Novell's Networking Primer
Businesses rely heavily on their computer networks to provide high productivity and to perform many services essential to making a profit. When their networks go down, it usually costs them in loss of productivity and performance, and the larger the company, the greater the loss. For some global companies, network downtime is so critical that it can mean millions of dollars of profit loss for each downtime hour and even, in some cases, for each downtime minute. Hence, it is something of an understatement to say that good network management is important to modern businesses, no matter how large or small their networks.
To appreciate what it means to manage a network, you need to understand that networks, regardless of size, are almost always in a state of growth and change. You must accept that eventually all network components will fail. You must also accept that users can and will make mistakes that damage workstation configurations and server files, and that workstations, printers, and servers will need to be added or removed. In addition, new applications will be added, existing applications will be upgraded, bandwidth requirements will increase, and networking technology itself will change, requiring you to phase out chunks, segments, and sometimes even the whole of the old networking technology.
Most literature on network management will list five key areas for network managers to focus on, as recommended by ISO:
- Fault management
- Configuration management
- Performance management
- Accounting management
- Security management
Fault management involves quickly identifying network problems and taking steps to isolate them. This includes the proper notification of responsible parties when network components fail. For instance, with the right equipment you can set up your network to send you a pager notice when a network problem occurs. You can even have the system display specific codes on your pager that identify the server or other network component involved.
Configuration management involves changing network and user configurations in order to optimize network performance and productivity. This is closely tied to fault management, which often employs the technique of changing configurations to isolate network faults.
Performance management involves tracking important network occurrences such as processor and RAM usage levels, disk access requests, usage of specific programs, and data packets being sent and delivered across the network. This data is then used to project future network upgrade requirements as well as to troubleshoot network performance problems.
Accounting management means tracking and billing network users for the software and other services that they use. This has become a serious issue, with some companies being taken to court and paying fines for not having purchased enough software licenses for the number of users actually using the software.
Security management involves protecting your network from unauthorized access to critical business data or system resources. Safeguards must be installed to ensure the integrity of your network. This issue becomes even more complex when you connect your network to the Internet. Without some sort of security your network and all of its data and resources are vulnerable to unauthorized access. Because of the widespread use of computer networks and the increased dependence of most businesses on their networks, network security issues have become paramount. Network management solutions are incorporating a broad range of security features to further ensure the security of computer networks.
Network security technologies can be roughly divided into two categories: those that protect against unauthorized access from within (employees or other recognized network users) and those that protect against access from without (hackers, unauthorized Internet intrusions, viruses). Authentication is the most common security measure used to protect networks against access to sensitive information from within. Authentication involves the use of user passwords and rights. When you join a network you are given a password that allows you to log on to the network. In addition, you are assigned rights to specific network resources. If you are not given specific rights to a restricted resource, you are not allowed to access the resource.
As the need for higher levels of network security increases, new developments are being made that augment this authentication process. Now there are small, handheld authentication devices, such as ActivCards and Tokens, that act as "password generators" for restricted-access networks. When you wish to access the network, you must enter a personal identification number into the authentication device (which you keep with you at all times). The device will then generate a random, single-usage password that will allow access to the network. This method prevents someone from learning your password and then using it to access your terminal while you are absent.
If your network is connected to the Internet or an extranet, additional measures are required to secure it against virus infections and highly skilled computer hackers. Virus protection software is crucial to network security. These software programs scan all data entering your network from any outside source for known viruses and warn you of any viruses encountered, so that you can avoid corrupting your network software. Updates for virus software are made available through the vendor, usually on a subscription basis. These updates ensure that your virus software will be able to identify new viruses as they are discovered.
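The primer does not say how these handheld devices derive their single-use passwords. The following added example (not from the primer or from any Novell product) assumes the counter-based scheme standardized as HOTP in RFC 4226: the device and the network share a secret, each password is derived from that secret and a counter, and the network refuses any counter it has already accepted, which is what makes a captured password worthless afterwards. The class and function names, the PIN handling and the look-ahead window are all my own choices for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


class TokenDevice:
    """The handheld authenticator (hypothetical model): it unlocks with the owner's PIN
    and then emits the next password in the sequence. The shared secret never leaves it."""

    def __init__(self, secret, pin):
        self._secret = secret
        self._pin_digest = hashlib.sha256(pin.encode()).digest()
        self._counter = 0

    def next_password(self, pin):
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_digest):
            raise PermissionError("wrong PIN")
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


class OtpVerifier:
    """The network side (hypothetical model): holds the same secret, remembers the last
    counter it accepted, and looks a few steps ahead in case passwords were generated
    but never submitted. Accepting a counter spends it and every counter before it,
    so a password captured from an earlier login can never be replayed."""

    def __init__(self, secret, window=3):
        self._secret = secret
        self._counter = 0
        self._window = window

    def verify(self, code):
        for c in range(self._counter, self._counter + self._window):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._counter = c + 1
                return True
        return False
```

The secret `b"12345678901234567890"` used in the checks is the RFC 4226 test-vector key, so the first password it produces is `755224`; in a deployment the secret is a per-device random value. The look-ahead window is a trade-off: large enough that a user who pressed the button a few times without logging in is not locked out, small enough that the verifier is not accepting a wide range of valid codes at once.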
Protection against unauthorized access from outside your network is usually provided through some sort of firewall service. Firewalls are either computers or routers that are set up to provide a secured "doorway" through which you can access the Internet and Internet users can access your Web data.
Firewall services can be configured to meet specific security needs. They can be set up to screen Internet users trying to access your network, and to allow only certain authorized employees to access the Internet from within your network. In addition, many firewalls now feature remote authorization for employees using a remote (off-site) Internet connection to access restricted network resources. Other non-Internet applications for firewall services include protecting mainframes or subnetworks from general access within an organization and ensuring confidentiality of data transmitted across networks.
All of these aspects of network management are crucial to the continued success of your network. Managing these aspects, however, is a daunting task that becomes more difficult as your network grows and evolves. Luckily, the computer industry is aware of the importance of network management and is constantly developing new products to assist in management tasks. The most important of these recent developments is directory services. The following section explains directory services and how they are revolutionizing the complex task of computer network management.
As networks increase in size and diversity and become more complex, the administration of these networks becomes increasingly difficult. Our modern network environments often include a variety of hardware and software. Users often require multiple passwords and varying levels of access and authority—all of which must be entered in several locations across the network. And if any change occurs in the user's status, this information must again be modified at each of these locations. Heterogeneous environments, Internet access, and the security issues involved with each further compound the problem.
A solution for this increasingly difficult task of network and information management can be found in directory services. Directory services provide you with the capabilities to manage your entire network—regardless of size, operating system, or complexity—from a single location. With directory services, user information is entered once and then automatically applied across the entire network. E-mail addresses, group memberships, access rights, and heterogeneous operating system accounts are created automatically. Likewise, any changes to user or resource information are automatically updated throughout the network. Administrators no longer need worry about the security issues involved with the termination of employees. Once the user's profile is removed, all related access and authority is immediately revoked.
Currently, most directory services are based on the X.500 directory standard and, more specifically, Lightweight Directory Access Protocol (LDAP), the protocol used to access directory information. Due to its extensive use in TCP/IP-based networks, LDAP is rapidly becoming the standard for directory service access and directory-enabled applications.
Directories are similar to databases in that they organize information into records and fields. Below is a table from a sample database:
UserID | Last Name | First Name | Password | Telephone | Cubicle | Title
In this table each row constitutes a record and each column is a field. A relational database would consist of two or more such tables in which the field of one table would correspond to the field of another. For example, the "cubicle" field in the above table might correspond to the cubicle field in another table with fields such as "size," "floor," "workstation type," and "printer type." (This second table would keep track of cubicle location, dimensions, the equipment each contains, etc.) Relational databases work well for organizing complex data relationships, but the directory can go one step further: it can organize information into a hierarchy.
Consider the fictional company, Networking, Inc. It has offices in four locations: Tokyo, New York City, Albany, N.Y., and London. Each location houses different departments; for example, Sales and Marketing are in the Albany office and Testing and Production are in the London office. Networking, Inc. has organized its network directory according to the company hierarchy shown in Figure 44.
Figure 44: Hierarchical organization of a fictional company
In the directory the network is depicted as a series of "objects," which are virtual representations of network components and organizational elements.
Figure 45: The directory tree
The above diagram shows a directory "tree," so called because the hierarchical organization resembles an upside-down tree with the "root" object at the top and the branches extending downward. The object labelled "Networking_Inc" is an organization object, and the rest of the icons represent "organizational units" (OUs). The root, organization, and OU objects are all "container objects," meaning that they can hold other objects. In the above example, the root object holds all the other objects, and the New York object holds the Albany and NYC objects and all their departmental OU objects. Each of these container objects may contain other objects that represent other containers, servers, volumes, applications, users, printers, or other network components. Objects that cannot contain other objects, such as printers or users, are called "leaf" objects.
The advantage of using container objects is that the changes you make to the container will affect all the objects in the container. For example, if you wanted to establish a server policy for all the servers in New York, you could assign the policy to the New_York OU and the policy would automatically "flow down" to all the servers contained in that OU. This eliminates having to assign the policy to each server individually. If you did not want a particular server to be affected by those changes you could select that server's object and designate it an exception.
Objects in the directory are comparable to records in a database, and the fields are called, collectively, the "schema." Because the nature of each object is different, the schema for each object type is different. For example, a printer object could contain fields in its schema for its make, model, speed, resolution, and IP address. A user object's schema could contain the fields in the example database table and many others. When fields can be added to a schema as needed, it is called an "extensible schema."
In a hierarchically organized directory, the name of each object shows where it fits in the hierarchy. For example, if the employee named Ignacio Lopez works in Sales, his directory "name space" would be lopezi.Sales.Albany.New_York.Networking_Inc. Likewise, the name space for Trace Beaulieu in Design would be beauliet.Design.Tokyo.Networking_Inc. Every object in the directory has one of these hierarchical name spaces.
The opposite of a hierarchical name space is the "flat" name space, which would be the user name only: lopezi or beauliet. In such a case, there could not be another lopezi or beauliet in the entire directory; each user name would have to be unique. This presents a problem if, for example, there are several HP LaserJet5si printers on the network. But with a hierarchical name space there is no problem. By including the full "context" in each name space, the directory can easily recognize the difference between hplj5si.Engineering.Tokyo.Networking_Inc and hplj5si.HR.NYC.New_York.Networking_Inc.
Security and Authentication
A primary function of the directory is to manage authentication and network security. A typical network consists of components that need to be available to all users as well as those that should be available only to a few. For example, everyone may need access to a particular printer, but the payroll application should be accessible only to authorized users. Without directory-enabled authentication, access to each restricted component would require a separate password. In such a case, you would be forced to remember a different password for each restricted-access application, server, or other component, which would result in a network administrator's nightmare: constant calls for help when a password is forgotten, or worse, passwords taped onto monitors for all to see.
Directories solve this problem by providing "single sign-on." You log on to the network once with one password, and access to network components is controlled with information in the components' schema. For example, the schema for a server in Human Resources (HR) might indicate that only users in the Human Resources OU have the right to access it. If Marcia Whitehead in Production tries to log on to the HR server, the directory checks the server's schema to see if she is included in its access control list (ACL). Because no one in Production has rights, she is denied access. The ACL is similar to a bouncer guarding the entrance to an exclusive club: if your name is not on his clipboard, you don't get in.
Directories allow access rights to be assigned on a large scale or on a very small scale. For example, if network administrators want to grant everyone in the company rights to print on a particular printer, they can drag the printer's object onto the Networking_Inc object and set the rights in one easy step. Also, they can assign rights with an extremely fine degree of granularity, such as determining that while a half-dozen users can see the contents of the personnel database, only one user can alter them.
This method of granting access rights makes for powerful security: if unauthorized users try to access the payroll application, for example, the directory will prevent them from doing so because such rights would not be listed in the application's ACL. They would also not have the ability to alter their access rights, making it next to impossible for them to access anything they should not.
An additional advantage of using a directory for authentication is that because the login information is stored centrally in the directory, you can log on to the network from any workstation on the network. With proper configuration, you can even log on through the Internet, which is extremely useful when you are away from your office.
Directories also form the basis for improved network management. Just as access rights can be granted with a fine degree of control, administrative rights can also be granted on any scale. If Bonnie May needs control over every aspect of the network, her icon is dragged onto the root object and rights are granted (by someone else with similar rights). If network administrators do not have time to make changes to telephone numbers and addresses, they can grant rights to alter only those fields to one or more administrative assistants.
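The tree, name space, flow-down and ACL behaviour described in this and the preceding sections (container and leaf objects, hierarchical names such as lopezi.Sales.Albany.New_York.Networking_Inc, policies that flow down to a container's contents with per-object exceptions, OU-based access to the HR server, company-wide print rights, supervisor rights at the root, and field-level delegation to an assistant) can be modelled in a few dozen lines. The following is an added example written for this page; it is not NDS code and does not reproduce NDS's real object classes, rights names or ACL format. The class and function names, the rights names (`read`, `write`, `print`, `supervisor`), the `backup` policy, the server names and the user `assist` are all constructed for illustration; the users, OUs and printers come from the primer's own fictional company.

```python
from dataclasses import dataclass, field
from typing import Optional

CONTAINER_TYPES = {"Root", "Organization", "OU"}  # object classes that may hold other objects


@dataclass
class DirObject:
    name: str
    obj_type: str
    parent: Optional["DirObject"] = None
    attrs: dict = field(default_factory=dict)   # schema fields (telephone, salary, ...)
    policy: dict = field(default_factory=dict)  # settings that flow down to subordinates
    acl: list = field(default_factory=list)     # (trustee name space, field, rights)
    exception: bool = False                     # opt out of policies inherited from above
    children: dict = field(default_factory=dict)

    def add(self, child):
        if self.obj_type not in CONTAINER_TYPES:
            raise TypeError(f"{self.name} is a leaf object and cannot contain {child.name}")
        child.parent = self
        self.children[child.name] = child
        return child

    def chain(self):
        """This object, its container, and so on up to the root."""
        node = self
        while node is not None:
            yield node
            node = node.parent

    def name_space(self):
        """Leaf-first hierarchical name with the root omitted."""
        return ".".join(o.name for o in self.chain() if o.parent is not None)

    def grant(self, trustee, rights, fields=("*",)):
        """Add a trustee to this object's ACL; field '*' covers every field."""
        for f in fields:
            self.acl.append((trustee.name_space(), f, frozenset(rights)))


def effective_policy(obj, key):
    """A policy set on a container flows down to everything inside it,
    unless the subordinate object has been designated an exception."""
    if obj.exception:
        return obj.policy.get(key)
    for node in obj.chain():
        if key in node.policy:
            return node.policy[key]
    return None


def effective_rights(user, target, field_name="*"):
    """Union of ACL entries on the target and every container above it whose
    trustee is the user or a container the user sits in. No entry means no access."""
    contexts = {o.name_space() for o in user.chain() if o.parent is not None}
    rights = set()
    for node in target.chain():
        for trustee, f, r in node.acl:
            if trustee in contexts and f in ("*", field_name):
                rights |= r
    return rights


def build_networking_inc():
    """The primer's fictional Networking, Inc. tree (constructed sample data)."""
    def ou(parent, name):
        return parent.add(DirObject(name, "OU"))
    root = DirObject("[Root]", "Root")
    org = root.add(DirObject("Networking_Inc", "Organization"))
    tokyo, ny, london = ou(org, "Tokyo"), ou(org, "New_York"), ou(org, "London")
    albany, nyc = ou(ny, "Albany"), ou(ny, "NYC")
    sales, marketing, hr = ou(albany, "Sales"), ou(albany, "Marketing"), ou(nyc, "HR")
    engineering, design = ou(tokyo, "Engineering"), ou(tokyo, "Design")
    production = ou(london, "Production")
    ou(london, "Testing")
    d = {
        "root": root,
        "lopezi": sales.add(DirObject("lopezi", "User", attrs={"telephone": "x4101"})),
        "beauliet": design.add(DirObject("beauliet", "User")),
        "whitehem": production.add(DirObject("whitehem", "User")),  # Marcia Whitehead
        "mayb": marketing.add(DirObject("mayb", "User")),           # Bonnie May
        "assist": hr.add(DirObject("assist", "User")),              # administrative assistant
        "hr_srv": hr.add(DirObject("hr_srv", "Server")),
        "nyc_fs1": nyc.add(DirObject("nyc_fs1", "Server")),
        "albany_fs1": albany.add(DirObject("albany_fs1", "Server", exception=True,
                                           policy={"backup": "weekly"})),
        "hplj5si_tokyo": engineering.add(DirObject("hplj5si", "Printer")),
        "hplj5si_nyc": hr.add(DirObject("hplj5si", "Printer")),
    }
    ny.policy["backup"] = "nightly"                           # one policy for every New York server
    d["hr_srv"].grant(hr, {"read", "write"})                  # only the HR OU may use the HR server
    d["hplj5si_nyc"].grant(org, {"print"})                    # everyone in the company may print
    root.grant(d["mayb"], {"supervisor"})                     # Bonnie May controls the whole tree
    org.grant(d["assist"], {"write"}, fields=("telephone",))  # assistant edits phone numbers only
    return d
```

Two points the code makes explicit: the two `hplj5si` printers are distinct objects because their full contexts differ, and Marcia Whitehead is refused on the HR server not because a "deny" rule exists but because no entry on the server or on any container above it names her or any container she sits in. Rights are also checked against the target and its ancestors only, so a user cannot widen their own access by editing an ACL they have no rights to.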
Principal among the advantages of using a directory to manage a network is that administrative control can be centralized. With directory-enabled management tools such as Novell's NetWare Administrator or ConsoleOne, network administrators can see and manage the entire network from one location. Instead of hiring four full complements of network administrators for each office, for example, Networking, Inc. could hire only one.
Although the directory enables management from a central location, a well-deployed directory does not itself reside in any one place. If the entire directory resided on a single server, the directory would be extremely vulnerable to failure: if that server went down, essential services provided by the directory such as authentication, security, and management would disappear.
For this reason, well-designed directories can be replicated or copied across the network to provide fault tolerance. For example, if in each of Networking, Inc.'s departmental OUs there were two servers, a copy of the directory could reside on each one. If one server went down, the directory's services would be provided by back-up copies on the other servers.
However, it is probably not practical to house a copy of the entire directory on each server. Not only would the directory take up too much disk space, it would also increase server traffic and reduce server performance. It is better to "partition" the directory along logical boundaries and store replicas of the partitions on different servers.
Figure 46: Directory partitions
Figure 46 shows the directory partitioned into four segments. One holds the Tokyo OU and its subordinates. The second holds all the objects in Albany, the third holds only the NYC OU, and the fourth consists of everything in the London OU. To alleviate server traffic, only a partition of the directory would be housed in each location: the London partition would reside on the London servers only, for example, and the Tokyo partition would reside on the Tokyo servers. In this arrangement, each directory partition would service only those objects that are physically closest to it, thereby reducing directory response time. Additionally, you would authenticate to the directory through the partition closest to you instead of authenticating across a slow or expensive WAN connection. And even with the directory divided and distributed across multiple servers, network administrators can still view and manage the directory as a single unit.
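The partitioning and replica placement just described can be reduced to two rules: an object belongs to the nearest partition root above it in the tree, and a client should be served by a replica of that partition at its own site when one is up. The following added example (not from the primer and not NDS's replication logic) encodes the four partitions of Figure 46 with two replica servers each. The server names, the convention that a server's site is the first part of its hostname, and the decision to put objects above every partition root (such as the New_York OU itself) in a root partition are all assumptions made for the example.

```python
# Partition roots (contexts) and the servers holding a replica of each one. Constructed
# to match the primer's Figure 46: four partitions, here with two replicas apiece.
PARTITIONS = {
    "Tokyo.Networking_Inc": ("tokyo-srv1", "tokyo-srv2"),
    "Albany.New_York.Networking_Inc": ("albany-srv1", "albany-srv2"),
    "NYC.New_York.Networking_Inc": ("nyc-srv1", "nyc-srv2"),
    "London.Networking_Inc": ("london-srv1", "london-srv2"),
}


def site_of(server):
    """Physical site of a replica server, encoded in the hostname here (assumption)."""
    return server.split("-")[0]


def partition_of(name_space):
    """The partition holding an object is the nearest partition root above it: the
    longest partition context that the object's name space ends with. Objects above
    every partition root (the New_York OU itself, for instance) return None, meaning
    a root partition; the primer does not say where those live, so that is an assumption."""
    matches = [p for p in PARTITIONS if name_space == p or name_space.endswith("." + p)]
    return max(matches, key=len) if matches else None


def replica_for(name_space, client_site, down=frozenset()):
    """Replica a client should authenticate through: one at the client's own site if it
    is up, otherwise any surviving replica (reached across the WAN), otherwise None,
    which is the outage a single unreplicated copy would have caused."""
    part = partition_of(name_space)
    if part is None:
        return None
    alive = [s for s in PARTITIONS[part] if s not in down]
    local = [s for s in alive if site_of(s) == client_site]
    return (local or alive or [None])[0]


def directory_view(name_spaces):
    """What the administrator sees: every object, grouped by the partition that serves
    it, but still presented as one directory."""
    view = {}
    for ns in name_spaces:
        view.setdefault(partition_of(ns) or "[Root]", []).append(ns)
    return view
```

The `down` argument is what the fault-tolerance argument rests on: with one Albany server out, Ignacio Lopez still authenticates locally; with both out, no replica of his partition exists anywhere and authentication fails, which is why a partition should never live on a single server. A Tokyo user logging in from London is served, but across the WAN, because the Tokyo partition is replicated only in Tokyo.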
The Directory and E-Business
The security and management capabilities of directories have been exploited for quite some time, but the full utility of directories as data stores is only beginning to be explored. The hierarchical arrangement, extensible schema, and fine degree of control make directories the ideal foundation for applications that require flexible methods to store and organize data. A large number of these applications are "e-business" or electronic business applications. E-business is the practice of conducting traditional business processes by electronic means, often using an intranet or the Internet. These processes include customer service, electronic store fronts, employee provisioning, supply-chain management, and other kinds of collaboration between businesses.
To demonstrate how a directory can make business processes more efficient, consider the following scenario. New employees hired by Networking, Inc. need to be "provisioned" or supplied with what their new job requires—workstations, network passwords, security clearance—and the company needs to put the employees' personal information into their various systems—payroll, insurance, 401K. Without a directory-enabled system, the employee must visit each department one by one to obtain the necessary supplies and must fill out a multitude of forms that will be manually keyed in by each department into its own separate system. The risk of human error is high, and when the employee's information changes, each department must be notified separately, further increasing the likelihood that some departments will have outdated information.
With a directory-enabled provisioning application the employee's information is entered once into the computer and stored in the directory. Each department's application would have access to that single data store. As illustrated in Figure 47, a directory-enabled process ensures that employees can be provisioned quickly and efficiently—even before they walk in the door their first day.
Figure 47: Directory-enabled provisioning software simplifies the provisioning process.
The figure shows a directory entry for Naren Shankar. Each of the computer icons represents departments that need to know information about him so that he can be properly provisioned. For example, Payroll would need to know his salary, Equipment would need to know what kind of workstation he will use, and Network Administration would need to know at which level he should be granted access rights. The arrows in Figure 47 point to the information that would be of special interest to each department, but in reality the departments would have access to several fields such as name and phone extension. It should be noted that none of the departments would have or need access to all the information: for example, Network Administration would not have access to salary information, and Insurance would not require security clearance information. Just as a directory can grant and restrict user access rights, it can also restrict which fields applications access. And when Naren leaves the company, his information will be deleted only once and the change will take effect across the entire network.
Novell Directory Services (NDS) is the best directory on the market today. NDS eDirectory, Novell's latest directory product, represents the culmination of more than a decade of development. Based on X.500 and LDAP, NDS has become the de facto standard for directories. eDirectory is highly scalable, which means it can hold more than one billion objects. eDirectory is integrated with the NetWare operating system, and with Novell Account Management you can use eDirectory to manage other NOSs such as Windows 2000, Windows NT, Solaris, and Linux.
Even networks that are not managed by a central directory nevertheless contain many directories. Many applications such as e-mail applications create directories specific to their needs. Most companies also maintain one or more databases that often contain overlapping or redundant information; for example, several directories might store a person's address and telephone number, or product prices would appear in one or more databases. Keeping the information in these directories and databases up-to-date can occupy inordinate amounts of time and effort, and even the best efforts cannot prevent incorrect information from circulating.
The best solution would be to create one huge directory that contains every scrap of information used by every last application and every single department; however, unless you are building your company from the ground up, starting today, this approach is as impractical as it is expensive. The next best thing is to synchronize the directories, or in other words, connect them in such a way that when information is changed in one directory, the change is reflected in all the directories.
The latest technology to provide this capability is XML, which stands for eXtensible Markup Language. A language similar to HyperText Markup Language (HTML), XML enables translation between incompatible file formats. Novell has developed a solution called DirXML that uses XML to create "metadirectories"—directories that function as a single directory but that in fact are made up of several otherwise incompatible directories or databases. A metadirectory enables synchronization between directories so that when a change is made to one, it is made to all. It also makes it possible to search a number of directories at once from a single interface.
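The synchronization idea behind a metadirectory, and the field-level restriction from the provisioning example above (Naren's salary must reach Payroll but never the e-mail directory; his departure is recorded once and applied everywhere), can be shown with two small stores that use different keys and field names, joined through XML change events. The following is an added example written for this page; it is not DirXML and does not use DirXML's event format, which the primer does not describe. The `<modify>`/`<remove>` event shape, the canonical attribute names, the class names and the sample records are all constructed for the illustration.

```python
import xml.etree.ElementTree as ET


class ConnectedDirectory:
    """One existing store joined to the metadirectory (hypothetical model). It keeps its
    own keys and field names; the two maps translate from the metadirectory's canonical
    names. A canonical attribute with no mapping never reaches this store, which is how
    the e-mail directory is kept from ever receiving a salary."""

    def __init__(self, store, keys, attr_map):
        self.store = store        # native records, keyed natively
        self.keys = keys          # canonical uid -> native key
        self.attr_map = attr_map  # canonical attribute -> native attribute

    def apply(self, event):
        key = self.keys.get(event.get("uid"))
        if key is None:
            return
        if event.tag == "remove":                  # one deletion, applied everywhere
            self.store.pop(key, None)
            del self.keys[event.get("uid")]
            return
        for attr in event.findall("attr"):         # <modify>: copy only mapped attributes
            native = self.attr_map.get(attr.get("name"))
            if native is not None:
                self.store[key][native] = attr.text

    def lookup(self, uid):
        record = self.store.get(self.keys.get(uid), {})
        return {c: record[n] for c, n in self.attr_map.items() if n in record}


class MetaDirectory:
    def __init__(self, members):
        self.members = members

    def publish(self, event_xml):
        """Parse one change event (XML produced by a connected system; the events in
        this example are constructed) and push it to every member directory."""
        event = ET.fromstring(event_xml)
        if event.tag not in ("modify", "remove") or event.get("uid") is None:
            raise ValueError("malformed change event")
        for member in self.members:
            member.apply(event)

    def search(self, uid):
        """One query answered from all connected directories at once."""
        merged = {}
        for member in self.members:
            merged.update(member.lookup(uid))
        return merged


def build_meta():
    """Constructed sample data: an HR database and an e-mail directory with different
    schemas, joined on the canonical uid 'shankarn'."""
    hr_db = {"1042": {"surname": "Shankar", "given": "Naren",
                      "phone_number": "x2210", "salary": "90000"}}
    mail_dir = {"shankarn": {"sn": "Shankar", "givenName": "Naren",
                             "telephoneNumber": "x2210", "mail": "shankarn@example.com"}}
    hr = ConnectedDirectory(hr_db, {"shankarn": "1042"},
                            {"surname": "surname", "given": "given",
                             "telephone": "phone_number", "salary": "salary"})
    mail = ConnectedDirectory(mail_dir, {"shankarn": "shankarn"},
                              {"surname": "sn", "given": "givenName",
                               "telephone": "telephoneNumber", "mail": "mail"})
    return MetaDirectory([hr, mail]), hr_db, mail_dir


if __name__ == "__main__":
    meta, hr_db, mail_dir = build_meta()
    meta.publish('<modify uid="shankarn"><attr name="telephone">x2299</attr></modify>')
    print(hr_db["1042"]["phone_number"], mail_dir["shankarn"]["telephoneNumber"])
    print(meta.search("shankarn"))
    meta.publish('<remove uid="shankarn"/>')
    print(hr_db, mail_dir)
```

The attribute map doubles as the access filter: what a connected system does not have a mapping for, it never receives, so the restriction is enforced at the point of synchronization rather than trusted to each application. The `<remove>` event is the "deleted only once" case from the provisioning scenario.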
For more information about directories and DirXML, please visit the Novell World Wide Web site at http://www.novell.com.
Figure 48: A metadirectory connects users to information stored on any network database.
Choosing a Network Implementation
Before designing a network, a complete assessment of the company's networking needs is in order. The tasks that will need to be automated or otherwise made more efficient must be identified, as must the business applications that are currently supported and those that are being considered for the future. Does the company need to provide shared access to word processing files, or does it have multi-user databases to support? Is electronic mail a necessity? What type of Web server and platform combination will best service the company's Web site requirements?
Once all of the current business tasks and functions that the company expects to support have been determined, and the best guess regarding future requirements has been made, prioritization is the next step. As the networking plan is deployed, the company should consider which parts of that plan—such as those that impact critical business functions—should be implemented immediately and which can be addressed at a later time. This process will allow the company to diffuse its expenditures over time and also give employees sufficient time to adapt to an updated networking environment.