Author Archives: cbroccoli

Solution Architecture and TOGAF

I recently heard that others in my organization are attending TOGAF (The Open Group Architecture Framework) training.  I have been trained and certified in TOGAF for about 4 years now, but within SIS and later within Atos I found very little interest in the subject, despite TOGAF being arguably the de facto standard among architecture frameworks.  This is primarily because Siemens has Chestra and Atos Origin had CLEAR as their Enterprise Architecture frameworks.  On top of that, we in GST do not do Enterprise Architecture; instead we are focused primarily on Solution Architecture, and then only within the Technology Architecture domain.  I think, however, that an understanding of an Enterprise Architecture framework would be beneficial for all GST Solution Architects, because it puts a lot of what we are doing into perspective and gives a better understanding of the customer's motivations and objectives.

TOGAF is used by organizations to develop and maintain their Enterprise Architecture and divides Enterprise Architecture into 3 primary domains:

  • Business Architecture
  • Information Systems Architecture
  • Technology Architecture

As I mentioned above, GST Solution Architects are primarily focused on developing the Technology Architecture.  This, however, is dependent on the customer's Information Systems Architecture, which in turn is dependent on the customer's Business Architecture.  It follows that in developing our solutions we are providing only a portion of the customer's overall Enterprise Architecture (EA), and then only as one part of an overall EA methodology.  This is best seen when one looks at the TOGAF Architecture Development Method (ADM) shown in the following diagram:

By the time the project lands at Atos' door, the customer has, whether using TOGAF, another framework or informal processes, already developed their Architecture Vision, Business Architecture and Information Systems Architecture (A, B and C above).  This information is placed in an RFP and forms the basis for the information we use to develop our Technology Architecture (D).  So when reading and assessing RFPs, it is important to pull these pieces of information out of the RFP and document them as part of the overall Solution Strategy.  The gaps between the Technology Architecture we develop and the customer's current Technology Architecture (CMO) make up the Opportunities and Solutions (E).  These become the transformation projects which must be implemented.  The Migration Planning phase (F) is then the T&T plan we develop.  Of course our Technology Architecture has implications for the Business and Information Systems Architectures, so the customer, in their evaluation, must assess the impact on the Information Systems Architecture and maybe even on the Business Architecture.  It is for this reason that I think it is very important for Solution Architects to understand how our solutions fit into an overall EA methodology and how they relate to the other architecture domains.  For me, TOGAF seems to be the logical choice for doing this.

Migration to WordPress and Multi-Site Issues

I finally bit the bullet and have now migrated my site from b2evolution to WordPress.  The b2evolution user interface was far too cumbersome, especially in terms of adding diagrams to my posts.  In WordPress it is just a matter of drag and drop, or browse and upload, all from within the edit window.  As far as the migration of the posts goes, I could not find an easy way to automate the import of the b2evolution data, and since I only have 29 posts I just manually copied and pasted the entries, resetting the dates so that they would appear in the proper chronological order.  All diagrams were on my hard drive, so adding them back into the posts was easy.  The whole process took maybe 3 hours.

The bare-bones WP installation normally allows for only a single blog.  To get multiple independent blogs you need to either install WP multiple times or enable networking (multi-site).  Two decisions made when setting up the site, configuring networking and installing WP in a sub-directory rather than the web root, led to the following problem....

Say you have two blogs, Bobs_Blog and Alices_Blog, on your main site www.mainsite.com/blogs.  These blogs will be reachable over the following URLs (assuming WP was installed in the blogs sub-directory):

http://www.mainsite.com/blogs/Bobs_Blog/

and

http://www.mainsite.com/blogs/Alices_Blog/

The two sub-directories, /Bobs_Blog and /Alices_Blog, do not exist on disk; they are path components that WordPress's rewrite rules hand to its PHP scripts so that the pages can be built dynamically.  DNS itself only maps a name to an address, so what a hosting provider's "point a sub-domain at a path" feature really does is serve that sub-domain from a directory under the web root.  If that directory does not exist, the server returns an error; if you create it by hand, the server looks for a home or index file in it (there is none) and gives you an error anyway.  For example, if you configure http://bob.mainsite.com to be served from www.mainsite.com/blogs/Bobs_Blog/, this will not work.  The server will try to find a real Bobs_Blog directory and will fail.

The prescribed solution to this problem is to install the MU Domain Mapper plugin and use it to redirect the HTTP requests to the correct location.  Unfortunately, the MU Domain Mapper plugin only works if WP is installed in the root directory!

A second idea was to just ask my DNS hosting provider to map a CNAME to the path … for example:

bob.mainsite.com     IN      CNAME     www.mainsite.com/blogs/Bobs_Blog/

Unfortunately, this is not a valid DNS entry: a CNAME can only point at another host name, never at a URL or a path 🙁

So the idea I had was to add an index file to the sub-directory whose only job is to redirect the HTTP request to the real site.  Based on our example, the index file would contain the following PHP code (taken from http://www.cyberciti.biz/faq/php-redirect/ )...

<?php
/* Redirect the browser to the real blog URL.  The Location header is only
   honoured if it is sent before any output, so nothing (not even a blank
   line) may precede the opening <?php tag. */
header("Location: http://www.mainsite.com/blogs/Bobs_Blog/");
/* Stop here so that nothing after the header is executed or sent. */
exit;
?>

When I added a sub-directory called blogs/Bobs_Blog and included this file, I ran into a redirect loop and yet another browser error.  The reason is that WordPress's rewrite rules only fire when the requested file or directory does not exist; once the directory was really there, the web server served my index.php instead of WordPress, the index.php redirected to the very same URL, and the same index.php was served again.

The final solution was to create a new, independent directory and put the redirect file there, then point the DNS sub-domain at that directory, and voila... it worked!  The final configuration has http://bob.mainsite.com pointing to www.mainsite.com/blogs/Bobs_Blog_redir/ and the sub-directory Bobs_Blog_redir contains an index.php file with the code shown above.  Two caveats.  First, once you connect to the site the real URL (www.mainsite.com/blogs/Bobs_Blog) appears in the address bar and is used throughout; PHP sends a 302 (temporary) redirect by default, and the target is hard-coded in the file rather than taken from the request, so the page cannot be abused as an open redirect.  For me the visible URL is not a problem; my goal was to have a simple URL for people to use (and remember).  Once in the site, everything is automated anyway.

RSA 2012 Day 4: IPv6 Vulnerability Management and BYOD

Two good sessions today, one on the state of vulnerability management in IPv6 and the second on the security issues with BYOD.

The vulnerability management session was interesting in that while Microsoft, all Linux variants, Cisco, HP, Juniper, Check Point and other OS and network device vendors have been implementing IPv6 capabilities in their products, the vulnerability management vendors have been sleeping.  They are just coming to the realization that customers would like to be able to perform vulnerability tests on the IPv6-enabled hosts on their networks.  I mentioned in my post yesterday that the primary issue with performing vulnerability scans on IPv6 is how sparsely hosts are spread through an IPv6 address space: a single /64 subnet holds 2^64 addresses, so it is simply not possible to sweep every address in a subnet to find hosts and then probe them for vulnerabilities in a reasonable amount of time.  The vendors are working on models to do this; however, no final "best practice" solution is available yet.  Some suggestions which were presented are to scan the active IPv4 addresses to find the hosts and then check whether they are also running IPv6, to perform SNMP walks on the routers or switches to determine which hosts are running IPv6, to review the CMDB for known hosts, or to review log files on network and other devices.
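The following is an added example, not code from the original post or from any scanner vendor, that works two of the discovery shortcuts above in code: it derives the EUI-64 (SLAAC) address each host in a CMDB extract would autoconfigure from its MAC address for the prefixes known to be in use, and it harvests live addresses from a neighbor-cache dump.  The CMDB entries, prefixes and neighbor-cache text are constructed sample data; the dump is assumed to be in the format of Linux "ip -6 neigh show", and a router's table (for example read via SNMP) would need its own parser.

```python
# Added example (not from the original post): shrink the IPv6 target list
# from 2**64 addresses per subnet to a handful of candidates by
#   1. deriving the EUI-64 address each inventoried host would form by SLAAC,
#   2. harvesting resolved entries from a neighbor-cache dump.
import ipaddress
import re

# Constructed CMDB extract: hostname -> MAC address (hypothetical values).
CMDB_MACS = {
    "web01": "00:1b:21:3c:4d:5e",
    "db01": "00:25:90:ab:cd:ef",
}

# Prefixes known to be routed on the segment; link-local is always present.
KNOWN_PREFIXES = ["fe80::/64", "2001:db8:1::/64"]

# Constructed neighbor-cache dump in "ip -6 neigh show" format.  A FAILED
# entry never resolved a link-layer address, so it is not a live host.
SAMPLE_NEIGH = """\
fe80::21b:21ff:fe3c:4d5e dev eth0 lladdr 00:1b:21:3c:4d:5e router REACHABLE
2001:db8:1::10 dev eth0 lladdr 00:25:90:ab:cd:ef STALE
2001:db8:1::dead dev eth0  FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<addr>[0-9a-fA-F:]+)\s+dev\s+\S+\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+(?:router\s+)?(?P<state>\w+)$"
)


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, appendix A) for a MAC:
    insert ff:fe between the OUI and the device part, flip the U/L bit."""
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02
    return bytes(octets[:3] + b"\xff\xfe" + octets[3:])


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a SLAAC host with this MAC would configure in a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def parse_neighbor_cache(text: str) -> dict:
    """Map each resolved neighbor address to its MAC; skip FAILED/INCOMPLETE."""
    found = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m or m.group("state") in ("FAILED", "INCOMPLETE"):
            continue
        addr = ipaddress.IPv6Address(m.group("addr"))  # canonical form
        found[str(addr)] = m.group("mac").lower()
    return found


def candidate_targets(prefixes, cmdb_macs, neigh_text) -> list:
    """Deduplicated, sorted addresses worth handing to a vulnerability scanner."""
    candidates = set()
    for prefix in prefixes:
        for mac in cmdb_macs.values():
            candidates.add(eui64_address(prefix, mac))
    for addr in parse_neighbor_cache(neigh_text):
        candidates.add(ipaddress.IPv6Address(addr))
    return [str(a) for a in sorted(candidates)]


if __name__ == "__main__":
    for target in candidate_targets(KNOWN_PREFIXES, CMDB_MACS, SAMPLE_NEIGH):
        print(target)
```

Two limits worth knowing before relying on this: hosts using privacy extensions (RFC 4941) or DHCPv6-assigned addresses will not answer on their EUI-64 address, so the derived list only covers classic SLAAC hosts, and a neighbor cache only lists hosts that recently exchanged traffic with the node it was taken from.  The two sources therefore complement each other rather than replace an authoritative inventory.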

In the BYOD session, the primary discussion revolved around identifying the threats to mobile devices in general, but only two possible models for supporting BYOD emerged.   The primary threats to mobile devices as seen by the panel are:

  • Bridging from a mobile device into the enterprise network
  • ActiveSync vulnerabilities
  • Rogue base stations which can eavesdrop on calls
  • Lack of granular controls in many of the mobile OSes
  • Poor password usage, since users find it difficult to type in complex, strong passwords

The two models which were discussed for supporting BYOD are either to require the user to accept corporate policy controls (e.g. encryption, virus scanner, etc.) on their personal device by installing an enterprise MDM solution, or to implement local virtual containers on the devices.  The container solution also addresses offboarding: when a user leaves the company only the corporate container needs to be wiped, and the personal container can remain in place.

In both situations, a security policy should define what applications will be made available to users who bring their own devices. This policy should be based on the criticality and security requirements of the applications as well as the usability of the applications.  For example, does it make sense to allow access to spreadsheets from iPhones when they really cannot read or manipulate them in any practical manner?