
The Architecture of IRCan’s HRE

Jan 13, 2016


The Architecture of IRCan’s HRE. What is IRCan?. A Government initiative started by the Treasury Board Secretariat of Canada and Public Works and Government Services Canada. - PowerPoint PPT Presentation
Transcript
Page 1: The Architecture of IRCan’s HRE

The Architecture of IRCan’s HRE

Page 2: The Architecture of IRCan’s HRE

What is IRCan?

A Government initiative started by the Treasury Board Secretariat of Canada and Public Works and Government Services Canada.

Has the mandate to provide mechanisms to create and archive reusable digital assets (Intellectual Resources) that interest The Crown.

Page 3: The Architecture of IRCan’s HRE

Problem

Provide a flexible, upgradable, dependable infrastructure that Government departments can use to host applications and projects involving FLOSS applications and tools.

Provide the capability to implement each project’s security policy, within the greater responsibilities of The Crown.

Provide a solution that doesn’t “get in the way” of receiving a certification from the SSC authority.

Page 4: The Architecture of IRCan’s HRE

Packages

OTRS
Ubuntu
KVM
Ganeti
DRBD
MediaWiki
Openswan
OpenVPN
Unbound & NSD
BackupPC
Nagios
Munin
Apache
Postfix
Pylons

Page 5: The Architecture of IRCan’s HRE

The Guts

Page 6: The Architecture of IRCan’s HRE

Networking

[Diagram: Internet reaches Node1, Node2, Node3, Node<n> and the AdminServer through two BridgeFW firewalls; networks shown are the Public Network, the Private VLANs and the Disk Network]

Page 7: The Architecture of IRCan’s HRE

VLANs & Clouds

[Diagram with four columns: Infrastructure; Customer Services; DMZ Services on Public Network; Customer Private Clouds. VMs shown, in reading order: Ganeti Controller VM, NMS VM, BackupPC VM, MediaWiki VM, OpenVPN/Openswan VM, Mgmt Website VM, DNS Server VM, Email Forwarder VM, Backup Services VM, Monitoring VM, Customer Self-serve Website, External DNS Server VM, Customer’s VM<n>, OpenVPN VM, ...]

Page 8: The Architecture of IRCan’s HRE

Node Connections

[Diagram: Node1 and Node<n> each have three interfaces (eth0, eth1, eth2), attached to the Disk Network, the Public Network and the Private VLANs; the Public Network connects to the Internet]

Page 9: The Architecture of IRCan’s HRE

An Example

Page 10: The Architecture of IRCan’s HRE

Potential Protected B Customer Cloud Implementation

[Diagram: Internet -> Public Network -> IRCan FW -> PrivateFW1 and PrivateFW2 -> VPN endpoint, Web Server, Database Server, inside “Customer A minicloud”]

Page 11: The Architecture of IRCan’s HRE

The Parts

Page 12: The Architecture of IRCan’s HRE

IRCan Firewall

Bridge-based

Rules constrain MAC addresses, ports and protocols. MACs are verified against client DB.

Web-controlled by client

Choice of pre-defined security policies. Each comes with standard docs that client can submit with their certification request.
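The slide describes the firewall as bridge-based, with rules constraining MAC addresses, ports and protocols, and with MACs verified against the client DB. The following is an added example (not IRCan’s code) of what that verification and rule generation could look like: a client-submitted request (MAC plus pre-defined policy name) is checked against a constructed client DB, malformed or unregistered MACs are rejected, and an nftables bridge-family ruleset with a default-drop forward chain is rendered. The client DB, the policy names (“web”, “vpn”, “ping”) and the choice of nftables as the rule backend are assumptions made for the example.

```python
"""Added example: validate a client's bridge-firewall request and render rules.

Assumptions (not from the IRCan slides): nftables bridge family as the backend,
a client DB mapping client id -> registered VM MACs, and policy names below.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample client DB: client id -> MACs registered to that client.
CLIENT_DB = {
    "customer_a": {"52:54:00:aa:bb:01", "52:54:00:aa:bb:02"},
    "customer_b": {"52:54:00:cc:dd:01"},
}

# Constructed pre-defined policies (hypothetical names): (protocol, dport).
PREDEFINED_POLICIES = {
    "web": [("tcp", 80), ("tcp", 443)],
    "vpn": [("udp", 1194)],
    "ping": [("icmp", None)],
}


@dataclass(frozen=True)
class Rule:
    mac: str            # destination VM MAC (traffic entering the customer cloud)
    proto: str          # tcp, udp or icmp
    port: Optional[int]  # destination port, None for icmp


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form; reject anything that is not a MAC."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC: {mac!r}")
    return mac


def validate_request(client_id: str,
                     requests: List[Tuple[str, str]]) -> List[Rule]:
    """Turn (mac, policy_name) pairs into Rules, verifying each MAC is in the
    client DB for this client and each policy is one of the pre-defined ones."""
    registered = CLIENT_DB.get(client_id)
    if registered is None:
        raise ValueError(f"unknown client: {client_id}")
    rules = []
    for mac, policy_name in requests:
        mac = normalize_mac(mac)
        if mac not in registered:
            # A client may only open ports on MACs recorded as theirs.
            raise ValueError(f"MAC {mac} is not registered to {client_id}")
        entries = PREDEFINED_POLICIES.get(policy_name)
        if entries is None:
            raise ValueError(f"unknown policy: {policy_name}")
        for proto, port in entries:
            rules.append(Rule(mac, proto, port))
    # Drop duplicates while keeping order.
    return list(dict.fromkeys(rules))


def render_nft(client_id: str, rules: List[Rule]) -> str:
    """Render an nftables bridge-family table: default drop, explicit accepts."""
    lines = [
        f"table bridge fw_{client_id} {{",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        # Return traffic; assumes bridge conntrack is available on the host.
        "        ct state established,related accept",
    ]
    for r in rules:
        if r.proto == "icmp":
            lines.append(f"        ether daddr {r.mac} ip protocol icmp accept")
        else:
            lines.append(
                f"        ether daddr {r.mac} {r.proto} dport {r.port} accept")
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    req = [("52:54:00:AA:BB:01", "web"), ("52:54:00:aa:bb:02", "vpn")]
    print(render_nft("customer_a", validate_request("customer_a", req)))
```

The rendered text is what would be handed to the node (for example via `nft -f`); the rejection path is the important part for the certification story, since a client can only ever open ports on MACs the client DB already attributes to them.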

Page 13: The Architecture of IRCan’s HRE

VM disk infrastructure

DRBD offers live replication between pairs of nodes.

Block Devices are paired for high availability.

The VM images must be pre-sized.

Possible Elastic Storage provided in the future.

Page 14: The Architecture of IRCan’s HRE

DRBD

[Diagram: Part1 and Part2, each with a DRBD mount on top of a DRBD Block Device; the two block devices are joined across the Disk Network by live replication]

Page 15: The Architecture of IRCan’s HRE

VM provisioning

Customers may choose to use one of our hardened distros, which comes with standard docs that they can submit with their certification request.

Page 16: The Architecture of IRCan’s HRE

Customer Setup

Still being worked on.

Customer given a token that they use to register themselves on our self-serve website.

Mini-cloud automatically created with a VPN endpoint dedicated to the client.

VPN certificate wrapped with whatever crypto the customer gave us: SSH, PGP or SSL.
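The slide says the customer is given a token with which they register on the self-serve website, after which a mini-cloud and a dedicated VPN endpoint are created. The slides do not say how the token is built, so the following is an added example (not IRCan’s code) of one defensible design for that first step: a token bound to a client id, signed with an HMAC key held by the self-serve site, time-limited, and redeemable exactly once. The signing key, TTL, the in-memory “used” set and the client ids are all constructed for the example; wrapping the VPN certificate in the customer’s SSH/PGP/SSL key is the next step and is not covered here.

```python
"""Added example: single-use, expiring, HMAC-signed registration tokens.

Assumptions (not from the IRCan slides): HMAC-SHA256 over a base64 payload,
a 7-day lifetime, and an in-memory set standing in for a DB table of
consumed tokens.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set

SIGNING_KEY = secrets.token_bytes(32)   # constructed; held only by the website
TOKEN_TTL = 7 * 24 * 3600               # assumed lifetime in seconds

_used_nonces: Set[str] = set()          # stands in for a persistent table


def issue_token(client_id: str, now: Optional[int] = None,
                key: bytes = SIGNING_KEY) -> str:
    """Return '<base64 payload>.<hex hmac>' binding client_id to an expiry."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)   # unique per token; used for the single-use check
    raw = f"{client_id}|{now + TOKEN_TTL}|{nonce}".encode()
    payload = base64.urlsafe_b64encode(raw).decode()
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def redeem_token(token: str, now: Optional[int] = None,
                 key: bytes = SIGNING_KEY,
                 used: Set[str] = _used_nonces) -> Optional[str]:
    """Return the client_id if the token is authentic, unexpired and unused;
    otherwise None. The MAC is checked before the payload is parsed."""
    now = int(time.time() if now is None else now)
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    try:
        client_id, expires, nonce = (
            base64.urlsafe_b64decode(payload.encode()).decode().split("|"))
        expires_at = int(expires)
    except (ValueError, UnicodeDecodeError):
        return None
    if now > expires_at or nonce in used:
        return None
    used.add(nonce)   # burn it: a leaked token cannot register a second time
    return client_id


if __name__ == "__main__":
    t = issue_token("customer_a")
    print("first redemption :", redeem_token(t))
    print("second redemption:", redeem_token(t))
```

Because the nonce is recorded only after the signature and expiry checks pass, a forged or expired token never consumes a slot in the used-token table, and a genuine token that is replayed after registration is refused.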

Page 17: The Architecture of IRCan’s HRE

Customer Cloud Setup

Customers connect to their VPN endpoint and connect to our internal self-serve website.

Customers can create new VMs and Private Networks, and can push firewall policies to our IRCan firewall.

Page 18: The Architecture of IRCan’s HRE

Customer Services

Customers may elect to be monitored and backed up. They push data to our customer service servers.

Customers are not forced to run proprietary agents.

Outbound email forwarding provided, not inbound filtering.

DNS can be primary or secondary.

Page 19: The Architecture of IRCan’s HRE

Thank you

Patrick Naubert: [email protected]

IRCan project mgmt website: ircan.gc.ca