Network policy is a collection of rules that govern the behaviors of network devices. Just as a federal or central government may lay down policies for states or districts to follow to achieve national objectives, network administrators define policies for network devices to follow to achieve business objectives.
A network that runs on policies can be automated more easily and therefore respond more quickly to changing needs. Many common tasks, such as adding devices and users and inserting new applications and services, can now be easily accomplished. Well-defined policies can benefit a network in the following ways:
An even bigger advantage to enterprises is the security gains from policy. By granularly defining policies that give users and devices the least amount of access to resources that they need to do their jobs, you can better protect sensitive data. Violations can be caught and mitigated quickly. Such zero-trust security measures reduce risk, contain threats, stop lateral movement of malware, and help verify regulatory compliance.
A network that follows well-defined policies capably fills business needs that it is designed to support. Think of network policies as objectives or goals. Without clear objectives, your network can't be set up to deliver optimally, and without goals, its performance can't be measured.
Network policies reflect business intent. Network controllers ingest business intent and create policies that help achieve the desired business outcomes. Policies are enforced and carried out by network equipment such as switches, routers, wireless access points, and wireless LAN controllers. Networks operated in an ad hoc fashion, without guiding policies, will likely fail to deliver optimally.
Well-executed policies in the network provide consistency of service throughout it, regardless of locations, means of connectivity, or devices in use. This means users and things can use the network from anywhere and still have the same access privileges and quality of network experience.
Network devices and their operations can be better automated when guidance exists. With policies, configurations can be automated and orchestrated so that each device does what's required to achieve the larger objectives.
Once well-understood goals are defined, metrics can be established to measure how the network is delivering. Continuous analysis of performance helps ensure that policies are being followed and business objectives are being met.
With policies in place, any violations can be easier to detect. Security is more easily enforced, threats more quickly contained, and risk rapidly reduced with security-related policies.
Policies don't exist in a vacuum. All network devices, users, and applications should be governed by those policies.
Since network policies specify how the network must function in different circumstances, there is no set list of policies. A network's policies depend on what's necessary to achieve business objectives. Some of the more common policies that all businesses need to consider are:
These govern whether a given user or thing will become part of the network and what resources the person or device can access. Access and security policies might be the most important types of policies, since the security of data and applications depends on them.
These define the relative importance of various applications and how the traffic for each should be prioritized.
These govern how traffic from certain types of users should be routed, such as guest traffic through a firewall.
Policies can be defined on an IP-address level or by role. Role-based policies are dynamic, offer more flexibility, are easier to automate, and support user and device mobility. IP-based policies are static, do not scale, and are best suited for an environment that doesn't change much.
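The difference between IP-based and role-based policies is easiest to see with a small policy evaluator. The following is an added example written for this page, not code from the original article or from any vendor product; the subnets, roles, resources, and the observed flow log are all constructed for illustration. It evaluates the same access, application-priority, and guest-routing decisions once against a static IP ACL and once against a role table, and then audits a log of what the network actually enforced against the role policy to surface violations.

```python
"""Toy comparison of IP-based and role-based network policy, plus a violation audit.

Added example for illustration only; every address, role and resource name below
is constructed and does not come from the original article.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# --- IP-based policy: a static ACL keyed on the source subnet --------------
# Tuple layout: (source subnet, destination resource, action). First match wins.
IP_ACL = [
    (ip_network("10.10.0.0/24"), "hr-db", "permit"),                  # HR floor wired ports
    (ip_network("10.20.0.0/24"), "hr-db", "deny"),                    # engineering floor
    (ip_network("10.0.0.0/8"), "internet", "permit"),                 # any corporate subnet
    (ip_network("192.168.50.0/24"), "internet", "permit-via-firewall"),  # guest SSID
]
DEFAULT_ACTION = "deny"  # least privilege: anything not explicitly listed is denied

# --- Role-based policy: keyed on the identity learned at authentication ----
ROLE_POLICY = {
    "hr":       {"hr-db": "permit", "internet": "permit"},
    "engineer": {"build-servers": "permit", "internet": "permit"},
    "guest":    {"internet": "permit-via-firewall"},
}


@dataclass(frozen=True)
class Flow:
    user: str
    role: str    # role assigned when the user or device authenticated
    src_ip: str  # whatever address the client happened to receive
    dst: str     # named resource the client is trying to reach


def ip_decision(flow: Flow) -> str:
    """Static ACL lookup: the decision depends only on where the packet came from."""
    src = ip_address(flow.src_ip)
    for net, dst, action in IP_ACL:
        if src in net and dst == flow.dst:
            return action
    return DEFAULT_ACTION


def role_decision(flow: Flow) -> str:
    """Role lookup: the decision follows the identity, regardless of subnet."""
    return ROLE_POLICY.get(flow.role, {}).get(flow.dst, DEFAULT_ACTION)


def compare(flow: Flow) -> dict:
    """Return both decisions side by side for one flow."""
    return {"ip": ip_decision(flow), "role": role_decision(flow)}


# Constructed log of what the network actually enforced: (flow, action taken).
OBSERVED = [
    (Flow("alice", "hr", "10.10.0.15", "hr-db"), "permit"),            # normal day at her desk
    (Flow("alice", "hr", "10.20.0.88", "hr-db"), "deny"),              # same user, roamed to eng. floor
    (Flow("bob", "engineer", "10.10.0.40", "hr-db"), "permit"),        # engineer plugged into HR port
    (Flow("carol", "guest", "192.168.50.7", "internet"), "permit"),    # guest traffic skipped firewall
]


def find_violations(observed, decide=role_decision):
    """List flows whose enforced action differs from what the policy requires.

    Each entry is (flow, action_taken, action_expected). Running this over a
    flow log is the kind of check that makes policy violations easy to detect.
    """
    return [(f, taken, decide(f)) for f, taken in observed if decide(f) != taken]


if __name__ == "__main__":
    for flow, _ in OBSERVED:
        print(flow.user, flow.src_ip, flow.dst, compare(flow))
    for flow, taken, expected in find_violations(OBSERVED):
        print(f"VIOLATION {flow.user} -> {flow.dst}: enforced {taken}, policy says {expected}")
```

Under the IP ACL, alice loses access to the HR database as soon as she roams to the engineering subnet, and bob gains it simply by plugging into an HR-floor port; the role table gives the opposite, consistent answers in both cases. The audit then flags three deviations from role policy: alice's blocked roaming session, bob's over-privileged access, and carol's guest traffic that bypassed the firewall.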
Despite the acknowledged importance of setting and adhering to policies, most corporate networks do not have effective policy strategies in place. The reasons most often cited are:
Many enterprise networks simply evolve over the years. New divisions and their needs are addressed in a one-off manner. Each merger or acquisition bridges two disparate networks without an effective plan. Several types of network devices with varying capabilities may also contribute to disorder.
Even if the network was well designed originally, operating policies may not have been adjusted as business needs changed over the years. In these cases, there's often no good way to update or specify new policies without redesigning the entire network.
When network administrators must adapt their networks to new business needs, they may be constrained by the need to manually reconfigure network devices. This lack of agility and the scaling difficulties mean the network cannot live up to expectations.
Of course, you can't implement policies without knowing what policies to implement. This is particularly true for larger networks that have evolved over time and whose administrators may not have a complete grasp of business needs and how the network is responding to them. Here are the steps for implementing policies that work:
All the tasks listed above for discovering, defining, authoring, and activating policies are certainly not easy to perform. Network controllers that follow the industry's intent-based networking (IBN) framework are best suited for those jobs. They take business intent as input, translate it into policies, and make sure the policies are being applied appropriately and delivering the desired results.