Directory Enabled Networking
A Technology Guide
Abstract
As networks continue to expand and interact, the problems
involved in controlling them from an enterprise point of view
expand accordingly. In addition, the need to gather effective
information on a timely basis is a critical success factor for
any enterprise competing in today's overheated economy. Two
trends are obvious: the need to simplify the users' contact
with the network and the need to simplify the technical
management of the network, including bandwidth management, and
the expansion and introduction of new technologies. In this
technology guide, we describe a cost-effective solution to
both of these problems: Directory Enabled Networking.
Introduction
Networks are expanding at an accelerating, indeed alarming,
rate. With the universal adoption of Internet standards, there
is increasing pressure on organizations to interconnect all of
their isolated LANs into unified intranets and/or extranets.
In addition, virtually any computing device can be tied into
an enterprise network.
As savvy businesses exploit new applications involving
e-commerce and e-business, network managers and architects are
required to make more and more information available across
multiple platforms. As if that were not enough, the explosion
of available networking and computing offerings requires a
means to seamlessly connect these vastly different
technologies both physically and logically. Even if that is
done, there is the serious problem of balancing the
conflicting bandwidth demands of different applications. Some
require fast but bursty pipes while others can accept a more
relaxed transmission mode. The enterprise needs a mechanism for
mixing and matching the global needs of all enterprise
applications so that appropriate service is maintained
consistently while minimizing the cost of providing those
services.
As an example, consider the annoying problem that the
Widget Corporation is facing. Widget is an international
organization that has monthly meetings of its eighteen branch
vice presidents from around the world. Since the cost of air
travel is substantial and escalating, and it is grueling for
each senior executive to travel around the world for these
meetings, and since the lost productivity of these air-bound
executives is enormous, another solution was needed.
The obvious candidate was videoconferencing. But while this
technology would solve the problem, the cost would be
prohibitive. Widget could not afford to install a separate,
global videoconferencing network just for 12 meetings a year.
So, the IT department at Widget suggested another solution. The
department had just finished testing a PC-based
videoconferencing system that could run over the company's
existing global network. The only catch was that the video data
packets had to be given top priority; video demands high
bandwidth so that the video feeds remain acceptable to
viewers. Widget needed to find a way to give the senior
executives' traffic top priority around the world, through
many different parts of their network, once per month on an
arbitrarily scheduled basis, just for the duration of the
teleconference, whose length, of course, cannot be predicted.
But how could they do it? Their solution was Directory Enabled
Networking (DEN). As will be described, DEN enables the entire
enterprise network to give the highest priority to this single
application on the dates and times specified so that all
necessary resources are given to these data packets first.
When the conference is over, the global network reverts to its
normal operation. All of this happens on an automatic basis
without human intervention, thanks to DEN.
The need to access data corporate-wide is an even more
pressing problem than accommodating the vice presidents at
their monthly meetings. As organizations evolve from multiple,
unconnected client-server LANs into a single, interconnected,
enterprise-wide network, the mission-critical data that drives
the company remains isolated on local LAN databases, even
though the network itself is physically integrated. If data is
isolated, likely in different formats on different
architectures and generally not available on an
enterprise-wide basis, then the effective use of cutting-edge
applications is significantly compromised because the relevant
data cannot be accessed in a timely manner.
Correspondingly, the company that can harness this data will be
the company that succeeds in the net-intensive 21st century.
This presents the network manager with two major problems:
managing increasing complexity of the network while satisfying
demands for simplicity from the outside. As increasingly
sophisticated e-commerce applications are launched, the
enterprise network will come under another threat to
efficiency: the quick search for relevant information.
Information needs to be located using different approaches.
Getting the right information quickly and in a useful format
is already becoming an important issue, and the enterprise
that deploys an effective solution to such retrieval will have
a significant market advantage over those doing business in
the traditional manner.
Unresolved Enterprise-Wide Networking Issues
It is clear that enterprise networks need mechanisms that can
provide two basic services: simplification of network access
for end-users and the capability to make relevant information
available to the appropriate people at the right place, at the
right time, while minimizing business costs. When this
universal access is available, however, there are many
potential problems related to the inability of the network
elements to properly coordinate the data repositories
throughout the network. Some of these problems are:
- No Control Over Bandwidth Allocation.
Applications need different bandwidth depending on their
nature. For example, an application may need to transmit
video data at a precise but unpredictable instant. If the
network cannot quickly allocate the necessary bandwidth,
the application will not achieve its intended purpose. If
the network can dynamically allocate bandwidth on an
as-needed basis, its applications will run effectively,
the bandwidth will be allocated efficiently and the total
cost of network ownership will be significantly reduced.
- No Control Over Latency. Applications can also
have specific latency needs. E-mail for example, does not
normally need expedited treatment. On specific occasions
though, a message might need priority status to be sent
through the network as quickly as possible. Most
enterprise networks do not permit transient resetting of
application bandwidth parameters and may not even allow
static priorities.
- Costly, Slow Administration and Management. If
the management of the network is decentralized, network
management will become fragmented. Fixing problems will
take much longer, increasing the cost of component
downtime. The problem of configuration management becomes a
very expensive proposition. Consider the problem of
updating a piece of software that runs on hundreds of PCs.
If this is not automated, the cost of individually
updating each of those PCs becomes astronomical.
- Lack of Consistent Security. When diverse
components are connected, the problem of security
increases significantly. The network must have a
consistent security policy. For example, there should be
only one password per entity throughout the
organization. Virus protection should be automatically
provided and there should be an audit trail to verify
compliance. Consider the problems that the organization
would have if a trusted supplier suddenly became a
corporate enemy. If the appropriate protections were not
taken globally at the same time, that supplier could
access parts of the network that were not informed of the
change in protection. A consistent security policy that can
be implemented instantly organization-wide would save
potential embarrassment and possible economic loss.
- Lack of Consistent Network Policy. If there is
not a central repository for network policy, each local
administrator will allocate bandwidth and priorities on an
ad-hoc basis. This means that the overall policy will not
be synchronized or globally optimized. Guarantees cannot
be given to applications and their execution will either
fail or be seriously compromised.
- No Control Over Users. Networks cannot restrict
user access during critical times. For example, if the
network were supporting the video feed for the monthly
videoconferences, it would be prudent to restrict
non-essential e-mail and web searches until the bandwidth
had been released. Similarly, when users access the
network remotely, most corporate networks will not perform
additional security checks or keep an audit trail of the
user's activities. Most networks will permit local
"hogging" of the bandwidth. If a specific
department suddenly floods the network with bandwidth
requests, other departments will suffer an unnecessary
degradation of service.
- Slow Corporate Response. The world of the 21st
century moves at Internet speed. The enterprise must react
to changes at the same rate. If the network cannot respond
in a timely manner, business advantage may be lost. In
addition, if changes are to be made, they must be made
quickly. Failing to do this will yield the advantage to
competing organizations.
- Inaccurate Data. Because customer data can be
spread over hundreds of different local databases, a
single change may not be propagated to other relevant
databases. For example, if the manager of a local database
is informed that a customer's address has been changed,
the new address may not be propagated to other databases
resulting in lost correspondence or delays in collecting
accounts.
- Unnecessary Duplication of Data. Duplicate data
represents a significant cost to the organization. It
costs to collect the data each time it is recorded
separately and if changes are made at a local database,
these may not be reflected in a timely manner. Having a
single store for data items reduces the cost of owning
that data and prevents inconsistent use of stale versions.
- Incompatible Data Formats. The data stored in
various databases will likely be in different formats.
Requiring applications to understand and convert each of
these formats will increase the cost of modifying those
applications and errors in data conversion. If there were
a way to transparently map data into a consistent format
for the application, no changes would be necessary. The
cost of application maintenance would drop dramatically.
As an example, consider the way local databases might
represent postal codes. The nation of origin of the
database determines the local format (American, Canadian,
English, etc.). An application that has the format
automatically mapped would require no modification.
Similarly, when a new country was added to the network, no
changes to any application would be necessary.
- Lack of Personalization. A key to doing business
in the 21st century is to be able to personalize the
enterprise's approach to each customer. When a customer
places an order, it is imperative that all of the
information associated with that customer be available to
all interested applications at the time of entry. If it is
not, then not only sales, but also customers may be lost.
Value of Properly Integrating Directories and Database
Repositories
Having these complex enterprise-wide network problems resolved
is worthwhile considering the value to the organization. A
solution that can solve these problems in a cost-effective
manner will provide real payback to the organization. The cost
of the solution will be justified by an increase in business
and by a decrease in network cost of ownership. The following
views illustrate the value of solving these problems.
- Fast Corporate Response. Moving in Internet time
is mandatory in today's business environment. Being able
to quickly integrate a new technology into network
applications increases opportunities for revenue
generation. Likewise, the ability to quickly ramp up
operations in order to seize new business opportunities
greatly depends on being able to scale the network in a
consistent, evolutionary fashion. In addition, being able
to reset the parameters of network bandwidth and latency
on-the-fly means that the enterprise network can respond
in real-time to these needs, expediting priority requests
from mission-critical applications. As this is being
written, a category four hurricane is approaching the
shore of the southeastern USA. A top-priority e-mail
message suggesting appropriate action for all employees in
the affected region had better not be delayed by some web
browser checking out the local sports news.
- A Policy-Based Enterprise Network. This enables
priority-based decisions to be made on a globally
optimized basis. For example, if a mission-critical
application suddenly demands massive bandwidth for an
important transmission, web applications will be either
slowed down or disabled until the priority application is
finished. When the priority bandwidth is no longer needed,
these less-important applications can soak up the free
bandwidth as needed. Thus the organization can guarantee
that the appropriate policy is deployed. In addition, that
policy should be capable of being modified on a moment's
notice.
- Fast, Cost-Efficient Administration and Management.
Network management that is logically centralized is much
more cost effective. Configuration management is easily
rationalized and faults in the network can be quickly
isolated and corrected.
- Consistent Security Policy. This enables all
customers and employees to have their own passwords and
control lists logically centralized. When a security
clearance changes, it is changed in one spot and the
entire organization sees that change. Similarly, the same
virus protection program can be run corporate-wide on any
incoming e-mails or file transfers.
- Accurate Data. If data is more consistently
accurate, then mistakes in billing, addressing, etc. may
not occur as frequently. This can save a significant amount
of time and expense. In M. Hammer's account of the
reengineering of Ford's Accounts Payable process [1], he
found that 75% of staff work involved correcting invoices
that had inaccurate, manually entered data. Using accurate
data resulted in significant staff reductions, and not
only was a significant amount of money saved, but the
invoice-cycle time was reduced from weeks to days, with a
related increase in supplier satisfaction and a much
better cash flow.
- Single Data Storage. Having data stored in a
unique location reduces the costs of duplicating storage.
In large organizations, this is significant. In addition,
there is an expense associated with collecting data, so
having it collected only once reduces that cost. It also
increases customer satisfaction when data doesn't have to
be reentered multiple times. These capabilities are also
valuable internally. It is estimated that a typical
company has about a 20% personnel turnover per year. Being
able to instantly update all of the related corporate
databases from a single data entry simplifies network
administration.
- Logically Compatible Data Formats. This enables
applications to have a single view of all of the corporate
data. The decrease in maintenance costs will be
substantial.
- Customer Personalization. Being able to logically
relate all of the information associated with a single
account allows an organization to provide more
personalized targeted service to that customer. This
inevitably leads to increased sales and increased loyalty.
Directory Enabled Networks
A Directory Enabled Network (DEN) is a cost-effective and
efficient way of achieving the benefits described above. A DEN
enables the network manager to configure the entire network so
that the bandwidth and latency allocations for the
organization's application portfolio can be dynamically
managed in the most effective manner for the entire
organization. The allocation of these two critical resources is
done on a global basis taking into consideration all of the
needs of the enterprise. DENs also rationalize the day-to-day
management of the entire enterprise network. For example,
configuration control is centrally located. Thus if the
company's routers need an upgrade to their firmware, a
DEN-based application can keep track of the installation
process, providing progress reports and proof that all of the
upgrades have been performed. A DEN also enables a user to
correlate the different characteristics of each individual
database repository in such a way that different applications
can effectively use relevant data from anywhere in the
organization, regardless of its physical format. It separates
the logical properties of abstract concepts such as security,
bandwidth allocation, latency guarantee, quality of service
demands, etc., from the physical components of the enterprise
network. DENs have two main components: the Directory and the
Policy Server.
Directory
A directory in this context is a mechanism to store and
retrieve information about cross-referenced data. Directories
are common devices in society. Simple physical examples
include the telephone directory and the Yellow Pages.
Directories are also commonplace in software. They are used to
locate user files, network addresses, and many other entities.
Technically, a directory is a mapping from a search string
to a resultant string. In the case of the telephone directory,
it maps a person's name and possible street address to a
telephone number. Note that the country and area codes are
implicit in the phone book listings.
Directory Enabled Networking correlates all LAN directories
and integrates them into a single centralized logical entity.
It also provides automatic-mapping mechanisms to switch back
and forth between different data formats. DEN formally
separates parts of the network into separate entities, such as
the Policy Server, the Directory Server, the Application
Server and anything else that would benefit from logical
and/or physical separation.
The X.500 Directory Project
The first attempt to define a global, open standardized
directory was the X.500 Directory Services Standard, which was
promulgated by a combined technical sub-committee of ISO/CCITT.
(CCITT has been renamed the ITU.) Initially driven by the need
of the world's telephone companies to provide a directory
service for the e-mail standard, X.400, it was intended that
the directory would automate the world-wide White and Yellow
Page telephone directories. However, the ISO participants
quickly realized that the standard would be applicable to a
far-wider range of applications, particularly in the area of
distributed applications running over various lower
architectures. As a result, the standard took more than a
decade to develop. There are three official versions (1988, 1993
and 1997), representing increasing complexity. But that
complexity has resulted in a standard that is very difficult
to implement in an industrial-strength instantiation.
Schema Descriptions
The individuals who developed the X.500 standard quickly
realized that there were many more ways to address entities
than just by their names. So the concept of schema
descriptions of entries was introduced. A schema is a formal
way of defining how data is to be organized and represented
from a logical, physically independent viewpoint. When each
participating site is given the schema for an entry, it can
store and retrieve local data relating to an X.500 request
locally and can transmit that data to other sites when
requested. Thus, one of the important standards activities was
to define a universal set of common schema that every
participating directory would understand, and permit
cooperating directories to exchange schema among themselves. As
an example, an e-mail name would be common universally. But a
local organization might have schemas that were private to its
extranet.
The X.500 Directory
The entire X.500 directory service is referred to as the
'Directory' even though there may be many (possibly millions)
separate servers holding parts of the overall directory data.
Directory contents are attribute-based and the fundamental
directory entity is an entry. An entry is a collection of
attributes that has a unique name (called the Distinguished
Name). The schema describes the form that these attributes can
take. If cooperating directories understand each other's
schema, they can exchange data even though the local
individual representation may be quite different. These names
are hierarchically organized in a tree structure. Each of the
entries has a 'type' definition and one or more values
associated with that type. Types are typically mnemonic strings
like "email" for e-mail addresses. An e-mail
attribute might be "jjones@sympatico.ca" for
example. The required attributes needed in an entry are
controlled by a special attribute called an objectclass.
The directory can store information related to network
entities, their attributes and current status, IP addresses,
e-mail locations and a host of related information.
With this capability, for example, a local PC could request
the services of a color printer on the network for printing
out a color document. In this example, the directory would
respond with the address of the closest available printer,
queue the request and inform the client. Since its schema
describes the client's data, the directory could invoke a
translation program if the printer could not accept the data
in that particular form. With these capabilities, it's clear
that X.500 can serve as the unifying factor that enables
Directory Enabled Networking. As long as the appropriate
schema is defined, LANs can be interconnected and applications
can invoke translation programs whenever necessary.
In addition to enabling access to network devices based on
their abstract attributes, X.500 has a corollary definition: the
X.509 universal security standard, which is the certificate
authentication portion of X.500.
LDAP
The X.500 standard, however, is so massive and resource
intensive that efficient implementations, such as using X.500
for dynamic routing in a network, are difficult. To address
this question of efficiency, a stripped down version of the
X.500 access protocol called LDAP (Lightweight Directory
Access Protocol), which avoids the heavy overhead mandated by
the X.500 standard, was developed in the early 1990s. This
version is now accepted by all major vendors and has emerged
as the most likely standardized directory services access
protocol.
LDAP is neither a directory nor a database. It is an access
protocol that works in conjunction with other facilities such
as relational database software. LDAPv3 (RFC 2251) is the
latest version of the standard and, in addition to defining a
basic access protocol, defines an information model that is
hierarchically organized in terms of its entries, which are
structured according to their attributes and specific values.
That is done by defining a schema for common standard values
such as people, organizations and countries: values, for
example, that one would need to facilitate e-mail. LDAP is
fully compatible with standard X.500 and has been adopted by
all major directory vendors, forming the infrastructure for
true directory interoperability.
LDAP defines standard operations that clients can use in
accessing, updating and massaging data in a directory
environment. In addition to defining how its functions are to
be mapped onto TCP/IP, it also supplies a standard set of
function calls and definitions that application programs can
use to access the directory.
LDAP and the Internet
Work is also underway to formally integrate Internet directory
information into LDAP (RFC 2247, 2377). In parallel with the
X.500 development, the Internet has the same need to find and
interconnect millions of servers. This was solved on the
Internet by developing a simplified directory services
protocol called the Domain Name Service (DNS) that quickly
locates IP server locations. Integrating the two services is a
critical part of a Directory Enabled Networking.
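The entry, attribute and objectclass model described under "The X.500 Directory", the schema checking described under "Schema Descriptions", the LDAP operations (add, search, compare) and the RFC 2247 mapping of DNS names onto Distinguished Names are easier to see in code. The following Python is an added example written for this guide; it is not code from the guide, from X.500 or from any LDAP product. The schema table, the Widget Corporation entries and the `printer` objectclass are constructed for illustration; the `domain` class with its `dc` attribute follows RFC 2247.

```python
"""Toy in-memory directory following the X.500/LDAP information model (constructed)."""

# Constructed schema: objectclass -> (required attributes, optional attributes).
# The 'domain' class mirrors RFC 2247; 'printer' is hypothetical.
SCHEMA = {
    "organization": ({"o"}, {"description"}),
    "organizationalunit": ({"ou"}, {"description"}),
    "person": ({"cn", "sn"}, {"mail", "telephonenumber"}),
    "domain": ({"dc"}, {"description"}),
    "printer": ({"cn"}, {"location", "colour", "status"}),
}


def parse_dn(dn):
    """'cn=J Jones,ou=Sales,o=Widget' -> [('cn','J Jones'), ('ou','Sales'), ('o','Widget')].
    Attribute types are case-insensitive, so they are lower-cased; values are kept.
    Escaped commas inside values are not handled in this toy."""
    rdns = []
    for part in dn.split(","):
        attr_type, _, value = part.strip().partition("=")
        rdns.append((attr_type.strip().lower(), value.strip()))
    return rdns


def dn_from_domain(domain):
    """RFC 2247 style mapping of a DNS name: 'widget.example' -> 'dc=widget,dc=example'."""
    return ",".join("dc=" + label for label in domain.strip(".").split("."))


class Directory:
    def __init__(self):
        self.entries = {}  # normalised DN -> {attribute: [values]}

    @staticmethod
    def _norm(dn):
        return ",".join(f"{t}={v}" for t, v in parse_dn(dn))

    @staticmethod
    def _parent(key):
        return key.partition(",")[2]  # '' for a root entry

    def add(self, dn, attrs):
        """LDAP-style add: the objectclass values decide which attributes are
        required and permitted; the parent entry must already exist in the tree."""
        key = self._norm(dn)
        attrs = {k.lower(): list(v) for k, v in attrs.items()}
        if key in self.entries:
            raise ValueError(f"entry already exists: {dn}")
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if not classes:
            raise ValueError("objectclass is mandatory")
        required, allowed = set(), {"objectclass"}
        for oc in classes:
            if oc not in SCHEMA:
                raise ValueError(f"unknown objectclass: {oc}")
            req, opt = SCHEMA[oc]
            required |= req
            allowed |= req | opt
        missing = required - set(attrs)
        if missing:
            raise ValueError(f"missing required attributes: {sorted(missing)}")
        extra = set(attrs) - allowed
        if extra:
            raise ValueError(f"attributes not permitted by schema: {sorted(extra)}")
        parent = self._parent(key)
        if parent and parent not in self.entries:
            raise ValueError(f"no parent entry for {dn}")
        self.entries[key] = attrs

    def search(self, base, attr, value, scope="subtree"):
        """LDAP-style equality search: DNs under base whose attr contains value.
        scope 'subtree' covers base and everything below it; 'one' covers its children."""
        base, attr, hits = self._norm(base), attr.lower(), []
        for key, attrs in self.entries.items():
            if scope == "one":
                in_scope = self._parent(key) == base
            else:
                in_scope = key == base or key.endswith("," + base)
            if in_scope and value in attrs.get(attr, []):
                hits.append(key)
        return hits

    def compare(self, dn, attr, value):
        """LDAP-style compare: is value one of the entry's values for attr?"""
        return value in self.entries[self._norm(dn)].get(attr.lower(), [])


def build_widget_directory():
    """Constructed Widget Corporation tree: organization -> units -> people/printers."""
    d = Directory()
    d.add("o=Widget", {"objectclass": ["organization"], "o": ["Widget"]})
    d.add("ou=Sales,o=Widget", {"objectclass": ["organizationalUnit"], "ou": ["Sales"]})
    d.add("ou=Printers,o=Widget", {"objectclass": ["organizationalUnit"], "ou": ["Printers"]})
    d.add("cn=J Jones,ou=Sales,o=Widget",
          {"objectclass": ["person"], "cn": ["J Jones"], "sn": ["Jones"],
           "mail": ["jjones@sympatico.ca"]})
    d.add("cn=colour-3,ou=Printers,o=Widget",
          {"objectclass": ["printer"], "cn": ["colour-3"], "colour": ["TRUE"],
           "status": ["available"]})
    return d


def schema_rejects(directory, dn, attrs):
    """True when the directory refuses the entry (schema or tree violation)."""
    try:
        directory.add(dn, attrs)
    except ValueError:
        return True
    return False
```

A client looking for a free colour printer would call `search("ou=Printers,o=Widget", "status", "available", scope="one")`, and an e-mail gateway would resolve an address with `search("o=Widget", "mail", "jjones@sympatico.ca")`; an entry that omits a required attribute, or whose parent is not in the tree, is refused by `add`, which is the point of agreeing on a common schema before directories exchange data.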
DMTF and the Common Interface Model
It is not enough, however, to simply use LDAP to create a
Directory Enabled Network. Schemas have to be defined among
all cooperating directories on the network. This requires a
universal set of common definitions that can be used by all
networks.
This problem has been addressed by the Distributed
Management Task Force (DMTF), which has defined a Common
Information Model (CIM). The CIM is a standard object-oriented
model that formally represents objects in terms of instances,
properties, relationships, classes and subclasses. The
Directory Enabled Network initiative, which is an ad-hoc group
of DMTF consisting of more than 70 companies, has worked out a
specification for modeling functionality and management of
network elements and services. The DEN LDAP work is closely
aligned with CIM and is approved by the DMTF. But this
alignment only defines the exchange and publication of common
schema. One of the areas not addressed by LDAP is replication,
i.e., the ability to provide for backups in case of a single
directory component failure. Since replication is mandatory
for robust Directory Enabled Networking, LDAP has defined an
interim solution, LDUP (LDAP Interchange Format). An IETF task
force is currently defining the LDAP
Duplication/Replication/Updating standard that will provide
for automatic replication services. Several RFCs have been
released and the final definition should be available by the
beginning of the year 2000.
The Policy Server
The Policy Server is the second critical component for DENs.
It enables what has been called "policy-based
networks," enterprise-wide networks that can
automatically provide different service levels to different
classes of users or applications depending on their varying
bandwidth, latency, security and priority requirements,
etc. The Policy Server can have either static or dynamic
policies. The network administrator sets these and indeed, one
could imagine an intelligent agent also doing the resetting on
an as-needed basis.
Some examples of static allocations are:
- Groups of users are permitted/denied access during
certain times of the day, week, month or year. For
example, a university might restrict student access during
normal business hours or restrict administrative access
during the last week of classes.
- Particular applications are always given highest
priority when run. The e-mail coming from the office of
the CEO always jumps to the head of any queue, for
example.
- The Registrar's department always gets 90% of the
network during the first week of registration.
- A user always has the same e-mail address regardless of
where she is at any given time.
- The Accounting Department is always given 25% of the
total network bandwidth regardless of general traffic.
Allocations can also be dynamic. When a certain condition
is met, the corresponding policy is invoked. Examples
include:
- If bandwidth utilization of all kinds exceeds 50%, then
general web access is denied.
- If the aggregate usage from a single department exceeds
a high-water mark, then no further usage is permitted from
that department.
- If a vice-presidential videoconference is scheduled,
then all other traffic is delayed.
- If a user accesses the network from a remote location,
then appropriate authentication is performed and an audit
trail maintained.
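The static and dynamic allocations listed above amount to a rule base that the Policy Server evaluates against each request and the current state of the network. The following Python is an added example written for this guide, not code from the guide or from any policy-server product. The groups, departments, thresholds and the precedence between conflicting rules are constructed assumptions; a real Policy Server would load its rules from the Directory rather than from constants.

```python
"""Toy policy server: static and dynamic network policies (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed parameters; a real deployment would read these from the directory.
BUSINESS_HOURS = (time(9, 0), time(17, 0))   # Monday to Friday
WEB_DENY_UTILISATION = 0.50                  # "utilisation exceeds 50%" rule
ACCOUNTING_RESERVE = 0.25                    # "Accounting always gets 25%" rule
DEPT_HIGH_WATER_MBPS = {"Engineering": 200.0, "Marketing": 80.0}


@dataclass
class NetworkState:
    """Snapshot of the network as the policy server sees it (constructed)."""
    now: datetime
    utilisation: float            # share of total capacity in use, 0.0..1.0
    dept_usage_mbps: dict         # department -> current aggregate usage
    videoconference_scheduled: bool
    remote_access: bool           # request arrives from outside the enterprise


@dataclass
class Request:
    user: str
    group: str
    department: str
    application: str


def in_business_hours(now):
    return now.weekday() < 5 and BUSINESS_HOURS[0] <= now.time() < BUSINESS_HOURS[1]


def decide(state, req):
    """Return {'allow', 'priority', 'reserved_share', 'actions'} for one request.
    Static rules run first; dynamic rules may then tighten the decision. As an
    assumption of this example, a static 'highest' priority (CEO office e-mail)
    is not demoted by the videoconference rule."""
    d = {"allow": True, "priority": "normal", "reserved_share": 0.0, "actions": []}

    # Static policies: fixed by the administrator.
    if req.group == "student" and in_business_hours(state.now):
        d["allow"] = False
        d["actions"].append("deny: student access restricted during business hours")
    if req.group == "ceo-office" and req.application == "email":
        d["priority"] = "highest"
    if req.department == "Accounting":
        d["reserved_share"] = ACCOUNTING_RESERVE

    # Dynamic policies: triggered by the current network state.
    if req.application == "web" and state.utilisation > WEB_DENY_UTILISATION:
        d["allow"] = False
        d["actions"].append("deny: general web access while utilisation > 50%")
    high_water = DEPT_HIGH_WATER_MBPS.get(req.department)
    if high_water is not None and state.dept_usage_mbps.get(req.department, 0.0) > high_water:
        d["allow"] = False
        d["actions"].append(f"deny: {req.department} above its high-water mark")
    if (state.videoconference_scheduled and req.application != "videoconference"
            and d["priority"] != "highest"):
        d["priority"] = "delayed"
    if state.remote_access:
        d["actions"] += ["require-authentication", "audit-trail"]
    return d


def example_decisions():
    """Constructed scenarios; returns {scenario name: decision}."""
    tue_10am = datetime(2024, 3, 5, 10, 0)   # a Tuesday, inside business hours
    sat_10am = datetime(2024, 3, 9, 10, 0)   # a Saturday
    quiet = NetworkState(tue_10am, 0.20, {"Engineering": 50.0}, False, False)
    busy = NetworkState(tue_10am, 0.80, {"Engineering": 250.0}, True, True)
    weekend = NetworkState(sat_10am, 0.20, {}, False, False)
    return {
        "student_weekday": decide(quiet, Request("s1", "student", "Registrar", "web")),
        "student_weekend": decide(weekend, Request("s1", "student", "Registrar", "web")),
        "ceo_email_during_conference": decide(busy, Request("ceo", "ceo-office", "Executive", "email")),
        "engineering_over_high_water": decide(busy, Request("e1", "staff", "Engineering", "build")),
        "accounting_normal": decide(quiet, Request("a1", "staff", "Accounting", "erp")),
        "web_when_congested": decide(busy, Request("m1", "staff", "Marketing", "web")),
    }
```

The order in which rules are applied is itself policy: here the denials accumulate, the Accounting reservation is granted regardless of load, and a remote-access request always picks up the authentication and audit actions even when it is otherwise allowed, which is the audit trail the text asks for.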
Directory Enabled Networks
Directories of all sorts are being deployed throughout the
business enterprise today. We can expect the number of
enterprise directory deployments to increase dramatically over
the next few years. As an example, IDC estimates that the
installed base of Microsoft's Active Directory will increase
from three million in 1999 to six million in 2003, and NDS to
grow from one million in 1999 to three million in 2003.
A key element of the Directory Enabled Networking approach
is to separate the physical details of the network from the
logical attributes of the application area. Having to memorize
specific references such as IP addresses or even telephone
numbers is an indication of a hard-coded technological
solution, which does not scale, is expensive to maintain and
is fraught with the possibility of errors.
A DEN solution with these attributes would drive down operating
costs, lower the costs of expansion and make the entire network
more responsive to delivering the right information to the
enterprise's users in a fast, efficient manner.
The DEN, therefore, should have certain fundamental
attributes and characteristics:
- It should enable the network to rapidly reconfigure
itself in changing business or technical climates.
- It should enable the network to work with other
platforms.
- It should have the capability to be self-managing.
- It should be scalable.
- It should be fault-tolerant.
- It should allow the network to recognize people and
applications by their pertinent attributes and
characteristics, not numerical sequences like IP
addresses.
- The network should be essentially invisible to the end
user.
- It should reduce the cost of ownership of the network by
reducing the complexity, expense and knowledge required to
build and operate it.
Directory Enabled Networks provide growing organizations
with the ability to automatically manage the business
enterprise. They enable the management of the network to be
based on the business processes of the organization and/or the
application demands, not on the physical details of the
hardware. Consider an example of a large organization as
illustrated in Figure 1.
Figure 1 illustrates the complexity of the connections. This
enterprise network contains a large number of devices, ports,
protocols, user applications and services. All of these
elements hold information relating to their configurations,
operation status and relationships. They also produce useful
information during their operation. Network directories
provide a mechanism to centralize and effectively use the
network information available at a system level to maintain
abstract service agreements.
Objectives of Directory Enabled Networking
As Directory Enabled Networks are being built, it is important
to focus on the reasons for their use and development. A
Directory Enabled Network is used to:
- Implement abstract policy rules that are divorced from
the specific details of device/vendor implementations
- Simplify system configuration and device control
- Centralize knowledge of dynamic network elements
- Create dynamic bindings with the Network Operating
System
- Reduce the total cost of ownership through reduced
troubleshooting time, simplified network administration
and reduction of network complexity
- Provide for multiple directory server interoperability
across a multivendor environment
- Provide the foundation of policy management and
accounting applications
- Bring the promise of the single user logon challenge
closer to reality
Directory Enabled Networking makes it possible to implement
new applications and services such as voice/video/data
convergence, virtual private networks, policy-based
networking, service level agreements, usage-based accounting
and billing, IP multicast, etc.
Separation of the Physical from the Logical Network
Figure 2 shows the logical operation of the network, separated
from the physical network illustrated in Figure 1.
Here the applications, including voice and video, are
highlighted. As we have mentioned, the two critical components
that enable the logical features to be mapped onto the
physical are the Policy Server and the Directory Server, shown
on the left of the illustration. The Policy Server contains the
rules by which the enterprise wants the network to run. The
Directory Server contains the mapping information that enables
the mapping from logical, application-oriented characteristics
onto actual physical devices. Note that the interior engines
that serve the network, switches and routers use the directory
for instructions.
Directory Enabled Networking enables the definition and
implementation of complex rules that allow the network to
perform as intended. For example, DEN allocates priorities in
web traffic and prioritizes voice and video. Each organization
has its own unique setting of these priorities, which are
captured in the policy server.
DEN Improves Network Management
In addition to supplying vastly increased flexibility to the
network, Directory Enabled Networking also reduces overall
network management costs to the organization. It does this by:
- Automating configuration management
- Implementing policy-based user support
- Reducing trouble-shooting time
- Simplifying operations
To put this into context, Figure 3 illustrates an estimate
of the time spent by LAN management personnel in executing
various activities. The directory improves the operations of
75% of these functions.

Automating Configuration Management
Automating configuration management dramatically reduces
costs. As the number of entities that need to be managed grows
throughout the enterprise (possibly into the tens of
thousands), the need to make wholesale changes quickly,
cheaply and without error becomes mission critical. Consider,
for example, the problem of upgrading a version of Microsoft
Word™ on 10,000 different PCs. A single click in the browser
of a Directory Enabled Network can make thousands of
appropriate actions execute immediately because of the
knowledge stored in the directory. It provides automatic
support for hundreds of different vendor products, and new
installations can be managed without costly, specialized and
often hard-to-find technical experts.
Directory Enabled Networking can:
- Establish parameters for network operations regardless
of the number of physical devices moved, added or changed
- Quickly and correctly configure router and switch
parameters to guarantee traffic QoS (Quality of Service),
security access policies, or broadcast control
- Enable revision control and verify system and
application configurations
Policy-Based Networking
Directory Enabled Networking can easily implement policy-based
networking. Policies are typically defined in terms of QoS
(Quality of Service) or security parameters. QoS specifies
necessary bandwidth, acceptable latency and the relative
traffic priority as defined by 802.1p, IP ToS etc. Security is
defined in terms of authentication (password control),
authorization (does this entity have the right to access this
resource), X.509 certificates, audits using access control
lists, IEEE SmartCard access and many upcoming techniques such
as retina scanning and fingerprint verification.
Universal Access
Directory Enabled Networking is the repository for the rules
that govern users and their applications, and manages the
mapping of logical needs onto the physical devices available
at that instant. It makes it immaterial how the user
approaches the network. A user can roam around the
organization, use remote modems, even cell phones, and attach
in each case through the same uniform interface. Directory
Enabled Networking can also control multicasting over the
network. It can set up subnets and selectively enable or
disable multicasting. It can enforce access controls for
subnet membership, specify channels on the subnets and protect
sensitive data streams. It can also define who is allowed to
be a sender and who is not. Note that these changes can be
made on the fly, in one place and take place immediately.
Solves Network Problems
Directory Enabled Networking provides significant advantages
in troubleshooting network problems. Difficult issues such as
service degradations and traffic congestion, which occur more
often than actual hardware downtime and affect many more users
on the network, are hard to find and diagnose. The Directory
and the Policy Rules ensure that performance rules are not
violated.
When hard downtime occurs, DEN is a significant aid in
quickly identifying the offending physical component.
Directory-enabled switches can reduce troubleshooting times by
identifying which users, groups or applications are on the
network.
Single Directory Entry
Directory Enabled Networking can make normal business
functions efficient and error-free. For example, there needs
to only be a single record for each employee in the
organization. All applications needing employee information
would use this record. Thus, for example, changing a phone
number is done once, in one spot, and immediately all
applications see the change. All customer records are similarly
rationalized.
Single User Logon
By using several of the above components, a single point of
logon to an enterprise network comes closer to reality.
Directory Enabled Networking facilitates the single user logon
through its use of a directory infrastructure. By using a
single directory entry combined with universal access and
policy-based networking, a user of the network will be able to
log on to the network once, and never need to be challenged
for their identity again. Each application, database, or
resource that the user wants access to will automatically know
this user's access privileges, their QoS parameters, and any
other data pertinent to the application.
An Evolutionary Approach to Enabling Directories
It is useful to examine a process that allows an organization
to deploy a Directory Enabled Network. One standardized
approach is to use the following three steps:
Step 1 Policy and Configuration Storage in the LDAP
Directory
First, the organization must define its internal Service Level
Agreements. These SLAs must then be translated into the
corresponding QoS and Access Control List (ACL) parameters. To
effect this, the Policy Manager needs to add an LDAPv3 client
in order to store policy profiles in the directory. Each of
the network switches must be configured to support the QoS and
ACL parameters. It would be helpful if the DEN platform had an
appropriate easy-to-use GUI to enable the simple definition of
policy parameters. The policies, once entered, are stored as
network objects in a common directory. The Policy Manager then
uses SNMP (Simple Network Management Protocol) to configure
the Policy Rules into the network devices. Details of the
configuration must be stored in the LDAPv3 Directory, and
switches need to be provisioned with an LDAPv3 client and a
DEN-based schema.
Step 2 User-to-Address Mapping and User Mobility
The system management software collects device changes from
the switches using the SNMP protocol. This system manager can
also pipe the system-wide details to third-party management
applications and browsers. It enables a global search of
dynamic network elements and users. User-to-address mapping
allows users to move to different computers or access the
network from different locations. The policy rules of QoS and
security still apply. In simple terms it means that data can
be accessed from any computer in the organization. Appropriate
entries in the Directory Enabled Network, for example, allow
employees to be reached through a single phone number
regardless of the actual phone number or location.
Step 3 NOS Directory Integration via Dynamic LDAP
LDAPv3 clients in switches dynamically query the directory for
the User Schema. This enables automatic and immediate
association of the organization's policy with the individual.
This phase integrates the entire Network Operating System,
providing user authentication, authorization and audit trails.
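The three steps above, as an added worked illustration (this is not code from this guide, from any DEN product, or from the DEN/CIM schema): policy profiles derived from SLAs are kept as directory objects (step 1), a roaming user's attachment point is recorded in the directory (the user-to-address mapping of step 2), and a switch-side client resolves the user's profile references into the QoS (802.1p priority, IP ToS byte) and ACL parameters it should apply (step 3). It also serves the Policy-Based Networking section earlier, where policies are defined in those same QoS and security terms. The "directory" is an in-memory map loaded from constructed LDIF-style text standing in for an LDAPv3 server; the object classes and attribute names (denPolicyProfile, denUser, denPolicyRef and the other den* names), the DNs under o=widget, and the priority, ToS and ACL values are all assumptions. The SNMP push to the devices is not modelled; the example stops at producing the parameters the Policy Manager would push.

```python
"""Policy profiles kept as directory objects and pulled down to switches.

Added illustration; the schema (denPolicyProfile, denUser, den* attributes)
is hypothetical, not the DEN/CIM standard schema.  The directory is an
in-memory map loaded from constructed LDIF-style text, standing in for an
LDAPv3 server.
"""
from dataclasses import dataclass, field

# Constructed sample content: two SLAs expressed as policy profiles, and
# one employee whose entry references both.
SAMPLE_LDIF = """\
dn: cn=voice,ou=policies,o=widget
objectClass: denPolicyProfile
denSlaName: Voice
denMaxLatencyMs: 50
denDot1pPriority: 6
denIpTos: 0xb8
denAclPermit: udp 16384-32767

dn: cn=bulk-web,ou=policies,o=widget
objectClass: denPolicyProfile
denSlaName: Bulk web browsing
denMaxLatencyMs: 2000
denDot1pPriority: 1
denIpTos: 0x00
denAclDeny: tcp 23
denAclPermit: tcp 80
denAclPermit: tcp 443

dn: uid=alice,ou=people,o=widget
objectClass: denUser
denPolicyRef: cn=voice,ou=policies,o=widget
denPolicyRef: cn=bulk-web,ou=policies,o=widget
"""


def parse_ldif(text):
    """Parse the LDIF subset above into {dn: {attribute: [values]}}."""
    directory = {}
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value.strip())
        directory[entry.pop("dn")[0]] = entry
    return directory


@dataclass
class DeviceConfig:
    """What the Policy Manager pushes to a switch for one profile (step 1)."""
    dot1p_priority: int            # 802.1p user priority, 0..7
    ip_tos: int                    # IP ToS byte, 0..255
    acl: list = field(default_factory=list)   # ordered (action, proto, ports)


def profile_to_config(profile):
    """Translate one stored profile into device parameters, validating the
    values first: the directory is a trusted configuration source, so a bad
    or tampered entry would otherwise be pushed straight into the network."""
    prio = int(profile["denDot1pPriority"][0])
    tos = int(profile["denIpTos"][0], 16)
    if not 0 <= prio <= 7:
        raise ValueError(f"802.1p priority out of range: {prio}")
    if not 0 <= tos <= 255:
        raise ValueError(f"IP ToS out of range: {tos:#x}")
    # Explicit denies first, then permits; the device's implicit deny ends the list.
    acl = [("deny",) + tuple(v.split()) for v in profile.get("denAclDeny", [])]
    acl += [("permit",) + tuple(v.split()) for v in profile.get("denAclPermit", [])]
    return DeviceConfig(prio, tos, acl)


def bind_user(directory, uid, switch_dn, port):
    """Step 2: record where a roaming user attached, so the binding is
    searchable system-wide (the user-to-address mapping)."""
    entry = directory[f"uid={uid},ou=people,o=widget"]
    entry["denAttachedSwitch"] = [switch_dn]
    entry["denAttachedPort"] = [str(port)]


def policies_for_user(directory, uid):
    """Step 3: a switch-side LDAP client resolves the user's profile
    references and returns the configs to apply at that port."""
    entry = directory.get(f"uid={uid},ou=people,o=widget")
    if entry is None:
        raise KeyError(f"no directory entry for {uid}")
    configs = []
    for ref in entry.get("denPolicyRef", []):
        if ref not in directory:
            raise KeyError(f"dangling policy reference {ref}")   # fail closed
        configs.append(profile_to_config(directory[ref]))
    return configs


if __name__ == "__main__":
    d = parse_ldif(SAMPLE_LDIF)
    bind_user(d, "alice", "cn=sw-hq-3,ou=switches,o=widget", 17)
    for cfg in policies_for_user(d, "alice"):
        print(cfg)
```

Two checks in this example are worth carrying into a real deployment: profile_to_config validates the priority and ToS values before anything derived from a directory entry reaches a device, and policies_for_user fails closed on a dangling profile reference rather than silently applying no policy at the port.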
What to Look For in a DEN Product
As the organization begins to consider how best to implement a
DEN network, the offering should be evaluated with these
considerations in mind.
Experience in Directories
Because of the relative newness of the DEN concept and its
complexity, a vendor should be experienced and have
significant history in DEN technology. The vendor should
support an open system, multivendor approach. The product
should be scalable and handle replication appropriately. The
evaluator should look at how directory distribution is handled
and what the performance is like.
Directory Software and Management
The software must be LDAPv3 compliant and the management
platform must be capable of supporting the entire
enterprise-wide operation.
Directory-Enabled Hardware
Policies should be administered and enforced in the hardware
devices with automatic feedback of status information to the
directory.
Directory Professional Services Expertise
The vendor should be positioned to assist in cost-justifying
the Directory Enabled Networking proposal and offer
after-service agreements and pre- and post-sales support to
assist in the deployment and provisioning of the network.
Remaining DEN Issues
Some problems still remain to be resolved with DEN.
Directories can be huge and must, of necessity, be distributed
throughout the network. To maintain performance, it may be
necessary to cache data in local servers, which introduces
synchronization problems with other servers. Local changes
must be propagated throughout the network. If two changes
occur at the same time, synchronization problems need to be
resolved.
Another issue is the above-mentioned problem of
replication. In the DEN, the directory itself can fail. The
X.500 solution is to provide replication in which a selected
subset of the original directory is copied onto a physically
remote backup. If the main server fails, the directory can
recover the data from the replica. There may be several
replicas, or the replicas may themselves be replicated. Again,
when a piece of data changes, all of the replicas must be
updated. There will be a delay in the network, called transient
inconsistency, until the data is synchronized. There may be
situations where the inconsistencies could affect overall
network performance.
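The replication and synchronization problems described in the two paragraphs above, as an added illustration that is not code from this guide or from any directory product: two replicas of a directory entry accept local changes at once but ship them to each other only later, so a read in between sees the transient inconsistency; when both replicas change the same attribute before either has seen the other's change, both must still end up holding the same value. The entry DN, the attribute and the phone numbers are constructed. The mechanism is this example's own choice and not the X.500 replication scheme: every change carries a (logical clock, replica name) stamp plus the writer's record of what it had already applied from other replicas, so a receiver can tell a concurrent change from a later one; concurrent changes are resolved by the higher stamp, a total order, and the overwritten value is logged.

```python
"""Replicated directory entries, transient inconsistency and conflicts.

Added illustration of the synchronization problem in the text, not any
directory product's replication protocol.  Each replica stamps every change
with (logical clock, replica name) and ships it to the others later; until
then the replicas disagree (transient inconsistency).  A change also carries
the writer's view of what it had already applied, so a receiver can tell a
concurrent change from a later one.  Concurrent changes to one attribute
are resolved by the highest stamp, a total order, so all replicas converge
on the same value and log the value that lost.
"""
from dataclasses import dataclass, field


@dataclass(order=True, frozen=True)
class Stamp:
    time: int       # logical clock value (constructed, not wall-clock)
    replica: str    # tie-break so every replica picks the same winner


@dataclass
class Replica:
    name: str
    data: dict = field(default_factory=dict)      # (dn, attr) -> (value, Stamp)
    seen: dict = field(default_factory=dict)      # replica -> latest clock applied
    outbox: list = field(default_factory=list)    # changes not yet propagated
    conflicts: list = field(default_factory=list) # (dn, attr, lost, kept)
    clock: int = 0

    def write(self, dn, attr, value):
        """Local change: visible here at once, elsewhere only after propagate()."""
        self.clock += 1
        self.seen[self.name] = self.clock
        stamp = Stamp(self.clock, self.name)
        self.data[(dn, attr)] = (value, stamp)
        self.outbox.append((dn, attr, value, stamp, dict(self.seen)))

    def read(self, dn, attr):
        item = self.data.get((dn, attr))
        return item[0] if item else None

    def receive(self, dn, attr, value, stamp, writer_seen):
        """Apply a change shipped from another replica."""
        self.clock = max(self.clock, stamp.time)
        self.seen[stamp.replica] = max(self.seen.get(stamp.replica, 0), stamp.time)
        current = self.data.get((dn, attr))
        if current is not None:
            cur_value, cur_stamp = current
            # Concurrent iff the writer had not yet applied our current version.
            concurrent = writer_seen.get(cur_stamp.replica, 0) < cur_stamp.time
            if concurrent and cur_value != value:
                if stamp > cur_stamp:
                    self.conflicts.append((dn, attr, cur_value, value))
                else:
                    self.conflicts.append((dn, attr, value, cur_value))
            if stamp <= cur_stamp:
                return      # duplicate delivery, or we already hold the winner
        self.data[(dn, attr)] = (value, stamp)


def propagate(replicas):
    """Deliver every queued change to every other replica; this is the point
    at which the transient inconsistency for those changes ends."""
    pending = [(r, list(r.outbox)) for r in replicas]
    for r in replicas:
        r.outbox.clear()
    for src, changes in pending:
        for change in changes:
            for dst in replicas:
                if dst is not src:
                    dst.receive(*change)


def consistent(replicas, dn, attr):
    """True when every replica returns the same value for the attribute."""
    return len({r.read(dn, attr) for r in replicas}) == 1


if __name__ == "__main__":
    dn = "uid=alice,ou=people,o=widget"      # constructed entry
    hq, branch = Replica("hq"), Replica("branch")
    hq.write(dn, "telephoneNumber", "+1 555 0100")
    print("consistent before sync:", consistent([hq, branch], dn, "telephoneNumber"))
    propagate([hq, branch])
    print("consistent after sync:", consistent([hq, branch], dn, "telephoneNumber"))
    hq.write(dn, "telephoneNumber", "+1 555 0101")      # two changes at the same time
    branch.write(dn, "telephoneNumber", "+1 555 0199")
    propagate([hq, branch])
    print("converged on:", hq.read(dn, "telephoneNumber"), "conflicts:", hq.conflicts)
```

The conflicts list is the part to watch in practice: a highest-stamp-wins rule keeps the replicas converging, but the value that lost is gone unless it is logged and reviewed, and in a directory that feeds QoS and ACL policy into switches an overwritten policy attribute is worth treating as a security event rather than a data-quality footnote.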
How these details will be worked out is still uncertain.
But these open issues will have to be resolved soon. Another
major challenge is agreement on a standard definition for a
complete schema to be used. The DEN/CIM group has begun this
process and it is hoped that final standard definitions will
be available shortly. Both of these groups now fall under the
Distributed Management Task Force (DMTF).
Summary
The benefits of these DEN characteristics appear in two areas:
total cost of ownership is significantly reduced and accuracy
and response time for end-users are increased enterprise
wide. The economic advantages of Directory Enabled Networking
to the enterprise are clear. It is likely the best solution to
deploy in order to cope with the networking challenges of the
21st century. As networks grow and interwork, the size and
complexity of the addressing task grows greater each day. It
seems clear to industry experts that DEN is not simply a
different way to do things, but is fast becoming the only way
to do things on the network.
Choosing a vendor that best fits with the organization is a
difficult but necessary first step in deploying Directory
Enabled Networking. The field is constantly evolving, so
choosing a vendor with a proven track record in the field and
one that has a staged Directory Enabled Networking
implementation approach is mandatory.