You probably have your own way of doing things when it comes to configurations. Maybe you just have a notepad that you copy and paste config snippets from when you need them. Or maybe you have a notebook app that you keep up-to-date with pages dedicated to switches, routers, or firewalls. You might even be advanced enough that you realize the need for a different system that uses things like Ansible playbooks or Puppet. Whatever your system, it probably works well for you. Until it doesn’t.
One of the things that I’ve seen come up as a problem in a lot of configuration systems is drift. When the reality of what your configuration looks like is different from what you’re expecting, you have a drift problem. The classical example cited by all configuration management companies is what happens when multiple people are making changes all at the same time without rhyme or reason. Configs get applied and the results stick if they work. Pretty soon you run into issues with things being radically different depending upon how many fingers were typing commands.
But that classic example isn’t the only one that can happen. The more likely culprit in these situations isn’t malice or “configuration by committee,” but instead careless inattentiveness. It’s far more common for people to make little changes to a system over time in the effort to test things or try to make fixes than it is to do massive overhauls. It’s also far too common to leave in non-working code because people don’t think it’s causing any harm. Anyone that has ever had to audit a novel-length firewall policy knows this is the case. It’s not what you add that becomes an issue. It’s what gets left behind to cause issues down the road.
Configuration management companies are quick to tell you that you don’t need to worry about config drift. They surmise that if you use their tools, you’ll never have a configuration that’s out of sync. But committing to only using their tools and platforms to make changes is a pretty bold step for admins and engineers that are used to remotely connecting to a device and making a change outside of a planned change window. Familiarity breeds contempt for different things.
Sticky Situation
Enter Gluware. They’re a company that has presented at several events over the years that I’ve been a part of, most recently at Networking Field Day 22. They came with a great presentation about a variety of topics, including configuration drift. Here are a couple of the videos they recorded:
Gluware helps you sort out your drifting issues. Their drift tool takes a snapshot of the configuration of a device and allows you to quickly compare it with the state of the device later on. Want to know if someone was logging in and making changes without checking them into the management system? Gluware can tell you. Want to figure out if your switches are following the approved corporate template for things like updated login and MOTD banners? Gluware Config Drift can give you a report about which devices don’t meet the standard. Exception reports are great when you need to bring things back online.
More importantly, Config Drift helps you stay in compliance with regulations. More and more industries are falling under regulation to keep data safe in transit and at rest. One way to ensure you aren’t violating those regulations is to develop a configuration baseline and keep your systems compliant with it. Gluware Config Drift ensures that, should the system ever fall out of compliance or get a change that could impact your status, you’ll find out right away and be able to revert the change or analyze it to ensure it’s applied as needed.
Bringing It All Together
I admit that I’m guilty of causing config drift. I have made my fair share of modifications outside standard templates. I’ve also had to clean up things after everything has gone haywire. I admit that my own forensic analysis would have been aided with the help of a tool like Config Drift from Gluware. Being able to see the configuration and how it has deviated is a huge win for those that need to keep everything current and compliant.
For more information on Gluware and their Config Drift solution, as well as their other platform features, make sure you check out http://Gluware.com.
