4.2.3. Architecture

4.2.3.1. Components

The deployment of the UNAC module only requires the installation of two components:

  • ON Core: Performs the centralized management of the solution, capture of discovery events, profiling of discovered assets, and implementation of business logic.

  • ON Analytics: Management and visualization of the collected information, dashboard generation, and report visualization.

The deployment of additional components depends on final project requirements.

4.2.3.1.1. ON Core

ON Core provides the centralized administration console. It is where the access policy engine resides, so it performs user authentication and the validation of the user's posture/profiling.

It is a mandatory component of the solution that includes critical components such as:

  • Policy Engine: It is the solution’s brain; all modules are implemented using this component.

  • CMDB: It is the memory of the solution, where all the configuration, the assets and their features are saved.

  • Administration portal: It is the control panel for the solution.

Note

ON Core is a critical component of the solution. Whether one or more nodes are implemented depends on the requirements of the deployment and on the final architecture design needed to provide high availability.

With this component offline, the ability to process authentication requests is lost, so the network devices must be configured to handle this situation (degraded mode).

4.2.3.1.2. ON Analytics

ON Analytics is based on the Elastic Stack (ELK). The node receives the logs of the different solution components, as well as the metadata of the traffic processed by ON Sensor, via Filebeat. It gives structure to the metadata and builds the data lakes used to display dashboards to the administrator.

It is a mandatory component of the solution that includes non-critical components such as:

  • Aggregator: enrichment of all the information generated by any component of OpenNAC Enterprise.

  • Search Engine: based on Elasticsearch, which allows you to easily search the information generated and collected by the OpenNAC Enterprise components.

  • Dashboards and reports: the solution includes a set of dashboards and reports based on the common technical information gathered. You can also create and generate your own custom dashboards.

Note

ON Analytics is a non-critical component of the solution and therefore does NOT require high availability. Whether one or more nodes are implemented depends on the requirements of the deployment and on the final architecture design. If this component goes offline, the main functionality of the OpenNAC Enterprise modules continues working, except that during the offline period the solution's information can no longer be processed and displayed.

In deployments where a large amount of data is generated, it may be necessary to deploy multiple Analytics nodes to balance the storage load. Analytics has two types of roles, typically within the same node: a role with aggregation functions (Aggregator) that receives information through Filebeat and processes logs with Logstash, and a role (Analytics) with data management functions performed by Elasticsearch and visualization through Kibana.

4.2.3.2. Standard Architecture

A reference architecture requires the components described above and depends on the network architecture available to the customer, as well as the number of users on the network.

Based on mandatory components and location in the network, the following points should be considered:

  • Network devices can support more than one RADIUS server in their configuration, so the architecture may consider deploying two or more ON Core nodes.

  • Use an ON Proxy that balances requests across multiple ON Core nodes, so that a single RADIUS server is configured in the network device settings.

The following diagram shows the standard architecture and the location of its components.

[Figure: ../../_images/UNAC-BasicArchitecture-1.png (standard architecture and component locations)]

Note

The high availability deployment depends on the customer's needs and network resources, so an additional component such as a RADIUS Proxy (provided by OpenNAC) or a load balancer can be added. With this approach all nodes work in active mode, and if one of them shuts down there is no interruption of the authentication service.

4.2.3.3. Standard Sizing

Based on the reference architecture, the standard sizing of the solution for the UNAC module supports up to 5.000 concurrent users. Keep in mind that when it comes to authentication the solution is sensitive to latency, so a maximum of 10 ms is recommended for the communication between the network electronics and the ON Core.
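
As an added illustration of the degraded-mode and latency points above (example code, not part of the OpenNAC documentation or product): a monitoring probe that sends a RADIUS Status-Server request to an ON Core, measures the round trip against the 10 ms budget, and reports the node as DOWN when no reply arrives, which is the situation the network devices' degraded mode must cover. It assumes ON Core answers Status-Server (RFC 5997) on UDP 1812 with a known shared secret; the host name and secret used are placeholders.

```python
import hashlib, hmac, os, socket, struct, time

STATUS_SERVER = 12        # RADIUS packet code for Status-Server (RFC 5997)
MSG_AUTH = 80             # Message-Authenticator attribute type (RFC 2869)
LATENCY_BUDGET_MS = 10.0  # recommended maximum NAS-to-ON Core latency

def build_status_server(secret: bytes, ident: int, authenticator: bytes = b"") -> bytes:
    """Status-Server request with a valid Message-Authenticator (HMAC-MD5 over the
    packet with the attribute's 16 value bytes zeroed, RFC 2869 section 5.14)."""
    authenticator = authenticator or os.urandom(16)   # 16 random bytes per RFC 5997
    header = struct.pack("!BBH", STATUS_SERVER, ident, 20 + 18) + authenticator
    digest = hmac.new(secret, header + bytes([MSG_AUTH, 18]) + bytes(16), hashlib.md5).digest()
    return header + bytes([MSG_AUTH, 18]) + digest

def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Recompute the Message-Authenticator of a RADIUS request; False if absent or wrong."""
    pos = 20                                   # attributes start after the 20-byte header
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False                       # malformed attribute length
        if atype == MSG_AUTH and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False

def classify(rtt_ms, budget_ms: float = LATENCY_BUDGET_MS) -> str:
    """DOWN: no reply, the NAS is relying on degraded mode; SLOW: over the latency budget."""
    if rtt_ms is None:
        return "DOWN"
    return "OK" if rtt_ms <= budget_ms else "SLOW"

def probe(host: str, secret: bytes, port: int = 1812, timeout: float = 2.0):
    """Send one Status-Server probe; return the round-trip time in ms, or None on timeout."""
    ident = os.urandom(1)[0]
    request = build_status_server(secret, ident)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(request, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    rtt = (time.perf_counter() - start) * 1000
    return rtt if reply[1] == ident else None  # reply must echo our identifier
```

Run it as classify(probe("oncore-1.example", b"placeholder-secret")) from a host on the network-device side, since the latency that matters is the one the network electronics see.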

4.2.3.3.1. Sizing

Concurrent user growth is achieved by adding more nodes in an N + 1 scheme through a RADIUS proxy or load balancer.

Component      Number   CPU       Memory   Disc/Type    Network Int.
ON Core        1        8 Cores   16 GB    160 GB/SSD   2 NIC
ON Analytics   1        8 Cores   16 GB    200 GB/SSD   2 NIC

Note

The 2 network interfaces are mainly for service and management (internal communication between the different nodes).