Design
RSS provides an extensive roster of administration tools, listed below. Small offices need to manage, or even read about, almost none of them; those responsible in larger organizations will find them capable and detailed enough to integrate into existing structures of any size. RSS covers the feature, device compatibility, performance, scale and security requirements from the simplicity and maintainability needs of a small office to the administration requirements of a multi-location, multi-domain organization.
The smallest admin configuration supports hundreds of users with two dedicated website host ‘virtual machines’ that together use fewer resources than a low-end laptop, each running on a different physical server. The largest configuration supports thousands of users with pairs of dedicated admin servers running in each of up to 16 locations, each location connected through up to 16 simultaneous internet service providers. Capacity can be increased or decreased seamlessly.
Highlights of the admin hosting subsystem’s capabilities and structural components, including links to background and details, follow.
This is ‘admin hosting in a box’ (or 2 x 16 boxes)!
- Integrated Subsystems:
- Identity Management – Multi-server, high-availability user authentication, authorization, policy, certificate and trust management, built on FreeIPA as packaged by AlmaLinux. Provides GSSAPI / Kerberos authentication to the database subsystem. Among many other things, it gives administrators, and optionally users, a GUI to manage accounts and passwords, set up email addresses and aliases, and more. Supports DNSSEC-signed company domain names and cross-forest trust agreements with Microsoft Active Directory. General Information. Details.
- Security Technologies – To avoid handing information to those with ill intent, RSS server installations at client locations include further security-related technologies that are documented only for admin users. Nothing in RSS, however, permits client data or metadata to leave the client’s installations except as described publicly.
- Foundational Subsystems:
- Ceph – “The future of storage”. Updated annually since 2012, it provides, among many other things, the replicated storage engine supporting all the hosting needs. General Information. Details.
- Host OS: AlmaLinux (CentOS successor, binary-compatible with Red Hat Enterprise Linux) running on ‘bare metal’ and/or as a KVM virtual machine – Even the smallest RSS client runs no fewer than two separate administrative subsystems simultaneously, each in its own virtual machine on a physical server. Should only one be running, administrative services continue to appear normal. Scales natively to thousands of users. This design contains a breach of one subsystem and allows the latest patches for the administrative subsystem to be installed without concern for dependencies and incompatibilities in unrelated subsystems. ‘Docker’ and related container technologies offer small speed advantages, but containers share the host kernel, so a single kernel flaw can expose every container on the machine; virtual machine isolation adds a hypervisor boundary and remains the stronger choice for security, which is why RSS administrative hosts run as virtual machines on a server. The underlying Linux distribution for the database subsystem is likewise AlmaLinux. AlmaLinux General Information, Details. KVM General Information, Details.
- Administration of user accounts, authorized systems and services
- Users and Groups: Adding to the expected GUI-based ‘names and passwords’ facility (including users managing their own passwords alongside administrative password reset), RSS integrates a full suite of optional capabilities. Smaller installations need learn or manage nothing further; larger installations will find a complete suite of services and capabilities. These include an industry-standard, fully detailed directory of staff and organizational relationships (‘LDAP’). Beyond demographic and personal details, the system manages personal SSL certificates, SSH public key publishing, Kerberos ‘principal aliases’, RADIUS proxy configuration, two-factor authentication, login shell and home directory settings for Linux use, and Windows/SMB user attributes, and can participate in ‘cross-domain trust’ agreements with Microsoft Active Directory ‘security forests’. To simplify administration of hundreds or thousands of users, the system provides assignment to ‘roles’, which carry specific authorities beyond those of the more general ‘groups’: which hosts a user may access, authority to run programs that need more access than the user has outside that program, and more. Partial screenshot. Details.
- General purpose computers (and ‘virtual machines’)/Devices/Hosts:
- Laptops, desktops, servers and ‘virtual machines’ running within larger bare-metal servers are, when connected to the local area network, automatically assigned addresses, and their names and link-layer (MAC) address(es) are added to the administrative GUI (along with DNS and related databases). If administrators so choose, complete inventory information may be added, along with enhanced capabilities such as SSH public keys to confirm the host’s identity, SSL certificates assigned to the host, authentication indicators (RADIUS, PKINIT, SPAKE/FAST, two-factor auth), whether software running on the system may also act as a user (common for devices, see below), and further security-privilege options. Screenshot.
- By default a machine is placed in the ‘dhcp’ admin class, appropriate for systems that need not always have the same address, or that only ever consume services and never offer services to others for more than a short while. If a ‘dhcp’ class machine is disconnected for several days, its records are purged and its addresses freed for others to use. If an admin changes the class from ‘dhcp’ to ‘device’, RSS gives the machine permanent status and issues SSL certificates for its use; its addresses will not change, and it becomes reachable like a local device across the client’s locations and, with further effort if desired, from the public internet.
- Devices are machines with all the aspects mentioned above, but understood to be dedicated to a particular purpose. Some are locked to a purpose by their construction, such as wifi access points or managed switches. Others ‘seem like’ devices because they are typical desktops always used in a specific way, such as a video editing station, or because special-purpose equipment is attached to them (such as laboratory measurement instruments). If a device is trusted to act on behalf of a user without the user personally present, the admin can check a related box (generally not done for general-purpose machines).
- A service is one or more related running programs which, taken together, deliver a specific capability. What is unique to a service is that it often does not matter on which server or machine the programs run. To give the programs authority to access the resources they need on whichever system hosts them, the service can be given a name (in FreeIPA terms, a service principal) and any of a rich set of authorities, including the ability to act ‘as if’ a user. Screenshot.
- Authentication Services
- SSL Certificates: A complete GUI-based suite of certificate management capabilities: external and internal certificate authorities, templates (profiles) for classes of certificates, control of which users/subsystems have access to which certificates, and of course all the details the certificates and keys themselves contain. Screenshot. General Information. Details. Internally, RSS automatically creates and manages the certificates necessary for all its operations.
- Time/use-count based codes: Create and manage ‘OTP’ tokens, one-time passwords whose codes are valid either for a short time window (time-based, TOTP) or for a single use each (counter-based, HOTP). The code is entered alongside the password as a second factor, granting users (or devices or special subsystems) access to chosen systems/services.
- RADIUS server linkage: RADIUS is a widely deployed authentication protocol; an existing RADIUS server can be integrated into the RSS framework (for example, to proxy a user’s authentication to it) using this facility. General information. Details.
- Certificate-based identity management: RSS optionally accepts possession of a certificate and its private key as proof of identity. A GUI lets administrators create certificates and ‘map’ them onto one or more users, allowing the certificate holder to authenticate as any of the permitted users.
- Policy Management
- Host-based access control: Manage from which hosts, and to which hosts and services, users and/or software subsystems may connect.
- Special authority assignment / ‘sudo’: Allow otherwise ‘normal’ users or groups of users limited access to specific commands, subsystems or services that require authority beyond the user’s own.
- For client machines using the Red Hat/Fedora/CentOS/Alma family of Linux: Manage per-user elevated access to features secured by the ‘SELinux’ mechanism (SELinux user maps).
- Password policies:
- Minimum password length
- How long a password may remain unchanged
- How many previous passwords may not be reused
- How long the system forces a user to wait between failed password attempts
- How long the account is locked out after some number of repeated failed attempts
- Set how long granted authorities/access last before renewal or re-check is required: Kerberos ticket policy (ticket lifetime and renewable lifetime).
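The Policy Management items above (host-based access control, sudo, password policy, Kerberos ticket policy) correspond to FreeIPA objects that can be set through the GUI or, for repeatable setups, through the `ipa` command line. The script below is an added example and not part of RSS; it builds the command list for one coherent policy set, prints it for review, and only executes it when asked. The group `sysadmins`, host group `bastions`, host `bastion1.example.test`, rule names and the chosen limits are placeholders for this example; the `ipa` subcommands and flags are the standard FreeIPA ones, and the comments record which unit each flag expects.

```python
import shlex
import subprocess

HOUR, DAY = 3600, 86400

# Placeholder names for this example, not anything RSS defines.
ADMIN_GROUP, BASTIONS, CHECK_HOST = "sysadmins", "bastions", "bastion1.example.test"


def password_policy_cmds(group, *, min_length=14, max_life_days=180, min_life_hours=1,
                         history=10, min_classes=3, max_fail=5, fail_interval_s=60,
                         lockout_s=600, priority=10):
    """Group password policy. ipa takes --maxlife in days, --minlife in hours and
    --failinterval/--lockouttime in seconds; when a user is in several groups with
    policies, the one with the lowest --priority value applies."""
    return [["ipa", "pwpolicy-add", group,
             f"--minlength={min_length}", f"--maxlife={max_life_days}",
             f"--minlife={min_life_hours}", f"--history={history}",
             f"--minclasses={min_classes}", f"--maxfail={max_fail}",
             f"--failinterval={fail_interval_s}", f"--lockouttime={lockout_s}",
             f"--priority={priority}"]]


def hbac_cmds(rule, group, hostgroup, services=("sshd",)):
    """Host-based access control: which group may reach which host group through which services."""
    cmds = [["ipa", "hbacrule-add", rule, f"--desc={group} may use {', '.join(services)} on {hostgroup}"],
            ["ipa", "hbacrule-add-user", rule, f"--groups={group}"],
            ["ipa", "hbacrule-add-host", rule, f"--hostgroups={hostgroup}"]]
    cmds += [["ipa", "hbacrule-add-service", rule, f"--hbacsvcs={svc}"] for svc in services]
    return cmds


def sudo_cmds(rule, group, hostgroup, commands):
    """Limited privilege elevation: only the listed commands, only on the host group, only for the group."""
    cmds = [["ipa", "sudocmd-add", cmd] for cmd in commands]
    cmds += [["ipa", "sudorule-add", rule],
             ["ipa", "sudorule-add-user", rule, f"--groups={group}"],
             ["ipa", "sudorule-add-host", rule, f"--hostgroups={hostgroup}"]]
    cmds += [["ipa", "sudorule-add-allow-command", rule, f"--sudocmds={cmd}"] for cmd in commands]
    return cmds


def ticket_policy_cmds(max_life_hours=10, max_renew_days=7):
    """Realm-wide Kerberos ticket policy: how long a granted ticket lasts and how long
    it may be renewed without re-authenticating. ipa takes both values in seconds."""
    return [["ipa", "krbtpolicy-mod",
             f"--maxlife={max_life_hours * HOUR}", f"--maxrenew={max_renew_days * DAY}"]]


def hbac_check_cmd(user, host, service="sshd"):
    """Evaluate the HBAC rules for one user/host/service without logging in, to confirm
    the rule set does what was intended before anyone depends on it."""
    return ["ipa", "hbactest", f"--user={user}", f"--host={host}", f"--service={service}"]


def full_plan():
    """Order matters: the replacement HBAC rule must exist before the default
    allow_all rule is disabled, otherwise every login is refused in between."""
    plan = password_policy_cmds(ADMIN_GROUP)
    plan += hbac_cmds("admins_ssh_bastions", ADMIN_GROUP, BASTIONS)
    plan += [["ipa", "hbacrule-disable", "allow_all"]]
    plan += sudo_cmds("admins_manage_services", ADMIN_GROUP, BASTIONS, ["/usr/bin/systemctl"])
    plan += ticket_policy_cmds()
    plan += [hbac_check_cmd("alice", CHECK_HOST)]
    return plan


def render(plan):
    """Shell-quoted lines, suitable for review before execution."""
    return "\n".join(shlex.join(cmd) for cmd in plan)


def run_plan(plan, execute=False):
    """execute=False returns the script only; execute=True also runs each command
    (requires a Kerberos ticket for an IPA administrator, e.g. after `kinit admin`)."""
    if execute:
        for cmd in plan:
            subprocess.run(cmd, check=True)
    return render(plan)


if __name__ == "__main__":
    print(run_plan(full_plan()))
```

Disabling `allow_all` is the step that turns HBAC from advisory into enforced; keeping the `hbactest` line at the end of the plan gives an immediate answer on whether the intended user still gets in, which is cheaper than finding out from a locked-out administrator.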