IT Performance Improvement
Networking and Telecommunications
Policy-Based Network Management
A policy is a combination of rules and services, where the rules define the criteria for resource access and usage. Formally, a policy is an aggregation of policy rules. Each policy rule is composed of a set of conditions and a corresponding set of actions. The conditions define when the policy rule is applicable; once a rule is activated, one or more of the actions it contains may be executed. Each action is associated either with meeting or with not meeting the set of conditions specified in the rule.
Policy-based systems have become a promising solution for implementing many forms of large-scale, adaptive systems that dynamically change their behavior in response to changes in the environment or to changing application requirements. This can be achieved by modifying the policy rules interpreted by distributed entities, without recoding or stopping the system. Such dynamic adaptability is fundamentally important in the management of increasingly complex computing systems.
Policy-based management (PBM) is a management paradigm that separates the rules governing the behavior of a system from its functionality. It promises to reduce maintenance costs of information and communication systems while improving flexibility and runtime adaptability. It is today present at the heart of a multitude of management architectures and paradigms, including SLA-driven, business-driven, autonomous, adaptive, and self-* management.
Policy-based technology can ease the burden of managing large computer systems: it frees the manager from monitoring equipment and systems directly and supplies a systematic method for establishing, revising, and distributing policies. A policy is a criterion that determines the choice of actions in an individual system. The criterion is long-lasting, declarative, and derived from the goals of management.
As a result, policy-based management has the following merits:
- When system requirements change, it is only necessary to change or add policies instead of re-coding.
- Resources are used to best effect, because they can be distributed flexibly according to dynamic information and the different requirements of the various service types.
- Different users can be governed by different policies, which is convenient for users and at the same time makes the system more extensible and more maintainable.
- The system becomes less dependent on the system manager and behaves more intelligently.
Many researchers and organizations have joined in research on policy frameworks and their implementation and have begun to apply them to the management of wired and wireless networks. Policy-based management is, however, still immature and needs further improvement.
4.1.2 Policy-Based Management Architecture
Several working groups in the IETF and the DMTF (Distributed Management Task Force) have tried to define a standard policy framework and related protocols. In Figure 4.2, LDAP denotes Lightweight Directory Access Protocol, COPS denotes Common Open Policy Service, and CLI denotes Command Line Interface. The framework includes the following components:
Figure 4-2. The IETF Policy-Based Management Architecture
Policy Management Tool is the server or host running the policy management software, which performs
- policy editing
- policy presentation
- rule translation
- rule validation
- global conflict resolution
Policy Information Repository is a data store for policy information. This data store may be application specific, operating system specific, or an enterprise common repository. For the purpose of this report, the policy information repository is a PBM application specific directory service. The policy information repository can
- store, search and retrieve policy information
- locate rules
- adapt rules to devices (device adapter)
- validate state resources (requirements checking)
- translate policy rules
- transform policies
Policy Decision Point (PDP) is the component that retrieves policy rules from the repository, evaluates their conditions against the current state of the network, and sends the resulting decisions to the enforcement points (for example over COPS).
Policy Enforcement Point (PEP) is a network device, such as a router, switch, firewall or host, that enforces the policies received from the PDP. The policies are enforced (through dynamic configuration changes to access control lists, priority queues or other parameters) as directed by the policy decision point. A PEP can
- carry out the operation specified by a policy rule
- optionally validate policy rules
In most implementations of the framework, the Policy Server (Tools), Policy Repository, and PDP are collocated and may potentially be hosted within the same physical device.
Advantages of policy-based management include:
- providing better-than-best-effort service to certain users
- simplifying device, network, and service management
- requiring fewer engineers to configure the network
- defining the behavior of a network or distributed system
- managing the increasing complexity of programming devices
- using business requirements and procedures to drive the configuration of the network
4.1.3 Policy-Based Network Management
Policy-Based Network Management is network management carried out on the basis of policy. Large-scale networks can now contain millions of components and potentially cross organizational boundaries. Components fail, and other components must adapt to mask these failures. New applications, services, and resources are added to or removed from the system dynamically, imposing new requirements on the underlying infrastructure. Users are increasingly mobile, switching between wireless and fixed communication links. To prevent operators from drowning in excessive detail, the level of abstraction needs to be raised in order to hide system and network specifics. Policies derived from the goals of management define the desired behavior of distributed heterogeneous systems and networks and specify the means to enforce this behavior.
Policy provides a means of specifying and dynamically changing management strategy without coding the policy into the implementation. Policy-based management offers many benefits in delivering consistent, correct, and understandable network systems, and these benefits will grow as network systems become more complex and offer more services (such as security services and QoS).
Policy-Based Network Management (PBNM) provides a means by which the administration process can be simplified and largely automated. Strassner defined policy-based network management (PBNM) as a way to define business needs and ensure that the network provides the required services. In traditional network management approaches, such as SNMP-based systems, the use of the network management system has been limited primarily to monitoring the status of the network. In PBNM, the information model and the policy expressions can be made independent of the network management protocols that carry them.
The task of managing information technology resources becomes increasingly complex as managers must take heterogeneous systems, different networking technologies, and distributed applications into consideration. As the number of resources to be managed grows, the task of managing these devices and applications becomes entangled with numerous system-specific and vendor-specific issues.
Policy-based network management started in the early 1990s. Although the idea of policies appeared even earlier, they were used primarily as a representation of information in a specific area of network management: security management. The idea of policy comes quite naturally to any large management structure.
In policy-based network management, policies are defined as the rules that govern the states and behaviors of a network. The management system is tasked with:
- the transformation of human-readable specifications of management goals to machine-readable and verifiable rules governing the function and status of a network,
- the translation of such rules to mechanical and device-dependent configurations, and
- the distribution and enforcement of these configurations by management entities.
The most significant benefit of policy-based network management is that it promotes the automation of establishing management-level objectives over a wide range of systems and devices. The system administrator interacts with the network by providing high-level abstract policies. Such policies are device-independent and are stated in a human-friendly manner.
Policy-based network management can adapt rapidly to changes in management requirements via run-time reconfiguration, rather than by engineering new object modules for deployment. The introduction of new policies does not invalidate the correct operation of a network, provided the newly introduced policies do not conflict with existing policies; detecting such conflicts before deployment is therefore part of the management tool's job. In comparison, a newly engineered object module must be tested thoroughly in order to obtain the same assurance.
For large networks with frequent changes in operational directives, policy-based network management offers an attractive solution, which can dynamically translate and update high-level business objectives into executable network configurations. However, one of the key weaknesses of policy-based network management lies in its functional rigidity. Once a policy-based network management system has been developed and deployed, its service primitives are fixed. By altering management policies and modifying constraints we have a certain degree of flexibility in coping with changing management directives, but we cannot modify or add new management services to a running system, unlike with mobile code or software agents.
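The following is an added example, not code from the original chapter or from any of the frameworks it cites. It puts the pieces described above into one runnable Python module: policy rules as condition/action pairs, the management tool's global conflict resolution (two overlapping, contradictory rules of equal priority are refused before deployment, the failure mode the previous paragraph warns about), a PDP decision for a single flow, and a device adapter that translates accepted rules into router-style ACL lines for a PEP. Every rule name, subnet and the ACL syntax are illustrative assumptions; a real deployment needs one adapter per device class and a proper QoS adapter for the marking rules, which this example deliberately leaves out of the ACL.

```python
"""Added example (not from the original chapter): a minimal policy core.
Rules are condition/action pairs; find_conflicts() is the management
tool's global conflict resolution; decide() is the PDP; to_acl() is a
device adapter producing extended-ACL style lines for a PEP.
Names, subnets and ACL syntax below are illustrative assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Condition:
    """When a rule applies.  None for proto/dport means 'any'."""
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, src: IPv4Address, dst: IPv4Address,
                proto: str, dport: int) -> bool:
        return (src in self.src and dst in self.dst
                and self.proto in (None, proto)
                and self.dport in (None, dport))

    def overlaps(self, other: "Condition") -> bool:
        """True if some flow could satisfy both conditions."""
        return (self.src.overlaps(other.src) and self.dst.overlaps(other.dst)
                and (None in (self.proto, other.proto) or self.proto == other.proto)
                and (None in (self.dport, other.dport) or self.dport == other.dport))


@dataclass(frozen=True)
class PolicyRule:
    name: str
    cond: Condition
    action: str        # "permit", "deny" or "dscp:<value>"
    priority: int = 0  # higher wins when several rules match


ACCESS_ACTIONS = {"permit", "deny"}


def actions_contradict(x: str, y: str) -> bool:
    """permit/deny contradict; two different DSCP markings contradict;
    an access verdict and a marking can both apply to one flow."""
    if x == y:
        return False
    if x in ACCESS_ACTIONS and y in ACCESS_ACTIONS:
        return True
    return x.startswith("dscp:") and y.startswith("dscp:")


def find_conflicts(rules: List[PolicyRule]) -> List[Tuple[str, str]]:
    """Global conflict resolution: pairs that overlap, contradict and share
    a priority cannot be ordered by the PDP, so deployment must refuse them."""
    found = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if (a.priority == b.priority and a.cond.overlaps(b.cond)
                    and actions_contradict(a.action, b.action)):
                found.append((a.name, b.name))
    return found


def decide(rules: List[PolicyRule], src: str, dst: str,
           proto: str, dport: int) -> Tuple[str, Optional[str]]:
    """PDP decision for one flow: the highest-priority matching access rule
    gives the verdict (default deny); the highest-priority matching marking
    rule gives the DSCP value (default None)."""
    s, d = ip_address(src), ip_address(dst)
    hits = [r for r in rules if r.cond.matches(s, d, proto, dport)]
    access = [r for r in hits if r.action in ACCESS_ACTIONS]
    marks = [r for r in hits if r.action.startswith("dscp:")]
    verdict = max(access, key=lambda r: r.priority).action if access else "deny"
    dscp = max(marks, key=lambda r: r.priority).action[len("dscp:"):] if marks else None
    return verdict, dscp


def to_acl(rules: List[PolicyRule]) -> List[str]:
    """Device adapter: render access rules as extended-ACL style lines
    (assumed syntax) in priority order, ending with an explicit default
    deny.  DSCP rules belong to a separate QoS adapter and are skipped."""
    lines = []
    for r in sorted(rules, key=lambda r: -r.priority):
        if r.action not in ACCESS_ACTIONS:
            continue
        c = r.cond
        port = f" eq {c.dport}" if c.dport is not None else ""
        lines.append(f"remark {r.name}")
        lines.append(f"{r.action} {c.proto or 'ip'} "
                     f"{c.src.with_hostmask.replace('/', ' ')} "
                     f"{c.dst.with_hostmask.replace('/', ' ')}{port}")
    lines.append("deny ip any any")
    return lines


# Constructed sample policy (assumed addresses): finance may reach the ERP
# host over HTTPS, all other traffic to ERP is denied, voice is marked EF.
FINANCE, ERP = ip_network("10.10.0.0/24"), ip_network("10.20.0.5/32")
VOICE, ANY = ip_network("10.30.0.0/24"), ip_network("0.0.0.0/0")
POLICY = [
    PolicyRule("finance-to-erp", Condition(FINANCE, ERP, "tcp", 443), "permit", 10),
    PolicyRule("erp-default-deny", Condition(ANY, ERP), "deny", 0),
    PolicyRule("voice-ef", Condition(VOICE, ANY, "udp"), "dscp:ef", 5),
]
# A proposed rule at the same priority that contradicts finance-to-erp.
BAD_RULE = PolicyRule("block-finance", Condition(FINANCE, ANY, "tcp"), "deny", 10)

if __name__ == "__main__":
    print(find_conflicts(POLICY), find_conflicts(POLICY + [BAD_RULE]))
    print(decide(POLICY, "10.10.0.7", "10.20.0.5", "tcp", 443))
    print("\n".join(to_acl(POLICY)))
```

Note the design choice in find_conflicts(): overlapping rules with different priorities are not conflicts, because the PDP can order them deterministically (the finance permit at priority 10 overrides the catch-all ERP deny at priority 0). Only an equal-priority contradiction, such as BAD_RULE against finance-to-erp, is refused, which is exactly the condition under which the text says a newly introduced policy could invalidate correct operation.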
In detail, the essential characteristics of a PBNM system include:
- Management and provisioning of other services
  - Support extensions through interfaces
- Configure QoS
  - Ensure bandwidth
  - Control bandwidth
  - Provide application performance analysis
- Control access
  - Configure usage (authentication or encryption)
  - Define QoS treatment of encrypted flows (combining security and QoS policies)
- Manage QoS in multi-domain networks
  - Enable end-to-end QoS management
  - Configure security services with gateways from different domains on each side
  - Support hierarchical policy management
  - Enable policy management across multiple policy domains
- Standards based
  - Support key standards (IETF, ISO, DiffServ, IPsec, etc.) as they are accepted
  - Integrate with existing management solutions
- Hide the detail and present useful concepts and interfaces
PBNM can be used in dealing with complex network management tasks. Figure 4.3 illustrates a PBNM automated network device configuration/change management capability in an integrated environment.
Figure 4-3. PBNM Automated Configuration/Change Management in an Integrated Environment