DEDS Migration
CPS IT Industry Meeting - 28.01.2010
Revised for follow-up call - 11.02.2010
Contents
• Introduction to DEDS.
• Need for Change.
• CPS Gateway - DEDS - CPSO Existing Architecture.
• CPS Gateway - DEDS - CPSO Proposed Architecture.
• Rationale for using FTPS.
• How FTPS works.
• What CPSOs have to do.
• Benefits of migration.
• Migration plans.
Introduction to DEDS
• CPS Operators communicate with the CPS Gateway server via DEDS (Data Exchange Distribution System), which sits in the DMZ and provides FTP communication over VPN/ISDN between BT and CPSOs.
• DEDS acts as a post box.
• CPSOs push files to DEDS for delivery to CPSG.
• CPSG pushes files to DEDS for further delivery to CPSOs.
Need for Change
• ISDN access to DEDS is slow due to limited bandwidth.
• Being an older technology, ISDN is difficult and costly to set up and maintain, both in availability of equipment and in the skills needed to maintain it.
• VPN access is limited by the availability of VPN ports on the BT firewall. Ports are almost exhausted.
• Existing DEDS hardware has scalability limitations.
• Failover capability is limited and slow on the existing infrastructure.
CPS Gateway - DEDS - CPSO Existing Architecture
[Diagram. Components: CPSO1 … CPSOn, ISDN/VPN, FTP, FIREWALL, DEDS Cluster (DEDS Primary, DEDS Secondary), XFB, CPS Gateway; RED Side / Green Side. Flow labels: Push Files to DEDS, Push File to CPs, Push Files to CPSG.]
CPS Gateway - DEDS - CPSO Proposed Architecture
[Diagram. Components: CPSO 1 … CPSO n, FTPS (one way SSL over internet), DNS SWITCHING, NEW DEDS, NEW DEDS DR, Data Mirroring, XFB, CPS Gateway.]
FTP is replaced by FTPS.
How will FTPS work?
• DEDS hardware will be migrated to a new scalable architecture. This hardware will be accessed by CPSOs' systems using standard Internet URL calls instead of an IP address.
• CPSOs will transfer files to DEDS via one way SSL over the internet.
• FTPS replaces normal FTP by using one way SSL and basic authentication.
• DEDS will be exposed to the internet, with IP filtering applied on the BT firewall to accept calls only from registered IPs.
Rationale for using FTPS:
• FTPS is a widely used standard alongside SFTP. Each has its own advantages and disadvantages.
• A few specific reasons for choosing FTPS:
  • Chrooting: required to ensure each CP has an isolated working area on the DEDS server for data security.
  • Time bound login: like CPS, there are other BTW services which are not available 24 * 7. It is necessary to restrict CP access to DEDS outside of agreed service hours.
  • Logging: to generate MIS of CPs' upload/download activities.
  • Command execution: to ensure a CP can execute only the commands necessary for transferring files, and to restrict commands potentially harmful to the health of DEDS.
• X509 certificates will be used by BT on the DEDS server as the server certificate. CPSOs will be provided with the necessary CA (certifying authority) certificates to authenticate BT's server certificate.
• For receiving files from DEDS, if Option 1 (PUSH approach, details on later slides) is preferred, CPSOs will have to host a server certificate so that DEDS can authenticate CPSO servers using one way SSL.
What will CPSOs have to do?
• Transferring files to DEDS
  • CPSOs have to build the capability at their end to transfer files to DEDS via one way SSL over the internet.
  • CPSOs can use any FTPS client of their choice. There are many commercially available or freeware clients.
  • DEDS authenticates CPSOs by username and password.
  • The FTPS connection will be established to transfer the files to DEDS.
What will CPSOs have to do?
• Receiving files from DEDS. There are two options:
  • PUSH approach: CPSOs have to make an infrastructure change at their end to host an SSL certificate so that BT (DEDS) can push files to CPSOs using FTPS over the internet.
  • PULL approach: CPSOs have to make a functional change at their end and have to pull the files from DEDS.
What will CPSOs have to do?
• Receiving files from DEDS
• Potential benefits/changes for Option 2 (PULL approach):
  • CPSOs may already have the functional capability to PULL files from DEDS for some other products/services, such as downloading CDRs.
  • CPSOs won't have to deploy the infrastructure needed to host an SSL server for inbound one way SSL connections from DEDS, doing away with one-time implementation and ongoing maintenance costs.
  • CPSOs can connect to DEDS for receiving files in the same manner as for sending files to DEDS.
  • CPSOs can customize PULL frequency as per their order volumes. It is advised to keep a minimum PULL frequency of 5 mins (for high volume CPSOs) and a maximum of one PULL attempt per day (for very low volume CPSOs).
  • CPSOs continue to send the handshake response. However, considering CPSOs can PULL files from DEDS as per their requirement, the existing SLA period of 100 mins for handshake will be reviewed to accommodate this change.
  • Appropriate Ofcom reports will be modified to accommodate revised SLAs.
  • If there is a requirement, an archival policy can be implemented to allow CPSOs to access already pulled files for an agreed period of time.
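The one way SSL client setup and the PULL approach described above, sketched with Python's standard ftplib. This is an added example, not BT's or any vendor's code; the host name is a placeholder, and explicit FTPS on port 21 and the TLS 1.2 floor are assumptions the slides do not state.

```python
import ssl
from ftplib import FTP_TLS
from pathlib import Path

# Placeholder: the page does not state the DEDS host name.
DEDS_HOST = "deds.example.invalid"


def build_tls_context(ca_file=None):
    """One-way SSL: the client verifies the server; no client certificate is loaded."""
    # With ca_file set, only that CA bundle is trusted (system CAs are not loaded).
    # create_default_context() enables CERT_REQUIRED and host name checking.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption, not from the page
    return ctx


def files_to_pull(remote_names, already_pulled):
    """Return remote file names not fetched yet, in sorted order."""
    seen = set(already_pulled)
    return [n for n in sorted(remote_names) if n not in seen]


def pull_new_files(user, password, dest_dir, already_pulled,
                   ca_file=None, host=DEDS_HOST):
    """Log in over explicit FTPS (assumed) and download files not seen before."""
    fetched = []
    with FTP_TLS(context=build_tls_context(ca_file), timeout=30) as ftps:
        ftps.connect(host, 21)
        ftps.auth()                  # TLS on the control channel before credentials
        ftps.login(user, password)   # username/password authentication
        ftps.prot_p()                # encrypt the data channel as well
        for name in files_to_pull(ftps.nlst(), already_pulled):
            local = Path(dest_dir) / Path(name).name  # ignore remote path parts
            with open(local, "wb") as out:
                ftps.retrbinary(f"RETR {name}", out.write)
            fetched.append(name)
    return fetched
```

Sending files to DEDS uses the same session setup, with storbinary in place of retrbinary. Because the server is reached by name rather than IP address, the host name check in the TLS context is what ties the certificate to the server being contacted.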
Benefits of Migration
• Enabling FTPS over one way SSL through internet access to DEDS for improved security.
• Removes the VPN set-up prerequisite for CPSOs using VPN.
• For CPSOs using ISDN, no need to maintain the infrastructure for ISDN connectivity, and a saving on dialling costs.
• Increase in bandwidth.
• There will be a new DR (Disaster Recovery) site which will ensure continued availability in case of any issues at the primary site.
• Beneficial to CPSOs using DEDS to download CDRs.
How will migration be managed?
• Migration will be managed in three phases.
• Phase I: The new DEDS server will be available in live, ready for CPS Operators to migrate.
• Once Phase I is complete, the CPS Operators may start migration to new DEDS via one way SSL over the internet (FTPS).
• Phase II: CPS Gateway will be migrated to new DEDS by the end of Phase II. Between Phase I and Phase II, BTW will internally manage synchronisation of the existing DEDS and new DEDS systems.
• Phase III: The old DEDS server will be decommissioned, as all CPS Operators would have migrated to FTPS connectivity with DEDS.
CPS Gateway - DEDS - CPSO Proposed Architecture Phase - I
[Diagram, Phase I. Components: CPSO1, FTP, OLD DEDS, XFB, CPS Gateway, Data Synchronization, NEW DEDS, CPSOn, FTPS (one way SSL over internet).]
CPS Gateway - DEDS - CPSO Proposed Architecture Phase - II
[Diagram, Phase II. Components: CPSO1, FTP, OLD DEDS, Data Synchronization, NEW DEDS, XFB, CPS Gateway, CPSOn, FTPS (one way SSL over internet).]
CPS Gateway - DEDS - CPSO Proposed Architecture Phase - III
[Diagram, Phase III. Components: CPSO 1 … CPSO n, FTPS (one way SSL over internet), DNS SWITCHING, DEDS, DEDS DR, Data Mirroring, XFB, CPS Gateway.]
How can CPSOs go about it?
• Approach your BT Product Manager / BT Account Manager contact to schedule migration to NEW DEDS.
• Complete FTPS client installation and configuration.
• FTPS clients are available either commercially or as freeware.
• Test connectivity to the BT system with the on-ramp server. (The support team will make this available.)
• Test connectivity to NEW DEDS (Live).
• Start using new DEDS!
Time scales
• Phase I: This is expected to be ready by end-May'10.
• Phase II: This is planned to start in Jun'10, depending on the completion of Phase I in time.
• Phase III: The plan is to start decommissioning OLD DEDS by the end of Phase II, but this is subject to the CP transition plans to be discussed between CPSOs and BT Account Managers / Product Line leads.
FTPS Client Samples
• CoreFTP Lite (Windows) URL: http://www.coreftp.com
• SmartFTP (Windows) URL: http://www.smartftp.com
• IglooFTP Pro (Windows, Linux) URL: http://www.iglooftp.com
• FlashFXP (Windows) URL: http://www.flashfxp.com
• SDI FTP (Windows) URL: http://www.sdisw.com
• LFTP (Unix, MacOS X) URL: http://lftp.yar.ru/
• RBrowser (MacOS X) URL: http://www.rbrowser.com
• FTPTLS (OpenBSD, possibly other Unix as well) URL: http://www-user.tu-chemnitz.de/~grmo/ftptls/ Port: http://www-user.tu-chemnitz.de/~grmo/ftptls/port/ftptls-port.tar.gz
• Glub Tech Secure FTP Client (at least Unix, MacOS X and Windows) URL: http://secureftp.glub.com/
• NOTE: BT does not recommend any specific product. The list above is for reference only. CPs are requested to take their own informed decision.