GP.Data Transport: Difference between revisions

From OIAr
(New GP)
 
(brought access aggregation back in the pattern)
 
Line 15: Line 15:
{{Pattern Graphic
{{Pattern Graphic
|graphic=GP.Data Transport.png
|graphic=GP.Data Transport.png
|source=GP.
|size=600px
|size=600px
|title=Data Transport pattern
|title=Data Transport pattern
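Review bot: the added `|source=GP.` parameter looks incomplete; the value stops after the `GP.` prefix, so whatever the Pattern Graphic template does with `source` (attribution, link, or caption) it will only ever see that prefix. If `source` is meant to carry the originating pattern identifier, complete the value before saving; if it is meant to be empty, drop the parameter rather than leaving a dangling prefix.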
Line 22: Line 23:
{{Generic Pattern Composition Row
{{Generic Pattern Composition Row
|function=GF.Access Conditioning
|function=GF.Access Conditioning
|choice=May
|choice=Must
|reason=This function indicates special or additional processing that needs to occur when an infrastructure facility is going to use this Data Transport service.
|reason=This function indicates special or additional processing that needs to occur when an infrastructure facility is going to use this Data Transport service.
}}
{{Generic Pattern Composition Row
|function=GF.Access Aggregation
|choice=Must
|reason=This function handles the concentration of network access.
}}
}}
{{Generic Pattern Composition Row
{{Generic Pattern Composition Row
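Review bot: `|choice=` for GF.Access Conditioning is raised from May to Must, but its `|reason=` line is left unchanged and still describes conditional behaviour ("special or additional processing that needs to occur when ..."), which does not justify a mandatory inclusion. The new GF.Access Aggregation row, also marked Must, has the same gap: "This function handles the concentration of network access." is one clause with no argument for why the pattern cannot exist without it, and the edit summary only says it was "brought back". Suggest expanding both rationales to state why the function is always present (or keeping May where the inclusion really is conditional), so the Must is traceable from the row itself.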
Line 33: Line 39:
|function=GF.Address Lookup
|function=GF.Address Lookup
|choice=May
|choice=May
|reason=Usually an address scheme is chosen for a logical network (or combination thereof), but a different scheme of names is used by the clients (or the network internally). This facility takes care of the translation from name to address (and optionally from address to name). It is not needed in the rare case that no name schemes are in use.  
|reason=Usually an address scheme is chosen for a logical network (or combination thereof), but a different scheme of names is used by the clients (or the network internally). This facility takes care of the translation from name to address (and optionally from address to name). It is not needed in the rare case that no name schemes are in use.
}}
}}
{{Generic Pattern Composition Row
{{Generic Pattern Composition Row
|function=GF.Interconnection
|function=GF.Interconnection
|choice=May
|choice=May
|reason=When designing larger networks, then there may be a need to link multiple network segments over relatively large distances. Interconnection is the Generic Function that can provide this functionality, and it handles the challenges that are associated with networking over these longer distances. Note that this GF also allows for (unencrypted) tunneling between Data Transport Zones.  
|reason=When designing larger networks, then there may be a need to link multiple network segments over relatively large distances. Interconnection is the Generic Function that can provide this functionality, and it handles the challenges that are associated with networking over these longer distances. Note that this GF also allows for (unencrypted) tunneling between Data Transport Zones.
}}
}}
{{Generic Pattern Composition Row
{{Generic Pattern Composition Row
Line 56: Line 62:
Also, the combination of Encryption and Interconnection can represent remote-connection facilities like a VPN service/dial-in service. Note however that most often it is required to route the traffic entering and leaving this remote-connection facility through the Data Zone Protection pattern. This is because users and systems connecting to the Data Transport Zone often reside in a different Data Transport Zone, security-wise.
Also, the combination of Encryption and Interconnection can represent remote-connection facilities like a VPN service/dial-in service. Note however that most often it is required to route the traffic entering and leaving this remote-connection facility through the Data Zone Protection pattern. This is because users and systems connecting to the Data Transport Zone often reside in a different Data Transport Zone, security-wise.


Note that when modeling a remote-connection facility, the Data Transport pattern represents a logical data transport zone that encompasses the remote users and the interlinks to the organization's remote connection facility; this zone is separate from the logical data transport zone that the users are connecting to.  
Note that when modeling a remote-connection facility, the Data Transport pattern represents a logical data transport zone that encompasses the remote users and the interlinks to the organization's remote connection facility; this zone is separate from the logical data transport zone that the users are connecting to.
}}
}}
{{Generic Pattern Composition Row
{{Generic Pattern Composition Row
|function=GF.Reduction
|function=GF.Reduction
|choice=May
|choice=May
|reason=Just as with Encryption, it may be necessary to add extra functionality to any Interconnection. Reduction in this case can be added to make better use of the available capacity on the Interconnection.  
|reason=Just as with Encryption, it may be necessary to add extra functionality to any Interconnection. Reduction in this case can be added to make better use of the available capacity on the Interconnection.
}}
}}
{{Table Ending}}
{{Table Ending}}
Line 68: Line 74:
|service=GS.Authentication+Authorization
|service=GS.Authentication+Authorization
|choice=May
|choice=May
|reason=If a network section needs security, this facility can be included. In essence it provides (a generic form of) access control, by performing one or more checks on the connecting infrastructure facility that tries to gain access to, or use, the network. Access controls are a form of authorization data, which are stored in an (included) Permission Register.  
|reason=If a network section needs security, this facility can be included. In essence it provides (a generic form of) access control, by performing one or more checks on the connecting infrastructure facility that tries to gain access to, or use, the network. Access controls are a form of authorization data, which are stored in an (included) Permission Register.
}}
}}
{{Generic Pattern Adjacent Service Row
{{Generic Pattern Adjacent Service Row
|service=GS.Data Zone Protection
|service=GS.Data Zone Protection
|choice=May
|choice=May
|reason=Usually two logical network segments are described by different Data Transport pattern variants because the security contexts (and thus requirements) for the segments differ. If this is the case, then a connection between these segments needs to make use of this pattern Data Zone Protection, in order to ensure the right security levels in both segments. However if the network segments have the same security requirements (and differ only in characteristics and/or quality levels), then they can be linked without use of this adjacent pattern.  
|reason=Usually two logical network segments are described by different Data Transport pattern variants because the security contexts (and thus requirements) for the segments differ. If this is the case, then a connection between these segments needs to make use of this pattern Data Zone Protection, in order to ensure the right security levels in both segments. However if the network segments have the same security requirements (and differ only in characteristics and/or quality levels), then they can be linked without use of this adjacent pattern.
}}
}}
{{Generic Pattern Adjacent Service Row
{{Generic Pattern Adjacent Service Row

Latest revision as of 20:34, 15 January 2015


This is a Generic Pattern document: GP Data Transport, Version 0.4.
Document type: Generic Pattern
Owner: J.A.H. Schoonderbeek



Description

This Generic Pattern belongs to "Core". This Pattern provides the means to transport digital data between automated systems, within a single "Data Transport Zone", as well as to and from adjacent Data Transport Zones.

Note that data transport across multiple Data Transport Zones with differing owners and/or security requirements must usually pass one or more Data Zone Protection services, in order to satisfy the respective security requirements of each zone.

Services realized

This Pattern realizes the following service(s):

  • Data Transport (This service transports data between automated systems.)

Functional and Integration view

This is the graphic representation of the functional model of this Generic Pattern:

Data Transport pattern


Generic Pattern Composition

This pattern is an aggregation of the following (mandatory and optional) functions, expressed in Generic Functions:

Function (Generic Function), inclusion: rationale

  • Access Conditioning (GF.Access Conditioning), recommended: This function indicates special or additional processing that needs to occur when an infrastructure facility is going to use this Data Transport service.
  • Access Aggregation (GF.Access Aggregation), recommended: This function handles the concentration of network access.
  • Distribution (GF.Distribution), recommended: This function lies at the heart of the data transport service.
  • Name Resolution (GF.Address Lookup), optional: Usually an address scheme is chosen for a logical network (or combination thereof), while the clients (or the network internally) use a different scheme of names. This function translates names to addresses (and optionally addresses to names). It is not needed in the rare case that no name scheme is in use.
  • Interconnection (GF.Interconnection), optional: In larger networks there may be a need to link multiple network segments over relatively large distances. Interconnection is the Generic Function that provides this, and it handles the challenges associated with networking over longer distances. Note that this GF also allows for (unencrypted) tunneling between Data Transport Zones.
  • Controlling (GF.Controlling), recommended: The purpose of this function within the Pattern is to draw attention to the security aspects of any means to read and/or alter the configuration of the Data Transport facility: reading the configuration can reveal security-sensitive details, and altering it can allow unauthorized modification of access to the Data Transport facility.
  • Connection Handling (GF.Connection Handling), optional: This function supports users or systems connecting to this Data Transport Zone over a path other than a direct connection from this or an adjacent Data Transport Zone. The most common example is a VPN connection. Note that the VPN solution itself is likely to form a Data Transport Zone separate from the Data Transport Zone it provides access to.
  • Encryption (GF.Encryption), optional: It may be necessary to connect Data Transport Zones over untrusted intermediary networks (essentially all networks not under the organization's control). In that case the tunnel between the Zones must be encrypted using this GF.

    Also, the combination of Encryption and Interconnection can represent remote-connection facilities such as a VPN service or dial-in service. Note however that it is most often required to route the traffic entering and leaving this remote-connection facility through the Data Zone Protection pattern, because the users and systems connecting to the Data Transport Zone usually reside, security-wise, in a different Data Transport Zone.

    When modeling a remote-connection facility, the Data Transport pattern represents a logical data transport zone that encompasses the remote users and the interlinks to the organization's remote-connection facility; this zone is separate from the logical data transport zone that the users are connecting to.

  • Reduction (GF.Reduction), optional: As with Encryption, it may be necessary to add extra functionality to an Interconnection. Reduction can be added to make better use of the available capacity on the Interconnection.

Services connected with this Generic Pattern

This Generic Pattern has the following mandatory and optional relations with adjacent Generic Services.

Service, adjacency: summary; rationale

  • Authentication & Authorization, optional: This service can validate an identity claim, and it can validate the permissions required for an action, as part of an Authentication & Authorization process. Rationale: if a network section needs security, this service can be included. In essence it provides (a generic form of) access control, by performing one or more checks on the infrastructure facility that tries to gain access to, or use, the network. The access controls themselves are authorization data, stored in an (included) Permission Register.
  • Data Zone Protection, optional: This service satisfies the relevant security requirements while passing data between different Data Transport services. Rationale: two logical network segments are usually described by different Data Transport pattern variants because their security contexts (and thus requirements) differ. If that is the case, a connection between the segments must make use of the Data Zone Protection pattern, so that the right security level is maintained in both segments. If, however, the segments have the same security requirements (and differ only in characteristics and/or quality levels), they can be linked without this adjacent pattern.
  • Data Transport, optional: This service transports data between automated systems. Rationale: different Data Transport facilities can be linked; the facilities would differ in e.g. organizational ownership, security level or physical location.
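The two rules above that decide how zones may be linked (the Encryption rationale in the composition list: a tunnel over an untrusted intermediary network must be encrypted; and the Data Zone Protection adjacency: segments with differing owners or security requirements must be joined through Data Zone Protection, while same-requirement segments may be linked directly) are simple enough to check mechanically against an architecture model. The following is an added example, not code from OIAr or from this pattern; the zone and link model, the ordinal security_level, the rule names and the sample topology are all assumptions constructed for illustration, including the remote-users zone modelled as a separate zone as the Connection Handling note recommends.

```python
"""Policy check for a Data Transport Zone model (added example, not OIAr's own).

Encodes two rules from the Data Transport pattern:
  1. a link between zones that differ in owner or security requirements must
     pass a Data Zone Protection service;
  2. a link that crosses an untrusted intermediary network must be encrypted.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Zone:
    name: str
    owner: str            # organisational owner of the zone
    security_level: int   # assumption: ordinal label, higher = stricter requirements


@dataclass(frozen=True)
class Link:
    src: str
    dst: str
    via_untrusted: bool = False    # crosses a network not under the organisation's control
    encrypted: bool = False        # GF.Encryption applied to the tunnel
    zone_protection: bool = False  # traffic passes a Data Zone Protection service


RULE_DZP = "data-zone-protection-required"
RULE_ENC = "encryption-required"


def check_model(zones: Iterable[Zone], links: Iterable[Link]) -> list[tuple[str, str]]:
    """Return (link, rule) findings for every link that violates a rule."""
    by_name = {z.name: z for z in zones}
    findings: list[tuple[str, str]] = []
    for link in links:
        try:
            a, b = by_name[link.src], by_name[link.dst]
        except KeyError as exc:
            raise ValueError(f"link references unknown zone {exc.args[0]!r}") from None
        pair = f"{link.src}<->{link.dst}"
        # Rule 1: differing owner or security level means differing security context,
        # so the link must go through Data Zone Protection. Same context may link directly.
        differing_context = a.owner != b.owner or a.security_level != b.security_level
        if differing_context and not link.zone_protection:
            findings.append((pair, RULE_DZP))
        # Rule 2: an (otherwise allowed) unencrypted tunnel is only acceptable when the
        # intermediary network is under the organisation's control.
        if link.via_untrusted and not link.encrypted:
            findings.append((pair, RULE_ENC))
    return findings


# Constructed sample topology (hypothetical names; not from the page).
SAMPLE_ZONES = [
    Zone("office-lan", "acme", 2),
    Zone("campus-b-lan", "acme", 2),
    Zone("datacenter", "acme", 3),
    Zone("remote-users", "acme", 1),      # the VPN side, modelled as its own zone
    Zone("partner-net", "partnerco", 2),  # different owner, same nominal level
]

SAMPLE_LINKS = [
    # same owner and level over the organisation's own line: plain interconnection is fine
    Link("office-lan", "campus-b-lan"),
    # differing level, but routed through Data Zone Protection: fine
    Link("office-lan", "datacenter", zone_protection=True),
    # VPN tunnel is encrypted, but remote users enter the LAN without Data Zone Protection
    Link("remote-users", "office-lan", via_untrusted=True, encrypted=True),
    # partner link is protected at the zone boundary, but runs in the clear over the internet
    Link("office-lan", "partner-net", via_untrusted=True, zone_protection=True),
]


if __name__ == "__main__":
    for pair, rule in check_model(SAMPLE_ZONES, SAMPLE_LINKS):
        print(f"{pair}: {rule}")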

Applied Patterns based on this Generic Pattern

The following Applied Patterns are based wholly or in part on this Generic Pattern: