Cover story: Taming the network

The good thing about today's distributed networks is that IT managers can add horsepower incrementally, as much as their companies require. Unfortunately, these networks are harder to control than ever.

Despite rapidly advancing technologies, supervising networking devices, users, and security remains a manual, repetitive task -- one that costs organisations dearly in time and money.

It is no surprise then that nearly everyone in networking is talking about policy-based management, a mechanism for prioritising networking resources, such as bandwidth, based on individual users or applications.

For example, IT managers may reserve a percentage of overall bandwidth for a videoconferencing application or give users of an IP telephony application the highest-priority access to the WAN. Policy-based management promises to cut costs by optimising network usage and automating painstaking management chores.

It also promises to add value by providing a method for adding services that tie business practices to technology policies.

Many users and industry experts expect the ongoing convergence of directories, networking hardware, and network management software eventually to lead to a policy-based networking nirvana.

But for now, controversy rages about how to manage network-usage policies.

Networking vendors are pushing standards, but others say those standards are immature or too unrealistic to be relied upon.

Meanwhile, some IT managers are not waiting for vendors to give them the reins but are charging ahead with their own incremental solutions to enable the creation of network-usage policies.

Central to the goal of gaining control over the network and its management costs are directories such as Novell Directory Services (NDS), Netscape's Directory Server, and Microsoft's forthcoming Active Directory.

Managers are looking to policy-based management to define and automate who can use the network and applications, when they can be used, and how much bandwidth can be used with them.

To enforce these policies, devices and applications must tap directories for user information.

Likewise, directories must contain information on devices, such as router configuration.

This requirement for information sharing is driving network hardware and directory software vendors to integrate their products.

For instance, Novell struck deals with Cisco, Nortel, Lucent, and Cabletron to ensure that NDS can help administer networking policies in routers and switches. In the second quarter of this year, Novell plans to ship an upgraded NDS that lets network managers allocate bandwidth in Lucent and Nortel equipment via the directory's interface.

But new products are not the whole story. Observers say that before IT managers dive into the world of policies, they must first tame the chaotic mess of directories on their networks.

That often means standardising on one vendor's directory software in the hopes of centralising numerous distributed operations.

"The challenge is to get companies to build corporate directories," says Richard Villars, an analyst at International Data Corp.

"This is a step that has nothing to do with technology, and it's a big one."

Others doubt that users will clean up their directory acts any time soon.

A recent report by Forrester Research warns that despite talking about building corporate directories for years, few organisations have done it. Rather than relying on a corporate directory to enforce elaborate policies, Forrester recommends keeping policies few and simple: sort users and policies into broad classes, and enforce them with the capabilities already present in a simplified network architecture.

Other thought leaders are pushing for ways to unify disparate directories other than standardising on one network-wide directory.

Metadirectories, for example, aim to provide an overarching framework that sits on top of the network's existing directories, which are not otherwise interoperable. The result is a central repository for policy information.

Yet others see the emergence of new standards as the glue to policy networks, particularly the Directory Enabled Networks (DEN) and Lightweight Directory Access Protocol (LDAP) initiatives.

The former defines a policy schema: a standard way of representing policies in a directory so that management tools from different vendors can read and act on them.

The latter, an Internet Engineering Task Force (IETF) standard, is a common protocol for querying and updating directories, so that applications and devices can read information from otherwise proprietary directories without vendor-specific code.

One or both show promise for creating the directory foundation needed to implement network policies, users say.

"We're very critically looking at policy management," says Don Johnson, network operations manager at the New Jersey Department of Human Services. "But there needs to be more of a standards-based approach."

Specifically, the department would like to apply quality-of-service policies to wide-area network access. End users who deal with other agencies via the department's extranet, for example, would be given greater priority than those surfing the Web in "noncritical" mode, Johnson explains.

"We have limited bandwidth on our WAN, and we need to conserve that," Johnson says. "We can't just throw money at problems."

But until vendors settle on common schema and ensure interoperability between networking hardware and directories, Johnson says he is reluctant to forge ahead.

That interoperability is the goal of standards such as DEN. Officials at Cisco, the company that proposed the original standard along with Microsoft about two years ago, claim that the process is well under way.

The two companies recently passed DEN off to the Desktop Management Task Force, a neutral standards body, and included a baseline mechanism for defining quality-of-service levels, extensions for vendor-specific devices, and policies, says Joe Hielscher, director of marketing at CiscoAssure Policy Networking, in California.

But the quality-of-service standard still could be a showstopper. Although it backs DEN and remains an active participant in the standards work, Novell will jointly propose a competing DEN quality-of-service standard with Lucent and Nortel, says Michael Simpson, director of strategic market planning at Novell.

These power struggles leave Forrester highly sceptical of DEN as a panacea: agreeing on a common schema could take vendors a long time, if they ever manage it at all.

While organisations await useful standards, other experts advise that hardware-related policy problems such as quality of service can be solved more economically by overprovisioning bandwidth and networking devices.

Setting quality-of-service policies at the LAN/WAN boundary where monthly carrier expenses are significant makes sense to preserve application performance, according to Bruce Robertson, vice president of adaptive infrastructure strategies at the consulting company Meta Group.

On the other hand, he says, adding bandwidth, and the hardware that goes with it, is the more cost-effective option on the local campus network.

"Today, most organisations implement a simple QOS [quality-of-service] policy in a targeted, specific, simple way -- like 'Keep these two applications ahead of everything else'," Robertson says.

"More complex policy will wait for some time to become realistic."

Indeed, that is the case at Incyte Pharmaceuticals, a California-based company that provides DNA and gene research to drug companies.

The company manually set policies on devices that carry its video streaming application, while other issues with bandwidth allocation have been tackled with raw horsepower -- 2Gbit/sec to 4Gbit/sec on backbone switches between the company's buildings.

"We'll start implementing QOS when we see that backbone get overrun," says Phil Kwan, manager of network operations and planning at Incyte.

Meanwhile, other IT managers are grappling with more basic network policies, such as authentication and access controls.

Instead of relying on standards or vendor-specific product integration, Clemson University, in South Carolina, decided to develop its own software for instituting a single user identification number and password for all servers and applications, regardless of platform.

Students had to use the mainframe to register for courses each semester and could rarely remember their passwords, causing an inordinate amount of time and resources to be spent on retrieving the information, says Dave Bullard, a research associate in Clemson's IT department.

However, students checked their e-mail at least once a day and could always remember that password, so the university decided to develop its own tool to automate access to the two systems using the same information.

At the same time, the software allows applications to use NDS data for authorisation rather than the application's own internal tables. This saves departments across campus the administrative burden and development cost of setting up the access control tables themselves.

"Once we picked NDS as the single, user ID/password, why not use the other information there?" Bullard says.

Clemson first started using the software, called Authserv, in 1996; it will soon be made commercially available.

Another academic institution went about solving its access control problems outside the realm of policy standards and vendor integration.

When the administration at Brigham Young University, in Utah, wanted to consolidate ID and log-in procedures for the school's intranet, the IT staff had to figure out a way to corral the numerous departments that developed their own applications.

Rather than build its own tool, the school chose commercial, third-party software from Californian startup enCommerce. The application, getAccess, lets the university's departments develop to a specific framework, while getAccess uses information from an LDAP-compliant directory to take care of access controls and security.

"The [department] developers don't have to worry about coding and security for their Web-based intranet applications," says Brad Stone, director of product development, IT services at Brigham Young.

"That's often the stuff they don't do well," Stone adds, citing unprotected cookies as a common problem.

Furthermore, Stone says, the software provides for single ID and password sign-on, regardless of the application or platform a user is working on.
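The "unprotected cookie" Stone mentions is the classic failure mode of home-grown intranet log-in: an application stores the user's identity and group membership in a cookie as plain text and trusts whatever the browser sends back, so anyone can edit the cookie and become someone else or join a privileged group. The example below is added here to illustrate the point and is not code from getAccess, Authserv or any vendor on this page. It shows the naive pattern next to what a central sign-on framework does instead: the gateway issues a session token carrying the user and the directory groups, signs it with an HMAC key shared only between the gateway and the applications, and every application verifies the signature and expiry before trusting the claims. The key, claim names, lifetime and group names are all assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: one secret shared by the sign-on gateway and every intranet app.
# In practice it would be provisioned out of band, never sent to the browser.
SECRET_KEY = secrets.token_bytes(32)


def _b64(raw):
    """URL-safe base64 without padding, so the token is cookie-safe."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- The unprotected pattern: identity stored in clear text -------------
def unprotected_cookie(user, groups):
    """What a departmental app often does: write the claims straight into the cookie."""
    return "user=%s;groups=%s" % (user, ",".join(groups))


def parse_unprotected(cookie):
    """...and then trust whatever comes back. Nothing stops the browser editing it."""
    fields = dict(part.split("=", 1) for part in cookie.split(";"))
    return {"user": fields["user"], "groups": fields["groups"].split(",")}


# --- What a central framework does: signed, expiring session token -------
def issue_session(user, groups, key=SECRET_KEY, ttl=3600, now=None):
    """Gateway side: after authenticating the user against the directory,
    bind user + groups + expiry into a token and sign it (HMAC-SHA256)."""
    now = int(time.time()) if now is None else now
    payload = {"sub": user, "groups": sorted(groups), "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + tag


def verify_session(cookie, key=SECRET_KEY, now=None):
    """Application side: return the claims only if the signature is valid
    and the token has not expired; otherwise None (treat as not logged in)."""
    now = int(time.time()) if now is None else now
    if "." not in cookie:
        return None
    body, tag = cookie.split(".", 1)
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    # Constant-time comparison: do not leak how many bytes of the tag matched.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


def is_member(payload, group):
    """Authorisation decision from directory-sourced groups, not per-app tables."""
    return payload is not None and group in payload.get("groups", [])


if __name__ == "__main__":
    # Constructed demonstration: a student tries to promote themselves.
    naive = unprotected_cookie("alice", ["students"])
    forged = naive.replace("students", "students,registrar")
    print("naive cookie accepts forged groups:", parse_unprotected(forged)["groups"])

    token = issue_session("alice", ["students"], now=1000)
    legit = verify_session(token, now=1500)
    print("signed token, registrar?", is_member(legit, "registrar"))  # False
    # Swap in a body claiming more groups but keep the original tag.
    fake_body = issue_session("alice", ["students", "registrar"], now=1000).split(".")[0]
    print("tampered token verifies:", verify_session(fake_body + "." + token.split(".")[1], now=1500))
```

The token above is what the application receives; the directory lookup that produced the group list happened once, at the gateway, so departmental code never touches the password or the access-control tables. Rotating `SECRET_KEY` invalidates every outstanding session at once, which is the intended behaviour after a suspected leak.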

But with these controls in place, Stone says, the hardest part of the process was the political one of agreeing on what those policies should be.

"Policies need to be based on business decisions, not technology, and then implemented on the appropriate platform," Stone says.

"If you don't define the business process first, then you'll fight against that forever."

Breakout: Driving net management

"Proper network management, including bandwidth allocation, is something people are just starting to tackle now," according to Mitch Radomir, business development manager and strategic marketing manager, Anixter.

Radomir believes there are two main drivers behind network management -- the move from shared to switched networks and an increasing trend for end users to share in the IT budget.

"Network management is now becoming a major issue because we've made a move from shared to switched networks and it's virtually impossible to control a switched network without management tools," Radomir said.

Also, end users, influenced by the outsourcing trend and in control of part of the IT budget, are calling for network service level agreements, he added.

Case study: Monash Uni looks at solutions

By Laura Mason

MELBOURNE -- Monash University is considering implementing a policy-based network management solution from Fore Systems, according to regional director, South Asia, Alex Turkington.

Fore is close to signing a deal with Monash on the solution, he said.

"We're working with [Monash] very closely to look at how we can adapt our products to their requirements.

They are looking very closely at this application-aware story . . . and the SAP agent, as they continue and further their SAP rollout," Turkington said.

That SAP agent is ERP Express, a new product from Fore that builds on its Directory Enabled Networking (DEN) solution, the Extensible Directory Services Agent (EDSA).

EDSA allows network managers to control routing switches through policies defined in a centralised directory, and ERP Express uses EDSA to deliver predictable network service levels for SAP, enabling prioritisation of ERP traffic.

Fore has a long-standing relationship with Monash, having partnered with Cabletron to upgrade the university's network to a Fore switched ATM backbone last year.

Monash officials were not prepared to comment on the university's policy based network management plans, indicating plans were not yet finalised.

Rollout of SAP R/3 at Monash is scheduled for completion in mid-2000.

At a cost of around $20 million it will replace more than 80 systems in current use.
