February 20, 2008

Updating the infrastructure

The infrastructure isn't infrastructure anymore, let's face it. Infrastructure should be something you build on top of: it is not supposed to change as fast as what it carries. That's what we once had.
Routers should be able to run for years, firewalls should not need continuous patching, switches should be something you buy, deploy and forget.
This is not true anymore, and the sooner we realize it the better.
We have firewalls built on stock operating systems, and they need patching or they get compromised. We have managed switches with 802.1X support, and they need updates too. We have Windows-based NAS servers, which (no surprise) need patching.
Some weeks ago, Oglesby and Pianfetti posted an insightful article on virtualization.info about VMware patching. I agree with most of the article: hypervisors are not rock-solid items with no need for patching. But, I add, there is no such thing as "set-and-forget infrastructure" anymore.

As the boundary between "infrastructure" and "application-level stuff" gets thinner and thinner, and the number of features offered skyrockets, we have to think about patching and updating everything in IT. Take a look at the advisories and exploits posted to Bugtraq for switches, firewalls and routers and you get the picture.

Long gone is the time when you could afford to deploy things and get on with work. As complexity grows, we need new approaches to patch management.

Virtualization can do great things on the server side, but network and infrastructure virtualization is still in its infancy (despite the stories vendors tell). Even server patch management still has a long way to go, although some interesting tools like VMTS Patch Manager, xVM Ops Center and Update Manager are showing up. Until then, we'll have to rely on vendor-specific infrastructure update tools.

Many layers of infrastructure = many vendors.
1 tool per vendor + many vendors = a big mess.
We badly need a new way to think about updating: what about a centralized tracking tool, able to inventory devices, issue warnings and push updates across the whole infrastructure? Does something like that exist? Let me know, or drop me a line if you want to start developing it.
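The core of such a centralized tracker is not the pushing of updates (that stays vendor-specific) but the part every vendor shares: an inventory of what is deployed, a list of fixed versions per product, and a comparison that understands each vendor's version-numbering convention. The following is an added example, not code from the post or from any of the tools it mentions; the vendor names, device names, versions and "advisories" are all constructed for illustration and correspond to no real product or bulletin. The generic parser handles the dotted, parenthesised and letter-suffixed styles common on network gear, and a second, semver-style parser shows how a per-vendor rule (pre-release sorts before release) is plugged in without touching the rest of the tool.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """One entry in the deployed-infrastructure inventory."""
    name: str
    vendor: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    """Hypothetical record: the earliest version of a product that carries a fix."""
    vendor: str
    product: str
    fixed_in: str
    summary: str


def generic_key(version: str) -> tuple:
    """Turn a version string into a comparable tuple.

    Digit runs compare numerically, letter runs lexically, so
    "12.4(15)T" > "12.4(15)" > "12.4(9)" and "8.0.4p7" > "8.0.4".
    Caveat: pre-release suffixes are not understood here; a vendor that
    uses "1.2.0-rc1" needs its own parser (see semver_key)."""
    key = []
    for chunk in re.findall(r"\d+|[A-Za-z]+", version):
        if chunk.isdigit():
            key.append((0, int(chunk), ""))
        else:
            key.append((1, 0, chunk.lower()))
    return tuple(key)


def semver_key(version: str) -> tuple:
    """Semver-style convention: a '-' suffix marks a pre-release, which sorts
    before the final release ("2.0.0-rc1" < "2.0.0" < "2.0.1")."""
    main, _, pre = version.partition("-")
    return (generic_key(main), 0 if pre else 1, generic_key(pre))


# One version parser per vendor convention; unlisted vendors use generic_key.
# The vendor names are hypothetical.
VENDOR_KEYS = {
    "semver-appliance": semver_key,
}


def is_outdated(device: Device, advisory: Advisory) -> bool:
    """True when the device runs something older than the fixed version."""
    key = VENDOR_KEYS.get(device.vendor, generic_key)
    return key(device.version) < key(advisory.fixed_in)


def patch_report(inventory, advisories):
    """Match every device against every advisory for the same vendor/product
    and return (device, running, fixed_in, summary) for each outdated box."""
    findings = []
    for dev in inventory:
        for adv in advisories:
            if (dev.vendor, dev.product) != (adv.vendor, adv.product):
                continue
            if is_outdated(dev, adv):
                findings.append((dev.name, dev.version, adv.fixed_in, adv.summary))
    return findings


# Constructed sample inventory and advisories (no real vendors or bulletins).
INVENTORY = [
    Device("fw-edge-1", "firewall-vendor", "fw-os", "4.2.1"),
    Device("sw-core-1", "switch-vendor", "switch-os", "12.4(15)T"),
    Device("sw-access-2", "switch-vendor", "switch-os", "12.4(9)"),
    Device("nas-1", "semver-appliance", "nas-os", "2.0.0-rc1"),
    Device("nas-2", "semver-appliance", "nas-os", "2.0.0"),
]

ADVISORIES = [
    Advisory("firewall-vendor", "fw-os", "4.2.3", "constructed: fix in 4.2.3"),
    Advisory("switch-vendor", "switch-os", "12.4(15)", "constructed: fix in 12.4(15)"),
    Advisory("semver-appliance", "nas-os", "2.0.0", "constructed: fix in 2.0.0 final"),
]

if __name__ == "__main__":
    for name, running, fixed, summary in patch_report(INVENTORY, ADVISORIES):
        print(f"{name}: running {running}, fixed in {fixed} ({summary})")
```

Run as a script it lists fw-edge-1, sw-access-2 and nas-1 as outdated; sw-core-1 is not flagged because "12.4(15)T" sorts after "12.4(15)", and nas-2 is not flagged because it already runs the fixed release. Everything vendor-specific is confined to VENDOR_KEYS and to whatever would replace the print loop with an actual push; the inventory, matching and reporting are shared, which is the part that a per-vendor tool never gives you.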

The next time you build an infrastructure, be sure to ask yourself "How am I going to patch and manage this?".