TMCnet - World's Largest Communications and Technology Community

CHANNEL BY TOPICS


QUICK LINKS




 

Inside Net
January 1999


Policy-Enabled Networking: What's It All About?

BY TONY RYBCZYNSKI

While policy management filters have been features of routers for years, they have not been widely used. But now, with routers acquiring Quality of Service (QoS) capabilities, policy management may soon become less of an option and more of a necessity. That's because instituting QoS complicates network operations, inasmuch as it involves mediation among various, and sometimes conflicting, network requirements. Basically, the challenge is to balance various claims on network resources, and to satisfy demands by users and network managers (and application developers) for higher levels of network security, predictability, and availability.

From the user's point of view, policy management is about receiving appropriate treatment from the network, which is especially important in the case of business-critical applications. From the network operator's point of view, policy management is about minimizing the complexity of end-to-end management and security. It is possible, however, to think of policy management in more general terms. For example, we could say that policy management - or policy-enabled networking - is about the allocation of network resources to best support business needs.

REVIEWING BUSINESS NEEDS
Let's step back and examine the challenges enterprise managers face when they're obliged to accommodate users' demands while maintaining the integrity of their networks.

Security: There is a need to control which users have access to which applications. With the growth of extranets and virtual private networking, the network manager faces the difficult task of meeting internal and external security requirements while still providing easy and timely user access to network resources.

Bandwidth Utilization: Bandwidth, particularly in the wide area, is an expensive resource. Even when bandwidth may be relatively abundant and inexpensive (as in campus networks), traffic peaks and failure conditions drive the need for prioritizing bandwidth across applications.

Application Predictability: As the quest for improved price/performance drives network convergence onto unified network infrastructures, network operators find themselves with additional responsibility. That is, they need to allocate network resources to meet the needs of time-sensitive data and emerging real-time voice, video, and multimedia applications. Since not all applications are equally business critical, the network operator has to ensure that policy guidelines are established and enforced.

Administrative And Network Management Complexity: As organizations implement new applications, the number of administration systems in the network increases. As a result, the simple task (conceptually) of moves and changes becomes a nightmare across multiple configuration databases.

SATISFYING BUSINESS NEEDS
To accommodate user demands while maintaining network integrity, network managers must find a way to bring predictability and control to business-critical applications. One way is to build networks that are automatically aware of who is trying to do what. Such networks correlate information about each user and the application being run, taking into account the security attributes of users and applications, business priorities, and the near-real-time operational state of the network.

All of this information is used to determine whether the user is authorized to run the application and, if so, what priority the user should receive and how much of the network's resources (for example, bandwidth) should be allocated. For example, a user surfing the Internet may be given a lower priority than a person running a mission-critical application.

But how do we handle information about users and applications and network characteristics and business priorities? How do we distill all this information into resource allocation imperatives? The answer is policy management.

POLICY MANAGEMENT
Policy management includes three fundamental functions:

  • Provisioning or configuring the network switches and routers.
  • Enforcement of the provisioned policies.
  • Verification (or auditing) of network operation.

In more general terms, policy management is an implementation of a set of rules or policies which dictate the access and use of resources on a per user, application, or company basis to meet established business objectives. It is essentially focused on providing end-to-end QoS (bandwidth, latency, priority) and security (authentication, authorization, auditing).

POLICY MANAGEMENT COMPONENTS
As it evolves, policy management will provide the enterprise with a simple, unified solution to better meet business needs. Underneath the unified surface, however, policy management will evidence several distinct components, including advanced directories, policy servers, policy clients, and policy-enabled network elements.

Advanced Directory: An advanced directory has as its goal the consolidation and linking of disparate directories (which have typically emerged over time) into what is, in effect, a single, global directory. In such a scenario, the directory becomes a key component of the network. Policies, user information, network configuration data, and network addresses can all be found in this "central" location. The central directory must have the ability to be distributed (for avoiding the need for a megaserver), replicated (for improved performance), and partitioned (isolating more secure information).

The benefits of creating this virtual central directory (virtual in the sense that the directories are linked together to appear as one) can be significant. For example, labor costs related to administration and management may be substantially reduced.

Recognizing the significant potential benefits of unified directory services, several vendors have recently introduced directory products designed to meet the demands of policy-based networking. Some of the competing solutions include Netscape's Directory Server, Novell's Directory Service (NDS), Microsoft's Active Directory, ICL's i500 Directory, Sun Microsystems' Sun Directory Services, and Banyan Systems' StreetTalk, to name just a few. While a unified directory is clearly the end point, establishing an initial directory system around some basic policy management needs is a realistic starting point.

Policy Server: The policy server is the heart of any policy management system. The policy server is responsible for gathering all of the relevant information, making a decision based on the administrator's policies, and then communicating that decision to the network via a policy transaction protocol. The goal of the policy server is to develop a response consistent with the policy, retrieving other data such as network availability or utilization, time-of-day, or service level agreement (SLA) information as appropriate. The response is transmitted to the policy enforcement device (for example, a switch/router) using a policy transaction protocol.

Policy Clients: Policy-enabled clients interact with policy servers. While an administrator sets policies at the user level, policy clients in edge devices recognize only IP addresses. Therefore, policy management is closely tied to IP address management. For example, an IP address management tool can be used to bind a user to an IP address and, through support of the Dynamic Host Configuration Protocol (DHCP), keep this binding updated as addresses are leased and released. With this functionality, administrators can define policies in terms of the users or applications they recognize, while the information is translated into the IP addresses that the edge device recognizes.

Policy-Enabled Network Elements: A policy-enabled network consisting of switches and routers not only provides transport of traffic at the required priority level, but also enforcement of the policy for that traffic. Each device along the traffic's path individually ensures that the policy is enforced locally, relying on a policy server to coordinate the end-to-end policy.

KEY ENABLING TECHNOLOGIES
Directory Enabled Networks (DEN): The DEN initiative is an industry-wide initiative integrating directory services and networks, enabling the development of rich network applications that will operate with a variety of network and directory vendor offerings. DEN defines a way to retrieve and store information about network policies in a database. DEN software then gathers information from multiple directories and matches it with specific policies for devices, users, and applications.

DEN becomes increasingly important as mission-critical business applications are built on general-purpose intranets, extranets, and the Internet. As these applications compete with lower priority applications such as casual Web browsing, DEN will allow prioritization of network resources for specific applications or users. This could, for example, allow payroll data or an urgent customer order to be prioritized (in terms of bandwidth availability) over an employee accessing a Web site.

X.500 Global Directory Service: X.500 is a series of standards-based protocols specifying a model for connecting multiple directory services to form one distributed global directory. Local databases hold and maintain portions of the global database, and the directory information is made available via local servers. As such, the user perceives the entire directory to be accessible from the local server.

The X.500 directory is organized under a common root directory in a "tree" hierarchy reflecting organizational requirements. Typically, this hierarchy may be based on geographic or organizational boundaries. Each item or entry in the X.500 directory describes one object (for example, a person, a network resource, or a company). One of X.500's unique characteristics is that, as long as the X.500 format is followed, locally established optional attributes are possible, permitting a flexible and more manageable solution.

Lightweight Directory Access Protocol (LDAP): LDAP is a directory access protocol whose purpose is to provide a standards-based mechanism that permits any client, server, or application to access any directory service that supports the LDAP protocol interface. The ultimate goal is to facilitate the integration of new applications making use of directory services. From PCs to networking components, LDAP will simplify and promote the deployment of directory services across enterprise networks.

Policy Transaction Protocols: The policy transaction protocol functions as the intermediary between the policy client and the policy server. It is responsible for transferring the policy request and policy response between these two nodes.

Currently, there are two protocols vying to become the IETF standard for a policy transaction protocol - COPS and DIAMETER. The Common Open Policy Service Protocol (COPS) is a simple query-and-response protocol for exchanging policy information between a policy server and its client (or clients). COPS also has the unique feature of allowing the policy control decision to be communicated between the policy client and the policy server in order to determine the validity of that decision.

DIAMETER enables communication between clients and servers for authentication, authorization, and accounting of various services. One of the unique features of DIAMETER is that it allows the policy server to send unsolicited messages to its clients, permitting policy changes to be made and immediately communicated down to the policy client, improving network response times.
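
As an added illustration (not code from the article, from Nortel, or from any COPS or DIAMETER implementation), the following Python sketch models the components described under "Policy Management Components" together with the three policy management functions and the unsolicited policy push just described: a policy server resolves an edge device's address-only request against a constructed DHCP lease table and directory to decide permit, priority, and bandwidth; an edge device enforces and caches those decisions; an audit log supports verification; and a rule change is pushed to every registered client so cached decisions are discarded immediately. All users, groups, addresses, ports, and rules are constructed sample data, and the request and decision messages are plain Python objects rather than any standard wire format.

```python
from dataclasses import dataclass

# Constructed directory contents: users with their group, applications with their port.
USERS = {"alice": {"group": "finance"}, "bob": {"group": "engineering"}}
APPLICATIONS = {"payroll": {"port": 1494}, "web": {"port": 80}}
# Constructed DHCP lease table, the IP address management binding of address -> user.
LEASES = {"10.0.1.10": "alice", "10.0.2.20": "bob"}
# Administrator's rules written in terms of users and applications; first match wins,
# "*" is a wildcard, and the last rule is an explicit deny-all.
POLICIES = [
    {"group": "finance", "app": "payroll", "permit": True, "priority": 7, "kbps": 512},
    {"group": "*", "app": "web", "permit": True, "priority": 1, "kbps": 64},
    {"group": "*", "app": "*", "permit": False, "priority": 0, "kbps": 0},
]


@dataclass(frozen=True)
class PolicyRequest:
    """What an edge device can see about a flow: addresses and ports, not user names."""
    src_ip: str
    dst_port: int


@dataclass(frozen=True)
class PolicyDecision:
    permit: bool
    priority: int   # 0-7 priority level the enforcement device applies to the flow
    kbps: int       # bandwidth allocated to the flow
    rule: str       # which rule produced the decision, kept for the audit trail


class PolicyServer:
    """Gathers directory and address data, decides, and answers policy clients."""

    def __init__(self, users, apps, policies, leases):
        self.users, self.apps, self.leases = users, apps, leases
        self.policies = list(policies)
        self.clients = []       # enforcement points registered for policy pushes
        self.audit_log = []     # (src_ip, user, app, decision) records for verification

    def register(self, client):
        self.clients.append(client)

    def decide(self, req):
        """Map address -> user -> group and port -> application, then match the rules."""
        user = self.leases.get(req.src_ip)
        group = self.users.get(user, {}).get("group")
        app = next((n for n, a in self.apps.items() if a["port"] == req.dst_port), None)
        decision = PolicyDecision(False, 0, 0, "implicit deny")   # default if nothing matches
        for rule in self.policies:
            if rule["group"] in ("*", group) and rule["app"] in ("*", app):
                decision = PolicyDecision(rule["permit"], rule["priority"], rule["kbps"],
                                          f"group={rule['group']} app={rule['app']}")
                break
        self.audit_log.append((req.src_ip, user, app, decision))
        return decision

    def update_policy(self, new_policies):
        """Provisioning: replace the rules and push an unsolicited notification to every
        client so that stale cached decisions are dropped at once."""
        self.policies = list(new_policies)
        for client in self.clients:
            client.policy_changed()

    def denied_flows(self):
        """Verification: the flows the policy rejected, as (src_ip, user, app)."""
        return [(ip, user, app) for ip, user, app, d in self.audit_log if not d.permit]


class EdgeDevice:
    """Policy client and enforcement point: asks the server once per flow, then caches."""

    def __init__(self, server):
        self.server = server
        self.cache = {}
        server.register(self)

    def policy_changed(self):
        self.cache.clear()

    def handle_packet(self, src_ip, dst_port):
        key = (src_ip, dst_port)
        if key not in self.cache:
            self.cache[key] = self.server.decide(PolicyRequest(src_ip, dst_port))
        d = self.cache[key]
        return ("forward", d.priority, d.kbps) if d.permit else ("drop", 0, 0)


if __name__ == "__main__":
    server = PolicyServer(USERS, APPLICATIONS, POLICIES, LEASES)
    edge = EdgeDevice(server)
    print(edge.handle_packet("10.0.1.10", 1494))   # alice -> payroll: forwarded at priority 7
    print(edge.handle_packet("10.0.2.20", 1494))   # bob -> payroll: dropped by deny-all
    print(edge.handle_packet("10.0.9.9", 80))      # unknown address -> web: best effort
    print(server.denied_flows())
```

The edge device never sees a user name; the server's lease table is what turns an address into a user and group, which is why the text ties policy management so closely to IP address management. The deny-all default also means that a new application (an unknown port) is refused until an administrator provisions a rule for it, and `denied_flows()` is the place an operator would look to verify that the provisioned policy matches what the network actually did.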

WHAT'S NEXT?
Some vendors are stepping up to the policy management challenge by developing integrated frameworks to allocate resources across multi-vendor networks. Typically, such frameworks are achieved by:

  • Integrating policies and service level management with existing network management capabilities.
  • Incorporating and expanding the breadth of application intelligence features, such as QoS and security across the data networking product.

Policy management is an emerging solution set which enables business-critical networking applications to perform to specific levels for specific users. Policy management greatly facilitates the delivery of reliable, differentiated, scalable, and secure voice and data solutions.

Tony Rybczynski is director of strategic technologies and marketing for Nortel Networks' Enterprise Solutions. This business unit offers a full range of enterprise workgroup, campus, and wide area unified networks, through direct and indirect channels. For more information, visit the company's web site at www.nortelnetworks.com. E-mail questions or comments to the author at [email protected].

Technology Marketing Corporation