
Policy-based Automatic Configuration of Network Elements in Separate Segments

Tomomi Yoshioka, Tomohiro Igakura, and Toshio Tonouchi
NEC Corporation, Networking Research Laboratories
4-1-1 Miyazaki, Miyamae-ku, Kawasaki-city, Kanagawa 216-8555, Japan



Presentation Transcript


  1. Policy-based Automatic Configuration of Network Elements in Separate Segments
     Tomomi Yoshioka, Tomohiro Igakura, and Toshio Tonouchi
     NEC Corporation, Networking Research Laboratories
     4-1-1 Miyazaki, Miyamae-ku, Kawasaki-city, Kanagawa 216-8555, Japan
     E-mail: {t-yoshioka@ab, t-igakura@bx, tonouchi@cw}.jp.nec.com

  2. Introduction – Corporate Network
     • Large networks always suffer from heterogeneity.
     • Networks divided by division firewalls bring inconsistency.
     • An evolving corporate network requires frequent management system updates.
     → Policy-based management system (NMS)
     [Figure: clients and servers in several divisions, each division behind its own firewall]

  3. Issues
     • COPS Policy Server [RFC 2748]
       • Distributes the same policy set to all network elements
       • Supports a homogeneous environment only
     • General-purpose policy control language such as [Sloman94]
       • Focuses on the control of a single network element
       • Lacks the ability to describe relationships among managed network elements
     [Figure: a Policy Server deploying policies a, b and c to policy enforcement points]

  4. Proposal: Policy-based Automatic Configuration System
     • Policy Server:
       • accepts policies that determine which messages are sent to which network elements,
       • receives control command messages and forwards each message to the hosts that have to receive it.
     • Therefore:
       • this policy-based automatic network control system is able to handle heterogeneity, because the Policy Server can receive and send messages to any kind of network element;
       • since message forwarding is governed by the policies held on the server, each network element receives the messages that relate to it.
     [Figure: Bob, Printer, Printer Manager, Pager Server and the Policy Server]
       1. Bob registers his policy in the Policy Server (From: Bob; Message Acceptance Policy: (policy data)).
       2. The printer sends a control command message (To: (features of NE); To do: (control data)).
       3. The Policy Server forwards the message to a host whose policy indicates that it offers that particular service.

  5. Policy-based System Architecture ~ Automatic management consistent over separated segments ~
     • Network structure: three segments, each behind its own firewall and linked over a VPN (Virtual Private Network)
       • Personnel Department (AP Service Server)
       • Research Department (Client)
       • System Administration Department (Authentication Server, Policy Server)
     • For a Client in the Research Department to use a service offered by the Personnel Department:
       1. Authentication of the Client
       2. Reconfiguration of all relevant firewalls
       3. Access to the AP Service Server

  6. Policy-based System Architecture ~ Configuration Sequence ~
     • A Client logs onto the network control system.
     • Steps captioned in the figure (numbered 1–9 across the three segments):
       4. A request to conduct a further reconfiguration of the firewalls
       5. Forwarding of the messages requesting reconfiguration
     • Policy command message:
         message: send
         messageid: 003
         receivers: /net/fw/
         (abbreviated)
         Head sName "ClientNatAndFw"; pName "thruClient"; rID 8;
         Body sT,"192.168.0.50"; sT,"10.56.33.54";
         End

  7. Policy-based System Architecture ~ Control Command Message and Policy ~
     • Control command message:
         message: send
         messageid: 003
         receivers: /net/fw/
         (abbreviated)
         Head sName "ClientNatAndFw"; pName "thruClient"; rID 8;
         Body sT,"192.168.0.50"; sT,"10.56.33.54";
         End
     • Header (message, messageid, receivers): the part the Policy Server compares to registered policies. The attribute "receivers" indicates the destination(s) of the messages to be forwarded.
     • Payload (Head ... Body ... End): contains the control command that reconfigures the firewalls; the control command is written in "cDR".
       • sName "ClientNatAndFw": command name to be executed
       • pName "thruClient": parameter name of the command
       • sT,"192.168.0.50": parameter value, the string data indicating the IP address of the Research firewall
       • sT,"10.56.33.54": parameter value, the IP address of the Client
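As an added example (not the authors' implementation), the control command message above parsed in Python and matched against registered policies in the way slides 4 and 7 describe: the header's "receivers" attribute selects the hosts whose registered policy path it covers. The split into header and payload follows the slide annotations; straight quotes, the omitted "(abbreviated)" marker and prefix matching of the receivers path are assumptions of this example, and the policy table is constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample: the slide's control command message with straight quotes
# and the "(abbreviated)" marker dropped (assumptions of this example).
SAMPLE_MESSAGE = """message: send
messageid: 003
receivers: /net/fw/
Head sName "ClientNatAndFw"; pName "thruClient"; rID 8;
Body sT,"192.168.0.50"; sT,"10.56.33.54";
End
"""


@dataclass
class ControlMessage:
    header: dict   # message / messageid / receivers, compared against registered policies
    command: dict  # sName, pName, rID from the Head section
    params: list   # string (sT) parameter values from the Body section, in order


def parse_message(text: str) -> ControlMessage:
    """Split the message into header attributes, Head fields and Body parameters."""
    header, command, params = {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "End":
            continue
        if line.startswith("Head "):
            # name followed by either a quoted string or an integer, e.g. rID 8
            for m in re.finditer(r'(\w+)\s+("([^"]*)"|\d+)', line[5:]):
                command[m.group(1)] = m.group(3) if m.group(3) is not None else int(m.group(2))
        elif line.startswith("Body "):
            params = re.findall(r'sT,"([^"]*)"', line)
        else:
            key, _, value = line.partition(":")
            header[key.strip()] = value.strip()
    return ControlMessage(header, command, params)


def forward_targets(msg: ControlMessage, policies: dict) -> list:
    """Return the hosts whose registered policy path lies under the receivers selector.

    `policies` maps a host name to the path it registered with the Policy Server;
    treating "receivers" as a path prefix is an assumption of this example."""
    selector = msg.header["receivers"]
    return sorted(host for host, path in policies.items() if path.startswith(selector))
```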

  8. Feature 1 ~ Plug and Play of a New AP Service Server ~
     • The server registers itself with the Policy Server.
     • The Policy Server reconfigures the related firewalls.
     • Sequence shown in the figure:
       1. A DHCP request is sent to the DHCP server. The DHCP server assigns an IP address to the new AP Service Server and returns it in a DHCP reply.
       2. The AP Service Server registers its policy in the Policy Server.
       3. The AP Service Server reconfigures the firewalls.
       4. The AP Service Server requests the reconfiguration of the Research Department firewall.
       5. The Policy Server also reconfigures the client-side firewall.
     DHCP: Dynamic Host Configuration Protocol

  9. Feature 2 ~ Automatic Failure Recovery (1) ~
     • Deregistration process for a failed AP Service Server (figure: Client, AP Service Server 1 (failed), AP Service Server 2, Fault Management Server, Policy Server):
       An execution request message is sent to the failed AP Service Server 1.
       1. Error response
       2. Error report
       3. Error report forwarded
       4. A request message to deregister the policy of AP Service Server 1

  10. Feature 2 ~ Automatic Failure Recovery (2) ~
     • Take-over process by AP Service Server 2 (figure: Client, AP Service Server 1 (failed), AP Service Server 2, Fault Management Server, Policy Server):
       5. Take-over request message
       6. Forwarding of the take-over request message
       7. Result for the request
       8. Result forwarded
       9. Result returned
       10. Result notification

  11. Feature 3 ~ Reconfiguration of Network Segments ~
     • Figure: a new segment, Department b (Firewall, AP Service Server b), is added alongside Department a (AP Service Server a) and the Research Department (Client); steps captioned:
       1. Registration of the firewall at Department b
       2. Registration of AP Service Server b
       5. Forwarding of the message requesting reconfiguration
     • Even if a new network segment is added, the existing policies require no modification.

  12. Conclusion & Future Work
     • Conclusion
       • We proposed a network control system built on our Policy Server and made a proof-of-concept implementation.
       • Important features of this network control system are:
         • Policy control can be applied even in a heterogeneous network environment
         • Policy control respects the relationships among network elements
       • The example applications of our system are:
         • Plug and play of a new AP Service Server
         • Automatic failure recovery
         • Reconfiguration of network segments
     • Future Work
       • A translator that generates protocol-converting stubs from WSDL
       • An application tool that helps administrators write policies
       • Quantitative evaluation
       • A study of next-generation autonomous systems
