Build a blueprint for web site using Microsoft Windows DNA Platform

xiaoxiao2021-03-06  42

http://www.microsoft.com/china/msdn/library/archives/technic/voice/dnablueprint.asp


Draft, version 0.9, Microsoft Corporation

January 2000


Abstract: This document provides technical information on building complex Web sites with Microsoft Windows DNA technology. It is intended for engineers and decision makers.

Table of Contents

Executive Summary
Architecture Overview
Example Site
Scalability
Availability
Security
Management and Operation
Summary

Executive Summary

A standard Web-based computing model is developing rapidly in business. It is characterised by loosely coupled layers of replicated systems, each specialised for a task. A very large proportion of business Web sites, whether they provide online services, applications or data collection, are built on today's Microsoft Windows DNA platform, which is becoming the basis of this computing model. This document defines the architecture for building a Windows DNA site. Readers can use this information to design and build a Windows DNA-based site today.

This document focuses on how to use Microsoft technology, and particularly the Windows DNA platform, to build the infrastructure of a scalable, available, secure and manageable site in a cost- and time-effective way. It emphasises how simple, flexible operations and application design allow a ".com" to deploy and operate a site with the scalability, availability, security and manageability it needs. Its secondary emphasis is the current, complete set of tools and methods for building Web application components. The advantages of the Microsoft Windows DNA solution (using Microsoft(R) Windows NT(R) 4.0 and/or Windows 2000) are first presented at a high level and then refined step by step to define how Microsoft products are used to build a site architecture, one level at a time. Finally, managing Web sites with Microsoft tools and technologies is discussed.

Although it is only an overview, this document also examines an example Web site that successfully uses the architecture described, which can serve as a model for sites built on the Windows DNA platform. This document does not cover topics such as application design, development tools or database design except where they bear on scalability, availability, security and manageability, but it gives pointers to the documents that cover those areas.

"Architecture Overview" introduces some of the architectural concepts for large Web sites. "Sample Site" describes a representative site and the infrastructure and layers it uses. The remaining sections discuss the four key properties of a site, "Scalability", "Availability", "Security" and "Manageability", and use the sample site to illustrate them. References to related documents appear throughout.

Architecture overview

Introduction

Large business sites are dynamic: they usually start small and then grow as demand grows. This growth is very rapid, not only in the number of unique users supported but also in the complexity and integration of the services offered to users. Under investor scrutiny, many sites start out with a plan for 10- to 100-fold growth, and this is credible. Successful business sites manage this growth and change by increasing the number of servers that provide logical services to clients (that is, by providing multiple instances, or clones, of themselves and balancing the workload between them) and by building services that integrate with existing computer systems. This growth rests on a solid, highly available architecture, a security infrastructure and a management infrastructure.

Architecture objectives

The architecture in this document has four goals:

Linear scalability - sustained growth to meet user demand and complexity.
Continuous service availability - redundancy and functional specialisation to improve fault tolerance.
Security of data and infrastructure - protecting data and infrastructure from malicious attack or theft.
Simplicity and integrity of management - ensuring that operations can keep up with growth.

Scalability

To be scalable, a business Web site divides its architecture into two parts: the front-end (client-accessible) systems, and the back-end systems where long-lived persistent data or business processing systems reside. A load-balancing system assigns work to each layer. The front-end systems usually retain no long-lived state; that is, the context of each request to a front-end system is normally temporary. This architecture scales by cloning, or replicating, the front-end systems and coupling them to a stateless load-balancing system that distributes the load among the available clones. We call a set of IIS servers arranged as clones a Web cluster. Online content can also be scaled by partitioning it across multiple back-end systems; a state-based, or content-sensitive, load-balancing system routes each request to the correct back-end system. Through functional specialisation, complex business logic grows in a manageable way: dedicated servers take on specialised services, including integration with legacy or offline systems. With cloning, partitioning and functional specialisation, these systems scale very well, because each service can be scaled separately.

Availability

By using multiple cloned servers, all of which present the same address to their clients, the front-end system achieves high availability and scalability. Load balancing distributes the load among the clones. Placing fault-detection functions in the load-balancing system improves service availability: clones that no longer provide service are automatically removed from load balancing, and the remaining clones continue to serve. High availability is more challenging for back-end systems, mainly because they maintain data or state. They achieve it by using a failover cluster for each partition. A failover cluster lets an application continue running on another computer that can access the disk subsystem of the failed system. Partition failover occurs when the primary node serving a partition's requests fails, at which point requests for that partition are automatically switched to the secondary node. The secondary node must have access to the same data store as the failed node, so that store should also be replicated. Replicas can also be placed at a remote location to increase site availability. Availability also depends heavily on enterprise-level IT practices, including change control, rigorous testing, rapid upgrades and feedback mechanisms.

Security

Security, meaning managing risk by providing sufficient protection for privacy, confidentiality, integrity and availability, is a basic element of any business site. Business sites use multiple security domains, comprising systems with different security requirements, with each domain protected by network filters or firewalls. There are three main domains, isolated from one another: the public network; the DMZ (the term "DMZ", demilitarised zone, comes from military usage), where the front-end and content servers are located; and the secure network, where secure data is created or used and where it is also managed and stored.

Management

Management and operations involve the infrastructure, tools, administrators and technicians needed to maintain business sites and their services. Many sites are located in what is often called a hosting environment; that is, the systems are placed with an Internet Service Provider (ISP) or a specialist hosting service that provides abundant Internet connectivity. Management and monitoring of the systems must therefore be done remotely. In this architecture we describe a management network and the types of management function it must support.

Architecture elements

The key architectural elements of a business Web site highlighted in this section are: client systems; load-balanced, cloned front-end systems (accessible to client systems); load-balanced, partitioned back-end systems (accessible to the front-end systems, and where persistent storage resides); and three overarching architectural considerations: disaster tolerance, security domains, and management and operation.

Principles of large business web sites

Figure 1 shows the concept and basic principles of the business web site, which will be described in detail below in this section.

Figure 1. Principle of architecture

Figure 1 shows the division into front-end, back-end and load-balancing layers described here. Firewalls and network segmentation are the key to the security principle.

Client computer

In this site architecture, the client sends a request to a service name that represents the application serving the client. End users and client software know nothing about the internal workings of the systems that provide the service. Typically the end user types an initial URL, for example http://www.thebiz.com/, and then navigates the site by clicking hyperlinks or completing forms on Web pages.

For a broadly used Web site, an important decision is whether to support only the minimum common set of browser functions or to serve different browser versions differently. Although older browsers are still in use, HTML 3.2 is usually the lowest version supported. For example, browsers can be classified as: supporting HTML 3.2, such as Microsoft Internet Explorer 3.0; supporting dynamic HTML (DHTML), such as Internet Explorer 4.0; and supporting Extensible Markup Language (XML), such as Internet Explorer 5.0. Different content is then served to each class. IIS and its tools can create pages that render dynamically for different browsers.

Front-end system

The front-end system consists of servers that provide core Web services such as HTTP/HTTPS, LDAP and FTP. Developers typically group these front-end systems into a set of identical systems called clones. They run the same software and share access to the same Web content (HTML files, ASP pages, scripts and so on) through content replication or highly available file shares. High scalability and availability are achieved by load balancing among the clones, detecting failed clones and removing them.

Clones (stateless front end)

Cloning is a good way to add processing capacity, network bandwidth and storage bandwidth to a Web site. Since each clone stores its data locally, all updates must be applied to every clone. Nevertheless, coupled with load balancing, fault detection and the elimination of client state, cloning is indeed a good way to scale a site and improve availability.

Stateless load balancing

The load-balancing layer presents a service name to users and distributes the client load across multiple Web servers. This provides availability, scalability and some degree of manageability for the server set. There are various load-balancing techniques, including Round Robin Domain Name Server (RRDNS) and various network-based and host-based load-balancing technologies.

Maintaining client state

We do not want to maintain client state on the cloned front-end systems, because that conflicts with transparent client failover and load balancing. There are two basic ways to maintain client state during a session. One is to store the client state on a partitioned back-end server. (Since client state partitions completely, this scales easily; however, the state must be retrieved for every client request.) The other is to use cookies and/or the URL. Cookies are small files managed by the client's Web browser. Their benefit is that they reduce the load on the state server and make the stateless front-end system more practical. Data can also be stored in the URL and returned when the user clicks on the displayed Web page.

Front-end availability

When application code runs on these front-end servers, whether it is written in a high-level language such as Microsoft Visual Basic(R) or in C++, it is important to isolate programming errors in different Web applications from one another. Running application code outside the Web server process is the best way to contain programming errors and avoid Web server failures.

Back-end system

The back-end systems are the data stores that hold application data, and also the data stores that connect the system to other resources holding data. Data can be stored in ordinary files, in a database system (such as Microsoft SQL Server(TM)) or in other applications, as the following table shows.

Table 1. Different types of data storage

         | File system                        | Database                                  | Other application
Example  | File share                         | SQL Server                                | Ad insertion, SAP, Siebel
Data     | HTML, images, executables,         | Catalog, user information, logs,          | Stock/inventory, banner advertising,
         | scripts, COM object classes        | billing information, price tables         | account information

Scaling the back-end system and making it highly available are more challenging, mainly because it must maintain data and state. Once a single system has reached the limits of its scalability, the data must be partitioned across multiple servers. Continued scalability is therefore achieved by partitioning the data and adding a data-dependent routing layer, or stateful load-balancing system, that maps logical data to the correct physical partition.

For improved availability, a cluster, typically two nodes with storage protected by mirroring, replication or RAID, supports each partition. When the service on one node fails, the other node takes over the partition and provides the service.

Partitions (stateful back-end systems)

By replicating hardware and software and dividing the data among the nodes, partitioning increases service capacity. Typically the data is partitioned by object, such as mailboxes, user accounts or product lines. In some applications partitioning is done by time, for example by day or by quarter. Objects can also be distributed across partitions randomly. Tools are needed to split and merge partitions, preferably online (without interrupting service), to accommodate changes to the system. Increasing the number of servers hosting partitions improves the scalability of the service. However, the choice of partitioning determines the access patterns and the resulting load. Designing data partitions so that requests are distributed evenly and hotspots (partitions receiving a disproportionate number of requests) are avoided is therefore also important. Sometimes a hotspot is hard to avoid, and a large multiprocessor system must host that partition. Partition failover, in which service switches automatically to the secondary node (with unfinished transactions rolled back), provides continuous partition availability.

Stateful load balancing

If the data is partitioned across multiple data servers, or servers are developed to provide dedicated functions for specific kinds of Web request, the corresponding software must be written to route each request to the appropriate data partition or dedicated server. Typically this application logic runs on the Web server. It is written to determine where the relevant data is located and, based on the request content, the client ID, or a cookie carrying the client ID, to send the request to the server holding that data partition. It also knows where the servers providing dedicated functions are and sends requests there. This application software performs stateful load balancing; it is called stateful because the routing is determined by the state of the request or the state carried in it.
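The partition lookup and failover described in the two sections above, as an added example that is not code from the original Microsoft document: the front-end logic hashes the client ID to a partition (one of the schemes the page lists), routes to that partition's primary node, and fails over to the secondary while the primary is marked down. All node and client names are constructed.

```python
"""Partitioned back-end routing with primary/secondary failover.

Added example, not from the original document. Models the page's stateful
load balancing: a request is routed by the client ID it carries to the
back-end partition holding that client's data, and to the partition's
secondary node when fault detection has marked the primary failed.
Node and client names are constructed.
"""
from dataclasses import dataclass, field
import hashlib


@dataclass
class Partition:
    name: str
    primary: str
    secondary: str
    failed: set = field(default_factory=set)  # nodes currently marked down

    def active_node(self) -> str:
        """Node that should serve this partition now (failover if needed)."""
        if self.primary not in self.failed:
            return self.primary
        if self.secondary not in self.failed:
            return self.secondary
        # Both nodes of the failover cluster are down: the partition is
        # unavailable and the caller must degrade gracefully.
        raise RuntimeError(f"partition {self.name}: no node available")


class PartitionRouter:
    """Maps client IDs to partitions and partitions to live nodes."""

    def __init__(self, partitions):
        self.partitions = list(partitions)

    def partition_for(self, client_id: str) -> Partition:
        # A stable hash sends the same client to the same partition on every
        # request, so its state is always found. Python's built-in hash() is
        # randomised per process and must not be used for this.
        digest = hashlib.sha256(client_id.encode("utf-8")).digest()
        index = int.from_bytes(digest[:4], "big") % len(self.partitions)
        return self.partitions[index]

    def route(self, client_id: str) -> str:
        """Return the node a request from client_id should be sent to."""
        return self.partition_for(client_id).active_node()

    def mark_failed(self, node: str) -> None:
        """Fault detection reported node down: fail its partitions over."""
        for p in self.partitions:
            if node in (p.primary, p.secondary):
                p.failed.add(node)

    def mark_recovered(self, node: str) -> None:
        """Node is back: the primary resumes serving on the next request."""
        for p in self.partitions:
            p.failed.discard(node)

    def load_report(self, client_ids) -> dict:
        """Requests per partition; a lopsided result reveals a hotspot."""
        counts = {p.name: 0 for p in self.partitions}
        for cid in client_ids:
            counts[self.partition_for(cid).name] += 1
        return counts


def example_router() -> PartitionRouter:
    """Three partitions, each a two-node failover cluster (constructed)."""
    return PartitionRouter([
        Partition("users-a", "db-a1", "db-a2"),
        Partition("users-b", "db-b1", "db-b2"),
        Partition("users-c", "db-c1", "db-c2"),
    ])


if __name__ == "__main__":
    router = example_router()
    part = router.partition_for("alice")
    print("alice ->", part.name, "served by", router.route("alice"))
    router.mark_failed(part.primary)
    print("after failover:", router.route("alice"))
    print(router.load_report([f"user{i}" for i in range(300)]))
```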

Availability of backend services

Beyond using failover and clustering to improve availability, an important factor across the whole system architecture is the ability to provide some limited level of service even when various services have failed. For example, users should always be able to log in to an online mail service with their user credentials and then send mail through the cloned Simple Mail Transfer Protocol (SMTP) routers, even if the user's mail store is unavailable. Similarly, users of a business site should be able to browse the catalog even if transactions cannot be processed for the moment. This requires the system architect to design services that "operate reliably, though with reduced performance, when individual components fail", so that end users do not perceive a local failure as a failure of the whole site.

Disaster tolerance

Some business Web sites require continuous service availability even when a disaster occurs, because their global business depends on the service being available. A disaster may be natural (earthquake, fire or flood) or may result from malicious action (such as terrorism or a disgruntled employee). Disaster tolerance means keeping a copy of the site, or of some parts of it, at a location far enough from the main site that the probability of losing more than one site in a single disaster is small enough to accept. At the highest level there are two types of replicated site. An active site carries part of the load. A passive site is used only after a disaster. Active sites are usually used for applications that require fast failover. A passive site may consist only of servers, connectivity and a remote copy of the backup tapes, which can be applied to those servers when needed. A minimal plan of this kind should be considered for any business.

Keeping replicated sites updated so that their content stays consistent is very challenging. The basic method is to copy content from a central staging server to the staging server at each remote site, which then updates the content of that site. This method is sufficient for read-only content. However, for more advanced sites that execute transactions, the databases need to be kept current. Database replication and log shipping are often used to transfer transactional updates to the database at the remote site. Typically the databases will be within a few minutes of each other. This is still better than the site failing completely.

Security domain

Security mechanisms protect the confidentiality and privacy of sensitive information by preventing unauthorised access; protect the integrity of systems and data by preventing unauthorised modification or destruction; and help ensure availability by preventing denial-of-service attacks and by providing accident and disaster plans.

A security domain is a consistent region of security, with defined protection interfaces between regions. Applying this concept helps ensure that the right level of protection is applied in the right place. Complex systems (such as large business sites and their environments) can be divided into multiple security domains. A region can represent any desired division, for example by geography, by organisation, by physical network or server, or by data type. For business sites the main division is appropriately by Internet, site DMZ, secure network, enterprise network and management network. Domains may also intersect or overlap. For example, credit card numbers in a database may require additional protection, which an additional security control, such as encrypting the card numbers, can provide.

The following analogy helps to picture security domains. The Internet resembles a medieval castle and its surroundings: outside the walls there are few constraints and all sorts of unruly characters. In this castle model, the key structural element protecting a Web site is the wall built around it, with heavily guarded gates to keep idlers out. The wall and gates that must be built correspond to the standards to be maintained for a given security level. Of course, there must be no unguarded back door! For a large business site, the wall is called the site boundary. In network terms, this means the site's internal communication equipment is private and isolated from the Internet except at designated entry points. The main gate of the site is called the firewall. The firewall inspects each communication packet to ensure that only the intended information is allowed in. Continuing the analogy, the keep inside the castle protects the crown jewels; additional walls and locked doors provide additional protection. Similarly, a business site protects very sensitive data with additional firewalls and internal networks.

Figure 2. Firewall/DMZ

A firewall is a mechanism that controls data flow between two parts of a network with different trust levels. Firewalls range from packet filters (which pass data between IP ports and/or ranges of IP addresses) to application-level firewalls (which actually inspect the content of the data). Sites usually use packet-filtering firewalls facing outward and filter by protocol and port on the inside.

Securing a site is very complex, but the firewall/DMZ is a key structural component (in practice a subnet or network segment). It is a necessary, but not by itself sufficient, mechanism for achieving the intended level of site protection. The "Security" section of this document describes in detail how to secure a site.

Management infrastructure

Site management systems are usually built on a separate network to ensure high availability. Using a separate network for the management system also removes management traffic from the back-end network, improving overall performance and response time. Management and operations sometimes use the back-end network, but for large, highly available sites this is not recommended.

The core structural components of the management system are the management consoles, management servers and management agents. All core components can be scaled independently. The management console is the administrator's entry point for accessing and manipulating the managed systems. The management servers continuously monitor the managed systems, receive alerts and notifications, record events and performance data, and act as the first line of response for predefined events. The management agents perform the main management functions on the equipment where they reside. Management agents and management servers communicate with each other using standard or proprietary protocols.

Once a system reaches a certain scale and rate of change, management and operation of the Web site become critical. Simplicity of management, ease of configuration, continuous health monitoring and fault detection may matter more than adding application functions or new services. Application engineers must therefore be very familiar with the operational environment in which their applications are deployed and run. In addition, operators must be very familiar with the cloning and partitioning schemes, the management tools and the security mechanisms in order to maintain continuously available Internet-based services.

Sample site

Introduction

This example site is intended to illustrate the core structural components and infrastructure; it is nonetheless representative of the key structural characteristics we have discussed. For competitive and security reasons, site owners are often unwilling to reveal the actual details of their sites.

Our example is a large site and shows its topology and component redundancy. It is a highly available system: its contingency provisions survive most failure modes and mitigate major disasters. Every server in each group, from ISP 1 to ISP N, supports the contingency handling of the whole site, so losing one ISP does not paralyse the site. Providing uninterrupted service through most disasters requires replicating the entire site in multiple geographic locations; Cisco's DistributedDirector is usually used to support such a geoplex. Unfortunately, site replication can more than double the cost of building the site and may cause data consistency problems for Web applications.

From this example you can derive smaller and much simpler sites. A small site may not need as many servers in each cluster. A site that does not require high availability can simply delete the redundant elements, in particular the entire upper half starting from Internet ISP 1. A site without stringent database security needs can delete the secure SQL cluster on the secure network. On the other hand, a very large site can add the following to scale up sufficiently:

Clones in each IIS Web cluster.
The number of Web clusters.
Internet connection access points.
Front-end components such as firewalls.

Further, as network traffic and the number of devices to be managed increase, the management network must also grow in scale and complexity.

Figure 3 shows the architecture of the sample site.

Figure 3. Large Web Site Network Topology Example

In Figure 3, different line styles, thicknesses and annotations show the IP addresses and connections of the different parts of the network. In particular:

External (Internet) network (thin line).
DMZ network (medium line).
Secure (internal) network (thick line).
Management network (thin line).
Cluster private interconnect (thin line, local to each cluster).
Connection to the enterprise network (lightning bolt).

The rest of this section provides a walkthrough of the sample site, starting from the Internet and proceeding to the secure network, including the enterprise network and the management network.

Internet

The walkthrough starts with the connections to one or more Internet Service Providers (ISPs). Our example shows multiple redundant connections, labelled ISP 1 to ISP N. These connections should come from different (physically independent) networks. Domain Name Servers (DNS, not shown) provide forward and reverse mappings between domain names and one or more TCP/IP addresses. For example, http://www.microsoft.com/ currently maps to the following addresses, where each group of addresses is a cluster:

207.46.130.14   207.46.131.28
207.46.130.149  207.46.131.30
207.46.130.150  207.46.131.137

When there are multiple IP addresses, DNS cycles through the address list to answer successive queries for the www.microsoft.com IP address, hence the name "Round Robin DNS" (RRDNS). The drawback of RRDNS is that it cannot detect that an ISP connection has gone down and keeps serving the IP address that no longer works. This is not very serious, however, because the user only has to request the Web page again. Third-party solutions such as Cisco's LocalDirector or F5 Networks BIG-IP provide a better solution with dynamic routing of connections.
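The contrast drawn above, and in the earlier "Availability" discussion of removing failed clones from load balancing, as an added example that is not code from the original document: plain round robin keeps handing out an address after its server has gone away, while a balancer that probes its clones drops the failed one from rotation. Servers are simulated by a dict of address to up/down flag; the addresses are constructed.

```python
"""Round-robin address distribution with and without fault detection.

Added example, not from the original document. A RoundRobinDNS object
behaves like the RRDNS described on the page; HealthCheckedBalancer
behaves like a load balancer with fault detection that takes failed
clones out of rotation and readmits them when they recover.
Clone addresses are constructed (TEST-NET-2 range).
"""


class RoundRobinDNS:
    """Cycles through the address list; it never learns about failures."""

    def __init__(self, addresses):
        self.addresses = list(addresses)
        self._next = 0

    def pick(self) -> str:
        addr = self.addresses[self._next]
        self._next = (self._next + 1) % len(self.addresses)
        return addr


class HealthCheckedBalancer:
    """Round robin over the clones that passed the most recent probe."""

    def __init__(self, clones, probe):
        self.clones = list(clones)
        self.probe = probe              # callable(address) -> bool: is it up?
        self.active = list(self.clones)
        self._next = 0

    def check(self) -> list:
        """Probe every clone; drop failed ones and readmit recovered ones."""
        self.active = [c for c in self.clones if self.probe(c)]
        self._next = self._next % len(self.active) if self.active else 0
        return list(self.active)

    def pick(self) -> str:
        if not self.active:
            raise RuntimeError("no healthy clones in rotation")
        addr = self.active[self._next]
        self._next = (self._next + 1) % len(self.active)
        return addr


def serve(balancer, health: dict, n_requests: int) -> list:
    """Send n requests through balancer; return (address, succeeded) pairs.

    A request succeeds only if the address handed out is currently up.
    """
    results = []
    for _ in range(n_requests):
        addr = balancer.pick()
        results.append((addr, health[addr]))
    return results


def failed_count(results) -> int:
    """Number of requests that landed on a dead server."""
    return sum(1 for _, ok in results if not ok)


if __name__ == "__main__":
    # Constructed Web cluster of three clones; the second one is down.
    health = {"198.51.100.11": True, "198.51.100.12": False,
              "198.51.100.13": True}
    dns = RoundRobinDNS(health)
    print("RRDNS failed requests:", failed_count(serve(dns, health, 6)))
    lb = HealthCheckedBalancer(health, lambda a: health[a])
    print("in rotation after probe:", lb.check())
    print("health-checked failed requests:",
          failed_count(serve(lb, health, 6)))
```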

DMZ

The servers on the front-end network face the Internet. Firewalls are a basic security component, providing network isolation by filtering traffic by packet type, source and destination address. They form the boundary of the DMZ (demilitarised zone), indicated by the double-headed arrow.

Firewall

The first component on the path is the router/firewall; their functions may be separate or combined in one device. The Internet-facing router supports the Border Gateway Protocol (http://www.ietf.org/rfc/rfc1654.txt). High-speed front-end switches support the connection of each server in the front-end Web cluster. Cross-connections with the router/firewall provide an alternative path when an ISP connection fails or when any component on the path fails.

Front-end network

The front end provides core Web services such as HTTP/HTTPS, using Microsoft Internet Information Server (IIS) to serve HTML and ASP pages, and uses LDAP (Lightweight Directory Access Protocol) for user authentication. Site Server Commerce Edition can also be loaded onto front-end servers to provide additional database-driven services. Front-end servers are grouped by service and function, such as http://www.microsoft.com/, http://search.microsoft.com/, SMTP (e-mail) or FTP (downloads). SSL service (HTTPS) is also isolated from ordinary HTTP traffic. This allows servers with costly hardware security accelerator modules to support high-speed encryption. Further, SSL sessions are inherently stateful and may require special failover handling.

Each Web cluster running Windows 2000 in the sample site uses NLBS (Network Load Balancing Service, known as Windows Load Balancing Service in Windows NT). Every clone in an NLBS Web cluster has the same configuration and publishes the same content. This provides transparent failover for stateless Web applications, which fundamentally improves service capacity compared with individual servers. The Web cluster scales broadly by adding clones that share the cluster load.

Clients send requests to each Web cluster using a virtual IP address, to which any front-end server in the NLBS cluster can respond. The front-end servers access site content on the back-end clustered file share servers and on the SQL Servers on the back-end clusters.

All COM objects required by the Web services, including objects called from ASP pages, are installed and registered on every front-end server. The site's ASP pages can be loaded from the front-end server's local disk or from the back-end clustered file share server.

Each front-end server has specially hardened security and connects to three networks:

Front-end network - Internet access.
Back-end network - access to the DMZ servers and, through the internal firewall, to the secure network.
Management network - supports management and operations.

This network isolation increases security while also increasing overall available bandwidth and redundancy.

Note that the only publicly accessible IP address on any server in this site is the NLBS virtual IP address, and only front-end servers respond to it. IP filtering on the Internet-facing NIC (network interface card) ensures that only traffic of the correct type and source for the supported functions can enter a front-end server. IP forwarding between these networks is also disabled.

Backend network

The back-end network supports all DMZ servers over a high-speed private 10.10.1.x LAN. This architecture keeps DMZ servers from being reached directly from the Internet even if the firewall is breached, because Internet routers do not forward the designated private address ranges (see RFC 1918, Address Allocation for Private Internets, at http://www.ietf.org/rfc/rfc1918.txt), which include the 10.x.x.x range. As on the front-end network, redundant switches provide access to all front-end and back-end servers. All back-end switches share one common network, so back-end traffic load can become a problem on a busy site, especially when there is no separate management network and logging and other management traffic also has to cross the back-end network.

The main components of the back-end network are secured server clusters that provide storage services for Web content and for temporary persistent state such as transactional data (for example, shopping cart contents). Since all the permanent data is available elsewhere, no backup facility is needed here. Scalability is achieved by adding clusters and partitioning databases. These servers use Microsoft Cluster Service on Windows 2000 to achieve high availability through failover. A single server failure does not cause the data service to fail, or even to be interrupted, and data service continues when the failed server comes back online. Since hard disks do fail, RAID drive arrays provide the necessary data redundancy.

File shares on the cluster provide file storage services, and Microsoft SQL Server running on the cluster provides database services. Each cluster server uses at least four NICs: one for each back-end switch, one for a dedicated cluster interconnect LAN (which should use another private address range, such as 192.168.10.x), and one for the management LAN. In addition to the servers' physical addresses, the cluster has several virtual IP addresses: one for the cluster itself and a pair for each cluster service (for redundancy).

A hardened utility server acting as domain controller (DC) for the DMZ supports the local accounts of all DMZ servers, local DHCP and name services (WINS, or preferably DNS), and local utility file services. A one-way trust relationship with the internal enterprise domain provides authenticated, secure access to internal systems.

Secure network

Another firewall forms the inner boundary of the DMZ and isolates the so-called secure network from the back-end network. This firewall is configured to permit only specific port and source/destination pairs. The secure network likewise consists of a private network (10.10.2.0 in this example), a pair of coupled switches, various servers, and a device labeled VPN/router that provides the connection to the internal enterprise network. The secure network is logically part of the enterprise network. Servers on the secure network are often members of an internal enterprise domain, so domain controllers and address and name servers are assumed to be internal.

Other servers may be needed in this part of the site to support other features. There are many possible ways of processing, and then transferring, transactional data between the security domains, ranging from traditional synchronous transactions (MTS - Microsoft Transaction Service) to asynchronous ones (MSMQ - Microsoft Message Queue) or batch or e-mail-based store-and-forward. These are beyond the scope of this document.

Note, however, that for many organizations the Internet is only one of many delivery channels for user services, and this is important. Take a bookstore or a bank as an example: most business logic and processing occur in the existing internal systems. The Internet solution must work with these existing systems and serve them.

Secure data storage

Secure SQL clusters are optional and are needed only for more complex transactional sites. They provide highly available, permanent storage for long-term transactional data and ensure the confidentiality of customer information and account data. Unlike the server clusters in the DMZ, these servers must be backed up, either to directly attached removable storage devices or over the enterprise network. Other characteristics are similar to the DMZ clusters. For redundancy, each server is connected to both switches of the secure network. Scalability is again achieved by partitioning databases and adding clusters.

Upgrade server

The upgrade servers appear in the secure network part of the diagram, although they may be located in the enterprise network or even in the DMZ. They accept and stage content from the enterprise network or external content providers, and then deploy it to the Web servers to keep the site consistent. Many mechanisms are available for this, including Microsoft Content Replication and tools such as Robocopy.

Enterprise network connectivity

The device labeled VPN/router that connects to the enterprise network is actually a router which, if needed, can be combined with VPN security functions to sign and encrypt communication. Alternatively, VPN functionality can be added using the IPSec feature built into Windows 2000. This supports end-to-end security on demand and can save the cost of VPN hardware.

Connecting to the enterprise network is easiest when the site is hosted in the enterprise's own data center. In this case the VPN/router connects directly to the enterprise network.

Large business sites are often hosted in data centers remote from the enterprise. Dedicated leased lines are often used to connect the site and the enterprise network, especially where high performance and low response time are required. Alternatively, the Internet itself may be used as the transport, in which case VPN technology securing all communication is essential.

Manage network connectivity

We end our tour with a discussion of the management network, which provides the basic functions for monitoring and managing the site. For simplicity we show only that each computer connects to a separate management LAN, using separate NICs. Some sites do not use a separate management network and instead carry management traffic on the back-end network. We do not recommend this, for reasons of security, network load, and manageability.

The management connections to the routers, switches, and firewalls are not shown, nor is the serial dial-up connection used for emergency out-of-band (OOB) access. This does not mean they are not needed: with this setup each host can still be reached when the management network (or the back-end network used for management) is unavailable.

Summary

The following sections use the example site above as a model to discuss how the architecture described in this document meets these four goals:

Linear scalability: sustainable growth to meet user demand and complexity.
Continuous service availability: redundancy and functional specialization to increase fault tolerance.
Security of data and infrastructure: protecting data and infrastructure from malicious attack or theft.
Simplicity and integrity of management: ensuring that operations can keep up with growth.

Scalability

Introduction

Figure 4 shows two different dimensions of site scalability. The first dimension, the horizontal axis, indicates the number of unique clients accessing the site on a representative day. As the number of unique customers increases, the number of systems configured to support the growing client base also increases. Typically the content needed to support the customer base must also grow.

The second dimension, the vertical axis, indicates the degree of business complexity of the site. We have identified three main categories, although there are many variants between them. The categories are based on functionality. The simplest category, with the least business logic, is the content provider. The next layer up adds transactions to the content, but most business processing is done offline. The topmost category also has content and transactions, but much of the business processing logic is fully integrated into online processing.

As a site moves from left to right and from bottom to top in the figure, the difficulty of operating the site and deploying its applications increases significantly.

Figure 4. Extended dimensions

In the rest of this section we consider scalability in the context of Figure 4. First we look at scaling unique customers and content, then at increasing business complexity.

Expand customer and content

Figures 5 and 6 illustrate how the number of front-end systems grows to meet growing demand, and how the number of data partitions increases to scale online content.

Figure 5. Small site

Figure 5 shows a basic site with an IIS Web server, a file or SQL Server, and a utility server within the DMZ, connected to a secure SQL Server or file server and a secure upgrade server. Figure 6 shows how the small site of Figure 5 can be expanded to support more customers and more content.


Figure 6. Expanding site

At the front end, the number of IIS Web servers and the number of Web clusters into which they are grouped have increased, with NLBS balancing the load among them. In the back end, the number of file server and SQL Server clusters has increased, so the front-end Web servers need logic that routes each data request to the correct back-end data partition. We explain these two techniques next.

Extended front-end system

Increasing the number of cloned IIS Web servers, grouped into Web clusters with load balancing, is the main technique for supporting more unique customers. Note, however, that this imposes important conditions on the application, which we discuss later.

In addition to adding IIS Web servers, optimizing the Web application code running on the Web servers is also important (this is outside the scope of this document).

Web front-end load balancing for scalability

Load balancing presents a single service name to clients in the form of a virtual IP address and distributes client requests across the set of servers that provide the service.

There are three main technologies for load balancing:

Round Robin DNS (RRDNS).
Intelligent IP load balancing with dedicated third-party appliances.
Server-based intelligent IP load balancing using the NLBS of Windows 2000.

RRDNS is a way of configuring the Domain Name Server (DNS) so that, for one host name, it hands out in rotation the IP addresses of the hosts providing the same service. This is the most basic form of load balancing. Its advantages are that it costs nothing, is easy to implement, and requires no changes to the servers. Its disadvantages are that there is no feedback on individual server load or availability, and that, because of the propagation delay of DNS changes, requests continue to reach a failed server; there is no way to quickly remove a failed server from the available set.

Server-based load balancing forms a set of servers into an NLBS cluster; each server in the cluster then decides for itself whether to process a request, based on the request's source IP address. If a server in the cluster fails, the other members regroup and re-partition the range of source IP addresses among themselves. The advantages of NLBS are low cost (NLBS is part of the Windows 2000 operating system), no special hardware or change to the network infrastructure, and no single point of failure. Its current limitation is that the servers cannot adjust dynamically to load, and regrouping is triggered by server failure rather than application failure (although third-party tools such as NetIQ and Microsoft HTTPMON can be used to mitigate these limits).

Combining RRDNS and NLBS produces a more scalable and available configuration. All nodes in an NLBS cluster must be on the same LAN and respond to the same IP address. Multiple NLBS clusters can be configured on different subnets, with DNS configured to distribute requests across the NLBS clusters in rotation. This extends the scalability of NLBS and avoids the shortcoming of RRDNS, because multiple computers respond to each request sent to each NLBS cluster. Microsoft.com works this way.
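The following simulation, added here and not part of the original article or of NLBS itself, models the two layers just described: RRDNS rotating through one virtual IP address per NLBS cluster, and each cluster partitioning the source-address space across its live members so that a failed clone is dropped immediately, while a dead address handed out by DNS alone would persist until its record expired. Host names and all addresses are constructed sample values.

```python
"""RRDNS over NLBS-style clusters: added example, not code from the article.

Two layers are modelled:
  * RRDNS: one host name maps to several virtual IP addresses (one per NLBS
    cluster) and the DNS server hands them out in rotation.
  * NLBS-style cluster: every member sees every packet sent to the cluster's
    virtual IP and exactly one member accepts it, chosen by hashing the client's
    source IP across the set of *live* members. When a member fails, the
    survivors re-partition the source-address space among themselves.
All host names and addresses below are constructed sample values.
"""
import ipaddress
from itertools import cycle


class NlbsCluster:
    """A set of cloned Web servers sharing one virtual IP address."""

    def __init__(self, vip, members):
        self.vip = vip
        self.members = list(members)      # host names of the cloned servers
        self.failed = set()

    def live_members(self):
        return [m for m in self.members if m not in self.failed]

    def owner(self, client_ip):
        """Return the live member that accepts packets from client_ip.

        Every live member computes this same function independently, so no
        per-request coordination is needed; only the membership list is shared.
        """
        live = self.live_members()
        if not live:
            raise RuntimeError(f"cluster {self.vip} has no live members")
        idx = int(ipaddress.ip_address(client_ip)) % len(live)
        return live[idx]

    def fail(self, member):
        """Mark a member failed; the survivors regroup and re-partition sources."""
        self.failed.add(member)

    def recover(self, member):
        self.failed.discard(member)


class RoundRobinDns:
    """Rotates through the VIPs registered for one host name."""

    def __init__(self, name, vips):
        self.name = name
        self._cycle = cycle(vips)

    def resolve(self, name):
        if name != self.name:
            raise KeyError(name)
        return next(self._cycle)


def route(dns, clusters, host, client_ip):
    """Resolve host via RRDNS, then pick the NLBS member for this client.

    Returns (vip, member). A failed member is never returned, because the
    cluster recomputes ownership over live members only; RRDNS on its own
    would keep handing out a dead address until the record's TTL expired.
    """
    vip = dns.resolve(host)
    return vip, clusters[vip].owner(client_ip)


def demo():
    """Constructed scenario: two NLBS clusters behind one name, one clone fails."""
    clusters = {
        "203.0.113.10": NlbsCluster("203.0.113.10", ["web-a1", "web-a2", "web-a3"]),
        "203.0.113.20": NlbsCluster("203.0.113.20", ["web-b1", "web-b2"]),
    }
    dns = RoundRobinDns("www.example.test", list(clusters))
    clients = ["198.51.100.7", "198.51.100.8", "198.51.100.9", "198.51.100.10"]

    before = [route(dns, clusters, "www.example.test", c) for c in clients]
    # Lose one clone in cluster A: the two survivors absorb its source range.
    clusters["203.0.113.10"].fail("web-a2")
    after = [route(dns, clusters, "www.example.test", c) for c in clients]
    return before, after


if __name__ == "__main__":
    for label, rows in zip(("before failure", "after web-a2 fails"), demo()):
        print(label)
        for vip, member in rows:
            print(f"  {vip} -> {member}")
```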

Figure 7. RRDNS & NLBS: three separate LAN segments, one domain name

Application state

To shield clients from server failures, do not store application client state on the IIS Web server; otherwise clients cannot be dynamically load-balanced across servers. It is best to store client state in a data store and, when needed, retrieve it on each request using data encoded in the URL or in a client cookie. Cookies cached by the client are also a very effective scaling technique: information about each client is stored on the client system, sent to the Web server with each client request, and used to customize content or perform operations specified by the client. RFC 2109 (HTTP State Management Mechanism, available at www.ietf.org/rfc/rfc2109.txt) describes the HTTP cookie protocol.

However, some applications and protocols require a long-lived connection from the client to the server. Secure Sockets Layer (SSL), used to send encrypted data and verify the server's identity, is the main example. Most IP load balancing products support a mechanism that lets such applications or protocols keep a connection to the same server so that they work normally, although without transparency to failures.

Expanding back-end systems

Back-end systems can be scaled up by adding memory and processors to multiprocessor systems. The Windows 2000 Advanced Server operating system supports up to 8 CPUs and 8 GB of memory. At some point, however, this is no longer possible, or it is undesirable to have so much data depend on a single system. Then the back end must be scaled out by partitioning the data or the logical services it provides. We call this partitioning. Unlike cloning (copying hardware, software, and data), which is used to scale front-end systems, partitioning copies only hardware and software and distributes the data across the nodes. A request for a particular data object must be routed to the partition holding that data. This data-dependent routing must be implemented in the application software running on the Web servers. The data-dependent routing layer can be regarded as stateful load balancing, in contrast to the stateless load balancing used to scale the cloned front-end systems. Software to split and merge partitions is also needed to manage them, keeping the load spread evenly across all partitions so that no single partition becomes a hotspot.

This responsibility typically falls to the application engineers, who distribute the data across business objects so that, as data size and workload grow, the business objects can be spread evenly across a growing number of servers. Fortunately, as mentioned earlier, partitioning by object is relatively simple for many sites. However, the granularity of the partitioning objects is difficult to change after the site is deployed, which makes this design decision especially important.
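The routing layer described in the two paragraphs above, as an added example that is not code from the article: a stable hash of the business-object key selects a range in a sorted partition map, so every cloned Web server routes the same key to the same back-end partition, and a hot partition can be split (or two merged) while only the keys in the affected range have to move. Partition names and customer keys are constructed.

```python
"""Data-dependent routing to partitioned back-end data (added example).

Models the routing layer in the front-end application: each back-end node owns
a slice of the 32-bit hash space, and 'split' / 'merge' rebalance the slices so
that no partition becomes a hotspot. Partition names and object keys below are
constructed sample values, not the article's.
"""
import bisect
import hashlib


def object_hash(key: str) -> int:
    """Stable 32-bit hash of a business-object key (e.g. a customer id).

    Deliberately not Python's randomised hash(): every cloned Web server must
    route the same key to the same partition.
    """
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:4], "big")


class PartitionMap:
    """Maps the 32-bit hash space onto partitions by sorted range boundaries.

    boundaries[i] is the exclusive upper bound of partitions[i]; the last
    boundary is always 2**32. Ranges (rather than `hash % n`) are what allow
    one hot partition to be split without relocating every other object.
    """

    SPACE = 2 ** 32

    def __init__(self, partitions):
        n = len(partitions)
        self.partitions = list(partitions)
        self.boundaries = [self.SPACE * (i + 1) // n for i in range(n)]

    def route(self, key: str) -> str:
        """Return the partition that owns `key`."""
        return self.partitions[bisect.bisect_right(self.boundaries, object_hash(key))]

    def split(self, partition: str, new_partition: str):
        """Halve one partition's range; the upper half moves to new_partition."""
        i = self.partitions.index(partition)
        lower = self.boundaries[i - 1] if i > 0 else 0
        mid = (lower + self.boundaries[i]) // 2
        self.partitions.insert(i + 1, new_partition)
        self.boundaries.insert(i, mid)

    def merge(self, partition: str):
        """Fold `partition` into its successor, which absorbs its range."""
        i = self.partitions.index(partition)
        if i == len(self.partitions) - 1:
            raise ValueError("cannot merge the last partition forward")
        del self.partitions[i]
        del self.boundaries[i]


def keys_to_migrate(before: PartitionMap, after: PartitionMap, keys):
    """Keys whose owner differs between two maps: the data a split must move."""
    return sorted(k for k in keys if before.route(k) != after.route(k))


def demo():
    """Constructed run: split a two-partition site's first partition, count the moves."""
    keys = [f"customer-{i}" for i in range(1000)]
    current = PartitionMap(["sql-1", "sql-2"])
    grown = PartitionMap(["sql-1", "sql-2"])
    grown.split("sql-1", "sql-3")              # only sql-1's upper half relocates
    moved = keys_to_migrate(current, grown, keys)
    counts = {p: sum(grown.route(k) == p for k in keys) for p in grown.partitions}
    return counts, len(moved)


if __name__ == "__main__":
    counts, moved = demo()
    print("objects per partition after split:", counts)
    print("objects that had to migrate:", moved)
```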

Another way to scale is to move services provided by the back-end system onto functionally specialized systems that serve the clients. This is often called an N-tier model. We discuss it in detail below, in the section on scaling business complexity.

Expanding the network infrastructure

As site traffic increases, both between the Internet and the DMZ and within the DMZ, the network infrastructure must also grow. To support this growth, link bandwidth must be added, hubs upgraded to switches, and additional networks installed (for example, a dedicated management network to relieve the load on the back-end network).

Expanding business complexity

The figures below illustrate how the security requirements and the number of systems grow as the amount of business processing performed by the system grows. Maximum system capacity, that is, whether the system design can grow steadily with the business, is usually the greatest concern for any site.

The three models of site complexity are Content Provider, Offline Transaction, and Online Transaction.

Content provider. In this model no transaction processing on the internal network is required. All Web services and content are served from within the DMZ. All content is first assembled on the upgrade server and then pushed to the DMZ servers by replication. As described in the previous section, this model is scaled by adding Web clusters, adding clones to the Web clusters, and adding back-end cluster servers.


Figure 8. "Content Provider" model

Offline transaction processing. This model is similar to the Content Provider model, but there are offline transactions with business applications on the internal network. As in the Content Provider model, content is replicated to the DMZ servers from the upgrade server. To support offline (non-real-time) transactions, transaction data must be transferred from the DMZ to the internal network. The Microsoft Message Queue (MSMQ) service can be used to transmit these offline transactions reliably. To support traditional delivery channels, application systems and databases are implemented on the internal network. The devices labeled "Other Delivery Channels" represent traditional channels such as customer workstations, interactive voice response units (IVRUs), or dedicated input devices such as point-of-sale terminals or ATMs. The complexity of the model grows with the number of back-end servers on the internal network behind the internal firewall. MSMQ supports asynchronous communication and guarantees reliable messaging, so it is useful for this type of interaction. Batch processing of requests is another proven technique that amortizes the cost of sending messages to the internal network.


Figure 9. "Offline Transaction" model

Online transaction processing. In this model the Web browser has genuinely online access to traditional applications residing on the internal network. The business application functions are implemented on the internal network, which typically supports multiple delivery channels. Transaction communication from the DMZ to the internal network uses standard synchronous communication mechanisms. The need to integrate with online business applications while the client is connected greatly increases the complexity of the model. This model is the most complex and the most difficult to scale, because interactions with the internal systems must be synchronous, or at least complete while the customer is interacting with the online service. These interactions require careful design and their number should be minimized. For example, the shopping basket can be built entirely within the DMZ and only passed on when the customer requests it; the actual purchase should use the internal systems.


Figure 10. "Online Transaction" model

Availability

Introduction

The main technique for increasing site availability is adding redundant components. Redundant components can be used to create multiple communication paths, multiple servers providing the same service, and standby servers that take over for a failed server.

Consider the following two figures. The first has some high availability in the front-end and back-end systems. The second has full redundancy of all components and network links.


Figure 11. Medium site with some redundancy

In Figure 11 we have two Web clusters, each with multiple servers, and two server clusters, each configured as a Microsoft Cluster Service failover cluster. We discuss the infrastructure that adds service availability in the following sections.


Figure 12. Large site with full redundancy

In a large site with full redundancy, not only are there multiple Web clusters, but every back-end server is configured in a Microsoft Cluster Service failover cluster. In addition, there are connections to multiple ISPs and a separate management network.

Availability of front-end systems

As described in Section IV, cloning provides highly available front-end Web service when it is combined with NLBS load balancing and stateless Web servers. As mentioned earlier, if multiple NLBS Web clusters are configured with Round Robin DNS, the Web service can also survive network infrastructure failures.

The basic idea was explained in the Scalability section, with one additional requirement: when a clone fails or stops responding, the load balancing system must remove it from the Web cluster until it is repaired. NLBS automatically tracks the operation of the Web cluster and regroups when a failure occurs. When an IIS Web server on Windows 2000 fails, it restarts automatically; but when an IIS Web server hangs, the condition must be detected by monitoring tools. Microsoft's HTTPMON or third-party tools such as NetIQ (http://www.netiq.com/) can be scripted to do this.

Availability of network infrastructure

The network infrastructure and the continuity of the site's connection to the Internet are critical. As shown in the sample site, the primary technique is multiple Internet connections through multiple ISPs. The connections should be diverse; that is, the links from the providers to the site should follow physically independent paths. This eliminates site outages caused by a cut cable, which is not a rare event.

For maximum availability, consider diverse power feeds and redundant uninterruptible power supplies. Such infrastructure diversity is often a major attraction of hosting sites, which can readily provide hosting with a number of ISPs.

Within the site, switches and routers should be interconnected so that each service has multiple paths and connections. Finally, as described in the Management and Operations section, a separate management network and out-of-band access are important for management and recovery during network infrastructure failures.

Availability of backend systems

Back-end systems are made highly available with Microsoft Cluster Service, which provides the core technology for data-tier redundancy and failover of the services running on the cluster. Microsoft Cluster Service allows multiple SQL databases and file shares to share RAID devices, so if the primary file or database server fails, the standby server automatically comes online in its place. As with NLBS, this system-level service requires no special programming.

Database data and Web content must be stored on RAID disk arrays. If a hard disk fails the data remains available, and the failed drive can be hot-swapped in the array without interrupting service.

The back-end servers periodically send messages called heartbeats to detect a failed application or server. Heartbeats are sent over a dedicated NIC on a private network (the cluster heartbeat network). If a server detects a failure of heartbeat communication, it requests the cluster status to confirm the failure. If the other server does not respond, ownership of the failed server's resources (such as disk devices and IP addresses) is automatically transferred to the survivor, and the failed server's workload is restarted on the surviving server. If an individual application fails (rather than the server), Microsoft Cluster Service usually restarts the application on the same server; if that fails, it transfers the application's resources to another server and restarts it there.
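The failure-handling sequence in the paragraph above, as an added example (not code from the article or from Microsoft Cluster Service): missed heartbeats are confirmed with a status query before any resources move, disk and IP resources move before the service restarts on the survivor, and an application failure is retried locally before it escalates to a failover. Node, group and resource names are constructed sample values.

```python
"""Cluster heartbeat detection and failover as the article describes it.

Added example, not code from the article or from Microsoft Cluster Service.
Two nodes exchange heartbeats over the private cluster network; a node that
misses heartbeats from its peer asks for cluster status to confirm before it
takes over the peer's resources (disk, IP address) and restarts its work. An
application failure alone gets a local restart first and only escalates to a
failover when restarts keep failing. Node and resource names are constructed.
"""
from dataclasses import dataclass

KIND_ORDER = ["disk", "ip", "app"]   # bring disk online before IP, then the service


@dataclass
class Resource:
    name: str
    kind: str        # one of KIND_ORDER
    owner: str       # node that currently has the resource online
    restarts: int = 0


@dataclass
class Node:
    name: str
    alive: bool = True

    def answers_status_query(self) -> bool:
        return self.alive


class Cluster:
    MISSED_BEFORE_CHECK = 3   # heartbeat intervals tolerated before confirming
    MAX_LOCAL_RESTARTS = 2    # app restarts on the same node before moving it

    def __init__(self, nodes, groups):
        self.nodes = {n.name: n for n in nodes}
        self.groups = groups                       # {group name: [Resource]}
        self.missed = {n.name: 0 for n in nodes}
        self.events = []

    def other(self, name):
        return next(n for n in self.nodes if n != name)

    def heartbeat_from(self, name):
        self.missed[name] = 0

    def heartbeat_missed(self, name):
        """Peer saw no heartbeat from `name` this interval; returns moved groups or None."""
        self.missed[name] += 1
        if self.missed[name] < self.MISSED_BEFORE_CHECK:
            return None
        self.missed[name] = 0
        # Confirm first: a lost heartbeat may be a cluster-network fault, not a dead node.
        if self.nodes[name].answers_status_query():
            self.events.append(f"{name}: heartbeat lost but status query answered")
            return None
        return self.fail_over_node(name)

    def fail_over_node(self, failed):
        """The survivor takes ownership of every group the failed node held."""
        survivor = self.other(failed)
        moved = []
        for group, resources in self.groups.items():
            if any(r.owner == failed for r in resources):
                for r in sorted(resources, key=lambda r: KIND_ORDER.index(r.kind)):
                    r.owner = survivor
                moved.append(group)
        self.events.append(f"{failed} confirmed down: {moved} restarted on {survivor}")
        return moved

    def application_failed(self, group):
        """App (not server) failure: restart in place, escalate after repeated failures."""
        app = next(r for r in self.groups[group] if r.kind == "app")
        if app.restarts < self.MAX_LOCAL_RESTARTS:
            app.restarts += 1
            self.events.append(f"{group}: restarted {app.name} on {app.owner}")
            return app.owner
        target = self.other(app.owner)
        for r in sorted(self.groups[group], key=lambda r: KIND_ORDER.index(r.kind)):
            r.owner = target
        app.restarts = 0
        self.events.append(f"{group}: moved to {target} after repeated app failures")
        return target


def build():
    """Constructed two-node cluster: a SQL group on sql-a, a file-share group on sql-b."""
    nodes = [Node("sql-a"), Node("sql-b")]
    groups = {
        "sql-group": [Resource("disk-q", "disk", "sql-a"),
                      Resource("10.10.1.100", "ip", "sql-a"),
                      Resource("MSSQLSERVER", "app", "sql-a")],
        "file-group": [Resource("disk-r", "disk", "sql-b"),
                       Resource("10.10.1.101", "ip", "sql-b"),
                       Resource("content-share", "app", "sql-b")],
    }
    return Cluster(nodes, groups)


if __name__ == "__main__":
    c = build()
    c.nodes["sql-a"].alive = False
    for _ in range(Cluster.MISSED_BEFORE_CHECK):
        c.heartbeat_missed("sql-a")
    c.application_failed("file-group")
    print("\n".join(c.events))
```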

Security

Introduction

Security is concerned with protecting the confidentiality, privacy, integrity, and availability of information. Security mechanisms and services such as encryption, authentication, authorization, accountability, and administration support this goal. Since protection mechanisms are never perfect, detection mechanisms (monitoring and auditing) raise alarms or trigger responses (corrective action) when a possible intrusion occurs. The security domain concept, as used in the Architecture Overview, is invaluable for ensuring policy consistency and the most economical application of security controls. Within a domain, security is like a chain: it is only as strong as its weakest link. Consistent control across the entire domain is necessary, covering all functions and components in the network, platform, and application layers. Compensating controls at the boundary with lower-security domains raise security to the level required.

The first step in protecting a site is to analyze the nature of the business risks, the systems and data to be protected, and the cost of the available security mechanisms, and then identify the best business solution.

Typically, a business site needs higher protection than an information site used only for browsing. Many business sites include multiple features with different security needs, and there is no need to apply the highest level of protection to the entire site. By separating such complex sites into security domains, maximum security protection, which can be expensive, can be applied selectively where it is needed.

Security policy and physical security procedures are important aspects of an effective security program. It is also important to keep user and administrative interfaces as simple as possible, despite the complexity inherent in large sites or introduced by security controls: complexity leads to misconfiguration and circumvention. Policy-based security management and configuration automation should be used wherever feasible. Since this paper focuses on security architecture and technology, we do not pursue this further. It is important to note, however, that effective security is not just technology; it is also people and procedures. If people are not aware of security needs, or consider them irrelevant, the best technology is useless.

In the rest of this section we discuss various protection mechanisms, including network and platform protection. (Application protection is beyond the scope of this article.) Then we consider the customer authentication and authorization required by complex Web applications.

Network protection

DMZ structure

The sample site illustrates the use of firewalls and a DMZ. The DMZ is an important architectural element that provides multi-layer protection between the Internet and internal system resources. It contains:

An Internet-facing firewall, which filters Internet traffic and separates it from the DMZ network traffic.
Special-purpose, highly secure (hardened) components supporting the required services in the DMZ, such as Web or e-mail services.
An inward-facing firewall, which separates DMZ traffic from the secure internal networks while providing controlled access to a limited number of hardened systems and services on those networks.

The Internet-facing firewall is widely used in practice (although often in the form of a security router). Any Web site connected to a corporate or other secure network should also use an internal firewall to isolate the DMZ from the internal network.

The DMZ is necessary to protect the site, but it is not sufficient on its own. Once any component in the DMZ is compromised, it can be used to attack the rest of the site. Sensitive customer and account information and authentication/authorization databases should not be placed in the DMZ but protected on the secure internal network. Performance considerations may force sensitive data to be replicated into the DMZ; if so, other mechanisms, discussed under Platform Protection, must be used to improve data security.

Firewall type

Firewalls typically operate at the network protocol layer and exclude all network traffic except that between permitted source/destination IP addresses and ports (protocols such as HTTP or SMTP).

The simplest way to establish a firewall is a network router configured with the correct Access Control Lists (ACLs). Such a security router acts as a firewall: it can filter unwanted traffic (by protocol type and source and destination address) and protect the DMZ from some, though not all, denial-of-service attacks. Some sites use a router for performance reasons, because very complex firewalls cannot support the required throughput (sometimes in the gigabit-per-second range). Low-risk sites may also choose a security router for cost reasons. Full network-layer isolation is provided by packet-filtering, stateful firewalls, which maintain connection state. They can detect known denial-of-service attacks and provide additional security features such as network address translation (NAT, which completely hides internal devices) and handling of FTP (which dynamically selects data transfer ports). Common firewalls include Cisco's PIX and Check Point's FireWall-1. These devices can now support throughput above 150 megabits per second.

However, firewalls are not a panacea. Since they generally operate at the network layer, they cannot prevent attacks at higher protocol layers. For example, an application or Web server within the DMZ that does not check the length of a string is vulnerable to a buffer overflow. This can crash or degrade the service, or allow an attacker to take control of the component. Unfortunately, this kind of flaw is more common than one would imagine.

Firewall configuration

The Internet-facing firewall should permit only the services required to support the Web site's business functions, typically HTTP and LDAP, and sometimes FTP and SMTP mail. Virtual private networks (VPNs) supporting limited business or other remote services may also be needed. Carefully review and prohibit open access to all ports unless there is a strong business requirement. A general-purpose platform used to build a firewall (for example, Windows 2000 with Check Point's FireWall-1) must be extremely hardened.

The internal firewall should also restrict traffic, based on the access required to internal data and system resources and on the protocols and services needed to support and manage the DMZ components. If an attacker gets through the DMZ, the internal firewall is an important means of protecting the key information resources of the internal network. The number and types of ports and addresses that must cross the internal firewall are often greater than at the external firewall, especially from the DMZ back-end network. Access to the internal network is the attacker's primary goal. Limiting access to a small set of necessary ports and target hosts, each with extremely limited access, means that a compromised DMZ host offers only limited opportunities to attack the internal network.
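The two rule bases described in this subsection, as an added example that is not the article's configuration or any vendor's syntax: the Internet-facing firewall permits only the published Web services to the NLBS virtual IP, the internal firewall permits only explicit port plus source/destination pairs from the DMZ back-end network into the secure network, and everything unmatched is denied and logged. Address ranges reuse the article's 10.10.1.x and 10.10.2.0 networks; the public VIP, the SQL and MSMQ host addresses and the traffic sample are constructed, and port 1433 (SQL Server) and 1801 (MSMQ) are the services' standard TCP ports.

```python
"""Deny-by-default rule bases for the two DMZ firewalls (added example).

Not the article's own configuration or any vendor's syntax; it models the
filtering the text describes and shows which constructed sample packets each
firewall admits, denies by explicit rule, or denies by the implicit final rule.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    src: str                  # CIDR
    dst: str                  # CIDR
    proto: Optional[str]      # None = any protocol
    dport: Optional[int]      # None = any port
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    """First-match rule base with an implicit final deny; every deny is logged."""

    def __init__(self, name, rules):
        self.name = name
        self.rules = list(rules)
        self.log = []

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                if r.action == "deny":
                    self.log.append(f"{self.name}: DENY {p} ({r.note})")
                return r.action
        self.log.append(f"{self.name}: DENY {p} (no matching rule)")
        return "deny"


VIP = "203.0.113.10"           # constructed public NLBS virtual IP address
BACKEND = "10.10.1.0/24"       # DMZ back-end network (article's range)
SECURE_SQL = "10.10.2.50"      # constructed secure SQL cluster address
SECURE_MSMQ = "10.10.2.60"     # constructed MSMQ server address

# Anti-spoofing first, then only the published Web services to the VIP. No
# back-end or secure-network host is reachable from outside at all.
external = Firewall("internet-fw", [
    Rule("deny", "10.0.0.0/8", "0.0.0.0/0", None, None, "RFC 1918 source from Internet"),
    Rule("permit", "0.0.0.0/0", VIP + "/32", "tcp", 80, "HTTP to Web VIP"),
    Rule("permit", "0.0.0.0/0", VIP + "/32", "tcp", 443, "HTTPS to Web VIP"),
])

# Only named port + source/destination pairs cross from the DMZ back end into
# the secure network; everything else, management protocols included, is denied.
internal = Firewall("internal-fw", [
    Rule("permit", BACKEND, SECURE_SQL + "/32", "tcp", 1433, "SQL Server from back end"),
    Rule("permit", BACKEND, SECURE_MSMQ + "/32", "tcp", 1801, "MSMQ from back end"),
])

# Constructed traffic sample for each firewall.
EXTERNAL_SAMPLE = [
    Packet("198.51.100.7", VIP, "tcp", 80),             # customer browsing
    Packet("198.51.100.7", VIP, "tcp", 443),            # customer checkout over SSL
    Packet("198.51.100.7", VIP, "tcp", 21),             # FTP is not a published service
    Packet("198.51.100.7", "10.10.1.20", "tcp", 80),    # aimed directly at a back-end address
]
INTERNAL_SAMPLE = [
    Packet("10.10.1.20", SECURE_SQL, "tcp", 1433),      # Web server to secure SQL
    Packet("10.10.1.20", SECURE_SQL, "tcp", 445),       # file sharing to the SQL host
    Packet("10.10.1.20", "10.10.2.77", "tcp", 1433),    # SQL port, but not the SQL host
]


def audit(fw: Firewall, packets):
    """Return the decision for each packet, in order."""
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for fw, sample in ((external, EXTERNAL_SAMPLE), (internal, INTERNAL_SAMPLE)):
        for p, d in zip(sample, audit(fw, sample)):
            print(f"{fw.name:12} {d:6} {p.src} -> {p.dst}:{p.dport}/{p.proto}")
    print("\n".join(external.log + internal.log))
```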

Network isolation

For security, the internal data networks in the DMZ should be isolated, which also increases bandwidth. Each computer is usually equipped with two or more network interface cards (NICs). The sample site describes the network segmentation and discusses it to some extent. The key principles are:

Isolate different Internet traffic types, for example HTTP, HTTPS, and FTP, into different Web clusters. Each cluster can then be configured to reject all traffic other than the types required for the service it delivers.
Isolate Internet traffic from back-end traffic. This prevents the internal network from being reached directly from the Internet and allows each NIC to be configured with filters limiting traffic to only the types the server requires. As described in the sample site, non-routable network addresses are used for the internal Web site networks.
To isolate management traffic from all other traffic, use the management network. NIC filters can also be configured to restrict management traffic to the management NIC. Powerful management functions should likewise be limited to the management network and never cross the service networks. This also eliminates management traffic through the firewall, which greatly reduces exposure. The management LAN itself must be secured.

HTTPS - SSL for encryption

Sending data across the Internet is like sending a postcard through the mail: anyone along the way can read it. Standard secure communication channels are therefore essential for Web sites and other applications that carry sensitive customer information over public networks. Secure Sockets Layer (SSL), combined with the HTTPS protocol and server authentication, provides the required encryption and Web server authentication. It is important to understand that SSL only protects communication in transit; it is no replacement for the other site security mechanisms. Server authentication is transparent to the client, because most current Web browsers automatically verify certificates issued by all the major certification authorities. It is obviously important that users know they are communicating with the right site and not with someone else.

SSL encryption provides confidentiality and integrity for data in transit, which is especially important for protecting user passwords and credit card information. Because of export restrictions imposed by the US Department of Commerce (DOC), there are currently two encryption strengths. The strong version, using 128-bit keys, may be used freely in the US and by designated industries internationally (such as banking and health care). For other users, exportable encryption software is limited to 56 bits.

SSL does have drawbacks. First, SSL is stateful: state must be maintained while the secure session is established, which adds session-affinity requirements to the front-end load-balancing system. Second, encryption and decryption are computationally intensive for Web servers, which may not have enough processor cycles to support this feature in software. Hardware accelerators can relieve the server load, but they are expensive and are deployed only on a limited number of front-end servers. In other words, HTTPS is usually isolated from HTTP and supported on dedicated front-end servers. For these reasons, the use of SSL is restricted to communications that genuinely need this level of protection.

Intrusion detection

Intrusion detection systems (IDS), such as Cisco's NetRanger or ISS, provide real-time monitoring of network traffic. An IDS detects a wide range of hostile attack signatures (patterns), can generate alarms to alert operators, and in some cases can direct a router to stop communicating with the hostile source.

Deploying some form of intrusion detection is important for highly secure environments, consistent with the "prevent, detect and respond" security approach discussed in the "Security: Introduction" section. IDS sensors should be installed on each distinct network, even in front of the firewall or border router. These sensors communicate with a management console, which is described in the "Management and Operations" section later.

Unfortunately, several factors mean that IDS is still not in common use:

Performance: real-time monitoring of very high-throughput networks is still not feasible.
False positives and false negatives: the ability of an IDS to distinguish attacks from normal network traffic is improving, but is still inadequate. The low signal-to-noise ratio buries IDS administrators in records.
Cost: IDS implementation and operation are expensive.

Other techniques can be used for intrusion detection, for example routing Telnet port traffic to a trap (honeypot) or dedicated server. Although they cannot prevent intrusions, third-party server log analysis tools can provide intrusion information. Cisco provides the NetFlow feature on its routers, which can be used to detect network intrusions, but it lacks good analysis tool support. Unfortunately, the state of intrusion detection technology is not well developed.

Platform protection

Hardening components

Hardening is another important way to protect the operating system of each server. All DMZ systems and the internal systems they communicate with should be hardened. This includes strictly defining and configuring access to resources (for example, files and registry keys) using ACLs, and removing protocols, services and utilities that do not support the business functions and computer management. Careful attention must also be paid to the security and auditing settings.

The TCP/IP protocol stack should use filtering wherever feasible. IPsec (IP Security) in Windows 2000 provides mature, complete filtering policies, quite apart from its integrity and encryption functions. Blocking selected ports for an IP address or subnet is possible without a restart. All filtering takes place at the lowest layer, so services such as IIS never see the traffic at all. The Security Configuration Editor (SCE), distributed with Service Pack 4 for Windows NT 4.0, is an important new tool for implementing consistent, policy-based control. Windows 2000 adds the Group Policy Editor (GPE), which extends this capability (and more) to domains, Active Directory organizational units, or even groups of computers. Most operating system security configuration settings can now be defined in a policy template. Templates can be configured for each type of machine and applied to all the computer systems in the site. Since these templates should lock the production computers down tightly, it is best also to build a template for maintenance and diagnosis. The associated analysis function allows the server's current security configuration to be analyzed and verified, an important way to confirm ongoing compliance with policy.

Third-party network and system security scanning tools are another important aid in ensuring that the site servers are securely configured. Well-known products from vendors such as Internet Security Systems (ISS, http://www.iss.net/) and Network Associates (http://www.nai.com/) include a wide range of attack scenarios and provide an assessment of network and system weaknesses.

To stay informed of the latest attacker techniques and of the patches needed to keep defenses current, it is essential to follow security advisories, such as those from CERT (http://www.cert.org/). Microsoft provides e-mail security bulletins for its products. (Administrators can subscribe to the service at http://www.microsoft.com/security/.)

Key service components, such as domain controllers, domain name services, Internet Information Server and Microsoft SQL Server, have special additional requirements. An excellent and complete security checklist for configuring Windows NT 4.0/IIS 4.0 servers is available at http://www.microsoft.com/security/. Much of the Windows NT configuration also applies to Windows 2000 and to other DMZ hosts.

Monitoring

The platform must be monitored (audited) regularly to ensure that its configuration and policy do not drift from the initial security configuration. Many logs and tools provide this capability, including the Windows 2000 event logs, IIS logs, Security Configuration and Analysis, and Sysdiff (NT Resource Kit). Windows 2000 uses code signing and the System File Checker to verify the integrity of important system modules. A large number of third-party tools support integrity checking, including antivirus scanners from various sources and Tripwire from Tripwire Security (http://www.tripwiresecurity.com/), which verifies selected files and registry settings.

It is also important to review administrator, group and service accounts regularly to ensure that access is available only to the people the site policy permits. For sites with relatively few accounts this is just a simple manual process.
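An added example, not code from the original article or from any of the tools it names: a Tripwire-style integrity check in Python that baselines the digests of the files under a Web root and reports which files were added, removed or modified since, which is the kind of drift from the initial configuration the monitoring described above is meant to catch. The Web root contents, the baseline file name and the drift scenario are constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# Hypothetical baseline format: {"relative/path": "sha256 hex"}. In practice the
# baseline is kept somewhere the monitored host itself cannot modify.


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Digest every regular file under root, keyed by its path relative to root."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report drift from the baseline: files added, removed, or changed."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed Web root: baseline it, then simulate the drift a check should catch."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wwwroot"
        root.mkdir()
        (root / "default.htm").write_text("<html><body>Welcome</body></html>")
        (root / "global.asa").write_text("<script language=vbscript runat=server></script>")
        (root / "images").mkdir()
        (root / "images" / "logo.gif").write_bytes(b"GIF89a constructed placeholder")

        # Store the baseline outside the monitored tree, serialised as it would be on disk.
        baseline_file = Path(tmp) / "baseline.json"
        baseline_file.write_text(json.dumps(snapshot(root), indent=1))

        # Simulated drift: a changed page, a file that is not part of the build, a missing file.
        (root / "default.htm").write_text("<html><body>changed content</body></html>")
        (root / "unexpected.asp").write_text("<% ' constructed, not part of the build %>")
        (root / "global.asa").unlink()

        return compare(json.loads(baseline_file.read_text()), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run on a real server, `snapshot()` would be taken from a known-good build and stored off-host, with `compare()` scheduled against a fresh snapshot.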

Windows domain structure

The site's server farm consists of several classes of servers, each containing a large number of machines; a large site may contain thousands of servers. A separate back-end network typically supports all the servers within the DMZ. Because of the administrative and service accounts required to support the site, a single domain structure is suitable for managing all DMZ server accounts. Authentication to the secure network and to the internal servers and their databases may require a one-way trust relationship with the internal domain. Windows 2000 provides flexible integration of site accounts with the business's Active Directory while supporting the high security requirements of the site.

Protecting site data security

The security mechanisms for protecting data integrity and confidentiality include network and system access control, encryption, and verification or monitoring tools.

First, classify the data the site holds: for example program and HTML code; customer information, including passwords or other authentication/authorization data; advertisements; product catalogs and other content. For each type, understand the impact of unauthorized access (confidentiality) and of unauthorized destruction or modification (integrity). For example, most static HTML pages are public and need no access protection. On the other hand, defacement of those pages would seriously damage users' confidence in the site.

Once the data's characteristics are understood, the related risks assessed and the cost of protective controls identified, sound business judgment should determine the required protection.

One of the most costly and important decisions to be made is whether to replicate the site systems and databases geographically, or to rely on alternative contingency plans. Natural disasters, fires, terrorist attacks and major network outages are unlikely, but there is always the possibility that the site cannot operate.

A DMZ that is carefully planned, implemented and maintained is quite secure. However, highly sensitive data usually warrants additional protection. Common approaches are:

Store sensitive data inside the internal firewall (for example, on the secure network of the sample site). Because some access paths must legitimately pass through the firewall, this solution is not universal, and performance can drop to an unacceptable level.
Databases typically contain data of low sensitivity, but some data, such as credit card numbers, must be protected. If such data resides within the DMZ, encrypt it in the database and decrypt it when needed.
Store passwords only after transformation by a one-way algorithm, never in the clear.
The directory used for customer authentication requires special attention, because a compromise of that subsystem exposes all customer data.

Microsoft's SQL Server 7.0 relational database enforces the ANSI/ISO SQL standard, which specifies that users cannot view or modify data unless the data's owner grants them permission. To ensure strict, secure authentication, it is important to run SQL Server in Windows NT Authentication mode. (SQL Server Authentication mode is not recommended, because the system administrator defines the user login accounts with passwords that are transmitted in clear text.) Securing SQL Server is generally beyond the scope of this article. For more information, see SQL Server 7.0 Books Online, available from MSDN.

Customer (member) Access Control

Customer access control comprises an authentication mechanism, which verifies the customer's identity, and an authorization mechanism, which specifies the resources an authenticated user may access.

Authentication on large sites can be as simple as a cookie in the anonymous customer's browser. (Customer cookies are also widely used to maintain customer authentication and authorization state. To prevent tampering, the Web server should sign cookies with a key, and sensitive data in cookies should also be encrypted.) Anonymous registration is often used for advertisement tracking and customer personalization.
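As an added example (not code from the original article, Site Server or Passport), the following Python shows two of the points above in working form: a member record that holds only a salted one-way transform of the password, as the data-protection list recommends, and a login cookie signed with a server-held key so that a cookie with an altered user id or expiry is rejected. The signing key, member name and record format are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Hypothetical signing key held by the Web servers (constructed for this example).
# It never leaves the server; the client only ever sees the signature it produces.
COOKIE_KEY = b"constructed-demo-key-replace-in-production"
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record containing only a salted one-way transform.

    The clear-text password is never written to the directory or database.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the transform with the stored salt and compare in constant time."""
    try:
        _algo, rounds, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def _sign(body: str) -> str:
    """Keyed MAC over the cookie body; only the server can produce it."""
    return hmac.new(COOKIE_KEY, body.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_cookie(user_id: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Build an authentication cookie: user id, expiry, and a MAC over both."""
    now = int(time.time()) if now is None else now
    body = f"{user_id}|{now + ttl_seconds}"
    return f"{body}|{_sign(body)}"


def check_cookie(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, otherwise None.

    The MAC is checked before anything in the body is trusted, so an edited
    user id or a pushed-out expiry is rejected as tampering.
    """
    try:
        user_id, expires, tag = cookie.rsplit("|", 2)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(f"{user_id}|{expires}"), tag):
        return None
    now = int(time.time()) if now is None else now
    if not expires.isdigit() or int(expires) < now:
        return None
    return user_id


# Constructed member directory: one record, holding the transformed password only.
MEMBERS = {"alice": hash_password("correct horse battery", salt=bytes.fromhex("00" * 16))}


def login(user_id: str, password: str, now: Optional[int] = None) -> Optional[str]:
    """Form-based login: verify against the stored record, then issue a signed cookie."""
    record = MEMBERS.get(user_id)
    if record is None or not verify_password(password, record):
        return None
    return issue_cookie(user_id, ttl_seconds=3600, now=now)


if __name__ == "__main__":
    cookie = login("alice", "correct horse battery", now=1_000)
    print("issued:", cookie)
    print("valid for:", check_cookie(cookie, now=2_000))
    forged = cookie.replace("alice", "admin", 1)
    print("forged cookie accepted:", check_cookie(forged, now=2_000) is not None)
```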

For consumer-facing Web applications, the most widespread authentication mechanism is form-based login, which combines a user ID and password within an encrypted SSL session. Although X.509 client authentication is increasingly applied to business applications, it is unlikely to become popular with consumers in the near future.

Authentication suffers from a general lack of industry standards; existing third-party approaches remain proprietary. Traditionally, most authentication functions have been hard-coded into the business logic, so development and maintenance costs are high. LDAP-based directory servers, which are typically scalable and available, are located in the DMZ to support authentication and are sometimes used for authorization as well. Windows 2000 Active Directory, which provides LDAP, supports millions of users out of the box. The Active Directory's extensible framework can serve as the basis of secure access control for the Windows file system, IIS and other Microsoft products.

Microsoft's Site Server 3.0 and Site Server 3.0 Commerce Edition scale to support a virtually unlimited number of users. Site Server implements the LDAP protocol over a SQL Server database in its Site Server Membership service, for large sites. Site Server Membership, combined with IIS, supports authentication and authorization, including users, groups, credentials, permissions, roles and preferences. Membership's extensible architecture supports site-specific, true ACLs at the object and even the attribute level. Site Server Membership can greatly reduce the burden of customer access functions while providing powerful and fully integrated built-in features.

Microsoft's Passport service (http://www.passport.com/) offers another advanced customer authentication method. Passport is a common login service that partners can integrate into their sites. The convenience for customers lies in simplified login access to partner sites and secure, one-click purchasing through Microsoft's partner Wallet service. Because the authentication function is provided by the service, the burden of developing and supporting it on the partner site is reduced. Partners can also share customer profile information and access the secure credit card data stored in the Wallet. Partners must install the Passport Manager on their site to proxy Passport login, manage cookies and convert Wallet data. Passport uses a Kerberos-style authentication that makes extensive use of browser cookies.

Key points

Site security is not an add-on feature. It is very important to plan security in advance and to weigh the risks against the cost of achieving the expected protection. The security domain model is an important tool for ensuring adequate, cost-effective security on the site.

Protection mechanisms can be divided into network security, platform security and application security (the last is beyond the scope of this document). The key elements of network security are firewalls/DMZs, network segmentation and SSL encryption. Platform security consists of hardened operating systems and services, together with auditing functions and monitoring tools.

E-commerce and customer personalization require customer authentication and authorization. The LDAP protocol supports access control. Confidential customer information, especially passwords and account information, should be stored inside the internal firewall.

Management and operation

Introduction

The site's dependence on the network and on uninterrupted service puts considerable pressure on ensuring the availability, robustness and performance of the running services. Designing a sophisticated management system is the key to successfully managing and operating a large business site. Good deployment tools allow the Web site to grow smoothly. Good monitoring and troubleshooting tools allow operators to resolve problems with components and services quickly, before the business is affected. The management system itself must also be protected from going out of service.

Many large sites are geographically separated from their operators, being hosted in managed data centers close to high-capacity Internet bandwidth. To reduce travel costs, the management network must provide the ability to deploy, provision, monitor and troubleshoot the geographically remote site.

Managing and operating site systems is complex and difficult. Operators face challenges in deploying, tuning and operating Web site systems. Microsoft and many third-party vendors provide a wide range of Windows NT systems management products. In addition, Microsoft development tools let operators customize the management system to run the site better.

Site management should integrate system and network management. Microsoft's Systems Management Server can be used for system management tasks such as planning, deployment, and change and configuration management. Microsoft tools and service packs such as Performance Monitor, SNMP services, WMI, event logs and backup tools serve event management, performance management and storage management (operational management). Large sites often purchase network management from Web hosting companies that provide the network infrastructure, services and tools (for example, fault isolation and resolution, and round-the-clock monitoring of servers, backbone paths, routers, power systems and so on, anywhere in the world). This section concentrates on system and operational management, leaves network management to the Web hosting provider, and explains how to use Microsoft products and technologies to build a reliable and powerful management system.

The main points addressed in this section are:

Separate the management network from the service network, to improve availability and enhance security.
Distribute the management network components, to eliminate or reduce performance bottlenecks, eliminate single points of failure, allow independent expansion, and improve the availability of the management system.
Use Microsoft tools and products wherever possible, to obtain higher performance from their close integration with the underlying platform.
Automate tasks wherever possible.
Monitor everything, to improve the infrastructure and identify problems before they occur.

Management infrastructure

Management network

Management and operations can share the back-end network or exist on a separate LAN. Using the back-end network for management (sometimes called in-band management) costs less and is easy to operate. But for the following reasons, this approach may not be suitable for managing a round-the-clock service:

In-band management impairs the performance of the service network. Management notifications, such as SNMP traps, can flood the network, creating or amplifying performance bottlenecks.
When the service network is down, fault notifications cannot be generated.
There are security implications.

Therefore, for large Web sites, developers should build a separate management network for scalability, availability and security.

Management system components

Typically, a management system consists of management consoles, management servers and management agents.

Figure 13. Management system components

Figure 13 is a schematic diagram illustrating the core management system components and the communication between them.

Management console

The management console is the interface between the management system and the user. The management console is responsible for:

User login and authentication (network operators, administrators).
Access to all management servers: once a management server is accessed, the user can, subject to the server's permissions, view the status of all managed nodes and issue commands to update software and configuration on those nodes.
Providing responses to the user's commands.

Many current solutions implement the management console and management server, which should be regarded as two logical layers, in a single tier for cost and ease of use. However, it is sometimes necessary to decouple the two layers for availability, for scalability, or because the managed network is remote from the operations center.

Management server

Management servers are the workhorses of the management system. They communicate with managed nodes (Windows NT servers, Cisco routers and other network devices) through proprietary or standard protocols. A management server is responsible for:

Accepting, filtering and correlating events from the managed nodes in its domain.
Collecting, storing and analyzing performance information.
Distributing and installing software on managed nodes.
Updating configuration parameters on managed nodes.

Because management servers collect large amounts of information (more than a few megabytes per day), this information is typically stored on a separate computer, the back-end server.

Management agent

A management agent is a program that resides on a managed node. To be managed, each device, whether a Windows NT server or a simple network hub, must have a management agent. The management agent mainly performs the following functions:

Monitors the resources of the managed device and, on their behalf, actively sends notifications and events.
Provides tools for configuring and tuning the managed node's resources.
Queries the managed device's resources to check their current configuration, status and performance data.

Some nodes may have only one agent, such as an SNMP-managed network router. Others, such as Windows NT servers, are more complex and include multiple agents using different protocols. Agents and servers communicate using standard and proprietary protocols.

Scaling the management infrastructure

To protect the initial investment, the management system must be able to grow from small to large along with the site it manages. When a site expands, the management system must scale fully to cover the newly added components.

Small sites can be managed by a very simple management system, which typically uses the back-end network. The simplest management system is a centralized one: a small number of computers running management server and console software, each able to manage the entire site. The centralized management system is described first. To scale such a management system, developers must distribute it; the steps required for a distributed management system are introduced next. Finally, an example of a distributed management system is given.

Centralized management system

A management system can be either centralized or distributed. A centralized management system is characterized by a single central management entity that controls the whole management system. Centralized management is implemented by one or more powerful computers that have access to all components of the site system, monitor all devices, and accept alarms and notifications from all managed elements. Central management is usually carried out over the primary service network.

Because centralized management systems are simple, inexpensive and easy to manage, they are very popular in small environments (such as start-up sites with only a few servers). Microsoft provides a wealth of tools and applications such as SMS, PerfMon, event logs, Robocopy and scripting. Third-party vendors offer other applications and tools.

Distributed management system

As a Web site grows rapidly, centralized management systems prove inefficient. A centralized management system concentrates management on one or two computers: it lacks scalability, creates performance bottlenecks, and has single points of failure. These issues make centralized management systems unsuitable for managed, rapidly expanding and highly available sites. To address scalability and availability, the management system should be distributed as follows:

Separate the management consoles from the management servers.
Add more servers, so that each server manages fewer nodes.
Add more consoles, to give access to more administrators and technicians.
Divide the workload between servers by region or by management function.

Management system example

Our sample site uses a distributed management system implemented on a separate LAN.

Figure 14 depicts the management system used by the sample site. Because the subject of this chapter is the management system, the managed system, the site itself, is drawn as a cloud. See Figure 3 for details of the sample site architecture.

Figure 14. Management system example

In this management system example, different line styles, thicknesses and annotations represent the management LAN, remote access, and the applications installed on the management system components. They are:

Management network (heavy lines).
RAS dial-in to the management network (fine lines).

Management console

In this example management network, the management consoles are separated from the management servers and can be concentrated in a (highly secure) Network Operations Center. Management tools and applications must be chosen carefully so that almost all management functions can be provided remotely.

Management consoles can run Windows NT Server, Windows NT Workstation, or Windows 2000 Professional. They typically have many applications: the Systems Management Server Administrator Console, the Terminal Services (TS) client, Telnet, Internet Explorer, and an SNMP MIB browser. All of these tools provide remote management, so they can also be used while travelling.

Management server

In a distributed system, each management server serves only the managed nodes within its jurisdiction, such as a region or partition: a building, a campus, a city and so on. For example, in each office in Europe and North America, a local management server can manage local events and the local network. Distributing the management servers and partitioning them so that each manages a limited number of nodes:

Allows the management servers to be locked away securely.
Reduces or eliminates network congestion (that is, a Windows NT server in Asia is upgraded by the management server in Tokyo and need not reach the server in New Jersey).
Eliminates single points of failure.

Generally, a management server does not interact with the managed nodes of other regions (though this is not ruled out).

We recommend that the management servers run Windows NT Server 4.0 or Windows 2000 Server, to ensure better system stability and to provide the additional services available only in the server versions. The management applications provide the system and network management functions the site requires. The services and applications provided by Microsoft (Performance Monitor, Systems Management Server (SMS) and Event Log) should be installed on the management server. An SNMP trap manager or trap receiver should also be installed on the management server.

Back-end server (BES)

The back-end server is a computer with large-capacity disks for long-term storage of the data the management servers collect. A separate computer is not strictly required to store management data. However, the largest business sites record gigabytes of data every day (for later data mining and use), so a separate computer is used to store this information. A large database is often used to store the events, performance counters and statistics recorded by the managed nodes. The SMS database can also be placed on the BES. The back-end server also hosts the utilities and tools that work on the data stored in the database: collectors, analyzers and so on. This allows many customers to use their own highly customized or legacy tools.

Distributed versus centralized

Distributed management systems have several important advantages over centralized ones. They provide better scalability and availability, and reduce or eliminate performance bottlenecks and single points of failure. However, distributed management systems also have drawbacks, such as higher cost (from the additional equipment and administration) and greater complexity. When designing the management system for a site, weigh the pros and cons of centralized and distributed management carefully.

Management system requirements

Deployment and installation

To deploy new services and devices successfully, the management system must provide deployment and installation tools. Deployment includes installing and configuring new devices and replicating site content and data to the new machines. The following tools and techniques are often used to provision new services and machines.

Unattended / automatic server installation

To deploy a new server, use scripts to create a "gold" (or ideal) build of the server. Then use a tool such as Norton Ghost Walker to capture an image of the gold server's system disk, and build new servers from this gold image.

Sysprep (Windows 2000)

Sysprep is a tool for fully installing Windows 2000 on multiple machines (available from the Windows 2000 Resource Kit). After completing the initial installation steps on a single system, the administrator runs Sysprep to prepare the sample computer for duplication. The Web servers in a site's server farm are usually based on the same image but differ in secondary configuration (such as name and IP address). The combination of Sysprep and a Winnt.sif answer file provides a means of configuring each computer individually.

Content replication

Content Replication Service and Robocopy are often used for content replication. Content Replication Service is part of the Microsoft Site Server product family (http://www.microsoft.com/siteserver/site/). Robocopy is a 32-bit Windows command-line application that simplifies the task of maintaining identical copies of a folder tree in multiple locations. Robocopy is available in the Windows NT/2000 Resource Kit.

Change and configuration management

Systems Management Server provides all the tools required for change and configuration management of site servers. SMS handles many change and configuration management tasks, such as hardware and software inventory, product compliance, software distribution and installation, and software metering.

For more information on Microsoft Systems Management Server, see http://www.microsoft.com/smsmgmt/. Tools from third parties are listed at http://www.microsoft.com/ntserver/management/exec/vendor/thrdprty.asp.

Performance monitoring

Continuous monitoring is essential for the 24x7 service the site runs. Many sites use log- and counter-based monitoring, together with as much remote management as possible, to ensure continuous availability and to provide data for improving their infrastructure. Tools for monitoring site server performance include Performance Monitor, the SNMP MIB browser and HTTPMON.

Event management

Event management involves monitoring the health and status of site systems (usually in real time), alerting administrators to problems, and consolidating event logs for easier management. Event monitoring tools can track each server or network component, and can also watch application services such as e-mail, transaction or Web services. For sites with hundreds of machines, the important events must be filtered out of the background noise, so event filtering, alerting and display tools are absolutely necessary. Tools such as the event logs, the SNMP agent and SMS (which converts events to SNMP traps) can be used for event management.
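The filtering described above, as an added example that is not code from the original article or from SMS: a small Python triage routine run over a constructed event export. It drops informational noise, raises single high-value events (audit log cleared, service terminated) and correlates repeated logon failures from one workstation within a time window. The export format and its contents are constructed; the event IDs follow Windows NT/2000 numbering.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed event export (not a real log): time | computer | log | id | type | message.
# Event IDs follow Windows NT/2000 conventions: 528/529 logon success/failure,
# 517 audit log cleared, 7034 service terminated unexpectedly.
SAMPLE_EXPORT = """
2000-01-14 09:00:01 | WEB01 | Security | 528 | Success | Successful Logon: User=svc_iis Workstation=WEB01
2000-01-14 09:00:30 | WEB02 | Application | 100 | Information | Content replication completed
2000-01-14 09:01:10 | WEB01 | Security | 529 | Failure | Logon Failure: bad password User=administrator Workstation=MGMT07
2000-01-14 09:01:14 | WEB01 | Security | 529 | Failure | Logon Failure: bad password User=administrator Workstation=MGMT07
2000-01-14 09:01:19 | WEB01 | Security | 529 | Failure | Logon Failure: bad password User=administrator Workstation=MGMT07
2000-01-14 09:02:00 | WEB02 | Security | 529 | Failure | Logon Failure: bad password User=alice Workstation=WS12
2000-01-14 09:05:30 | SQL01 | System | 7034 | Error | The MSSQLServer service terminated unexpectedly
2000-01-14 09:07:00 | WEB01 | Security | 517 | Success | The audit log was cleared User=administrator
"""


@dataclass
class Event:
    time: datetime
    computer: str
    log: str
    event_id: int
    kind: str
    message: str


Alert = Tuple[str, str, str]  # (alert type, computer, detail)


def parse_export(text: str) -> List[Event]:
    """Parse the constructed export; malformed lines are skipped, not guessed at."""
    events: List[Event] = []
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split("|", 5)]
        if len(fields) != 6:
            continue
        when, computer, log, event_id, kind, message = fields
        events.append(Event(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                            computer, log, int(event_id), kind, message))
    return events


def triage(events: List[Event], window_seconds: int = 60, threshold: int = 3) -> Dict[str, object]:
    """Separate the few events an operator must see from the background noise.

    Single events that always matter are raised at once; logon failures are only
    raised when `threshold` of them come from one workstation within `window_seconds`.
    """
    alerts: List[Alert] = []
    suppressed = 0
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)

    for ev in events:
        if ev.event_id == 517:
            alerts.append(("audit_log_cleared", ev.computer, ev.message))
        elif ev.event_id == 7034:
            alerts.append(("service_terminated", ev.computer, ev.message))
        elif ev.event_id == 529:
            m = re.search(r"Workstation=(\S+)", ev.message)
            failures[(ev.computer, m.group(1) if m else "unknown")].append(ev.time)
        elif ev.kind in ("Information", "Success"):
            suppressed += 1  # routine noise: never shown to the operator

    # Sliding window over the sorted failure times per (computer, workstation).
    for (computer, workstation), times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                alerts.append(("repeated_logon_failure", computer,
                               f"{threshold} failures from {workstation} within {window_seconds}s"))
                break  # one alert per source is enough

    return {"alerts": alerts, "suppressed": suppressed}


if __name__ == "__main__":
    result = triage(parse_export(SAMPLE_EXPORT))
    print(f"suppressed {result['suppressed']} routine events")
    for kind, computer, detail in result["alerts"]:
        print(f"ALERT {kind} on {computer}: {detail}")
```

The window and threshold are the knobs that trade false positives against missed attacks; a real deployment would feed the alerts to the paging or SNMP-trap path described in the section on automation.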

Out-of-band emergency recovery

Repairing a failed node when the management network itself is disrupted is a difficult problem. When in-band management is disrupted, the node can be managed out of band (OOB).

OOB management refers to accessing a managed node through dial-up telephone lines or serial cables rather than through the management network. Each managed node must therefore have a serial port for out-of-band access. OOB management allows a failed service or node to be brought back online and repaired, and the cause of the failure analyzed.

OOB requirements

OOB management should provide all or some of the following features:

Operating system and service control

Restart a failed service or node.
Take a failed service or node offline. (This is important, because a failed node can flood the network with fault notifications.)
Set and control firmware; change the firmware configuration.
Configure the operating system and services.

BIOS and boot device control

Hardware power management.
BIOS configuration and hardware diagnostics.
Remote console input and output.

OOB solutions

Many solutions can accomplish the tasks described above. Table 2 summarizes the most widely used solutions from Microsoft and third-party vendors.

Table 2. Out-of-band solutions

Function                                     Name                                                            Vendor
Terminal server                              Windows NT 4.0 Terminal Server Edition or Windows 2000 Server   Microsoft
                                             Termserv                                                        Seattle Labs
Setup and installation                       Unattended setup and post-setup scripts                         Microsoft
                                             GHOST                                                           Norton
                                             IC3                                                             ImageCast
                                             Remote Installation Services (Windows 2000)                     Microsoft
BIOS configuration and hardware diagnostics  Integrated Remote Console (IRC)                                 Compaq
                                             Remote Insight Board (RIB)                                      Compaq
                                             Display and remote server access                                Apex
Hardware power management                    Integrated Remote Console (IRC)                                 Compaq
                                             Remote Insight Board (RIB)                                      Compaq
                                             Remote power control                                            BayTech

OOB security

Dialing in to a console port exposes the network to anyone who can reach that port, and OOB operations must be protected against this. At a minimum, administrators must be strongly authenticated, usually with a one-time (challenge-response) password produced by a security token. Each administrator holds a hardware- or software-based token and uses it to negotiate with the target's access server. This opens a connection to a terminal server, which in turn provides serial access to a host. Ideally, link encryption is also used to prevent eavesdropping and the compromises an intruder could otherwise achieve. An increasingly popular solution is a public-key-based VPN (virtual private network), which provides both strong authentication and encryption.
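The one-time challenge-response login described above, modeled in Python as an added example (this is not code from the original article or from any vendor's product). The access server and the administrator's token share a secret; HMAC-SHA256 is assumed as the response function, since the page does not name the algorithm the tokens of the period used, and the secret and user name are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

def token_response(secret: bytes, challenge: bytes) -> bytes:
    """What the administrator's hardware or software token computes for a
    challenge. HMAC-SHA256 is an assumption; real tokens use vendor algorithms."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class AccessServer:
    """Hypothetical OOB access server in front of the terminal server. It accepts a
    response only for a challenge it issued, only once, and only within the time limit."""

    def __init__(self, token_secrets: dict, challenge_ttl: float = 60.0,
                 clock=time.monotonic):
        self._secrets = dict(token_secrets)     # user -> token secret
        self._pending = {}                      # user -> (challenge, time issued)
        self._ttl = challenge_ttl
        self._clock = clock                     # injectable for testing expiry

    def issue_challenge(self, user: str) -> bytes:
        if user not in self._secrets:
            raise KeyError("unknown administrator")
        challenge = secrets.token_bytes(16)     # fresh random nonce every login
        self._pending[user] = (challenge, self._clock())
        return challenge

    def verify(self, user: str, response: bytes) -> bool:
        entry = self._pending.pop(user, None)   # a challenge is consumed on use
        if entry is None:
            return False                        # nothing outstanding: replay or guess
        challenge, issued = entry
        if self._clock() - issued > self._ttl:
            return False                        # too old; a captured response is useless
        expected = token_response(self._secrets[user], challenge)
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    """Walk through a login, a replay of the same response, and a wrong token."""
    server = AccessServer({"ops1": b"constructed-demo-secret"})
    challenge = server.issue_challenge("ops1")
    good = token_response(b"constructed-demo-secret", challenge)
    first = server.verify("ops1", good)         # True: fresh challenge, right token
    replay = server.verify("ops1", good)        # False: challenge already consumed
    challenge2 = server.issue_challenge("ops1")
    wrong = server.verify("ops1", token_response(b"other-token", challenge2))
    return {"first": first, "replay": replay, "wrong_token": wrong}
```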

Automation of management tasks

The management system should be designed to allow automated operations, such as stopping or starting services or entire nodes, running scripts or batch files when an event occurs, or attempting recovery when the management network is unavailable. A well-designed system automatically notifies IT staff of events or problems by e-mail, telephone, pager, or mobile phone.

A variety of tools and applications can automate management tasks:

Set an alert threshold on a counter in the Alert view of Performance Monitor, so that when the selected counter's value is equal to, greater than, or less than the specified setting, a message is sent, a program is run, or a log is started.
SNMP managers provide automation tools that generate a notification when a trap is received and then run a program, batch file, or script.
BackOffice components (such as Microsoft Exchange and SQL Server) can raise exceptions when a service-related event occurs (for example, a remote mail server fails to answer messages within a predefined interval). Microsoft Exchange Server, for example, can send e-mail, display an alert on screen, or send a notification to an external application.
Flexible scripts written with Windows Script Host (WSH) or any other scripting mechanism can monitor the system and generate a message or trigger an automated task when needed.

Many third-party solutions also implement automation; they are listed at http://www.microsoft.com/ntserver/management/exec/vendor/thrdprty.asp.
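The counter-threshold alerting described above, and the noise filtering called for under event management, expressed in Python as an added example (not code from the original article or from Performance Monitor). Rules use the same equal/greater/less comparisons and the same message/program/log actions; a minimum consecutive-hit count and once-per-excursion firing keep a flapping counter from generating an alert storm. Counter names and readings are constructed sample data.

```python
import operator
from dataclasses import dataclass, field

# The three comparisons the Performance Monitor alert view offers.
COMPARATORS = {"eq": operator.eq, "gt": operator.gt, "lt": operator.lt}

@dataclass
class AlertRule:
    counter: str        # counter name (hypothetical names in the samples below)
    op: str             # "eq", "gt" or "lt"
    threshold: float
    action: str         # "message", "program" or "log"
    min_hits: int = 1   # consecutive breaching samples required (noise filter)

@dataclass
class AlertEngine:
    rules: list
    _streak: dict = field(default_factory=dict)   # rule index -> consecutive hits
    _active: set = field(default_factory=set)     # rules that have already fired

    def evaluate(self, sample: dict) -> list:
        """Evaluate one sample {counter: value}. Returns (action, counter, value) for each
        rule that fires; a rule fires once per excursion and re-arms when the counter recovers."""
        fired = []
        for i, rule in enumerate(self.rules):
            value = sample.get(rule.counter)
            if value is None:
                continue                        # counter not present in this sample
            if COMPARATORS[rule.op](value, rule.threshold):
                self._streak[i] = self._streak.get(i, 0) + 1
                if self._streak[i] >= rule.min_hits and i not in self._active:
                    self._active.add(i)
                    fired.append((rule.action, rule.counter, value))
            else:
                self._streak[i] = 0             # back to normal: reset and re-arm
                self._active.discard(i)
        return fired

# Constructed sample counter readings, one dict per polling interval.
SAMPLES = [
    {"cpu_pct": 95, "free_mb": 100}, {"cpu_pct": 97, "free_mb": 40},
    {"cpu_pct": 99, "free_mb": 45}, {"cpu_pct": 92, "free_mb": 60},
    {"cpu_pct": 50, "free_mb": 60}, {"cpu_pct": 95, "free_mb": 30},
]

def simulate(samples=SAMPLES) -> list:
    """Run the series through two rules; returns (interval, action, counter, value)."""
    engine = AlertEngine([AlertRule("cpu_pct", "gt", 90, "message", min_hits=3),
                          AlertRule("free_mb", "lt", 50, "program")])
    return [(n, *hit) for n, s in enumerate(samples) for hit in engine.evaluate(s)]
```

With the sample data the CPU rule waits for three consecutive breaches before sending its message, while the memory rule fires at once, re-arms when free memory recovers, and fires again on the second excursion.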

Security

The security of the management infrastructure is critically important, because a compromise of this subsystem exposes every component of the entire site. All of the security elements discussed in the security architecture section earlier apply here as well.

Despite its wide use, one of the most popular management protocols, SNMP, remains weak from a security standpoint. SNMP community strings are very weak passwords. Although SNMP does not let anyone log in, it can allow someone to control nodes. Select the management protocols used on each site carefully and control them strictly.

Summary

In this article we discussed how to use the Microsoft Windows platform and other Microsoft technologies to build a scalable, available, secure, and easy-to-manage site infrastructure. We emphasized keeping the operation and design of large sites simple and flexible, and focused on how to deploy and operate a site successfully according to the four objectives of the architecture:
Linear scalability: continuous growth to meet user demand and business complexity.
Continuous service availability: redundancy and functional specialization to increase fault tolerance.
Security of data and infrastructure: protecting data and infrastructure from malicious attack or theft.
Simplicity and integrity of management: ensuring that operations can keep up with growth.

We expect this to be the first of many articles covering in depth the design, development, deployment, and operation of large commercial Web sites with Microsoft products and technologies.
