IT Baseline Protection Manual S 2.171 Selection of a suitable system management product
Initiation responsibility: Head of IT Section
Implementation responsibility: Administrators
After the current system situation has been surveyed (see S 2.168) and the management strategy determined (see S 2.169), a suitable system management system must be selected. Depending on the size of the system to be managed, different implementations may be appropriate here:
- For small systems, system management can be handled "manually" by the system administration team.
- For small and medium-sized systems, system management can also be performed by a collection of individual tools.
- A system management system should be used for large systems.
Today's network-capable operating systems normally already incorporate functions which allow, for example, the central administration of users and user groups. In the Unix world, NIS or NIS+ could be named in this connection, while in the Windows world the Windows NT domain concept allows central user administration via the domain controller. Novell also offers similar opportunities with IntranetWare. In general, it is also possible to run a network-wide policy management system.
In relatively small or medium-sized networks, on the other hand, software management, management of computer configurations and the monitoring of system components are the most pressing problem areas. In this case additional software tools can then be used which can take over the individual tasks. Consideration can be given to using a network management tool, especially in areas that are also covered by the disciplines of network management (configuration management, monitoring).
Various tools could be mentioned for the Windows environment, such as the Novell Zero Administration Kit, which supports administrators in the installation of new computers, the Microsoft Management Console, which provides a uniform centralised view of all administration tools, and the Microsoft Systems Management Server (SMS). The SMS product, for example, offers administrators the following possibilities:
- Drawing up inventories of hardware and software components
- Installation and distribution of data and applications on network computers
- Checking the execution of network applications
- Support for the administration of computers via the network
- Monitoring of network traffic
SMS is not designed for a heterogeneous environment, however. Moreover, remote maintenance is only semi-automatic and requires an administrator to be available on site, which means that its use is only appropriate for relatively small and geographically compact networks.
In the Unix world, "rdist" is a program that can be used for the administration and distribution of software, for example, enabling software to be installed or updated on remote computers. One feature is that it is possible to pick out from a central software pool precisely those products which staff require to perform their particular tasks and install them on the relevant computers. Other add-on programs, some of them available free of charge (usually from the university world), allow monitoring of the network via SNMP, for example.
Solutions assembled in this way provide a cost-effective alternative for relatively small and medium-sized networks. Generally, though, they are dependent upon a skilled administrator, someone who in some cases may make adaptations to local circumstances with extra programming, or who is able to integrate additional functionality.
Such solutions are unsuitable for larger and very large networks, however, because the functionalities are incorporated in various non-integrated tools. The only practicable solutions for large corporate or agency networks are system management systems. Before any such system is introduced, it should be noted that this generally constitutes a considerable intrusion into the running system and must be well planned. It is not rare for the introduction to take more than 12 months, with investment of at least a six-figure sum for relatively large networks. It is therefore important to choose a well-suited management system. The following criteria should be taken into account when choosing the system to be procured:
- What range of functions does the product offer?
- Costs
  - Purchasing the software
  - Purchasing additional hardware (in some systems one or more central management servers will have to be purchased)
  - Installation and operating expenses (in some cases it may even be necessary to employ external staff)
  - Training of staff
  - Miscellaneous (e.g. migration costs on an existing platform, adaptation/new development of local software, building work - for example a secure server room)
- Safeguarding of investment
  - To what extent is the system management product scalable (e.g. number of computers expandable)?
  - Can the platform grow with the company (e.g. number of possible management domains, delegation of tasks)?
  - What are the migration paths to the platform?
  - What are the migration paths from this platform to another platform?
- Possibility of integration with other products
  - Which server and client system platforms are supported?
  - Can an existing network management system be integrated into the system?
  - Can an existing data backup system be integrated into the system?
  - What applications from third parties are available for this product?
- Reliability and security against failure
  - Are there any statements or even guarantees as to maximum downtimes?
  - Is it possible to hot-swap central components?
  - Does the system have its own backup and recovery mechanism? In the event of failure of the management system, there must be mechanisms for regulated restarting within the management system. These may include the loading of data from a backup and automatic checking of consistency - ideally with the resolution of conflicts if inconsistencies are detected.
  - Are updates regularly made available? Are they easy to install?
- Security: restrictions for accessing management functions
  - Can access be restricted at the user ID level (which user is allowed to do what)?
  - Can access be restricted at the component level (which computer is allowed to do what)?
  - Can access to executable commands be restricted on a user-dependent or system-dependent basis?
  - Can administration tasks be divided up? For example, can the administration of components be restricted to certain areas (e.g. only the department computers)?
- Security: administration of computers via the network
  - How is remote access secured?
  - Can remote access be performed using encryption?
  - Is it ensured that (strong) authentication is required before remote administration is carried out?
  - Is it possible to restrict the authorisation for remote administration to certain individuals or roles?
  - Is the user automatically informed of remote accesses?
- Security: data integrity, privacy protection
  - Is the data that is gathered securely stored (access restrictions, encryption)?
  - Does data transfer between the management components take place on a secure basis (authentication, encryption, protection of integrity)?
  - Can the type of information that is gathered be regulated (anonymisation, tracking, provability)?
  - Is it possible to integrate virus scanning programs?
  - What possibilities are provided for logging?
  - Can local software loading be monitored or prevented?
- User-friendliness
  - Does it have a graphical user interface (e.g. X Window System, Motif, Windows interface, Web browser)?
  - How easy is navigation?
  - Is the local language supported, or (if the system is used globally) multiple languages?
  - Are programs easy to execute (also on remote computers)?
  - How easy is it for the user to adapt the interface?
  - Is there appropriate indication of exceptions and alarms?
  - Is monitoring adjustable, including the level of detail?
  - Is the complexity of network components suitably "hidden" (such that the user does not have to be an expert on the component currently being managed)?
  - Can all functions be accessed via the same user interface?
  - Are user guides and online help available?
- Ergonomics in the management of complex systems
  - Are different network protocols, network components and operating systems supported?
  - How does the platform deal with geographically distributed systems and how are they represented?
  - How easy is it to integrate new components or to remove components from the system (by autodiscovery or manually)?
- Conformity with standards (depending on the environment, conformity with at least one standard may be necessary)
  - Platforms
    - Distributed Management Environment (DME) from the Open Software Foundation (OSF)
    - Specification of the Desktop Management Task Force (DMTF)
    - OMNIpoint specification by the Network Management Forum (NMF)
  - Database
    - Which DBMSs (database management systems) are supported?
    - Is SQL supported as a query language, assuming that the management software includes its own database?
  - CORBA (Common Object Request Broker Architecture) from the Object Management Group (OMG)
  - Application Programming Interface (API), in case the company or agency needs to add its own extensions to the management system (e.g. APIs for SNMP, XMP, DMI)
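The four questions under "Security: restrictions for accessing management functions" describe a model in which a management action is permitted only if the user's role covers it, the target computer accepts it, and the computer lies in an area the role may administer. The following is an added example (not part of the BSI text, and not the policy engine of any real product) that makes that model concrete so an assessor can phrase test cases for a candidate system; all role, host and command names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class Component:
    """A managed computer: the area (e.g. department) it belongs to and the
    management commands it accepts at all (component-level restriction)."""
    name: str
    area: str
    accepted_commands: FrozenSet[str]


@dataclass(frozen=True)
class Role:
    """An administrative role: the areas it may administer and the commands
    it may issue there (user-level and command-level restriction)."""
    name: str
    areas: FrozenSet[str]
    commands: FrozenSet[str]


class ManagementPolicy:
    """Hypothetical policy store; a real product would hold this in its DBMS."""

    def __init__(self) -> None:
        self.components: Dict[str, Component] = {}
        self.roles: Dict[str, Role] = {}
        self.user_roles: Dict[str, Set[str]] = {}

    def add_component(self, c: Component) -> None:
        self.components[c.name] = c

    def add_role(self, r: Role) -> None:
        self.roles[r.name] = r

    def assign(self, user: str, role_name: str) -> None:
        if role_name not in self.roles:
            raise KeyError(f"unknown role {role_name!r}")
        self.user_roles.setdefault(user, set()).add(role_name)

    def decide(self, user: str, component_name: str, command: str) -> Tuple[bool, str]:
        """Deny by default; grant only when component, area and role all agree."""
        comp = self.components.get(component_name)
        if comp is None:
            return False, "unknown component"
        if command not in comp.accepted_commands:
            return False, f"{comp.name} does not accept {command!r}"
        for role_name in sorted(self.user_roles.get(user, ())):
            role = self.roles[role_name]
            if comp.area in role.areas and command in role.commands:
                return True, f"granted to {user} via role {role_name!r}"
        return False, f"no role of {user} grants {command!r} in area {comp.area!r}"


def build_sample_policy() -> ManagementPolicy:
    """Constructed sample data: two departments, a data centre, two roles."""
    p = ManagementPolicy()
    p.add_component(Component("pc-sales-01", "sales", frozenset({"inventory", "install", "reboot"})))
    p.add_component(Component("pc-rd-07", "rd", frozenset({"inventory", "install", "reboot"})))
    # A server that only ever accepts read-only inventory via the management system.
    p.add_component(Component("srv-db-01", "datacenter", frozenset({"inventory"})))
    p.add_role(Role("sales-admin", frozenset({"sales"}), frozenset({"inventory", "install", "reboot"})))
    p.add_role(Role("auditor", frozenset({"sales", "rd", "datacenter"}), frozenset({"inventory"})))
    p.assign("alice", "sales-admin")
    p.assign("bob", "auditor")
    return p


if __name__ == "__main__":
    policy = build_sample_policy()
    for request in [("alice", "pc-sales-01", "install"),   # own department: granted
                    ("alice", "pc-rd-07", "install"),      # other department: denied
                    ("bob", "srv-db-01", "inventory"),     # read-only role: granted
                    ("bob", "srv-db-01", "reboot")]:       # server refuses the command
        print(request, policy.decide(*request))
```

The decision is deny-by-default and the reason string is returned so that each decision can be written to the management system's log, which is the evidence an assessor needs for the logging question under "data integrity, privacy protection".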
The considerations listed above are meant to be used as pointers in the assessment of management systems. The requirements to be met by the management system should be formulated in accordance with the local conditions and on the basis of the current system situation (see S 2.168) and the specified management strategy (see S 2.169); these can then be used as knock-out (K.O.) criteria when taking the decision. The above criteria should always be assigned a weighting to reflect local preferences.
It is not usually possible to fully reconcile the requirements that the management system is expected to meet and the services provided by the chosen management system. This means that after a specific product has been selected it is necessary to adapt the existing management strategy to the functional scope of the product.
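The decision procedure described above (weight each criterion by local preference, treat mandatory requirements as K.O. criteria) is easy to get wrong in a spreadsheet, where a product that fails a mandatory security requirement can still come out on top on total points. The following is an added example, not part of the BSI text, of a scoring routine that applies K.O. criteria before weighting; the criteria, weights and the three fictional products are constructed for illustration and are not BSI recommendations.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Each criterion is scored 0..3 by the assessor: 0 = not met, 3 = fully met.
MAX_SCORE = 3


@dataclass(frozen=True)
class Criterion:
    name: str
    weight: float           # local preference; higher = more important
    knockout: bool = False  # K.O. criterion: a score of 0 eliminates the product


def evaluate(criteria: List[Criterion],
             scores: Dict[str, Dict[str, int]]) -> Dict[str, Tuple[Optional[float], Optional[str]]]:
    """Return {product: (weighted score 0..100 or None, failed K.O. criterion or None)}.

    A missing score counts as 0, so an unassessed K.O. criterion eliminates the
    product rather than silently passing it.
    """
    max_total = MAX_SCORE * sum(c.weight for c in criteria)
    results: Dict[str, Tuple[Optional[float], Optional[str]]] = {}
    for product, product_scores in scores.items():
        total = 0.0
        failed: Optional[str] = None
        for c in criteria:
            score = product_scores.get(c.name, 0)
            if not 0 <= score <= MAX_SCORE:
                raise ValueError(f"{product}/{c.name}: score {score} outside 0..{MAX_SCORE}")
            if c.knockout and score == 0:
                failed = c.name
                break
            total += c.weight * score
        if failed is None:
            results[product] = (round(100.0 * total / max_total, 1), None)
        else:
            results[product] = (None, failed)
    return results


def rank(results: Dict[str, Tuple[Optional[float], Optional[str]]]) -> List[Tuple[str, float]]:
    """Surviving products only, best first."""
    survivors = [(p, s) for p, (s, failed) in results.items() if failed is None]
    return sorted(survivors, key=lambda item: -item[1])


# Constructed criteria drawn from the security and investment questions above.
SAMPLE_CRITERIA = [
    Criterion("remote_admin_encrypted", 5, knockout=True),
    Criterion("strong_auth_before_remote_admin", 5, knockout=True),
    Criterion("access_restricted_per_user_and_component", 4),
    Criterion("heterogeneous_platform_support", 3),
    Criterion("scalability", 3),
    Criterion("total_cost", 2),
]

# Constructed assessment of three fictional products.
SAMPLE_SCORES = {
    "Product A": {"remote_admin_encrypted": 3, "strong_auth_before_remote_admin": 3,
                  "access_restricted_per_user_and_component": 2, "heterogeneous_platform_support": 3,
                  "scalability": 2, "total_cost": 1},
    # Product B would win on points but has no strong authentication for remote administration.
    "Product B": {"remote_admin_encrypted": 3, "strong_auth_before_remote_admin": 0,
                  "access_restricted_per_user_and_component": 3, "heterogeneous_platform_support": 3,
                  "scalability": 3, "total_cost": 3},
    "Product C": {"remote_admin_encrypted": 2, "strong_auth_before_remote_admin": 3,
                  "access_restricted_per_user_and_component": 3, "heterogeneous_platform_support": 1,
                  "scalability": 3, "total_cost": 2},
}

if __name__ == "__main__":
    res = evaluate(SAMPLE_CRITERIA, SAMPLE_SCORES)
    for product, (score, failed) in res.items():
        print(product, f"eliminated by {failed}" if failed else f"score {score}")
    print("ranking:", rank(res))
```

Product B is eliminated by the K.O. check before any points are totalled, which is the behaviour the text asks for: a requirement derived from the management strategy is a precondition, not a weighted contribution.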