
Back-end is key to successful e-business

Johannesburg, 02 Sep 2003

Successful e-business strategies depend on highly available back-end systems that support popular operating systems and applications that are standards-based and incorporate best practices, thereby easing integration issues, both technological and operational. That is the word from Grenville Payne, Practice Manager, GIS Practice at Unisys Africa.

Systems infrastructures that drive e-business combine a number of technology solutions into a complex environment necessary to provide a secure, highly available, highly resilient and 24x7 service. Technologies include wide area networking, global server load-balancing, data caching, firewalls, intrusion detection systems, reverse proxy servers, server load-balancing, de-militarised zones, SSL accelerators, Web server farms and the management processes and procedures that are necessary for any systems solution.

These technologies improve at a rapid rate, and one of the issues facing a business implementing an e-business infrastructure, or even a business with an existing infrastructure, is keeping abreast of that change.

Ensuring that the systems that underpin e-business are available, no matter the threat, means being aware of, and implementing certain technologies and configurations depending on the environment.

Global server load-balancing balances client sessions across two or more physically distributed sites for resilience and disaster recovery. Due to the always-on nature of the Internet, providers are increasingly operating two or more sites in an active-active configuration.

Security is one of the primary concerns for e-business users; without it their businesses are at risk. Firewalls impose an access policy between two separate networks, such as the Internet and an organisation's internal network. They inspect every packet to determine whether it should be allowed to pass between the networks or be dropped. The information used to make that decision is stored in the firewall rule-base.

The rule-base itself should be kept small; in general it should be limited to no more than 15 to 20 rules. There are two reasons for this. The first is performance: the firewall evaluates the rules top-down for every packet, so the larger the rule-base, the more processing is required and the more of a bottleneck the firewall becomes. The second, and the bigger risk to the business, is correctness: the larger the rule-base, the greater the chance of conflicts between rules (for example a broad permit placed above a specific deny, which first-match evaluation then never reaches) that inadvertently let attackers into the internal network.
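The conflict the paragraph warns about is mechanical enough to check for. The following is an added example, not code from the article or from Unisys: it models a first-match-wins rule-base in a hypothetical five-tuple format (name, action, source CIDR, destination CIDR, protocol, destination port), reports rules that an earlier rule fully shadows, and singles out the shadowed pairs whose actions differ, which are exactly the "deny" rules that a broad "allow" above them has silently killed. The sample rule-base and its addresses are constructed for the demonstration.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    """One first-match-wins firewall rule (hypothetical five-tuple format)."""
    name: str
    action: str   # "allow" or "deny"
    src: str      # source CIDR; "0.0.0.0/0" means any
    dst: str      # destination CIDR
    proto: str    # "tcp", "udp" or "any"
    dport: str    # destination port number as a string, or "any"


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    if not ip_network(inner.src).subnet_of(ip_network(outer.src)):
        return False
    if not ip_network(inner.dst).subnet_of(ip_network(outer.dst)):
        return False
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if outer.dport != "any" and outer.dport != inner.dport:
        return False
    return True


def find_shadowed(rules: list[Rule]) -> list[tuple[str, str]]:
    """(shadowed, shadowing) pairs. The firewall stops at the first matching
    rule, so a rule fully covered by an earlier one can never fire."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                shadowed.append((later.name, earlier.name))
                break
    return shadowed


def find_conflicts(rules: list[Rule]) -> list[tuple[str, str]]:
    """Shadowed pairs whose actions differ: a specific deny written below a
    broad allow is dead, and the policy its author intended is lost."""
    by_name = {r.name: r for r in rules}
    return [(s, e) for s, e in find_shadowed(rules)
            if by_name[s].action != by_name[e].action]


def audit(rules: list[Rule], max_rules: int = 20) -> dict:
    """Summary that a change-control step could gate a rule-base push on."""
    return {
        "rule_count": len(rules),
        "over_size_limit": len(rules) > max_rules,
        "shadowed": find_shadowed(rules),
        "conflicts": find_conflicts(rules),
    }


# Constructed sample rule-base using documentation address ranges.
RULEBASE = [
    Rule("r1", "allow", "0.0.0.0/0",    "192.0.2.10/32", "tcp", "443"),   # Internet -> DMZ reverse proxy, HTTPS
    Rule("r2", "allow", "0.0.0.0/0",    "192.0.2.10/32", "tcp", "80"),    # Internet -> DMZ reverse proxy, HTTP
    Rule("r3", "allow", "192.0.2.0/24", "10.0.0.0/8",    "tcp", "any"),   # DMZ -> internal, any TCP port (too broad)
    Rule("r4", "deny",  "192.0.2.0/24", "10.0.5.20/32",  "tcp", "3389"),  # intended: DMZ must never reach RDP on an admin host
    Rule("r5", "allow", "0.0.0.0/0",    "192.0.2.10/32", "tcp", "443"),   # accidental duplicate of r1
    Rule("r6", "deny",  "0.0.0.0/0",    "0.0.0.0/0",     "any", "any"),   # clean-up rule
]

if __name__ == "__main__":
    for key, value in audit(RULEBASE).items():
        print(f"{key}: {value}")
```

In the sample, r4 is reported as a conflict: r3 already permits all TCP from the DMZ into the whole internal range, so the RDP deny below it is never consulted. r5 is merely redundant, but redundancy is how a rule-base grows past the limit the article recommends.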

Much of a firewall rule-base can be expressed as access lists on a packet-filtering router. The practical difference is that the firewall keeps a log of what it permits and denies. This log is critical, because a firewall is only as effective as the process for monitoring and acting on the events in it. If nobody reviews the log regularly, the effectiveness of the firewall is severely diminished.
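Monitoring the log means more than keeping it. As an added example (not code from the article or from any firewall vendor), the following parses deny records in a hypothetical, constructed log format and raises an alert when one source address is refused connections to many distinct ports within a short window, the pattern a port scan leaves behind. The sample records are constructed for the demonstration; a real firewall's log format differs and the regular expression would be adapted to it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log line format for this example; real firewalls each have their own.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one host probing six ports in ten seconds, one host that
# simply retried SSH twice, one permitted connection and one corrupt line.
SAMPLE_LOG = """\
Sep 02 2003 10:15:01 fw1 DENY tcp 203.0.113.5:40001 -> 192.0.2.10:21
Sep 02 2003 10:15:02 fw1 DENY tcp 203.0.113.5:40002 -> 192.0.2.10:22
Sep 02 2003 10:15:03 fw1 ALLOW tcp 198.51.100.9:51000 -> 192.0.2.10:443
Sep 02 2003 10:15:04 fw1 DENY tcp 203.0.113.5:40003 -> 192.0.2.10:23
Sep 02 2003 10:15:05 fw1 DENY tcp 198.51.100.7:33000 -> 192.0.2.10:22
Sep 02 2003 10:15:06 fw1 DENY tcp 203.0.113.5:40004 -> 192.0.2.10:25
this line is not a firewall record
Sep 02 2003 10:15:08 fw1 DENY tcp 203.0.113.5:40005 -> 192.0.2.10:80
Sep 02 2003 10:15:09 fw1 DENY tcp 198.51.100.7:33001 -> 192.0.2.10:22
Sep 02 2003 10:15:11 fw1 DENY tcp 203.0.113.5:40006 -> 192.0.2.10:3389
"""


def parse_line(line):
    """Return a dict for a well-formed record, or None for a line that does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %Y %H:%M:%S")
    rec["dport"] = int(rec["dport"])
    return rec


def denies_per_source(lines):
    """How often each source address was refused; a quick daily review figure."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["action"] == "DENY":
            counts[rec["src"]] += 1
    return dict(counts)


def detect_scans(lines, window=timedelta(seconds=60), min_ports=5):
    """Flag any source denied to at least `min_ports` distinct destination ports
    inside `window`. Returns (src, distinct_ports, window_start) tuples."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["action"] == "DENY":
            events[rec["src"]].append((rec["ts"], rec["dport"]))
    alerts = []
    for src, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            ports = {port for ts, port in evs[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                alerts.append((src, len(ports), start))
                break  # one alert per source is enough for whoever is on call
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(denies_per_source(lines))
    for src, n_ports, start in detect_scans(lines):
        print(f"possible scan from {src}: {n_ports} ports from {start}")
```

The retrying SSH client is counted but not alerted on, because it touched only one port; the threshold and window are the tuning knobs, and the unparseable line is skipped rather than allowed to stop the review.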

The intrusion detection system (IDS) works in partnership with the firewall.

Probes (sensors) are placed at various points: in the de-militarised zone (DMZ), behind firewalls, at proxy servers and on the internal network itself. The IDS monitors traffic on the network and looks for specific profiles (signatures) that indicate malicious activity is likely, and can alert on and/or automatically respond to such an event.

An IDS can interact with the firewall to close a specific session or port and so limit the effect of malicious activity. Such automatic responses act on the source address the IDS observed, so they need care: an attacker who can spoof addresses can provoke blocks against legitimate sources. An IDS ships with standard profiles configured, but its real power is only realised by fine-tuning those profiles with information about your particular environment and about the types of attacker deemed the greatest threat to the service or network.

Redundancy within an e-business systems infrastructure is necessary in order to provide the levels of availability required for a 24x7 service.

Redundancy of the firewall can be addressed in several ways: an active-standby configuration, products that support the Virtual Router Redundancy Protocol (VRRP), or load-balancing technology in front of a firewall pair.

As the functionality and demand for your Internet service grows, there is a greater demand on the infrastructure components. To minimise this demand, and to reduce the impact on performance of bottlenecks such as firewalls and reverse proxy servers, it is usual to deploy cache servers. Cache servers serve static content that can make up over 80% of the content served from a typical e-commerce site.

Cache servers can be deployed in two locations within the infrastructure: in the DMZ, and in front of the firewall, usually behind a load-balancing switch. The switch inspects what content the client is requesting from the Web servers and, if it recognises the request as static content (for example GIF or JPEG images), redirects it to a cache server rather than sending it through the firewall to the reverse proxy and Web servers. This can dramatically improve the performance of the service.

Reverse proxy servers are effectively application-layer firewalls. A packet-filtering firewall allows network traffic through based on the source and destination IP address and the port. A reverse proxy allows communication between the client and the Web service based on the URL the client is requesting. Furthermore, the client is never allowed to talk to the Web server directly: the reverse proxy retrieves the pages requested and returns them to the client on behalf of the Web server.

There is no direct client to Web server session or communication.
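The two decisions described above, the switch diverting static content to a cache and the reverse proxy admitting only known URLs, both turn on the request path, and both are only as safe as the path canonicalisation that precedes them. The following is an added example, not code from the article or from any proxy product: it decodes the request-target exactly once, refuses anything still encoded, containing control characters or carrying a ".." segment, and then routes the request to the cache, to the application via the proxy, or to a refusal. The allowed URL map, the static extension list and the sample requests are hypothetical and constructed for the demonstration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Hypothetical policy for the demonstration site; a real deployment derives
# these from the application's actual URL map.
STATIC_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png", ".css", ".js"}
ALLOWED_EXACT = {"/", "/checkout"}
ALLOWED_PREFIXES = ("/catalogue/", "/cart/")
PERMITTED_METHODS = {"GET", "HEAD", "POST"}


def normalise(target):
    """Canonicalise the request-target path, or return None if it must be refused.
    Percent-decoding happens exactly once, before any policy check, so '%2e%2e'
    is seen as '..'; anything still encoded afterwards is refused rather than
    handed to a web server that might decode it a second time."""
    path = unquote(urlsplit(target).path)
    if not path.startswith("/") or "\\" in path or "%" in path:
        return None
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in path):
        return None
    if ".." in path.split("/"):
        return None
    norm = posixpath.normpath(path)          # collapses '//' and '/./'
    if path.endswith("/") and norm != "/":
        norm += "/"                          # keep a meaningful trailing slash
    return norm


def is_allowed_url(path):
    return path in ALLOWED_EXACT or path.startswith(ALLOWED_PREFIXES)


def classify(request_line):
    """Route one request: returns ('cache' | 'app' | 'deny', canonical path, reason)."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return ("deny", None, "malformed request line")
    method, target, _version = parts
    if method not in PERMITTED_METHODS:
        return ("deny", None, f"method {method} not permitted")
    path = normalise(target)
    if path is None:
        return ("deny", None, "path failed normalisation")
    if posixpath.splitext(path)[1].lower() in STATIC_EXTENSIONS:
        return ("cache", path, "static content served from cache")
    if is_allowed_url(path):
        return ("app", path, "forwarded to web server by reverse proxy")
    return ("deny", path, "URL not in reverse-proxy policy")


def static_share(request_lines):
    """Fraction of requests the cache absorbs, i.e. that never reach the firewall or proxy."""
    decisions = [classify(line)[0] for line in request_lines]
    return sum(d == "cache" for d in decisions) / len(decisions)


# Constructed sample request lines.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1",
    "GET /images/logo.gif HTTP/1.1",
    "GET /static/site.css HTTP/1.1",
    "GET /catalogue/item?id=42 HTTP/1.1",
    "POST /cart/add HTTP/1.1",
    "GET /admin/ HTTP/1.1",
    "GET /catalogue/../admin/ HTTP/1.1",
    "GET /catalogue/%2e%2e/admin/ HTTP/1.1",
    "GET /catalogue/%252e%252e/admin/ HTTP/1.1",
    "TRACE / HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{line!r:45} -> {classify(line)}")
    print(f"static share: {static_share(SAMPLE_REQUESTS):.0%}")
```

The three "/admin/" variants show why the order matters: the URL policy alone would pass the "%252e" form as a harmless "/catalogue/" request, and only the one-decode-then-refuse rule in normalise keeps the traversal away from the Web server behind the proxy.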

The DMZ is a protected network located between the Internet and the internal or private network. It forms a buffer zone for all traffic entering the internal network from the Internet. The DMZ comprises a separate sub-net with physically separate firewalls on either side, of differing types so that one product's weakness is not shared by the other. The firewall rules do not allow external requests to pass directly to the internal network; they must pass through servers located in the DMZ. This provides a layer of security for the internal network.

With the implementation of reverse proxy servers within the DMZ, and the isolation from the client provided by the reverse proxy servers, it became feasible to relocate the Web servers within the internal network. This allows management functionality, such as content management, release management and maintenance to be implemented more easily. Web server farms are considered the most appropriate method of implementing a large Web service capability, although server consolidation in this area will become more feasible over time.

There can be no doubt that building a systems environment to successfully support e-business is a complex area with a requirement for people who really understand the various technologies, their particular benefits and disadvantages, and how they all fit together.
