
The Architecture of IRCan’s HRE

Presentation Transcript


  1. The Architecture of IRCan’s HRE

  2. What is IRCan? • A Government initiative started by the Treasury Board Secretariat of Canada and Public Works and Government Services Canada. • Has the mandate to provide mechanisms to create and archive reusable digital assets (Intellectual Resources) that interest The Crown.

  3. Problem • Provide a flexible, upgradable, dependable infrastructure that Government departments can use to host applications and projects involving FLOSS applications and tools. • Provide the capability to implement each project’s security policy, within the greater responsibilities of The Crown. • Provide a solution that doesn’t “get in the way” of receiving a certification from the SSC authority.

  4. Packages: Ubuntu, KVM, Ganeti, OTRS, DRBD, MediaWiki, Unbound & NSD, Openswan, OpenVPN, BackupPC, Nagios, Munin, Apache, Postfix, Pylons

  5. The Guts

  6. Networking (diagram): Internet → bridge firewalls → Public Network; behind it the Admin Server and Node1, Node2, Node3 ... Node<n>, each also attached to the Private VLANs and the Disk Network.

  7. VLANs & Clouds (diagram; grouping as laid out on the slide). Infrastructure: OpenVPN/Openswan VM, Ganeti Controller VM, NMS VM, BackupPC VM, MediaWiki VM. Customer Services: Backup Services VM, Email Forwarder VM, DNS Server VM, VM Mgmt Website VM, Monitoring VM. DMZ Services on Public Network: External DNS Server VM, Customer Self-serve Website. Customer Private Clouds: OpenVPN VM, Customer’s VM<n> ...

  8. Node Connections (diagram): on every node, Node1 through Node<n>, eth0 is attached to the Disk Network, eth2 to the Private VLANs, and eth1 to the Public Network, which faces the Internet.

  9. An Example

  10. Potential Protected Customer Cloud Implementation (diagram): Internet → IRCan FW → Public Network → VPN endpoint → Private FW1 → Customer A minicloud (Web Server) → Private FW2 → Database Server.

  11. The Parts

  12. IRCan Firewall • Bridge-based • Rules constrain MAC addresses, ports and protocols. MACs are verified against client DB. • Web-controlled by client • Choice of pre-defined security policies. Each comes with standard docs that client can submit with their certification request.
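As an added illustration of the bridge firewall described on this slide (example code, not IRCan's own), the following Python turns a client record into a per-VM rule set: the MAC the client claims is checked against a client DB, a pre-defined policy selects the inbound ports, and everything else is dropped. It assumes the hypervisor attaches each VM to a Linux bridge through a tap interface named vnet<N>, that br_netfilter is loaded so bridged frames pass through the iptables FORWARD chain, and that the in-memory CLIENT_DB and POLICIES tables stand in for the real client database and policy documents; all names and values are constructed for the example.

```python
"""Generate bridge-firewall rules for one hosted VM from a client record.

Illustrative example, not IRCan's code. Assumes per-VM tap interfaces on a
Linux bridge and br_netfilter enabled (net.bridge.bridge-nf-call-iptables=1)
so the physdev match sees bridged traffic.
"""
import re

# Constructed sample client DB: VM interface -> registered MAC and policy.
CLIENT_DB = {
    "vnet12": {"client": "customer-a", "mac": "52:54:00:ab:cd:12", "policy": "web"},
    "vnet13": {"client": "customer-a", "mac": "52:54:00:ab:cd:13", "policy": "db-internal"},
}

# Hypothetical pre-defined policies: (protocol, port) pairs the VM may accept.
POLICIES = {
    "web": [("tcp", 80), ("tcp", 443)],
    "db-internal": [("tcp", 5432)],
    "closed": [],
}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac):
    """Lower-case, colon-separated form; reject anything that is not a MAC."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC: {mac!r}")
    return mac


def build_rules(vif, claimed_mac):
    """Return the iptables commands for one VM interface.

    Raises KeyError for an unknown interface and PermissionError when the
    MAC the client asks for is not the one registered in the client DB.
    """
    rec = CLIENT_DB.get(vif)
    if rec is None:
        raise KeyError(f"unknown interface {vif}")
    mac = normalize_mac(claimed_mac)
    if mac != normalize_mac(rec["mac"]):
        raise PermissionError(f"MAC {mac} not registered for {vif}")

    chain = f"VM_{vif.upper()}"
    rules = [
        f"iptables -N {chain}",
        # Traffic entering or leaving this VIF is evaluated in its own chain.
        f"iptables -A FORWARD -m physdev --physdev-in {vif} -j {chain}",
        f"iptables -A FORWARD -m physdev --physdev-out {vif} -j {chain}",
        # Anti-spoofing: frames from the VM must carry its registered MAC.
        f"iptables -A {chain} -m physdev --physdev-in {vif} -m mac ! --mac-source {mac} -j DROP",
        # Replies to connections the VM itself opened.
        f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # The VM may originate outbound connections.
        f"iptables -A {chain} -m physdev --physdev-in {vif} -j ACCEPT",
    ]
    # Inbound: only the ports the chosen policy allows.
    for proto, port in POLICIES[rec["policy"]]:
        rules.append(
            f"iptables -A {chain} -m physdev --physdev-out {vif} -p {proto} --dport {port} -j ACCEPT"
        )
    rules.append(f"iptables -A {chain} -j DROP")  # default deny
    return rules


if __name__ == "__main__":
    print("\n".join(build_rules("vnet12", "52:54:00:AB:CD:12")))
```

The per-VIF chain keeps one customer's policy change from touching another's rules, and the MAC check is done against the DB rather than trusting the request, which is the property the slide calls out.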

  13. VM disk infrastructure • DRBD offers live replication between pairs of nodes. • Block devices are paired for high availability. • The VM images must be pre-sized. • Elastic storage may be provided in the future.

  14. DRBD (diagram): on each of two nodes, Part1 and Part2 are mounted from a DRBD block device; the two DRBD block devices are kept in live replication over the Disk Network.

  15. VM provisioning • Customers may choose to use one of our hardened distros, which come with standard docs that they can submit with their certification request.

  16. Customer Setup • Still being worked on. • The customer is given a token that they use to register themselves on our self-serve website. • A mini-cloud is automatically created with a VPN endpoint dedicated to the client. • The VPN certificate is wrapped with whatever key material the customer gave us: SSH, PGP or SSL.
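The registration token in the first step is the one secret that bootstraps a customer's mini-cloud, so it should be single-use, time-limited and never stored in the clear. The following Python is an added example of that handling and is not IRCan's code; it assumes the token is handed to the customer out of band, that the 72-hour lifetime (TOKEN_TTL) is a hypothetical value, and that the in-memory store stands in for the self-serve website's database.

```python
"""Single-use, expiring registration tokens for customer self-registration.

Added example, not IRCan's code. Only a SHA-256 digest of each token is kept,
so a copied token table cannot be replayed against the self-serve website.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 72 * 3600  # hypothetical lifetime: 72 hours


class RegistrationTokens:
    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested
        self._issued = {}  # sha256(token) -> {"client", "expires", "used"}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, client_id):
        """Create a token for client_id; the caller delivers it out of band."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._issued[self._digest(token)] = {
            "client": client_id,
            "expires": self._now() + TOKEN_TTL,
            "used": False,
        }
        return token

    def redeem(self, token):
        """Return the client id for a valid, unexpired, unused token, else None.

        The token is marked used before returning so a second presentation
        (replay, or a double-submitted form) cannot register again.
        """
        digest = self._digest(token)
        for stored, rec in self._issued.items():
            # Constant-time comparison over the digests, not the raw tokens.
            if not hmac.compare_digest(stored, digest):
                continue
            if rec["used"] or self._now() > rec["expires"]:
                return None
            rec["used"] = True
            return rec["client"]
        return None


if __name__ == "__main__":
    store = RegistrationTokens()
    tok = store.issue("customer-a")
    print("first redeem:", store.redeem(tok))
    print("second redeem:", store.redeem(tok))
```

Binding the token to a client id on the server side means the registering customer cannot choose which mini-cloud they end up in; the token itself carries no client information.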

  17. Customer Cloud Setup • Customers connect to their VPN endpoint and then to our internal self-serve website. • Customers can create new VMs and private networks, and can push firewall policies to our IRCan firewall.

  18. Customer Services • Customers may elect to be monitored and backed-up. They push data to our customer service servers. • Customers are not forced to run proprietary agents. • Outbound email forwarding provided, not inbound filtering. • DNS can be primary or secondary.

  19. Thank you • Patrick Naubert: patrickn@xelerance.com • IRCan project mgmt website: ircan.gc.ca
