High Volume Real Time Contiguous ETL and Audit


How Microsoft IT audits the network access


1. How Microsoft protects its Network
    Remus Rusanu
    High Volume Real Time Contiguous ETL and Audit

2. Agenda
    - Network Access Protection
    - NAP Audit as implemented by Microsoft IT
    - Service Broker in 5 slides
    - High Availability, Scale Out and Real Time
    - Demo
    - Similar Projects
    - Q&A

3. Network Risks
    - Highly connected
    - Distributed data
    - Mobile workers
    - Remote access
    - Web services
    - Wireless
    - Mobile smart devices

4. Network Access Protection
    - Policy Validation: evaluates company security policies and determines compliant ("healthy") vs. non-compliant ("unhealthy") computers
    - Network Restriction: restricts network access based on computer "health"
    - Remediation: applies the updates a non-compliant computer needs to become compliant ("healthy"); once healthy, the network restrictions are lifted
    - Ongoing Compliance: changes to the company's security policy or to a computer's compliance trigger a new evaluation of network restrictions
    - Health Agents: Windows Security Health Agent, SCCM, IPSec, Wireless, VPN, Forefront, DHCP, BitLocker

5. NAP Overview (diagram slide)

6. NAP Modes
    - Reporting Mode
      - Backend receives metrics, no client impact
      - Capture/analyze daily statistics of unhealthy vs. healthy clients
      - Estimate the impact on the user base if enforcement were enabled
    - Deferred Enforcement Mode
      - No network restrictions during the deferment period
      - End users receive notifications when non-compliant
      - Helpdesk is contacted by end users about the notifications
    - Enforced Mode
      - Non-compliant systems are quarantined
      - Productivity affected during quarantine
      - Health certificate required to access other NAP-enabled clients/servers
7. NAP Audit
    - Network Protection Server logging:
      - Text files
      - SQL: exec dbo.ReportEvent @event;
    - @event is XML, correlated by a session-id:
      - Network access request (session start)
      - Request Accepted / Request Denied
      - Accounting information (for VPN, every 10 min)
    - The health status is part of the second packet
      - Status of each SHA on the computer: OS updates, firewall, anti-virus etc.

8. NAP Reporting
    - Aggregate all NAP audit events into a DW
    - Allow analysis of:
      - Compliant/non-compliant status and its evolution
      - Reasons for non-compliance
      - Most frequent causes of computer quarantine
      - Efficiency of automatic remediation
      - Forensic analysis of computer and user activity

9. Processing NAP Audit Events (architecture diagram; labels in flow order)
    - 47 geo-distributed NPS servers, each with a local ReportEvent
    - Service Broker delivery over mirrored routes
    - XML shredding
    - Mirrored publication (mirroring allows for maintenance downtimes)
    - Transactional replication

10. A Crash Course on Service Broker
    - Message-based communication between SQL Server instances
    - SEND is a T-SQL verb to send a message:
      SEND ON CONVERSATION @handle ('Hello, World');
    - RECEIVE is a T-SQL verb to receive messages
    - Conversations are message exchange sessions
      - Durable, persisted in the database
      - Long lived; can be reused for days, years
      - BEGIN CONVERSATION starts a conversation
      - END CONVERSATION ends a conversation
      - Any message belongs to exactly one conversation
      - Order of delivery is guaranteed within a conversation

11. A Service Broker Application (diagram slide)

12. The small print: all the Broker Objects
    - Service: an addressable Broker destination. Think mailing address.
    - Message Types, Contracts: formalize the messages a Service can accept. Think COM interfaces.
    - Queues: where a Service keeps its messages until they are received. Think mailbox.
    - Remote Service Bindings: associate a target service with an identity (certificate): "when you send to service Foo, encrypt the data with certificate Bar"
    - Routes: specify the physical location of a Service. Think Post Master.
    - Endpoints: configure the communication protocol to be used
      - TCP listener port
      - Authentication and authorization
      - Encryption scheme
      - Allows two SQL Server instances to connect

13. The Nugget: Activation
    - Attach a stored procedure to a Service Broker Queue
      - Will run when there are messages in the queue
      - Will run a stored procedure inside SQL Server; no external connection required
    - Fully contained within the database
      - No external process
      - No msdb configuration
      - No SQL Agent requirement
    - Magically tunes itself to the load
      - Launches new procedure instances as needed
      - WAITFOR (RECEIVE …) is intentionally LIFO
      - When load is reduced, procedures time out and exit
    - Transactional semantics
      - Will launch after a server shutdown and restart
      - Will launch after a mirroring failover
      - Will launch after a cluster failover
      - Will launch after an attach or a restore
      - The server can crash and burn: the procedure will launch when your DR procedure is complete

14. Local Availability: SQL Express
    - If the NPS server is running, the SQL Express instance is likely running too
    - Express is light on resource usage
      - Single CPU
      - 1 GB RAM buffer pool
      - 4 GB (10 GB in R2) DB size
    - Transact-SQL programming
    - Cheap to distribute to hundreds of sites

15. Reliable Delivery: Service Broker
    - SEND is a local transaction
      - Never affected by the target's availability
    - Guarantees Exactly Once In Order delivery
    - Handles retries
      - Target downtime
      - Connection problems can be resolved days, months, even years after they occurred, without data loss
    - Security can traverse domains
      - NTLM/Kerberos
      - Certificates
      - Authentication, authorization and encryption handled at the SQL endpoint configuration level

16. Scale Out: Service Broker
    - Hundreds and thousands of peers
      - EdCon handles 1500+ data sources
    - Abstracts physical location with ROUTEs
      - Server relocation
    - Heterogeneous SQL 2005/SQL 2008
      - Rolling upgrade of the deployed servers
    - Available on all editions, including Express
    - High throughput
      - Spikes can be delivered at 6000+ msgs/sec
      - Highly optimized code path to insert into the target

17. Process XML: XPath and Activation
    - Service Broker internal activation
      - Readers launched when messages arrive
      - Self-tuning reader count (MAX_QUEUE_READERS)
      - No polling!
    - XML payload projected into columns
      - XPath
      - XQuery
    - Automatic processing batching
      - RECEIVE TOP 1000 creates a 1000-message batch to process
    - Correlation awareness
      - NPS packets 1 (Start) and 2/3 (Accept/Reject) processed by the same reader
      - Original order is preserved during processing
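As an added worked example (not part of the deck) tying slides 13 and 17 together: a target queue with internal activation and the activated procedure that drains it in batches of up to 1000 and shreds the XML payload into columns. The queue, table, procedure and message type names and the `<Event>` XML shape are assumptions; the real NPS ReportEvent payload is not reproduced.

```sql
-- Added example; object names, message type and the <Event> XML shape are
-- assumed, not the real NPS ReportEvent payload.
CREATE TABLE dbo.NapEvents (
    SessionId uniqueidentifier NOT NULL, EventKind nvarchar(32) NOT NULL,
    Computer nvarchar(256) NULL, Compliant bit NULL, EventXml xml NOT NULL);
CREATE QUEUE dbo.NapAuditQueue;
GO
CREATE PROCEDURE dbo.ProcessNapAuditQueue
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @batch TABLE (handle uniqueidentifier, msgtype nvarchar(256), body varbinary(max));
    DECLARE @h uniqueidentifier,
            @end nvarchar(256) = N'http://schemas.microsoft.com/SQL/ServiceBroker/EndDialog',
            @err nvarchar(256) = N'http://schemas.microsoft.com/SQL/ServiceBroker/Error';
    WHILE 1 = 1
    BEGIN
        BEGIN TRANSACTION;
        DELETE @batch;
        -- One RECEIVE returns up to 1000 messages of a single conversation group,
        -- in order, so a session's Start and Accept/Reject packets are shredded
        -- by the same reader. The TIMEOUT lets an idle reader exit when load drops.
        WAITFOR (RECEIVE TOP (1000) conversation_handle, message_type_name, message_body
                 FROM dbo.NapAuditQueue INTO @batch), TIMEOUT 5000;
        IF @@ROWCOUNT = 0 BEGIN ROLLBACK TRANSACTION; BREAK; END
        -- XQuery projection of the whole batch into columns, in the same transaction
        INSERT INTO dbo.NapEvents (SessionId, EventKind, Computer, Compliant, EventXml)
        SELECT p.x.value('(/Event/@SessionId)[1]', 'uniqueidentifier'),
               p.x.value('(/Event/@Kind)[1]', 'nvarchar(32)'),
               p.x.value('(/Event/Computer)[1]', 'nvarchar(256)'),
               p.x.value('(/Event/Health/@Compliant)[1]', 'bit'),
               p.x
        FROM @batch b
        CROSS APPLY (SELECT CAST(b.body AS xml)) AS p(x)
        WHERE b.msgtype = N'//Contoso/Nap/AuditEvent';   -- assumed message type
        -- Close conversations the sender ended (or that errored) so they do not linger
        WHILE EXISTS (SELECT 1 FROM @batch WHERE msgtype IN (@end, @err))
        BEGIN
            SELECT TOP (1) @h = handle FROM @batch WHERE msgtype IN (@end, @err);
            END CONVERSATION @h;
            DELETE @batch WHERE handle = @h;
        END
        COMMIT TRANSACTION;
    END
END
GO
-- Attach the procedure: readers launch when messages arrive, up to 4 at a time
ALTER QUEUE dbo.NapAuditQueue WITH ACTIVATION (STATUS = ON,
    PROCEDURE_NAME = dbo.ProcessNapAuditQueue, MAX_QUEUE_READERS = 4, EXECUTE AS OWNER);
```

Each loop iteration is its own transaction, so a failure while shredding rolls back only that batch and the messages stay in the queue for the next reader.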
18. DW: Transactional Replication
    - Isolate the XML shredding from reporting
      - Different indexes for processing vs. reporting
      - Processing server deletes data after 10 days
      - DW retains 1 year of data (~1.5 TB)
    - Transactional Replication
      - Preserves order of operations
      - Preserves transaction boundaries
      - Easy to deploy and manage between a few peers
      - Supports mirrored publishers

19. Availability: Mirroring
    - Activation processing is entirely DB-contained
      - No msdb jobs, no master dependencies
      - Transactionally consistent
      - Automatically starts up on the new host after failover
    - Service Broker routing is mirroring aware
      CREATE ROUTE … WITH ADDRESS = 'tcp://principalname', MIRROR_ADDRESS = 'tcp://mirrorname';
      - Will instantly follow a failover
    - Mirroring allows for maintenance to occur
      - Apply CU and SP
      - Apply OS patches

20. DEMO

21. Similar Projects
    - Real Time Analytics with SQL Server 2008 R2 StreamInsight
      - Silverlight media content delivery metrics
      - nbcolympics.com, March Madness
    - Real time metrics with R2 StreamInsight
    - Trends and analysis in DW
      - Aggregated with Service Broker
      - Processed with Activation
      - SSIS for upload into DW

22. Silverlight Metrics Collection (architecture diagram; labels in flow order)
    - Silverlight media player
    - WCF to report usage metrics
    - Service Broker local SEND
    - StreamInsight real time
    - Activation processing
    - SSIS extraction into OLAP DW

23. Critical for Performance
    - Reuse Broker conversations
      - Each SEND on its own conversation: ~15 writes into 6 tables (for a full round-trip)
      - SEND on an existing conversation: 2 writes on 2 tables
      - RECEIVE cannot batch-process messages on distinct conversations
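As an added example (not from the deck) for the sender side described in slides 7, 19 and 23: the local dbo.ReportEvent that NPS calls, which sends every event on one cached long-lived conversation instead of opening a new one per SEND, plus the mirroring-aware route to the central target. Service, contract, message type, route and host names are assumptions.

```sql
-- Added example; service, contract, message type and host names are assumed.
-- Mirroring-aware route to the central target: follows a failover by itself.
CREATE ROUTE NapCentralRoute
    WITH SERVICE_NAME = '//Contoso/Nap/AuditTarget',
    ADDRESS = 'tcp://napsql-principal:4022',
    MIRROR_ADDRESS = 'tcp://napsql-mirror:4022';
-- Cached dialog handle, one row per target service
CREATE TABLE dbo.NapSendConversations (
    TargetService nvarchar(256) NOT NULL PRIMARY KEY,
    Handle uniqueidentifier NOT NULL,
    OpenedAt datetime2 NOT NULL DEFAULT SYSUTCDATETIME());
GO
-- What NPS calls for every audit event: exec dbo.ReportEvent @event;
CREATE PROCEDURE dbo.ReportEvent @event xml
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @h uniqueidentifier;
    BEGIN TRANSACTION;
    -- Lock the cache row (or its key range) so concurrent callers share one dialog
    SELECT @h = Handle FROM dbo.NapSendConversations WITH (UPDLOCK, HOLDLOCK)
    WHERE TargetService = N'//Contoso/Nap/AuditTarget';
    IF @h IS NULL
    BEGIN
        -- First event only: opening the dialog is the ~15 writes into 6 tables
        BEGIN DIALOG CONVERSATION @h
            FROM SERVICE [//Contoso/Nap/AuditSource]
            TO SERVICE '//Contoso/Nap/AuditTarget'
            ON CONTRACT [//Contoso/Nap/AuditContract];
        INSERT INTO dbo.NapSendConversations (TargetService, Handle)
        VALUES (N'//Contoso/Nap/AuditTarget', @h);
    END
    -- Steady state: 2 writes on 2 tables. SEND commits locally even when the
    -- target is down; Service Broker retries delivery later.
    SEND ON CONVERSATION @h MESSAGE TYPE [//Contoso/Nap/AuditEvent] (@event);
    COMMIT TRANSACTION;
END
```

Dialog security is left at its default here, which relies on the database master key and remote service binding from slides 12 and 24. If the cached dialog has been ended or has errored, SEND fails; the caller should then delete the cache row, END CONVERSATION on the stale handle and retry on a fresh dialog.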
24. Gotchas
    - Mirroring support for the DB master key
      - sp_control_dbmasterkey_password allows Service Broker to open the database master key on the new principal after a failover
    - Mirroring and Service Broker routes
      - If the mirroring session is suspended, routes must be modified
    - Replication and mirroring
      - Only the publisher can be mirrored
      - Principal and Mirror must share the same distributor
      - -PublisherFailoverPartner parameter added to the Log Reader agent
    - Replication and SQL 2008 upgrade rollout
      - Publisher version must be less than Distributor version
    - SQL Express is the have-not of monitoring
      - No Data Collection Sets support

25. Acknowledgements
    - Tom Baker, Senior SE Systems Engineer
    - Roger Doherty, Senior Technical Evangelist

26. Q&A
    slideshare.net/rusanu
    @rusanu