The Architecture of IRCan’s HRE. What is IRCan? A Government initiative started by the Treasury Board Secretariat of Canada and Public Works and Government.


The Architecture of IRCan’s HRE

What is IRCan? A Government initiative started by the Treasury Board Secretariat of Canada and Public Works and Government Services Canada. Has the mandate to provide mechanisms to create and archive reusable digital assets (Intellectual Resources) that interest The Crown.

Problem Provide a flexible, upgradable, dependable infrastructure that Government departments can use to host applications and projects involving FLOSS applications and tools. Provide the capability to implement each project’s security policy, within the greater responsibilities of The Crown. Provide a solution that doesn’t “get in the way” of receiving a certification from the SSC authority.

Packages OTRS, Ubuntu, KVM, Ganeti, DRBD, MediaWiki, Openswan, OpenVPN, Unbound & NSD, BackupPC, Nagios, Munin, Apache, Postfix, Pylons

The Guts

Networking (diagram labels): Internet; Node1, Node2, Node3, Node…; Admin Server; Bridge FW; Bridge FW; Public Network; Private VLANs; Disk Network

VLANs & Clouds (diagram labels): Infrastructure; Customer Services; DMZ Services On Public Network; Customer Private Clouds. VMs shown: Ganeti Controller VM, NMS VM, BackupPC VM, MediaWiki VM, OpenVPN/Openswan VM, VM Mgmt Website VM, DNS Server VM, Forwarder VM, Backup Services VM, Monitoring VM, Customer Self-serve Website, External DNS Server VM, Customer’s VM, OpenVPN VM, ...

Node Connections (diagram labels): Node1, Node…; interfaces eth0, eth1, eth2 on each node; Disk Network; Public Network; Private VLANs; Internet

An Example

Potential Protected B Customer Cloud Implementation (diagram labels): Internet; Public Network; IRCan FW; Private FW1; Private FW2; VPN endpoint; Web Server; Database Server; Customer A minicloud

The Parts

IRCan Firewall Bridge-based. Rules constrain MAC addresses, ports and protocols. MACs are verified against the client DB. Web-controlled by the client. Choice of pre-defined security policies. Each comes with standard docs that the client can submit with their certification request.
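The slide describes a bridge firewall whose per-VM rules are keyed on MAC addresses checked against a client database, with the customer picking from pre-defined policies. The following is an added example (not IRCan’s code) of how such a policy could be compiled into nftables bridge-family rules; the policy names, ports, MAC addresses and client DB contents are constructed assumptions.

```python
"""Compile a customer's chosen pre-defined policy into bridge firewall rules.

Added example, not IRCan's code. The MAC must be registered to the requesting
customer in the client DB, otherwise no rules are produced (fail closed).
"""
import re

# Pre-defined security policies a customer may choose (assumed names/ports).
POLICIES = {
    "web-server": [("tcp", 80), ("tcp", 443)],
    "vpn-endpoint": [("udp", 1194)],
    "database": [("tcp", 5432)],
}

# Constructed client DB: VM MAC address -> owning customer id.
CLIENT_DB = {
    "52:54:00:aa:bb:01": "customer-a",
    "52:54:00:aa:bb:02": "customer-a",
}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


class PolicyError(ValueError):
    """Raised when a request would not be allowed to reach the firewall."""


def compile_rules(mac: str, customer: str, policy: str) -> list[str]:
    """Return nft commands for one VM, or raise PolicyError.

    The returned list allows only the policy's protocol/port pairs to the
    VM's MAC and ends with a drop, so a VM gets deny-by-default.
    """
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise PolicyError(f"malformed MAC {mac!r}")
    # Verify the MAC against the client DB before trusting any request.
    if CLIENT_DB.get(mac) != customer:
        raise PolicyError(f"MAC {mac} is not registered to {customer}")
    if policy not in POLICIES:
        raise PolicyError(f"unknown policy {policy!r}")
    rules = []
    for proto, port in POLICIES[policy]:
        rules.append(
            f"add rule bridge filter forward ether daddr {mac} "
            f"{proto} dport {port} accept"
        )
    rules.append(f"add rule bridge filter forward ether daddr {mac} drop")
    return rules
```

The commands assume a `bridge filter` table with a `forward` chain already exists on the firewall; a customer-supplied MAC that the DB does not know, or that belongs to another customer, never reaches rule generation.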

VM disk infrastructure DRBD offers live replication between pairs of nodes. Block Devices are paired for high availability. The VM images must be pre-sized. Possible Elastic Storage provided in the future.

DRBD (diagram labels): Part1, Part2; Disk Network; DRBD mount; DRBD Block Device; Live replication

VM provisioning Customers may choose to use one of our hardened distros, which comes with standard docs that they can submit with their certification request.

Customer Setup Still being worked on. Customer given a token that they use to register themselves on our self-serve website. Mini-cloud automatically created with a VPN endpoint dedicated to the client. VPN certificate wrapped with whatever crypto the customer gave us: SSH, PGP, SSL

Customer Cloud Setup Customers connect to their VPN endpoint and then to our internal self-serve website. Customers can create new VMs and Private Networks, and can push firewall policies to our IRCan firewall.

Customer Services Customers may elect to be monitored and backed-up. They push data to our customer service servers. Customers are not forced to run proprietary agents. Outbound forwarding provided, not inbound filtering. DNS can be primary or secondary.

Thank you. Patrick Naubert: IRCan project mgmt. Website: ircan.gc.ca