Design
An RSS system pays for itself by providing normal location-wide operations even when any one service or sub-component fails. Designed as an optimal answer when productivity depends on internet access, RSS supports, at every point including internet connectivity, no fewer than two ways forward, often three or more — each fully capable on its own, always contributing, and automatically taking over when needed. An RSS ‘core belief’ is the old phrase: “When time matters: two is one, and one is none.” Because we know it is ‘when’ and not ‘if’ every component will fail, today’s affordable computing costs make it ‘time’ for your location to keep things normal when parts fail — choose our high-availability RSS design.
In the case of internet service, RSS provides connections for up to seven internet service providers at the same time, only one of which need be operative to provide all functions — including remote users as well as location wired / wifi access. You can even designate a mobile phone hotspot as a backup internet service provider.
From time to time RSS sends notice of an internet outage at a client’s location; because RSS has already shifted automatically to an alternate provider, that notice arrives while the outage is still in progress — via the internet!
It’s a great peace-of-mind, morale-boosting, staff-scheduling and cost-saving design — repairs can take place during normal business hours, usually without disruption, and very rarely amounting to more than scheduled maintenance.
RSS installations do not require ‘internet routers’ or ‘gateways’, as those are often themselves single points of failure and so are not acceptable in an RSS design. The capabilities and structural details are listed below.
RSS provides an extensive roster of networking administration tools, almost none of which small offices need to manage or even read about. Those responsible in larger organizations will find them fully capable and detailed enough to integrate into the largest existing structures. RSS checks all the feature, device-compatibility, performance, scale and security boxes, from the simplicity and maintainability needs of a small office to the administration requirements of a multi-location, multi-domain organization.
Highlights of the networking / VPN remote-host and networking admin gate subsystem capabilities and structural components are listed below.
This is ‘multi-ISP internet access in a cabinet’.
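The fail-over behaviour described above (several providers attached at once, only one of which has to work, a phone hotspot as the last resort) is easy to misjudge without seeing the state machine, so here is an added illustration of it in Python. This is not code from the RSS page or product; the uplink names, the probe results and the thresholds (three failed probes before an uplink is marked down, two good probes before it is trusted again) are constructed assumptions. A real deployment would replace the probe dictionaries with reachability checks sent out through each provider's interface.

```python
"""Multi-ISP uplink selection with fail-over and fail-back.

Added illustration, not code from the RSS page or product. It models the
behaviour the page describes: several providers attached at once, only one
of which needs to work, with a phone hotspot as a last-resort uplink.
Probe results below are constructed; a deployment would replace them with
real reachability checks sent through each provider's interface.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Uplink:
    name: str
    priority: int                  # lower is preferred; a hotspot gets a large number
    healthy: bool = True
    consecutive_failures: int = 0
    consecutive_successes: int = 0


class UplinkSelector:
    """Tracks probe results per uplink and chooses the one to route through."""

    def __init__(self, uplinks: List[Uplink], fail_after: int = 3, recover_after: int = 2):
        self.uplinks: Dict[str, Uplink] = {u.name: u for u in uplinks}
        self.fail_after = fail_after        # consecutive failed probes before marking down
        self.recover_after = recover_after  # consecutive good probes before trusting again
        self.active: Optional[str] = None
        self.events: List[str] = []

    def observe(self, probes: Dict[str, bool]) -> Optional[str]:
        """Apply one round of probe results and return the active uplink name."""
        for name, ok in probes.items():
            u = self.uplinks[name]
            if ok:
                u.consecutive_successes += 1
                u.consecutive_failures = 0
                if not u.healthy and u.consecutive_successes >= self.recover_after:
                    u.healthy = True
                    self.events.append(f"{name} recovered")
            else:
                u.consecutive_failures += 1
                u.consecutive_successes = 0
                if u.healthy and u.consecutive_failures >= self.fail_after:
                    u.healthy = False
                    self.events.append(f"{name} down")
        return self._choose()

    def _choose(self) -> Optional[str]:
        healthy = [u for u in self.uplinks.values() if u.healthy]
        if not healthy:
            # No internet at all: internal services continue, internet routing pauses.
            if self.active is not None:
                self.events.append("no uplink available")
            self.active = None
            return None
        best = min(healthy, key=lambda u: u.priority)
        if self.active is None:
            self.events.append(f"using {best.name}")
        elif best.name != self.active:
            # Fail back only to a strictly better provider; equal priority stays put.
            current = self.uplinks[self.active]
            if current.healthy and current.priority <= best.priority:
                return self.active
            self.events.append(f"switch {self.active} -> {best.name}")
        self.active = best.name
        return self.active


def run_scenario() -> Tuple[List[Optional[str]], List[str]]:
    """Constructed outage sequence: ISP A fails, then ISP B, then A returns."""
    sel = UplinkSelector([Uplink("isp-a", 1), Uplink("isp-b", 2), Uplink("hotspot", 9)])
    all_ok = {"isp-a": True, "isp-b": True, "hotspot": True}
    a_down = {"isp-a": False, "isp-b": True, "hotspot": True}
    ab_down = {"isp-a": False, "isp-b": False, "hotspot": True}
    b_down = {"isp-a": True, "isp-b": False, "hotspot": True}
    rounds = [all_ok, a_down, a_down, a_down, ab_down, ab_down, ab_down, b_down, b_down]
    timeline = [sel.observe(r) for r in rounds]
    return timeline, sel.events


if __name__ == "__main__":
    timeline, events = run_scenario()
    print("active uplink per round:", timeline)
    print("events:", events)
```

The thresholds give the selector hysteresis: a single lost probe does not flip the route, and a flapping provider has to stay good for several rounds before traffic returns to it. The hotspot carries traffic only while no wired provider is healthy, which is the priority ordering the page describes.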
- Integrated Subsystems:
  - RSS Monitor – Manages the integrity, status and configuration of all the services and providers. rssmonitor implements ‘gate’ virtual machines, each of which tracks the operation of the other and takes over as necessary; the primary gate routes all the VLANs, subnets and addressing-management subsystems comprising an RSS location installation.
  - DHCP Servers – Internet Service Consortium, ‘ISC’, has provided name-to-address services since 1994. RSS incorporates the latest ‘Kea’ DHCP servers to dispense IPv4 and IPv6 addresses to approved devices seeking connection to the local LAN. These are integrated into the local high-availability database infrastructure to provide long-term consistency and integration with the DNS and administrative subsystems.
  - Router Advertisement Services – Internet Protocol version 6 allows client devices and hosts that so desire to learn of gateways to non-local internet facilities through standard router advertisements. To avoid security issues, no internal RSS system relies on these advertisements, but RSS provides them for the benefit of client devices and desktop/laptop hosts that may expect them. RSS deploys the radvd subsystem.
  - High Availability Services Load Distribution, Monitoring/Routing – To provide its many services consistently, even when expected failures occur among some parts here or there, RSS maintains separate instances of near-identical cooperating subsystems for each major functional group. RSS uses the widely popular HAProxy package, initially developed in 2000 and maintained by HAProxy Tech LLC, on gateway virtual machines to monitor the health of all the subsystems and then share the load by distributing service requests among them. In addition, HAProxy and RSS provide a health and status reporting display.
  - Encrypted site-to-site and ‘road warrior’ VPN Services – Only if and when required by clients, RSS allows client data to move across the internet via encrypted virtual private networking links managed with the latest WireGuard technology. These links give client locations, ‘road warriors’ and home-based staff access as if located within a client location. (If only remote ‘sync’ access is needed, such as to selected files, directories, email, calendars and similar, RSS provides more specific and secure Nextcloud-based alternatives.) When more integrated remote access is required, or a client wishes to use the internet to link departments separated too far for a direct wired link, RSS provides the service using WireGuard and custom certificates specific to each client location. WireGuard aims to be faster, simpler, leaner and more useful than IPsec, while avoiding IPsec’s legendary administrative overhead, and it is considerably more performant than alternatives such as OpenVPN.
  - Provisioning – Via ‘syslinux’, ‘pxe / pxelinux’ and NFS, client systems with nothing but network access can choose from a large menu of operating systems to install, disk-cloning capabilities, memory testing and more. “Internet of Things” devices such as IP telephony and security, production control and monitoring can get customized software updates, configuration files and access to safe and redundant storage. Both ‘BIOS’/legacy modes and signed UEFI modes are supported. Read-only file access is available to local network devices via the http, https, tftp and NFS version 4 protocols.
  - Firewall / Antivirus – RSS deploys the highly performant nftables technology to provide customized firewall and routing services. Because of its great compatibility and Linux integration, many optional subsystems are available to give clients options for ‘hands-on’ monitoring and performance reporting. While other RSS subsystems provide more traditional antivirus scanning, the RSS firewall implementation itself blocks many virus exploit methods.
  - Date / Time – Implemented in two parts, the RSS Date/Time system offers time service in a highly available fashion, designed to keep your site activity private and the time reference rock steady: it is buffered against jitter when individual systems fail. Many highly available subsystems rely on high-accuracy clock agreement, so RSS provides it.
    - The first half establishes a location-wide, highly stable reference time, implemented by the designed-with-security-first NTPSec package. Running on a physically secure sub-network on each bare-metal server, RSS manages a single authoritative instance with the rest as always-in-sync hot backups. By default only one instance references a variety of internet sources, guaranteeing a very stable and monotonic time base and shielding per-host site metadata from the public. The reference time source can be redefined as a local device that never relies on the internet, such as a GPS receiver or other client-supplied device. This ‘timeserver’ host is advertised to all connected systems as the authoritative, site-wide reference clock and is compatible with all known operating systems in use.
    - The second half of the time system is the ‘client packages’: the program on each of the many RSS hosts and, at the client’s option, on any other device, host or system. The widely popular and compatible chrony package syncs all RSS systems other than the bare-metal servers.
  - Security Technologies – To avoid giving those with ill intent information, RSS server installations at client locations include further security-related technologies which are documented only for admin users. Beyond what is described publicly, however, nothing in RSS permits client data or metadata to leave the client’s installations.
- Foundational Subsystems:
  - MariaDB/Galera – Highly available multi-server SQL database engine, used by the gate systems in site-local mode (secure, high performance). A successor to MySQL.
  - Galera Cluster – SQL high availability: real-time synchronization of all the computers supporting SQL database operations.
  - Host OS: Ubuntu LTS running on either ‘bare metal’ or a virtual machine/KVM – Each RSS site supports not fewer than two simultaneously running gateway servers; even should only one be running, all services will appear normal. All routing and gateway functions are isolated in a virtual machine, both to protect the overall system from breaches and to allow installation of the latest routing-related patches without concern for dependencies and incompatibilities in unrelated subsystems. The underlying Linux distribution for the gate subsystem is Ubuntu. While ‘docker’ and related isolation technologies provide small speed advantages, virtual machine isolation remains the gold standard for security and is therefore the basis for the RSS firewall and routing systems.
- 1 to 7 internet service providers at each of up to 16 locations per department.
- Stability: so long as one internet service provider is working, anything that provides information to the internet from your systems, and anything your team needs from the internet, works as well. You can even use a cell phone as an emergency hotspot ISP. And yes — the email and websites hosted at your location remain available worldwide even though the addresses your ISP provides may change without notice. No ‘static IPs’ are required of the internet service provider.
- Better: since by design no information leaves your location unless it absolutely needs to cross the internet, all data and RSS services hosted at a location remain available even when all internet service providers fail.
- Inclusive: no third-party router required. Every RSS server has one dedicated ethernet NIC (10 Gb, 1 Gb or 100 Mb) set aside for a direct connection to an internet service provider. (If there are fewer internet service providers than servers at a location, high availability is improved by connecting several servers to the same ISP via an unmanaged switch.) (Note: to offer high availability when servers fail, every RSS installation has at least 4 internet-capable servers; so long as two are working, your systems are ‘up’.) For installations that require routers between the internet service provider and RSS, all functions will work so long as DHCP is provided on the connection to the RSS server.
- Optionally, up to 7 small wifi-capable laptops located anywhere in an installation can be repurposed to act as if they were an ethernet connection to an ISP — via a cell phone’s wifi hot-spot capability. Speeds will be limited to that service’s capability, but all operations will remain functional. The system will fail over to working hotspots when needed.
- Up to 16 locations can be identified as ‘the same department’ or ‘squad’; so long as at least one internet service provider is working at each location, all will appear as if housed in the same building, and a device plugged into one can be reached from any. RSS provides an auto-configured site-to-site VPN powered by the latest encryption via WireGuard, using security certificates and keys particular to each location and created/maintained there. Even so, only traffic that needs to travel among locations crosses the internet.
- Larger organizations can group departments together, providing access to intra-organizational private services such as company restricted websites, media, files, etc. (Groups of departments or ‘squads’ are termed rss ‘echelons’).
- Only if your installation requires more than the ability of your team to make use of the internet (such as hosting websites available to the general public, connecting buildings that have no direct connection, or allowing ‘road warriors’ VPN access): RSS maintains cloud-based routers that offer the fixed addressing necessary (IPv4 and IPv6).
- Road Warrior / VPN access: up to 1K external systems per department can be allowed VPN access, and when connected will function entirely as if located within a department/squad. These systems can be people using desktops, laptops or mobile devices, or dedicated ‘internet of things’ devices. Each is assigned a fixed internal address, optionally with Kerberos security layered atop WireGuard security, and custom, automatically generated per-device certificates/keys as well.
- Provisioning – Any device with a local network physical connection (laptop or desktop, server, ‘internet of things’ or ‘system on a chip’ custom / special purpose), with nothing else pre-installed or temporarily plugged in, can ‘boot over the net’ or obtain configuration and/or updates, including entire operating system installations or just storage backup/copying/diagnosis. Whole groups of similar devices can share setup files, and particular devices can have setups specific to just them.
- Integrated DHCP/DNS with easy identification of fixed-address or ‘static’ devices — complete with optional auto-generated SSL certificates and kerberos security accounts (called ‘principals’), even email addresses.
- Verified accurate and highly available by dozens of other services worldwide. Includes the latest DNSSEC security validation enhancements.
- Native ‘in house’ name servers / name resolution. Highly performant, and prevents data leaks: only the web sources involved in providing information sought by clients, and the internet carriers involved, can learn metadata about which businesses your firm is contacting and when: an end to ‘data-mining’ by third parties watching client web activity.
- Domain name-server hosting — for any number of client domains. Just point your domain registrar’s system to your RSS public IP addresses (optional) and your in-house DNS resolvers will manage all aspects of DNSSEC and field public domain and sub-domain resolution queries. Administration is via the “DNS” section of the Admin GUI.
- All attached devices are automatically assigned numerical addresses and loaded into DNS with their hostnames (with automatic duplicate-name resolution). Hardware-specific parameters such as MAC addresses and other details are automatically presented in the RSS GUI, with automatic expiration pruning.
- Authorized administrators can use a GUI to review currently active device details and designate chosen devices as permanent fixed-address.
- The hostname of each connected device is loaded into the RSS site-private domain name system. The system resolves addresses to the hostname of the device, and allows those who know the hostname to obtain the device’s address (both IPv4 and IPv6). Provision is made to create hostnames for devices that do not provide one, and to resolve collisions among devices offering the same name.
- Administrators may use the GUI to designate any connected system a ‘device’, which causes RSS to assign a fixed address and name, meaning the device, such as a printer, will always get the same address every time it is turned on no matter how long it may have been disconnected. The system automatically manages the technical details regarding ‘MAC’ addressing and the like; administrators need only change the text string ‘dhcp’ to ‘device’ in the GUI to get this service.
- Connected systems designated as ‘devices’, in addition to the fixed addressing noted above, are automatically issued SSL certificates and keys, along with Kerberos ‘principal’ names and, optionally, email addresses and other service accesses normally limited to people — all maintained by RSS. More advanced ‘internet of things’ devices can load department-specific security keytabs and certificates to provide site-local encryption and enhanced integration and security.
- Advanced applications can integrate a limited number of ‘cloud servers’: special-purpose single devices connected from anywhere that act as if within a department or location, yet are external and provide capabilities of the client’s choosing. Think of it as something in between a ‘road warrior VPN’ connection and a device within an established department location. For example, a quantum computer or other special-purpose high-performance device shared among locations.
- Advanced firewalls, logging and monitoring. Each RSS installation has at least two ‘gate’ internal routers, an active router and a hot standby, each isolated in its own virtual machine. The full suite of logging, diagnostic and related capabilities is there and can be extended to the limit of the technologies available today.
- Time Service: each RSS system maintains multiple internal time servers and publishes the address of one of them as the reference for the overall location. One server occasionally references external time services, but your company’s information layout and activity metadata are not leaked to seemingly innocuous ‘time service providers’, since all requests for time-of-day and date information are served internally. These repeated requests from every device in your organization never cross the net and so cannot be logged, mapped or disrupted by the various denial-of-service attacks that aim to corrupt data by confusing participating systems as to which has the latest information.
- ‘Public’ or ‘Guest’ access: each RSS server optionally provides a ‘guest’ ethernet port. Anything plugged into it can access the internet as if in a coffee house, but otherwise has no more access to company systems than the general public. No amount of ‘packet spoofing’ can overcome the security provided by the segregated port and related internal isolation technologies.
- WIFI Access Points: Access to RSS services by other than wired lan connections is via wifi access points of the client’s choosing connected to the lan switch as any wired system might. As of 3/2022: Access points need provide nothing other than wifi connectivity.
- High Availability: there is no single point of failure within the RSS design (so all internal services work even when the internet does not); you have until the second unit of a kind breaks to get the first one fixed. However, if you have but one internet service provider to a location, access to the internet from within your location and access to your location’s capabilities from outside will depend on that service. Remember: two is one, and one is none. If you require any manner of internet connection to accomplish your work, at least for your primary location get a second ‘on-ramp’ to the internet, even if it is a cell-phone hotspot and wifi. Many internet service providers offer affordable backup service plans.
- Local “ISP restricted” services remain available even when hosting publicly available websites and capabilities. Companies such as Hulu, Netflix and many internet service providers limit their services to clients they can prove are locally connected. People using systems connected at RSS locations, when reaching out to the internet, use what their internet service provider considers ‘normal and approved’ addresses and methods, so all purchased services remain available. Activities that require client-specific ‘static global’ IP addresses, such as hosting websites or sending/receiving email, use those addresses only in the context of those specific services. This is a competitive feature of the RSS design: you get access to everything your ISP provides, in addition to globally fixed addressing and its benefits.
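The DHCP/DNS integration items above (every attached device published in the site-private DNS under its hostname, generated names for devices that offer none, duplicate-name resolution, and the ‘dhcp’ to ‘device’ designation that pins an address to a MAC) describe a small registry whose edge cases are easiest to see in code. The following Python is an added illustration of that logic, not code from the RSS page or product, and it does not model Kea or any real DHCP server: the address pool, the zone name `office.lan`, the MAC addresses, the `dev-` prefix for generated names and the `-2`, `-3` suffix scheme for collisions are all constructed assumptions.

```python
"""Lease-to-DNS registration with generated names, collision handling and
'device' reservations.

Added illustration, not code from the RSS page or product. It mirrors the
behaviour described on the page: each device that takes a lease is published
in the site-private DNS under its hostname, devices that offer no usable name
get a generated one, two devices claiming the same name are told apart, and
flipping a record from 'dhcp' to 'device' pins its address to its MAC so it
survives expiry. Pool, zone, naming scheme and leases are constructed values.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional

LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_label(offered: Optional[str], mac: str) -> str:
    """Turn an offered hostname into a valid DNS label, or derive one from the MAC."""
    if offered:
        label = re.sub(r"[^a-z0-9-]+", "-", offered.strip().lower()).strip("-")[:63]
        if LABEL_RE.match(label):
            return label
    # No (usable) hostname offered: name the device after the tail of its MAC.
    return "dev-" + mac.lower().replace(":", "")[-6:]


@dataclass
class Record:
    name: str                    # unique label within the zone, e.g. printer-2
    mac: str
    ip: ipaddress.IPv4Address
    mode: str = "dhcp"           # 'dhcp' = dynamic lease, 'device' = reserved


class Registry:
    """Site-private forward/reverse records keyed by MAC and by name."""

    def __init__(self, pool: str, zone: str):
        self.zone = zone
        self.pool = list(ipaddress.ip_network(pool).hosts())
        self.by_mac: Dict[str, Record] = {}
        self.by_name: Dict[str, Record] = {}

    def _unique_name(self, label: str) -> str:
        # A second device offering an existing name becomes name-2, then name-3, ...
        if label not in self.by_name:
            return label
        n = 2
        while f"{label}-{n}" in self.by_name:
            n += 1
        return f"{label}-{n}"

    def _free_ip(self) -> ipaddress.IPv4Address:
        used = {r.ip for r in self.by_mac.values()}
        for ip in self.pool:
            if ip not in used:
                return ip
        raise RuntimeError("address pool exhausted")

    def lease(self, mac: str, offered_hostname: Optional[str]) -> Record:
        """Hand out (or re-confirm) a lease and publish the device in DNS."""
        mac = mac.lower()
        existing = self.by_mac.get(mac)
        if existing is not None:
            return existing      # a known MAC keeps its name and address
        name = self._unique_name(normalize_label(offered_hostname, mac))
        rec = Record(name, mac, self._free_ip())
        self.by_mac[mac] = rec
        self.by_name[name] = rec
        return rec

    def expire(self, mac: str) -> bool:
        """Prune a dynamic record; reserved 'device' records are never pruned."""
        rec = self.by_mac.get(mac.lower())
        if rec is None or rec.mode == "device":
            return False
        del self.by_mac[rec.mac]
        del self.by_name[rec.name]
        return True

    def designate_device(self, name: str) -> Record:
        """The admin's 'dhcp' -> 'device' change: pin name and address to the MAC."""
        rec = self.by_name[name]
        rec.mode = "device"
        return rec

    def resolve(self, fqdn: str) -> Optional[str]:
        """Forward lookup, e.g. printer-2.office.lan -> its address."""
        suffix = "." + self.zone
        label = fqdn[:-len(suffix)] if fqdn.endswith(suffix) else fqdn
        rec = self.by_name.get(label)
        return str(rec.ip) if rec else None

    def reverse(self, ip: str) -> Optional[str]:
        """Reverse lookup, e.g. an address -> printer-2.office.lan."""
        target = ipaddress.ip_address(ip)
        for rec in self.by_mac.values():
            if rec.ip == target:
                return f"{rec.name}.{self.zone}"
        return None
```

Two points worth noticing: a name collision is resolved by suffixing the later arrival rather than overwriting the earlier record, so a rogue or misconfigured device announcing an existing hostname cannot hijack that name's DNS entry; and expiry refuses to prune a reserved record, which is what makes a designated printer keep its address no matter how long it has been unplugged.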