The present invention relates to a system and method for managing a network.
Recent innovations in conventional communication networks (e.g., the Internet and corporate networks) are transforming a network infrastructure from a "dumb, best effort" model into an "intelligent" network. The intelligent network is built around a set of new network services such as Quality of Service, multipoint communication, remote configuration and software distribution, security, and sophisticated directory services. Resulting changes in the use of network resources require major changes in how network resources are managed. In particular, network managers and service providers must be able to monitor and control network resources and services based on policies derived from a variety of criteria such as a user's identity, application type, current traffic conditions, bandwidth requirements, security considerations, time-of-day, and cost.
A conventional method of managing a network resource has a one-level logic structure. Such a structure has a number of constraints for each action requested. For instance, if user A wants to access a network X, the network X would look up user A's profile to see whether user A is authorized for such access. In addition to the authorization information, user A's profile would include other information about his privileges with respect to the network resources.
Conventional management tools use a centralized management console for configuring, monitoring, and controlling the behavior of various network devices in the network. Typically, a single logical console is responsible for a given control domain (e.g., a Windows NT domain or an administrative domain for routing protocols), and the control domains themselves are organized into a hierarchy for the purpose of scaling to large corporate networks. Such control hierarchies also tend to reflect the organizational hierarchies within an information technology organization.
Network devices, such as switches and routers, are optimized to perform one central task: data forwarding; other tasks are secondary. As a result, these devices provide only minimal support for network management, usually by supplying performance or status data in response to polls from a management console. Thus, in the deployment of policy-based control, it is important to avoid overburdening these devices with complex processing such as policy interpretation or policy-based admission control.
Furthermore, a traffic load on corporate networks spans a wide spectrum of traffic characteristics, and network traffic related to mission-critical applications (e.g., those accessing corporate databases and other services) must compete with other, less-important traffic. The explosion in the use of web-based technologies such as subscription channels, push services, and audio/video streams that do not include congestion avoidance mechanisms, all contribute to significant increases in traffic load. Deployment of internet protocol ("IP") multicast and associated business applications such as distance learning and corporate training adds yet another dimension to the allocation of network resources. Clearly, such unconstrained access to a local area network ("LAN") bandwidth has the potential to saturate most enterprise networks and must be carefully controlled to avoid network bottlenecks. In addition, network communications need to be secure and protected. Furthermore, access to network resources (e.g., servers, files, etc.) must be controlled and protected.
The present invention relates to a system and method for managing a network using a policy tree that includes a plurality of levels (e.g., two levels, five levels, etc.). The policy tree may be generated/updated by the network and/or an outside system. When the network receives a request for providing an action to a particular source, the network determines if the action is available as a function of at least one level of the plurality of levels. If the action is available, then the network determines if the particular source is authorized to be provided with the action as a function of at least one rule of at least one further level of the plurality of levels. If the particular source is authorized, then the network provides the action to the particular source.
The plurality of levels of the policy may include a first level, a second level, a third level, a fourth level and a fifth level. The first level may be generated as a function of an action type which may be indicative of the action. The second level may be generated as a function of the action and linked to the first level. The third level may be generated as a function of the at least one rule. The fourth level may be generated as a function of at least one condition type of the at least one rule. The fourth level may be linked to the third level. The fifth level may be generated as a function of at least one condition of the at least one condition type. The fifth level may be linked to the fourth level.
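The five-level policy tree and the two-stage check described above (first whether the action is available, then whether a rule authorizes the source), as an added Python example that is not part of the patent; the dict layout, operator names, attribute names and sample profiles are assumptions made for illustration.

```python
# Added example, not from the patent: a five-level policy tree built from plain
# dicts (action type -> action -> rule -> condition type -> condition) and the
# two-stage decision the text describes: is the action available at all, and if
# so, does at least one rule authorize the requesting source?

# Level 5: how one condition is tested against a source attribute.
OPERATORS = {
    "equals": lambda actual, wanted: actual == wanted,
    "in": lambda actual, wanted: actual in wanted,
    "at_most": lambda actual, wanted: actual is not None and actual <= wanted,
}

def condition_type_matches(ctype, source):
    """Level 4: every condition on this attribute must hold for the source."""
    actual = source.get(ctype["attribute"])
    return all(OPERATORS[op](actual, wanted) for op, wanted in ctype["conditions"])

def rule_matches(rule, source):
    """Level 3: a rule matches only when all of its condition types match."""
    return all(condition_type_matches(ct, source) for ct in rule["condition_types"])

def decide(tree, action_type, action, source):
    """Return 'unavailable' (levels 1-2 fail), 'denied' (no rule matches)
    or 'granted' (some rule in levels 3-5 authorizes the source)."""
    rules = tree.get(action_type, {}).get(action)
    if rules is None:
        return "unavailable"
    return "granted" if any(rule_matches(r, source) for r in rules) else "denied"

# Constructed sample tree; action names, attribute names and values are hypothetical.
POLICY_TREE = {
    "qos": {"reserve_bandwidth": [
        {"name": "eng-realtime", "condition_types": [
            {"attribute": "department", "conditions": [("equals", "engineering")]},
            {"attribute": "application", "conditions": [("in", {"video", "voice"})]},
            {"attribute": "requested_kbps", "conditions": [("at_most", 2000)]},
        ]},
    ]},
    "access": {"read_share": [
        {"name": "staff", "condition_types": [
            {"attribute": "role", "conditions": [("in", {"staff", "admin"})]},
        ]},
    ]},
}

# Constructed sample source profiles (the "user A" profile of the text).
ALICE = {"department": "engineering", "application": "video", "requested_kbps": 1500, "role": "staff"}
BOB = {"department": "sales", "application": "video", "requested_kbps": 500, "role": "staff"}
```

A request that names an action type or action missing from levels 1 and 2 is reported as unavailable before any rule is consulted, so devices never evaluate conditions for actions the tree does not offer.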