Post on 18-Dec-2015
Austin Wilson
Microsoft Corporation
Directory Enabled Networking with Active Directory
What is Directory Enabled Networking?
• Policy-based management of network resources and provisioning of services
• Directory is central as it serves to bind information about users, applications and network infrastructure
• It is the comprehensive term that includes all technologies needed to make directory-based control of networks a reality
• Directory enabled networking and policy-based networking are synonymous
DEN vs. Directory Enabled Networking
• DEN (the standard) is distinct from directory enabled networking
• Directory enabled networking is more than just DEN; DEN provides a foundation:
  • Information model
  • Directory schema (LDAP)
• Many implementation issues and other standards for directory-enabled networking are outside the scope of DEN
Overview: Vision of Directory Enabled Networking
• Harness the power of directory services for network management and services
• Policy-based networking: simpler quality of service, configuration, and security administration
• Common information model and schema for network elements and services
• Interoperable network services and management solutions
Overview: Vision of Directory Enabled Networking
[Diagram: Management App A, Management App B and Management App C each connect to the Directory Service; interoperability is provided via the Directory Service]
Overview: Vision of Directory Enabled Networking
[Diagram: ERP DB, Firewall, Switch and Server all bound through the Directory Service]
Overview: Directory Enabled Networks
• Logical division of labor
  • Directory provides point of resource discovery and defines bindings
  • Networks provide end-to-end connectivity
• Policy-based network management
  • Enables unification of network services and management applications
  • Defines and distributes policy and bindings
  • Enables personalized network services
Standards: DEN Progress Report
• DEN Ad Hoc Working Group formed: Dec 97
• DEN spec finished and submitted to DMTF for further development: Sep 98
• DEN framework is an integral part of Common Information Model (CIM)
• DEN spec incorporated into CIM model in phases:
  • Physical model integrated in CIM v2.1: Oct 98 (application, device, system and physical)
  • Logical model integrated in CIM v2.2: Jun 99 (network and services)
  • Policy model: work-in-progress jointly between DMTF/IETF
Applications: Dir Enabled Networking at Work
• Physical infrastructure management
  • Static configuration of network devices
  • Asset tracking
  • Device and topology discovery
  • Performance and fault management
• Network service management
  • Quality of Service (QoS)
  • Remote access and VPN
  • IP security
  • IP address management
  • Firewalls
QoS (with RSVP and DiffServ)
[Diagram: two RSVP-enabled campus networks joined by Differentiated Service network(s), with a Policy server answering the client's request]
• Client: “May I have Priority, Please”
• Policy: “Yes, you may have Priority Gold” or “No, you may not have Priority now”
• Service Level Agreement: PHB = EF; TokenBucket = TB2 (e.g. equiv to virtual leased line)
VPN (L2TP/IPSec Voluntary Tunnel)
[Diagram: NetMeeting Clients reach an Edge Router/NAS across the Internet over an L2TP/IPSec tunnel; the NAS authenticates via a Radius proxy to an MS IAS Server (Auth/Authz Server), which uses an MS Active Directory Server as its Data Store, all on Win2000]
Architecture: Policy-based Networking
[Diagram: Policy Management Console, Policy Repository in the Directory, Policy Decision Points, Policy Enforcement Points and a Policy Proxy; the console and decision points reach the repository over LDAP, decision points reach enforcement points over COPS, and the Policy Proxy reaches devices over SNMP]
Architecture Components: Directory
• Directory stores a variety of information
  • User data: authentication and access rights; user profiles
  • Infrastructure data: static/start-up configuration for devices (e.g., routers, switches); server information (e.g., name server)
  • Policies: conditions, actions, policy rules
Architecture Components: Policy Management Console
• Policies express business rules
  • Discipline-specific, perhaps even device-specific
  • QoS policies, remote access policies, IP security policies, firewall policies, etc.
• Policy console
  • Provides an abstraction of rules to create policies
  • Used to define and edit policies
  • Validates policies
  • When appropriate, the policy UI is unified with the UI that manages the entities that are the subjects of the policy (e.g., users, computers, devices)
Architecture Components: Policy Decision Point
• PDP generally takes the form of policy servers
  • Makes policy selection, gets policy from directory
  • Makes policy decisions
  • Detects and resolves policy conflicts
  • Distributes policy actions based on its decision to enforcement points: access/deny; traffic shaping parameters for a QoS policy; address filters for a firewall policy
  • May propagate policies to other servers
  • Monitors usage and effectiveness of policy enforcement
Architecture Components: Policy Enforcement Point
• Network node in the direct path of traffic flow (router, switch, remote access server, firewall)
• Policy enforcement point
  • Requests policy-based decisions
  • Optionally caches policy decisions for future use
  • Processes traffic per policy decision
  • Relays events to policy decision point
Architecture VariationsArchitecture VariationsTwo-tiered ArchitectureTwo-tiered Architecture
Policy Decision Point &Policy Enforcement Point
PolicyManagement
Console
PolicyRepository
Packets in Packets out
LDAP
LDAPDirectory
Architecture Variations: Two-tiered Architecture
• Device considerations
  • Requires smarter network devices (LDAP enabled)
  • Direct LDAP interactions with directory
• Firewall/security
  • LDAP typically not allowed across firewall
  • Need for encryption on some attributes can force large number of SSL/TLS connections
• Global knowledge
  • Lacks global view of network state to make decisions like simultaneous usage control
• Loading
  • Increased directory load
  • Faster decision making and traffic processing
Architecture VariationsArchitecture VariationsThree-tiered ArchitectureThree-tiered Architecture
Policy Enforcement Point
PolicyManagement
Console
PolicyServer
PolicyRepository
Packets in Packets out
LDAP
COPS
LDAPDirectory
Architecture Variations: Three-tiered Architecture
• Device considerations
  • Network devices can be simple
  • Devices can be schema independent
• Firewall/security
  • Servers typically in data center, can be secured
  • Existing PEP-PDP protocols are “firewall friendly” (DHCP, RADIUS, COPS)
• Global knowledge
  • Has global view of network state to make decisions like simultaneous usage control
• Loading
  • Lower directory load – fewer servers than devices
  • Slower remoted decision making
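The PEP/PDP split and the "global knowledge" point above, as an added example that is not from the deck or from Microsoft: a small Python model of the three-tiered architecture in which several PEPs ask one PDP for decisions, the PDP selects the rule from an in-memory stand-in for the LDAP policy repository, enforces a simultaneous-usage limit across all PEPs, and receives session-end events relayed by the PEPs. All users, rules and PEP names are constructed; the COPS/RADIUS transport is abstracted to method calls.

```python
# Added example (not from the deck): three-tiered policy-based networking.
# The PDP has the global view: it counts a user's sessions across every PEP,
# which a two-tiered design (decision made inside each device) cannot do.
POLICY_REPOSITORY = {
    # user -> rule: condition (max_sessions) and action, as the Directory slide lists
    "alice": {"max_sessions": 1, "action": {"access": "permit", "qos": "Gold"}},
    "bob":   {"max_sessions": 2, "action": {"access": "permit", "qos": "Bronze"}},
}
DENY = {"access": "deny"}


class PolicyDecisionPoint:
    def __init__(self, repository):
        self.repository = repository
        self.sessions = {}          # (pep, user) -> open sessions reported by that PEP

    def decide(self, pep, user):
        """Policy selection + decision: look up the rule, check global usage."""
        rule = self.repository.get(user)
        if rule is None:
            return DENY             # no rule in the repository: default deny
        active = sum(n for (_, u), n in self.sessions.items() if u == user)
        if active >= rule["max_sessions"]:
            return DENY             # limit reached counting sessions on all PEPs
        self.sessions[(pep, user)] = self.sessions.get((pep, user), 0) + 1
        return dict(rule["action"])

    def report_event(self, pep, user, event):
        """PEPs relay events to the PDP; a session-end frees one slot."""
        if event == "session-end" and self.sessions.get((pep, user)):
            self.sessions[(pep, user)] -= 1


class PolicyEnforcementPoint:
    def __init__(self, name, pdp):
        self.name, self.pdp = name, pdp
        self.flows = {}             # user -> action applied to that user's traffic

    def session_start(self, user):
        """Request a decision from the PDP and process traffic accordingly."""
        action = self.pdp.decide(self.name, user)
        if action["access"] == "permit":
            self.flows[user] = action
        return action["access"]

    def session_end(self, user):
        if self.flows.pop(user, None) is not None:
            self.pdp.report_event(self.name, user, "session-end")
```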
Architecture: Additional Considerations
• Policy distribution protocols (SNMP, COPS, RADIUS)
• Support for legacy devices
  • Use policy proxy to translate policy actions for legacy devices
• End-host participation
• Dynamic state information
  • Need data store for volatile information
• Missing LDAP features
  • Change notification
  • Multiple-object transactions
Active Directory: Data and Policy Store
• Salient features:
  • LDAP v3: for interoperability
  • Tightly integrated security (Kerberos)
  • DNS: backbone, integrated
  • Hierarchical namespace
  • Multi-master replication and updates
  • Dynamically extensible schema
  • Global Catalog for efficient search
  • Directory synch services
  • Scale: millions of objects
  • Programming and scripting API (ADSI)
Microsoft Active Directory
[Diagram: Active Directory at the center, connected to the entities below and to the Internet]
• Management Focal Point For: Users & resources; Security; Delegation; Policy
• Windows Users: Account info; Privileges; Profiles; Policy
• Applications: Server config; Single Sign-On; App-specific directory info; Policy
• Windows Clients: Mgmt profile; Network info; Policy
• Windows Servers: Mgmt profile; Network info; Services; Printers; File shares; Policy
• Network Devices: Configuration; QoS policy; Security policy
• Firewall Services: Configuration; Security Policy; VPN policy
• Other Directories: White pages; E-Commerce
• Other NOS: User registry; Security; Policy
• E-Mail Servers: Mailbox info; Address book
Group Policy: Policy Decision Point
• Group Policy
  • Extensible policy framework to apply policy to groups of computers/users
  • Policies stored in Group Policy Object (GPO) in Active Directory
  • GPO can be bound to AD containers: Sites, Domains, OUs
  • Inheritance order: S, D, OU
  • Scope further filtered by security groups
  • APIs for services to invoke policy selection process (GetGPOList)
• Can be used to push device configurations from Active Directory
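The GPO selection rules on this slide (links to Sites, Domains and OUs, S, D, OU inheritance order, security-group filtering), as an added example that is not from the deck and not the real GetGPOList API: a Python model that returns the ordered GPO list for a principal and merges it into a resultant policy, with later (OU-linked) GPOs overriding earlier ones. The containers, GPO names, groups and settings are constructed sample data.

```python
# Added example (not from the deck): a model of Group Policy selection.
# GPOs are applied in the order Site, Domain, OU (parent OU before child OU),
# so a setting in a later GPO overrides the same setting in an earlier one.
# A GPO with a security-group filter applies only to members of those groups.
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                                    # setting name -> value
    allowed_groups: set = field(default_factory=set)  # empty set = no group filter


# Constructed stand-in for the GPO links held in Active Directory.
LINKS = {
    "site:HQ":                 [GPO("HQ-QoS", {"qos_class": "Bronze"})],
    "domain:corp.example":     [GPO("Corp-Baseline", {"ipsec": "required", "qos_class": "Silver"})],
    "ou:Engineering":          [GPO("Eng-QoS", {"qos_class": "Gold"}, {"Video-Users"})],
    "ou:Engineering/Research": [GPO("Research-VPN", {"vpn": "L2TP/IPSec"})],
}


def gpo_list(site, domain, ou_path, groups):
    """Return the GPOs that apply, in application order: Site, Domain, OUs."""
    containers = [f"site:{site}", f"domain:{domain}"]
    parts = ou_path.split("/") if ou_path else []
    for i in range(1, len(parts) + 1):            # parent OU first, child OU last
        containers.append("ou:" + "/".join(parts[:i]))
    selected = []
    for container in containers:
        for gpo in LINKS.get(container, []):
            if not gpo.allowed_groups or gpo.allowed_groups & set(groups):
                selected.append(gpo)              # passes the security-group filter
    return selected


def resultant_policy(site, domain, ou_path, groups):
    """Merge the selected GPOs; a later GPO's settings win on conflict."""
    result = {}
    for gpo in gpo_list(site, domain, ou_path, groups):
        result.update(gpo.settings)
    return result
```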
Policy Enforcement Point
• Alternatives
  • Host network gear on Windows 2000 when possible to take advantage of full platform functionality: PBX devices, VoIP gateway/gatekeeper
  • Use embedded Windows 2000 as control OS on devices if possible
  • Implement secure LDAP client in device OS starting from Open Source version
Summary
• DEN specification from the DMTF is not yet final – standards are a lengthy and laborious process
• Active Directory services are available and can be leveraged for addressing network management needs today
• Compelling value proposition for end-customers – manageability and reduced TCO of network infrastructures
• Enterprises are planning for deployment of directory-enabled networks. Integrate with Active Directory services now!