Module: ICT Fundamentals (ITK-Grundlagen): “Enterprise IT Infrastructure Building Blocks”
Freiburg, 12 September 2005
Content
• Introduction Enterprise IT Architecture
• Network Architecture Basics, Components
• System Architecture, Storage, Server, Data Center Trends
• Security “AAA”
Definition
“Information Technology is the use of
hardware, software, services, and supporting
infrastructure to manage and deliver
information.”
Enterprise IT
• Enterprise IT needs to connect information, people, systems and devices
Distributed Enterprise IT Themes
(Diagram: a distributed enterprise in which Supplier A, Supplier B, Supplier C, a Web Site, Order fulfillment, Inventory and Customers are all interconnected)
Themes:
• Security
• Reliability & Availability
• Synchronous vs. asynchronous
• Scalability
• Integration
Enterprise IT Requirements
• Multi Channel (extend the access, hence the transactional surface)
  Web, Desktop, Mobile Apps, Call Centers, B2B Partners… Allow a context to be kept through different channels
• Service Oriented (maximize re-use, permit agility)
  Key enabler of multi channel; permits legacy system wrapping; faster, easier integration across business processes; increases modularity, hence increases flexibility
• Very Internet Aware (provide connectedness)
  Within the enterprise, remote employees, partners, customers
Enterprise Architecture
• Used to define the Enterprise IT landscape so that it copes with the current and (hopefully) later requirements
• The art of abstracting and designing systems: their structure, components and interrelations
• Different architectural views help to map business requirements to applications and to physical systems
Architectural views
(Diagram, cell layout lost in extraction: rows Conceptual / Logical / Implementation against columns Business / Information / Application / Technology. Cell contents in the order extracted: physical servers, software installed, network layout; detailed design; technology-dependent design; DB schemas; data access strategy; process specifications; logical server types; service mappings; service interactions; service definitions; object models; schemas & document specifications; workflow models; role definitions; service distribution; “abilities” strategy; process models; service factoring; entity relationship models; use cases & scenarios; business models)
Enterprise Architecture Areas
• Strategy
• Organization and Security
• Network Architecture
• System Architecture
• Data Architecture
• Applications Architecture
• Functional Architecture
• Operations and Management
Standards not all there / still evolving
Standardization Timeline
(Diagram: the same areas placed on a timeline with the periods 1980s & 1990s, 1990s & 2000s, 2000s & 2010s)
Enterprise Architecture Areas covered in this talk
• Organization and Security
• Network Architecture
• System Architecture
Network Architecture
Networking Basics
Communications Architecture
• The complexity of the communication task is reduced by using multiple protocol layers:
  Each protocol is implemented independently
  Each protocol is responsible for a specific subtask
  Protocols are grouped in a hierarchy
• A structured set of protocols is called a communications architecture or protocol suite
TCP/IP Protocol Suite
• The TCP/IP protocol suite is the protocol architecture of the Internet
• The TCP/IP suite has four layers: Application, Transport, Network, and Data Link Layer
• End systems (hosts) implement all four layers. Gateways (Routers) only have the bottom two layers.
(Diagram: the four layers stacked; the Application layer runs as user-level programs, the Transport, Network and Data Link layers inside the operating system; in local area networks the Media Access Control (MAC) sublayer is part of the Data Link layer)
Functions of the Layers
• Data Link Layer
  Service: Reliable transfer of frames over a link; Media Access Control on a LAN
  Functions: Framing, media access control, error checking
• Network Layer
  Service: Move packets from source host to destination host
  Functions: Routing, addressing
• Transport Layer
  Service: Delivery of data between hosts
  Functions: Connection establishment/termination, error control, flow control
• Application Layer
  Service: Application specific (delivery of email, retrieval of HTML documents, reliable transfer of files)
  Functions: Application specific
TCP/IP Suite and OSI Reference Model
• The TCP/IP protocol stack does not define the lower layers of a complete protocol stack
(Diagram: side-by-side comparison)
OSI Reference Model: Application Layer, Presentation Layer, Session Layer, Transport Layer, Network Layer, (Data) Link Layer, Physical Layer
TCP/IP Suite: Application Layer, Transport Layer, Network Layer, (Data) Link Layer
Ports
• Available at the Transport layer
• Provide the multiplexing/demultiplexing facility at this layer
• 16-bit numbers
• 1-1024 is reserved for standard applications
• Examples: 80: HTTP, 443: HTTPS, 25: SMTP, 20: FTP
Switch
• A switch learns the MAC addresses of the devices connected to it, and sends packets directly and only to the target end-point.
• Provides much more consistent bandwidth and latency
Router
• Segments LANs into distinct networks and subnetworks; e.g. the distinct red, green and blue LANs with distinct network numbers.
• Segments LANs into broadcast domains
• Provides interface to the WAN
(Diagram: one Ethernet switch per floor (1st, 2nd, 3rd), all connected to a router)
VLAN
• A single physical LAN can be logically segmented into multiple logical LANs; and,
• Physically separate LANs can be made to behave and appear as a single LAN
• Packets are tagged according to LAN membership, e.g. green LAN, red LAN and blue LAN.
• Ethernet switches establish broadcast domains according to the defined VLAN boundaries
• Routers establish multiple VLANs on a single interface
(Diagram: Building A and Building B, each with 1st, 2nd and 3rd floor switches, joined over a Campus Backbone to a router; the VLANs span both buildings)
Firewall
• A Firewall is a barrier device placed between two separate Networks.
• The two most prevalent types of Firewalls are Packet Filters and Application Layer Gateways.
Packet Filters
• Packet Filters block traffic
• Sometimes called screening routers
• The filtering method is based on IP address and/or port numbers.
• They impose security restrictions at lower layers, usually by inspecting IP and TCP/UDP packet headers against tables of filtering rules.
• Based on the information it extracts from the packet headers, the Packet Filter makes security decisions such as “forward this packet” or “don’t forward this packet”.
Application Level Gateways
• Application Level Gateways (ALGs) serve as a relay between two networks.
• ALGs are application-aware entities that examine application protocol flows and only allow messages that conform to security policies to pass through
• ALGs may also modify messages so that they will conform to the policies and be able to pass through
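The two ideas above, protocol layering and a packet filter that decides on header fields alone, fit in one small program. This is an added example for this deck, not code from the slides: it walks down a constructed Ethernet II / IPv4 / TCP frame one layer at a time, exactly as each layer would strip its own header, and then applies a first-match rule table of the screening-router kind to the extracted addresses and ports. The MAC addresses, IP addresses, ports and the rule table are all constructed sample values; checksums are left zero because only the header fields a packet filter reads are of interest here.

```python
"""Layer-by-layer header parsing plus a packet-filter rule table.
Added example for this deck; frame contents and rules are constructed."""
import struct
from dataclasses import dataclass


@dataclass
class Headers:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    protocol: int          # IP protocol number: 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_frame(frame: bytes) -> Headers:
    """Data Link (Ethernet II) -> Network (IPv4) -> Transport (TCP/UDP):
    each layer reads its header and hands the remaining bytes upward."""
    # Data link: 6-byte destination MAC, 6-byte source MAC, 2-byte EtherType
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4 (EtherType 0x{ethertype:04x})")
    ip_packet = frame[14:]
    # Network: IHL (low nibble of byte 0) is the header length in 32-bit words
    ihl = (ip_packet[0] & 0x0F) * 4
    protocol = ip_packet[9]
    src_ip, dst_ip = ip_packet[12:16], ip_packet[16:20]
    segment = ip_packet[ihl:]
    # Transport: TCP and UDP both begin with 16-bit source and destination ports
    if protocol not in (6, 17):
        raise ValueError(f"unsupported protocol {protocol}")
    src_port, dst_port = struct.unpack("!HH", segment[0:4])
    return Headers(_mac(src_mac), _mac(dst_mac), _ip(src_ip), _ip(dst_ip),
                   protocol, src_port, dst_port)


def build_frame(src_ip: str, dst_ip: str, protocol: int, src_port: int, dst_port: int) -> bytes:
    """Constructed test frame: fixed sample MACs, zero checksums, a port stub as payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    payload = struct.pack("!HH", src_port, dst_port) + b"\x00" * 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, protocol, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + payload


# Constructed rule table, first match wins, default deny.
# Fields: (action, protocol or None, destination prefix or None, destination port or None)
RULES = [
    ("forward", 6, "10.0.0.", 80),      # HTTP into the 10.0.0.0/24 web segment
    ("forward", 6, "10.0.0.", 443),     # HTTPS likewise
    ("forward", 17, "10.0.0.53", 53),   # DNS to one resolver only
    ("drop", None, None, None),         # everything else
]


def filter_packet(frame: bytes, rules=RULES) -> str:
    """Return the action of the first rule whose fields all match the headers."""
    h = parse_frame(frame)
    for action, proto, dst_prefix, dst_port in rules:
        if proto is not None and h.protocol != proto:
            continue
        if dst_prefix is not None and not h.dst_ip.startswith(dst_prefix):
            continue
        if dst_port is not None and h.dst_port != dst_port:
            continue
        return action
    return "drop"
```

The parser never looks past the port numbers, which is the point of the slide: a packet filter decides on layer 2 to 4 headers and has no view of the application payload, which is what the application level gateway adds.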
Example
(Diagram: a sample network with a 2 Mbit/s leased line and a 128 kBit/s ENX connection)
WLANs
WLAN
• A WLAN shares the same characteristics as a standard data-based LAN with the exception that network devices do not use cables to connect to the network
• RF is used to send and receive packets
• Sometimes called Wi-Fi for Wireless Fidelity
IEEE 802.11 Standards
• IEEE 802.11
  802.11b - DSSS @ 11Mbps, 2.4GHz
  802.11a - DSSS @ 54Mbps, 5GHz
  802.11g - DSSS @ 22Mbps, 2.4GHz
  802.11e - DSSS @ 22Mbps w/QoS
WLAN Components
(Diagram: wireless clients associate with an 802.11b Access Point, which connects over Ethernet to a router and on to the Internet)
WLAN Components (continued)
• Each network device must have a wireless network interface card installed
• Wireless NICs are available in a variety of formats: Type II PC card, CompactFlash (CF) card, USB stick, built in
WLAN Components (continued)
• An access point (AP) consists of three major parts:
  An antenna and a radio transmitter/receiver to send and receive signals
  An RJ-45 wired network interface that allows it to connect by cable to a standard wired network
  Special bridging software
Basic WLAN Security
• Two areas: Basic WLAN security, Enterprise WLAN security
• Basic WLAN security uses two new wireless tools and one tool from the wired world:
  Service Set Identifier (SSID) beaconing
  MAC address filtering
  Wired Equivalent Privacy (WEP)
Wired Equivalent Privacy (WEP)
• Optional configuration for WLANs that encrypts packets during transmission to prevent attackers from viewing their contents
• Uses shared keys―the same key for encryption and decryption must be installed on the AP, as well as each wireless device
• A serious vulnerability in WEP is that the IV is not properly implemented
• Every time a packet is encrypted it should be given a unique IV
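Why the IV point matters can be shown in a few lines. This is an added example for this deck, not code from the slides: a compact RC4 (the stream cipher WEP uses) is keyed WEP-style with IV || shared key, two packets are encrypted under the same IV, and the XOR of the two ciphertexts turns out to equal the XOR of the two plaintexts, because a repeated IV means a repeated keystream and the key cancels out. With a fresh IV per packet no such relation exists. A small report function counts repeated IVs over captured (IV, ciphertext) records, which is the check a WLAN administrator would want to see come back empty. The shared key, IVs and packet contents are constructed sample values.

```python
"""IV reuse in a WEP-style stream cipher. Added example for this deck;
key, IVs and packets are constructed, RC4 is written out for illustration."""
from collections import Counter
from typing import Dict, List, Optional, Tuple


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                        # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_style_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """Per-packet keying as WEP does it: the 3-byte IV is prepended to the
    shared key to seed the cipher and is sent in the clear with the packet."""
    assert len(iv) == 3
    return xor(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def keystream_reuse_leak(iv1: bytes, c1: bytes, iv2: bytes, c2: bytes) -> Optional[bytes]:
    """Two packets under one IV share a keystream, so c1 XOR c2 == p1 XOR p2.
    Returns that value, or None when the IVs differ and no relation exists."""
    if iv1 != iv2:
        return None
    return xor(c1, c2)


def iv_reuse_report(packets: List[Tuple[bytes, bytes]]) -> Dict[bytes, int]:
    """Monitoring check over captured (iv, ciphertext) records: every IV seen
    more than once. A correct implementation should report nothing."""
    counts = Counter(iv for iv, _ in packets)
    return {iv: n for iv, n in counts.items() if n > 1}


# Constructed sample traffic
SHARED_KEY = bytes.fromhex("0102030405")          # 40-bit WEP-style key (sample)
P1 = b"GET /index.html HTTP/1.0"
P2 = b"PUT /upload.cgi HTTP/1.0"
IV_A, IV_B = bytes.fromhex("0a0b0c"), bytes.fromhex("0a0b0d")


def demo():
    # Broken implementation: the same IV for two packets
    c1 = wep_style_encrypt(IV_A, SHARED_KEY, P1)
    c2 = wep_style_encrypt(IV_A, SHARED_KEY, P2)
    leaked = keystream_reuse_leak(IV_A, c1, IV_A, c2)
    same_as_plain_xor = leaked == xor(P1, P2)
    # Correct implementation: a unique IV for the second packet
    c3 = wep_style_encrypt(IV_B, SHARED_KEY, P2)
    no_relation = keystream_reuse_leak(IV_A, c1, IV_B, c3)
    report = iv_reuse_report([(IV_A, c1), (IV_A, c2), (IV_B, c3)])
    return same_as_plain_xor, no_relation, report
```

The report function is the practical takeaway: with only a 3-byte IV a busy access point will repeat IVs no matter how carefully they are chosen, which is why the slides go on to WPA rather than to a better WEP configuration.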
Trusted Network
• It is still possible to provide security for a WLAN and treat it as a trusted network
• Wi-Fi Protected Access (WPA) was crafted by the WECA in 2002 as an interim solution until a permanent wireless security standard could be implemented
• Has two components: WPA encryption, WPA access control
System Architecture: Storage
Networked & Direct Attached Storage
Storage types
Networked Storage: improve manageability, usability and costs by moving storage out of the server.
  • Storage Area Network (SAN): intensive data processing and management of large quantities of storage. Environment: 300 GB or more with 1-100 servers.
  • Network Attached Storage (NAS): file sharing. Environment: 160GB or more attached to an IP network or a SAN.
Direct Attached: satisfy immediate storage needs for overloaded servers.
  • SCSI Disk Arrays: simple storage that attaches directly to your server, or basic clustering. Environment: can attach up to two servers directly to the array.
  • Fibre Disk: buy the building blocks of a SAN as needed; attach more servers as you grow. Environment: can attach up to two servers directly to the array.
SCSI implementations
• SCSI-1: Uses an 8-bit bus, and supports data rates of 4 MBps
• SCSI-2: Same as SCSI-1, but uses a 50-pin connector instead of a 25-pin connector, and supports multiple devices. This is what most people mean when they refer to plain SCSI.
• Wide SCSI: Uses a wider cable (168 cable lines to 68 pins) to support 16-bit transfers.
• Fast SCSI: Uses an 8-bit bus, but doubles the clock rate to support data rates of 10 MBps.
• Fast Wide SCSI: Uses a 16-bit bus and supports data rates of 20 MBps.
• Ultra SCSI: Uses an 8-bit bus, and supports data rates of 20 MBps.
• SCSI-3: Uses a 16-bit bus and supports data rates of 40 MBps. Also called Ultra Wide SCSI.
• Ultra2 SCSI: Uses an 8-bit bus and supports data rates of 40 MBps.
• Wide Ultra2 SCSI: Uses a 16-bit bus and supports data rates of 80 MBps.
SAN (Storage Area Network)
• A SAN is an intelligent network environment in which storage resources are deployed and managed independently of any single server.
SAN Benefits
• Performance: FC @ 200MB/sec vs SCSI @ 40MB/sec
• Availability: Redundancy, non-disruptive upgrades
• Scalability: Add or re-deploy storage as needed
• Backup/restore/archive: LAN-free; move data at FC speed vs LAN (up to 100x)
• Centralized storage management: Manage SAN as a single entity (shared resources)
SAN Components
• Fiber Channel (FC) network: redundant network made up of fiber channel switches
  Very low latency; high reliability; fiber optic or copper cables; distance 10km; 1, 2 or 4 Gb transmission speeds
• Host Bus Adapter (HBA): similar to a SCSI adapter card or a network interface card (NIC), provides the server with a FC interface to the SAN
• Storage Subsystem: includes storage processor, cache and storage devices (e.g. disks)
DELL EMC2 SAN solution: 4TB capacity
(Diagram: a CX300 DPE (Disk Processor Enclosure) with two DAEs (Disk Array Enclosures), attached through 24 port FC switches at 2GB/s)
iSCSI
• Native storage I/O over TCP/IP
  Leverages the installed base of Ethernet and TCP/IP networks
  Lower costs than FC
  Lower performance; much higher latency
  Only really comparable to FC with TOE and iSOE on the NIC
(Diagram: the iSCSI stack: iSCSI over TCP over IP over MAC over PHY)
RAID
RAID (Redundant Array of Inexpensive Disks)
• Late 1980s R&D project at UC Berkeley
• Capacity scaling: Combine multiple address spaces into a single virtual address space
• Performance through parallelism: Spread I/Os over multiple disk spindles
• Reliability/availability with redundancy: Disk mirroring (striping to 2 disks); Parity RAID (striping to more than 2 disks)
Most common RAID levels
• Level 0 (striping): Any application which requires very high speed storage, but does not need redundancy. Photoshop temporary files are a good example. Minimum of 2 drives required.
• Level 1 (mirroring): Applications which require redundancy with fast random writes; entry-level systems where only two drives are available. Small file servers are an example. Minimum of 2 drives required.
• Level 5 (distributed (striping) parity): High performance if most I/O is random and in small chunks. Database servers are an example. Minimum of 3 drives required.
• Level 0/1 or 10 (mirroring and striping): Dual level RAID, combines multiple mirrored drives (RAID 1) with data striping (RAID 0) into a single array. Provides highest performance with data protection. Minimum of 4 drives required.
RAID Level 5
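What “distributed parity” buys you is easiest to see by doing it. This is an added example for this deck, not code from the slides: it stripes a byte string across N disks with one XOR parity block per stripe, rotates the parity position from stripe to stripe as RAID 5 does, then drops one disk and rebuilds every block of it from the survivors. The disk count, block size and sample payload are constructed; a real controller works in sectors and keeps the layout in metadata, but the arithmetic is the same.

```python
"""Parity RAID in miniature: stripe, rotate parity, lose a disk, rebuild.
Added example for this deck; disk count and payload are constructed."""
from typing import List, Optional

BLOCK = 4  # bytes per block, tiny so the layout stays visible


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Bytewise XOR of equal-length blocks; the parity of a stripe."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, x in enumerate(b):
            out[i] ^= x
    return bytes(out)


def parity_disk_for(stripe: int, n_disks: int) -> int:
    """RAID 5 rotates the parity block so no single disk is the parity bottleneck."""
    return (n_disks - 1 - stripe) % n_disks


def raid5_write(data: bytes, n_disks: int) -> List[List[bytes]]:
    """Return disks[d][s] = the block held by disk d in stripe s. Each stripe has
    n_disks - 1 data blocks and one parity block, so usable capacity is (n-1)/n."""
    assert n_disks >= 3, "RAID 5 needs at least three drives"
    per_stripe = (n_disks - 1) * BLOCK
    padded = data + b"\x00" * (-len(data) % per_stripe)
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for s in range(len(padded) // per_stripe):
        chunk = padded[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i:i + BLOCK] for i in range(0, per_stripe, BLOCK)]
        parity = xor_blocks(blocks)
        it = iter(blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk_for(s, n_disks) else next(it))
    return disks


def rebuild_disk(disks: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Reconstruct the failed disk block by block as the XOR of the other blocks
    in each stripe; works whether the lost block was data or parity."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]


def raid5_read(disks: List[List[bytes]], length: int) -> bytes:
    """Reassemble the logical byte string, skipping each stripe's parity block."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        for d in range(n_disks):
            if d != parity_disk_for(s, n_disks):
                out += disks[d][s]
    return bytes(out[:length])


def demo(n_disks: int = 4):
    payload = b"database page 0001 / database page 0002 / index"   # constructed
    disks = raid5_write(payload, n_disks)
    failed = 1                                                    # lose drive 1
    degraded = [None if i == failed else d for i, d in enumerate(disks)]
    rebuilt = rebuild_disk(degraded, failed)
    restored = [rebuilt if i == failed else d for i, d in enumerate(disks)]
    return rebuilt == disks[failed], raid5_read(restored, len(payload)) == payload, len(disks[0])
```

Note what the rebuild loop costs: every surviving disk is read in full to recreate one disk, which is why a second failure during that window loses the array and why the slides pair RAID with mirroring or backup rather than treating it as one.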
Backup & Recovery
Generic Network Backup System
(Diagram: file server, web server, DB server and APP server, each running a backup agent, connected over the Ethernet network to a backup server; the backup server hosts the work scheduler, data mover, metadata system and media manager and drives the tape drive(s) or tape subsystem over a SCSI bus)
Tape subsystems
(Diagram: a tape subsystem controller, a robot, several tape drives and a pool of tapes)
Backup operations
• Full (all data): Longest backup operation; usually done over/on weekends; easiest recovery with 1 tape set
• Incremental (changed data): Shortest backup operation; often done on days of the week; most involved recovery
• Differential (accumulated changed data): Compromise for easier backups and recovery; max 2 tape set restore
Traditional backup challenges
• Completing backups within the backup window*: Starts after daily processing finishes; ends before next day's processing begins
• Media management and administration: Thousands of tapes to manage; audit requirements are increasing; on/offsite movement for disaster protection
• Balancing backup time against restore complexity
*Backup window = time allotted for daily backups
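The trade-off between backup time and restore complexity in the two lists above can be computed rather than asserted. This is an added example for this deck, not code from the slides: it simulates one week with a full backup on day 0 and daily backups afterwards, derives what each full, incremental or differential tape set contains from a constructed change history, and returns the ordered list of tape sets a restore for a given day has to mount. The schedule and the change sets are constructed sample data.

```python
"""Restore chains for full, incremental and differential backups.
Added example for this deck; schedule and change history are constructed."""
from typing import Dict, List, Set, Tuple

# Constructed schedule: day index -> backup type (full on day 0, daily after)
SCHEDULE = {0: "full", 1: "incr", 2: "incr", 3: "incr", 4: "incr", 5: "incr"}

# Constructed change history: files modified during each day's processing
CHANGES = {
    0: {"a", "b", "c", "d"},        # everything present at the full backup
    1: {"a"},
    2: {"b", "e"},
    3: {"a", "e"},
    4: {"c"},
    5: {"d", "e"},
}


def last_full_before(day: int, schedule: Dict[int, str]) -> int:
    return max(d for d in schedule if d <= day and schedule[d] == "full")


def backup_contents(day: int, schedule: Dict[int, str], changes: Dict[int, Set[str]]) -> Set[str]:
    """What the tape set written on `day` holds.
    full: all data; incr: changes since the previous backup of any type;
    diff: accumulated changes since the last full."""
    kind = schedule[day]
    if kind == "full":
        return set().union(*(changes[d] for d in changes if d <= day))
    if kind == "diff":
        since = last_full_before(day, schedule)
    else:
        since = max(d for d in schedule if d < day)
    return set().union(*(changes[d] for d in range(since + 1, day + 1)))


def restore_chain(day: int, schedule: Dict[int, str]) -> List[int]:
    """Tape sets to mount, oldest first, to rebuild the state as of `day`."""
    last_full = last_full_before(day, schedule)
    if schedule[day] == "full":
        return [day]                                   # 1 tape set
    if schedule[day] == "diff":
        return [last_full, day]                        # at most 2 tape sets
    # incremental: the full plus every backup after it, up to and including `day`
    return [last_full] + [d for d in sorted(schedule) if last_full < d <= day]


def restore(day: int, schedule: Dict[int, str], changes: Dict[int, Set[str]]) -> Set[str]:
    """Apply the chain in order; here only the set of files is tracked, which is
    enough to show which tapes must be read and that nothing is missed."""
    restored: Set[str] = set()
    for d in restore_chain(day, schedule):
        restored |= backup_contents(d, schedule, changes)
    return restored


def compare_strategies(day: int) -> Dict[str, Tuple[int, int]]:
    """For the same change history: (tape sets read on restore, files written by
    today's backup) for an all-incremental and an all-differential weekday schedule."""
    result = {}
    for kind in ("incr", "diff"):
        sched = {d: ("full" if k == "full" else kind) for d, k in SCHEDULE.items()}
        result[kind] = (len(restore_chain(day, sched)), len(backup_contents(day, sched, CHANGES)))
    return result
```

Run `compare_strategies(5)` and the numbers line up with the slide: the incremental schedule writes the least each night but needs six tape sets to restore Friday, the differential schedule writes more each night but never needs more than two.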
LAN-free backup in SANs
(Diagram: file server, web server, DB server and APP server, each running backup software, sit on the Ethernet client network (LAN) and are attached through a SAN switch to tape drives or a tape subsystem on the SAN, so backup data never crosses the LAN)
Advantages of LAN-free backup
• Consolidated resources (especially media)
• Centralized administration
• Performance
• Offloads LAN traffic
System Architecture: Server
Server Clustering
Today’s server infrastructure requirements
• High Availability: No single point of failure; real time notification
• Scalability: Increasing processing power and capacity needs; incremental addition of resources
• Manageability: Contain the cost of maintaining an increasingly complex environment
Cluster definition
• Cluster = A group of individual computers and storage devices that work together yet can be accessed as a single system.
Cluster Concepts and Terminology
• Node = An individual system that is either an active or inactive member of a cluster.
• Cluster service = The collection of software on each node that manages or performs a cluster specific activity.
• Resources = Physical or logical entities managed by the Cluster service. Example: Disk drives
• Shared Disks = Devices (normally hard drives) that cluster nodes are attached to via a shared bus.
• Quorum Disk = Resides on the shared disks and maintains consistency of the cluster configuration on all nodes. It contains management data and the recovery log, and arbitrates between nodes to determine ownership of the cluster.
Cluster configuration
(Diagram: two nodes, each with a private storage device, both attached to a shared storage device, linked to each other by a heartbeat connection and to the LAN)
Data Center Trends
Data Centers today - A multi-tier perspective
(Diagram: browsers reach the web servers through the firewall network and load balancing; web servers call app servers, app servers call DBMS servers, which sit on the storage network)
• Mapping of server platforms to n-tier architectures
• Requirements and capabilities vary by tier
Scalability: Up and Out
• “Scale Up”: Datacenter class machines (“big iron”); cluster for availability
• “Scale Out”: Commodity servers; cluster for scalability and availability
The tiers (table reconstructed from the flattened slide; the 2004/2008 column assignment is inferred from the OS lists)
Web Server layer
  Platform: Scale out; blade servers; thin rack form factor (1-2U); small SMP (1-2 CPUs); Intel volume
  Scalability / High Availability: Multiple boxes; IP load balancing; systems management services
  Operating System: 2004: Win2000, Linux, NT, Win2003; 2008: Win2003, Linux
App Server layer
  Platform: Scale out; modular servers; rack or standalone form factor; medium SMP (1-4 CPUs); Intel volume
  Scalability / High Availability: Same as above plus: application server session management; app server load balancing
  Operating System: 2004: Win2000, Linux, NT, Unix, Win2003; 2008: Win2003, Linux
DBMS Server layer
  Platform: Scale up and out; single instance*; large SMP or hybrid (NUMA) (4-16+ CPUs); Intel & RISC
  Scalability / High Availability: Data storage (mirroring, RAID, replication); OS clustering; DBMS clustering; typically 2 nodes (moving to 4+)
  Operating System: 2004: Win2000, Unix, Win 2003, legacy NT, Linux; 2008: Win2003, Unix & legacy Linux
Data center example
(Diagram: a sample data center reached over a 2 Mbit/s leased line and a 128 kBit/s ENX connection)
Virtualization
• Virtualization: Clients see a large virtual server; underlying infrastructure hidden
• Virtualization form factors: Blades contain processor, memory, and I/O; rack contains blades, switches, UPS and cooling; grids add sync/async network, applications aware of bandwidth and latency dynamics
Typical Blade Platform Today
(Diagram: compute blades plug into a passive chassis midplane; the chassis provides the network switches, FC switches and a Chassis Management Module (CMM). Each blade carries two 1GbE NICs, two CPUs, memory, a chipset, two IDE drives and a Fibre Channel daughter card)
• Current models are typically 6U to 7U chassis with 10 to 14 1P/2P x64 blades
• Each blade is like a server motherboard: IDE/SCSI attached disks, network and IO daughter card on the blade; the midplane is passive; IO switches are provided in the chassis
(Photos: DELL PowerEdge 1855 blades, blade chassis, blade server)
Server Virtualization example
Software Partitions using Virtual Server (VS) 2005
• Volume 32-bit application solution
• Out of the box consolidation
• Heterogeneous OS/App consolidation
• Supported on standard servers
• Highly flexible and configurable solution
(Diagram: a Windows compliant server running a Windows host OS and Virtual Server, hosting NT4, Win2K and Win2K3 guests, each with its own apps)
What is Grid Computing?
“In basic terms, grids are clusters of interconnected servers, enabling shared computing resources utilization”
“Defining Grid Computing”, Giga Research
Grid Computing Vision
• Computing as a utility: A network of clients and service providers
• Client-side: Simplicity: Request computation or information and receive it
• Server-side: Sophistication: Availability, load balancing, utilization; information sharing, data management
Grid Computing Components
• Storage
• Database Servers
• Application Servers
• Provisioning and Management Tools
Who we are
Organization and Security
Sophistication of Hacker Tools
(Chart: technical knowledge required, from high to low, against time from 1980 to 2000. Techniques shown: password guessing, self replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet forging/spoofing, stealth diagnostics, DDOS, Internet worms)
Threats Are More Dangerous; Easier to Use
Security - Defense In Depth
(Diagram: concentric layers from the outside in: Perimeter Defenses, Network Defenses, Host Defenses, Application Defenses, Data and Resources. Each layer assumes the prior layers fail.)
Network Security Tools
(Diagram: Identity, Secure Connectivity and Perimeter Security at the Internet edge; Security Monitoring and Security Management across the whole network. Tools: authentication, firewalls, VPN, intrusion detection, scanning, policy)
Identity Services: Think “AAA”
• Authenticate: Who are you?• Authorize: What can you do?• Account: What did you do?
Identity and AAA+
• User account management—manage users across an ever-expanding set of network access points (voice, video, cable, DSL, wireless, etc. )
• User authentication—stronger authentication required to control users accessing corporate resources from public networks and VPNs
• User and administration policies—more flexibility to address different authorization requirements across LANs, WANs, VPNs, intranets, extranets and B2B exchanges
• User reporting and tracking—tools to monitor, audit and log user and administration activity in the network
• User Session management—track IP-to-ID, user status, transparent authentication, maximum sessions, user security (is Fred on the network?), etc.
AAA in the Network
(Diagram: an Access Control Server on the corporate network, backed by a token server and an external datastore (Win32, NDS, SQL, ODBC, LDAP, etc.), answers RADIUS requests from NAS devices for branch office (ISDN), PSTN/analog and voice access; TACACS+ for Telnet admin access; 802.1x for switching and wireless LANs; a proxy AAA at the ISP gateway for home telecommuters over DSL/cable; plus Internet VPNs and intranet/extranet business-to-business access)
Authentication
• Verification of the user’s identity
• Three factors (three Ws):
  What you Know (PIN, password)
  What you Have (token, key pair, smartcard)
  Who You Are (fingerprint, voice, DNA...)
• “Two-Factor” authentication is a common goal to increase security and better establish who the users are
• Initial logon procedure to authenticate the user
• Doesn’t specify what a user is allowed or not allowed to do (Authorization)
• Various authentication methods: Classic User ID / password; third-party authentication
• Examples: Windows 2000, UNIX, Netegrity SiteMinder, Lotus Notes
Kerberos
Kerberos - the 3-headed dog that guards the entrance to Hades
What is Kerberos?
• Developed at M.I.T.
• A secret key based service for providing authentication in open networks
• Authentication mediated by a trusted 3rd party on the network: the Key Distribution Center (KDC)
Kerberos overview
• Authentication method: Users enter their password on the local machine only; authenticated via the central KDC once per day; no passwords travel over the network
• Single Sign-on (via TGS): The KDC gives you a special “ticket”, the TGT, usually good for the rest of the day; the TGT can be used to get other service tickets allowing the user to access those services (when presented along with authenticators)
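The three exchanges the overview describes can be walked through end to end in code. This is an added example for this deck, not code from the slides and not the real Kerberos message encoding: a KDC holding long-term keys issues a TGT in the AS exchange, swaps TGT plus authenticator for a service ticket in the TGS exchange, and the service itself validates ticket plus authenticator in the AP exchange. The password is turned into a key on the client and never transmitted; each party can only open what is sealed under a key it holds. The realm, principals, password and the toy authenticated cipher (encrypt-then-MAC over a SHA-256 keystream, standing in for the real Kerberos encryption types) are all constructed.

```python
"""Kerberos-style single sign-on in miniature. Added example for this deck;
message layout, toy cipher, realm, principals and keys are constructed."""
import hashlib, hmac, json, os, time
from typing import Dict, Optional, Tuple


def derive_key(password: str, salt: str) -> bytes:
    """Long-term key from the password: computed on the client at logon and
    stored once in the KDC database; the password itself is never sent."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]


def seal(key: bytes, msg: dict) -> bytes:
    """Toy authenticated encryption (illustration only): encrypt-then-MAC."""
    pt = json.dumps(msg, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Check the tag before touching the ciphertext; wrong key or tampering raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def _check_authenticator(ticket: dict, authenticator: bytes, now: float) -> None:
    """Authenticator = {client, time} sealed under the ticket's session key: proves
    the presenter knows that key and is not replaying an old capture."""
    auth = unseal(bytes.fromhex(ticket["sk"]), authenticator)
    if auth["client"] != ticket["client"] or abs(auth["time"] - now) > 300:
        raise PermissionError("bad authenticator")


class KDC:
    """Authentication Server and Ticket-Granting Server in one process."""
    def __init__(self, realm: str):
        self.realm = realm
        self.tgs_key = os.urandom(32)             # only the KDC ever holds this
        self.db: Dict[str, bytes] = {}            # principal -> long-term key

    def as_exchange(self, user: str, now: float, lifetime: int = 8 * 3600) -> Tuple[bytes, bytes]:
        """AS-REQ/AS-REP: a TGT sealed under the TGS key and a reply sealed under the
        user's long-term key. Only someone with the password learns the session key."""
        sk = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": user, "sk": sk, "expires": now + lifetime})
        return tgt, seal(self.db[user], {"sk": sk, "expires": now + lifetime})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float) -> Tuple[bytes, bytes]:
        """TGS-REQ/TGS-REP: validate TGT and authenticator, issue a service ticket
        sealed under the service's key plus a reply under the TGT session key."""
        t = unseal(self.tgs_key, tgt)
        if t["expires"] < now:
            raise PermissionError("TGT expired")
        _check_authenticator(t, authenticator, now)
        ssk = os.urandom(32).hex()
        ticket = seal(self.db[service], {"client": t["client"], "sk": ssk, "expires": now + 3600})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": ssk, "service": service})


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: float) -> str:
    """AP-REQ at the application server: open the ticket with our own key, verify
    the authenticator with the session key found inside it, return the client name."""
    t = unseal(service_key, ticket)
    if t["expires"] < now:
        raise PermissionError("ticket expired")
    _check_authenticator(t, authenticator, now)
    return t["client"]


def single_sign_on(now: Optional[float] = None) -> Tuple[str, ...]:
    """Client side of the whole flow: one password entry, two services."""
    now = time.time() if now is None else now
    kdc = KDC("EXAMPLE.ORG")                                                # constructed realm
    user_key = derive_key("correct horse battery staple", "alice@EXAMPLE.ORG")  # constructed
    kdc.db["alice"] = user_key
    svc_keys = {"host/fileserver": os.urandom(32), "http/intranet": os.urandom(32)}
    kdc.db.update(svc_keys)
    # 1. AS exchange, once per day: the password is used locally and then discarded
    tgt, reply = kdc.as_exchange("alice", now)
    tgt_sk = bytes.fromhex(unseal(user_key, reply)["sk"])
    clients = []
    for service, key in svc_keys.items():
        # 2. TGS exchange: TGT plus a fresh authenticator buys a service ticket
        ticket, rep = kdc.tgs_exchange(tgt, seal(tgt_sk, {"client": "alice", "time": now}), service, now)
        svc_sk = bytes.fromhex(unseal(tgt_sk, rep)["sk"])
        # 3. AP exchange: ticket plus authenticator presented to the service itself
        clients.append(service_accept(key, ticket, seal(svc_sk, {"client": "alice", "time": now}), now))
    return tuple(clients)


def tamper_detected(key: bytes, blob: bytes) -> bool:
    """Flip one ciphertext bit and confirm unseal() rejects the blob."""
    flipped = blob[:20] + bytes([blob[20] ^ 1]) + blob[21:]
    try:
        unseal(key, flipped)
        return False
    except ValueError:
        return True
```

The authenticator’s five-minute window is the reason Kerberos deployments are so sensitive to clock drift, and the fact that the service never talks to the KDC during the AP exchange is what lets one TGT serve many services for the rest of the day.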
Directories
• Directory - the database that holds the information about objects that are to be managed by the directory service
• Directory service - the interface to the directory; provides access to the data that is contained in that directory.
• Directory services act as a central authority that can securely authenticate resources and manage identities and relationships between them.
• Directory services use a distributed model for storing their information and that information is usually replicated between directory servers.
LDAP – Lightweight Directory Access Protocol
• LDAP defines a relatively simple protocol for updating and searching directories running over TCP/IP
• Implementations: MS Active Directory, Novell eDirectory, Red Hat Directory Server