Download Microsoft`s Active Directory Services

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
Document related concepts

Wireless security wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Deep packet inspection wikipedia , lookup

Net bias wikipedia , lookup

Network tap wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Airborne Networking wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Distributed firewall wikipedia , lookup

Transcript 
Directory Enabled Networking
with Active Directory
Austin Wilson
Microsoft Corporation
What is Directory Enabled
Networking?
 Policy-based management of network
resources and provisioning of services
 Directory is central as it serves to bind
information about users, applications and
network infrastructure
 It is the comprehensive term that includes all
technologies needed to make directorybased control of networks a reality
 Directory enabled networking and policybased networking are synonymous
DEN vs. Directory Enabled
Networking
 DEN - the standard - is distinct from
directory enabled networking
 Directory enabled networking is more
than just DEN
 DEN provides a foundation
 Information model
 Directory schema (LDAP)
 Many implementation issues and other
standards for directory-enabled
networking are outside the scope of DEN
Overview
Vision of Directory Enabled Networking
 Harness the power of directory services
for network management and services
 Policy-based networking: simpler quality
of service, configuration, and security
administration
 Common information model and schema
for network elements and services
 Interoperable network services and
management solutions
Overview
Vision of Directory Enabled Networking
Management
App B
Management
App A
Directory
Service
Management
App C
Interoperability provided via Directory Service
Overview
Vision of Directory Enabled Networking
Directory
Service
Server
Switch
Firewall
ERP DB
Overview
Directory Enabled Networks
 Logical division of labor
 Directory provides point of resource
discovery and defines bindings
 Networks provide end-to-end connectivity
 Policy-based network management
 Enables unification of network services
and management applications
 Defines and distributes policy and
bindings
 Enables personalized network services
Standards
DEN Progress Report
 DEN Ad Hoc Working Group formed: Dec 97
 DEN spec finished and submitted to DMTF
for further development: Sep 98
 DEN framework is an integral part of
Common Information Model (CIM)
 DEN spec incorporated into CIM model in
phases
 Physical model integrated in CIM v2.1: Oct 98
(application, device, system and physical)
 Logical model integrated in CIM v2.2: Jun 99
(network and services)
 Policy model: work-in-progress jointly between
DMTF/IETF
Applications
Dir Enabled Networking at Work
 Physical infrastructure management
 Static configuration of network devices
 Asset tracking
 Device and topology discovery
 Performance and fault management
 Network service management
 Quality of Service (QoS)
 Remote access and VPN
 IP security
 IP address management
 Firewalls
QoS (with RSVP and DiffServ)
NetMeeting
Client
Policy: “Yes, you may have Priority Gold”
or “No, you may not have Priority now”
Service Level Agreement:
PHB = EF; TokenBucket = TB2
(e.g. equiv to virtual leased line)
Data Store
RSVP-enabled
campus network
Policy
server
Differentiated
service
network(s)
RSVP-enabled
campus network
NetMeeting
Client
Client: “May I have Priority, Please”
VPN (L2TP/IPSec Voluntary Tunnel)
Win2000
MS Active
Directory
Server
Internet
Auth/Authz
Server
NAS
Edge
Router
Edge
Router
Radius
proxy
Legend:
IPSec
L2TP
MS IAS
Server
MS Active
Directory
Server
Architecture
Policy-based Networking
Policy
Repository
LDAP
Directory
Policy
Management
Console
LDAP
Policy
Proxy
SNMP
Policy
Decision
Point
COPS
Policy Enforcement Points
Policy
Decision
Point
Architecture Components
Directory
 Directory stores a variety of information
 User data
 Authentication and access rights
 User profiles
 Infrastructure data
 Static/start-up configuration for devices (e.g.,
routers, switches)
 Server information (e.g., name server)
 Policies
 Conditions, actions, policy rules
Architecture Components
Policy Management Console
 Policies express business rules
 Discipline-specific, perhaps even device-specific
 QoS policies, remote access policies, IP security
policies, firewall policies, etc.
 Policy console
 Provides an abstraction of rules to create policies
 Used to define and edit policies
 Validates policies
 When appropriate, the policy UI is unified with the
UI that manages the entities that are the subjects
of the policy (e.g., users, computers, devices)
Architecture Components
Policy Decision Point
 PDP generally takes the form of policy servers
 Makes policy selection, gets policy from directory
 Makes policy decisions
 Detects and resolves policy conflicts
 Distributes policy actions based on its decision to
enforcement points



