
News In Review

August 9, 1999

Network Policies Ease Management

Policy-based networking helps users improve access and simplify administration

By Brian Riggs

    A human-resources representative at a hospital logs on to the state of New Jersey's extranet to modify contact information for several employees. An administrator at a state welfare agency searches the extranet for private organizations that provide job training. A case worker at a rehabilitation center uses the extranet to track which services have been provided to a client by various state agencies and other organizations.

    These are only a handful of the 20,000 or more users from thousands of outside organizations that the New Jersey Office of Information Technology expects will access its extranet during the next year. Setting access rights and security parameters for each user--and being able to update them as new contracted agencies are added, new employees are hired, and others leave--has the potential to become a nightmare of monstrous proportions.

    That's why Don Johnson, director of advanced technology research, is setting up network policies to simplify management of the extranet. "Policy networking is the cornerstone of our extranet," he says. "We see it as essential in enabling our E-government strategy."

    Privileged List
    Policy-based networking lets companies set up and maintain centralized lists of network privileges associated with a particular user, a group of users, or an application. A policy can specify, for example, that order-entry applications always have bandwidth available regardless of network congestion. Another policy can determine that all accounting representatives have prioritized network access on the last day of the month when finances are being balanced. Policies can also grant a particular group of users access to a specified set of network resources, but deny the same group access to other resources.

    Typically taking their cues from entries in network directories, policies are enforced by policy servers that ensure that switches, routers, firewalls, and other network elements reserve the requisite amount of bandwidth, prioritize packets of a privileged application, and grant or restrict access to particular sets of users.

    In a typical policy system, directory server software such as Novell Directory Services or Netscape Directory stores information on which users or user groups have access rights to specific resources on the network, as well as which user group or application gets priority over others. A policy server, typically based on a networking equipment vendor's proprietary software such as Cisco's CiscoAssure or 3Com's Transcend Policy Server, interprets what the information stored in the directory means to the performance of the network. The policy server also communicates policies to policy-enabled network devices such as routers and switches.

    Partner Preference
    For example, a policy-based network can specify that all network traffic generated by extranet partners during weekday business hours gets priority over standard Web browsing and E-mail transmissions. When the business partner logs on to the extranet, policy-enabled devices submit the request for prioritized treatment to the policy server. The policy server then accesses the business partner's profile in the directory and verifies the time at which the request is being made. The policy server then either permits or denies the request for prioritized treatment. If permitted, the networking devices adjust the amount of bandwidth available on the network and the priority at which various application traffic is sent so the extranet partner's traffic gets priority.

    Some vendors, notably IBM with its Common Policy Engine, are attempting to simplify this model by integrating policy server software into networking devices, effectively eliminating the need for a stand-alone policy server.

    Policy networking is expected to play a key role in building scalable company extranets, particularly large extranets with a user base that changes frequently. By assigning access rights and different levels of service quality to disparate groups of users, IT managers can simplify extranet administration. "The idea is not to have to manage users individually but to manage them by role," says Charles Rutstein, an analyst at Forrester Research, noting that policies can significantly simplify the management of extranet security.
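
The Partner Preference decision flow and the manage-by-role point above, sketched as an added example (not code from the article or from any vendor's policy server). The directory entries, role names, and the 08:00-18:00 weekday window are assumptions made for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time

# Constructed directory entries (user -> role); stands in for a directory server.
DIRECTORY = {
    "partner-hospital-hr": "extranet_partner",
    "staff-jsmith": "employee",
}


@dataclass(frozen=True)
class RolePolicy:
    priority: str         # traffic class granted when the policy matches
    weekdays: frozenset   # datetime.weekday() values, Monday == 0
    start: time           # window start, inclusive
    end: time             # window end, exclusive


# Policies attach to roles, not to individual users, so adding or removing
# a partner employee only touches the directory entry.
# Assumed business hours: Monday-Friday, 08:00-18:00.
POLICIES = {
    "extranet_partner": RolePolicy("high", frozenset(range(5)), time(8), time(18)),
}

DEFAULT_PRIORITY = "standard"  # class used for ordinary Web and e-mail traffic


def decide(user: str, when: datetime) -> tuple[bool, str, str]:
    """Policy-server decision for a device's prioritized-treatment request.

    Returns (permit, priority, reason). Every failure path denies and falls
    back to the standard class, so an unknown user never gains priority.
    """
    role = DIRECTORY.get(user)
    if role is None:
        return (False, DEFAULT_PRIORITY, "unknown user")
    policy = POLICIES.get(role)
    if policy is None:
        return (False, DEFAULT_PRIORITY, f"no priority policy for role {role}")
    if when.weekday() not in policy.weekdays:
        return (False, DEFAULT_PRIORITY, "outside permitted days")
    if not (policy.start <= when.time() < policy.end):
        return (False, DEFAULT_PRIORITY, "outside permitted hours")
    return (True, policy.priority, f"role {role} within window")
```

The reason string is what an administrator would want written to the policy server's audit log for each permit or deny.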
