CrossNodes Briefing: Policy Management
We all live by the rules, and often enough network managers are the ones chosen to enforce those rules. When it comes to maintaining who has what rights for individual files, workgroup files, those that can be accessed remotely, or what workstations individual users can work from, the amount of maintenance can be staggering -- particularly on an enterprise-sized network. This brought about a new breed of software -- policy management. We take a look at what it does, and what you need to consider in implementing policy management systems. Each CrossNodes Briefing is designed to act as a reference on an individual technology, providing a knowledge base and guide to networkers in purchasing and deployment decisions.
IT and network managers need rules to run a protected, efficient network. They need to implement consistent network security. They must prioritize network traffic, and they require virus protection guidelines for workstations. All these concerns work best when the managers can establish a common, consistent set of rules.
These rules, known as policies, sound simple. In practice, they are difficult to define and enforce. Any attempt to establish policies means that some users will disagree, and that introduces politics to the equation. Enforcement, especially at the workstation level, is difficult and time-consuming, and each policy change requires a reconfiguration of each network device, an expensive process.
As a result, policy management represents a new breed of products, but the array of products marketed as policy managers can be as confusing as the task of establishing, implementing, and maintaining policies. At the low end, policy management products consist of templates designed to help managers define and publish policies. Other products configure network devices remotely to simplify the implementation and maintenance of policies. Still others offer enforcement checks. A few products try to integrate all these features, but even these tend to concentrate on security, network traffic, or workstation policies.
A Market Without Standards
The market lacks definition. The term policy management can refer to security systems, Virtual Private Networks (VPNs), network traffic, and internal LANs. Managers understand the need to establish network security policies. New technologies such as voice over IP (VoIP) that require predictable data transfers without delays raise the importance of creating policies for prioritizing network traffic. Controlling and maintaining user workstations also represents a concern. IT and network managers, therefore, must focus on one facet of the network rather than try to solve every problem at once.
A lack of standards also hinders the advancement of policy management systems. Most vendors that provide policy management systems only support their own equipment. This limits managers to a single vendor. For some, this may provide a solution. Other managers, however, will want to integrate products from several vendors. As the policy management market matures, standards will evolve, and this will accelerate the acceptance of these systems.
A Question of Security
Security remains a major concern for IT and network managers. A secure network requires configurable firewalls, control over the data traffic, and assurances that workstations and servers have effective virus protection. The configuration of secure connections gets more complex as organizations incorporate VPN traffic, wireless connections, and VoIP.
As the network grows in complexity, so does the task of managing policies. Each change requires that every security device be reset to meet the new rules. This can be time consuming and prone to error. With a centralized policy manager, however, IT and network personnel can maintain and update security devices and switches from a central console. The functions supported vary from product to product, but the following functions may be provided:
- Setting encryption algorithms for the network
- Establishing encryption key lengths
- Assigning digital signatures for specific users
- Providing a graphical map of network devices and operations
- Reporting usage statistics
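The list above describes what a central console does; the script below is an added illustration of the idea, not code from the briefing or from any vendor's product. It holds a single policy (allowed encryption algorithms, a minimum key length, a requirement that each user have a digital signature assigned), audits a constructed inventory of device configurations against it, and computes the settings the console would have to push to bring a non-compliant device into line. Device names, cipher names and policy values are all constructed for the example.

```python
"""Central policy check over device configurations (added example, constructed data)."""
from dataclasses import dataclass

# The organisation's single, central policy. Values are constructed for this example.
POLICY = {
    "allowed_ciphers": {"aes-256-gcm", "aes-128-gcm", "chacha20-poly1305"},
    "min_key_bits": 2048,        # minimum asymmetric key length
    "require_signature": True,   # every user must have a digital signature assigned
    "preferred_cipher": "aes-256-gcm",  # what remediation switches a device to
}


@dataclass
class DeviceConfig:
    """The settings the console reads back from one security device (hypothetical shape)."""
    name: str
    cipher: str
    key_bits: int
    users_with_signature: dict  # user name -> True if a signature is assigned


def check_device(cfg, policy=POLICY):
    """Return a list of policy violations for one device; an empty list means compliant."""
    violations = []
    if cfg.cipher.lower() not in policy["allowed_ciphers"]:
        violations.append(f"{cfg.name}: cipher {cfg.cipher!r} is not an allowed algorithm")
    if cfg.key_bits < policy["min_key_bits"]:
        violations.append(
            f"{cfg.name}: key length {cfg.key_bits} is below the minimum {policy['min_key_bits']}"
        )
    if policy["require_signature"]:
        for user, has_sig in sorted(cfg.users_with_signature.items()):
            if not has_sig:
                violations.append(f"{cfg.name}: user {user} has no digital signature assigned")
    return violations


def remediation_plan(cfg, policy=POLICY):
    """Settings a central console would push to make the device compliant (only changed keys)."""
    changes = {}
    if cfg.cipher.lower() not in policy["allowed_ciphers"]:
        changes["cipher"] = policy["preferred_cipher"]
    if cfg.key_bits < policy["min_key_bits"]:
        changes["key_bits"] = policy["min_key_bits"]
    return changes


def audit(devices, policy=POLICY):
    """Check every device in the inventory; returns {device name: violations}."""
    return {d.name: check_device(d, policy) for d in devices}


def compliance_summary(devices, policy=POLICY):
    """Roll the audit up into the kind of statistics a console would report."""
    results = audit(devices, policy)
    noncompliant = [name for name, v in results.items() if v]
    return {"total": len(devices), "noncompliant": len(noncompliant), "devices": noncompliant}


# Constructed sample inventory; none of these are real devices.
SAMPLE_DEVICES = [
    DeviceConfig("fw-edge-1", "aes-256-gcm", 4096, {"alice": True, "bob": True}),
    DeviceConfig("fw-branch-2", "3des-cbc", 1024, {"carol": True, "dave": False}),
    DeviceConfig("vpn-gw-1", "AES-128-GCM", 2048, {"erin": True}),
]

if __name__ == "__main__":
    for name, violations in audit(SAMPLE_DEVICES).items():
        print(name, "compliant" if not violations else violations)
    for device in SAMPLE_DEVICES:
        plan = remediation_plan(device)
        if plan:
            print("push to", device.name, "->", plan)
    print(compliance_summary(SAMPLE_DEVICES))
```

Running it flags only fw-branch-2 (a cipher outside the allowed set, a 1024-bit key, and one user without a signature) and prints the two settings the console would push to fix it; the other two devices pass. Keeping the check and the remediation as separate functions is deliberate: the audit is the enforcement check the briefing mentions, and the push is the remote configuration, and a console should be able to report the first without automatically doing the second.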