Paper 11
Simplifying Network Administration Using Policy-Based Management
Why?
Policy has been kicked around for years as the way to solve
security, network management, and many other networking ills.
This paper, while focused mostly on network management, lays out
some of the issues in implementing policy systems.
What Bishop said:
"Security Analysts organize the needs of a site in order to define
a security policy.
From this policy, analysts develop and implement mechanisms for
enforcing the policy.
The mechanisms may be procedural, technical, or physical."
Quick Assessment
Probably not the best paper, but it summarizes some of the IETF
and others' work.
Main Point:
PBNM provides the means to simplify management;
we just need to figure out how to implement it
(the same applies to AI and security).
Points:
-
Many pragmatic network operators choose to overengineer
their networks to address any performance concerns rather
than deploy bandwidth-saving QoS.
-
Policy-based administrative architecture: the IETF has some very long
RFCs on policy, policy languages, etc.
-
Policy management tool:
used to define the policies to be enforced within the network.
So how should this be done? What languages, formats, etc.?
-
Policy Enforcement Point (PEP):
a device that can apply and execute the policies.
-
Policy Repository:
stores the policies generated by the management tool;
follows the information model specified by the IETF.
-
Policy Decision Point (PDP):
responsible for interpreting the policies stored in the
repository and communicating them to the PEP.
-
The article focuses on the policy management tool,
simplified via centralization and business-level abstraction.
-
Centralization
refers to the process of defining all the device provisioning and configuration
at a single point.
A Big Issue:
the PDPs retrieve the policy defined in the technology-specific notation
and convert it into the appropriate configuration of the PEP that
can enforce the desired policies.
-
Business-level abstractions
make the job of the policy administrator simpler by defining the policies
in terms of a language close to the business needs of the organization
rather than in terms of the specific technology needed to deploy them.
A Big Issue:
So how do you translate between the levels?
Policy Management Tool
Supporting Enterprise Extranets using IP-security:
an extranet allows a business partner to access part of the
enterprise infrastructure, i.e. some applications running on
some servers within the enterprise.
Each extranet is associated with exactly one security class.
The security class defines the type of security that needs to
be provided to the traffic flows that form part of the
extranet definition.
Figure 6:
an instance of a security policy rule maps an instance of a
communication tunnel to an instance of a security class.
Read page 25.
The problem:
in order to translate the high-level policies shown in Fig. 5
to the low-level policies shown in Fig. 6, we need to map
the definitions of the extranets to a set of secure
communication tunnels, and then generate the right associations
between the communication tunnels and the phase-one and phase-two
parameters and transforms.
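As an added illustration (this is not code from the paper or from these notes), the Python sketch below shows one way the management tool's translation step could work: each extranet is expanded into one communication tunnel per (partner network, exposed service) pair, and every tunnel inherits the phase-one and phase-two parameters of the extranet's single security class. The Extranet and SecurityClass structures, the parameter names and values inside the classes, and the address ranges are all assumptions constructed for the example. It also includes the consistency check a practitioner would want before rules reach the PDPs: two extranets that claim the same tunnel under different security classes are refused rather than silently letting one override the other.

```python
"""Toy translator from business-level extranet policies (Fig. 5 style)
to per-tunnel IPsec policy rules (Fig. 6 style).
Added example; all structures and parameter values are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SecurityClass:
    """Business-level class plus the IPsec parameters it stands for."""
    name: str
    phase1: Dict[str, str]   # IKE (phase one) proposal, assumed keys/values
    phase2: Dict[str, str]   # IPsec SA (phase two) transform, assumed


@dataclass(frozen=True)
class Extranet:
    """High-level policy object: who may reach which services, how securely."""
    name: str
    partner_networks: Tuple[str, ...]               # CIDRs the partner uses
    services: Tuple[Tuple[str, str, int], ...]      # (server, protocol, port)
    security_class: str                             # exactly one per extranet


@dataclass(frozen=True)
class Tunnel:
    src: str        # partner network (CIDR)
    dst: str        # server address (/32)
    protocol: str
    port: int


@dataclass(frozen=True)
class PolicyRule:
    """Low-level rule: one tunnel bound to one security class."""
    extranet: str
    tunnel: Tunnel
    security_class: str
    phase1: Dict[str, str]
    phase2: Dict[str, str]


class PolicyError(ValueError):
    """Raised when the high-level policy cannot be translated safely."""


def _cidr(value: str, ext: str) -> str:
    try:
        return str(ip_network(value))          # "192.0.2.10" -> "192.0.2.10/32"
    except ValueError as exc:
        raise PolicyError(f"{ext}: bad address {value!r}") from exc


def translate(extranets: List[Extranet],
              classes: Dict[str, SecurityClass]) -> List[PolicyRule]:
    """Expand extranets into tunnel rules; fail closed on unknown classes
    and on the same tunnel being claimed under two different classes."""
    rules: List[PolicyRule] = []
    owner: Dict[Tunnel, str] = {}              # tunnel -> class already bound
    for ext in extranets:
        if ext.security_class not in classes:
            raise PolicyError(f"{ext.name}: unknown class {ext.security_class!r}")
        sc = classes[ext.security_class]
        for net in ext.partner_networks:
            src = _cidr(net, ext.name)
            for server, proto, port in ext.services:
                tunnel = Tunnel(src, _cidr(server, ext.name), proto, port)
                prev = owner.get(tunnel)
                if prev is not None and prev != sc.name:
                    raise PolicyError(f"{ext.name}: tunnel {tunnel} already bound "
                                      f"to class {prev!r}, cannot rebind to {sc.name!r}")
                if prev is not None:
                    continue                   # same tunnel, same class: covered
                owner[tunnel] = sc.name
                rules.append(PolicyRule(ext.name, tunnel, sc.name, sc.phase1, sc.phase2))
    return rules


def render(rule: PolicyRule) -> str:
    """One human-readable line per rule, e.g. for an operator review."""
    p1 = " ".join(f"{k}={v}" for k, v in rule.phase1.items())
    p2 = " ".join(f"{k}={v}" for k, v in rule.phase2.items())
    t = rule.tunnel
    return (f"{rule.extranet}: {t.src} -> {t.dst} {t.protocol}/{t.port} "
            f"class={rule.security_class} ike[{p1}] ipsec[{p2}]")


# Constructed sample data (assumed values, not from the paper).
SAMPLE_CLASSES = {
    "confidential": SecurityClass(
        "confidential",
        {"ike": "ikev2", "encr": "aes256", "integ": "sha256", "dh": "group14"},
        {"proto": "esp", "encr": "aes256gcm16", "pfs": "group14"}),
    "authenticated": SecurityClass(
        "authenticated",
        {"ike": "ikev2", "encr": "aes128", "integ": "sha256", "dh": "group14"},
        {"proto": "esp", "encr": "null", "integ": "sha256"}),
}
SAMPLE_EXTRANETS = [
    Extranet("supplier-portal", ("203.0.113.0/24",),
             (("192.0.2.10", "tcp", 443),), "confidential"),
    Extranet("logistics-feed", ("198.51.100.0/24",),
             (("192.0.2.20", "tcp", 8443), ("192.0.2.10", "tcp", 443)),
             "authenticated"),
]

if __name__ == "__main__":
    for r in translate(SAMPLE_EXTRANETS, SAMPLE_CLASSES):
        print(render(r))
```

The rebind check is deliberately strict: in a real tool an operator might want a precedence order between extranets instead, but refusing the ambiguity is the safer default, since a tunnel that silently lands in a weaker class is exactly the kind of error centralization is supposed to prevent.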
Mike Erlinger
Last Modified Tuesday, 11-Apr-2006 09:38:31 PDT