Extending ADDM Discovery to Firewalls, Applications and Routers
1. Applications, Firewalls & Routers
Extending discovery to network devices and their relationships to your applications.
Presented by Wes Fitzpatrick – wfitzpatrick@cssdelivers.com
2. ADDM Current Discovery Capability – pros and cons
• ADDM is very good at mapping:
  • Application to software dependencies
  • Software to software and software to host dependencies
  • Host to host and neighbouring switch dependencies
  • Technical and operational dependencies
• Not so good for:
  • Switch and router neighbours
  • Firewall neighbours
  • Load balancer neighbours
  • Logical or functional application dependencies
5. Business Cases
• Multinational retailer
  • 1500 OSIs comprising Windows, Unix, AS400s, Exadata and Netezza.
  • Application stack included F5 load balancers and AS400 messaging subsystems.
• Tier 1 Investment bank
  • 10,000 OSIs
  • Decentralised ADDM deployments to Americas, EMEA, APAC datacentres.
  • BAM not used – single focus on remote firewalled connections.
6. Getting Load Balancers into the Model
• SNMP only
  • Creates a NetworkDevice node
  • No direct relationship to SIs or BAIs.
• Solution
  • Trigger on a web server SI type
    • Create a link through DiscoveryAccess and update an attribute on the SI
  • Trigger on NetworkDevice
    • Create an SI for “F5 Load Balancer”
    • Reverse lookup DiscoveredNetworkConnection for port to process mapping
    • Maps all communicating software!
7. Getting Firewalls into the Model
• Can be discovered (unsupported device)
  • Custom TPL needed
• SNMP?
  • No direct way to link to a Host or Router
8. Getting Firewalls into the Model
http://www.xpresslearn.com/networking/design/network-design-series-ii/#
• Bank Environment
  • No TPL required (no application models)
  • No 3rd party software available
  • Scanning additional domains/zones not permitted
  • NMAP not permitted
  • SNMP login to firewalls/routers not permitted
  • Traceroute? Maybe…
10. Getting Firewalls into the Model cont…
• Solution
  • Obtained a pre-defined list of “hand-off” routers
  • Started with pool of 100 dev hosts
    • TPL out of the question
  • Expanded to 1000 prod hosts
    • 200,000 remote IP addresses in ADDM (40,000 unique records)
    • Filtered to 7500 unique remote IPs, 230 outside of firewall
  • Output 4 CSV files:
    • Hosts with hand-off router connections
    • Hosts with no remote connections
    • Traceroute timings
    • Connection details
  • Average 3 seconds per traceroute, 90 minutes to run.
11. Summary
• Multinational retailer
  • In the process of mapping their additional applications.
  • Application models now considered core to the move.
• Tier 1 Investment bank
  • 1st stage proof of concept success.
  • Considering expanding the script to other datacentres for a holistic view.
12. Summary
• Application models can be extended to include
  • Routers
  • Load balancers
  • Firewalls
• ADDM is a ‘must-have’ tool for datacentre migrations
  • Provides visibility of ‘what’ is connected ‘where’
• Important to understand how the application model differs from the HLD
Typical application model is built from the bottom up via dependencies.
However, many organisations have more of a top-down view of logical or functional dependencies that include firewalls, switches, routers and load balancers.
An application server may be considered as having a logical dependency on a database server, the webservers have a logical dependency on the load balancers – though operationally or technically they work independent of each other.
Many organisations we are encountering have a desire to see things in the model which ADDM does not currently provide OOTB. These additional components are critical to an organisation that wants to see where that application sits as a dependency within their datacentre – especially when considering datacentre migrations.
Since April this year, CSS have already assisted 2 customers in preparation for Datacentre migrations.
ADDM discovers the load balancers by SNMP only. The taxonomy restricts relationships from a NetworkDevice to DiscoveryAccess, Subnets, IPAddress and NetworkInterfaces.
We had limited time to model the application stack and include Load Balancer communicating relationships.
The first approach was to trigger on some common web server SIs, then look up through DiscoveredNetworkConnection to find the load balancer and add it as an attribute on the SI.
The second approach was to create a “Load Balancer” SI; from it we were able to reverse look up DiscoveredNetworkConnection and map ALL communicating software instances – no longer dependent on defining which SIs are web servers.
These appeared in the visualisation under Inferred Software Communication.
ADDM can discover firewalls; however, you need to access them through a DiscoveryAccess node, as they do not create inferred nodes. There is third-party software that can achieve this.
There may also be scripted ways to link a host to a router or firewall, but these were not available to us.
Initial requirements gathering…
We were allowed to run traceroute and had CLI access. After speaking to their networks guy we got a list of hand-off routers (routers which neighbour one of the firewalls); the bank could use these routers to determine where the hosts were connecting.
TPL was ruled out: we looked at the option of running the traceroutes from a pattern, but as well as adding significant scan time, each host may have up to 100 remote connections and may share targets with other hosts, so traceroutes would run repeatedly against the same targets.
After increasing the test pool size the script was taking a very long time to execute, so we worked on putting in logic that ensured traceroute only ran once and all hosts were updated.
We added timings so that anyone running the script could prepare for the best time to run and they could also compare traceroute time by subnet.
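The dedupe-and-traceroute procedure from slide 10 and these notes, as an added example that is not the presenter's script: it takes exported (host, remote IP) pairs from DiscoveredNetworkConnection plus the hand-off router list, traces each unique remote IP once, records timings, and builds the four CSV tables. The hosts, addresses and `fake_traceroute` hop lists are constructed; `real_traceroute`, `analyse` and `write_csvs` are assumed helper names, and `real_traceroute` is the one to pass in for a live run.

```python
# Added example (not the presenter's script): dedupe remote IPs exported from ADDM
# DiscoveredNetworkConnection records, trace each once, flag hand-off router paths.
import csv, subprocess, time
from collections import defaultdict

# Constructed sample data: hand-off router IPs and connections are made up.
HANDOFF_ROUTERS = {"10.0.0.1", "10.0.1.1"}
CONNECTIONS = [  # (local host, remote IP); "" = host has no remote connections
    ("app01", "10.20.30.5"), ("app01", "192.0.2.10"),
    ("app02", "192.0.2.10"), ("app02", "10.20.30.5"),
    ("db01", "10.20.30.5"), ("batch01", ""),
]

def real_traceroute(target, max_hops=30):
    """Run `traceroute -n` and return responding hop IPs in order (skips '*')."""
    out = subprocess.run(["traceroute", "-n", "-m", str(max_hops), target],
                         capture_output=True, text=True, timeout=120).stdout
    fields = [line.split() for line in out.splitlines()[1:]]
    return [f[1] for f in fields if len(f) > 1 and f[1] != "*"]

def fake_traceroute(target):
    """Offline stand-in for real_traceroute with constructed hop lists."""
    paths = {"10.20.30.5": ["10.20.30.254", "10.20.30.5"],
             "192.0.2.10": ["10.0.0.254", "10.0.0.1", "198.51.100.1", "192.0.2.10"]}
    return paths.get(target, [])

def analyse(connections, handoff_routers, traceroute=fake_traceroute):
    """Return the four output tables as lists of rows, header row first."""
    by_host = defaultdict(set)
    for host, remote in connections:
        by_host[host].update([remote] if remote else [])  # key created even if empty
    hops_for, timing = {}, []
    for target in sorted({r for rs in by_host.values() for r in rs}):
        start = time.monotonic()          # each unique target is traced exactly once
        hops_for[target] = traceroute(target)
        timing.append([target, f"{time.monotonic() - start:.3f}"])
    via = {t: sorted(set(h) & handoff_routers) for t, h in hops_for.items()}
    details = [[host, r, ";".join(via[r]) or "none"]
               for host in sorted(by_host) for r in sorted(by_host[host])]
    return {
        "hosts_handoff": [["host"]] + [[h] for h in sorted(by_host) if any(via[r] for r in by_host[h])],
        "hosts_no_remote": [["host"]] + [[h] for h in sorted(by_host) if not by_host[h]],
        "traceroute_timings": [["remote_ip", "seconds"]] + timing,
        "connection_details": [["host", "remote_ip", "handoff_router"]] + details,
    }

def write_csvs(results, directory="."):
    for name, rows in results.items():
        with open(f"{directory}/{name}.csv", "w", newline="") as fh:
            csv.writer(fh).writerows(rows)
```

Timings are per unique target, so comparing them by subnet (as the notes describe) is a matter of grouping the `traceroute_timings` rows by address prefix.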