The Architecture of IRCan’s HRE
Presentation Transcript
What is IRCan?
  • A Government initiative started by the Treasury Board Secretariat of Canada and Public Works and Government Services Canada.
  • Has the mandate to provide mechanisms to create and archive reusable digital assets (Intellectual Resources) that interest The Crown.
Problem
  • Provide a flexible, upgradable, dependable infrastructure that Government departments can use to host applications and projects involving FLOSS applications and tools.
  • Provide the capability to implement each project’s security policy, within the greater responsibilities of The Crown.
  • Provide a solution that doesn’t “get in the way” of receiving a certification from the SSC authority.
Packages
  • Ubuntu
  • KVM
  • Ganeti
  • OTRS
  • DRBD
  • MediaWiki
  • Unbound & NSD
  • Openswan
  • OpenVPN
  • BackupPC
  • Nagios
  • Munin
  • Apache
  • Postfix
  • Pylons

Networking
  [Network diagram: Internet, two Bridge/FW pairs, Public Network; Admin Server; Node1, Node2, Node3 … Node<n>; Private VLANs; Disk Network]

VLANs & Clouds
  [Diagram, labels grouped as they appear:
  Infrastructure VMs: OpenVPN, Openswan, Ganeti Controller, NMS, BackupPC, MediaWiki.
  Customer Services VMs: Backup Services, Email Forwarder, DNS Server, VM Mgmt Website, Monitoring.
  DMZ Services on Public Network: External DNS Server VM, Customer Self-serve Website.
  Customer Private Clouds: OpenVPN VM, Customer’s VM<n>, …]

Node Connections
  [Diagram, Node Connections: Node1 … Node<n>; eth0 / Disk Network; eth2 / Private VLANs; eth1 / Public Network / Internet]

Potential Protected B Customer Cloud Implementation
  [Diagram: Internet; IRCan FW; Public Network; VPN endpoint; Private FW1; Customer A minicloud (Web Server, Database Server); Private FW2]

IRCan Firewall
  • Bridge-based
    • Rules constrain MAC addresses, ports and protocols. MACs are verified against client DB.
  • Web-controlled by client
    • Choice of pre-defined security policies. Each comes with standard docs that client can submit with their certification request.
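The slide describes a bridge-based firewall whose rules constrain MAC addresses, ports and protocols, with MACs checked against a client DB and the client choosing among pre-defined policies. The following is an added example of that control flow and is not IRCan’s code: the client DB, the policy presets and the VM names are constructed, and emitting nftables `bridge` family rules is an assumption, since the slides do not name the filtering tool.

```python
"""Bridge-firewall rule generation for a hosted-VM cloud.

Added example for the "IRCan Firewall" slide; this is not IRCan's code.
The client DB, the policy presets and the VM names below are constructed,
and emitting nftables 'bridge' family rules is an assumption (the slides
do not name the filtering tool).
"""
import re
from dataclasses import dataclass
from typing import Optional

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed client DB: the MAC each customer VM was registered with.
CLIENT_DB = {
    "cust-a-web": "52:54:00:aa:00:01",
    "cust-a-db": "52:54:00:aa:00:02",
}

# Constructed pre-defined policies: (L4 protocol, port) pairs reachable on the VM.
POLICIES = {
    "web": [("tcp", 80), ("tcp", 443)],
    "internal-db": [("tcp", 5432)],
}


@dataclass(frozen=True)
class Rule:
    mac: str
    proto: str
    port: int

    def nft(self) -> list[str]:
        """Stateless pair: traffic to the service port, and its replies."""
        return [
            f"add rule bridge filter forward ether daddr {self.mac} "
            f"ip protocol {self.proto} {self.proto} dport {self.port} accept",
            f"add rule bridge filter forward ether saddr {self.mac} "
            f"ip protocol {self.proto} {self.proto} sport {self.port} accept",
        ]


def authorize(vm: str, claimed_mac: str, policy_name: str) -> Optional[str]:
    """Check a customer's policy push against the client DB.

    Returns None when the request is acceptable, otherwise the reason it was
    refused: the MAC must be well-formed and registered to the named VM, and
    the policy must be one of the pre-defined presets.
    """
    mac = claimed_mac.lower()
    if not MAC_RE.match(mac):
        return f"malformed MAC {claimed_mac!r}"
    registered = CLIENT_DB.get(vm)
    if registered is None:
        return f"unknown VM {vm!r}"
    if registered != mac:
        return f"MAC {mac} is not registered for {vm}"
    if policy_name not in POLICIES:
        return f"unknown policy {policy_name!r}"
    return None


def build_rules(vm: str, claimed_mac: str, policy_name: str) -> list[Rule]:
    """Return the Rule objects for an authorized request; raise otherwise."""
    reason = authorize(vm, claimed_mac, policy_name)
    if reason is not None:
        raise PermissionError(reason)
    mac = claimed_mac.lower()
    return [Rule(mac, proto, port) for proto, port in POLICIES[policy_name]]


def render_ruleset(vm: str, claimed_mac: str, policy_name: str) -> str:
    """Render an nft script: default-drop forward chain plus the VM's allowances."""
    lines = [
        "add table bridge filter",
        "add chain bridge filter forward "
        "{ type filter hook forward priority 0; policy drop; }",
        # ARP must pass or nothing on the bridge can resolve the VM.
        "add rule bridge filter forward ether type arp accept",
    ]
    for rule in build_rules(vm, claimed_mac, policy_name):
        lines.extend(rule.nft())
    # A MAC identifies a VM, it does not authenticate it; the DB check keeps a
    # customer from naming another tenant's address in a policy push.
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_ruleset("cust-a-web", "52:54:00:AA:00:01", "web"))
```

The chain policy is drop, so only the MAC/protocol/port tuples in the chosen preset pass, in both directions, plus ARP; anything else a customer asks for is refused before any rule is rendered.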
VM disk infrastructure
  • DRBD offers live replication between pairs of nodes.
  • Block Devices are paired for high availability.
  • The VM images must be pre-sized.
  • Elastic storage may be provided in the future.
DRBD
  [Diagram: two parts, each with a DRBD mount on a DRBD Block Device; live replication between the block devices over the Disk Network]

VM provisioning
  • Customers may choose to use one of our hardened distros, which come with standard docs that they can submit with their certification request.
Customer Setup
  • Still being worked on.
  • Customer given a token that they use to register themselves on our self-serve website.
  • Mini-cloud automatically created with a VPN endpoint dedicated to the client.
  • VPN certificate wrapped with whatever crypto the customer gave us: SSH, PGP, SSL.
Customers Cloud Setup
  • Customers connect to their VPN endpoint and connect to our internal self-serve website.
  • Customers can create new VMs and Private Networks, and can push firewall policies to our IRCan firewall.
Customer Services
  • Customers may elect to be monitored and backed up. They push data to our customer service servers.
  • Customers are not forced to run proprietary agents.
  • Outbound email forwarding provided, not inbound filtering.
  • DNS can be primary or secondary.
Thank you
  • Patrick Naubert: patrickn@xelerance.com
  • IRCan project mgmt website: ircan.gc.ca