In enterprise software, management consoles get written time and time again to solve various problems. I worked on them when I was an IDS developer at Sourcefire and have used them over my career in network and security management on the user side. I also know that most software folks who enter this realm haven't dealt with actually using these products and tend to recreate bad wheels.
There's a common set of requests I have for the ideal centralized management of policy and reporting. I end up giving this talk several times to various vendors and thought someone might be better off if I documented it ahead of time.
Policy Management
Policy management is the process of managing client configuration and pushing it out to systems. Many consoles build their policy roles around four rights: view policy, modify policy, distribute policy and create new policy. Many organizations need to be able to set a baseline configuration but then give system administrators free rein beyond that. Active Directory/Group Policy is a great example of designing for the edge cases: every case, such as inheritance and controlling it, has been thought about. For most products, though, pay attention only to the computer side of GPOs; you can leave out things like loopback processing. In AD, you assign admins to a GPO and they can manage downwards, but they have to accept whatever was assigned above them (the level above chooses whether to enforce it). The big GPO gotcha is that there's no "default configuration GPO" that you can reassign to get yourself out of GPO-induced messes.
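To make the inheritance behaviour concrete, here is an added example (not code from the original post) that models a GPO-style policy tree: settings flow down from the root, a lower level may override anything it inherits unless an ancestor marked the setting enforced, "block inheritance" discards inherited settings but not enforced ones, and a root "Default" policy serves as the reset point the post says GPO lacks. The org tree, setting names and values are made up for the example.

```python
# Added example (not code from the original post): a minimal model of
# GPO-style policy inheritance with an enforced baseline. Settings flow down
# an org tree; each level may override what it inherits unless the setting
# was marked enforced above it. A root "Default" policy is the reset point the
# post says GPO lacks. Setting names, node names and values are made up.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Policy:
    """Settings applied at one level; 'enforced' keys cannot be overridden below."""
    name: str
    settings: Dict[str, object] = field(default_factory=dict)
    enforced: Set[str] = field(default_factory=set)


@dataclass
class Node:
    """A container in the org tree (domain, OU, site) with an optional policy."""
    name: str
    policy: Optional[Policy] = None
    parent: Optional["Node"] = None
    block_inheritance: bool = False  # like GPO 'Block Inheritance'; enforced keys still win


def effective_policy(node: Node) -> Dict[str, Tuple[object, str]]:
    """Resolve the effective settings for a node: key -> (value, policy that set it).

    The tree is walked root-first so lower levels override upper ones, except
    for keys an ancestor enforced, which stay locked for everything beneath.
    """
    chain: List[Node] = []
    n: Optional[Node] = node
    while n is not None:
        chain.append(n)
        n = n.parent
    chain.reverse()  # root first

    result: Dict[str, Tuple[object, str]] = {}
    locked: Set[str] = set()  # keys enforced by an ancestor
    for n in chain:
        if n.block_inheritance:
            # Drop inherited non-enforced settings; enforced ones survive the block.
            result = {k: v for k, v in result.items() if k in locked}
        if n.policy is None:
            continue
        for key, value in n.policy.settings.items():
            if key in locked:
                continue  # a delegated admin cannot override the enforced baseline
            result[key] = (value, n.policy.name)
        # Only keys this policy actually sets can be locked for the levels below.
        locked |= n.policy.enforced & set(n.policy.settings)
    return result


def reset_to_default(node: Node, default: Policy) -> None:
    """Assign the root default policy to a node and clear its inheritance block."""
    node.policy = default
    node.block_inheritance = False


def build_tree() -> Tuple[Policy, Node, Node, Node]:
    """Constructed sample tree: corp -> eng -> eng-build."""
    default = Policy("Default",
                     {"av.realtime": True, "disk.encrypt": True, "log.level": "info"},
                     enforced={"av.realtime"})
    root = Node("corp", default)
    eng = Node("eng",
               Policy("Engineering",
                      {"log.level": "debug", "av.realtime": False, "disk.encrypt": False},
                      enforced={"disk.encrypt"}),
               parent=root)
    team = Node("eng-build",
                Policy("BuildTeam", {"disk.encrypt": True, "log.level": "warn"}),
                parent=eng, block_inheritance=True)
    return default, root, eng, team


if __name__ == "__main__":
    default, root, eng, team = build_tree()
    for key, (value, src) in sorted(effective_policy(team).items()):
        print(f"{key} = {value!r}  (from {src})")
```

In the sample tree the Engineering admin tries to turn off real-time AV and cannot, because the root enforced it; the build team blocks inheritance and still ends up with Engineering's enforced disk-encryption setting. Reassigning the Default policy to the team node is the one-step escape hatch the post asks for.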
Event Reporting
Presumably, your client software has messages to report such as "found virus" or "disk encrypted." Let the same delegated authority from policy management review the events and take actions on them from a single console. With delegated administration, trusting that groups cannot report on each other is a critical factor in getting people to install your managed software. Don't make me push people through setting up another server to do their own reporting and then expect the central console to get the reports. This is normally implementable as a mandatory query filter assigned to a role.
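The "mandatory query filter assigned to a role" idea, as an added example that is not part of the original post: every query a delegated admin runs is ANDed with the scope filter bound to their role, so a caller-supplied filter can narrow results but never widen them, and actions on an event re-check scope server-side. The roles, event records and org names are constructed for the example.

```python
# Added example (not code from the original post): event reporting with a
# mandatory, role-bound scope filter. The user's own filter is always ANDed
# with the role's filter, so one group cannot report on another's hosts.
# Events, roles and org names are constructed for the example.
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, object]
Predicate = Callable[[Event], bool]

# Constructed sample events as the central console might store them.
EVENTS: List[Event] = [
    {"id": 1, "host": "eng-ws01", "org": "eng", "type": "virus_found", "severity": 5},
    {"id": 2, "host": "fin-ws02", "org": "finance", "type": "disk_encrypted", "severity": 1},
    {"id": 3, "host": "eng-srv03", "org": "eng", "type": "disk_encrypted", "severity": 1},
    {"id": 4, "host": "fin-ws09", "org": "finance", "type": "virus_found", "severity": 5},
]


@dataclass(frozen=True)
class Role:
    name: str
    mandatory_filter: Predicate  # applied to every query; the caller cannot remove it
    can_act: bool                # may take actions (quarantine, etc.) on events in scope


# Constructed roles: one global admin, two delegated groups.
ROLES: Dict[str, Role] = {
    "global-admin": Role("global-admin", lambda e: True, True),
    "eng-admin": Role("eng-admin", lambda e: e["org"] == "eng", True),
    "finance-auditor": Role("finance-auditor", lambda e: e["org"] == "finance", False),
}


def query_events(role: Role, user_filter: Predicate = lambda e: True) -> List[Event]:
    """Return events matching the caller's filter AND the role's mandatory filter."""
    return [e for e in EVENTS if role.mandatory_filter(e) and user_filter(e)]


def act_on_event(role: Role, event_id: int, action: str) -> str:
    """Apply an action to one event; scope is re-checked rather than trusted."""
    if not role.can_act:
        raise PermissionError(f"{role.name} may not take actions")
    in_scope = query_events(role, lambda e: e["id"] == event_id)
    if not in_scope:
        # 'Not found' and 'out of scope' look identical to the caller on purpose,
        # so the error does not leak the existence of another group's events.
        raise PermissionError(f"event {event_id} not visible to {role.name}")
    return f"{action} applied to {in_scope[0]['host']}"


if __name__ == "__main__":
    eng = ROLES["eng-admin"]
    print("eng sees:", [e["id"] for e in query_events(eng)])
    print("eng asking for finance:", query_events(eng, lambda e: e["org"] == "finance"))
    print(act_on_event(eng, 1, "quarantine"))
```

Because the mandatory filter lives on the role rather than in the query, there is nothing for a delegated admin to strip out of a request, and the same scoping serves both the report view and the "take action" path from a single console.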
Client Identification
Make sure you can handle clients whose IP addresses change. Microsoft's WSUS client ID is a good example of this: generate a token and identify the unique node by that token. Make sure it's easy to change the token, because people use imaging tools like Ghost that clone a machine without altering it.
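Token-based client identity, as an added example that is not code from the original post or from WSUS: the server keys its client table by a generated token, a check-in simply updates the stored address (so IP moves are harmless), and a known token arriving with a different hardware fingerprint is treated as the cloned-image case and the newcomer is issued its own token instead of silently overwriting the original record. Fingerprints, hostnames and addresses are constructed.

```python
# Added example (not code from the original post): identify managed clients by
# a generated token rather than by IP address, in the spirit of the WSUS
# client ID the post mentions. A check-in updates the address stored under the
# token; a known token arriving with a different hardware fingerprint is
# treated as a cloned image and the newcomer gets a fresh token. Fingerprints,
# hostnames and addresses below are constructed.
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ClientRecord:
    token: str
    fingerprint: str  # e.g. a hash over board serial and MACs; constructed here
    hostname: str
    ip: str


class ClientRegistry:
    """Server-side table of managed clients, keyed by token, never by IP."""

    def __init__(self) -> None:
        self.by_token: Dict[str, ClientRecord] = {}

    @staticmethod
    def new_token() -> str:
        return secrets.token_hex(16)  # 128 random bits, not derived from host data

    def checkin(self, token: Optional[str], fingerprint: str,
                hostname: str, ip: str) -> Dict[str, str]:
        """Process a client check-in and return the token the client must keep.

        Cases:
          - no or unknown token: enrol (issue one if the client has none)
          - known token, same fingerprint: update ip/hostname (IP moves are normal)
          - known token, different fingerprint: cloned image; leave the original
            record untouched and issue the newcomer its own token
        """
        rec = self.by_token.get(token) if token else None
        if rec is None:
            token = token or self.new_token()
            self.by_token[token] = ClientRecord(token, fingerprint, hostname, ip)
            return {"token": token, "status": "enrolled"}
        if rec.fingerprint == fingerprint:
            rec.ip, rec.hostname = ip, hostname
            return {"token": token, "status": "updated"}
        fresh = self.new_token()
        self.by_token[fresh] = ClientRecord(fresh, fingerprint, hostname, ip)
        return {"token": fresh, "status": "reissued"}


if __name__ == "__main__":
    reg = ClientRegistry()
    first = reg.checkin(None, "fp-A", "ws01", "10.0.0.5")
    tok = first["token"]
    print(reg.checkin(tok, "fp-A", "ws01", "10.0.1.7"))   # same box, new DHCP lease
    print(reg.checkin(tok, "fp-B", "ws01", "10.0.0.9"))   # Ghost clone carrying the same token
    print(len(reg.by_token), "clients registered")
```

The fingerprint comparison is what turns "two machines with one token" from a silent overwrite into a visible event; without it the clone and the original would take turns replacing each other's address on every check-in.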
There are a lot of other management gotchas I should write about in the future, such as firewalling, credential management, backup and recovery, and licensing.
Wednesday, December 17, 2008