Example setup for startup business:

LMNOP Ltd Small Business example:
(Last Man Not On Pills)

  • Fewer than 6 EIT users
  • 1 site
  • Regular remote working required
  • Sensitive information
  • Occasional subcontractor staff
  • Occasional client visits to site

EIT hardware/external subscription services:

  1. Consumer grade custom tower server (host) based on AMD AM4 Ryzen 8-core processor (~GBP 1,750)
    • 32 GB RAM (more if possible; ECC preferred, depends on motherboard support)
    • 2 x 250GB SATA III SSD
    • 4 x 4TB SATA III HDD
    • 6 x Internal SATA ports total
    • 2 x ethernet ports (preferred, single port can be made to work)
  2. 8 port vlan-capable (semi-) managed switch (eg TP-Link TL-SG2008, ~GBP 50)
    • Multiple vLANs for management, users, servers, DMZ (web site), guests
  3. Multi-vlan WiFi Access Point (eg TP-LINK Wireless N Access Point WA901ND, ~GBP 40)
    • WiFi SSIDs for users and guests vLANs
  4. Printer (B/W or colour and paper sizes as appropriate – avoid inkjet! ~GBP 300)
  5. Internet service delivered on ethernet (eg ADSL ‘modem’ with ethernet port, ~GBP 600/yr)
    • Static IP address
    • Registered domain name (eg lmnop.co.uk, ~GBP 20/yr)
  6. First year cost ~GBP 2,740 (plus user workstations/laptops)

Host server configuration:

  1. FOSS operating system (eg Ubuntu 16.04 LTS)
    • Configure partitions in 2 x SSD in RAID 1 array (software RAID)
    • Install OS on RAID (leave 100GB+ unpartitioned)
  2. QEMU/KVM based virtual machine manager software
    • Configure multiple vLANs for management, users, servers, DMZ (web site), guests
  3. ZFS (storage management) with scheduled snapshot management
    • Configure 4 x 4TB drives as RAID-Z2 array
    • Configure 2 x 70GB partition on SSD as cache
    • Configure 2 x 4GB partition on SSD (mirror two partitions) as ZIL (“intent log”, write cache)
  4. Environment
    • No keyboard/monitor/mouse except during initial setup or major maintenance
    • Adequate ventilation – should not need air-con
    • Reliable mains electricity – 500W UPS otherwise
    • Physical security against theft
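Added example, not part of the original post: the ZFS layout from item 3 above expressed as zpool/zfs commands, with a snapshot and retention routine for cron. The pool name and device names (/dev/sda–sdd for the HDDs, /dev/sde3, /dev/sdf3, /dev/sde4, /dev/sdf4 for the SSD partitions) are assumptions; on a real host use the stable /dev/disk/by-id paths.

```shell
#!/bin/sh
# Added example (not from the original post): RAID-Z2 over 4 x 4TB, two mirrored
# 4GB SSD partitions as ZIL/SLOG, two 70GB SSD partitions as L2ARC cache, plus
# scheduled snapshots with a retention rule.  Device and pool names below are
# assumptions.  DRY_RUN=1 (the default) prints commands instead of running them,
# so the layout can be reviewed before any disk is touched.
set -eu
DRY_RUN="${DRY_RUN:-1}"
POOL="${POOL:-tank}"
HDDS="${HDDS:-/dev/sda /dev/sdb /dev/sdc /dev/sdd}"   # 4 x 4TB data disks
SLOG_PARTS="${SLOG_PARTS:-/dev/sde3 /dev/sdf3}"       # 2 x 4GB, mirrored (ZIL)
CACHE_PARTS="${CACHE_PARTS:-/dev/sde4 /dev/sdf4}"     # 2 x 70GB, striped (L2ARC)

run() {  # print or execute a command, depending on DRY_RUN
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ashift=12 matches 4K-sector drives and cannot be changed after creation.
# A failed L2ARC device loses no data, so the cache is striped; a failed
# SLOG device can lose in-flight writes, so the log is mirrored.
create_pool() {
  # shellcheck disable=SC2086  # word-splitting the device lists is intended
  run zpool create -o ashift=12 -O compression=lz4 -O atime=off "$POOL" \
    raidz2 $HDDS log mirror $SLOG_PARTS cache $CACHE_PARTS
}

# One dataset per VM so quotas, snapshots and rollbacks stay independent.
create_datasets() {
  for ds in vms vms/firewall vms/mail vms/web vms/xmpp; do run zfs create "$POOL/$ds"; done
}

# Recursive snapshot of the whole pool, tagged with the UTC time (run from cron).
snapshot_all() { run zfs snapshot -r "$POOL@auto-$(date -u +%Y%m%d-%H%M)"; }

# Retention rule as pure text processing: read pool-level snapshot names
# oldest-first on stdin and print those older than the newest $1.
prune_candidates() {
  awk -v keep="$1" '/@auto-/ { n[++c] = $0 } END { for (i = 1; i <= c - keep; i++) print n[i] }'
}

# Destroy old automatic snapshots (and their per-dataset children), keeping the newest $1.
prune_snapshots() {
  zfs list -H -t snapshot -o name -s creation -d 1 "$POOL" | prune_candidates "${1:-30}" \
    | while IFS= read -r snap; do run zfs destroy -r "$snap"; done
}

case "${1:-}" in
  setup)    create_pool; create_datasets ;;
  snapshot) snapshot_all ;;
  prune)    prune_snapshots "${2:-30}" ;;
esac
```

Run `sh zfs-layout.sh setup` once to review the commands, then `DRY_RUN=0` to apply; `snapshot` and `prune 30` are the two cron entries.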

Software/application configuration:

  1. VM (virtual machine) for firewall
    • Multiple NICs, one connected to each vLAN
    • Install pfSense firewall (BSD based)
      • Snort package
      • HAproxy package
      • Tinc package
  2. VM for e-mail, calendar, contacts and tasks
    • Connect to Servers vLAN
    • Install Zimbra Community edition
  3. VM for external web server
    • Connect to DMZ vLAN
    • Install LAMP stack (Linux, Apache, MySQL, PHP)
    • Install NextCloud
      • Calendar package
      • Contacts package
      • Tasks package
      • TOTP package
      • Collabora package
      • Video calls package
      • Notes package
  4. VM for online office application
    • Connect to DMZ vLAN
    • Install Docker engine
    • Set up Collabora Docker image
  5. VM for XMPP (chat) server
    • Connect to DMZ vLAN
    • Install eJabberd
  6. VM for monitoring
    • Connect to management vLAN
    • Install Zabbix, Nagios or Icinga (Nagios fork)
  7. VM for vulnerability management
    • Connect to DMZ vLAN (initially)
    • Install OpenVAS
    • Install OWASP ZAP
  8. VM for SSL certificate subscription
    • Connect to users vLAN
    • Install Certbot (Let’s Encrypt client)

Limitations/caveats/recommendations and other considerations:

  1. Single server, all data stored locally. Risk of loss due to fire/theft/damage. Growth is limited.
    • Position server to avoid risk of impacts, flood, spillages, heat sources, theft
    • Consider second server in separate room as backup/replica
    • Monitoring of server health is essential – single point of failure
    • Storage service requires plenty of memory. So do running Virtual Machines.
  2. Single site
    • Consider second server in separate site as backup/replica
      • Consider using owner’s/trusted employee’s home
      • Check impact on insurances
      • Check impact on data security/access/theft
      • Check impact on network bandwidth for data replication
    • Use commercial cloud instead?
      • Costs. Lower CapEx, higher running costs
      • Risk of vendor lock in
      • Higher integration/customisation costs
      • Where is your data stored?
  3. Business growth. Successful businesses will grow.
    • Effective monitoring will foresee EIT growth requirements
    • Business expansion planning must include EIT provision
    • Exploit growth opportunities to add resilience to EIT – not just capacity
  4. External support
    • Be a smart customer – understand what you’re buying
    • Purchase appropriate external support if you cannot maintain internal capabilities
    • Conform to standards – it helps if you need ad-hoc external support
    • What relationship does the business want with its EIT support? Purely commercial/waged or mutual loyalty?
