by Lisa Erickson-Harris

Nortel policy software helps with both security and QoS

Feb 09, 2004
Data Center, Security

* Nortel’s Optivity Policy Services yields security, QoS benefits for two users

Virtually all enterprises are concerned with network access control, and most are equally interested in delivering consistent service quality to their users. Yet I expect few, if any, would want to combine network access control and quality-of-service control in a single product; many may even question why doing so makes sense.

Nortel’s Optivity Policy Services (OPS) takes a simple but far-reaching approach to both network access and QoS. OPS was designed for provisioning voice, video and data over IP; in addition, it provides access control for network resources and traffic filters that can limit denial-of-service attacks. It is centralized and uses policy-based provisioning: policy definitions can be developed quickly and distributed automatically to the network devices that enforce them.

In OPS, each policy has three elements: a traffic condition, a schedule, and a template for deploying the policy consistently across a network. OPS follows the DiffServ model, in which differentiated service is achieved by marking packets at the edge node and honoring that marking in the network core. Policies can admit or deny particular types of data flow. Because policies are evaluated in priority order, a broad policy that denies certain traffic can be installed at a lower priority, while narrower admission-control policies are installed at a higher priority to admit the flows that are permitted. Traffic can be shaped or dropped as appropriate, and policies can be activated or deactivated according to schedules that fit the organization’s needs.
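To make the priority layering, the schedules and the edge marking concrete, here is a small policy evaluator written in Python for this column. It is an added example, not Nortel code, and it does not describe how OPS is implemented internally. The policy names, priorities, the DSCP values chosen, the evaluation times, the sample flows and the RTP port 16384 are all constructed for illustration; the Blaster ports (TCP 135 and TCP 4444) are the ones commonly documented for that worm. The second policy set goes slightly beyond the text: it shows what happens when the deny filter is written without a protocol condition, so that a flow not covered by any higher-priority admit policy is dropped along with the worm traffic.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple


@dataclass
class Schedule:
    """Daily activation window; an end earlier than start spans midnight."""
    start: time
    end: time

    def active(self, at: datetime) -> bool:
        t = at.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end


@dataclass
class Flow:
    proto: str               # "tcp", "udp" or "icmp"
    dst_port: Optional[int]  # None for ICMP, which has no ports


@dataclass
class Policy:
    name: str
    priority: int                      # higher number wins when several match
    action: str                        # "admit", "deny" or "shape"
    proto: Optional[str] = None        # None = any protocol (a very broad match)
    dst_port: Optional[int] = None     # None = any destination port
    dscp: int = 0                      # DiffServ code point marked at the edge
    schedule: Optional[Schedule] = None

    def matches(self, flow: Flow, at: datetime) -> bool:
        if self.schedule is not None and not self.schedule.active(at):
            return False
        if self.proto is not None and self.proto != flow.proto:
            return False
        if self.dst_port is not None and self.dst_port != flow.dst_port:
            return False
        return True


def evaluate(policies: List[Policy], flow: Flow, at: datetime) -> Tuple[str, str, int]:
    """Edge-node decision: the first match in descending priority order wins.
    Returns (policy name, action, DSCP value to mark on the packets)."""
    for p in sorted(policies, key=lambda p: p.priority, reverse=True):
        if p.matches(flow, at):
            return p.name, p.action, p.dscp
    return "default", "admit", 0


EF = 46    # DSCP Expedited Forwarding, the usual marking for voice
AF11 = 10  # DSCP AF11, a lower-priority assured-forwarding class
NIGHT = Schedule(time(22, 0), time(6, 0))  # constructed overnight window

# Constructed policy set in the layered style the text describes:
# broad denies at low priority, narrower admits at higher priority.
POLICIES = [
    Policy("block-blaster-rpc", priority=50, action="deny", proto="tcp", dst_port=135),
    Policy("block-blaster-shell", priority=50, action="deny", proto="tcp", dst_port=4444),
    Policy("block-all-icmp", priority=10, action="deny", proto="icmp"),
    Policy("admit-voice-signaling", priority=90, action="admit", proto="udp", dst_port=5060, dscp=EF),
    Policy("shape-backups-overnight", priority=60, action="shape", proto="tcp", dst_port=873,
           dscp=AF11, schedule=NIGHT),
]

# Same set, but the ICMP filter was written with no protocol condition at all,
# turning it into a catch-all deny. Any legitimate flow that no higher-priority
# admit policy covers (here: constructed RTP media on UDP 16384) is dropped too.
OVERBROAD = [p for p in POLICIES if p.name != "block-all-icmp"] + [
    Policy("deny-everything", priority=10, action="deny"),
]

if __name__ == "__main__":
    at = datetime(2004, 2, 9, 10, 30)  # constructed evaluation time
    for flow in (Flow("tcp", 135), Flow("icmp", None), Flow("udp", 5060), Flow("tcp", 873)):
        print(flow, "->", evaluate(POLICIES, flow, at))
    print("backup at 23:00 ->", evaluate(POLICIES, Flow("tcp", 873), datetime(2004, 2, 9, 23, 0)))
    print("RTP under POLICIES ->", evaluate(POLICIES, Flow("udp", 16384), at))
    print("RTP under OVERBROAD ->", evaluate(OVERBROAD, Flow("udp", 16384), at))
```

The check worth running before a filter is pushed network-wide is the last two lines: evaluate every business-critical flow against the candidate policy set and confirm that each one still reaches an admit policy ahead of the new deny.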

Enterprise Management Associates (EMA) recently validated OPS’s effectiveness for two users. One was a regional hospital that purchased OPS to push large changes to many devices at the same time, a common requirement for midsize IT groups with limited staffing.

Then it was hit by the Welchia and Blaster worms. Before OPS, the hospital’s typical response would have been to develop a filter by hand to block the worm, then apply and load that filter on each device manually. Using OPS, the hospital identified the worms and worked with Nortel support to set up a policy that filtered the worm traffic.

In the second environment, OPS was purchased to push consistent policies out across a distributed network; the goal was strictly to avoid having to physically touch hundreds of wiring closets to maintain QoS. That organization was also hit by a widespread virus and used OPS to create and deploy filters that kept the infection from spreading to the network core. In doing so it learned the value of OPS for security as well as QoS.

As both examples indicate, Nortel’s OPS crosses the boundary between security and QoS, both of which are key elements of service-level management. In EMA’s view, the combination of QoS with access control is compelling, even though in one instance a VoIP application was temporarily blocked when a filter disabled all ICMP traffic without narrowing its match conditions. The lesson for practitioners is to write deny filters as narrowly as the threat allows and to confirm that higher-priority admit policies cover business-critical flows before a filter is pushed network-wide.

Nortel estimates that OPS is likely to cost under $20,000, and prospective buyers concerned about security should plan to invest in policy planning and deployment as well. In many environments built on Nortel infrastructure, that effort should be well worth it for the returns gained in the ongoing battle against security attacks.