Erick Perez
2009-Jan-23 15:32 UTC
[CentOS] OT: Managing change control in servers, LDAP, firewalls and switches question
Hi, this being an off-topic question with so many vendors involved, I had no definitive place to go to ask but here. So maybe some of the list members have ideas in mind.

Currently we manage several switches, firewalls and MS LDAP and CentOS OpenLDAP installations.
We are looking for a "man in the middle" or "framework" to manage change on our network devices and LDAP-based servers.
So far, using Quest ActiveRoles/InTrust has filled the part of LDAP, where administrators log into the ActiveRoles/InTrust system, generate changes (delete OU, users, change passwords, etc.), then the request has to be approved by a staff member in ActiveRoles/InTrust. When the approval is sent to the system, ActiveRoles/InTrust (and not the sysadmin) logs into the LDAP systems and performs the changes. This has proven useful in tracking changes (who did what, when, who approved it).
We are looking into a similar solution (Quest Software does not have that for devices) to perform change control on the routers, switches and firewalls.

Maybe someone can also point me to a mailing list where I can ask the same question?

thanks,
--
------------------------------------------------------------
Erick Perez
Cel +(507) 6675-5083
------------------------------------------------------------
Ross Walker
2009-Jan-23 16:30 UTC
[CentOS] OT: Managing change control in servers, LDAP, firewalls and switches question
On Fri, Jan 23, 2009 at 10:32 AM, Erick Perez <eaperezh at gmail.com> wrote:
> Hi, this being an off-topic question with so many vendors involved, I had
> no definitive place to go to ask but here. So maybe some of the list
> members have ideas in mind.
>
> Currently we manage several switches, firewalls and MS LDAP and CentOS
> OpenLDAP installations.
> We are looking for a "man in the middle" or "framework" to manage
> change on our network devices and LDAP-based servers.
> So far, using Quest ActiveRoles/InTrust has filled the part of LDAP,
> where administrators log into the ActiveRoles/InTrust system, generate
> changes (delete OU, users, change passwords, etc.), then the request has
> to be approved by a staff member in ActiveRoles/InTrust. When the
> approval is sent to the system, ActiveRoles/InTrust (and not the
> sysadmin) logs into the LDAP systems and performs the changes. This has
> proven useful in tracking changes (who did what, when, who approved
> it).
> We are looking into a similar solution (Quest Software does not have
> that for devices) to perform change control on the routers,
> switches and firewalls.
>
> Maybe someone can also point me to a mailing list where I can ask the
> same question?

Most people do change management through "trust, but verify", where change requests are submitted and approved, then an administrator implements by hand, and then replies that it was done successfully or not and what the failure was. Then at some point, these changes are verified by someone else and confirmed to be in place.

You could try to automate the verification process by using IDS software to log all the environment changes, then match those up with change requests. Any that happen without a change request were unauthorized and need to be rolled back. This way you get two birds with one stone: change management verification and intrusion detection.

Couple that with a good backup/restore strategy and you should have the major bases covered.

-Ross
Les Mikesell
2009-Jan-23 17:16 UTC
[CentOS] OT: Managing change control in servers, LDAP, firewalls and switches question
Erick Perez wrote:
> Hi, this being an off-topic question with so many vendors involved, I had
> no definitive place to go to ask but here. So maybe some of the list
> members have ideas in mind.
>
> Currently we manage several switches, firewalls and MS LDAP and CentOS
> OpenLDAP installations.
> We are looking for a "man in the middle" or "framework" to manage
> change on our network devices and LDAP-based servers.
> So far, using Quest ActiveRoles/InTrust has filled the part of LDAP,
> where administrators log into the ActiveRoles/InTrust system, generate
> changes (delete OU, users, change passwords, etc.), then the request has
> to be approved by a staff member in ActiveRoles/InTrust. When the
> approval is sent to the system, ActiveRoles/InTrust (and not the
> sysadmin) logs into the LDAP systems and performs the changes. This has
> proven useful in tracking changes (who did what, when, who approved
> it).
> We are looking into a similar solution (Quest Software does not have
> that for devices) to perform change control on the routers,
> switches and firewalls.

There was a tool called pancho (http://www.pancho.org/) that claimed to do automated router and switch management, but it seems to no longer be supported, and personally, I'd trust a person more than a script with that sort of job.

On the other hand, maintaining backup copies of configurations before/after changes is something very worthwhile and not difficult for anything that has text-based configurations. Just make sure that changes are copied back and committed to a central version control system like cvs or svn (which you can wrap with viewvc for easy display of history and changes). A tool called rancid (http://www.shrubbery.net/rancid/) will automate this for many routers, switches and firewalls, and will also pick up any unexpected changes.

--
Les Mikesell
lesmikesell at gmail.com
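The two suggestions above fit together: Les's before/after copies of a text config give you the diff, and Ross's matching of logged changes against change requests tells you whether that diff was authorized. The following is an added example of that reconciliation step, written for this page; it is not code from the thread, from rancid or from any Quest product. It assumes a baseline copy (what was last committed to version control) and a current copy (what was just pulled from the device) for each device, plus a list of approved change tickets that each name a device and an approval window; the device names, Cisco-style config snippets, ticket format and timestamps are constructed sample data.

```python
"""Reconcile pulled device configs with committed copies and approved tickets.

Added example; not code from the list thread, rancid, or Quest. Device
names, configs, tickets and timestamps below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime
import difflib


@dataclass
class ChangeRequest:
    """One approved change window for one device (hypothetical ticket format)."""
    ticket: str
    device: str
    approved_by: str
    start: datetime
    end: datetime


def config_diff(baseline, current):
    """Return changed lines as (op, text) tuples, op being '+' or '-'.

    Zero lines of context, so only real changes are reported. The
    '---'/'+++' file headers come before the first '@@' hunk marker and are
    skipped there rather than by prefix, so a config line that itself starts
    with '--' is still reported correctly.
    """
    diff = difflib.unified_diff(baseline.splitlines(), current.splitlines(),
                                lineterm="", n=0)
    changes, in_hunk = [], False
    for line in diff:
        if line.startswith("@@"):
            in_hunk = True
            continue
        if in_hunk:
            changes.append((line[0], line[1:]))
    return changes


def find_approval(device, observed_at, requests):
    """Return the ticket whose window covers this device at observed_at, else None."""
    for cr in requests:
        if cr.device == device and cr.start <= observed_at <= cr.end:
            return cr
    return None


def reconcile(device, observed_at, baseline, current, requests):
    """Classify one config pull as unchanged, approved, or UNAUTHORIZED."""
    changes = config_diff(baseline, current)
    if not changes:
        return {"device": device, "status": "unchanged", "ticket": None, "changes": []}
    cr = find_approval(device, observed_at, requests)
    return {"device": device,
            "status": "approved" if cr else "UNAUTHORIZED",
            "ticket": cr.ticket if cr else None,
            "changes": changes}


# --- constructed sample data ---------------------------------------------
FW_BASELINE = """hostname fw-edge-1
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 deny ip any any"""

# Approved change: an SSH permit inserted ahead of the final deny.
FW_CURRENT = FW_BASELINE.replace(
    "access-list 101 deny ip any any",
    "access-list 101 permit tcp any host 192.0.2.10 eq 22\n"
    "access-list 101 deny ip any any")

SW_BASELINE = """hostname sw-core-1
line vty 0 4
 transport input ssh"""

# Nobody filed a ticket for this one: telnet re-enabled on the vty lines.
SW_CURRENT = SW_BASELINE.replace(" transport input ssh", " transport input telnet ssh")

APPROVED_REQUESTS = [
    ChangeRequest("CR-1042", "fw-edge-1", "jdoe",
                  datetime(2009, 1, 23, 14, 0), datetime(2009, 1, 23, 16, 0)),
]

# (device, time the config was pulled, baseline copy, current copy)
SAMPLE_PULLS = [
    ("fw-edge-1", datetime(2009, 1, 23, 15, 10), FW_BASELINE, FW_CURRENT),
    ("sw-core-1", datetime(2009, 1, 23, 15, 12), SW_BASELINE, SW_CURRENT),
    ("sw-access-7", datetime(2009, 1, 23, 15, 15), SW_BASELINE, SW_BASELINE),
]


def run_report(pulls=SAMPLE_PULLS, requests=APPROVED_REQUESTS):
    """Reconcile every pull; returns results in input order."""
    return [reconcile(dev, at, base, cur, requests) for dev, at, base, cur in pulls]


if __name__ == "__main__":
    for r in run_report():
        print(f"{r['device']:<12} {r['status']:<12} ticket={r['ticket']}")
        for op, text in r["changes"]:
            print(f"    {op} {text}")
```

Run stand-alone it reports fw-edge-1 as approved under CR-1042, sw-core-1 as UNAUTHORIZED (the telnet change falls in no ticket window), and sw-access-7 as unchanged. Matching on device and time window alone is deliberately coarse: an approved window on a device also covers anything else changed on it in that window, so a stricter version would compare the reported diff lines against the change the ticket actually describes, and treat a pull that fails entirely (no current copy) as its own alert rather than silently "unchanged".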