On Fri, Jan 23, 2009 at 10:32 AM, Erick Perez eaperezh@gmail.com wrote:
Hi, being an off-topic questions with so many vendors involved I had no definitive place to go to ask but here. So maybe some of the list members have ideas in mind.
Currently we manage several switches,firewalls and MS LDAP and Centos OpenLDAP installations. We are looking for a "man in the middle" or "framework" to manage change on our network devices and LDAP-based servers. So far, using Quest ActiveRoles/Intrust has filled the part of LDAP, where administrators log into ActiveRoles/Intrust system, generate changes (delete OU, users, change passwords, etc) then the request has to be approved by a staff member in Activeroles/intrust. When the approval is sent to the system, the ActiveRoles/Intrust (and not the sysadmin) logs into the LDAP systems and perform the changes. This has proven useful in tracking changes (who did what, when, who approved it). We are looking into a similar solution (Quest Software does not have that for devices) to perform change and control on the routers, switches and firewalls.
Maybe someone can also point me to a mailing list where i can ask the same question?
Most people do change management through trust, but verify, where change requests are submitted, approved, then an administrator implements by hand, and then replies that it was done successfully or not and what the failure was. Then at some point, these changes are verified by someone else and confirmed to been in place.
You could try to automate the verification process by using IDS software to log all the environment changes, then match those up with change requests. Any that happen without a change request were unauthorized and need to be rolled back.
This way you get 2 birds with 1 stone, change management verification and intrusion detection. Couple that with a good backup/restore strategy and you should have the major bases covered.
-Ross