Access/deny
Traffic shaping parameters for a QoS policy
Address filters for a firewall policy
 May propagate policies to other servers
 Monitors usage and effectiveness of policy
enforcement
Architecture Components
Policy Enforcement Point
 Network node in the direct path of traffic
flow (router, switch, remote access
server, firewall)
 Policy enforcement point
 Requests policy-based decisions
 Optionally caches policy decisions for
future use
 Processes traffic per policy decision
 Relays events to policy decision point
Architecture Variations
Two-tiered Architecture
Policy
Repository
LDAP
Directory
LDAP
Packets in
Packets out
Policy Decision Point &
Policy Enforcement Point
Policy
Management
Console
Architecture Variations
Two-tiered Architecture
 Device considerations
 Requires smarter network devices (LDAP enabled)
 Direct LDAP interactions with directory
 Firewall/security
 LDAP typically not allowed across firewall
 Need for encryption on some attributes can force
large number of SSL/TLS connections
 Global knowledge
 Lacks global view of network state to make
decisions like simultaneous usage control
 Loading
 Increased directory load
 Faster decision making and traffic processing
Architecture Variations
Three-tiered Architecture
Policy
Repository
LDAP
Directory
LDAP
Policy
Server
COPS
Packets in
Packets out
Policy Enforcement Point
Policy
Management
Console
Architecture Variations
Three-tiered Architecture
 Device considerations
 Network devices can be simple
 Devices can be schema independent
 Firewall/security
 Servers typically in data center, can be secured
 Existing PEP-PDP protocols are “firewall friendly”
(DHCP, RADIUS, COPS)
 Global knowledge
 Has global view of network state to make decisions
like simultaneous usage control
 Loading
 Lower directory load – less servers than devices
 Slower remoted decision making
Architecture
Additional Considerations
 Policy distribution protocols (SNMP, COPS,
RADIUS)
 Support for legacy devices
 Use policy proxy to translate policy actions for
legacy devices
 End-host participation
 Dynamic state information
 Need data store for volatile information
 Missing LDAP features
 Change notification
 Multiple-object transactions
Active Directory
Data and Policy Store
 Salient features:
 LDAP v3: for interoperability
 Tightly integrated security (Kerberos)
 DNS: backbone, integrated
 Hierarchical namespace
 Multi-master replication and updates
 Dynamically extensible schema
 Global Catalog for efficient search
 Directory synch services
 Scale: millions of objects
 Programming and scripting API (ADSI)
Microsoft Active Directory
Windows Users
• Account info
• Privileges
• Profiles
• Policy
Other
Directories
• White pages
• E-Commerce
Other NOS
• User registry
• Security
• Policy
E-Mail Servers
• Mailbox info
• Address book
Active
Directory
Windows Clients
• Mgmt profile
• Network info
• Policy
Windows Servers
• Mgmt profile
• Network info
• Services
• Printers
• File shares
• Policy
Network Devices
• Configuration
• QoS policy
• Security policy
Management
Focal Point For:
• Users & resources
• Security
• Delegation
• Policy
Applications
• Server config
• Single Sign-On
• App-specific
directory info
• Policy
Internet
Firewall Services
• Configuration
• Security Policy
• VPN policy
Group Policy
Policy Decision Point
 Group Policy
 Extensible policy framework to apply policy to
groups of computers/users
 Policies stored in Group Policy Object (GPO) in
Active Directory
 GPO can be bound to AD containers: Sites,
Domains, OUs


Inheritance order: S,D,OU
Scope further filtered by security groups
 APIs for services to invoke policy selection
process (GetGPOList)
 Can be used to push device configurations
from Active Directory
Policy Enforcement Point
 Alternatives
 Host network gear on Windows 2000 when
possible to take advantage of full platform
functionality
 PBX devices, VoIP gateway/gatekeeper
 Use embedded Windows 2000 as control
OS on devices if possible
 Implement secure LDAP client in device
OS starting from Open Source version
Summary
 DEN specification from the DMTF is not
yet final – standards are a lengthy and
laborious process
 Active Directory services are available
and can be leveraged for addressing
network management needs today
 Compelling value proposition for endcustomers – manageability and reduced
TCO of network infrastructures
 Enterprises are planning for deployment
of directory-enabled networks. Integrate
with Active Directory services now!
Related documents
FoxFiles: Getting Started What is FoxFiles?
FoxFiles: Getting Started What is FoxFiles?
Regulatory statistics and information
Regulatory statistics and information
Operating Systems (OS)
Operating Systems (OS)
Components of an operating system
Components of an operating system
OPERATING SYSTEM FUNCTIONS
OPERATING SYSTEM FUNCTIONS
What is LDAP (Lightweight Directory Access Protocol
What is LDAP (Lightweight Directory Access Protocol
CUSTOMER_CODE SMUDE DIVISION_CODE SMUDE
CUSTOMER_CODE SMUDE DIVISION_CODE SMUDE
MS Word version
MS Word version
LDAP- Lightweight Directory Access Protocol
LDAP- Lightweight Directory Access Protocol
Linux - the most important … Linux: SHELL ~$ command –options
Linux - the most important … Linux: SHELL ~$ command –options
File System Interface
File System Interface
Naming
Naming