Technology Architecture Guidebook

Presentation transcript:

Technology Architecture Guidebook Technology Infrastructure Definition

Introduction

Technology Architecture Service Definition: Technology Architecture is the structure of the underlying technology infrastructure that supports users, network resources, applications, and data.

Project Quest initiatives require a detailed analysis of the current Technology Architecture to identify areas in need of improvement, areas in which new technologies are required to support eCommerce services, and solutions to address these needs.

The following segments will be addressed:
- Network Services
- Server / Desktop Services
- Transaction Services
- Security

Business Needs for Technology Architecture Improvements
- Client wishes to implement eCommerce services to expand its service offerings to partners and customers via the Internet
- Client plans on investing in data warehousing of customer and deal information
- Customer facing applications on the Internet require high availability architectures to ensure that customers do not leave because a Client site is down
- Client employees require additional remote connectivity options which provide high speed access to network resources

Technology Requirements
- Review network infrastructure to ensure bandwidth across the network will support the additional application traffic requirements
- Analyze current ISP services to ensure availability of Internet service for customers, partners, and Client employees
- Ensure availability, scalability, and reliability of mission critical servers throughout Client
- Review current security standards (network and application) to ensure that Client IT resources are protected
- Identify available remote connectivity options and cost savings opportunities

Model: Technology Architecture Services

Network Services: ISP Connectivity, WAN / LAN, Frame Relay, Global Network Entry Points, Switches / Routers, Global Network Issues, Network Security, Public vs. Private, Directory Services, Network Management, Backbone Services, Network Monitoring, Communication Protocols, Mobile Access, Event Management, Network Topology, Virtual Private Network, Network Performance, Switched Ethernet, Remote Access

Server / Desktop Services: Application Integration, Application / Web Server, Application Hosting, Messaging Architecture, Web HTTP Server, Application Service Provider, Object Request Broker, Web Application Server, Internet Service Provider, Legacy App Integration, XML, Database Server, Database Access, Database Server Sizing, Database Recovery, DB Server Failover, Database Server Availability, Server Requirements, Scalability, Reliability, Availability, Failover, Disaster Recovery, Server Location, Load Balancing, Desktop Requirements, Workflow, Developer Workstations, Standard I-NET Browser, Standard Email Client

Security: Firewall, Authentication, Authorization, Encryption

Transaction Services: Transaction Monitoring, Transaction Verification, Transaction Logging

Network Services

Segment Definitions : Network Services (Definition / Key Characteristics)

Wide Area Networks (WAN) Services
- Connectivity services between locations over wide area

Facility Backbone Services
- Provides interconnectivity between local area networks in a building
- Links LAN and WAN networks
- Provides the access point to enterprise level resources

Local Area Network (LAN) Services
- End device access to the data communication network infrastructure
- Standard workgroup LAN
- High-speed workgroup LAN
- Server farms

Mobile Access Services
- Provide employees with connectivity to internal computing resources from mobile locations
- Communications is typically non-persistent and is inbound only (initiated by remote user)

Service Definitions : Network Services (cont'd) (Definition / Key Characteristics)

Internet and Information Provider Access (ISP)
- Technology to support internally initiated communications to resources on public data networks
- Connectivity to Internet resources from inside the company

Business Partner Communication Services
- Support for communications to corporate information servers initiated by users of public data networks
- Technology to allow connectivity to defined corporate resources from the Internet
- Connectivity to Business Partners: Customers, Vendors, Suppliers, New Acquisitions

Strategy : WAN Services
- WAN services are to be acquired through the Client WAN
  - Routed internetwork
  - Frame relay based
  - Minimum T-1 connection speeds of 128 Kbps FR
  - MCI is the current Frame Relay carrier, but AT&T is to replace MCI in 1Q 2000
- Routers are to provide connectivity to the WAN
  - Cisco is the Core router vendor
  - WAN re-design will ensure Hub and Spoke connectivity is optimized between offices (i.e., connectivity between Houston and Dallas instead of Houston and San Francisco)
- TCP/IP is the Core networking protocol
  - TCP/IP is supported on all servers, workstations, and networked devices
- WAN connectivity for large offices will be provided by ISDN circuits if Frame Relay circuits are down

Standards & Open Issues : WAN Services
- Cisco routers are the standard for WAN connectivity
- Frame Relay is Core for office connectivity
- 128 Kbps Frame Relay is the minimum connection speed for WAN connectivity

Open Issues
- Connectivity from U.S. WAN to European WAN provided only through Troy, MI
- Frame Relay Carriers
  - US - MCI going to AT&T
  - UK - Sprint
- Operational support of WAN
  - US - CSC
  - Service Level Agreement issues on support of network elements
  - UK - Client supports infrastructure
- There are no global network infrastructure support processes
- ISDN circuits between large offices need to be implemented to ensure failover connectivity

Model: Current WAN Infrastructure - Large Offices

Large Offices U.S.: Traffic is sent across the WAN via MCI Frame Relay services (Note: AT&T will replace MCI as carrier 1Q 2000). Chicago and San Francisco are two of the Hubs for smaller offices.

Large Offices Europe: Traffic is sent across the European WAN via Sprint Frame Relay services. Troy, Michigan connects to a segment of the U.K. through 256K Frame Relay services. France is connected via ISDN.

Model: Current WAN Infrastructure - Small Offices

Small Offices are connected to the Client WAN via frame relay connections to a Hub office. The minimum frame relay connection speed is 128 Kbps to a hub office.

Model: WAN Infrastructure Re-design

WAN Re-design: Offices will be connected to the nearest point of entry to the WAN when feasible. Location of data for the office will be a deciding factor for WAN connectivity. Direct connections to Chicago from small offices may be necessary if the small office data is located in Chicago. The strategy is to connect each office in the most logical manner with regard to cost, data, and bandwidth requirements.

Strategy : LAN and Facility Backbone

LAN Services
- All LAN services are to be supported by 10/100 Mbps switched Ethernet technology
  - 10 Mbps is Core for standard workstation
  - 100 Mbps is Special-Use for high speed workgroup
  - 10/100 Mbps Ethernet Network Interface Cards (NICs) are Core for all new workstations
  - 100 Mbps Full Duplex is Core for servers
- TCP/IP is the Core networking protocol
  - TCP/IP is supported on all servers, workstations, and networked devices

Facility Backbone Services
- 100 Mbps Ethernet frame switching is the Core facility backbone technology
- Backbone switches are to be upgradeable to Gigabit Ethernet
- Routers are Core for connectivity between logical network segments and access to WAN
- Access to shared servers and WAN connectivity is to be provided through the site facility backbone

Standards & Open Issues : LAN & Facility Backbone Services
- All LAN cabling and cross-connects are to be Category 5 compliant
- Cisco Catalyst Ethernet frame switches are Core for LAN and facility backbone
- Cisco is the Core vendor for all routers
- 10/100 Mbps Ethernet Network Interface Cards (NICs) are the standard for providing scalability for future multimedia traffic

Open Issues
- Currently, not all LAN cabling is Category 5 compliant
- Backbone connectivity between floors in some offices is in need of improvement

Model : LAN & Facility Backbone Services (Chicago)

* Offices smaller than Chicago will have a subset of the technologies modeled above.

Strategy : Mobile Access Services
- Remote Node access is the current technique for mobile user and telecommuter connectivity via a common NT RAS implementation
- Outsourcing of Dial-in service to IP VAN based VPN is Emerging for mobile users
- ISDN is case by case Special-Use for telecommuters with high speed, full-period requirements
- DSL is an emerging, case by case Special-Use for telecommuters with high speed, full-period requirements
- Mobile Access users will have access to the same network elements as they would if they were physically connected to the network
- Client standard authentication procedure is to be adopted at the point of access

Standards & Open Issues : Mobile Access Services
- Currently, Remote Node access is the Core technique for mobile user and telecommuter connectivity via a common NT RAS implementation
- Mobile Access users will have access to the same network elements as they would if they were physically connected to the network
- Client standard authentication procedure is to be adopted at the point of access

Open Issues
- Need to perform detailed cost-benefit analysis on VAN / VPN access
- Client IT requires documentation of the remote connectivity options, costs associated with each option, and approval requirements for implementation
- Implementation of remote connectivity options can bring with it additional security requirements which will need to be assessed to ensure security of network resources
- In the context of a broader security standard establishment, Client is to evaluate one-time password technology (e.g., SecurID) and X.509 certificate (e.g., Verisign, Entrust) alternatives

Model: Mobile & Telecommuter Access

Strategy: ISP and External Partner Services

Internet Service Provider (ISP) Access
- Redundancy will be addressed to ensure that Internet Services are always available
  - Utilize backup ISP
  - Implement Enterprise Class Cisco Router to connect to multiple ISPs
  - Failover in place so that if the main ISP goes down the backup ISP provides Internet Services

Business Partner and Public Connectivity
- Business Partner Connectivity is to be supported at multiple levels
  - Direct Connection through fixed network connection is Core
  - Access through Internet is Core
  - Virtual Private Network (VPN) is Emerging
- Links to all external IP networks are protected by firewall and DMZ
  - DMZ hosts web servers and business partner application servers

Standards & Open Issues : ISP Services
- Cable and Wireless will be main service provider for Internet Services
- A backup ISP will be implemented to ensure availability of Internet Services
- Cisco Enterprise Class Router will be implemented to connect to the main and backup ISPs
  - Dual power supplies
  - Dual processors
  - Hot swappable

Open Issues
- Identify backup ISP and develop Service Level Agreement
- Acquire and configure Cisco Enterprise Class router to connect to main and backup ISPs

* See next slides for ISP connectivity options which were addressed. Option 1 is described above.

Model: ISP Redundancy & Failover

Current State: Currently, there is no redundancy with Cable & Wireless. If Cable & Wireless, the router connecting to C&W, or the T-1 goes down, ISP service is stopped. This needs to be addressed to ensure availability of ISP service.

Option 1: Implement Cisco Enterprise Class Routers with dual power supplies, dual processors, and hot swappable capabilities to connect to multiple ISPs. If one ISP goes down, traffic can be re-routed to the backup ISP.

Model: ISP Redundancy & Failover

Option 2: Two ISPs will provide service. One Cisco router will be deployed to connect to each ISP. The two routers will then route traffic to a load balancing router, then the firewall, and finally to either the DMZ or Client Domains.

Option 3: This is a manual process which enables Client to re-route Internet traffic in the case that ISP connectivity is lost. Traffic will be re-routed by updating DNS, router tables, and proxy servers. The U.K. ISP will be utilized if the U.S. ISP goes down and vice-versa.

Standards & Open Issues : External Partner Services
- Business Partner Connectivity is to be supported at multiple levels
  - Direct Connection through fixed network connection is Core
  - Access through Internet is Core
  - Virtual Private Network (VPN) is Emerging
- Links to all external IP networks are protected by a firewall and the DMZ
  - DMZ hosts web servers and business partner application servers
- Packet filtering firewalls with inspection are to be used to secure all interfaces from non-Client IP networks

Open Issues
- Putting applications and data that are to be shared with external partners on DMZ application servers opens up a security risk
- To mitigate risks, Client should implement an additional DMZ for business partner application servers
- Virtual Private Networks can be a cost effective method to create Extranets for business partners
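
The open issue above (partner application servers sharing the DMZ with the web servers, and the recommendation to add a second DMZ) can be checked with a small segmentation model. This is an added example, not part of the original presentation: the host names, ports, zone names and rule set are constructed, and the split layout assumes the firewall gets an extra interface for the partner DMZ beyond the three the deck describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    zone: str                 # firewall interface (segment) the host sits on
    ports: Tuple[int, ...]    # TCP ports the host listens on


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: Optional[int]       # None matches any port
    allow: bool


def decide(rules: List[Rule], src_zone: str, dst_zone: str, port: int) -> bool:
    """First matching rule wins; traffic that matches no rule is denied."""
    for r in rules:
        if (r.src_zone, r.dst_zone) == (src_zone, dst_zone) and r.port in (None, port):
            return r.allow
    return False


def exposure(hosts: List[Host], rules: List[Rule], compromised: str) -> Dict[str, list]:
    """Services reachable from one host if that host is taken over.

    'unfiltered' = same segment, so the firewall never sees the traffic.
    'permitted'  = another segment, but a firewall rule allows the flow.
    """
    src = next(h for h in hosts if h.name == compromised)
    out: Dict[str, list] = {"unfiltered": [], "permitted": []}
    for h in hosts:
        if h.name == src.name:
            continue
        for port in h.ports:
            if h.zone == src.zone:
                out["unfiltered"].append((h.name, port))
            elif decide(rules, src.zone, h.zone, port):
                out["permitted"].append((h.name, port))
    return {k: sorted(v) for k, v in out.items()}


# Constructed inventory: backend hosts on the Client private domain.
BACKEND = [Host("workflow", "private", (8080,)), Host("sql", "private", (1433,))]

# Layout 1: partner application server shares the DMZ with the web server.
SHARED_HOSTS = [Host("web1", "dmz", (80, 443)), Host("partner-app", "dmz", (443,))] + BACKEND
SHARED_RULES = [
    Rule("isp", "dmz", 80, True),
    Rule("isp", "dmz", 443, True),
    Rule("dmz", "private", 8080, True),    # DMZ servers hand requests to the workflow engine
]

# Layout 2: partner application server moved to its own DMZ segment.
SPLIT_HOSTS = [Host("web1", "dmz", (80, 443)), Host("partner-app", "partner_dmz", (443,))] + BACKEND
SPLIT_RULES = SHARED_RULES + [
    Rule("isp", "partner_dmz", 443, True),
    Rule("partner_dmz", "private", 8080, True),
    Rule("partner_dmz", "dmz", None, False),   # explicit deny between the two DMZs
    Rule("dmz", "partner_dmz", None, False),
]

if __name__ == "__main__":
    print("shared DMZ:", exposure(SHARED_HOSTS, SHARED_RULES, "partner-app"))
    print("split DMZ: ", exposure(SPLIT_HOSTS, SPLIT_RULES, "partner-app"))
```

In the shared layout the web server's ports are reachable from the partner server without passing the firewall; in the split layout that unfiltered set is empty, while the permitted flow to the backend remains and still has to be restricted by rule.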

Model : External Partner Services

Application Server Services

Strategy : Server Architecture

Web and Application Servers
- Customer and partner facing web servers must provide the highest levels of availability and scalability possible
- Web and application server scalability will be achieved through Windows NT Load Balancing Services
- Availability of web and application servers will be fortified through the implementation of NT clustering services
- RAID 5 Disk Arrays for mission critical servers
- Placement of backup web servers, application servers, and database servers in different cities will assist in disaster avoidance

Database Servers
- Operational data stores will be clustered to provide high levels of availability
- Multiple database servers will be deployed for operational data stores. These database servers will utilize parallel database cluster services and will be replicated with each other to provide seamless access to data across application server clusters.

Standards & Open Issues : Server Architecture
- Windows NT Clustering will be implemented to ensure availability of web server, application server, and database server resources
- Windows NT Load Balancing Service (WLBS) will be implemented on web and application servers to assure high availability and quick response
- Availability Requirements:
  - Mission Critical - 99.9%
  - High Availability - 99.7%
  - Standard Availability - 99%
- Web and Application Servers in the DMZ will be firewall protected by Firewall-1 servers
- The firewalls are responsible for routing web requests throughout the network

Issues
- Website usage will need to be monitored to ensure that Windows NT Load Balancing Service (WLBS) performs to Client expectations
- Other Load Balancing vendor solutions should be considered once Client experiences greater traffic from the web (i.e., Cisco and F5 load balancing solutions)
- Workflow engine will be responsible for routing requests from the web to backend data sources and servers. It will be mission critical that the workflow engine stay running 99.9% of the time.
- High availability requirements have impacts on service contracts with CSC, who provide network management services to Client

Model: Application and Database Server Architecture

Models : High Availability Server Architectures Windows NT Clustering DISA Architecture Utilizing Load Balancing

Security Services

Model : Security Framework

Strategy : Authentication and Authorization
- Username and password authentication, at the application level, will be required for access to private network resources
  - Username / password is Core
  - Verisign Digital Certificates is Emerging
- Direct database access will not be given to unauthenticated users
- MS SQL Server database will handle authentication and authorization of users directly accessing data sources
- Access to network resources on the Client domain will be provided through Windows NT security

Authorization
- Firewalls will be implemented between the ISP, the DMZ, and the Client Domains in order to protect network resources
  - Checkpoint Software Firewall-1 is the Core firewall software vendor
  - Redundancy checking by StoneBeat software
  - Firewall is responsible for routing of network traffic to the Client private domain and DMZ domains
  - Each firewall will have 3 NIC cards: one for the ISP, one for the DMZ, and one for the Client Private Domain
- The security model implemented at the SQL Server level will allow record level access to information

Standards & Open Issues : Authentication and Authorization
- MS SQL Server Security is Core database authorization security
- Windows NT Domain security is Core for security of Client domain resources
- Checkpoint Software Firewall-1 is the Core firewall software vendor
- Redundancy checking by StoneBeat software
- Each firewall will have 3 NIC cards: one for the ISP, one for the DMZ, and one for the Client Private Domain

Open Issues
- Global standards for authentication and authorization need to be documented in order to ensure security of network resources
- Need to identify monitoring and logging products for traffic isolation, automated response, and logging

Model : Authentication and Authorization

Models : Authentication and Authorization Two Factor Digital Certificate Authentication Application Level Authentication

Transaction Services

Model: Transaction Processing Manager

Model: Message Oriented Middleware

Model: Object Oriented Middleware

Appendix A - Service Definitions

Model: Network Services

ISP Connectivity, WAN / LAN, Frame Relay, Global Network Entry Points, Switches / Routers, Global Network Issues, Network Security, Public vs. Private, Directory Services, Network Management, Backbone Services, Network Monitoring, Communication Protocols, Mobile Access, Event Management, Network Topology, Virtual Private Network, Network Performance, Switched Ethernet, Remote Access

Service Definitions - Network Services

ISP Connectivity: Provide redundant connectivity to and from the Internet Service Provider. Ensure high availability of Internet services from the ISP through failover services.

Frame Relay: Frame relay is a communication method that allows high speed traffic to travel across a fiber-optic cable. Large offices connect their networks using this method.

Global Network Entry Points: These are points on the Client network at which a customer, business partner, or ISP has access to Client network resources.

Switches / Routers: Switches and routers are responsible for routing network traffic across multiple locations.

Global Network Issues: Identify issues with global network connectivity and address what changes are needed in order to support offices around the world.

Service Definitions - Network Services

Network Security: The security measures that are in place to ensure security of network resources. An example of this is firewall protection.

Public vs. Private: Public network is the network resources that are customer and partner facing. Private network is the network resources that Client employees and a few business partners have access to.

Directory Services: This is a set of services that allow you to keep information about a user stored on a server for use in applications.

Virtual Private Networks: An ISP hosted private network which allows mobile users and business partners to connect to your network.

Remote Access: Mobile users and telecommuters need to have access to network resources. This is the group of options that allow users to connect remotely to the Client network.

Communications Protocols: The underlying protocols that allow network resources and applications to communicate across a network.

Service Definitions - Network Services

Network Topology: Model of the current WAN and LAN infrastructure. These models depict where servers are located and what communication methods exist between servers and desktops on the network.

Switched Ethernet: Switched Ethernet is the communication method utilized by Client to connect users and workgroups to the Local Area Network or LAN.

Network Monitoring: The tools and processes in place to ensure availability of network resources and the bandwidth of the network across the Client Domain.

Element Management: The tools and processes in place to ensure availability and performance of network elements such as routers that are responsible for the transfer of traffic across the network.

Network Performance: The tools and reporting methods available from the network management contractors (CSC) which allow Client to report on network performance and bandwidth issues.

Model: Server / Desktop Services

Application Integration, Application / Web Server, Application Hosting, Messaging Architecture, Web HTTP Server, Application Service Provider, Object Request Broker, Web Application Server, Internet Service Provider, Legacy App Integration, XML, Database Server, Database Access, Database Server Sizing, Database Recovery, DB Server Failover, Database Server Availability, Server Requirements, Scalability, Reliability, Availability, Failover, Disaster Recovery, Server Location, Load Balancing, Desktop Requirements, Workflow, Developer Workstations, Standard I-NET Browser, Standard Email Client

Service Definitions - Server / Desktop Services

Web / HTTP Server: Ensure that web servers are scalable, reliable, and available to the standards necessary to deploy Project Quest initiatives.

Web Application Server: Web application servers are responsible for running application logic of web based applications. Our team will ensure availability and scalability of these servers to ensure proper availability and performance of web based applications.

Application Integration: The integration tools currently available to integrate the new eC applications with existing legacy applications (i.e., Messaging architecture, CORBA, XML, etc.)

Application Service Provider: Determine whether the new eC applications should be supported by Client IT or if there is a business case to use an Application Service Provider to support the applications.

Database Server Sizing: Ensure that database servers can handle future data requirements, specifically of a data warehouse application.

Database Server Recovery: Look into what requirements there are for backup and recovery of data such as Enterprise Storage solutions (i.e., EMC).

Service Definitions - Server / Desktop Services

Database Server Failover: Ensure that the database servers have failover capabilities in place so that enterprise data is always available.

Database Server Availability: Evaluate current server architecture and identify gaps in need of improvement. The goal is to provide a scalable, reliable, and fully available database server architecture.

Scalability, Reliability, and Availability: Evaluate current Web HTTP and Application server architecture and identify gaps in need of improvement. The goal is to provide a scalable, reliable, and fully available technology architecture.

Disaster Recovery: Analyze future state requirements for disaster recovery. What tools and methods can be put in place in order to ensure that data is protected from disaster?

Server Location: Evaluate what methods can be put in place to place web, database, and application servers across the WAN in order to avoid outages in one location affecting customer and partner facing applications.

Load Balancing: The tools and services available for balancing the traffic being sent between servers in a server architecture. For example, routing web traffic between web servers in order to gain optimal performance.

Service Definitions - Server / Desktop Services

Workflow: Providing necessary client software on the Desktop in order to implement a workflow routing system.

Standard Internet Browser: Ensure that all workstations are deployed with a standard internet browser.

Application Developer Workstations: Provide Application Developers the workstation software and hardware needed to effectively develop applications. For example, Win NT deployment for object development.

Standard Email Client: Ensure deployment of standard email clients on all desktops. This is an effect of workflow and messaging.

Model: Security and Transaction Services

Firewall, Authentication, Authorization, Encryption

Transaction Services: Transaction Monitoring, Transaction Verification, Transaction Logging

Service Definitions - Security Services

Firewall: Firewalls are responsible for security of Client private network resources and routing internet requests to the appropriate domain. Current Firewall security services will be assessed to ensure security of core systems after implementation of eC services.

Authentication: This is the process of validating users of infrastructure resources, whether they are web based or whether they are dialing in via RAS connectivity.

Authorization: After authentication happens, you can authorize users of your applications to use network resources. Levels of authorization need to be set so that web users have one set of rights, business partners another, and employees have full access.

Encryption: This is the securing of information traveling across the internet. All private information provided to Client by public users should be encrypted to secure the information.

Service Definitions - Transaction Services

Transaction Monitoring: Monitoring of transactions across the network to ensure transaction throughput. Transaction monitors allow you to identify gaps in the network which may be causing poor performance of applications.

Transaction Verification: This is a utility which can be part of multiple products. The purpose of it is to ensure that a transaction from any application can be queued if a network resource is down and complete once the resource can be brought back up.

Transaction Logging: The purpose of this utility is to create a log of transactions in order to report any transactions which did not complete, those that completed with errors, and those transactions which completed without error.