As businesses continue to embrace the Web, e-commerce applications flourish. The e-commerce module enables organizations to support this capability through a multiple-component design. Here we examine how to provide both high availability and security via firewalls, server load balancers, and connections to multiple Internet service providers (ISP).
Achieving High Availability
The prevention of downtime is the goal of any high-availability strategy, and meeting this goal will require the integration of a number of components: redundancy, technology, people, processes, and tools.
Component Design for the E-Commerce Module
A number of different pieces make up the e-commerce module. Routing, switching, firewall, and server content-balancing components all make up common e-commerce designs. To construct complex e-commerce module designs, it is necessary to understand how to integrate these elements.
Typical firewall design for e-commerce: Security is key in an e-commerce implementation, so the design must take firewall issues into account. The e-commerce module is typically implemented in a data center that is connected to the Internet through one or more ISPs. Within the e-commerce module are multiple firewalls at various layers.
Large site design: A large site might have three firewalls separating and securing the web, application, and data tiers. In this design, the Internet connects to the web tier or the outer demilitarized zone (DMZ) supporting web services. Web servers then communicate with the application tier through a second pair of firewalls, and then these servers communicate with the data tier through a third pair of firewalls.
Application gateway approach: An alternative approach is to route all traffic between the layers through the servers. In this approach, the web tier servers act as application-specific gateways, adding security because a hacker would have to penetrate the firewall and the web server operating system to attack the middle layer of firewalls.
© 2008 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 98 for more details.
CCDP ARCH Quick Reference
CCDP ARCH Quick Reference By Kevin Wallace, Michael Watkins ISBN: 9781587054990 Publisher: Cisco Press
Prepared for Kevin Kem, Safari ID: [email protected] Licensed by Kevin Kem
Print Publication Date: 2007/10/26 User number: 1023945 Copyright 2007, Safari Books Online, LLC.
This PDF is exclusively for your use in accordance with the Safari Terms of Service. No part of it may be reproduced or transmitted in any form by any means without the prior written permission for reprints and excerpts from the publisher. Redistribution or other use that violates the fair use priviledge under U.S. copyright laws (see 17 USC107) or that otherwise violates the Safari Terms of Service is strictly prohibited.
Designing an E-Commerce Module
FIGURE 7-1 Server as Application Gateway (figure labels: Internet Service Provider A; Web Tier; Application Tier; Database Tier)
Virtualization using firewall contexts: Firewall contexts are now supported within the Cisco firewall family to allow the virtualization of a physical firewall or Application Control Engine (ACE) module. With contexts, specific VLANs or interfaces may be connected to specific security contexts, each of which supports its own policies such as access control lists (ACL), Network Address Translation (NAT), protocol fixups, and so on.
Layering with Virtual Firewalls: When constructing a multitiered e-commerce model, a single pair of firewall devices may be used to create virtual firewall layers. One approach is to use a pair of Cisco Catalyst 6500 switches with Firewall Services Modules (FWSM) rather than individual firewalls.
Transparent and routed mode firewalls: Firewall design using the Cisco product family now supports firewalls that operate in either transparent (bridged) mode or in traditional routed mode, and this may be established on a per-context basis.
- Transparent mode: The FWSM bridges two VLANs, and traffic passing through the FWSM is subject to IP ACLs.
- Routed mode: The FWSM routes between the VLANs, and traffic passing through it is subject to IP ACLs, security state tracking, and so on.
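As an added illustration (not from the Cisco Press text), the following Python model encodes the three-firewall large-site design described above and checks which flows each tier can open directly, so the reduced blast radius of a compromised web tier can be verified rather than assumed; the zone names, firewall names, and ports 443, 8080 and 5432 are constructed assumptions.

```python
"""Model of the three-tier e-commerce firewall design (web, application, data tiers).

Added example, not from the Cisco Press text. Zone names, firewall names and
the ports 443 / 8080 / 5432 are constructed for illustration.
"""
from dataclasses import dataclass

ZONES = ["internet", "web", "app", "data"]  # ordered outside -> inside


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int


# Each firewall pair sits between two adjacent tiers and permits only the
# flows the design needs; everything else is implicitly denied.
FIREWALLS = {
    "fw-outer": {"between": ("internet", "web"), "permit": {Rule("internet", "web", 443)}},
    "fw-mid":   {"between": ("web", "app"),      "permit": {Rule("web", "app", 8080)}},
    "fw-inner": {"between": ("app", "data"),     "permit": {Rule("app", "data", 5432)}},
}


def firewalls_on_path(src: str, dst: str) -> list:
    """Return the firewall layers a packet from src to dst must cross."""
    lo, hi = sorted((ZONES.index(src), ZONES.index(dst)))
    crossed = []
    for name, fw in FIREWALLS.items():
        ia, ib = (ZONES.index(z) for z in fw["between"])
        if lo <= ia and ib <= hi:
            crossed.append(name)
    return crossed


def is_permitted(src: str, dst: str, port: int) -> bool:
    """A flow passes only if every firewall on its path explicitly permits it."""
    return all(Rule(src, dst, port) in FIREWALLS[fw]["permit"]
               for fw in firewalls_on_path(src, dst))


def reachable_from(src: str) -> set:
    """Destinations a host in `src` can open directly: the blast radius of that tier."""
    ports = {r.port for fw in FIREWALLS.values() for r in fw["permit"]}
    return {(dst, p) for dst in ZONES if dst != src
            for p in ports if is_permitted(src, dst, p)}
```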
Load-Balancer Designs for E-Commerce
To support both scaling and high availability, a server load balancer (SLB) or content load balancer may be used.
Through the use of an SLB, the workload may be spread among many actual servers while providing flexibility in extending server capacity through the addition of more server capacity to the pool. Cisco offers a number of product lines that provide content and SLB services:
- Cisco CSS 11500 Series Content Services Switch (CSS)
- Cisco Content Switching Module (CSM)
- Cisco Application Control Engine (ACE)
Basic SLB designs include router mode, bridge mode inline, and one-armed (or two-armed) mode and include the need to select appropriate redundancy from among active/active, active/passive, or failover triggers. Design of an SLB may also include Client Source NAT (CSNAT), which rewrites the IP address of the client before the packet goes to the server.
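The following Python model, added here and not part of the Cisco Press text, shows why client source NAT matters in a one-armed SLB design: because the SLB is not inline, a real server's reply returns through it only when the client address was rewritten to the SLB's own address. All addresses (client 198.51.100.7, VIP 203.0.113.10, SLB NAT address 10.0.0.10, real servers 10.0.0.21/22) are constructed.

```python
"""One-armed SLB with and without client source NAT (CSNAT).

Added example, not from the Cisco Press text. All addresses are constructed:
client 198.51.100.7, VIP 203.0.113.10, SLB source-NAT address 10.0.0.10,
real servers 10.0.0.21 and 10.0.0.22.
"""
from dataclasses import dataclass

VIP = "203.0.113.10"
SLB_NAT_ADDR = "10.0.0.10"
REALS = ["10.0.0.21", "10.0.0.22"]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class OneArmedSLB:
    def __init__(self, csnat: bool):
        self.csnat = csnat
        self.next_real = 0
        self.flows = {}  # (real server, source seen by server) -> original client

    def client_to_server(self, pkt: Packet) -> Packet:
        """Pick a real server for a packet to the VIP; with CSNAT also rewrite the client source."""
        real = REALS[self.next_real % len(REALS)]
        self.next_real += 1
        src = SLB_NAT_ADDR if self.csnat else pkt.src
        self.flows[(real, src)] = pkt.src
        return Packet(src, real)

    def server_reply(self, reply: Packet):
        """Undo both translations for a reply that reached the SLB; unknown flows are dropped."""
        client = self.flows.get((reply.src, reply.dst))
        return Packet(VIP, client) if client else None


def server_reply_path(slb: OneArmedSLB, fwd: Packet):
    """Model the server answering fwd.src. In one-armed mode the SLB is not inline,
    so the reply only comes back through it if the destination is the SLB's own address."""
    reply = Packet(fwd.dst, fwd.src)
    if reply.dst == SLB_NAT_ADDR:
        return "via-slb", slb.server_reply(reply)
    return "direct", reply  # asymmetric: client receives a packet from the real IP, not the VIP
```

With CSNAT the servers log the SLB's address instead of the client's, so the original client address has to be carried in-band (for HTTP, a forwarded-for header) if server-side audit logs are to remain useful.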
E-Commerce Topology Designs
Three common designs are typically used when constructing an e-commerce solution:
- One firewall per ISP, with separate NAT pools.
- Stateful failover with a common external prefix advertised through Border Gateway Protocol (BGP) with a single NAT pool.
- Distributed data centers with multiple ISPs.
Integrated E-Commerce Designs
Base Module Design
This basic e-commerce design uses a core layer that houses the first stage of firewalls. Aggregation and access layers are trusted zones with no security between the web, application, and database zones. Routed mode is used to provide connectivity to the SLBs or firewalls by the aggregation layer. Further, all e-commerce traffic goes via the CSMs, which might require additional CSM configuration for direct access to the servers for non-load-balanced sessions initiated by the servers.
Routing in the base e-commerce module is static for the most part, with virtual IP addresses used to support failover.
With regard to traffic flow, while the firewall handles security logic, the CSM handles the SLB decision or passes management traffic directly to a specific server.
Two Firewall Layers
Additional protection can be gained by inserting a firewall into the aggregation layer. This form of two firewall layers may be implemented using a one-armed design in which a one-armed SLB device is employed. In this design, it is possible to have direct server traffic flow. The one-armed SLB model with an aggregation firewall may also support multiple firewall contexts. In this model, it is no longer necessary to have a separate firewall in the core layer. A further design option is a one-armed SLB with CSS modules that firewall all traffic. With CSS in the one-armed mode, non-load-balanced traffic to and from the servers can bypass the CSS devices.
No matter the design that is ultimately used, it is important to test it thoroughly. Proper lab testing can help to validate network behavior and failover conditions, and can aid in future troubleshooting and design analysis.
E-Commerce Tuning
A number of Cisco technologies, such as BGP tuning, enhanced object tracking, optimized edge routing, and Domain Name System (DNS) site selection and failover, offer enhanced e-commerce capabilities to suit various design needs.
- BGP Tuning: Used to control packet flow and convergence characteristics.
- Enhanced Object Tracking (EOT): A standalone process, built into the Cisco IOS software, that tracks the status of objects.
- Optimized Edge Routing (OER): Provides alternative path selection based on policies. The OER cycle is learn, measure, apply policy, optimize, and verify.
- Cisco Global Site Selector (GSS): Content deployment across multiple distributed and mirrored data locations is leveraged to optimize site selection, improve DNS responsiveness, and ensure data center availability.
FIGURE 7-2 Optimized Edge Routing (OER) (figure label: Master)