Friday, August 27, 2010

Backing up the Infrastructure Configs


If you are anything like me, you tend to forget about protecting the very fabric that ties everything together for your environment, the infrastructure components: firewalls, routers, switches, etc. To some extent this is understandable, as these devices have become extremely reliable and, in most organizations, there is not the same degree of change within the infrastructure space as in other areas. Understandable or not, the underlying fact is that when the infrastructure has a problem, everyone has a problem.
Luckily, most of the infrastructure devices in the industry still use text configuration files to control their hardware. This, coupled with the relatively low degree of change, makes infrastructure backups a relatively simple task.
One very successful approach to infrastructure backups is about as "old school" as it gets: back them up manually. Simply have a policy (one that you actually follow, not one that you ignore) of saving a text copy of the config to a specified location each and every time you make a change. It is then a simple matter of making sure that the prescribed location is copied to some media that is available offsite in the event of a total disaster. That's it, a pretty safe solution. The major risk of failure in the system is someone not following the policy, and those lapses are usually concentrated around staffing changes and significant change events, so auditing is relatively easy.
For those of us who are apt to forget about the infrastructure in the first place, relying on our memories to perform the task that will save us come equipment failure time is not normally the best course of action.
Luckily, there are some automated systems to help save us from ourselves.
For the small environment with fewer than 20 devices, there is the free version of Kiwi Cat Tools. If you need to protect more than 20 devices, they have a full version for $750 that supports an unlimited number of devices, although they recommend using it only for up to 100 devices. To see details on using Cat Tools, simply take a look at their features page. The nice part of Kiwi's solution is that it is not married to any single hardware vendor and has a simple, task-based interface without a huge learning curve. It can also notify you by email when the effective configuration has changed on a device, a feature that comes in handy for discovering unexpected changes: either changes made intentionally by other admins and not communicated, or the notorious "Oops, I forgot to save the config" demon. Overall, the system is pretty simple to use once you play with it, and there is plenty of help available, both from the vendor in terms of support contracts and from other support forums. Just make sure to schedule a DB backup task so you have an offline copy available, and make sure you have a copy of the installer in your DR kit so you can read the config DB in the event of a disaster.
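The change notification described above comes down to comparing the config a device reports now with the last copy on file. One way to do that comparison, as an added example that is not part of the original post or of any vendor's tool; the device configs are constructed sample data, and the volatile-line patterns are assumptions modelled on Cisco IOS-style output:

```python
import difflib
import hashlib
import re

# Lines that change without any admin action. These patterns are assumptions
# modelled on Cisco IOS-style output and should be tuned per vendor.
VOLATILE = [
    re.compile(r"^! Last configuration change at "),
    re.compile(r"^! NVRAM config last updated at "),
    re.compile(r"^ntp clock-period \d+"),
    re.compile(r"^Current configuration : \d+ bytes"),
]

def normalize(config_text):
    """Drop volatile and blank lines so only real changes remain."""
    lines = []
    for line in config_text.splitlines():
        line = line.rstrip()
        if not line or any(p.match(line) for p in VOLATILE):
            continue
        lines.append(line)
    return lines

def fingerprint(config_text):
    """Stable hash of the normalized config, cheap to store beside each backup."""
    return hashlib.sha256("\n".join(normalize(config_text)).encode()).hexdigest()

def drift(old_text, new_text, old_name, new_name):
    """Return unified-diff lines between two configs; an empty list means no drift."""
    return list(difflib.unified_diff(normalize(old_text), normalize(new_text),
                                     old_name, new_name, lineterm="", n=1))

# Constructed sample data: saved (startup) config vs. what the device is running.
STARTUP = """! Last configuration change at 09:12:01 UTC Mon Aug 23 2010
hostname sw-core-01
interface FastEthernet0/5
 switchport access vlan 10
ntp clock-period 17180012
"""
RUNNING = """! Last configuration change at 16:40:22 UTC Thu Aug 26 2010
hostname sw-core-01
interface FastEthernet0/5
 switchport access vlan 20
ntp clock-period 17180034
"""

if __name__ == "__main__":
    for line in drift(STARTUP, RUNNING, "startup-config", "running-config"):
        print(line)
```

Running the same function on a device's startup and running configs catches the unsaved-change case, while running it on today's pull and the last backup catches the uncommunicated change.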
For larger environments there are other options such as SolarWinds' Orion Network Configuration Manager, Cisco's Cisco Configuration Assistant, and I am sure others. I am not going to spend a ton of space looking at each one of them, as the tool you use is not as important as simply getting the information backed up. The last thing anyone wants to do during an outage is fumble through which ports on a switch were on which VLAN or which VPN key a particular link should have been using.
