How Microsoft IT audits the network access
How Microsoft protects its Network
Remus Rusanu
High Volume Real Time Contiguous ETL and Audit
Agenda
– Network Access Protection
– NAP Audit as implemented by Microsoft IT
– Service Broker in 5 slides
– High Availability, Scale Out and Real Time
– Demo
– Similar Projects
– Q&A
Network Risks
– Highly connected
– Distributed data
– Mobile workers
– Remote access
– Web services
– Wireless
– Mobile smart devices
Network Access Protection
Policy Validation – Evaluates company security policies and determines compliant computers (“healthy”) vs. non-compliant ones (“unhealthy”)
Network Restriction – Restricts network access based on computer “health”
Remediation – Applies the necessary updates for non-compliant computers to become compliant (“healthy”). Once healthy, the network restrictions are lifted
Ongoing Compliance – Changes to the company’s security policy or to the computers’ compliance trigger a new evaluation of network restrictions
Health Agents – Windows Security Health Agent, SCCM, IPSec, Wireless, VPN, Forefront, DHCP, BitLocker
NAP Overview
NAP Modes
Reporting Mode
– Backend receives metrics, no client impact
– Capture/analyze daily statistics of unhealthy vs. healthy clients
– Estimate impact to user base if enforcement enabled
Deferred Enforcement Mode
– No network restrictions during the deferment period
– End users receive notifications when non-compliant
– Helpdesk contacted by end users in regards to notifications
Enforced Mode
– Non-compliant systems are quarantined
– Productivity affected during quarantine
– Health certificate required to access other NAP-enabled clients/servers
NAP Audit
Network Protection Server logging:
– Text files
– SQL: exec dbo.ReportEvent @event;
@event is an XML document. Events are correlated by a session-id:
– Network access request (session start)
– Request Accepted/Request Denied
– Accounting information (for VPN every 10 min)
The health status is part of the second packet:
– Status of each SHA on the computer: OS updates, firewall, anti-virus etc.
NAP Reporting
Aggregate all NAP audit events into a DW. Allow analysis of:
– Compliant/Non-compliant status and evolution
– Reasons for non-compliance
– Most frequent causes of computer quarantine
– Efficiency of automatic remediation
Forensic analysis of computer and user activity
Processing NAP Audit Events (architecture diagram): 47 geo-distributed NPS servers call the local ReportEvent; Service Broker delivery over mirrored routes; XML shredding; transactional replication from a mirrored publication into the DW. Mirroring allows for maintenance downtimes.
A Crash Course on Service Broker
Message based communication between SQL Server instances
SEND is a T-SQL verb to send a message
– SEND ON CONVERSATION @handle ('Hello, World');
RECEIVE is a T-SQL verb to receive messages
Conversations are message exchange sessions
– Durable, persisted in the database
– Long lived, can be reused for days, years
– BEGIN CONVERSATION starts a conversation
– END CONVERSATION ends a conversation
– Any message belongs to exactly one conversation
– Order of delivery is guaranteed within a conversation
A Service Broker Application
Initiator Computer:
  BEGIN CONVERSATION @h FROM SERVICE Initiator TO SERVICE 'Target'
  SEND ON CONVERSATION @h ('Hello')
Target Computer:
  RECEIVE @message = message_body, @h = conversation_handle FROM Target
  PRINT @message
  END CONVERSATION @h
Initiator Computer, on receiving the end-of-conversation notification:
  RECEIVE @message = message_body, @h = conversation_handle FROM Initiator
  END CONVERSATION @h
The small print: all the Broker Objects
Service
– An addressable Broker destination. Think mailing address.
Message Types, Contracts
– Formalize the messages a Service can accept. Think COM Interfaces.
Queues
– Where a Service keeps its messages until they are Received. Think mailbox.
Remote Service Bindings
– Associate a targeted service with an identity (certificate): ‘when you send to service Foo, encrypt the data with certificate Bar’
Routes
– Specify the physical location of a Service. Think Post Master.
Endpoints
– Configure the communication protocol to be used: TCP listener port, authentication and authorization, encryption scheme
– Allow two SQL Server instances to connect
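The crash course and the application slide above use a shorthand (BEGIN CONVERSATION, RECEIVE ... FROM Target). The following is an added example, not code from the deck or from Microsoft IT: the same Hello World exchange in complete T-SQL, creating the objects the small print lists. The object names (HelloMsg, HelloContract, InitiatorQueue, TargetQueue, InitiatorService, TargetService) are assumptions, and both services live in one database, which is why no route, endpoint or remote service binding is needed.

```sql
-- Added example (not from the deck). Requires Service Broker to be enabled
-- on the database: ALTER DATABASE [YourDb] SET ENABLE_BROKER;

-- 1. Message type and contract: what the initiator is allowed to send.
CREATE MESSAGE TYPE [HelloMsg] VALIDATION = NONE;
CREATE CONTRACT [HelloContract] ([HelloMsg] SENT BY INITIATOR);

-- 2. Queues (mailboxes) and services (mailing addresses).
CREATE QUEUE [InitiatorQueue];
CREATE QUEUE [TargetQueue];
CREATE SERVICE [InitiatorService] ON QUEUE [InitiatorQueue];
CREATE SERVICE [TargetService]    ON QUEUE [TargetQueue] ([HelloContract]);
GO

-- 3. Initiator: start the conversation and SEND one message.
--    (The deck's "BEGIN CONVERSATION" is BEGIN DIALOG CONVERSATION in T-SQL.)
DECLARE @h UNIQUEIDENTIFIER;
BEGIN DIALOG CONVERSATION @h
    FROM SERVICE [InitiatorService]
    TO SERVICE 'TargetService'
    ON CONTRACT [HelloContract]
    WITH ENCRYPTION = OFF;        -- same database: no dialog security needed
SEND ON CONVERSATION @h MESSAGE TYPE [HelloMsg] (N'Hello, World');
GO

-- 4. Target: RECEIVE from its queue, print, end its side of the dialog.
DECLARE @h UNIQUEIDENTIFIER, @mt SYSNAME, @body NVARCHAR(MAX);
WAITFOR (
    RECEIVE TOP (1)
        @h    = conversation_handle,
        @mt   = message_type_name,
        @body = CAST(message_body AS NVARCHAR(MAX))
    FROM [TargetQueue]
), TIMEOUT 5000;
IF @mt = N'HelloMsg'
BEGIN
    PRINT @body;
    END CONVERSATION @h;          -- sends an EndDialog message to the initiator
END
GO

-- 5. Initiator: drain the EndDialog notification and close its side too.
--    Skipping this step leaks a half-closed conversation in the database.
DECLARE @h UNIQUEIDENTIFIER, @mt SYSNAME;
WAITFOR (
    RECEIVE TOP (1) @h = conversation_handle, @mt = message_type_name
    FROM [InitiatorQueue]
), TIMEOUT 5000;
IF @mt = N'http://schemas.microsoft.com/SQL/ServiceBroker/EndDialog'
    END CONVERSATION @h;
GO
```

Each batch is its own transaction, so step 3 commits locally regardless of whether the target is reachable; that is the "SEND is a local transaction" property the deck relies on later.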
The Nugget: Activation
Attach a stored procedure to a Service Broker Queue
– Will run when there are messages in the queue
Will run a stored procedure inside SQL Server
– No external connection required
– Fully contained within the database
– No external process, no msdb configuration, no SQL Agent requirement
Magically tunes itself to the load
– Launches new procedure instances as needed
– WAITFOR (RECEIVE …) wake-up is intentionally LIFO
– When load is reduced, procedures time out and exit
Transactional semantics
– Will launch after a server shutdown and restart
– Will launch after a mirroring failover
– Will launch after a cluster failover
– Will launch after an attach or a restore
– The Server can crash and burn: the procedure will launch when your DR procedure is complete
Local Availability: SQL Express
If the NPS Server is running, the SQL Express is likely running too
Express is light on resource usage
– Single CPU
– 1 GB RAM buffer pool
– 4 GB (10 GB in R2) DB size
Transact-SQL programming
Cheap to distribute to hundreds of sites
Reliable Delivery: Service Broker
SEND is a local transaction
– Never affected by the target availability
Guarantees Exactly Once In Order delivery
– Handles retries
– Target downtime and connection problems can be resolved days, months, even years after they occurred without data loss
Security can traverse domains
– NTLM/Kerberos
– Certificates
– Authentication, Authorization, Encryption handled at SQL endpoint configuration level
Scale Out: Service Broker
Hundreds and thousands of peers
– EdCon handles +1500 data sources
Abstracts physical location with ROUTEs
– Server relocation
Heterogeneous SQL 2005/SQL 2008
– Rolling upgrade of the deployed servers
Available on all editions including Express
High Throughput
– Spikes can be delivered at +6000 msgs/sec
– Highly optimized code path to insert into target
Process XML: XPath and Activation
Service Broker Internal Activation
– Readers launched when messages arrive
– Self-tuning reader count: MAX_QUEUE_READERS
– No polling!
XML payload projected into columns
– XPath
– XQuery
Automatic processing batching
– RECEIVE TOP 1000 creates a 1000 size batch to process
Correlation awareness
– NPS packets 1 (Start) and 2/3 (Accept/Reject) processed by the same reader
– Original order is preserved during processing
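As an added example, not the deck's or Microsoft IT's code, this is the activation and XML shredding pattern from "The Nugget: Activation" and this slide in T-SQL: an activated procedure drains the queue with WAITFOR (RECEIVE TOP (1000)), projects each XML event into columns with XPath and XQuery, closes conversations the sender has ended, and is attached to the queue with MAX_QUEUE_READERS. The event XML layout, the table and every object name are constructed for the illustration; the deck does not show the real NPS event schema.

```sql
-- Added example (not from the deck). Constructed event shape:
-- <event sessionId=".." kind="Start|Accept|Reject"><computer name=".."/>
--   <health state=".."><sha name=".." compliant="true|false"/>...</health></event>
CREATE TABLE dbo.NapEvent (
    EventId          BIGINT IDENTITY PRIMARY KEY,
    SessionId        NVARCHAR(64)  NOT NULL,   -- correlates Start with Accept/Reject
    EventKind        NVARCHAR(32)  NOT NULL,
    ComputerName     NVARCHAR(256) NULL,
    HealthState      NVARCHAR(32)  NULL,       -- only present in the second packet
    NonCompliantShas NVARCHAR(MAX) NULL,       -- space-separated SHA names
    ReceivedAt       DATETIME2 NOT NULL DEFAULT SYSUTCDATETIME());

CREATE MESSAGE TYPE [NapEventMsg] VALIDATION = WELL_FORMED_XML;
CREATE CONTRACT [NapEventContract] ([NapEventMsg] SENT BY INITIATOR);
CREATE QUEUE   [NapEventQueue];
CREATE SERVICE [NapEventService] ON QUEUE [NapEventQueue] ([NapEventContract]);
GO

-- Activated reader: one batch per transaction, loop until the queue is idle.
CREATE PROCEDURE dbo.usp_ProcessNapEvents
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @batch TABLE (
        conversation_handle UNIQUEIDENTIFIER,
        message_type_name   SYSNAME,
        message_body        VARBINARY(MAX));
    DECLARE @h UNIQUEIDENTIFIER;

    WHILE 1 = 1
    BEGIN
        DELETE @batch;
        BEGIN TRANSACTION;
        -- Up to 1000 messages, all from ONE conversation group, in send order,
        -- so a session's Start and Accept/Reject land in the same reader.
        -- A reader idle for 5 s exits; activation relaunches readers as needed.
        WAITFOR (
            RECEIVE TOP (1000) conversation_handle, message_type_name, message_body
            FROM [NapEventQueue] INTO @batch
        ), TIMEOUT 5000;
        IF @@ROWCOUNT = 0
        BEGIN
            ROLLBACK TRANSACTION;
            BREAK;
        END

        -- XPath projects attributes into columns; the XQuery FLWOR expression
        -- collects the names of the non-compliant SHAs.
        INSERT dbo.NapEvent (SessionId, EventKind, ComputerName, HealthState, NonCompliantShas)
        SELECT e.value('@sessionId',          'NVARCHAR(64)'),
               e.value('@kind',               'NVARCHAR(32)'),
               e.value('(computer/@name)[1]', 'NVARCHAR(256)'),
               e.value('(health/@state)[1]',  'NVARCHAR(32)'),
               CAST(e.query('for $s in health/sha[@compliant="false"]
                             return string($s/@name)') AS NVARCHAR(MAX))
        FROM @batch AS b
        CROSS APPLY (SELECT CAST(b.message_body AS XML)) AS x(doc)
        CROSS APPLY x.doc.nodes('/event') AS n(e)
        WHERE b.message_type_name = N'NapEventMsg';

        -- Close every conversation the sender ended or that reported an error.
        DECLARE c CURSOR LOCAL FAST_FORWARD FOR
            SELECT DISTINCT conversation_handle FROM @batch
            WHERE message_type_name IN (
                N'http://schemas.microsoft.com/SQL/ServiceBroker/EndDialog',
                N'http://schemas.microsoft.com/SQL/ServiceBroker/Error');
        OPEN c;
        FETCH NEXT FROM c INTO @h;
        WHILE @@FETCH_STATUS = 0
        BEGIN
            END CONVERSATION @h;
            FETCH NEXT FROM c INTO @h;
        END
        CLOSE c; DEALLOCATE c;

        COMMIT TRANSACTION;
    END
END
GO

-- Attach the procedure: no Agent job and no polling; readers are launched
-- as the backlog grows, up to the cap.
ALTER QUEUE [NapEventQueue] WITH ACTIVATION (
    STATUS = ON,
    PROCEDURE_NAME = dbo.usp_ProcessNapEvents,
    MAX_QUEUE_READERS = 4,
    EXECUTE AS OWNER);
GO

-- Constructed sample: a Start packet then a Reject packet for one session,
-- sent on the same conversation so one reader sees both, in order.
DECLARE @h UNIQUEIDENTIFIER, @x1 NVARCHAR(MAX), @x2 NVARCHAR(MAX);
SET @x1 = N'<event sessionId="S-1001" kind="Start"><computer name="LAPTOP-01"/></event>';
SET @x2 = N'<event sessionId="S-1001" kind="Reject"><computer name="LAPTOP-01"/>
  <health state="Unhealthy"><sha name="Firewall" compliant="false"/>
  <sha name="Antivirus" compliant="true"/></health></event>';
BEGIN DIALOG CONVERSATION @h
    FROM SERVICE [NapEventService] TO SERVICE 'NapEventService'
    ON CONTRACT [NapEventContract] WITH ENCRYPTION = OFF;
SEND ON CONVERSATION @h MESSAGE TYPE [NapEventMsg] (@x1);
SEND ON CONVERSATION @h MESSAGE TYPE [NapEventMsg] (@x2);
GO
```

After the sends, `SELECT * FROM dbo.NapEvent` shows the shredded rows once the activated procedure has run. Because the RECEIVE and the INSERT share one transaction, a reader that fails mid-batch rolls the messages back onto the queue rather than losing them, which is the transactional semantics the deck relies on across restarts and failovers.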
DW: Transactional Replication
Isolate the XML shredding from reporting
– Different indexes for processing vs. reporting
– Processing server deletes data after 10 days
– DW retains 1 year of data (~1.5 TB)
Transactional Replication
– Preserves order of operations
– Preserves transaction boundaries
Easy to deploy and manage between few peers
– Supports mirrored publishers
Availability: Mirroring
Activation processing is entirely DB contained
– No msdb jobs, no master dependencies
– Transactionally consistent
– Automatically starts up on new host after failover
Service Broker Routing is mirroring aware
– CREATE ROUTE … WITH ADDRESS = 'tcp://principalname', MIRROR_ADDRESS = 'tcp://mirrorname';
– Will instantly follow a failover
Mirroring allows for maintenance to occur
– Apply CU and SP
– Apply OS patches
DEMO
Similar Projects
Real Time Analytics with SQL Server 2008 R2 StreamInsight
– Silverlight media content delivery metrics
– nbcolympics.com, March Madness
Real Time metrics with R2 StreamInsight; trends and analysis in DW
– Aggregated with Service Broker
– Processed with Activation
– SSIS for upload into DW
Silverlight Metrics Collection (pipeline diagram): Silverlight media player → WCF to report usage metrics → StreamInsight real time and Service Broker local SEND → Activation processing → SSIS extraction into OLAP DW
Critical for Performance
Reuse Broker conversations
– Each SEND on its own conversation: ~15 writes into 6 tables (for a full round-trip)
– SEND on an existing conversation: 2 writes on 2 tables
– RECEIVE cannot batch process messages on distinct conversations
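One way to get the "SEND on an existing conversation" cost instead of a BEGIN DIALOG per message is to cache one long-lived handle per target and reuse it. The block below is an added example, not the deck's or Microsoft IT's code; the object names (MetricMsg, MetricContract, the two queues and services, dbo.ConversationCache, dbo.usp_SendMetric) are assumptions.

```sql
-- Added example (not from the deck): conversation reuse through a handle cache.
CREATE MESSAGE TYPE [MetricMsg] VALIDATION = NONE;
CREATE CONTRACT [MetricContract] ([MetricMsg] SENT BY INITIATOR);
CREATE QUEUE   [MetricSenderQueue];
CREATE QUEUE   [MetricCollectorQueue];
CREATE SERVICE [MetricSenderService]    ON QUEUE [MetricSenderQueue];
CREATE SERVICE [MetricCollectorService] ON QUEUE [MetricCollectorQueue] ([MetricContract]);

-- One cached conversation per target service.
CREATE TABLE dbo.ConversationCache (
    ToService NVARCHAR(256)    NOT NULL PRIMARY KEY,
    Handle    UNIQUEIDENTIFIER NOT NULL);
GO

CREATE PROCEDURE dbo.usp_SendMetric @body NVARCHAR(MAX)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @h UNIQUEIDENTIFIER;
    BEGIN TRANSACTION;
    -- Lock the cache row (or its key range) so two concurrent callers do not
    -- both BEGIN DIALOG and end up with two conversations to the same target.
    SELECT @h = Handle
    FROM dbo.ConversationCache WITH (UPDLOCK, HOLDLOCK)
    WHERE ToService = N'MetricCollectorService';

    IF @h IS NULL
    BEGIN
        -- Paid once per target, not once per message.
        BEGIN DIALOG CONVERSATION @h
            FROM SERVICE [MetricSenderService]
            TO SERVICE 'MetricCollectorService'
            ON CONTRACT [MetricContract]
            WITH ENCRYPTION = OFF;
        INSERT dbo.ConversationCache (ToService, Handle)
        VALUES (N'MetricCollectorService', @h);
    END

    -- Every subsequent message rides the cached conversation and therefore
    -- arrives at the collector in send order and in the same RECEIVE batch.
    SEND ON CONVERSATION @h MESSAGE TYPE [MetricMsg] (@body);
    COMMIT TRANSACTION;
END
GO

-- Constructed usage: two sends share one conversation.
EXEC dbo.usp_SendMetric N'player=1 bitrate=1500';
EXEC dbo.usp_SendMetric N'player=1 bitrate=900';
SELECT COUNT(*) AS CachedConversations FROM dbo.ConversationCache;
SELECT COUNT(*) AS QueuedMessages      FROM [MetricCollectorQueue];
```

The cache entry must be evicted when the conversation dies: whatever procedure drains MetricSenderQueue should, on an EndDialog or Error message, run END CONVERSATION on that handle and delete its row from dbo.ConversationCache, otherwise the next SEND fails against a closed conversation.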
Gotchas
Mirroring support for DB master key
– sp_control_dbmasterkey_password
– Allows Service Broker to open the database master key on the new principal after a failover
Mirroring and Service Broker routes
– If the mirroring session is suspended, routes must be modified
Replication and mirroring
– Only the publisher can be mirrored
– Principal and Mirror must share the same distributor
– -PublisherFailoverPartner parameter added to the Log Reader agent
Replication and SQL 2008 Upgrade rollout
– Publisher version must be less than Distributor version
SQL Express is the have-not of monitoring
– No Data Collection Sets support
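The master key gotcha in concrete form, as an added example that is not from the deck: the credential that lets the server open the database master key lives in master, which is not mirrored, so the call has to be made on both partners. The database name and password are placeholders.

```sql
-- Added example (not from the deck). Run on the principal AND on the mirror,
-- because the credential is stored in master on each instance.
EXEC sp_control_dbmasterkey_password
    @db_name  = N'NapAuditDb',              -- placeholder database name
    @password = N'<database master key password>',  -- placeholder
    @action   = N'add';

-- Check: the credential is registered for this database's family GUID, so
-- after a failover the new principal can open the key without a session
-- having to OPEN MASTER KEY (which dialog security and activation cannot do).
SELECT DB_NAME(rs.database_id) AS DatabaseName, mkp.credential_id
FROM sys.master_key_passwords AS mkp
JOIN sys.database_recovery_status AS rs ON rs.family_guid = mkp.family_guid;
```

Run the check on each partner; a database missing from the result on the mirror is the one whose Service Broker traffic will stall after the next failover.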
Acknowledgements
Tom Baker, Senior SE Systems Engineer
Roger Doherty, Senior Technical Evangelist
Q&A
slideshare.net/rusanu @rusanu