The Architecture of IRCan’s HRE
Jan 13, 2016
What is IRCan?
A Government initiative started by the Treasury Board Secretariat of Canada and Public Works and Government Services Canada.
Has the mandate to provide mechanisms to create and archive reusable digital assets (Intellectual Resources) that interest The Crown.
Problem
Provide a flexible, upgradable, dependable infrastructure that Government departments can use to host applications and projects involving FLOSS applications and tools.
Provide the capability to implement each project’s security policy, within the greater responsibilities of The Crown.
Provide a solution that doesn’t “get in the way” of receiving a certification from the SSC authority.
Packages
OTRS
Ubuntu
KVM
Ganeti
DRBD
MediaWiki
Openswan
OpenVPN
Unbound & NSD
BackupPC
Nagios
Munin
Apache
Postfix
Pylons
The Guts
Networking
[Diagram: the Internet enters through Bridge FWs (two shown); behind them sit Node1, Node2, Node3 ... Node<n> and an Admin Server, joined by a Public Network, Private VLANs and a Disk Network.]
VLANs & Clouds
[Diagram: four zones, Infrastructure, Customer Services, DMZ Services on Public Network and Customer Private Clouds. VMs shown: Ganeti Controller, NMS, BackupPC, MediaWiki, OpenVPN/Openswan, Mgmt Website, DNS Server, Email Forwarder, Backup Services, Monitoring, Customer Self-serve Website, External DNS Server, Customer’s VM<n>, OpenVPN, ...]
Node Connections
[Diagram: Node1 ... Node<n>, each with three interfaces (eth0, eth1, eth2), one on each of the Disk Network, the Public Network and the Private VLANs; the Internet is also shown.]
An Example
Potential Protected B Customer Cloud Implementation
[Diagram: Internet, Public Network, IRCan FW in front, then two private firewalls (Private FW1, Private FW2), a VPN endpoint, a Web Server and a Database Server, together forming Customer A’s minicloud.]
The Parts
IRCan Firewall
Bridge-based
Rules constrain MAC addresses, ports and protocols. MACs are verified against client DB.
Web-controlled by client
Choice of pre-defined security policies. Each comes with standard docs that client can submit with their certification request.
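As an added illustration of the firewall model on this slide (not IRCan’s own code), a small policy compiler: a pushed request is accepted only if the MAC is registered to that customer in the client DB and the policy is one of the pre-defined ones, and only then are bridge rules emitted; the customer names, MACs, policy contents and the ebtables rule layout are assumptions.

```python
"""Added example (not IRCan's code): compile a customer's pushed firewall policy.

Mirrors this slide's firewall model: rules constrain MACs, ports and protocols,
and each MAC is verified against the client DB before any rule is emitted.
Client DB, policies, MACs and the ebtables rule layout are constructed.
"""
import re

# Constructed client DB: customer -> MACs of the VMs registered to that customer.
CLIENT_DB = {
    "customer-a": {"52:54:00:aa:00:01", "52:54:00:aa:00:02"},
    "customer-b": {"52:54:00:bb:00:01"},
}
# Constructed pre-defined policies: (IP protocol, destination port) allowed in.
POLICIES = {
    "web-only": [("tcp", 80), ("tcp", 443)],
    "vpn-endpoint": [("udp", 500), ("udp", 4500), ("udp", 1194)],
}
# Strict MAC syntax: the value is interpolated into a command line, so its
# shape is checked before it is trusted (lowercase hex, colon separated).
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def check_request(customer, mac, policy):
    """Return None if the pushed policy is acceptable, else the rejection reason."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        return f"malformed MAC {mac!r}"
    if mac not in CLIENT_DB.get(customer, set()):
        return f"{mac} is not registered to {customer}"
    if policy not in POLICIES:
        return f"unknown policy {policy!r}"
    return None


def compile_rules(customer, mac, policy):
    """Return bridge (ebtables) FORWARD rules: accept only the policy's
    protocol/port pairs towards the VM's MAC, then drop all other traffic to it."""
    reason = check_request(customer, mac, policy)
    if reason is not None:
        raise ValueError(reason)
    mac = mac.lower()
    rules = [
        f"ebtables -A FORWARD -d {mac} -p IPv4 --ip-protocol {proto} "
        f"--ip-destination-port {port} -j ACCEPT"
        for proto, port in POLICIES[policy]
    ]
    rules.append(f"ebtables -A FORWARD -d {mac} -j DROP")
    return rules
```

The final DROP makes each VM default-deny for anything its chosen policy does not list, which is the behaviour a client would document in a certification request.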
VM disk infrastructure
DRBD offers live replication between pairs of nodes.
Block Devices are paired for high availability.
The VM images must be pre-sized.
Elastic storage may be provided in the future.
[Diagram: DRBD. Two nodes, Part1 and Part2, joined by the Disk Network; each has a DRBD mount on top of a DRBD Block Device, with live replication between the two block devices.]
VM provisioning
Customers may choose to use one of our hardened distros, which comes with standard docs that they can submit with their certification request.
Customer Setup
Still being worked on.
Customer given a token that they use to register themselves on our self-serve website.
Mini-cloud automatically created with a VPN endpoint dedicated to the client.
VPN certificate wrapped with whatever crypto the customer gave us: SSH, PGP, SSL
Customers’ Cloud Setup
Customers connect to their VPN endpoint and connect to our internal self-serve website.
Customers can create new VMs and Private Networks, and can push firewall policies to our IRCan firewall.
Customer Services
Customers may elect to be monitored and backed up. They push data to our customer service servers.
Customers are not forced to run proprietary agents.
Outbound email forwarding provided, not inbound filtering.
DNS can be primary or secondary.