Austin Wilson Microsoft Corporation Directory Enabled Networking with Active Directory.

1 Directory Enabled Networking with Active Directory (Austin Wilson, Microsoft Corporation)

2 What is Directory Enabled Networking?
- Policy-based management of network resources and provisioning of services
   Directory is central as it serves to bind information about users, applications and network infrastructure
- It is the comprehensive term that includes all technologies needed to make directory-based control of networks a reality
- Directory enabled networking and policy-based networking are synonymous

3 DEN vs. Directory Enabled Networking
- DEN (the standard) is distinct from directory enabled networking
- Directory enabled networking is more than just DEN
   DEN provides a foundation
   Information model
   Directory schema (LDAP)
   Many implementation issues and other standards for directory-enabled networking are outside the scope of DEN

4 Overview: Vision of Directory Enabled Networking
- Harness the power of directory services for network management and services
   Policy-based networking: simpler quality of service, configuration, and security administration
   Common information model and schema for network elements and services
   Interoperable network services and management solutions

5 Overview: Vision of Directory Enabled Networking [diagram: Management App A, Management App B and Management App C, with interoperability provided via the Directory Service]

6 Overview: Vision of Directory Enabled Networking [diagram: ERP, DB, Firewall, Switch and Server all connected through the Directory Service]

7 Overview: Directory Enabled Networks
- Logical division of labor
   Directory provides point of resource discovery and defines bindings
   Networks provide end-to-end connectivity
- Policy-based network management
   Enables unification of network services and management applications
   Defines and distributes policy and bindings
   Enables personalized network services

8 Standards: DEN Progress Report
- DEN Ad Hoc Working Group formed: Dec 97
- DEN spec finished and submitted to DMTF for further development: Sep 98
- DEN framework is an integral part of Common Information Model (CIM)
- DEN spec incorporated into CIM model in phases
   Physical model integrated in CIM v2.1: Oct 98 (application, device, system and physical)
   Logical model integrated in CIM v2.2: Jun 99 (network and services)
   Policy model: work-in-progress jointly between DMTF/IETF

9 Applications: Directory Enabled Networking at Work
- Physical infrastructure management
   Static configuration of network devices
   Asset tracking
   Device and topology discovery
   Performance and fault management
- Network service management
   Quality of Service (QoS)
   Remote access and VPN
   IP security
   IP address management
   Firewalls

10 QoS (with RSVP and DiffServ) [diagram: NetMeeting clients on an RSVP-enabled campus network, connected across RSVP-enabled differentiated service network(s); a policy server backed by a data store. Client: "May I have Priority, Please". Policy: "Yes, you may have Priority Gold" or "No, you may not have Priority now". Service Level Agreement: PHB = EF; TokenBucket = TB2 (e.g. equivalent to a virtual leased line)]

11 VPN (L2TP/IPSec Voluntary Tunnel) [diagram: Win2000 client across the Internet, L2TP over IPSec to the NAS / Edge Router; RADIUS proxy to the MS IAS Server (Auth/Authz Server), backed by the MS Active Directory Server]

12 Architecture: Policy-based Networking [diagram: Policy Management Console and Policy Decision Points read the Policy Repository (Directory) over LDAP; a Policy Decision Point drives Policy Enforcement Points over COPS, or over SNMP via a Policy Proxy]

13 Architecture Components: Directory
- Directory stores a variety of information
   User data
     Authentication and access rights
     User profiles
   Infrastructure data
     Static/start-up configuration for devices (e.g., routers, switches)
     Server information (e.g., name server)
   Policies
     Conditions, actions, policy rules

14 Architecture Components: Policy Management Console
- Policies express business rules
   Discipline-specific, perhaps even device-specific
   QoS policies, remote access policies, IP security policies, firewall policies, etc.
- Policy console
   Provides an abstraction of rules to create policies
   Used to define and edit policies
   Validates policies
   When appropriate, the policy UI is unified with the UI that manages the entities that are the subjects of the policy (e.g., users, computers, devices)

15 Architecture Components: Policy Decision Point
- PDP generally takes the form of policy servers
   Makes policy selection, gets policy from directory
   Makes policy decisions
   Detects and resolves policy conflicts
   Distributes policy actions based on its decision to enforcement points
     Access/deny
     Traffic shaping parameters for a QoS policy
     Address filters for a firewall policy
   May propagate policies to other servers
   Monitors usage and effectiveness of policy enforcement

16 Architecture Components: Policy Enforcement Point
- Network node in the direct path of traffic flow (router, switch, remote access server, firewall)
- Policy enforcement point
   Requests policy-based decisions
   Optionally caches policy decisions for future use
   Processes traffic per policy decision
   Relays events to policy decision point
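As an added illustration of slides 13 to 16 working together (example code, not from the presentation): a constructed policy repository of conditions and actions, a PDP that selects the matching rule and detects conflicts, and a PEP that requests decisions and caches them. The rule names, request attributes and the "higher priority, then more specific rule wins" tie-break are assumptions made for the example; the Gold action reuses the slide 10 SLA values (PHB = EF, TokenBucket = TB2).

```python
"""Toy three-tier policy flow (constructed example): a policy repository feeds a
Policy Decision Point, and a Policy Enforcement Point asks it for decisions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyRule:
    name: str
    priority: int      # higher value wins when several rules match
    conditions: dict   # request attribute -> required value; all must match
    action: dict       # what the PEP is told to do (permit/deny, QoS parameters)


# Constructed repository contents; a real PDP would read these over LDAP.
REPOSITORY = [
    PolicyRule("default-deny", 0, {}, {"decision": "deny"}),
    PolicyRule("netmeeting-gold", 10, {"app": "NetMeeting", "group": "Execs"},
               {"decision": "permit", "priority": "Gold", "phb": "EF", "token_bucket": "TB2"}),
    PolicyRule("netmeeting-basic", 5, {"app": "NetMeeting"},
               {"decision": "permit", "priority": "Basic"}),
]


class PolicyDecisionPoint:
    """Selects the applicable rule, detects conflicts, and returns an action."""

    def __init__(self, repository):
        self.repository = list(repository)

    def decide(self, request):
        matches = [r for r in self.repository
                   if all(request.get(k) == v for k, v in r.conditions.items())]
        # Conflict resolution: highest priority first, then the more specific rule.
        rank = lambda r: (r.priority, len(r.conditions))
        matches.sort(key=rank, reverse=True)
        if len(matches) > 1 and rank(matches[0]) == rank(matches[1]):
            raise ValueError(f"unresolved conflict: {matches[0].name} vs {matches[1].name}")
        winner = matches[0]                 # default-deny guarantees at least one match
        return dict(winner.action, rule=winner.name)


class PolicyEnforcementPoint:
    """In-path node: asks the PDP, caches the answer, and enforces it on traffic."""

    def __init__(self, pdp):
        self.pdp = pdp
        self.cache = {}
        self.pdp_queries = 0

    def handle(self, request):
        key = tuple(sorted(request.items()))
        if key not in self.cache:           # only query the PDP on a cache miss
            self.pdp_queries += 1
            self.cache[key] = self.pdp.decide(request)
        return self.cache[key]
```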

17 Architecture Variations: Two-tiered Architecture [diagram: a combined Policy Decision Point & Policy Enforcement Point handles packets in and out and reads the Policy Repository (Directory) over LDAP, as does the Policy Management Console]

18 Architecture Variations: Two-tiered Architecture
- Device considerations
   Requires smarter network devices (LDAP enabled)
   Direct LDAP interactions with directory
- Firewall/security
   LDAP typically not allowed across firewall
   Need for encryption on some attributes can force large number of SSL/TLS connections
- Global knowledge
   Lacks global view of network state to make decisions like simultaneous usage control
- Loading
   Increased directory load
   Faster decision making and traffic processing

19 Architecture Variations: Three-tiered Architecture [diagram: Policy Management Console and Policy Server read the Policy Repository (Directory) over LDAP; the Policy Server talks COPS to the Policy Enforcement Point, which handles packets in and out]

20 Architecture Variations: Three-tiered Architecture
- Device considerations
   Network devices can be simple
   Devices can be schema independent
- Firewall/security
   Servers typically in data center, can be secured
   Existing PEP-PDP protocols are "firewall friendly" (DHCP, RADIUS, COPS)
- Global knowledge
   Has global view of network state to make decisions like simultaneous usage control
- Loading
   Lower directory load: fewer servers than devices
   Slower remote decision making

21 Architecture: Additional Considerations
- Policy distribution protocols (SNMP, COPS, RADIUS)
- Support for legacy devices
   Use policy proxy to translate policy actions for legacy devices
- End-host participation
- Dynamic state information
   Need data store for volatile information
- Missing LDAP features
   Change notification
   Multiple-object transactions

22 Active Directory: Data and Policy Store
- Salient features:
   LDAP v3: for interoperability
   Tightly integrated security (Kerberos)
   DNS: backbone, integrated
   Hierarchical namespace
   Multi-master replication and updates
   Dynamically extensible schema
   Global Catalog for efficient search
   Directory synch services
   Scale: millions of objects
   Programming and scripting API (ADSI)

23 Microsoft Active Directory [diagram: Active Directory as the management focal point for users & resources, security, delegation and policy, surrounded by: Windows Users (account info, privileges, profiles, policy); Applications (server config, single sign-on, app-specific directory info, policy); Windows Clients (mgmt profile, network info, policy); Windows Servers (mgmt profile, network info, services, printers, file shares, policy); Network Devices (configuration, QoS policy, security policy); Internet Firewall Services (configuration, security policy, VPN policy); Other Directories (white pages, e-commerce); Other NOS (user registry, security, policy); E-Mail Servers (mailbox info, address book)]

24 Group Policy: Policy Decision Point
- Group Policy
   Extensible policy framework to apply policy to groups of computers/users
   Policies stored in Group Policy Object (GPO) in Active Directory
   GPO can be bound to AD containers: Sites, Domains, OUs
   Inheritance order: S, D, OU
   Scope further filtered by security groups
   APIs for services to invoke policy selection process (GetGPOList)
- Can be used to push device configurations from Active Directory
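The GPO selection described on this slide, as an added example that is not from the presentation: a toy GetGPOList-style resolver that walks the Site, Domain and OU links in S, D, OU order, skips GPOs whose security-group filter the object does not satisfy, and merges the settings so the nearest OU wins. The DNs, GPO names, settings and the link table are constructed for the example; real clients read the links from the gPLink attribute of the site, domain and OU objects rather than from an inline table.

```python
"""Toy Group Policy selection (constructed example, modelled on GetGPOList):
walk the Site, Domain and OU links in S, D, OU order and filter by group."""
from dataclasses import dataclass


@dataclass(frozen=True)
class GPO:
    name: str
    settings: dict                            # setting -> value
    apply_groups: frozenset = frozenset()     # empty means "applies to everyone"


# Constructed link table: container -> GPOs linked there (AD keeps these in the
# gPLink attribute of the site, domain and OU objects; here they are inline).
GPO_LINKS = {
    "site:Redmond": [GPO("Site-QoS", {"qos_priority": "Silver"})],
    "DC=corp,DC=example": [GPO("Domain-Baseline", {"ipsec": "request", "qos_priority": "Bronze"})],
    "OU=Routers,DC=corp,DC=example": [GPO("Router-Config", {"snmp_ro": "enabled"})],
    "OU=Edge,OU=Routers,DC=corp,DC=example": [
        GPO("Edge-QoS", {"qos_priority": "Gold"}, frozenset({"Edge-Routers"}))],
}


def containers_for(dn):
    """Return the domain followed by the object's OU chain from the top down."""
    parts = dn.split(",")
    domain_idx = next(i for i, p in enumerate(parts) if p.startswith("DC="))
    domain = ",".join(parts[domain_idx:])
    ous = [",".join(parts[i:]) for i in range(1, domain_idx)]   # leaf-most OU first
    return [domain] + list(reversed(ous))


def get_gpo_list(dn, site, groups):
    """Ordered GPO list for the object: Site, then Domain, then each OU top-down.
    GPOs filtered by security group are skipped unless the object is a member."""
    applied = []
    for scope in ["site:" + site] + containers_for(dn):
        for gpo in GPO_LINKS.get(scope, []):
            if gpo.apply_groups and not (gpo.apply_groups & groups):
                continue
            applied.append(gpo)
    return applied


def resultant_settings(dn, site, groups):
    """Merge settings in list order, so a closer OU overrides domain and site."""
    result = {}
    for gpo in get_gpo_list(dn, site, groups):
        result.update(gpo.settings)
    return result
```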

25 Policy Enforcement Point
- Alternatives
   Host network gear on Windows 2000 when possible to take advantage of full platform functionality
     PBX devices, VoIP gateway/gatekeeper
   Use embedded Windows 2000 as control OS on devices if possible
   Implement secure LDAP client in device OS starting from Open Source version

26 Summary
- DEN specification from the DMTF is not yet final; standards are a lengthy and laborious process
- Active Directory services are available and can be leveraged for addressing network management needs today
- Compelling value proposition for end-customers: manageability and reduced TCO of network infrastructures
- Enterprises are planning for deployment of directory-enabled networks. Integrate with Active Directory services now!
