How to do a high level IT review in under a day (Part 2)

Welcome to this, the second of a three part article on how to carry out a high level review in a day. The first part looked at how to break the problem down into more manageable chunks and then proceeded to review the Software aspects. This, the second part, looks at the Infrastructure considerations while the final part will review the Operations and Change aspects.

Infrastructure

As previously mentioned, this section reviews the hardware, hosting and security necessary for the software to operate.

So, starting with the servers. A typical E-Commerce application uses a three tier model: a web server front-end (used to serve the actual web pages), a middleware tier (used to buffer the other two tiers from one another) and finally a back-end database (used to store customer and stock information). Questions on the servers at each tier revolve around how resilient they are (clustered, master-slave or cold-standby?), how resilient the data storage that they rely on is (basic mirroring, a more advanced RAID configuration or a SAN (Storage Area Network)) and how easy it is to add more data storage. What operating system (and version) does each server run? How is it backed up, and by whom?

In the case of the web servers, understanding what the web serving software is (usually either Microsoft IIS or Apache) also helps identify areas of potential security vulnerability. The same applies to the middleware servers, although there is more choice in terms of the software used (for example, BEA WebLogic, IBM WebSphere or JBoss).

Finally, the database servers, which are usually the most powerful servers, need to be understood. The same questions as those posed for the web and middleware servers apply here, but a number of database-specific questions also need to be asked. For example, what type (and version) of database is used? Example databases include Microsoft SQL Server, MySQL and Oracle. Each has its own benefits and pitfalls, so it is important to understand how the databases (and their host servers) are configured.

Having covered the servers, the next area to review is the network. This includes the network devices such as switches, firewalls, intrusion detection devices and load balancers. It also covers how the link(s) to the Internet are provided and managed. The best place to start is with a review of the network diagram. This diagram shows how each server or device is physically connected as well as how information flow is routed between the equipment. From a review of this document, a number of areas will be apparent where further questions will be necessary in order to gain a complete understanding. The obvious areas are around redundancy of devices or their components and how the routing changes dynamically as a result of a failure. This leads us to the Internet feed(s), where a review of how much bandwidth is provided (against how much is used at peak periods) is important. However, of equal importance is understanding who provides the Internet feed(s) and how they peer (connect) with the Internet. It is also vital to understand the make and model of each device, e.g. Cisco switch, Checkpoint firewall, Cisco ISA intrusion detection device and F5 load balancer, as this understanding enables the areas of weakness in each product to be reviewed. The other factor for such devices is how they are configured and maintained. For example, how is interactive access to these devices controlled?

The next area of review is the Data Centre(s) as it is important to know that these are secure and continuously monitored. Areas that should be monitored include humidity, temperature both inside and outside of each rack and, of course, the door to the facility and the doors on each rack.

Whilst it is a good idea to review the processes to maintain and manage the servers and network devices, it is equally important to review the security processes. For example, how is the security policy on the firewalls built up, and what is the process for controlling changes to it? Another key question is when the last penetration test was conducted and what the results were. It is also important to know whether a DDoS (Distributed Denial of Service) mitigation service has been implemented.
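To make the firewall policy questions above concrete, here is an added worked example (not code from the original article) of the kind of check a reviewer can run over an exported rule base: it looks for rules that permit anything to anything, management services reachable from any source, cleartext services, rules with no change record behind them, rules that are unreachable because an earlier rule already matches everything, and a missing final deny-all. The rule format, the service names and the sample rules are all constructed for the example and do not correspond to any particular vendor's export.

```python
"""Firewall rule-base review helper.

Added illustration for a high-level infrastructure review. The Rule layout,
the service names and SAMPLE_RULES below are constructed for this example;
map your firewall's export into the same fields before running it.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    number: int
    source: str
    destination: str
    service: str
    action: str       # "allow" or "deny"
    change_ref: str   # change/ticket reference justifying the rule; "" if none recorded


# Constructed sample rule base, in the order the firewall evaluates it.
SAMPLE_RULES = [
    Rule(1, "any", "web-vip", "https", "allow", "CHG-0001"),
    Rule(2, "any", "web-vip", "http", "allow", "CHG-0001"),
    Rule(3, "web-tier", "app-tier", "tcp/8080", "allow", "CHG-0002"),
    Rule(4, "app-tier", "db-tier", "tcp/1433", "allow", "CHG-0002"),
    Rule(5, "any", "mgmt-net", "telnet", "allow", ""),
    Rule(6, "any", "any", "any", "allow", ""),
    Rule(7, "any", "any", "any", "deny", "CHG-0000"),
]

# Constructed classifications used by the checks below.
MANAGEMENT_SERVICES = {"ssh", "telnet", "rdp", "https-mgmt"}
CLEARTEXT_SERVICES = {"telnet", "http", "ftp"}


def is_match_all(rule):
    """True when the rule matches every source, destination and service."""
    return rule.source == "any" and rule.destination == "any" and rule.service == "any"


def review_rules(rules):
    """Return a list of (rule number, finding) pairs for the reviewer to discuss."""
    findings = []
    shadowed_by = None  # number of an earlier allow-all rule, once one has been seen
    for r in rules:
        if shadowed_by is not None:
            # Nothing after an allow-all rule can ever be evaluated.
            findings.append((r.number, f"unreachable: shadowed by rule {shadowed_by}"))
            continue
        if r.action == "allow":
            if is_match_all(r):
                findings.append((r.number, "permits any source to any destination on any service"))
            if r.service in MANAGEMENT_SERVICES and r.source == "any":
                findings.append((r.number, f"management service {r.service} reachable from any source"))
            if r.service in CLEARTEXT_SERVICES:
                findings.append((r.number, f"uses cleartext service {r.service}"))
        if not r.change_ref:
            findings.append((r.number, "no change record justifying the rule"))
        if r.action == "allow" and is_match_all(r):
            shadowed_by = r.number
    # A well-built policy ends with an explicit "cleanup" deny-all rule.
    last = rules[-1]
    if not (last.action == "deny" and is_match_all(last)):
        findings.append((last.number, "rule base does not end with an explicit deny-all"))
    return findings


if __name__ == "__main__":
    for number, finding in review_rules(SAMPLE_RULES):
        print(f"rule {number}: {finding}")
```

Rule 6 in the sample is the case the review question is really after: an allow-all with no change record, which both opens the firewall and makes the deny-all behind it dead. The "no change record" check is the direct test of whether changes to the policy are controlled.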

Finally, capacity planning should be carried out to ensure that there is sufficient capacity in the infrastructure to cater for any predicted peaks in traffic. Generally this is based on a combination of calculations and assumptions on future usage.
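As an added worked example of the "calculations and assumptions" behind capacity planning (this is not code from the original article), the script below takes a series of observed monthly peak loads for one tier, derives a growth rate from them, projects the peak a number of months ahead with an allowance for a known event such as a sale, and works out how many servers are needed to carry that peak below a utilisation ceiling with an N+1 spare. All of the figures (observed peaks, per-server throughput, the ceiling and the event multiplier) are constructed assumptions and should be replaced with measured values from the environment under review.

```python
"""Capacity-planning calculation for one tier of a three-tier application.

Added illustration; every number in this file is a constructed assumption.
"""
from math import ceil

# Constructed sample: observed monthly peak load for the web tier, requests per second.
OBSERVED_PEAKS_RPS = [420, 450, 470, 510, 540, 580]


def monthly_growth_rate(peaks):
    """Average month-on-month growth ratio across the observations (geometric mean)."""
    if len(peaks) < 2:
        raise ValueError("need at least two observations to derive a growth rate")
    overall_ratio = peaks[-1] / peaks[0]
    return overall_ratio ** (1 / (len(peaks) - 1))


def projected_peak(current_peak, growth_rate, months_ahead, event_multiplier=1.0):
    """Peak load expected months_ahead from now.

    event_multiplier allows for a known one-off (a sale or campaign) on top of
    organic growth; 1.0 means no such event is expected.
    """
    return current_peak * (growth_rate ** months_ahead) * event_multiplier


def servers_required(peak_rps, per_server_rps, utilisation_ceiling=0.7, redundancy=1):
    """Servers needed so no server runs above utilisation_ceiling at peak, plus spares.

    redundancy=1 gives N+1: one server can fail at peak without breaching the ceiling.
    """
    usable_per_server = per_server_rps * utilisation_ceiling
    return ceil(peak_rps / usable_per_server) + redundancy


def capacity_finding(current_servers, required):
    """Plain-language finding a reviewer would record."""
    if current_servers >= required:
        return f"OK: {current_servers} servers installed, {required} required"
    shortfall = required - current_servers
    return f"SHORTFALL: {current_servers} servers installed, {required} required ({shortfall} to add)"


def plan_tier(peaks, months_ahead, per_server_rps, current_servers,
              event_multiplier=1.0, utilisation_ceiling=0.7, redundancy=1):
    """Run the whole calculation and return the intermediate figures for the report."""
    growth = monthly_growth_rate(peaks)
    peak = projected_peak(peaks[-1], growth, months_ahead, event_multiplier)
    required = servers_required(peak, per_server_rps, utilisation_ceiling, redundancy)
    return {
        "monthly_growth_rate": growth,
        "projected_peak_rps": peak,
        "servers_required": required,
        "finding": capacity_finding(current_servers, required),
    }


if __name__ == "__main__":
    # Constructed assumptions: 300 rps per web server, 6 installed, a sale in 6 months
    # expected to double the organic peak.
    report = plan_tier(OBSERVED_PEAKS_RPS, months_ahead=6, per_server_rps=300,
                       current_servers=6, event_multiplier=2.0)
    for key, value in report.items():
        print(f"{key}: {value:.3f}" if isinstance(value, float) else f"{key}: {value}")
```

The utilisation ceiling and the redundancy count are the two assumptions most worth challenging in a review: a tier planned to 100% utilisation with no spare will meet the predicted peak on paper and fail on the first hardware fault.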

Infrastructure Quick Check-list
- Describe the servers that the software runs on and how they are managed
- Describe any databases involved in running the software
- Describe the network devices and how they are managed
- Describe the data centre(s) and how they are monitored
- Describe the security processes including penetration testing and DDoS mitigation
- Describe how capacity planning for the infrastructure is carried out

I hope that you found this section of the article interesting and please feel free to contact me via the Contact Us page if you have any questions.

Thanks

Peter Groom
