How Configuration Management Tools Address the Challenges of Configuration Management

Systems administrators live a varied life. One minute they might be troubleshooting a drive failure on a server, and the next they may be installing software on a desktop. Not all tasks on the systems administrator's "To Do" list are equally important, nor do they all warrant the time they consume. For those tasks, it's time to consider automation.

Configuration Management Lends Itself to Automation

Consider assessments that are not so easy to undertake, such as determining how to reallocate servers and how many new servers to acquire based on past and current utilization rates. Capacity planning tasks such as this require judgment informed by experience and knowledge about future plans—an ideal task to give to a systems administrator.

Configuration management, in contrast, is a set of tasks that lends itself to automation. The process involves executing relatively well-defined assessments and, based on those assessments, possibly altering the configuration state of a device. In this case, executing "well-defined assessments" entails evaluating a relatively small number of criteria (for example: Which operating system (OS) is running? Which versions of applications are installed? Did a vulnerability scan identify any serious issues?).

The first step in a configuration management process is to understand what assets you need to configure and maintain. If systems administrators had to manually visit every office to catalog every device and collect information about installed applications (down to minor version levels), they would be hard pressed to get other work done, at least not without adding to the number of systems administrators on staff. Manually tracking assets is especially problematic where frequent changes warrant more frequent updates to the asset inventory. For most businesses that have grown beyond a small number of employees, the prospect of desk-side visits to collect information on assets is impractical. The tedious and inefficient manual process of tracking assets can be replaced by applications that query OSs to collect information about a device's configuration or use multi-platform network management protocols to acquire other asset information.

Key Automated Tasks in Configuration Management

At a high level, there are three key tasks that are automated with configuration management tools:

  • Discovering assets
  • Scripting changes to configurations
  • Reporting on the status of devices and configurations

All three of these tasks are required to sufficiently automate configuration management. Missing even one of these will limit the potential benefit of automating configuration management.

Discovering Assets

Consider the simple network that Figure 1 shows. It appears to be a fairly homogeneous network with several servers and 30 desktop devices. One would think a network this small and this lacking in apparent variety would not need automated discovery—but that would be a mistake.

Figure 1: An apparently homogeneous network such as this can quickly become a collection of servers and desktops with slight to significant variations in configurations, even if the servers and desktops all had a standard configuration at one time.

If there was ever an ideal state in which the servers with similar functions had similar configurations and all the desktops were configured identically, it probably would not last over time. The same holds true for network devices. Network infrastructure changes over time, and unless we are careful, we can find ourselves with:

  • Inconsistent firmware updates on network devices, which can create the potential for networking problems that are difficult to detect.
  • Poor tracking of virtual LAN adjustments, which could lead to mismanagement of the VLAN as well as security vulnerabilities.
  • Rapidly deployed switches that are not adequately cataloged and managed with other network infrastructure.
  • Inconsistent password changes that prolong maintenance operations because scripts fail to authenticate correctly or network administrators are forced to track down the latest password.

Automated asset discovery can help identify these kinds of changes, which are expected in most cases. It is difficult to track all possible configuration changes without automation. In addition to the behind‐the‐scenes software configuration changes, asset discovery can help identify network changes. For example, if someone installs an unofficial wireless device in a remote office, it may be difficult to detect without automatically cataloging all devices on a network.

With automated discovery, you can create a map of the network and an inventory of the assets on that network. You can then use that information to drive the application of scripts, which can configure devices as needed.
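The following is an added example, not code from the original paper or from any particular configuration management product. It shows the core of what a discovery-driven inventory is used for: comparing what discovery reports against the baseline the administrators believe is deployed, and flagging exactly the kinds of drift listed above (a switch behind on firmware, a desktop that moved VLAN, a device that disappeared, and an unknown wireless access point). The Asset fields, addresses and version strings are all constructed for illustration.

```python
# Added example (not from the original paper): compare a discovered asset
# inventory against a baseline to flag configuration drift and unknown devices.
# All inventory data below is constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    address: str
    kind: str              # "switch", "server", "desktop", "wireless-ap", ...
    firmware: str          # firmware or OS version the device reports
    vlan: Optional[int]    # VLAN the device reports, None if not applicable


# Baseline: what the administrators believe is deployed (constructed).
BASELINE: Dict[str, Asset] = {
    "10.0.1.1": Asset("10.0.1.1", "switch", "fw-4.2.1", None),
    "10.0.1.2": Asset("10.0.1.2", "switch", "fw-4.2.1", None),
    "10.0.2.10": Asset("10.0.2.10", "desktop", "os-22.04", 20),
    "10.0.2.11": Asset("10.0.2.11", "desktop", "os-22.04", 20),
}

# Discovered: what an automated discovery run reported (constructed). The
# second switch is behind on firmware, one desktop moved VLAN, one desktop
# is missing, and an unknown wireless access point has appeared.
DISCOVERED: Dict[str, Asset] = {
    "10.0.1.1": Asset("10.0.1.1", "switch", "fw-4.2.1", None),
    "10.0.1.2": Asset("10.0.1.2", "switch", "fw-4.1.0", None),
    "10.0.2.10": Asset("10.0.2.10", "desktop", "os-22.04", 30),
    "10.0.3.7": Asset("10.0.3.7", "wireless-ap", "ap-1.0", None),
}

# Fields compared for devices present in both inventories.
COMPARED_FIELDS = ("kind", "firmware", "vlan")


def find_drift(baseline: Dict[str, Asset], discovered: Dict[str, Asset]) -> dict:
    """Return findings: devices unknown to the baseline, devices missing from
    discovery, and per-field differences for devices present in both."""
    findings: Dict[str, List] = {"unknown": [], "missing": [], "changed": []}
    findings["unknown"] = sorted(set(discovered) - set(baseline))
    findings["missing"] = sorted(set(baseline) - set(discovered))
    for addr in sorted(set(baseline) & set(discovered)):
        expected, actual = baseline[addr], discovered[addr]
        for name in COMPARED_FIELDS:
            exp, act = getattr(expected, name), getattr(actual, name)
            if exp != act:
                findings["changed"].append((addr, name, exp, act))
    return findings


def format_report(findings: dict) -> str:
    """Render the findings as one line per issue for an administrator."""
    lines: List[str] = []
    for addr in findings["unknown"]:
        lines.append(f"UNKNOWN  {addr}: not in baseline, investigate")
    for addr in findings["missing"]:
        lines.append(f"MISSING  {addr}: in baseline but not discovered")
    for addr, name, exp, act in findings["changed"]:
        lines.append(f"CHANGED  {addr}: {name} expected {exp!r}, found {act!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_drift(BASELINE, DISCOVERED)))
```

The "unknown" and "changed" lists are what would drive the scripting step: only the addresses that appear there need a reconfiguration script or a follow-up visit, which is how discovery keeps remediation scoped to the devices that actually drifted.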

Scripting Changes to Configurations

Automated discovery helps you understand the state of devices, and scripting helps you change that state. Sometimes configurations are not what they should be because of minor mistakes, such as forgetting to run Windows Update, or because of problems with the device; for example, a device could have been powered off while a patch was pushed to it. In other cases, changes could have been deliberate, such as enabling FTP on a server even when policy dictates that it should be disabled. In other situations, vulnerabilities are discovered in applications and patches must be applied. Whatever the reason, devices can end up configured in undesirable ways.

Administrators can create scripts that change the configuration to whatever is desired. One of the advantages of this approach is that scripts are applied consistently. A human might forget a step in a multi-step process, but an automated configuration tool will not. Of course, the potential downside is that a script with a logic error will apply the erroneous code just as consistently as valid code. Automation tools that provide support for scripting can mitigate this risk.

Reporting on Status of Configuration Changes

After configuration scripts are run, it is good practice to evaluate and report on the success of the changes. Reports can help identify differences between what you expected and what actually occurred. Some problems that could arise include:

  • Devices were powered off during the script's execution and could not be remotely booted
  • A step in the script required temporary storage space and there was insufficient free space on the device
  • A precondition for a change was not met, such as a dependent component that the script assumed was installed but was not
  • The script was designated to run outside of normal business hours but not all devices were updated before the time window closed

Automated configuration helps with three key systems administration tasks: identifying the configuration status of assets, altering those statuses in a controlled manner, and assessing the effectiveness of those changes. Consider a more detailed example of automated configuration management.

Example Task: Update Configuration of Client Devices on VLAN

Let's consider a hypothetical scenario in which a finance department is distributed across a couple of buildings on a large campus. To better isolate the finance department's assets and to keep the department's devices on the same logical network, the IT department deployed a virtual LAN (VLAN). When originally deployed, the desktops on the VLAN were all properly configured. Even though these devices warrant additional controls, the configurations of some of the desktops changed over time. The annual audit detected these deficiencies, and the IT department was asked to correct the problems.

With an automated configuration tool, the systems managers were able to discover all devices on the VLAN and collect configuration information about each device. They then wrote and tested scripts to correct the configuration problems. The scripts (1) checked that the device actually had the deficiency noted in the audit report, (2) verified that all preconditions for making the correction were met, and (3) performed the remediation action. The scripts were executed, and the log generated during the process was examined for any potential problems. A new discovery process was run to verify that the scripts had worked as expected and the deficiencies were corrected.
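The following is an added example, not the paper's code and not any vendor's tool. It implements the three-step pattern just described (confirm the deficiency is present, check preconditions, remediate), then re-checks the device after the change instead of trusting that the script ran, and produces the log and status summary the earlier "Reporting on Status of Configuration Changes" section calls for, including the powered-off, insufficient-space and missing-dependency failure modes listed there. Devices are simulated in-memory objects; the audit finding ("FTP enabled on finance VLAN desktops where policy requires it disabled"), the MIN_FREE_MB threshold, the hypothetical "audit agent" dependency and the device names are all constructed.

```python
# Added example (not from the original paper): an idempotent remediation run
# that checks for the deficiency, checks preconditions, remediates, logs the
# outcome and re-verifies. Devices are simulated; nothing here touches a
# real host. All names, thresholds and the audit finding are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Device:
    name: str
    powered_on: bool
    free_space_mb: int
    services: Dict[str, bool]      # service name -> enabled?
    audit_agent_installed: bool    # hypothetical dependency the fix needs


MIN_FREE_MB = 50  # constructed: temporary space the remediation step needs
DEFICIENCY = "ftp"  # constructed audit finding: FTP must be disabled


def has_deficiency(dev: Device) -> bool:
    """Step 1: confirm the device actually shows the audited deficiency."""
    return dev.services.get(DEFICIENCY, False)


def preconditions_met(dev: Device) -> Tuple[bool, str]:
    """Step 2: check every precondition; return (ok, reason_if_not)."""
    if dev.free_space_mb < MIN_FREE_MB:
        return False, f"insufficient free space ({dev.free_space_mb} MB)"
    if not dev.audit_agent_installed:
        return False, "dependent component missing: audit agent"
    return True, ""


def remediate(dev: Device) -> None:
    """Step 3: apply the correction (simulated: disable the service)."""
    dev.services[DEFICIENCY] = False


def run(devices: List[Device]) -> Tuple[List[str], Dict[str, int]]:
    """Apply check/preconditions/remediate/verify to each device and return
    the log lines plus a status summary suitable for a report."""
    log: List[str] = []
    summary = {"remediated": 0, "compliant": 0, "unreachable": 0,
               "skipped": 0, "failed": 0}
    for dev in devices:
        # A powered-off device cannot even be assessed; report it separately
        # so it is retried in the next window rather than assumed fixed.
        if not dev.powered_on:
            summary["unreachable"] += 1
            log.append(f"{dev.name}: unreachable (powered off), retry later")
            continue
        if not has_deficiency(dev):
            summary["compliant"] += 1
            log.append(f"{dev.name}: already compliant, no action")
            continue
        ok, reason = preconditions_met(dev)
        if not ok:
            summary["skipped"] += 1
            log.append(f"{dev.name}: skipped, {reason}")
            continue
        remediate(dev)
        # Re-discover after the change instead of trusting the script ran.
        if has_deficiency(dev):
            summary["failed"] += 1
            log.append(f"{dev.name}: remediation applied but verification FAILED")
        else:
            summary["remediated"] += 1
            log.append(f"{dev.name}: remediated and verified")
    return log, summary


def sample_fleet() -> List[Device]:
    """Constructed finance-VLAN desktops covering each outcome."""
    return [
        Device("fin-pc-01", True, 900, {"ftp": True}, True),    # will be fixed
        Device("fin-pc-02", True, 900, {"ftp": False}, True),   # already compliant
        Device("fin-pc-03", False, 900, {"ftp": True}, True),   # powered off
        Device("fin-pc-04", True, 10, {"ftp": True}, True),     # no free space
        Device("fin-pc-05", True, 900, {"ftp": True}, False),   # dependency missing
    ]


if __name__ == "__main__":
    log_lines, status = run(sample_fleet())
    print("\n".join(log_lines))
    print(status)
```

Because the deficiency check runs before any change, the script can be re-run against the whole VLAN after the maintenance window without touching devices that were already corrected; the second run only reports the devices that were unreachable or skipped the first time, which is the list the administrators need to follow up on.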

A potentially difficult situation, addressing issues identified in an audit, was made less challenging by automation. In particular, with automated configuration management, systems administrators can:

  • Identify only the assets that require changes, thus minimizing impact on other devices and reducing the time network administrators need to complete the task
  • Consistently apply changes and generate a log of the reconfiguration process
  • Report on status to identify any problems that may have occurred during configuration changes

Of course, the same steps could have been executed by staff members, but that would have been more labor intensive, more prone to human error, and less comprehensive in reporting on the process and outcome.

Summary

Configuration management lends itself to automation and provides a compelling combination of benefits: reduced cost of maintaining configurations by reducing the manual effort required, improved insight and visibility into the state of configurations, which can help with security and compliance reporting, and the ability to assign more strategic tasks, like capacity planning, to systems administrators.