Lecture 16:
Architectural Considerations
Prof. Shervin Shirmohammadi
SITE, University of Ottawa
Prof. Shervin Shirmohammadi
CEG 4185
16-1
Network Architecture
• Architecture:
– high-level, end-to-end structure for the network.
– Relationships between the major architectural components of the network:
  • Addressing and routing
  • Network management
  • Performance
  • Security
– It is key in integrating requirements and flows into the structure of the network.
• You can think of it as the blueprint that encompasses all the important components of the network, from a high-level perspective.
Network Architecture vs. Design
• Architecture describes relationships, which are generally location
independent.
• Design specifies technologies, protocols, and network devices.
– Locations play an important role in network design
• Even the most experienced network designer must first conceptualize
a big picture of the network before developing a more detailed
design of the components.
                  Architecture     Design
Scope             Broad            Focused
Level of Detail   Generalized      In Depth
Description       Relationships    Technologies
Location          Independent      Dependent
Component Architecture
Function               Capability                                        Mechanism
Addressing / Routing   Provides robust and flexible connectivity         Addressing, Routing
                       between devices
Network Management     Provides monitoring, configuring, and             NMS, NM protocols
                       troubleshooting
Performance            Provides resources to support capacity, delay,    QoS, SLA, Policies
                       and RMA
Security               Restricts unauthorized access, usage, and         Firewalls, Security policies, filters,
                       visibility within the network.                    Access Control List (ACL).
Reference Architecture Goal
• Our objective is to get to a reference architecture that is
influenced by our requirements, flows, and goals, as well
as the component architectures.
[Figure: Requirements, Flows, and Goals feed the Security, Net Mgmt, Performance, Routing and Other component architectures, which together form the Reference Architecture.]
Balancing the Reference Architecture
• Depending on the requirements, traffic flows, and goals, the reference architecture is either balanced or favoured toward particular functions.
• This is an informed decision that is important in the documented
part of the network architecture.
• Example:
– Consider a network where low delay and jitter performance are a
requirement. Routing, Security and N.M. affect these values, so some of
them must be sacrificed to meet performance.
– In this approach each function is developed as its own composite
architecture and delay and jitter can be optimized in the performance
component architecture and can be prioritized over the other architectures.
Optimizing the Reference Architecture
• Numerous trade-offs occur between addressing/routing, N.M.,
performance, security.
• High security => low performance
– Security may have to take a low profile in parts of the network.
• N.M. => low security
– When management is a high priority, a separate security component architecture for N.M. may be required.
• High Resolution N.M. => low Performance
– Out-of-band N.M. is one solution.
– What about security?
• Simplicity in addressing/routing => low performance
– Several performance protocols like DiffServ and RSVP are tightly
coupled to the addressing scheme.
Architectural Models
• Three types of architectural models make a good starting point:
– Topological maps
  • Concentrate mostly on geographical or topological arrangement.
    – LAN/MAN/WAN
    – Access/Distribution/Core
– Flow-based maps
  • Take advantage of flow information
    – Peer-to-peer
    – Client-server
    – Hierarchical client-server
    – Distributed computing
– Functional models
  • Focus on one or more functions or features of the network.
    – Service-provider
    – Intranet/extranet
    – Single-/multi-tier
    – End-to-end
Network Regions
• Characterizing regions by traffic flows allows each
region to be applied in a similar fashion to all
functions.
• Common regions
– Access (edge)
• Most traffic is generated and terminated here.
• Access control & traffic shaping
– Distribution
• Traffic flows are aggregated and terminated for common services,
applications & storage servers
– Core (backbone)
• Transits for aggregates of traffic flows
• Differentiated services
– External Interfaces, and DMZ (demilitarized zone)
• Aggregation points for traffic flows external to the network.
Topological Models
• There are 2 popular topological maps:
– LAN/MAN/WAN model
– Access/distribution/core model
• LAN / MAN / WAN concentrates on the boundaries between the WAN / MAN / LAN.
• Access/distribution/core focuses on function rather than location, i.e. on the behaviour of these interface points.
• Access is closer to the user; this is where most traffic flows are sourced and/or sunk.
• Distribution is where flows are consolidated.
• Core is used for bulk transport.
[Figure: the two models side by side. The WAN corresponds to the Core, each MAN to a Distribution region, and each LAN to an Access region.]
Flow-based Models
• These are based on the flow models that were developed during analysis.
• As before, there are 4 flow models:
– Peer-to-peer
  • No obvious location for peers
  • Closer to the core model
– Client-server
  • Functions, features, and services are focused on the servers; therefore architectural features are at these interfaces
– Hierarchical client-server
  • Similar to client-server
– Distributed computing
  • Data sources and sinks are obvious locations for architectural features.
Functional Models
• Focus on particular functions in the network.
– Service-provider
  • Focuses on privacy and security, service delivery, and billing.
– Intranet/extranet
  • Typical enterprise model focusing on security and privacy.
– Single-tier/multi-tier
  • Identifies parts of the network as having single-tier or multi-tier performance
– End-to-end models
  • Are the most difficult to apply because one has to understand where each function will be located.
  • These models will generally be fairly closely related to the requirements.
Using the Architectural Models
• It is generally easier to start from the topological model because it can easily cover the larger scope of the network.
• On the other hand, functional and flow-based models are better for focusing on a particular area of the network.
Combining Models (1/2)
[Figure: where client-server or hierarchical client-server models may overlap with the access/distribution/core model.]
Combining Models (2/2)
[Figure: the Core / Distribution / Access layers overlaid with the Client-Server, Distributed Computing, Service-Provider, Intranet/Extranet, End-to-end and Hierarchical Client-Server models.]
Example
• Recall from lecture 8
[Figure: the campus network from lecture 8: Central Campus LAN, North Campus LAN and South Campus LAN with Servers (2), Servers (4) and Storage Servers (2); flows F4, F5, F6, F7 and the P1 profile are marked with their numeric labels.]
Topological Model
• Access/Distribution/Core areas
[Figure: the same campus network with the Central Campus LAN and its servers marked as Core, and the North and South Campus LANs marked as Access.]
Flow-Based Model
• Distributed Computing Model
[Figure: the same campus network with the Central, North and South Campus LANs each marked as Distributed Computing regions; flows F4, F5, F6, F7 and the P1 profile as before.]
Architectural Considerations: Security
• Evaluate potential security mechanisms
• Consider where they apply within the network
• Determine external and internal relationships.
• Start simple and work toward more complex solutions:
– The access / distribution / core architectural model we discussed before can be used as a starting point to apply security points.
– Security can be added at different points in the architecture.
– Security is increased from access to distribution to core areas.
• External Relationships:
– Security & Addressing
  • NAT is an addressing scheme that helps security. Dynamic addressing interferes with address-specific filtering.
– Security & Network Management
  • Security depends on Network Management
– Security & Performance
  • These 2 are nearly always at odds. Security zones will affect the performance of that zone.
Access / Dist / Core & Security
[Figure: the access/distribution/core model with security points. Users A, B and C connect to Access regions; Distribution regions carry Packet Filters; Level 1, Level 2 and Level 3 Firewalls guard successive regions up to the Core. Mechanisms shown: Encryption, Intrusion Detection, Firewalls.]
Security Zones
[Figure: Security Zones. User Devices and Access regions sit in Security Level 1 (Lowest), Distribution regions in Security Level 2 (Medium), and the Core in Security Level 3 (Highest).]
Developing Security Zones
• More realistically you will need to define security level
zones for user devices, services and the network.
[Figure: Security Level 1: General (Networks A through G); Security Level 2: External (External Network / Internet); Security Level 3: Group D; Security Level 4: Groups A and B; Security Level 5: Servers.]
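The zone slides state a rule that is easy to check mechanically once the flows from the flow analysis and the zone assignments are written down: a flow that enters a zone of higher security level must pass through a security point at that zone's boundary. The following is an added example, not code from the lecture; the zone names, the levels (taken from the figure above), the placement of entry controls and the sample flows are all constructed for illustration.

```python
from dataclasses import dataclass

# Security levels as on the "Developing Security Zones" slide (1 = lowest).
# Zone names are constructed; the levels follow the figure.
ZONE_LEVEL = {
    "general": 1,     # Security Level 1: General
    "external": 2,    # Security Level 2: External network / Internet
    "group_d": 3,     # Security Level 3: Group D
    "groups_ab": 4,   # Security Level 4: Groups A and B
    "servers": 5,     # Security Level 5: Servers
}

# Security points guarding entry into each zone.  This placement is a
# constructed sample, not the lecture's; it is what the check validates.
ENTRY_CONTROLS = {
    "general": set(),
    "external": set(),
    "group_d": {"packet filter"},
    "groups_ab": {"firewall"},
    "servers": {"firewall", "intrusion detection"},
}


@dataclass(frozen=True)
class Flow:
    """One traffic flow from the flow analysis, by source and destination zone."""
    name: str
    src_zone: str
    dst_zone: str


def check_flow(flow):
    """Return None if the flow is acceptable, else a finding tuple.

    Findings: ("unknown zone", zone, None) when a zone is not in the model,
              ("missing firewall", dst_zone, dst_level) when the flow enters
              a higher-level zone whose entry controls include no firewall.
    """
    for zone in (flow.src_zone, flow.dst_zone):
        if zone not in ZONE_LEVEL:
            return ("unknown zone", zone, None)
    src_level = ZONE_LEVEL[flow.src_zone]
    dst_level = ZONE_LEVEL[flow.dst_zone]
    if dst_level <= src_level:
        # Same or lower security level: no boundary is crossed upward.
        return None
    if "firewall" not in ENTRY_CONTROLS[flow.dst_zone]:
        return ("missing firewall", flow.dst_zone, dst_level)
    return None


def check_flows(flows):
    """Map flow name -> finding for every flow that violates the zone rule."""
    findings = {}
    for flow in flows:
        result = check_flow(flow)
        if result is not None:
            findings[flow.name] = result
    return findings


# Constructed sample flows (not the lecture's F4-F7).
SAMPLE_FLOWS = [
    Flow("F1", "general", "servers"),      # 1 -> 5, servers zone has a firewall: ok
    Flow("F2", "external", "group_d"),     # 2 -> 3, only a packet filter: finding
    Flow("F3", "servers", "general"),      # 5 -> 1, downward: ok
    Flow("F4", "groups_ab", "groups_ab"),  # same zone: ok
    Flow("F5", "wifi", "servers"),         # zone missing from the model: finding
]

if __name__ == "__main__":
    for name, finding in check_flows(SAMPLE_FLOWS).items():
        print(name, finding)
```

Running the block reports F2 (enters a level 3 zone guarded only by a packet filter) and F5 (a zone that was never assigned a level, which is the more common real-world gap). Extending the rule, for example requiring intrusion detection on entry into the servers zone, is a one-line change to `check_flow`.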
Architectural Considerations: Performance
• Start simple
– BestEffort -> DiffServ -> IntServ
• From the flow analysis maps you know where performance requirements need to be applied in the network.
• Recall that the access/distribution/core architectural model separates the network based on function.
– Core -> bulk traffic -> aggregated
– Distribution -> flows to and from servers and aggregate traffic.
– Access -> most traffic is sourced and sunk here.
• Performance mechanisms that operate on individual flows (admission control, resource allocation, IntServ, ATM QoS) should be considered for access.
• Performance mechanisms that operate on aggregated flows (DiffServ, WFQ, RED/WRED, and MPLS all fit in here) should be considered for core and distribution.
• External Relationships:
– Performance and Addressing
  • Performance is closely coupled with routing through mechanisms like DiffServ & IntServ, and RSVP. These are not simple protocols.
– Performance and NM
  • Performance relies on NM to configure, monitor, manage, verify, and bill.
– Performance and Security
  • Security mechanisms will negatively affect performance, especially those security mechanisms that are intrusive.
  • If security mechanisms interrupt, terminate, or regenerate a traffic flow they seriously affect the ability to provide end-to-end QoS.
Architectural Considerations: NM
• Centralized/distributed monitoring
– Centralized: all monitoring data are sent from one monitoring node using either in-band or out-of-band monitoring
– Distributed: local monitoring nodes
  • Less NM traffic
• In-band/out-of-band
• For a LAN start with one monitoring device per IP subnet. Estimate:
– Number of user and network devices to be polled
– Average number of interfaces / device, and the number of parameters to be collected
– Frequency of polling
– This combined rate should not be more than 10% of the capacity of the line. For Ethernet keep this at 5%.
• For a WAN start with a monitoring device per WAN/LAN interface.
• Local storage vs. archival
– Data usually kept locally, cached for easy retrieval (within hours). If not used this quickly then archive it.
• Selective copying of data
– Consider saving only every N iteration of data. N can range from 100 to 10000.
• Data Migration
– Usually occurs at night time from local to archive
• Metadata
– Additional information about the data is very useful: data types, time stamps, etc.
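The polling estimate above is a small calculation worth carrying through, because it is what decides whether in-band monitoring is acceptable on a given subnet. The following is an added example, not code from the lecture: it multiplies the lecture's three inputs (devices polled, interfaces and parameters per device, polling frequency) into a bit rate and compares it with the 10% budget (5% on Ethernet). The bytes-per-parameter cost of a poll and the sample numbers are assumptions for illustration; measure the real per-poll size of the NM protocol in use.

```python
def polling_load_bps(devices, interfaces_per_device, params_per_interface,
                     poll_interval_s, bytes_per_param=100):
    """Average bits per second generated by polling one subnet.

    Each polled parameter is assumed to cost `bytes_per_param` bytes on the
    wire (request plus response).  The default of 100 bytes is a constructed
    figure, not a value from the lecture.
    """
    if poll_interval_s <= 0:
        raise ValueError("poll interval must be positive")
    params_per_poll = devices * interfaces_per_device * params_per_interface
    bytes_per_poll = params_per_poll * bytes_per_param
    return bytes_per_poll * 8 / poll_interval_s


def nm_budget_bps(line_capacity_bps, ethernet):
    """Share of line capacity the lecture allows for NM traffic: 5% on Ethernet, else 10%."""
    return line_capacity_bps * (0.05 if ethernet else 0.10)


def check_polling(devices, interfaces_per_device, params_per_interface,
                  poll_interval_s, line_capacity_bps, ethernet=True,
                  bytes_per_param=100):
    """Compare the polling load with the budget and report the slowest
    polling interval that would still fit if the load is too high."""
    load = polling_load_bps(devices, interfaces_per_device, params_per_interface,
                            poll_interval_s, bytes_per_param)
    budget = nm_budget_bps(line_capacity_bps, ethernet)
    bits_per_poll = devices * interfaces_per_device * params_per_interface * bytes_per_param * 8
    return {
        "load_bps": load,
        "budget_bps": budget,
        "within_budget": load <= budget,
        # Shortest interval at which the same poll fits the budget.
        "min_interval_s": bits_per_poll / budget,
    }


if __name__ == "__main__":
    # Constructed example: 200 devices x 4 interfaces x 10 parameters,
    # polled every 60 s on a 10 Mbit/s Ethernet subnet.
    print(check_polling(200, 4, 10, 60, 10_000_000))
    # Same subnet polled every 5 s exceeds the 5% Ethernet budget.
    print(check_polling(200, 4, 10, 5, 10_000_000))
```

With the constructed numbers, a 60 s interval loads the subnet at roughly 107 kbit/s against a 500 kbit/s budget, and the shortest compliant interval is 12.8 s; polling every 5 s would need out-of-band monitoring or a distributed local node instead.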
Trade-offs
• Internal:
– In-band management cheaper than out-of-band but affects the traffic flow
performance.
– Out-of-band is more reliable and allows access to remote devices.
– Out-of-band can be more secure.
– Centralized manager is simpler but is a single point of failure.
• External:
– Network Management and Addressing
• Management domain needs to be considered in the network architecture design.
– Network Management and Performance
• This was discussed before: how network management data affects traffic flow and capacity.
– Network Management and Security
• Network management relies on a particular level of security to get access to the
managed objects.