Deployment Planning
Effective planning is essential to implementing Multi-Domain Security Management. This chapter examines different aspects of deployment preparation. Included are several issues that you should take into consideration when planning a new Multi-Domain Security Management deployment.
Multi-Domain Security Management Components Installed at the NOC
The following components are deployed at the Network Operation Center:
- SmartDomain Manager
- Multi-Domain Server and the Multi-Domain Log Server
- Domain
- Domain Log Server
Using Multiple Multi-Domain Servers
For better performance in large deployments with many Domains and Security Gateways, we recommend that you use more than one Multi-Domain Server. This lets you distribute the traffic load over more than one server. You can also use additional Multi-Domain Servers for high availability and redundancy.
You can also define a Multi-Domain Server as a dedicated Multi-Domain Log Server to isolate log traffic from business-critical traffic.
High Availability
When deploying many complex Domain networks, you can implement High Availability failover and recovery functionality:
- Multi-Domain Server High Availability makes sure that at least one backup server is available for continuous SmartDomain Manager access, even if one of the Multi-Domain Servers is not available.
- For Domain Management Server High Availability, you need at least two Multi-Domain Servers. You then create two or more Domain Management Servers. These Domain Management Servers are the Active and Standby Multi-Domain Servers for the Domain Security Gateways.
Multi-Domain Server Synchronization
If your deployment contains multiple Multi-Domain Servers, each Multi-Domain Server must be fully synchronized with all other Multi-Domain Servers. The Multi-Domain Security Management network and administrators databases are synchronized automatically whenever changes are made on one Multi-Domain Server. The Global Policy database is synchronized at user-defined intervals, at specified events, or both. You can also synchronize the databases manually.
Multi-Domain Server synchronization does not back up Domain Management Servers or their data. Domain policies are included in the Domain Management Server database and are not synchronized by the Multi-Domain Server. You must configure your system for Domain Management Server High Availability to give redundancy at the Domain Management Server level.
Clock Synchronization
Multi-Domain Server (including dedicated Multi-Domain Log Servers) system clocks must be synchronized to the nearest second. When adding another Multi-Domain Server to your deployment, synchronize its clock with the other Multi-Domain Server before installing the Multi-Domain Security Management package.
Use a synchronization utility to synchronize Multi-Domain Server clocks. We recommend that you automatically synchronize the clocks at least once a day to compensate for clock drift.
Protecting Multi-Domain Security Management Networks
The Multi-Domain Security Management network and Network Operation Center (NOC) must be protected by a Security Gateway. You can manage this Security Gateway using a Domain Management Server or a Security Management Server.
This Security Gateway must have a security policy that adequately protects the NOC and allows secure communication between Multi-Domain Security Management components and external Domain networks. This is essential to make sure that there is continual open communication between all components. Multi-Domain Servers communicate with each other and with Domain networks. The Security Gateway routing must be correctly configured.
The Security Gateway security policy must also allow communication between Domain Management Servers and Domain Security Gateways. External Domain administrators must be able to access Domain Management Servers.
Logging & Tracking
If you are deploying a very large system where many different services and activities are being tracked, consider deploying one or more dedicated Multi-Domain Log Servers.
Routing Issues in a Distributed Environment
If you have a distributed system, with Multi-Domain Servers located in remote locations, examine routing issues carefully. Routing must enable all Multi-Domain Server components to communicate with each other, and Domain Management Servers to communicate with Domain networks. See IP Allocation & Routing.
Platform & Performance Issues
Examine your Multi-Domain Security Management system hardware and platform requirements. Make sure that you have the needed platform patches installed. If you have a Multi-Domain Server with multiple interfaces, ensure that the total load for each Multi-Domain Server computer conforms to performance load recommendations. See Hardware Requirements and Recommendations.
Enabling OPSEC
Multi-Domain Security Management supports OPSEC APIs on the following levels:
- Security Gateway level — Security Gateways managed by Multi-Domain Security Management support all OPSEC APIs (such as CVP, UFP and SAM).
- Domain Management Server level — Domain Management Servers support all OPSEC Management APIs. This includes CPMI, ELA, LEA and SAM.
- Domain Log Server level — Log servers support all logging OPSEC APIs. This includes ELA and LEA.
IP Allocation & Routing
Multi-Domain Security Management uses a single public IP interface address to implement many private, "virtual" IP addresses. The Multi-Domain Server assigns virtual IP addresses to Domain Management Servers and Domain Log Servers. These addresses must be routable so that Security Gateways and SmartConsole clients can connect to the Domain Management Servers.
Each Multi-Domain Server has an interface with a routable IP address. The Domain Management Servers use virtual IP addresses. It is possible to use either public or private IPs.
When configuring routing tables, make sure that you define the following communication paths:
- Domain Security Gateways to the Domain Log Servers.
- All Domain Management Servers to Domain Log Servers.
- Active Domain Management Servers to and from standby Domain Management Servers.
- All Domain Management Servers to the Domain Security Gateways.
- The Domain Security Gateways to all Domain Management Servers.
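The five communication paths above can be expanded into a per-Domain checklist and compared with each node's route table. This is an added example, not Check Point code: the inventory, node names, addresses and route tables are constructed, and "has a route" is modeled as a simple prefix match.

```python
import ipaddress
from itertools import permutations

# Constructed sample inventory for one Domain (all names and addresses are made up).
DOMAIN = {
    "dms": {"dms-active": "10.1.1.10", "dms-standby": "10.2.1.10"},
    "dls": {"dls-1": "10.1.1.20"},
    "gw": {"gw-paris": "192.0.2.1"},
}
# Constructed route tables: destination prefixes each node has a route for.
ROUTES = {
    "dms-active": ["10.0.0.0/8", "192.0.2.0/24"],
    "dms-standby": ["10.2.0.0/16", "192.0.2.0/24"],  # no route to 10.1.0.0/16
    "dls-1": ["10.0.0.0/8"],
    "gw-paris": ["10.1.0.0/16", "10.2.0.0/16"],
}

def required_paths(domain):
    """Expand the five listed paths into (source, destination) node pairs."""
    dms, dls, gw = domain["dms"], domain["dls"], domain["gw"]
    paths = set()
    paths |= {(g, l) for g in gw for l in dls}   # gateways -> Domain Log Servers
    paths |= {(m, l) for m in dms for l in dls}  # all DMS -> Domain Log Servers
    paths |= set(permutations(dms, 2))           # active DMS <-> standby DMS
    paths |= {(m, g) for m in dms for g in gw}   # all DMS -> gateways
    paths |= {(g, m) for g in gw for m in dms}   # gateways -> all DMS
    return paths

def has_route(src, dst_ip, routes):
    """True if any prefix in the source node's table covers the destination."""
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in ipaddress.ip_network(p) for p in routes.get(src, []))

def missing_paths(domain, routes):
    """Return required paths whose source node has no covering route."""
    addr = {n: ip for group in domain.values() for n, ip in group.items()}
    return sorted((s, d) for s, d in required_paths(domain)
                  if not has_route(s, addr[d], routes))

if __name__ == "__main__":
    for src, dst in missing_paths(DOMAIN, ROUTES):
        print(f"no route: {src} -> {dst}")
```

A route is necessary but not sufficient: the Security Gateway policy protecting the NOC must also allow each of these paths.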
Virtual IP Limitations and Multiple Interfaces on a Multi-Domain Server
There is a limitation of 250 Virtual IP addresses per interface for Solaris-platform Multi-Domain Servers. Since each Domain Management Server and Domain Log Server receives its own Virtual IP address, there is a limit of 250 Domain Management Servers or Domain Log Servers per Solaris Multi-Domain Server.
If you have more than one interface per Multi-Domain Server, you must specify which one is the leading interface. This interface will be used by Multi-Domain Servers to communicate with each other and perform database synchronization. During Multi-Domain Server installation, you will be prompted to choose the leading interface by the mdsconfig configuration script.
Ensure that interfaces are routable. Domain Management Servers and Domain Management Server-HA must be able to communicate with their Domain Security Gateways, and Domain Log Servers to their Domain Security Gateways.