A lot of marketing material and sales enablement is obviously directed towards upper management, the decision makers. And there are certainly many good reasons to use network automation to increase efficiencies while improving the organization’s bottom line. But a network automation solution will face an uphill battle internally if it does not truly make life easier for the network engineering and operations teams. I was asked to address this recently on This Week in Enterprise Technology (watch my interview below), where the guest and the hosts pretty much became four CLI geeks rapping at happy hour. It was refreshing to hash it out at this level since I’m usually doing ROI analysis and waxing on the challenges and benefits at a companywide level.
Watch the TWIET interview with Dave Signori on Network Automation
First, let’s level-set on ‘network automation’, since it can vary in meaning. Specifically, I’m talking about the capabilities of a product like Infoblox NetMRI, which include discovery and mapping, change management, configuration management, policy enforcement, CVE and device vendor lifecycle management, and configuration analysis. If this sounds like a wider list than typical Network Change and Configuration Management (NCCM) capabilities, that’s because it is. As a network automation tool, NetMRI will commonly replace several tools. In addition to these, it synchronizes the discovered data with the Infoblox market-leading IP Address Management (IPAM) system to ensure it is accurate. While it’s on my mind, one of the network analysis issues NetMRI reports on is default-passwords-in-use (Equifax admin/admin, anyone?). When upper management looks at benefits from a tool like this, it’s usually at this level:
- I don’t want to fail an audit (PCI, HIPAA, DISA STIG, etc.)
- I want to reduce the amount of time a compromised system is on the network
- I need to ensure I have a change ticket for every change on the network
- I want to reduce the amount of time my team spends doing compliance checks from 30 minutes a device to almost zero
- I want to reduce the exposure time of a device vendor PSIRT from weeks to minutes
- I want to delegate and reduce the time it takes for the standard change process
- I need to find a way to roll out my Software Defined Network (SDN) architecture in stages and still need visibility and change management of the entire environment
Network automation is great at doing these things, and when you compare the time it takes to carry out these common operations before and after automation and multiply by your team’s salary, the cost savings is a no-brainer.
But what if you are on the network team and you’re reluctant to hand the keys over? Well, you don’t need to … until you want to. Let’s start with the Command Line Interface (CLI). First, recall that it was a fat finger that brought down the Amazon S3 service in March, and you certainly wouldn’t want to be at the other end of that. But you trust your CLI and scripting capabilities, so let’s back into this. What features would a technician hang his or her hat on?
- SSH Proxy: NetMRI provides a proxy CLI capability that allows you to use your favorite terminal emulator (e.g., PuTTY, SecureCRT, ssh), records the whole session for later reference or copy to a script, and triggers the automatic backup of the configuration when you’re done.
- Config Backup: NetMRI automatically backs up all configuration changes and reports if a device isn’t being backed up. So just in case your manager hits you up for recent changes or to back something out, you’ve got it at your fingertips. That eliminates worries about forgetting to back up. That archive can be searched extensively and configurations can be compared.
- Scripting re-use: If you’re a CLI or scripting jock, you can run your scripts within the NetMRI job engine. Three different scripting languages are supported, including Python. Now you can trigger, schedule, peer review, and/or run scripts on demand. Device groups you run scripts against and device credentials are managed for you.
- Standardization: You’ve been asked to standardize on your configuration settings. How do you easily set rules, audit and enforce? Since you can push change to the masses of devices with scripts, you can standardize on change. But to ensure it stays that way, NetMRI has three different policy editors for auditing your configurations. If a violation is detected, NetMRI can raise issues, send notifications and run auto-remediation jobs.
- CVE and Device Life Cycle Management: You’ve been tasked with ensuring there are no device vulnerabilities in the network and with keeping your manager abreast of the maintenance status of every hardware and software module. You have four different vendors in the network. You’re basically using CSV exports, email, and device vendor support portal checks. NetMRI automates this with a feed to the vendor sites and use of the discovered data and policy engine. Now you know if you’re vulnerable to CVEs and PSIRTs in minutes, and your lifecycle status is sitting right in the NetMRI device viewer and reports.
So that’s a few things. If you’re still tentative, drop me a line and we’ll rap.