add ideas for DMZ infrastructure
@@ -1,3 +1,22 @@
# [DRAFT] Core Infrastructure Security Concept


## DMZ
* There is a dedicated and additionally protected (firewall) infrastructure network within the DMZ
* This network holds the provisining infrastructure and is used for staging new nodes
* After new nodes are staged and hardened the nodes are moved out into the "real" DMZ network(s)
* VLAN and IP need to be changed
* Node will be still able to connect to the repo server as well as puppet and metric server in the infrastructure network (this way it is ensured that nodes are actively managed and still get updates)
The content of the repos in the DMZ are pushed from the PSI network. The repo servers in the DMZ only hold the latest packages - we do not have snapshotting, etc. (need to be discussed).
### TODO
* we need to define a dedicated DMZ stack
* minimal os / software stack
* firewall enabled and blocking everything except the specially configured ports
* Every node in the DMZ must have a responsible person (it would be better group)!
* Maybe have one group that takes care of all DMZ servers?
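Review bot: the bullet "Node will be still able to connect to the repo server as well as puppet and metric server in the infrastructure network" opens a path from the less trusted DMZ back into the additionally protected infrastructure network, but neither it nor the TODO item "firewall enabled and blocking everything except the specially configured ports" says which side initiates each connection or on which ports; the infrastructure network's firewall should admit only connections from DMZ nodes to exactly those three services on their service ports and deny everything else, otherwise the staging network becomes a pivot from a compromised DMZ host into the provisioning infrastructure that builds every other node. The same applies to "VLAN and IP need to be changed": state that the node's firewall rules and its registration with the puppet and metric servers are updated for the new address rather than carried over unchanged from staging. Since the repo servers hold only the latest packages pushed from the PSI network with no snapshotting, a bad or malicious package pushed once reaches every managed DMZ node on its next update with no way to roll back, so the "need to be discussed" point belongs in the TODO list next to the minimal software stack item. Minor: "provisining" should read "provisioning".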