CrossNodes Briefing: Policy Management

By Gerald Williams | Aug 13, 2001
http://www.enterprisenetworkingplanet.com/netsysm/article.php/864851/CrossNodes-Briefing-Policy-Management.htm

IT and network managers need rules to run a protected, efficient network. They need to implement consistent network security. They must prioritize network traffic, and they require virus protection guidelines for workstations. All these concerns work best when the managers can establish a common, consistent set of rules.

These rules, known as policies, sound simple. In practice, they are difficult to define and enforce. Any attempt to establish policies means that some users will disagree, and that introduces politics to the equation. Enforcement, especially at the workstation level, is difficult and time consuming, and each policy change requires a reconfiguration of every affected network device, an expensive process.

As a result, policy management represents a new breed of products, but the array of products marketed as policy managers can be as confusing as the task of establishing, implementing, and maintaining policies. At the low end, policy management products consist of templates designed to help managers define and publish policies. Other products configure network devices remotely to simplify the implementation and maintenance of policies. Still others offer enforcement checks. A few products try to integrate all these features, but even these tend to concentrate on security, network traffic, or workstation policies.

A Market Without Standards
The market lacks definition. The term policy management can refer to security systems, Virtual Private Networks (VPNs), network traffic, and internal LANs. Managers understand the need to establish network security policies. New technologies such as voice over IP (VoIP) that require predictable data transfers without delays raise the importance of creating policies for prioritizing network traffic. Controlling and maintaining user workstations also represents a concern. IT and network managers, therefore, must focus on one facet of the network rather than try to solve every problem at once.

A lack of standards also hinders the advancement of policy management systems. Most vendors that provide policy management systems only support their own equipment. This limits managers to a single vendor. For some, this may provide a solution. Other managers, however, will want to integrate products from several vendors. As the policy management market matures, standards will evolve, and this will accelerate the acceptance of these systems.

A Question of Security
Security remains a major concern for IT and network managers. A secure network requires configurable firewalls, control over the data traffic, and assurances that workstations and servers have effective virus protection. The configuration of secure connections gets more complex as organizations incorporate VPN traffic, wireless connections, and VoIP.

As the network grows in complexity, so does the task of managing policies. Each change requires that every security device be reset to meet the new rules. This can be time consuming and prone to error. With a centralized policy manager, however, IT and network personnel can maintain and update security devices and switches from a central console. The functions supported vary from product to product, but the following functions may be provided:

  • Setting encryption algorithms for the network
  • Establishing encryption key lengths
  • Assigning digital signatures for specific users
  • Providing a graphical map of network devices and operations
  • Reporting usage statistics

A Push for Speed
Data transfers and network efficiency continue to grow in importance as users demand more bandwidth and fast response times. Quality of Service (QoS) helps define the importance of each type of traffic and establishes the users and applications that require the best response time. Applications such as VoIP require low latency, and network managers know that such traffic has to take priority. Similarly, some critical applications cannot tolerate delays, and these must have priority over traffic such as e-mail and application data.

Developing a true QoS definition is difficult. Managers must create policies that balance bandwidth usage while granting priority to specific data transmissions. The politics alone are complex. Each user believes that his or her application is high priority. In reality, some users must endure some delays to ensure that a high-priority connection gets the bandwidth it needs. Further, QoS requires refinement as organizations change and grow. This means that traffic must be monitored and analyzed to achieve optimal policies. In addition, many organizations are moving from static configurations that set access policies on each port to user-based schemes that establish policies for each user.
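The trade-off described above (one class gets the bandwidth it needs, others wait) can be seen in a small simulation. This is an added example, not code from the article or from any product it discusses: a discrete-time link that serves queued packets either first-in, first-out or by a policy that maps each traffic class to a priority. The traffic mix, class names, link rate and the POLICY table are all constructed for the demonstration.

```python
"""Added example, not from the original article: a small discrete-time link
simulation that applies a QoS policy (traffic class -> priority) and contrasts
it with first-in, first-out service under overload. The traffic mix, link rate
and class names are constructed for the demonstration."""
from dataclasses import dataclass
from statistics import mean

# Hypothetical policy: lower number = served first. Anything not listed is
# treated as best effort (served after every named class).
POLICY = {"voip": 0, "erp": 1, "email": 2}
BEST_EFFORT = max(POLICY.values()) + 1

LINK_BYTES_PER_TICK = 5000  # constructed link rate


@dataclass
class Packet:
    cls: str
    size: int
    arrival: int
    seq: int  # global arrival order, used for FIFO tie-breaking


def offered_load(tick: int, seq_start: int) -> list[Packet]:
    """Constructed per-tick traffic: 6500 bytes offered against a 5000-byte link,
    so a backlog builds and the service order decides who waits."""
    mix = [("voip", 200)] * 5 + [("erp", 1000)] + [("email", 1500)] * 3
    return [Packet(cls, size, tick, seq_start + i) for i, (cls, size) in enumerate(mix)]


def fifo_order(p: Packet):
    """No policy: whoever arrived first is sent first."""
    return p.seq


def priority_order(p: Packet):
    """Policy-based: class priority first, arrival order within a class."""
    return (POLICY.get(p.cls, BEST_EFFORT), p.seq)


def simulate(order_key, ticks: int = 30) -> dict[str, dict[str, float]]:
    """Each tick, send packets in order_key order until the next one does not fit
    (no preemption, no partial sends). Returns per-class delay statistics, in
    ticks waited, for packets that were actually sent."""
    pending: list[Packet] = []
    delays: dict[str, list[int]] = {}
    seq = 0
    for t in range(ticks):
        arrivals = offered_load(t, seq)
        seq += len(arrivals)
        pending.extend(arrivals)
        pending.sort(key=order_key)  # stable sort: equal keys keep arrival order
        budget = LINK_BYTES_PER_TICK
        while pending and pending[0].size <= budget:
            p = pending.pop(0)
            budget -= p.size
            delays.setdefault(p.cls, []).append(t - p.arrival)
    return {cls: {"sent": len(d), "mean_delay": mean(d), "max_delay": max(d)}
            for cls, d in delays.items()}


def compare(ticks: int = 30) -> dict[str, dict]:
    """Run the same offered load under both service orders."""
    return {"fifo": simulate(fifo_order, ticks), "priority": simulate(priority_order, ticks)}


if __name__ == "__main__":
    for name, stats in compare().items():
        print(name)
        for cls, s in sorted(stats.items()):
            print(f"  {cls:6s} sent={s['sent']:3d} mean={s['mean_delay']:.2f} max={s['max_delay']}")
```

Under FIFO the VoIP packets start queueing behind bulk e-mail within a few ticks; under the priority policy VoIP and the ERP traffic never wait, and the whole backlog lands on e-mail, which is exactly the delay the lower-priority users have to accept. Changing the numbers in POLICY or the mix in offered_load is the "monitor and refine" loop the text describes, done on paper before it is done on the switches.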

Remote configuration support is key. This capability allows managers and IT staff to update switches and other network devices from a central console when changes are made. However, remote configuration generally requires that all the equipment come from a single vendor.

The Call for Consistency
Workstations may be the most difficult network devices to control. Users regularly add software, fail to update virus protection programs, and ignore the latest updates to application software. Managers end up with a disparate collection of configurations that are more difficult to maintain. Where the latest virus software is not running, these systems also represent a security risk.

Most companies have developed workstation policies that define a minimum standard configuration. Maintaining these workstations requires time and money. Several vendors now offer centralized auditing software to ensure that workstation usage and configurations conform to the policies of the company. Some programs also allow managers to apply updates remotely, and this can save a considerable amount of time.
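The audit idea in the preceding paragraph, and the encryption-algorithm and key-length settings listed under "A Question of Security", come down to the same mechanism: a policy written down as data, and a check that compares what each device reports against it. The following is an added example, not code from the article or from any vendor's product. The policy thresholds, host names, inventory records and rule names are constructed for the demonstration; a real deployment would collect the records from the devices and use the organization's own minimums.

```python
"""Added example, not from the article or any vendor's product: a declarative
policy and an audit that checks device and workstation records against it.
Every policy value, host name and record below is constructed for the demo."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


# Constructed policy. A real one would carry the organization's own thresholds.
POLICY = {
    "vpn": {
        "allowed_algorithms": {"AES"},  # algorithm family the policy permits
        "min_key_bits": 128,            # minimum encryption key length
    },
    "workstation": {
        "max_signature_age_days": 7,    # virus signatures must be at most this old
        "min_patch_level": 10,          # hypothetical application patch level
        "forbidden_software": {"p2p-client"},
    },
}

# Constructed inventory records, as a collection agent might report them.
DEVICES = [
    {"host": "vpn-gw-1", "algorithm": "AES", "key_bits": 256},
    {"host": "vpn-gw-2", "algorithm": "DES", "key_bits": 56},
]
WORKSTATIONS = [
    {"host": "ws-101", "av_signature_date": "2001-08-10", "patch_level": 12,
     "installed": ["office-suite", "browser"]},
    {"host": "ws-102", "av_signature_date": "2001-06-01", "patch_level": 9,
     "installed": ["office-suite", "p2p-client"]},
    {"host": "ws-103", "patch_level": 12, "installed": ["browser"]},  # no AV report
]


def audit_vpn(rec: dict, policy: dict) -> list[Finding]:
    """Check one VPN device record against the encryption policy."""
    findings = []
    alg = rec.get("algorithm")
    if alg not in policy["allowed_algorithms"]:
        findings.append(Finding(rec["host"], "vpn.algorithm",
                                f"{alg!r} not in {sorted(policy['allowed_algorithms'])}"))
    bits = rec.get("key_bits", 0)
    if bits < policy["min_key_bits"]:
        findings.append(Finding(rec["host"], "vpn.key_bits",
                                f"{bits} bits < minimum {policy['min_key_bits']}"))
    return findings


def audit_workstation(rec: dict, policy: dict, today: date) -> list[Finding]:
    """Check one workstation record. A missing report is itself a finding:
    absence of data must not be read as conformance."""
    findings = []
    sig = rec.get("av_signature_date")
    if sig is None:
        findings.append(Finding(rec["host"], "ws.av_signature", "no signature date reported"))
    else:
        age = (today - date.fromisoformat(sig)).days
        if age > policy["max_signature_age_days"]:
            findings.append(Finding(rec["host"], "ws.av_signature",
                                    f"signatures {age} days old (max {policy['max_signature_age_days']})"))
    level = rec.get("patch_level", 0)
    if level < policy["min_patch_level"]:
        findings.append(Finding(rec["host"], "ws.patch_level",
                                f"level {level} < minimum {policy['min_patch_level']}"))
    banned = set(rec.get("installed", [])) & policy["forbidden_software"]
    if banned:
        findings.append(Finding(rec["host"], "ws.software", f"forbidden: {sorted(banned)}"))
    return findings


def audit(devices, workstations, today: date) -> dict[str, list[Finding]]:
    """Run every check; return findings grouped by host (conforming hosts are omitted)."""
    report: dict[str, list[Finding]] = {}
    for rec in devices:
        if f := audit_vpn(rec, POLICY["vpn"]):
            report[rec["host"]] = f
    for rec in workstations:
        if f := audit_workstation(rec, POLICY["workstation"], today):
            report[rec["host"]] = f
    return report


def run_audit(today_iso: str = "2001-08-13") -> dict[str, list[Finding]]:
    """Audit the constructed inventory as of the given date (the article's date by default)."""
    return audit(DEVICES, WORKSTATIONS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for host, findings in run_audit().items():
        for f in findings:
            print(f"{host}: {f.rule}: {f.detail}")
```

Two design points matter more than the particular rules. The policy is data, so a change to a key length or a signature-age limit is one edit rather than a reconfiguration of every device, which is the cost the article complains about. And a host that reports nothing is flagged rather than skipped; an audit that only scores the hosts it can see will happily report a clean network that is anything but.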

Finding the Right Policy Manager
Implementing a policy manager is as much a philosophical question as it is a decision based on features. Once a manager decides to adopt a rules-based network, priorities must be identified. A careful analysis of the current infrastructure should show whether security, performance, or workstations require the most work. The analysis also serves as a starting point for defining the rules. Once the focus is set, it is important for the manager to identify the devices affected by the policies.

Regardless of the area addressed by the policy manager, reporting and the user interface are important factors. Managers need to understand how well their security policies operate. Similarly, they must determine the nature of the traffic each user generates if they want to improve the network's efficiency. Reports and audits also help ensure compliance with workstation configuration policies. An effective user interface eases the task of changing policies and allows managers to quickly assess the health of the network. Therefore, managers should consider each policy manager's reporting capability and ease of use before they select a product.

Gerald Williams serves as director of quality assurance for Dolphin Inc., a software development company. Williams has an extensive background in technology and testing, previously serving as editorial director with National Software Testing Labs (NSTL), executive editor with Datapro Research, and managing editor of Datapro's PC Communications Reference Service.