Making a fully secure infrastructure



My mission at Orange DSI began in January 2020 and lasted until June 2022. The goal was to build a secure infrastructure that would work with a secure workstation.



The environment

In order to accomplish this, I started by building a validation platform with the necessary services. The infrastructure ran virtually on VMware, and all the machines I managed ran Red Hat Enterprise Linux 8.



Initial setup

Once I had everything I needed to start creating the machines and doing their initial configuration, I used Ansible to automate these tasks. My playbooks were simple but worked very well, interacting with VMware's API. Once the machines were created, I also wrote some Ansible playbooks for their initial configuration: DNS resolver settings, package repositories, NTP and so on.



Applications

The first thing I set up was the DNS, after assigning IP addresses to every machine. I chose bind9 because I had some prior knowledge of it. The DNS had multiple views, selected by the source and destination IP of each query. There were also other zones for different domains.
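Split-horizon views of the kind described above, as an added example and not the configuration of the platform described on this page: a minimal named.conf with an internal view that recurses for LAN clients and an external view that only answers authoritatively. The ACL range, the listener address, the zone name and the zone file paths are assumptions; the small awk helper is there so the result can be checked without BIND installed.

```shell
# Added example, not the platform's own configuration. The ACL range, listener
# address, zone name and zone file paths are assumptions.
write_named_conf() {
  # $1 = path to write. A query is served by the first view whose match-clients
  # and match-destinations both match, so the restrictive internal view must
  # come before the catch-all external one.
  cat > "$1" <<'EOF'
acl "lan" { 10.10.0.0/16; localhost; };

options {
    directory "/var/named";
    version "none";              // do not advertise the BIND version
    allow-transfer { none; };    // no zone transfers unless a zone allows them
};

// Internal clients reaching the internal listener: full records, recursion on
view "internal" {
    match-clients      { lan; };
    match-destinations { 10.10.0.53; };
    recursion yes;
    allow-query        { lan; };
    zone "corp.example" IN {
        type master;
        file "internal/corp.example.zone";
    };
};

// Everyone else: public records only, authoritative answers, no recursion
view "external" {
    match-clients      { any; };
    recursion no;
    allow-query        { any; };
    allow-query-cache  { none; };
    zone "corp.example" IN {
        type master;
        file "external/corp.example.zone";
    };
};
EOF
}

recursion_in_view() {
  # $1 = named.conf, $2 = view name; prints that view's recursion setting.
  awk -v want="\"$2\"" '
    $1 == "view" && $2 == want { inview = 1 }
    inview && $1 == "recursion" { sub(/;/, "", $2); print $2; exit }
  ' "$1"
}

check_named_conf() {
  # Syntax check when BIND's tools are installed; otherwise just say so.
  if command -v named-checkconf >/dev/null 2>&1; then
    named-checkconf "$1"
  else
    echo "named-checkconf not installed; skipping syntax check of $1"
  fi
}
```

The point of the two views is that the same zone name carries two different zone files: internal hosts get the full map of the platform, while anything outside the LAN ACL gets only the public records and can never use the server as an open resolver.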

After the DNS, I needed a local repository server so every machine could install packages without querying Red Hat's servers each time. For that, I used a dedicated machine on which I cloned the Red Hat repositories using built-in commands. Once the cloning is done, the server acts as a repository. To keep packages up to date, a sync script can be run from cron.
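The mirror and its cron job, as an added example rather than the script used on the platform: dnf's reposync plugin pulls the RHEL 8 BaseOS and AppStream repositories, and the clients get a .repo file that keeps GPG verification on. The repository IDs, paths, mirror URL and service account are assumptions; the mirror host is assumed to be registered with subscription-manager, to have dnf-plugins-core installed, and to serve the mirror directory over HTTPS.

```shell
# Added example, not the platform's own script. Repo IDs, paths, the mirror
# URL and the service account are assumptions.
MIRROR_ROOT=${MIRROR_ROOT:-/srv/repo/rhel8}                 # served over HTTPS as MIRROR_URL
MIRROR_URL=${MIRROR_URL:-https://repo.corp.example/rhel8}
REPOS="rhel-8-for-x86_64-baseos-rpms rhel-8-for-x86_64-appstream-rpms"

sync_repos() {
  # Runs on the mirror host. --download-metadata keeps the upstream repodata,
  # so no createrepo step is needed; --newest-only bounds disk use; --delete
  # drops packages that upstream has withdrawn. reposync creates one
  # subdirectory per repo id under --download-path.
  for repo in $REPOS; do
    dnf reposync --repoid="$repo" --download-metadata --newest-only --delete \
                 --download-path="$MIRROR_ROOT"
  done
}

render_client_repo() {
  # $1 = repo id. Prints the stanza to drop into /etc/yum.repos.d/ on clients.
  # gpgcheck stays on: the mirror is a cache, not a trust anchor, and the
  # Red Hat release key is already present on every RHEL 8 host.
  cat <<EOF
[$1]
name=Local mirror of $1
baseurl=$MIRROR_URL/$1
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
EOF
}

install_cron() {
  # Nightly sync under a dedicated account; /etc/cron.d entries carry a user
  # field. The script path is an assumption.
  printf '%s\n' \
    '15 02 * * * repomirror /usr/local/sbin/sync-repos.sh >>/var/log/sync-repos.log 2>&1' \
    > /etc/cron.d/sync-repos
}
```

Serving the mirror over HTTPS protects against tampering in transit, but package signatures are what actually bind the RPMs to Red Hat, which is why the client stanza must not set gpgcheck=0 even though the mirror is "internal".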

I also had to set up OpenLDAP for the users. With it, they could authenticate and use the services provided by the infrastructure. The OpenLDAP server worked together with Kerberos.

There were many other applications I used, such as the Apache web server, HAProxy for load balancing, PostgreSQL for databases, Stormshield as the firewall, and more.



Security

Security was a big part of the project, as the infrastructure had to comply with a lot of rules.

Every connection was encrypted with TLS, using certificates for both user connections and machine-to-machine links. Thanks to that, I learned a lot about certificates and private keys, and about how to manage and secure applications and servers.

*nix file permissions were also very important here. I had to be very careful with permissions depending on the type of file and the information it held. For instance, a private key should never be readable by everyone, and the setuid and setgid bits were strongly discouraged. This requirement helped me understand better how *nix permissions work and which files need more protection than others.
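An audit for the two mistakes mentioned above, as an added example that is not taken from the page: find private keys that are world-readable and files that carry the setuid or setgid bit, then tighten the keys. The sample tree is constructed inline so the script can be tried in a scratch directory; the key locations and file names are assumptions.

```shell
# Added example, not part of the original page. The sample tree is constructed
# for a dry run; the paths only resemble RHEL locations by assumption.

world_readable_keys() {
  # $1 = root to scan. Private key material must not have the "other" read bit
  # (octal 004): 0600, or 0640 with a dedicated group, is the target.
  find "$1" -type f \( -name '*.key' -o -name '*.pem' -o -name 'id_*' \) \
       ! -name '*.pub' -perm -004 -print 2>/dev/null
}

setuid_setgid_files() {
  # $1 = root to scan. Every hit should be a known, justified binary
  # (passwd, sudo, ...); anything else is a privilege-escalation surface.
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

harden_keys() {
  # Strip group and other permissions from every exposed key under $1.
  world_readable_keys "$1" | while IFS= read -r key; do
    chmod 600 "$key"
  done
}

audit_report() {
  # $1 = root. Prints findings; returns 1 when anything was found.
  keys=$(world_readable_keys "$1")
  suid=$(setuid_setgid_files "$1")
  [ -n "$keys" ] && printf 'world-readable keys:\n%s\n' "$keys"
  [ -n "$suid" ] && printf 'setuid/setgid files:\n%s\n' "$suid"
  [ -z "$keys" ] && [ -z "$suid" ]
}

make_sample_tree() {
  # Constructed sample: one exposed key, one correct key, one setuid binary.
  mkdir -p "$1/etc/pki/tls/private" "$1/usr/local/bin"
  : > "$1/etc/pki/tls/private/web.key";  chmod 644 "$1/etc/pki/tls/private/web.key"   # wrong
  : > "$1/etc/pki/tls/private/ldap.key"; chmod 600 "$1/etc/pki/tls/private/ldap.key"  # right
  : > "$1/usr/local/bin/helper";         chmod 4755 "$1/usr/local/bin/helper"          # setuid
}
```

On a real host the scan runs against / (as root, so every directory is readable) and the setuid list is compared with the one shipped by the distribution; a binary that appears only after a deployment is the one to question.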

SELinux was enabled on every machine, preventing users and applications from modifying system parameters that could break the machine or weaken its security. For example, sshd cannot be moved to a port normally used for HTTP without first changing the SELinux port label in the policy.
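Moving sshd to a port that another SELinux type already owns, as an added example that is not taken from the page. The label has to change before sshd is restarted, and `semanage port -l` shows which type currently covers a port; the sample output below is a constructed excerpt in that format so the small parser can be checked offline. The new port number, the use of firewalld, and the helper names are assumptions.

```shell
# Added example, not from the original page. The port number and the use of
# firewalld are assumptions; SAMPLE_SEMANAGE_OUTPUT is a constructed excerpt
# in the format printed by `semanage port -l` on RHEL 8.
SAMPLE_SEMANAGE_OUTPUT='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22'

port_label() {
  # $1 = port, $2 = proto. Reads `semanage port -l` output on stdin and prints
  # the type that owns the port, or nothing if it is unlabeled. Port ranges
  # such as 5900-5999 are not expanded by this helper.
  awk -v port="$1" -v proto="$2" '
    $2 == proto {
      for (i = 3; i <= NF; i++) {
        p = $i; sub(/,/, "", p)
        if (p == port) { print $1; exit }
      }
    }'
}

move_sshd_port() {
  # $1 = new port. Editing sshd_config alone is the weak step: in enforcing
  # mode sshd is denied name_bind on a port not labeled ssh_port_t and fails
  # to start, which is exactly the situation the text describes.
  owner=$(semanage port -l | port_label "$1" tcp)
  case "$owner" in
    ssh_port_t)
      ;;                                                  # already allowed
    "")
      semanage port -a -t ssh_port_t -p tcp "$1" ;;       # unlabeled: add a label
    *)
      # Owned by another type (e.g. http_port_t). -a would fail with "already
      # defined"; -m relabels the port, which also takes it away from that type.
      semanage port -m -t ssh_port_t -p tcp "$1" ;;
  esac
  sed -i "s/^#\{0,1\}Port .*/Port $1/" /etc/ssh/sshd_config
  firewall-cmd --permanent --add-port="$1/tcp" && firewall-cmd --reload
  sshd -t && systemctl restart sshd
}
```

Keep the current session open until the new port answers; the `sshd -t` check only validates the configuration file, not that the port is actually reachable through the firewall.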



Monitoring

At first, this validation platform was not monitored. I considered it not critical enough to warrant an email as soon as there was a small issue. This was not a good idea, as problems appeared after some time: disk space running low or out, CPU usage jumping because an application was misbehaving, and so on.

I decided to deploy the monitoring solution I knew best: Centreon. I set it up to monitor the whole validation platform, with more than 300 services. It helped a lot in catching issues that could have become serious problems if not fixed quickly.



The workstation

Besides the infrastructure, I worked with a secure workstation that connected through VPNs set up on a Stormshield appliance. This workstation is an additional computer used to carry out critical tasks as securely as possible, thanks to its hardened operating system and the robust security of the infrastructure behind it.



Teamwork

Another non-negligible aspect of the project was the ability to work as a team. There were a lot of people involved in the project, many of whom were not in the office with me. They were in different cities, and communication was essential. We had to communicate a lot using several tools, and work with different entities and with people who had different skills and backgrounds.

I found this very enriching, because all these different people taught me a lot during these two years.