Network administrators are responsible for critical business infrastructure. Their time is often divided between maintaining existing services, monitoring operations, planning future deployments, and addressing the all too common "unexpected" problems. One way for network managers to keep their focus on high‐value business operations is to automate critical operations such as configuration management. Automation can help achieve compliance, detect policy violations, and improve the time and cost of deploying new assets.
Challenges to configuration management arise in large networks with complex architectures. In addition, business drivers that lead to infrastructure changes compound the difficulty of tracking configurations and ensuring they are up to date. Network and systems administrators must address these challenges through specific operations, such as discovering assets, patching and updating, and planning future use and redeployment.
A fundamental challenge facing systems and network administrators is maintaining an awareness of the state of the network and devices on the network. Three aspects of typical business networks make this task difficult:
Any one of these factors can increase the difficulty of maintaining configurations but together they compound the problem even further.
Businesses are driven to become more efficient; today, efficiency often comes coupled with technologies for generating, analyzing, storing, and transmitting information. In many industries, virtually every employee works with devices that IT departments have to maintain. Add to this responsibility the management of the large number of servers that run everything from mission‐critical applications to development and test environments. These systems are interconnected with a network infrastructure that is comprised of many devices distributed throughout offices, branches, and other business operation sites. Network and systems administrators will find it difficult to maintain proper configuration on all of these devices without some form of automation support. The travel time alone required to make desk‐side visits to patch desktops can lead to the need for additional staff to keep up with the growing number of endpoint devices. In addition to the large number of devices in some organizations, there are a variety of device types, each of which can require different levels of configuration support.
A typical business network is a heterogeneous collection of servers, desktops, mobile devices, storage devices, switches, routers, and other components. Desktops and laptops may be relatively homogeneous, for example, running one of the two latest desktop operating systems (OSs) from Microsoft with a standard suite of office productivity applications, a couple of Web browsers, and endpoint security software. Different users, however, require different applications. Designers and graphic artists may have a suite of design tools; software developers will have integrated development environments; back-office staff may run legacy client‐server applications as well. In spite of the relative similarity across end user devices, there is enough variety among applications to make updating and patching more difficult than it would appear at first glance.
Servers can reflect similar levels of diversity. Even when IT departments standardize on commonly used server configurations, it is not uncommon to have multiple generations of server hardware running in the same data center. Older servers that can no longer support the load of mission‐critical applications may be repurposed to provide file or print services. Unlike desktops, servers may run different OSs with a Windows Server OS used for email and directory services while relational databases and application servers run on a distribution of the Linux OS. The network that links these servers and end user devices brings its own challenges from a configuration management perspective.
Networks are like road systems in that they are designed to move something (information or vehicles) as efficiently and reliably as possible with the understanding that there will be varying demands for capacity. In cases where traffic flow is relatively light, traffic patterns are simple. As the volume of traffic increases or the interconnection between roads becomes more complex, so does the road design, with one‐way streets, traffic signals, on ramps and exit ramps, highway interchanges, and other specialized designs put in place to meet demands to keep traffic moving. Networks have analogous mechanisms in the form of routers, switches, local area networks (LANs), virtual LANs (VLANs), and wide area networks (WANs) to keep data transmitting as efficiently as possible. As Figure 1 shows, network design has implications for configuration management.
Figure 1: Networks can span LANs and WANs and include physically distributed but logically related virtual networks.
Network structure can sometimes help simplify configuration management, for example, if all servers on a single VLAN require the same type of configuration. Conversely, when devices require consistent configurations but are physically and logically dispersed, manual configuration management can be more challenging.
Of course, it is not just technical aspects of IT that make configuration management challenging; there are business aspects as well.
Business drivers lead to frequent, sometimes near constant, change in network infrastructure. These business drivers originate for a variety of reasons:
In theory, an efficient business will allocate resources, including IT resources, in the most productive manner possible. In practice, lack of detailed knowledge about utilization rates, effective impact of potential changes, and the ability to reallocate resources efficiently diminish management's ability to realize potential benefits of reallocation. Automated configuration management can help eliminate some of these drags on the efficient allocation of resources.
Network managers and administrators have a wide array of responsibilities, and configuration management is just one of many. With this single responsibility in mind, there are four key challenges facing network administrators and managers:
Fortunately, configuration management automation can assist with all of these challenges.
Depending on the rate of change in network infrastructure, keeping an accurate inventory of assets can be quite challenging. The problem stems from changes in physical assets and changes in the configuration of physical assets. For example, new servers can be added to an inventory while others are retired. The net number of servers may actually stay the same but there are likely significant differences between the servers that were added and those that were retired. Even when the physical assets do not change, their configurations can change significantly. A server that may have run a Windows Server OS as part of a Microsoft Exchange cluster might be reallocated to provide network services, like domain name services running under Linux. Changes in desktop and other end user devices can be even more frequent although probably less dramatic than an OS change.
One of the advantages of an up‐to‐date asset inventory is that it can help streamline the process of updating and patching by identifying devices running software that needs patching. If a vulnerability is found in a particular version of a Web browser, only client devices running that version need to be patched. The inventory can be used to assess the scope of the patching task at hand and prioritize based on business requirements.
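The scoping step described above, as an added example that is not part of the original text: it selects the inventory records running an affected browser version and orders them by business priority. It generalizes from a single version to a version range; the inventory layout, hostnames, version numbers, and priority tiers are all constructed for illustration.

```python
from collections import Counter

# Constructed sample inventory (hostnames, roles, and versions are made up).
INVENTORY = [
    {"host": "fin-ws-01", "role": "finance", "software": {"browser": "11.0.2", "office": "16.1"}},
    {"host": "dev-ws-07", "role": "development", "software": {"browser": "11.0.4"}},
    {"host": "kiosk-03", "role": "lobby", "software": {"browser": "10.9.9"}},
    {"host": "db-01", "role": "database", "software": {"postgres": "14.2"}},
    {"host": "hr-ws-02", "role": "hr", "software": {"browser": "11.0.2"}},
]

# Assumed business priority per role; a lower number is patched first.
PRIORITY = {"finance": 1, "hr": 1, "development": 2, "lobby": 3}


def parse_version(text):
    """Turn '11.0.2' into (11, 0, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def patch_scope(inventory, package, first_bad, first_fixed):
    """Return devices whose `package` version is in [first_bad, first_fixed), by priority."""
    low, high = parse_version(first_bad), parse_version(first_fixed)
    affected = []
    for device in inventory:
        installed = device["software"].get(package)
        if installed is None:
            continue  # package not installed on this device: out of scope
        if low <= parse_version(installed) < high:
            affected.append({
                "host": device["host"],
                "installed": installed,
                "priority": PRIORITY.get(device["role"], 99),  # unknown roles go last
            })
    return sorted(affected, key=lambda d: (d["priority"], d["host"]))


def scope_summary(affected):
    """Count affected devices per priority tier to size the patching task."""
    return dict(Counter(d["priority"] for d in affected))


if __name__ == "__main__":
    scope = patch_scope(INVENTORY, "browser", "11.0.0", "11.0.4")
    for entry in scope:
        print(entry)
    print(scope_summary(scope))
```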
Patching and updating is a short‐term process but network managers and administrators have to consider longer‐term asset allocations as well. Optimal allocation of assets depends on knowing what assets are available, what business requirements are met by which assets, what new requirements will be established in the near‐term and mid‐term, and what new equipment will be required to meet those needs. Redeploying existing assets can help keep capital expenditures down. In order to make knowledgeable decisions about redeployment, systems administrators need detailed information about devices in their infrastructure.
Many businesses must comply with industry or government regulations, such as the Payment Card Industry Data Security Standard (PCI DSS) in the retail industry and the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare arena. It is not unusual to be required to be in compliance and to be able to prove you are in compliance with a regulation. Here again, the ability to automatically generate detailed inventory of assets and their configurations can save substantial manual effort that would otherwise be required for this documentation.
Configuration management can be a manually intensive and expensive operation. Network infrastructures are growing in complexity and businesses continue to adapt to new opportunities, market downturns, and other external pressures on the organization. Network administrators and managers are essential to supporting business operations, and their work in asset management, maintenance, planning, and compliance is part of those support services. Configuration management is demanding but it does not need to be time-consuming or labor‐intensive.