Wikipedia

Policy-based management

Policy-based management[1][2][3] is a technology that can simplify the complex task of managing networks and distributed systems. Under this paradigm, an administrator can manage different aspects of a network or distributed system in a flexible and simplified manner by deploying a set of policies that govern its behaviour.[4][5] Policies are technology-independent rules that aim to enhance the hard-coded functionality of managed devices by introducing interpreted logic that can be changed dynamically without modifying the underlying implementation. This allows for a certain degree of programmability without the need to interrupt the operation of either the managed system or the management system itself. Policy-based management can significantly increase the self-managing aspects of any distributed system or network, leading to the more autonomic behaviour demonstrated by autonomic computing systems.[6][7]

Frameworks and languages

The best-known policy-based management architecture was specified jointly by the IETF and the DMTF. It consists of four main functional elements: the Policy Management Tool (PMT), the Policy Repository, the Policy Decision Point (PDP), and the Policy Enforcement Point (PEP).

The PMT is used by an administrator to define or update the policies to be enforced in the managed network. The resulting policies are stored in a repository in a form that must correspond to an information model[8] so as to ensure interoperability across products from different vendors. When new policies have been added to the repository, or existing ones have been changed, the PMT notifies the relevant PDP, which in turn interprets the policies and communicates them to the PEP. The PEP is a component that runs on a policy-aware node and can execute (enforce) the different policies. The components of the architecture can communicate with each other using a variety of protocols. The preferred choice for communicating policy decisions between a PDP and network devices (PEPs) is the Common Open Policy Service (COPS) or SNMP, while LDAP is preferred for PMT/PDP–repository communication.

The simplest approach to policy specification is a sequence of rules, in which each rule takes the form of a simple condition-action pair. The IETF policy framework adopts this approach and considers policies as rules that specify actions to be performed in response to defined conditions:

 if <condition(s)> then <action(s)> 

The conditional part of the rule can be a simple or compound expression specified in either conjunctive or disjunctive normal form. The action part of the rule can be a set of actions that must be executed when the conditions are true. The IETF does not define a specific language to express network policies but rather a generic object-oriented information model for representing policy information. This model is a generic one, specifying the structure of abstract policy classes by means of association, thus allowing vendors to implement their own set of conditions and actions to be used by the policy rules.

Policy conflicts

As with any programmable system, a policy-driven one can suffer from inconsistencies incurred by contradicting rules governing its behaviour. These are known as policy conflicts[9] and come about as a result of specification errors, omissions, or contradictory management operations and, in some cases, can have catastrophic effects on the operation of the managed system. They have also been described as being analogous to software bugs[10] that occur when two or more policies are activated simultaneously enforcing contradictory management operations on the system.

Classification of policy conflicts

Policy conflicts are broadly classified into domain-independent and application-specific,[11] where the former, as the name suggests, are independent of the policy application, and the latter are bound by the constraints of the application domain. Example application domains that have been considered in the literature include quality of service (QoS) in IP networks,[9][12] distributed systems,[11][13] firewall security,[14][15][16] and call control in telecommunication networks.[17] Policy conflicts can also be classified according to the time-frame at which they can be detected: static conflicts[18] can be detected through off-line analysis at policy specification time, whereas dynamic conflicts[19] can only be detected when policies are enforced, as they depend on the current state of the managed system. For example, conflicts can occur between policies for dynamically allocating resources and those setting quotas for users or classes of service. As such, automation should be a key aspect of dynamic analysis mechanisms so that the operational impact of a conflict can be kept to a minimum.

Detection and resolution of policy conflicts

To use policies effectively and drive the functionality of a managed system in a consistent manner, it is necessary to check that newly created policies do not conflict with each other or with policies already deployed in the system. To achieve this, detection processes utilise information regarding the conditions under which conflicts can arise to search policy spaces and identify policies that meet the conflict criteria. Based on the types of conflicts identified in the literature and the different application domains in which they occur, research has concentrated on the development of mechanisms and techniques for their effective detection. Although simple conflicts (e.g. modality conflicts) can be detected by syntactic analysis, more specialised inconsistencies require a precise definition of the conditions for a conflict, which sometimes include domain-specific knowledge, and processes that utilise such information to signal the occurrence of a conflict. Popular approaches for the detection of conflicts have been based on: meta-policies (detection rules),[9][11][20] policy relationships,[14][15][16] applicability spaces,[21] and information models.[22]

Resolution is the latter part of policy analysis, which aims at handling detected inconsistencies, preferably in an automated manner, so that consistency among policies can be restored. The process of resolving conflicts may involve retracting, suppressing, prioritising, or amending policies, and in some cases, enforcing a new policy altogether. The methodology for doing so depends heavily on the type of policies involved and the domain in which conflicts occur. Although human intervention is unavoidable in some situations, several research efforts have focussed on techniques to automate the resolution process where possible. Popular approaches for the resolution of conflicts have been based on: meta-policies (resolution rules),[9][19][20] precedence,[11] policy ordering,[15][21] and conflict prevention.[23]

The time-frame at which conflicts can be detected influences the analysis methodology and requirements for dealing with them. Static conflicts are typically detected through analysis initiated manually by the system administrator; conflicts represent inconsistencies between policies and are typically resolved by amending the policies.[9][18] In contrast, run-time conflicts must be detected by a process that monitors policy enforcement and detects inconsistent situations in the system’s execution. Resolution must be achieved automatically, for example through enforcing resolution rules.[9][19] Lack of automation in the handling of run-time conflicts may have catastrophic consequences on the correct system operation, especially when managing QoS for delay sensitive applications.
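
The following is an added example, not part of the original article and not the IETF/DMTF information model: it models the if <condition(s)> then <action(s)> rule form described under Frameworks and languages, runs a static check for modality conflicts, and resolves them by precedence as discussed in this section. The attribute names, the permit/deny action vocabulary, the "lower number wins" priority convention and the sample rules are assumptions made for illustration.

```python
"""Static modality-conflict detection and precedence-based resolution for
condition-action rules. Illustrative model with constructed sample data."""
from dataclasses import dataclass
from itertools import combinations

CONTRADICTORY = {frozenset({"permit", "deny"})}  # assumed action vocabulary


@dataclass
class Rule:
    name: str
    priority: int     # assumption: lower number = higher precedence
    conditions: dict  # attribute -> frozenset of values, or (lo, hi) closed interval
    action: str       # conjunction of all conditions triggers this action


def _overlaps(a, b):
    """Two constraints on one attribute share a value (same type assumed)."""
    if isinstance(a, tuple):
        return max(a[0], b[0]) <= min(a[1], b[1])
    return bool(a & b)


def _contains(a, b):
    """Constraint a admits every value that constraint b admits."""
    if isinstance(a, tuple):
        return a[0] <= b[0] and b[1] <= a[1]
    return b <= a


def spaces_overlap(r1, r2):
    """Both conjunctions can be true at once. An attribute that a rule does
    not mention is a wildcard, so only shared attributes can separate them."""
    shared = r1.conditions.keys() & r2.conditions.keys()
    return all(_overlaps(r1.conditions[k], r2.conditions[k]) for k in shared)


def subsumes(outer, inner):
    """Every request matching `inner` also matches `outer`."""
    return all(k in inner.conditions and _contains(c, inner.conditions[k])
               for k, c in outer.conditions.items())


def detect_conflicts(rules):
    """Specification-time analysis: rule pairs with contradictory actions
    whose conditions can hold simultaneously, with the precedence outcome."""
    found = []
    for a, b in combinations(rules, 2):
        if frozenset({a.action, b.action}) not in CONTRADICTORY:
            continue
        if not spaces_overlap(a, b):
            continue
        winner, loser = sorted((a, b), key=lambda r: r.priority)
        if winner.priority == loser.priority:
            kind = "unresolved"            # precedence cannot pick a winner
        elif subsumes(winner, loser):
            kind = "fully-overridden"      # loser can never take effect
        else:
            kind = "partially-overridden"  # loser applies outside the overlap
        found.append((winner.name, loser.name, kind))
    return found


def matches(rule, request):
    """Evaluate the rule's conjunctive condition against one request."""
    for attr, c in rule.conditions.items():
        v = request.get(attr)
        if v is None:
            return False
        if not (c[0] <= v <= c[1] if isinstance(c, tuple) else v in c):
            return False
    return True


def decide(rules, request, default="deny"):
    """Decision step: the highest-precedence matching rule decides."""
    hits = sorted((r for r in rules if matches(r, request)),
                  key=lambda r: r.priority)
    return (hits[0].action, hits[0].name) if hits else (default, None)


TCP = frozenset({"tcp"})
# Constructed sample policy set (not from the article).
RULES = [
    Rule("block-telnet", 10, {"proto": TCP, "dport": (23, 23)}, "deny"),
    Rule("allow-admin-net", 20, {"src_zone": frozenset({"admin"}),
                                 "proto": TCP, "dport": (22, 23)}, "permit"),
    Rule("allow-telnet-lab", 30, {"src_zone": frozenset({"lab"}),
                                  "proto": TCP, "dport": (23, 23)}, "permit"),
    Rule("allow-web", 40, {"proto": TCP, "dport": (80, 443)}, "permit"),
]

if __name__ == "__main__":
    for winner, loser, kind in detect_conflicts(RULES):
        print(f"{loser} conflicts with {winner}: {kind}")
```

A rule reported as fully-overridden never takes effect and is a candidate for retraction or amendment, while an unresolved pair needs an explicit resolution rule or administrator intervention.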

Policy refinement

Ideally, a policy-based management system should facilitate the definition of high-level administrative goals, which are easy for humans to express and understand, enable their translation into low-level policies and map them into commands that configure the managed devices accordingly. While the high-level goals reflect the business objectives of the network administrator, the low-level policies are responsible for device-level configurations.

Policy refinement is the process of transforming a high-level goal or abstract policy specification into low-level, concrete policies that can be enforced on the managed system. The main tasks of the refinement process are the following:

  • Determine the resources that are needed to satisfy the requirements of the policy
  • Translate high-level goals into operational policies that the system can enforce
  • Verify that the low-level policies actually meet the requirements specified by the high-level goal

Several policy refinement approaches have been developed. The most notable ones are based on linear temporal logic,[24] event calculus,[25] and utility computing.[26][27]

References

  1. R. Boutaba and S. Znaty. Towards Integrated Network Management: A Domain/Policy Approach and its Application to a High Speed Multi-Network. In Proceedings of IEEE/IFIP International Symposium on Network Operation and Management (NOMS'94), pp. 777-789, February 1994.
  2. M.S. Sloman, "Policy Driven Management for Distributed Systems," Journal of Network and Systems Management, Vol. 2, No. 4, pp. 333-360, Plenum Press, December 1994.
  3. R. Boutaba and I. Aib. Policy-Based Management: A Historical Perspective. Journal of Network and Systems Management. Vol. 15, No. 4, pp. 447-480, Springer, December 2007.
  4. R. Boutaba and S. Znaty. An Architectural Approach for Integrated Networks and Systems Management. ACM SIGCOMM Computer Communication Review, Vol. 25, No. 5, pp. 13-39, 1995.
  5. D. Verma, "Simplifying network administration using policy-based management", IEEE Network 2002.
  6. R. Boutaba, S. Omari and A. Virk. SELFCON: An Architecture for Self-Configuration of Networks. KICS/IEEE International Journal of Communications and Networks (special issue on Management of New Networking Infrastructure and Services), Vol. 3, No. 4, pp. 317-323, December 2001.
  7. D. Agrawal, S. Calo, K. Lee, J. Lobo, D. Verma, "Policy Technologies for Self Managing Systems", IBM Press, 2008.
  8. B. Moore, E. Ellesson, J. Strassner, A. Westerinen, “Policy Core Information Model,” RFC 3060, IETF, February 2001.
  9. M. Charalambides, P. Flegkas, G. Pavlou, J.R. Loyola, A.K. Bandara, E.C. Lupu, M.S. Sloman, A. Russo, N. Dulay, “Policy Conflict Analysis for DiffServ Quality of Service Management,” IEEE Transactions on Network and Service Management, Vol. 6, No. 1, March 2009.
  10. J. Strassner, “Policy-Based Network Management,” Morgan Kaufmann Publishers, ISBN 1-55860-859-1, 2004.
  11. E.C. Lupu, M.S. Sloman, “Conflicts in Policy-based Distributed Systems Management,” IEEE Transactions on Software Engineering - Special Issue on Inconsistency Management, Vol. 25, pp. 852-869, 1999.
  12. T. Samak, E. Al-Shaer, H. Li, “QoS Policy Modeling and Conflict Analysis,” proceedings of IEEE Workshop on Policies for Networks and Distributed Systems, New York, USA, June 2008.
  13. A.K. Bandara, E.C. Lupu, A. Russo, “Using Event Calculus to Formalise Policy Specification and Analysis,” proceedings of IEEE Workshop on Policies for Distributed Systems and Networks, Lake Como, Italy, June 2003.
  14. E. Al-Shaer, H. Hamed, “Discovery of Policy Anomalies in Distributed Firewalls,” proceedings of IEEE Communications Society Conference, Hong Kong, March 2004.
  15. E. Al-Shaer, H. Hamed, “Modeling and Management of Firewall Policies,” IEEE Transactions on Network and Service Management, Vol. 1, No. 1, April 2004.
  16. E. Al-Shaer, H. Hamed, R. Boutaba, M. Hasan. Conflict Classification and Analysis of Distributed Firewall Policies. IEEE Journal on Selected Areas in Communications, Volume 23, No. 10, pp. 2069-2084, October 2005.
  17. L. Blair, K. Turner, “Handling Policy Conflicts in Call Control,” proceedings of International Conference on Feature Interaction, Leicester, UK, June 2005.
  18. M. Charalambides, P. Flegkas, G. Pavlou, A.K. Bandara, E.C. Lupu, M.S. Sloman, A. Russo, N. Dulay, J.R. Loyola, “Policy Conflict Analysis for Quality of Service Management,” proceedings of IEEE Workshop on Policies for Distributed Systems and Networks, Stockholm, Sweden, June 2005.
  19. M. Charalambides, P. Flegkas, G. Pavlou, J.R. Loyola, A.K. Bandara, E.C. Lupu, M.S. Sloman, A. Russo, N. Dulay, “Dynamic Policy Analysis and Conflict Resolution for DiffServ Quality of Service Management,” proceedings of IEEE/IFIP Network Operations and Management Symposium, Vancouver, Canada, April 2006.
  20. A. Polyrakis and R. Boutaba. The Meta-Policy Information Base. IEEE Network, special issue on Policy-Based Networks, Vol. 16, No. 2, pp. 40-48, 2002.
  21. D. Agrawal, J. Giles, K.W. Lee, J. Lobo, “Policy Ratification,” proceedings of IEEE Workshop on Policies for Networks and Distributed Systems, Stockholm, Sweden, June 2005.
  22. S. Davy, B. Jennings, J. Strassner, “Application Domain Independent Policy Conflict Analysis Using Information Models,” proceedings of IEEE/IFIP Network Operations and Management Symposium, Bahia, Brazil, April 2008.
  23. R. Chadha, Y. Cheng, J. Chiang, G. Levin, S.W. Li, A. Poylisher, L. LaVergne, S. Newman, “Scalable Policy Management for Ad Hoc Networks,” proceedings of Military Communications Conference, New Jersey, USA, October 2005.
  24. J.R. Loyola, J. Serrat, M. Charalambides, P. Flegkas, G. Pavlou, “A Methodological Approach toward the Refinement Problem in Policy-Based Management Systems,” IEEE Communications Magazine, Topics in Network and Service Management, Vol. 44, No. 10, October 2006.
  25. A.K. Bandara, E.C. Lupu, A. Russo, N. Dulay, M. Sloman, P. Flegkas, M. Charalambides, G. Pavlou, “Policy Refinement for IP Differentiated Services Quality of Service Management,” IEEE Transactions on Network and Service Management (TNSM), Vol. 2, No. 2, 2006.
  26. I. Aib and R. Boutaba. Business-driven optimization of Policy Based Management Solutions; A Web Application Hosting SLA Use Case. In Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management (IM'2007), Munich (Germany), May 2007.
  27. I. Aib and R. Boutaba. On leveraging policy-based management for maximizing business profit. In IEEE Transactions on Network and Service Management. Vol. 4, No. 3, pp. 163-176, December 2007.
