The present invention relates to a network management system. More specifically, the present invention relates to a network management system that can perform batch configuration operations remotely for service applications that operate across a plurality of coordinated network devices.
Conventionally, a technology that provides support for management of devices distributed over a network has been disclosed in Japanese laid-open patent publication number 9-69083 (“Method for distributed management and failure management”). This technology provides unified management through a network management mechanism working together with a system management mechanism. The network management mechanism performs network management on computers connected to a network, and the system management mechanism performs job control for the computers.
An example of a technology that provides management of tunneling in firewalls is presented in the Japanese laid-open patent publication number 10-200530 (“Method and system for managing”—this is a Japanese application filed in conjunction with a priority claim based on U.S. application Ser. No. 08/773,542). In this technology, the tunneling configurations between a plurality of networks are displayed graphically.
Furthermore, according to “Getting to the Root of Policy Management”, an article from Data Communications magazine (May 21, 1998, Vol. 21, No. 8), there has been active discussion of the use of directory services to set up access policies in distributed server groups.
With the development of the Internet, various network devices and the software services that operate on them have been developed, and the settings involved in the use of these devices and services have become more complex. In particular, there has recently been an increase in software services in which a plurality of network devices operate in a coordinated manner. In these software services, consistency must be maintained not only within the settings of a single device, but also between the settings of the different network devices.
An example of these types of settings is the settings used for tunneling in routers. Tunneling is a technology in which a packet generated by a source is encapsulated in another packet and transferred over a segment of a communication path. Tunneling is implemented through a pair of tunneling devices. Referring to FIG. 1, for example, there is shown a packet being sent from a host A of a network A to a host B of a network B. In order to provide tunneling between a router A and a router B in the path, the following operations must be performed:
(1) The router A receives a packet from the host A addressed to the host B in the network B. This router A encapsulates this packet in a packet with the source address set to the router A and destination address set to the router B. This packet is sent to the router B.
(2) The router B receives the packet from the router A and extracts a packet whose source address is the host A and whose destination address is the host B. This packet is sent through the network B.
If the host B is to reply to the host A with a packet that acknowledges receipt of the packet from the host A, the following operations are performed:
(3) The router B receives a packet from the host B addressed to the host A in the network A. This router B encapsulates this packet in a packet with the source address set to the router B and the destination address set to the router A. This packet is sent to the router A.
(4) The router A receives the packet from the router B and extracts a packet whose source address is the host B and whose destination address is the host A. This packet is sent through the network A.
To perform these operations, it must be assumed that:
The router A knows that packets addressed to the network B should be sent to the router B; and
The router B knows that packets addressed to the network A should be sent to the router A.
The settings for the two routers must not contradict each other, i.e., there must be no inconsistencies between the settings.
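The four operations and the two assumptions above can be made concrete with a small simulation. The following is an added example written for this page and is not code from the patent or from any of the cited technologies; the router names, tunnel endpoint addresses (192.0.2.1, 203.0.113.1) and network prefixes (10.1.0.0/16 for network A, 10.2.0.0/16 for network B) are constructed for illustration. Each router carries one setting, a map from a remote network prefix to the peer that tunnels to it, and `check_tunnel_pair` reports the contradictions between the two routers' settings before any packet is sent.

```python
"""Simulated pair of tunnel endpoints plus a consistency check on their settings.

Added example for this page; not code from the patent. All names, addresses
and prefixes below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: object = None  # application data, or the inner Packet when tunneled


@dataclass
class Router:
    name: str
    address: str          # address used in the outer (tunnel) header
    local_network: str    # the network this router fronts, e.g. "10.1.0.0/16"
    # The tunnel setting: remote network prefix -> address of the peer router
    tunnels: dict = field(default_factory=dict)

    def peer_for(self, dst: str):
        """Find which tunnel peer carries traffic for dst, or None if no tunnel matches."""
        ip = ipaddress.ip_address(dst)
        for prefix, peer in self.tunnels.items():
            if ip in ipaddress.ip_network(prefix):
                return peer
        return None

    def encapsulate(self, pkt: Packet) -> Packet:
        """Operations (1) and (3): wrap the host packet in an outer packet to the peer."""
        peer = self.peer_for(pkt.dst)
        if peer is None:
            raise LookupError(f"{self.name}: no tunnel configured for {pkt.dst}")
        return Packet(src=self.address, dst=peer, payload=pkt)

    def decapsulate(self, outer: Packet) -> Packet:
        """Operations (2) and (4): strip the outer header and return the original packet."""
        if outer.dst != self.address:
            raise ValueError(f"{self.name}: outer packet is addressed to {outer.dst}, not to me")
        if not isinstance(outer.payload, Packet):
            raise ValueError(f"{self.name}: outer packet carries no inner packet")
        return outer.payload


def check_tunnel_pair(a: Router, b: Router) -> list:
    """Return the contradictions between two endpoints' tunnel settings (empty = consistent).

    The two assumptions in the text: a must send b's network to b, and b must
    send a's network to a. A missing entry or a wrong peer is reported.
    """
    problems = []
    for near, far in ((a, b), (b, a)):
        peer = near.tunnels.get(far.local_network)
        if peer is None:
            problems.append(f"{near.name} has no tunnel for {far.local_network}")
        elif peer != far.address:
            problems.append(f"{near.name} sends {far.local_network} to {peer}, "
                            f"not to {far.name} ({far.address})")
    return problems


def round_trip(a: Router, b: Router, src: str, dst: str):
    """Run operations (1)-(4): request out through a and into b, reply back to a."""
    forward = b.decapsulate(a.encapsulate(Packet(src, dst, "request")))
    back = a.decapsulate(b.encapsulate(Packet(forward.dst, forward.src, "ack")))
    return forward, back


def example_routers():
    """Constructed, mutually consistent settings for router A and router B."""
    router_a = Router("router A", "192.0.2.1", "10.1.0.0/16", {"10.2.0.0/16": "203.0.113.1"})
    router_b = Router("router B", "203.0.113.1", "10.2.0.0/16", {"10.1.0.0/16": "192.0.2.1"})
    return router_a, router_b


if __name__ == "__main__":
    a, b = example_routers()
    print("contradictions:", check_tunnel_pair(a, b))
    fwd, back = round_trip(a, b, "10.1.0.7", "10.2.0.9")
    print("delivered in network B:", fwd.src, "->", fwd.dst)
    print("delivered in network A:", back.src, "->", back.dst)
```

With the two settings pointing at each other, `check_tunnel_pair` returns an empty list and the round trip delivers the original host-to-host packet in both directions. If router B's entry for network A is instead pointed at some third address, the check reports it immediately, and the simulation shows the practical symptom: router A refuses the reply because the outer packet is not addressed to it.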
A similar set of interdependent settings can be found in the access control settings used for a multi-stage firewall arrangement. A firewall uses the source address and the destination address to determine whether or not to permit access. In the case of the network environment shown in FIG. 2, the host A accesses a server on the Internet through a firewall FW-A1 and a firewall FW-A. These are packet-filtering firewalls placed at the access points of their respective networks. Access control for this case involves the following operations: (1) the firewall FW-A1 permits communication in which the source address is the host A and the destination address is on the Internet; and (2) the firewall FW-A likewise permits communication in which the source address is the host A and the destination address is on the Internet.
If the access control settings in the two firewalls contradict each other, the host A may not be able to communicate with the Internet or the host A may be able to communicate with unexpected addresses.
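Because FW-A1 and FW-A sit in series on the path, a flow reaches the Internet only if both of them permit it; a disagreement between the two rule sets therefore shows up as a flow that one firewall permits and the other denies. The following added example (written for this page, not code from the patent; host A is given the constructed address 10.1.0.7, the Internet server 198.51.100.20, and "the Internet" is approximated by 0.0.0.0/0) evaluates a first-match packet filter on each firewall, computes the effective decision for the whole path, and audits a list of sample flows for exactly such disagreements.

```python
"""Packet-filtering firewalls in series and an audit for contradictory rule sets.

Added example for this page; not code from the patent. Addresses, prefixes and
rules are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # source prefix, e.g. "10.1.0.7/32"
    dst: str      # destination prefix, e.g. "0.0.0.0/0"


class Firewall:
    """First-match packet filter with a default action (deny unless stated)."""

    def __init__(self, name: str, rules, default: str = "deny"):
        self.name = name
        self.rules = [r if isinstance(r, Rule) else Rule(*r) for r in rules]
        self.default = default

    def decide(self, src: str, dst: str) -> str:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in self.rules:
            if s in ipaddress.ip_network(rule.src) and d in ipaddress.ip_network(rule.dst):
                return rule.action
        return self.default


def path_decision(chain, src: str, dst: str):
    """Firewalls in series: the flow passes only if every hop permits it.

    Returns (overall decision, per-firewall verdicts).
    """
    verdicts = {fw.name: fw.decide(src, dst) for fw in chain}
    overall = "permit" if all(v == "permit" for v in verdicts.values()) else "deny"
    return overall, verdicts


def audit(chain, flows):
    """Return the sample flows on which the firewalls in the chain disagree."""
    findings = []
    for src, dst in flows:
        _, verdicts = path_decision(chain, src, dst)
        if len(set(verdicts.values())) > 1:
            findings.append((src, dst, verdicts))
    return findings


# Constructed sample flows: host A to an Internet server, and a neighbour of host A.
HOST_A = "10.1.0.7"
INTERNET_SERVER = "198.51.100.20"
FLOWS = [(HOST_A, INTERNET_SERVER), ("10.1.0.8", INTERNET_SERVER)]


def consistent_chain():
    """Operations (1) and (2) from the text: both firewalls permit host A to the Internet."""
    return [Firewall("FW-A1", [("permit", "10.1.0.7/32", "0.0.0.0/0")]),
            Firewall("FW-A", [("permit", "10.1.0.7/32", "0.0.0.0/0")])]


def inconsistent_chain():
    """FW-A was set up for a different subnet, so it silently blocks host A."""
    return [Firewall("FW-A1", [("permit", "10.1.0.7/32", "0.0.0.0/0")]),
            Firewall("FW-A", [("permit", "10.1.1.0/24", "0.0.0.0/0")])]


if __name__ == "__main__":
    for label, chain in (("consistent", consistent_chain()), ("inconsistent", inconsistent_chain())):
        print(label, "->", path_decision(chain, HOST_A, INTERNET_SERVER))
        for src, dst, verdicts in audit(chain, FLOWS):
            print("  disagreement on", src, "->", dst, verdicts)
```

The audit is only as good as the sample flows it is given; in practice the flow list would be generated from the addresses that appear in both rule sets, so that every prefix one firewall mentions is probed against the other.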
In conventional technology:
(1) A single computer provides unified management by linking a network management mechanism and computer jobs (Japanese laid-open patent publication number 9-69083);
(2) A pre-existing tunneling set-up is displayed graphically (Japanese laid-open patent publication number 10-200530).
There have also been attempts to use a directory service to set up the access policies for distributed servers. However, none of these technologies addresses how to efficiently manage and distribute configuration files stored on distributed computers, and none provides features for maintaining consistency among the contents of those configuration files.