November 4, 1997
Cisco and Microsoft are conducting a draft specification review in order to communicate our directory specification to our customers and ISVs, and to establish a leadership position in a very important area.
The purpose of the specification review is fourfold:
Cisco and Microsoft are taking the leadership position in directory-enabled networks. Over 150 people from 75 companies will be attending the meeting. Many of our major customers and most of our competitors will be in attendance. Cisco and Microsoft are running the meeting, and we will maintain authorship of the draft specification.
Cisco and Microsoft announced an initiative and a draft specification for directory enabled networks. This is an open, industry-wide initiative with the goal of helping customers develop rich network applications that will work with offerings from a variety of network and directory vendors. This initiative is supported by more than 20 companies, including 3Com Corp., Ariel Corp.; Ascend Communications, Inc.; Berkeley Networks; Cabletron Systems, Inc.; Compaq Computer Corp.; CompuServe Network Services, Inc.; Comtrol Corp.; ConXion, Inc.; Digex Incorporated; Digi International; Digital Equipment Corp.; ECI Telematics; Fore Systems; GridNet International; Hewlett-Packard Co.; Intel Corp.; MSN©, The Microsoft Network; Net Access; New Oak Communications, Inc.; Packet Engines, Inc.; RAScom, Inc.; South Carolina SuperNet; and SwitchSoft Systems, Inc.
The draft specification provides a schema and information model for representing network elements and services in a directory. An implementation of this specification then enables an appropriate set of network services to be associated with users and applications. The specification defines a set of data models for typical network devices, and implements these as extensions to the directory services schema. Management tools can then populate the directory with instances of actual devices discovered on the network, and set properties such as descriptions of the services supported by devices, and provisioning or configuration details. Since this information is integrated with the directory, it is possible to associate specific users with network properties. This combination allows the network to be dynamically configured to support each user's needs. For example, certain users may be authorized to use the network for video conferencing, so they need secure conference paths to be established automatically, no matter where they may log onto the network. This requires a common data store for the tools used to authenticate and authorize applications and services for the user as well as the network provisioning software. In this example, the common data store is the directory and its networking extensions. This network-enabled directory provides a unified focal point for the administration, management, and utilization of the above tools and applications.
A directory-enabled network is one where user profiles, applications, and network services are integrated through a common information model that stores network state and exposes network information. This information then enables bandwidth utilization to be optimized; it enables policy-based management; it provides a single point of administration of all network resources; and all this serves to lower total cost of ownership, and improves the services that end-users can rely on regardless of their physical location.
A directory-enabled network is one where users and applications interact in a controlled way with network elements and network services to provide predictable and repeatable services to users, while also strengthening security and simplifying provisioning and management of network resources. The directory-enabled network uses directory services to store critical information to facilitate access, management, and search operations. Users, applications, and services can be abstracted through profiles. A profile is a template of attributes and behaviors that describe an object or a set of objects. Profiles can be applied to a single user or a group of users. Profiles provide a higher level of abstraction for important system components --- group, service, and network --- while still providing the ability to model and operate on the fundamental building blocks of user, computer, and device. Put another way, profiles tell the system what needs to be done, not the specific steps necessary to do it.
Policies define desired behavior between two or more objects. It is important to note that policy is separate from enforcement or auditing. In a network, policies apply to a broad range of different services, such as configuration, routing and switching, access control, and usage of services such as encryption and QoS. Centralized policies are the key to overall management of the network. Today, implementing and enforcing consistent policy of any type across a corporation manually is an expensive, labor-intensive, and error-prone proposition. This is due to the inherent complexity of managing many inter-dependent features across many different types of network elements.
The "Enhancing Networking through Integration with the Directory Service" specification defines a standard way of storing the policies and profiles (the schema) as well as an information model that defines the desired interaction between objects on the network.
The directory also represents objects that consume these network resources, such as users and applications. This allows directory-enabled network elements and applications to discover and enforce policy at the point where resources are consumed. This enables this specification to control the implementation of policy at the group or user level; the administrator can then personalize the network (in terms of what services are available) for individuals and groups of users and devices.
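The profile-and-policy model described above, resolved at the point of consumption, can be illustrated with a small worked example. The code below is an added illustration written for this page; it is not code from Cisco, Microsoft, or the draft specification, and the object classes and attribute names it uses (denUser, denPolicy, denDevice, policyTarget, policyService, policyAction, qosClass, supportedService) are assumptions chosen for the example, not the names defined by the specification. It parses a constructed LDIF directory containing users, group memberships, policies and devices, then computes which services a given user may consume on a given device: policies targeting the user or any of its groups are merged, an explicit deny overrides any allow, and the result is intersected with what the device actually supports. The audit record is produced by a separate function, reflecting the text's point that policy is distinct from enforcement and auditing.

```python
"""DEN-style policy resolution over a small, constructed LDIF directory.

The object classes and attribute names below (denUser, denPolicy, denDevice,
policyTarget, policyService, policyAction, qosClass, supportedService) are
assumptions for illustration only; they are not the names used by the
Cisco/Microsoft draft specification.
"""
from collections import defaultdict

# Constructed sample directory in LDIF form. Folded lines (a continuation line
# starting with a space) and multi-valued attributes are handled by the parser.
SAMPLE_LDIF = """\
dn: cn=alice,ou=users,dc=example,dc=com
objectClass: denUser
cn: alice
memberOf: cn=engineering,ou=groups,dc=example,dc=com
memberOf: cn=video-users,ou=groups,dc=example,dc=com

dn: cn=bob,ou=users,dc=example,dc=com
objectClass: denUser
cn: bob
memberOf: cn=engineering,ou=groups,dc=example,dc=com

# Policies: who (policyTarget) may use which service, at what QoS class.
dn: cn=eng-baseline,ou=policies,dc=example,dc=com
objectClass: denPolicy
policyTarget: cn=engineering,ou=groups,dc=example,dc=com
policyService: web
policyService: mail
policyAction: allow
qosClass: best-effort

dn: cn=video-allow,ou=policies,dc=example,dc=com
objectClass: denPolicy
policyTarget: cn=video-users,ou=groups,dc=example,dc=com
policyService: video
policyAction: allow
qosClass: guaranteed-2mbps

dn: cn=bob-no-mail,ou=policies,dc=example,dc=com
objectClass: denPolicy
policyTarget: cn=bob,ou=users,dc=example,dc=com
policyService: mail
policyAction: deny

dn: cn=edge-sw-1,ou=devices,dc=example,dc=com
objectClass: denDevice
supportedService: web
supportedService: mail
supportedService: video

dn: cn=branch-rtr-7,ou=devices,dc=example,dc=com
objectClass: denDevice
description: no video path provisioned
  on this link
supportedService: web
supportedService: mail
"""


def parse_ldif(text):
    """Parse LDIF text into {dn: {attribute: [values]}}.

    Handles comment lines, blank-line entry separators and folded lines
    (a leading single space continues the previous line, per LDIF rules).
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current, attrs = {}, None, defaultdict(list)
    for line in lines + [""]:             # sentinel blank flushes the last entry
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if current is not None:
                entries[current] = dict(attrs)
            current, attrs = None, defaultdict(list)
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if name == "dn":
            current = value
        else:
            attrs[name].append(value)
    return entries


def resolve_services(directory, user_dn, device_dn):
    """Return {service: qosClass} that user_dn may consume on device_dn.

    Policy is resolved where the resource is consumed: every policy whose
    policyTarget is the user or one of its groups is merged, an explicit
    deny overrides any allow, and the result is limited to services the
    device actually supports.
    """
    user, device = directory[user_dn], directory[device_dn]
    targets = {user_dn, *user.get("memberOf", [])}
    allowed, denied = {}, set()
    for entry in directory.values():
        if "denPolicy" not in entry.get("objectClass", []):
            continue
        if not targets & set(entry.get("policyTarget", [])):
            continue
        action = entry.get("policyAction", ["deny"])[0]   # default-deny
        for service in entry.get("policyService", []):
            if action == "allow":
                allowed[service] = entry.get("qosClass", ["best-effort"])[0]
            else:
                denied.add(service)
    supported = set(device.get("supportedService", []))
    return {svc: qos for svc, qos in allowed.items()
            if svc in supported and svc not in denied}


def audit_record(directory, user_dn, device_dn):
    """Auditing is separate from policy: log what was actually granted."""
    granted = resolve_services(directory, user_dn, device_dn)
    fields = [f"{svc}={qos}" for svc, qos in sorted(granted.items())] or ["none"]
    return f"user={user_dn} device={device_dn} granted={','.join(fields)}"


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for user in ("cn=alice,ou=users,dc=example,dc=com",
                 "cn=bob,ou=users,dc=example,dc=com"):
        for device in ("cn=edge-sw-1,ou=devices,dc=example,dc=com",
                       "cn=branch-rtr-7,ou=devices,dc=example,dc=com"):
            print(audit_record(directory, user, device))
```

Because the directory becomes the single source of truth for both authorization and provisioning, an enforcement point built this way must read it over an authenticated, integrity-protected connection and treat write access to the policy and profile subtrees as equivalent to administrative control of the network; the example's default-deny for a policy with no policyAction is the conservative choice when an entry is incomplete.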
The extensions defined by this specification have benefits for all audiences. Developers can now write applications that leverage the network in a way that is transparent to the user. These applications are inherently independent of vendor-specific network devices, while still being able to take advantage of specific networking features provided by various vendors through pre-defined means. Finally, since the directory is used as a common repository, applications can now inter-operate much more easily and at a lower level. Administrators are able to centrally manage their networks at an individual device level as well as at more abstract levels. This combination dramatically reduces the total cost of ownership. End users will be able to receive, transparently, network services that are tailored to their individual profiles. For example, they will be able to have guaranteed bandwidth for bandwidth-sensitive applications such as distance learning and video-conferencing.
No. This work is independent of any one particular network or directory vendor. Cisco and Microsoft have started the initiative, and will be hosting a Design Preview that will be open to network and directory vendors, ISVs, and other interested parties very soon. In the meantime, Cisco and Microsoft will jointly present a high-level overview of the specification to the 6,000 developers who attend Microsoft's Professional Developers Conference on September 23-26, 1997.
Our customers can now leverage their current investments to bring a new level of network services to end users, while at the same time reducing the complexity of network provisioning and administration. The specification enables application developers, for the first time, to provide network services transparently on a per-user basis.
Together, Cisco and Microsoft have simplified the complexity of dealing with two distinct areas, network services and users. Partners can leverage this work immediately in their own applications and integrated solutions. To illustrate this, SwitchSoft, Cisco and Microsoft demonstrated an ISV application controlling Cisco routers and switches that used information stored in Microsoft's Active Directory to personalize network services on a per-user basis.
Yes. An objective of this initiative is to provide a common way to access various heterogeneous directories, on whatever platforms they reside. Active Directory, in addition to supporting the native Windows NT namespace, also provides access to DNS, NDS, and X.500-based directories, using their native protocols or LDAP. It is open and so can be extended to provide access to other namespaces. With this initiative, Cisco and Microsoft are extending Active Directory in Windows NT Server 5.0 to the network namespace, and Cisco will produce UNIX versions of Active Directory. Together with Microsoft, Cisco is ensuring full cross-platform directory services, integrated with network services.
These companies and others were briefed last week and invited to participate. There is ongoing dialogue with all of these directory and networking vendors and we are encouraging their participation.
Yes. Cisco and Microsoft will host a design preview in the fourth quarter of 1997 as part of an open design review process, the results of which will be submitted to the Internet Engineering Task Force (IETF) for publication.
We are not announcing specific products at this time. What we are stressing is the importance of an open initiative for directory enabled networks and a draft specification for building intelligent network applications.
The specification for directory enabled networks is directory independent. Any directory vendor can produce an implementation based on the specification. In addition to this base interoperability, Active Directory can provide additional interoperability and integration capabilities with other directory products and vendors through LDAP and ADSI.
The specification for directory enabled networks and Active Directory rely on LDAP as a core data access protocol. LDAP is also fully supported in the Active Directory Service Interfaces (ADSI), which enable developers to develop not only for Active Directory but also for other LDAP-based directories, or for any other directory for which a provider exists. Cisco products will provide integration and interoperability with other directory service products through ADSI and LDAP support.
Active Directory supports LDAP and ADSI. ADSI is a set of open interfaces that abstract the capabilities of directory services from different network providers to present a single view for accessing and managing network resources. Administrators and developers can use ADSI services to enumerate and manage resources in a directory service, no matter which network environment contains the resource. This can be an LDAP-based, NDS-based, or NTDS-based directory. It does not matter so long as a service provider is available for that directory service.
The LDAP C API is a low-level API, which makes it somewhat difficult to write to. ADSI supports multiple high-level languages, such as Visual Basic, Perl, and C/C++. This means that administrators and developers can use the tools they already know. It also provides the ability to script actions in an easy-to-use, high-level language. Similarly, ADSI offers support for Java---ADSI objects provide easy access to directory services for Java applets and programs through Java COM.
The Common Information Model (CIM) is the standard schema for managing desktop systems. It is being developed by the DMTF (Desktop Management Task Force). Cisco and Microsoft are both active members of the DMTF, and support using CIM for desktop management products. CIM describes manageable objects such as computer systems, network systems, and software packages. Directory service products like Active Directory describe users and the objects they use, such as files, applications, and printers. By extending directory services with networking extensions, the gap between manageable objects and the users who require service from them is bridged. So this work is complementary with CIM, and network management tools will use both. We believe CIM will be used mainly for equipment inventory purposes, and possibly to monitor, troubleshoot, and configure devices. Directory-enabling networks is a higher level service that defines the relationships between networks, users, and network services.
Web-Based Enterprise Management (WBEM) is Microsoft's set of management infrastructure services based on CIM. WBEM implements a datastore, and a number of components that can be used to populate the datastore with real-world objects, and to retrieve information about these objects. Windows-based management tools will use WBEM as a platform.
Yes. Microsoft will ship an Active Directory service provider (SP) as part of the WBEM SDK. This SP reads information placed in the directory by the network extensions that we are announcing today. In this way, WBEM can benefit from network element and service information that has already been loaded into the directory, and can populate the CIM data store with this information. This is an example of how the networking extensions can be used to unify heterogeneous sources of information. The ADSI SDK ships with service providers for Windows NT, Novell NDS, the Novell 3.x bindery and LDAP.
ANS is a Cisco Network Management initiative for delivering next generation policy-based network and service level management. ANS can leverage the central directory and network schema to assure network services in terms of availability, performance and security.
In May 1997, Microsoft and Cisco announced that:
- Cisco would adopt Active Directory.
- Cisco will implement Active Directory on various UNIX platforms.
- Cisco and Microsoft would jointly extend and enhance Active Directory to support network service modeling, provisioning and administration, and add user-based policies.
- Through the integration of Cisco IOS software with Microsoft Active Directory, Cisco is simplifying the access to, and use of, advanced Cisco IOS networking features.
A key benefit of this collaboration is that network resources can be managed as easily, and in the same unified way, as the customer's enterprise resources, using an extensible, rich user interface framework and Active Directory technologies. All aspects of managing any of these resources are tightly integrated, simplifying their administration and maintenance and ensuring scalability and reusability. This collaboration will extend Active Directory so that it can support network service modeling, provisioning and administration. This means that the directory can store information and policy used by the network services themselves to control facilities such as quality of service (QoS) and specific users' access to them. Finally, it is important to note that Active Directory is open and standards based, supporting standards such as LDAP, DNS and HTTP, meaning any client or server that adheres to these standards can access and benefit from Active Directory.
Posted: Sat Jul 1 10:54:15 PDT 2000
All contents copyright © 1992--2000 Cisco Systems, Inc.