Paul Venezia
Senior Contributing Editor

Three network device management tools strut their stuff

reviews
Apr 30, 2004 | 9 mins

AlterPoint, Rendition, and Tripwire keep network devices in line

See correction at end of review

Managing 50 network devices can be a challenge; managing 5,000 is nigh impossible, and many networks today exceed even that figure. If all the devices are from a single vendor, the job becomes somewhat simpler, but how many network managers have that luxury? In most large network environments, heterogeneous hardware is the rule, and simple tasks such as changing SNMP strings, implementing and verifying best-practice guidelines, and managing configuration changes across the enterprise become enormous headaches.

Many network administrators rely on custom tools — perhaps a collection of Perl scripts — to manage devices en masse. Although this may be appropriate for some enterprises, others are clamoring for a better mousetrap. Three companies are looking to provide that very thing.

Rendition Networks’ TrueControl 3.0, AlterPoint’s DeviceAuthority Suite 2.0, and Tripwire’s TND (Tripwire for Network Devices) 3.0 all aim to be the network device management tool of choice. All three offer centralized management of heterogeneous network devices, supporting network devices from multiple vendors.

This is no easy feat. The management tools for different vendors vary wildly. From Cisco-style command-line interfaces to Web-based configuration tools, every vendor has its own view of how a device should be managed. Making a tool that brings all these disparate configuration paradigms together is a challenge.

Tripwire for Network Devices

TND follows similar rules to Tripwire’s system-configuration control offerings. The overriding concept is configuration baselining. When a device is added to the inventory, its current configuration is downloaded and marked as a baseline configuration. Administrators add devices manually or by building and importing a CSV (Comma Separated Value) or XML file.

By polling devices and receiving SNMP traps, TND detects configuration changes and takes the appropriate action. You can configure TND to send notifications of changes to administrators by e-mail, pager, or console, and you can have it restore the baseline configuration to the device when a change is noted, all but preventing unauthorized changes to a device. TND’s device compatibility is limited compared to the other offerings, but it accurately inventoried all the devices in the lab with the exception of a Dell PowerConnect 3300 switch.

After you have determined a baseline configuration, TND lays out subsequent deviations from that baseline for further inspection by administrators. TND focuses on making it easy to restore a device to its baseline status rather than having to step back through configuration changes, although this is also possible. Furthermore, TND doesn’t offer many features found in DeviceAuthority and TrueControl, such as the ability to script configuration changes and to generate detailed reports. You must resort to database queries to display data on changes to network devices.
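The baseline-and-deviation model described above can be sketched in a few lines of Python. This is an added illustration, not Tripwire's code: the sample configurations are constructed, and the list of volatile Cisco IOS-style lines to ignore is an assumption.

```python
import difflib
import hashlib
import re

# IOS-style lines that differ between polls without a real change (assumed list).
VOLATILE = re.compile(
    r"^(! Last configuration change at|! NVRAM config last updated"
    r"|Current configuration :|Building configuration|ntp clock-period)")

def normalize(config):
    """Drop blank and volatile lines so only real settings are compared."""
    lines = (ln.rstrip() for ln in config.splitlines())
    return [ln for ln in lines if ln and not VOLATILE.match(ln)]

def fingerprint(config):
    """SHA-256 over the normalized text: a cheap 'has anything changed' check."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()

def deviations(baseline, current):
    """Lines removed ('-') from or added ('+') to the baseline."""
    if fingerprint(baseline) == fingerprint(current):
        return []
    diff = difflib.unified_diff(normalize(baseline), normalize(current),
                                "baseline", "current", n=0, lineterm="")
    return [d for d in diff
            if d[:1] in ("+", "-") and not d.startswith(("+++ ", "--- "))]

# Constructed sample configurations.
BASELINE = """\
! Last configuration change at 09:12:44 UTC Mon Apr 5 2004
hostname edge-rtr-01
no ip http server
snmp-server community EXAMPLE-RO RO 10
ntp clock-period 17179869
end
"""
# Same settings, different timestamp and clock drift value: not a change.
POLL_QUIET = BASELINE.replace("09:12:44", "10:30:02").replace("17179869", "17179912")
# Web server enabled and a read-write SNMP community added: a real change.
POLL_CHANGED = POLL_QUIET.replace("no ip http server", "ip http server").replace(
    "RO 10\n", "RO 10\nsnmp-server community EXAMPLE-RW RW\n")

if __name__ == "__main__":
    print(deviations(BASELINE, POLL_QUIET))
    print("\n".join(deviations(BASELINE, POLL_CHANGED)))
```

Filtering volatile lines before hashing is what keeps routine polling from raising alerts on timestamps alone.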

The Web-based interface is somewhat foreboding and is frequently tedious when adding devices and configuring rules and actions. Interface compatibility isn’t an issue; TND worked without problems with Internet Explorer 6, Mozilla, and Safari. From this interface, devices can be grouped and linked from group to group, allowing you to organize them by make, model, vendor, and so on. One drawback: You can’t view more than one group at a time; expanding one collapses another. On the plus side, when digging into a device’s change history, you can highlight differences between the baseline and current configuration in a side-by-side view.

If TND is judged by its stated goal of detecting and managing changes to network device configurations, then it lives up to its billing. But when compared with DeviceAuthority and TrueControl, it doesn’t match up.

DeviceAuthority Suite

AlterPoint’s DeviceAuthority Suite is a mix of Web and Win32 tools, many of which go beyond network configuration management. DeviceAuthority installs a MySQL MaxDB database, an update tool, and a Web-based auditing and inventory tool, which is delivered by the JBoss app server. Unfortunately, the interface is only compatible with Internet Explorer 5.5 or later.

The inventory tool is fairly well laid out, offering most of the suite’s configuration auditing features. From this interface, it’s possible to manage the device inventory, define events, schedule device scans, view highlighted configuration comparisons, and run reports. You can add devices to the inventory manually or via a wizard, and you can import them en masse via a simple delimited text file with device IP addresses and hostnames or via a CSV file (template provided) that contains additional information about each device such as model, access protocol, and log-in credentials. Finally, you can sort and filter device entries by several variables, including device model, make, status, and user-defined class.

DeviceAuthority offers the broadest device support of all three products I tested. It found and accurately inventoried every device in the lab with the exception of the Dell PowerConnect 3300.

The reporting facilities of DeviceAuthority are fairly complete. There are a handful of stock reports available, such as device configuration changes during the past week and inventory reports by vendor. Custom reports are created via a wizard in PDF, CSV, HTML, text, and XML formats. Reports can be e-mailed to admins on a scheduled basis or can be sent manually.

The remainder of the suite comprises the somewhat ill-named Update Module. Regardless of what the name implies, this tool is in fact a full-fledged network development environment. Modeled on the Eclipse IDE (integrated development environment), Update Module is designed to become the central management interface for the whole network. Some of the features include integrated SSH (Secure Shell) and Telnet clients, a Web browser, and network troubleshooting tools such as PING and traceroute.

Using the Update Module, an administrator can scan the device inventory, select individual devices for management, and define custom scripts for mass device management. In addition to providing a large array of sample scripts, DeviceAuthority can record commands as they are executed and can create an editable script in your choice of Perl, JavaScript, or TCL (Tool Command Language)/Expect. The resulting scripts are clean and easily modified outside of the script-creation tool. In addition to one-off or mass configuration changes, you can deploy mass OS updates from within the Update Module, either on the fly or on a schedule.

DeviceAuthority’s inventory and auditing features are solid but could use a hierarchical device list. The Update Module is a unique and impressive tool, offering a standard environment for heterogeneous network administration in a smooth interface.

Rendition’s TrueControl

TrueControl is the most complete solution among the three I tested. Similar to DeviceAuthority, TrueControl relies on a MySQL MaxDB database, but the application interface is wholly Web-based. The front end is devoid of images and utilitarian, but admins can configure the layout to their liking, specifying their core device groups, favorite reports, and display preferences. The interface is compatible with a variety of browsers, including Internet Explorer 5.5 or later, Mozilla, and Safari.

As with the other products, devices can be manually defined, or imported from a CSV file created from a supplied template. Additionally, devices can be imported from Hewlett-Packard’s HP OpenView.

TrueControl also offers an auto-discovery feature that removes the need for administrators to define makes and models when adding devices. TrueControl contacts the device via all supported protocols and determines the make and model automatically. This process takes time, however; instead of waiting, administrators may prefer to define the device manually.

TrueControl also includes a syslog server that is installed with the package. When devices are added manually or are imported, you can have TrueControl change the configuration of each device to point syslog output to the TrueControl server. In addition to SNMP traps and regular polling, TrueControl can actively monitor each device for changes and can notify administrators when a change occurs. The downside is that the syslog server doesn’t necessarily scale and may cause problems if relied on to handle logging for thousands of devices.

In terms of change management, TrueControl has the edge. By acting as the syslog server, as well as an SSH/Telnet proxy server, TrueControl can mandate that every change made to any device on the network be commented on by the engineer making the change, regardless of device OS or vendor. When a change is made via a script or SSH/Telnet proxy, a prompt is presented to the engineer requesting information. If a configuration change is made outside of TrueControl’s purview, it will be noted in the logs, and TrueControl will send an e-mail to the requisite engineer requesting that a change comment be submitted. For administrators tasked with change management duties on large networks, this is a definite benefit.

Another nice feature of TrueControl is the policy assurance tool. Administrators can define policies for each class of devices and can use TrueControl to monitor adherence. For instance, internal best practices may dictate that certain services are disabled on all Cisco routers and that a loop-back interface exists. TrueControl can then detect and report on policy compliance across the enterprise.
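A policy check of the kind described above, written out as an added example rather than anything taken from TrueControl: it audits a Cisco IOS-style configuration for disabled services and a usable loopback interface. The specific required and forbidden commands are a hypothetical policy, and the sample configuration is constructed.

```python
import re

def parse_blocks(config):
    """Map each top-level command to the indented sub-commands under it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line[0].isspace() and current is not None:
            blocks[current].append(line.strip())
        elif not line[0].isspace():
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

# Hypothetical policy for a "Cisco router" device class (not from the review).
REQUIRED_GLOBAL = ["no ip http server", "no ip source-route"]
FORBIDDEN_GLOBAL = [r"^ip http server$", r"^service (tcp|udp)-small-servers$"]

def audit(config):
    """Return a list of policy findings; an empty list means compliant."""
    blocks = parse_blocks(config)
    findings = [f"missing: {c}" for c in REQUIRED_GLOBAL if c not in blocks]
    for pattern in FORBIDDEN_GLOBAL:
        findings += [f"forbidden: {c}" for c in blocks if re.search(pattern, c)]
    loopbacks = [c for c in blocks if re.match(r"interface Loopback\d+$", c)]
    if not loopbacks:
        findings.append("missing: loopback interface")
    for name in loopbacks:
        subs = blocks[name]
        if "shutdown" in subs or not any(s.startswith("ip address ") for s in subs):
            findings.append(f"unusable: {name}")
    return findings

# Constructed sample configuration (documentation address range).
SAMPLE = """\
hostname branch-rtr-07
ip http server
service tcp-small-servers
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface Loopback0
 shutdown
end
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Checking that the loopback is neither shut down nor unaddressed matters because a policy that only looks for the interface name would pass a device where the interface exists but cannot be used.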

TrueControl takes first place in reporting as well. The default summary report contains just about every data point you need — from device counts by OS and vendor; to change statistics by device, user, and group; to a complete device inventory — all in native Excel format with accompanying graphs. Reports can also be made more granular, highlighting specific device changes over periods of time or noting all devices with different running or startup configurations. These reports can be viewed through the Web interface, or they can be scheduled to be sent via e-mail. 

Like TND and DeviceAuthority, TrueControl had no problem detecting and adding any device in the lab aside from the Dell switches. And as with the other solutions, the device support layer is modular, with Rendition offering free device updates. As for extensibility, TrueControl offers Perl and Java APIs for custom integration possibilities, with API guides available from links on the navigation bar.

Among the three solutions I tested, only TrueControl and DeviceAuthority truly offer centralized control over network device configuration. TND simply doesn’t compare to the others in terms of manageability or features. TrueControl’s deep reporting is a major benefit, and DeviceAuthority’s network development environment could be extremely valuable. TrueControl’s pricing puts it at the top of the heap — nearly double the cost of the others — but it’s arguably worth it. Its policy assurance and extended reporting capabilities make it a more complete solution.

Correction:

In this review, we originally misreported which version of DeviceAuthority Suite we reviewed. The error has been corrected.

InfoWorld Scorecard

| Criterion (weight) | DeviceAuthority Suite 2.0 | Tripwire for Network Devices 3.0 | TrueControl 3.0 |
|---|---|---|---|
| Reporting (10.0%) | 8.0 | 6.0 | 10.0 |
| Value (10.0%) | 8.0 | 7.0 | 8.0 |
| Setup (10.0%) | 8.0 | 7.0 | 8.0 |
| Interoperability (10.0%) | 9.0 | 7.0 | 8.0 |
| Performance (20.0%) | 8.0 | 7.0 | 9.0 |
| Ease of use (20.0%) | 7.0 | 6.0 | 8.0 |
| Management (20.0%) | 9.0 | 6.0 | 8.0 |
| Overall Score (100%) | 8.1 | 6.5 | 8.4 |