Network + Systems Management
Sneak Preview
Formulator Gives Easy Access

  May 15, 2003
  By Bruce Boardman



Controlling access and changes to router and switch configurations in the network infrastructure can be a network-management headache. You need to use proprietary tools for each device in your architecture or create and maintain scripts that interact with the various CLIs (command-line interfaces). Or you can try Gold Wire Technology's new network appliance, Formulator 200, to manage and protect infrastructure-device configurations across a multivendor network.

Formulator lets you enable network-operator single sign-on to the network infrastructure and provides network-configuration archival and restoration. The product also lets you capture operator-configuration keystrokes and send alarms when changes are made to configurations as long as the device is supported.


Formulator gathers and stores configuration files from network-infrastructure devices in an on-board Oracle database. From the same database it controls and tracks operator access to the infrastructure. Access to Formulator for administrators and users is supported by HTTPS (HTTP Secure), telnet and SSH (Secure Shell). The appliance proxies network-infrastructure access to assigned users, keeping passwords secret. And it provides a choice of read and/or write access to specific devices based on assigned user-access rights.

Users and operators access Formulator via an internal database, TACACS+, RADIUS or RSA SecurID. When the internal database is used, Formulator can audit CLI keystrokes. If one of the other external access methods is employed, Formulator can proxy access to network infrastructure and create an audit trail of who made changes and what was changed.

Additionally, entire configurations can be gathered, stored and restored automatically. You can view and compare current and previous configuration versions for one device or compare configurations among many devices. Furthermore, you can configure multiple Formulator appliances in a mirrored failover architecture to protect against a single point of failure.

Setting Up Control




I tested Formulator in our NWC Inc. labs in Green Bay, Wis. After inventorying routers and switches in Formulator and setting up access and passwords, I opened a telnet into the appliance. This dropped me into a character-based menu from which I was able to use Formulator's command "CONNECT " to attach to a network switch. Formulator dropped me onto the switch in enable mode--no need for additional logons.

Formulator's Web interface gives administrators access to all of the device's functions and connections to all network devices. Although the interface is easy to navigate, it is slow--too slow to use all the time. To leverage the CLI interface, I had to learn Formulator's command line. Fortunately, the character help was good, and the CLI proved much faster than using the Web interface.

You'll need to set up three types of groups: users, devices and actions. User groups list users as members; device groups, devices. Action groups define specific Formulator actions, such as "get config," "create user" and "list config." The list is long and divided into reading configurations, writing configurations and Formulator administration.

To control and manage access to infrastructure configurations you must create permissions. I gave a group of NWC Inc. lab personnel both read and write permissions on routers and switches in our three labs. I created another permission for Syracuse University network engineers, letting them read and write switch configurations and routers on their network. I kept administration rights to Formulator.

Mixing It Up

One of Formulator's most useful features is its ability to track all keystrokes issued in a configuration session on a network router or switch. In addition, an on-board log records the dates and times of any commands issued by any operator connecting to the device through the proxy.

After retrieving a configuration from a device, Formulator automatically gives it an ID, compares the configuration to the prior configuration and notes any differences in the log. Formulator also can associate a tag with each configuration--a powerful tool for correlating configurations and infrastructure function. For example, a tag of "fallback" could be assigned to a device's configuration prior to a change. If you need to abort the planned change, the configuration could be reapplied to the device by calling "fallback." All config changes are logged, and notification of configuration changes can be sent to a predefined administrator or group via e-mail.
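
The retrieve-compare-tag-restore cycle described above, as an added Python example. It is not Gold Wire's code: the `ConfigArchive` class, its method names, the ID format and the sample configurations are assumptions for illustration.

```python
import difflib
from itertools import islice


class ConfigArchive:
    """Per-device config history: IDs, change log and tags (hypothetical)."""
    def __init__(self):
        self.versions = {}  # device -> {config_id: text}, insertion-ordered
        self.tags = {}      # (device, tag) -> config_id
        self.log = []       # one entry per stored version

    def store(self, device, text, operator):
        """Archive a retrieved config; return (config_id, changed_lines)."""
        history = self.versions.setdefault(device, {})
        previous = list(history.values())[-1] if history else ""
        if history and previous == text:
            return list(history)[-1], []  # unchanged: no new version, no alert
        config_id = f"{device}-{len(history) + 1}"
        raw = difflib.unified_diff(previous.splitlines(), text.splitlines(),
                                   lineterm="", n=0)
        # Skip the two file-header lines, keep only added/removed lines.
        changes = [l for l in islice(raw, 2, None) if l.startswith(("+", "-"))]
        history[config_id] = text
        self.log.append({"device": device, "operator": operator,
                         "config_id": config_id, "changes": changes})
        return config_id, changes

    def tag(self, device, name, config_id):
        """Attach a tag such as "fallback" to an archived version."""
        if config_id not in self.versions.get(device, {}):
            raise KeyError(f"{config_id} is not archived for {device}")
        self.tags[(device, name)] = config_id

    def recall(self, device, name):
        """Return the config text a tag points to, ready to re-apply."""
        return self.versions[device][self.tags[(device, name)]]


# Constructed sample configs, not taken from a real device.
BASE = "hostname lab-sw1\ninterface Vlan10\n ip address 10.0.10.1 255.255.255.0\n"
CHANGED = BASE.replace("10.0.10.1", "10.0.10.254") + "snmp-server community public RO\n"


def demo():
    archive = ConfigArchive()
    first_id, _ = archive.store("lab-sw1", BASE, "operator1")
    archive.tag("lab-sw1", "fallback", first_id)
    second_id, changes = archive.store("lab-sw1", CHANGED, "operator1")
    return first_id, second_id, changes, archive.recall("lab-sw1", "fallback")
```

The `changes` list is what a change notification would carry; here it surfaces both the address edit and the newly added SNMP community line.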

Good
• Tracks and manages infrastructure access
• Uses CLI and Web interface
• Operators can connect using telnet and then audit keystrokes

Bad
• Web interface can be tedious
• Not all devices supported

Vendor Info
Formulator 200, starts at $25,000. Gold Wire Technology, (781) 398-8800. www.goldwiretech.com

Additionally, a resolve list shows configuration records not entered in the database. This is useful if a device is added to the database with a name other than the DNS entry assigned to the primary interface.

I hit a roadblock during my tests: I could not download a configuration from a Cisco 7400 router. I knew it wasn't an IOS version problem, but I doubted the problem was with the 7400 router, as our 7413 device was reachable. This glitch wasn't surprising: Every time I've tested configuration products, I've come across a device that wasn't supported. In this case, Gold Wire's tech support was responsive and had me try a number of workarounds. I ran out of time, however, and the issue is unresolved.

Despite minor problems, Formulator offers a well-thought-out way for administrators to secure network infrastructure without having to deal with each piece of vendor equipment. And you won't have to significantly change the way you operate.

Bruce Boardman is executive editor of Network Computing, testing and writing about network management and systems. Write to him at bboardman@nwc.com.
