DeviceAuthority Protects Your System Configurations

DeviceAuthority makes no configuration changes. Rather, it inventories, compares and reports on changes to your network infrastructure configuration. The product makes no attempt to normalize configuration data across different vendors or to control configuration access. If you need to monitor configuration changes or you want to compare how a configuration is different between like devices or earlier device configurations, DeviceAuthority is straightforward and useful.

More is Better

The beta version we tested supports Cisco, 3Com, Foundry and Allied Telesis. Cisco is the best covered, in part because of the various versions of IOS, but primarily because of its market share. AlterPoint claims that device support will be added in monthly increments for the foreseeable future and that upcoming support will cover F5 Networks, Nortel Networks (including Wellfleet and Bay Networks), Lucent Technologies, Extreme Networks, Dell Computer, NetScreen Technologies and Adtran. Support for Enterasys Networks reportedly is imminent.

DeviceAuthority comes on a Win32 server (NT4 and Win2k are supported) with a JSP-based console accessible via the included Apache Web server and MySQL database. Installation was easy. The inventory display shows each device by its name, address, model, category and status. DeviceAuthority manages devices by grouping them into user-definable categories. An SNMP OID category would be nice, though, so edge switches could be grouped easily.

We added devices one at a time through a wizard, and it worked fine. Text file import is supported, but only after the device name and IP are entered. Via the wizard, grouping, access user ID and password are added later, which is tedious work. Because we tested a beta release, we weren't able to test it out. However, AlterPoint reps promised that the shipping product imports flat files and supports additional fields such as make, model, OS, user name and password.You can filter the inventory display by device status, type, class, name and category. This helps shorten the list when you're dealing with more than a handful of devices. Once devices are inventoried, device configuration is downloaded into the database. The configuration is then tracked, annotated and compared for changes. We tested this by changing the configuration of a device that already had been inventoried and stored. This created a new version of a particular device configuration. We then were given an option to either commit to the changes and send them to the device or revert to the original configuration. This added step protects against configuration mistakes. Plus, the log noted that someone using our user ID authored the changes.

In the comparison display, two types of changes are shown: those within line numbers and those in the correct position within the configuration. It is very straightforward to find changes and make any necessary fixes to them.

Reporting is clear and concise. Additionally, you can choose between preconfigured reports and custom reports. The canned reports provide enough information about the configuration backups and changes to manage configurations right out of the shrink wrap.

We created custom reports using the wizard. This process was tedious, but we got the hang of it after a while. Still, DeviceAuthority could be improved by simply making the report definition directly editable or by at least adding a Finish button, so that when changes are saved you do not have to walk serially through every report option.

We also created a report showing the changes for the last seven days on a subset of the infrastructure DeviceAuthority was managing. The output is available as text, HTML and PDF. The HTML format has the best visual formatting, and a floating header would make it perfect.DeviceAuthority's scheduled backup of device configuration is another very strong feature. We created a schedule that selected devices we had added to our lab's infrastructure group. Available fields include specific device, host name, make, model, class and OS as targets for configuration backup. Backups worked as advertised.

Look Ma, I Can Still Shoot Myself in the Foot!

DeviceAuthority can't protect from the random hit-and-run--or in our case head-on--collision, so we don't recommend it for operational or helpdesk employees. Configuration syntax checking isn't available, so poorly advised changes or even incorrect formats can be uploaded.

Although access control functionality is offered, DeviceAuthority is basically a flat model with an administrative account and all other accounts. The administrative user is the only one who can add accounts. This means that, short of adding and deleting other users, all users have the same rights to devices in DeviceAuthority's inventory. Such security obviously is not good enough for either an enterprisewide or a service provider solution.

Stand-in or proxy access for the configuration management system is, unfortunately, not included in DeviceAuthority. This means that remote access, even by telnet, is not possible.DeviceAuthority's lack of total access auditing, along with its lack of syntax checking, limits the product's usefulness to workgroups, where configuration management is necessary but access need not be limited. While these drawbacks may make it seem like DeviceAuthority isn't worth using, they do provide a safety net for those users who can be trusted and who know what they are doing. Plus, the price is right.

Bruce Boardman is executive editor of Network Computing, testing and writing about network management and systems. He has 12 years' IT experience managing networks and distributed computing for a financial service provider. Write to him at Bruce Boardman at [email protected].