to a great tool for us. Here are the criteria extracted from the RFP; there will be more on this as we move forward narrowing down the field of 3 (HP OVNCM, Opsware NAS, Alterpoint DeviceAuthority):

Requirement and Sub Facts:

  • Company Viability and History
      o Customers of specific product
      o Revenue Growth FY 05-06
      o Total Revenue FY 05
  • Install Base
      o Financial Customers
      o Largest Install
  • Technologies
      o Windows
      o Linux
      o Java
      o Perl
      o Native Eclipse, Visual Studio, or other native IDE
      o XML
      o MSSQL
      o Oracle
      o Mysql
      o X64
  • Extensibility and Robustness
      o Portal
      o Web Services API
      o .NET, Java, Perl API
      o CLI
      o Open CMDB
      o DR/HA
      o Active Directory, TACACS, RADIUS
      o Granular permissioning
  • Device Support
      o Nortel, Cisco, F5, Checkpoint
      o telnet, ssh, rlogin, snmp, oob
      o Auto discovery of devices
      o De-Duplication of devices
      o Dynamic grouping
  • Configuration and Usage
      o Ease of Installation
      o Reporting (PDF, XML, HTML, DOC, CSV)
      o Report Delivery
      o Modeling and Visio support
      o Support for Perl, Expect, and Shell
      o Syntax checking
      o No java or plugin client
      o Upgrade IOS with verification of hardware support
  • Change Tracking
      o Comparison Live to Snap
      o Change notification to run collection (syslog, snmp)
      o Generate SNMP traps for changes
      o Enforcement of peer review before implementation
      o Compliance templates (SOX, GLBA, etc) with weighted application
      o Keystroke logging
      o Tracking of CPU, Memory, Users per device
  • Asset Management
      o Contract management
      o Integration with Cisco Contract site
  • Cost and Community
      o Maintenance Fees
      o List Price
      o User group meetings
      o Online user groups
      o Free development licenses

Managed firewall monitoring services

We are looking at a couple of vendors in the Managed Security Services space (MSS) to do some firewall monitoring for us. Essentially they give us an added line of data security and best practices that we don't already have the capabilities to do. We are testing them on 3 pairs of key firewalls. These products do several things:

  1. Absorb all of our firewall logs to a 3rd party, who does correlation, distillation, and has analysts who look at major events across the customer base.
  2. Send back alarms for critical issues and worms they detect.
  3. Log and report on the data, trends, and how our data compares against the collective whole of their customers.

The two vendors we are looking at have different pros and cons about their technology, methodology, and ability to provide these.

Eventually, if this goes as planned and there is a major benefit, which will be easy to prove I believe, then we will roll this out to all major firewalls (of which we have about 70). I will also work on implementing Snort IDS systems to help give the MSS more data and provide better visibility to our security events.

Wednesday, November 8, 2006

Configuration Management and Datacenter Automation Status

I have been evaluating the following vendor solutions for the past 3 weeks. We have all 4 of them installed in a small test environment consisting of varying Windows systems and technologies running on the systems. We are focusing on current pain points in configuration management, and we are also evaluating technology which we will need in the medium term as well. I am going to review how they are stacking up as I fill out the matrix of which products are supporting the requirements.

Requirements:

  • Monitor and track configuration/policy
      o Create policy off Live including patches and settings
      o Track compliance to the policy
      o Enforce the policy
      o Track changes made outside the product
      o Prevent the execution of a specific exe or file
  • Architecture
      o Ability to have proxies in datacenters/envs
      o Ability to have decentralized control over envs
      o Ability to use a single uni-directional port
  • CMDB
      o Visualize relationships between servers
      o Visualize relationships between server and network
      o Track dependencies of servers and websites
      o Configuration Management Interoperability
  • Manage users and services
      o Manage local users across servers
      o Replicate credentials to other servers
      o Manage services in real-time
      o Verify status of services in real-time across servers
      o Verify services port usage
  • Usability
      o How easy is the product to administrate
      o How easy is the product to use
      o How easy is the product to configure and setup
  • Software asset collection
      o Collect software revision and install details
      o Collect how often and for how long software is used
  • Hardware asset collection
      o Collect data via DMI or Standard Protocol
      o Collect detailed information
  • Reporting capability
      o Export to PDF, XLS
      o Report on compliance, changes, and activity
      o Open database with views that make it easy to query
  • Software Deployment
      o Support for MSI, RPM, and Sun Packages
      o GUI for creating Packages
      o Search and replace
      o Reverse engineer files into packages
      o Rollback
      o Notifications via SNMP and SMTP
      o Download patches, deploy, and rollback patches
      o Create a policy of patches
  • PXE deployment
      o Provision OS and policy in one job

The products we are reviewing are (in order of the installs):

CA – DSM, Cendura, and CMDB – The CMDB is the glue between the other components. The suite is very well done, and does a good job in general. There is not as granular policy control as some of the others. There is also not a good package of supported configurations in the DSM product. So far I would rank them 2nd or 3rd place. We still have more evaluation work to do on the products.

Bladelogic – Operations Manager – The product is excellent and easily extensible. The downsides are a complex security model, and the UI is not great. They don’t have a solid CMDB strategy. I would rank this product in 1st place so far. We still have work to do here as well.

Opsware – SAS, VAM – This product does an excellent job in the CMDB and visualization. The system is scalable and capable as well. The downsides are the complexity of deployment, some instability, and some growing pains as they re-architect some of the way the product operates. It doesn’t have as good a unified shell as Blade has. This product shares the same spots with CA. We still have more evaluations to complete with the product.

HP – Radia – Let’s put it this way… After 2 days, the product hardly ran, and was not usable. I would be working with them today if I hadn’t given up and asked them to stop the POC.

.NET 3.0 and Sysinternals release

While the .NET release info was going out. Microsoft purchased Sysinternals a few months ago; the non-commercial side of the business is an excellent set of tools used almost everywhere now. They are incorporated in many commercial software packages for common tasks and debugging. They have finally moved the content over to Microsoft's site and bundled the tools together:

http://www.microsoft.com/technet/sysinternals/default.mspx

My favorites:

http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx

http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/Filemon.mspx