Sunday, November 26, 2006

Housekeeping on other projects (BI, MSSQL)

I am working on implementing a new shared SQL cluster to help improve our Openview tools to run on a better hardware infrastructure. I also hope to leverage that SQL server for Iconclude a workflow tool we are implementing more and more. I am trying to get a proper cleaner server architecture for the tools. I am also adding a high end server for the BI tool to compile the Proclarity cubes going forward.

The server config mgmt race is coming to a close, with Bladelogic seeming to have the win so far. I am working on the final touches of the evaluation.

I am also on the home stretch with the Symantec versus Quest database tools, and hope to wrap that up in the 2 weeks.

That's mostly it on my major projects, I have a lot of other smaller projects including:

  • Qip Integration
  • Monitoring work for better consistency on some of our internal apps
  • Coradiant next gen products
  • Business Intelligence work with Proclarity
  • Syslog integration for Coradiant Truesight and Onaro Sanscreen
  • Trap integration for database tools
  • Coradiant instrumentation of some leased line infrastructure

Network Configuration Management

The other areas we are looking at around the network tools are the Opnet suite for engineering (which is a serious investment for a tool), and the configuration management areas.

We have gotten several demos, and sent our 4 RFPs. Out of the 4 we sent out, we got 3 back. We are trying to get it down to 2 vendors for a POC. This is slightly different than the server side, because I have a much larger team to work with on the POC and the work needed to get it down to a great tool for us. Here is the criteria extracted from the RFP, there will be more on this as we move forward narrowing down the field of 3 (HP OVNCM, Opsware NAS, Alterpoint DeviceAuthority:


Sub Facts

Company Viability and History

Customers of specific product

Revenue Growth FY 05-06

Total Revenue FY 05

Install Base

Financial Customers

Largest Install






Native Eclipse, Visual Studio, or other native IDE






Extensibility and Robustness


Web Services API

NET Java Perl API




Active Directory, TACACS, RADIUS

Granular permissioning

Device Support

Nortel, Cisco, F5, Checkpoint

telnet, ssh, rlogin, snmp, oob

Auto discovery of devices

De-Duplication of devices

Dynamic grouping

Configuration and Usage

Ease of Installation

Reporting (PDF, XML, HTML, DOC, CSV)

Report Delivery

Modeling and Visio support

Support for Perl, Expect, and Shell

Syntax checking

No java or plugin client

Upgrade IOS with verification of hardware support

Change Tracking

Comparison Live to Snap

Change notification to run collection (syslog, snmp)

Generate SNMP traps for changes

Enforcement of peer review before implementation

Complaince templates (SOX, GLBA, etc) with weighted application

Keystroke logging

Tracking of CPU, Memory, Users per device

Asset Management

Contract management

Integration with Cisco Contract site

Cost and Community

Maintenance Fees

List Price

User group meetings

Online user groups

Free development licenses

Managed firewall monitoring services

We are looking at a couple of vendors in the Managed Security Services space (MSS) to do some firewall monitoring for us. Essentially they give us an added line of data security and best practices that we don't already have the capabilities to do. We are testing them on 3 pairs of key firewalls. These products do several things:

  1. Absorb all of our firewall logs to a 3rd party, who does correlation, distillation, and has analysts who look at major events across the customer base.
  2. Send back alarms for critical issues and worms they detect.
  3. Log and report on the data, trends, and how our data compares against the collective whole of their customers.

The two vendors we are looking at have different pros and cons about their technology, methodology, and ability to provide these.

Eventually if this goes as planned and there is a major benefit, which will be easy to prove I believe, then we will roll this out to all major firewalls (of which we have about 70). I will also work on implementing snort IDS systems to help give the MSS more data and provide better visibility to our security events.

Wednesday, November 8, 2006

Configuration Management and Datacenter Automation Status

I have been evaluating the following vendor solutions for the past 3 weeks. We have all 4 of them installed in a small test environment consisting of varying windows systems and technologies running on the systems. We are focusing on current pain points in configuration management, and we are also evaluating technology which we will need in the medium term as well. I am going to review how they are stacking up, as I fill out the matrix of which products are supporting the requirements.


· Monitor and track configuration/policy

o Create policy off Live including patches and settings

o Track compliance to the policy

o Enforce the policy

o Track changes made outside the product

o Prevent the execution of a specific exe or file

· Architecture

o Ability to have proxies in datacenters/envs

o Ability to have decentralized control over envs

o Ability to use a single uni-directional port


o Visualize relationships between servers

o Visualize relationships between server and network

o Track dependencies of servers and websites

o Configuration Management Interoperability

· Manage users and services

o Manage local users across servers

o Replicate credentials to other servers

o Manage services in real-time

o Verify status of services in real-time across servers

o Verify services port usage

· Usability

o How easy is the product to administrate

o How easy is the product to use

o How easy is the product to configure and setup

· Software asset collection

o Collect software revision and install details

o Collect how often and for how long software is used

· Hardware asset collection

o Collect data via DMI or Standard Protocol

o Collect detailed information

· Reporting capability

o Export to PDF,XLS

o Report on compliance, changes, and activity

o Open database with views that make it easy to query

· Software Deployment

o Support for MSI, RPM, and Sun Packages

o GUI for creating Packages

o Search and replace

o Reverse engineer files into packages

o Rollback

o Notifications via SNMP and SMTP

o Download patches, deploy, and rollback patches

o Create a policy of patches

· PXE deployment

o Provision OS and policy in one job

The products we are reviewing are (in order of the installs):

CA – DSM, Cendura, and CMDB – The CMDB is the glue between the other components. The suite is very well done, and does a good job in general. There is not as granular policy control as some of the others. There is also not a good package of supported configurations in the DSM product. So far I would rank them 2nd or 3rd place. We still have more evaluation work to do on the products.

Bladelogic – Operations Manager – The product is excellent and extensible easily. The downsides are complex security model, and the UI is not great. They don’t have a solid CMDB strategy. I would rank this product in 1st place so far. We still have work to do here as well.

Opsware – SAS, VAM – This product does an excellent job in the CMDB and visualization. The system is scalable and capable as well. The downsides are the complexity of deployment, some instability, and some growing pains as they re architect some of the way the product operates. It doesn’t have as good of a unified shell that Blade has. This product shares the same spots with CA. We still have more evaluations to complete with the product.

HP – Radia – Lets put it this way…. After 2 days, the product hardly ran, and was not usable. I would be working with them today if I hadn’t given up and asked them to stop the POC.

.NET 3.0 and Sysinternals release

While the .NET release info was going out. Microsoft purchased Sysinternals a few months ago, the non-commercial side of the business is an excellent set of tools used almost everywhere now. They are incorporated in many commercial software packages for common tasks and debugging. They have finally moved the content over to Microsoft's site and bundled the tools together:


My favorites: