diff --git a/proposals/draft-nx.md b/proposals/draft-nx.md index 4861f084..c4fc1fc1 100644 --- a/proposals/draft-nx.md +++ b/proposals/draft-nx.md @@ -122,7 +122,7 @@ update of Mongo-DB for Rama (done by Dima) ---- Checkout the app: Open OnDemand - +https://rustdesk.com # Meeting diff --git a/proposals/draft_infrastructure_security_concept.drawio.svg b/proposals/draft_infrastructure_security_concept.drawio.svg index 77119e06..8d52471f 100644 --- a/proposals/draft_infrastructure_security_concept.drawio.svg +++ b/proposals/draft_infrastructure_security_concept.drawio.svg @@ -1,16 +1,16 @@ - + - - - - - - + + + + + + -
+
https/443 @@ -20,17 +20,17 @@
- + https/443... - - + + -
+
443 @@ -40,17 +40,17 @@
- + 443... - - + + -
+
443 @@ -58,18 +58,18 @@
- + 443 - - - + + + -
+
Puppet @@ -77,17 +77,17 @@
- + Puppet - - + + -
+
http/80 @@ -97,36 +97,36 @@
- + http/80... - - - + + + -
+
- YUM Repos + RPM Repos
- - YUM Repos + + RPM Repos - - + + -
+
tftp @@ -138,17 +138,17 @@
- + tftp... - - + + -
+
443 @@ -156,16 +156,16 @@
- + 443 - + -
+
- PXE @@ -175,21 +175,21 @@
- + - PXE... - - - - - - + + + + + + -
+
Git @@ -197,21 +197,21 @@
- + Git - - - - - - + + + + + + -
+
NFS @@ -219,17 +219,17 @@
- + NFS - - + + -
+
443 @@ -237,18 +237,18 @@
- + 443 - - - + + + -
+
Icinga Master @@ -256,19 +256,19 @@
- + Icinga Master - - - - + + + + -
+
5665 @@ -276,16 +276,16 @@
- + 5665 - + -
+
Elastic @@ -293,17 +293,17 @@
- + Elastic - - + + -
+
???? @@ -311,16 +311,16 @@
- + ???? - + -
+
Icinga Satellites @@ -328,17 +328,17 @@
- + Icinga Satellites - - + + -
+
@@ -360,18 +360,18 @@
- + nrpe... - - - + + + -
+
AD @@ -379,16 +379,16 @@
- + AD - + -
+
ETH RedHat Satellite @@ -396,17 +396,17 @@
- + ETH RedHat Satellite - - + + -
+
https @@ -414,16 +414,16 @@
- + https - + -
+
Other content provider @@ -431,16 +431,16 @@
- + Other content provid... - + -
+
introduction of content scanning @@ -448,17 +448,17 @@
- + introduction of content scanning - - + + -
+
... @@ -466,16 +466,16 @@
- + ... - + -
+
@@ -492,21 +492,21 @@
- + All Networks[Security L... - - - - - - + + + + + + -
+
Icinga Satellite @@ -516,16 +516,16 @@
- + Icinga Satellite... - + -
+
@@ -554,17 +554,17 @@
- + - Systems are installed in the DMZ?... - - + + -
+
5665 @@ -572,16 +572,16 @@
- + 5665 - + -
+
Icinga Satellites @@ -589,16 +589,16 @@
- + Icinga Satellites - + -
+
logstash @@ -606,13 +606,13 @@
- + logstash - - + + @@ -629,12 +629,12 @@ - - + + -
+
@@ -656,17 +656,17 @@
- + nrpe... - - + + -
+
@@ -688,17 +688,17 @@
- + nrpe... - - + + -
+
@@ -717,16 +717,16 @@
- + DataCenter Network... - + -
+
@@ -743,22 +743,22 @@
- + All Networks[Security L... - - - - - - - - + + + + + + + + -
+
agents @@ -766,16 +766,16 @@
- + agents - - + + -
+
beats @@ -783,16 +783,16 @@
- + beats - - + + -
+
beats @@ -800,17 +800,17 @@
- + beats - - + + -
+
???? @@ -818,17 +818,17 @@
- + ???? - - + + -
+
5665 @@ -836,16 +836,16 @@
- + 5665 - + -
+
@@ -860,17 +860,17 @@
- + DMZ[Security Level 2] - - + + -
+
5665 @@ -878,17 +878,17 @@
- + 5665 - - + + -
+
Staging / Infrastructure Network @@ -896,16 +896,16 @@
- + Staging / Infrastructure Network - + -
+
YUM Repos DMZ @@ -913,16 +913,16 @@
- + YUM Repos DMZ - + -
+
puppet DMZ @@ -930,16 +930,16 @@
- + puppet DMZ - + -
+
Metrics DMZ @@ -947,17 +947,17 @@
- + Metrics DMZ - - + + -
+
https/443 @@ -965,17 +965,17 @@
- + https/443 - - + + -
+
8140 @@ -983,16 +983,16 @@
- + 8140 - + -
+
node @@ -1002,16 +1002,16 @@
- + node... - + -
+
node @@ -1021,16 +1021,16 @@
- + node... - + -
+
PXE @@ -1040,17 +1040,17 @@
- + PXE... - - + + -
+
tftp @@ -1062,17 +1062,17 @@
- + tftp... - - + + -
+
https/443 @@ -1080,17 +1080,17 @@
- + https/443 - - + + -
+
https/443 @@ -1098,17 +1098,17 @@
- + https/443 - - + + -
+
8140 @@ -1116,17 +1116,17 @@
- + 8140 - - + + -
+
https/443 @@ -1134,18 +1134,18 @@
- + https/443 - - - + + + -
+
once systems are staged and hardned, they are moved out into production-dmz network @@ -1153,17 +1153,17 @@
- + once syste... - - + + -
+
https/443 @@ -1171,16 +1171,16 @@
- + https/443 - - + + -
+
Firewall @@ -1188,18 +1188,18 @@
- + Firewall - - - + + + -
+
we push the content of the repo to the repo server from the internal infrastructure @@ -1207,17 +1207,17 @@
- + we push the content of the repo... - - + + -
+
ssh/22 @@ -1225,7 +1225,7 @@
- + ssh/22 diff --git a/proposals/draft_infrastructure_security_concept.md b/proposals/draft_infrastructure_security_concept.md index cec4860f..7ed52e09 100644 --- a/proposals/draft_infrastructure_security_concept.md +++ b/proposals/draft_infrastructure_security_concept.md @@ -22,4 +22,18 @@ The content of the repos in the DMZ are pushed from the PSI network. The repo se * Maybe have one group that takes care of all DMZ servers? ## Notes -The idea is that we first setup a repo server and then peu-a-peu install the other infrastructure components \ No newline at end of file +The idea is that we first setup a repo server and then peu-a-peu install the other infrastructure components + + +Decision whether we have to use a satellite or not +* Security Level +* Architecture Network (amount of traffic) +* Architecture Icinga (load satellite) + +---- +Security + +1. Zones +2. Network segmentation (VRF) + - 985 subnets in 185 network segments +3. A network segmentation does have a security level attached \ No newline at end of file diff --git a/proposals/draft_security_concepts.drawio.svg b/proposals/draft_security_concepts.drawio.svg new file mode 100644 index 00000000..6ff47b0d --- /dev/null +++ b/proposals/draft_security_concepts.drawio.svg @@ -0,0 +1,332 @@ + + + + + + + +
+
+
+ VRF - Virtual Routing and Forwarding +
+
+
+ + + VRF - Virtual Routing and Forwarding + + + + + + + + + + +
+
+
+ Zone +
+
+
+ + + Zone + + + + + + + + + + +
+
+
+ VRF A +
+
+
+ + + VRF A + + + + + + + + + + +
+
+
+ VRF B +
+
+
+ + + VRF B + + + + + + + +
+
+
+ VRF X +
+
+
+ + + VRF X + + + + + + + +
+
+
+ Subnet 1 +
+
+
+ + + Subnet 1 + + + + + + + +
+
+
+ Subnet 2 +
+
+
+ + + Subnet 2 + + + + + + + +
+
+
+ Subnet 3 +
+
+
+ + + Subnet 3 + + + + + + + +
+
+
+ Subnet 1 +
+
+
+ + + Subnet 1 + + + + + + + +
+
+
+ Subnet 2 +
+
+
+ + + Subnet 2 + + + + + + + +
+
+
+ Subnet 3 +
+
+
+ + + Subnet 3 + + + + + + + +
+
+
+ Subnet 1 +
+
+
+ + + Subnet 1 + + + + + + + +
+
+
+ Subnet 2 +
+
+
+ + + Subnet 2 + + + + + + + +
+
+
+ Subnet 3 +
+
+
+ + + Subnet 3 + + + + + + + + + + + +
+
+
+ Firewall +
+
+
+ + + Firewall + + + + + + + +
+
+
+ [security level] +
+
+
+ + + [security leve... + + + + + + + +
+
+
+ [security level] +
+
+
+ + + [security leve... + + + + + + + +
+
+
+ [security level] +
+
+
+ + + [security leve... + + + + + + + + + Viewer does not support full SVG 1.1 + + + + \ No newline at end of file diff --git a/proposals/draft_standard_sw_stack.md b/proposals/draft_standard_sw_stack.md index b5929a7d..34ea6193 100644 --- a/proposals/draft_standard_sw_stack.md +++ b/proposals/draft_standard_sw_stack.md @@ -7,4 +7,10 @@ Additional packages: * open-vm-tools [vm only] -AFS will only be an additional package - it will not be part of the core distribution \ No newline at end of file +AFS will only be an additional package - it will not be part of the core distribution + +# TODO + +Include following functionality in base stack? +* SMB mounting for users gfa-cifsmount +* telwho - gfa-telwho