The Cable Guy - February 2001

Introduction to DEN

By The Cable Guy

Directory enabled networks (DEN) is an industry initiative, sponsored by the Distributed Management Task Force (DMTF), to develop a standard information model for representing network elements and services in a directory. DEN is comprehensive, including a mixture of technologies that enable the directory-based control of networks. DEN is also known as policy-based network management.

A directory is defined as a physically distributed and logically centralized repository of infrequently changing data that is used to manage a computing environment. Windows 2000 Active Directory directory service is an example of a directory. For DEN, the directory stores the state of the network and provides access to network information.

By integrating the directory and the network, the directory takes on a new role. It not only acts as a repository for information about users and computing resources (such as servers or printers), it is also extended to include information about network devices, services, and applications. Of even greater significance, the directory includes information about the relationships among all of the elements in the directory.

In this expanded view of directory services, users and both computing and network resources can use the directory service to publish information about themselves while discovering and obtaining information about other resources. When information about users, network elements, and services is available in a central location, policies can be used to manage the network.

Policy information includes a set of rules, structured as conditions and actions, for managing resources in the context of a specific realm of network management such as IP address management, quality of service (QoS), or security. User information typically includes not only user profiles, but also authentication and authorization data (access rights).

DEN management

DEN management focuses on managing three areas in the IT environment: the physical infrastructure, network services, and the desktop.

Physical infrastructure management

For the physical infrastructure, the directory stores object definitions that contain the attributes of network devices, including routers, switches, hubs, firewalls, remote access devices, and other components. With the use of object classes and inheritance properties, these devices are more easily and consistently managed through the directory. Knowledge of the physical network structure can be useful in a variety of ways including asset tracking, access list management, and fault isolation.

Asset tracking

Using DEN, IT managers can maintain an inventory of network equipment and configuration. Keeping this network data in a central repository provides for better network modeling and management. By maintaining state data for network devices, an IT manager can determine which users are using what network equipment and services within an organization. By maintaining configuration data for network devices, network device configuration becomes centralized, providing the potential for sharing common configuration elements among multiple network devices. This simplifies configuration and ongoing maintenance, which is most often performed separately for each device.

For asset tracking, the directory schema provides a way to combine asset tracking with network management. The asset tracking number is stored as an attribute of the directory object that represents the hardware device. Searches can be performed based on the asset tracking number to locate a specific piece of hardware. After the hardware asset object has been found in the directory, references to container objects that identify its physical location can be followed. For example, a hierarchy might start at the chassis that contains the object, and go to the rack containing the chassis, to the closet where the rack is located, and so on.

Access list management

Access lists, also known as packet filters, are definitions of specific types of network traffic. For example, an access list might define all traffic to and from a range of IP addresses. Access lists are used for a variety of purposes, including firewalls and security, to accept, reject, or secure network traffic.

For example, an access list can be used to reject packets with spoofed IP addresses. Spoofing is a common type of attack in which the source address of a packet that originates from outside of an organization is forged to make it appear to have originated from inside of the organization. By assigning an access list to a router's Internet interface that reject packets with spoofed IP addresses, all traffic coming from the Internet with spoofed addresses is dropped by the router.

Without DEN, you must configure each Internet router with the access list and assign the access list to the router's interface. With DEN, you can create a single access list policy to reject spoofed traffic and then assign that policy to the Internet interface of each Internet-connected router.

Fault isolation

When communication faults occur, following the path of the physical connections between devices helps identify the point of failure. At various points it might be necessary to find the physical location of one of the devices or the endpoints of a physical connection so that a physical inspection can occur or diagnostics can be performed. By storing both physical location and connectivity relationship information in the directory, fault isolation can be greatly simplified.

Network services management

Managing network services through DEN allows administrators to assume a network-centric view of services and provision them on an end-to-end basis instead of managing individual network elements. The following are some examples of DEN-based network service management.

Quality of service

Quality of service (QoS) can prioritize application traffic and allocate resources across the network to ensure the delivery of mission critical applications when the network is congested. Mission critical applications are given higher priority, while e-mail and file transfers receive a lower priority. A QoS policy can identify specific types of traffic for high or low priority. A QoS policy can also include per-user settings—such as the number of flows allowed, the amount of peak rate bandwidth that can be requested, and the allowable bandwidth reservations (dependent upon the time of day)—that provide for the delivery of personalized QoS service. In order to manage these QoS policies effectively, a solution is needed that is integrated with the existing directory that stores information about user objects. With DEN, the network administrator edits new QoS attributes for user objects in the directory, eliminating the need to maintain multiple stores of user information.

Policy-based routing

Another use of QoS is policy-based routing, which can be used to select alternative routing paths based on traffic characteristics. Policy-based routing provides the ability to differentiate on the basis of a user, application, operation, or process and direct traffic to higher-performance lines than other traffic. Policy-based routing also permits servicing critical, time-sensitive, or confidential information by special routes that are not available to other traffic. To be scalable, policy-based routing requires centralized administration and management, which requires the directory in order to be implemented. With DEN, QoS policies that are configured in the directory can be applied to routers in the organization, achieving the desired routing behavior.

IP address management

IP address management is a crucial network service for IP networks that automates the following tasks:

• Configuring network nodes with an IP address, subnet mask, default gateway address, and the preferred DNS server with DHCP.
• Monitoring usage of addresses to ensure efficient allocation.
• Configuring DNS servers with each node's name and IP address mapping with DNS dynamic update protocol.

With DEN, DNS and DHCP servers can directly receive their configurations from the directory. They can access and store both configuration and operational data in the directory for sharing and coordination across multiple servers.

Desktop management

Enterprise networks include large numbers of computers, including those on user desktops and laptops used by roaming users. These computers are connected to various server systems that are often geographically separated. Network administrators want both the power and flexibility of the distributed system and the simplicity of centralized system administration.

In addition to the increasing need to lower the cost of ownership for PC networks, there is also an increasing need to lower the cost of desktop administration. First, much of the cost of administering the desktop environment results from user configuration errors, which increase the number of Help desk incidents and waste employee time. Second, application and file deployment is a huge cost for an organization. Administrators need to both mandate desktop and application settings and efficiently install applications so that users have neither the need nor the ability to modify their system configuration. The directory stores computer configuration, user preferences, application settings, and policies that govern application deployment.

As an example of DEN, the Group Policy infrastructure for desktop policy enforcement that is included in Windows 2000 uses Active Directory to combine policy and desktop management. Integration with the directory provides for desktop policy management that is centralized and independent of the user's location.

Related Links

For more information about DEN and Windows 2000 technology, consult the following resources:

• Active Directory: A Platform for Directory-enabled Networking
• Directory Enabled Networks---Frequently Asked Questions
• Directory-enabled Networks (Adobe Acrobat file)

For a list of all The Cable Guy articles, click here.