We trust what we know. And we need to trust the IT infrastructure that supports our daily activity to rest assured and to actively contribute to the reinforcement of its security. Therefore, this is a high-level presentation of INESC TEC’s IT physical and systems architectures, avoiding technical details. Most of what is presented here is already implemented. There are, however, some aspects still in the process of implementation. We would like to thank Gil Coutinho (Computer Network Service) and Jaime Dias (Systems Administration Service) for their collaboration.
The computer infrastructure is based on two modern and well-equipped data centres (A and B) that function as redundant for most of the basic services, despite being in adjoining buildings. Internet access is provided directly by FCCN at 10Gbit/s, with a redundant connection under completion. The data centres are protected by two redundant firewalls and have been progressively hosting more and more services and servers, properly managed and supported.
The network is logically divided into multiple VLANs to allow proper management of each segment. Direct access from the outside via public IP is carefully monitored and must be justified to minimise exposure to attacks. There are servers physically outside the data centres, which increases the responsibility and logistics of the research centres that maintain them and, even worse, operationally outside the firewall, which represents exceptional situations, currently under analysis.
The network services guarantee connectivity at 1Gbit/s on the various floors of the headquarters buildings and on the laboratories in the FEUP buildings – and will do so in the future on iiLab. The connection between the two data centres is at 40Gbit/s, and the upgrade to 100Gbit/s is being concluded. An intrusion detection system is operational to prevent situations of potential success from one of the many attacks that take place daily.
More than 40 servers are housed in the data centres, with an aggregate capacity of 1000 CPU cores, 350000 GPU cores and 10 TB of RAM, and a shared storage unit with 200 TB of capacity, where more than 300 virtual machines and the data from the services provided are stored. The virtualisation platforms associated with hardware, power and network redundancies, allow the virtual machines to continue to operate normally in case of common components’ failure and during maintenance periods of the network and servers’ equipment.
The data centres support:
- the central management information systems, such as IRIS, the intranet, the personnel database, the institutional and data repositories, or the website;
- cross-cutting systems such as email, drive, chat, gitlab, surveys system, Moodle, etc.
- the virtual machines and GPU servers used for research.
All relevant systems are actively monitored by a vulnerability detection system. Access to most of these systems is controlled by an LDAP directory directly fed by the human resources database.
Data is systematically backed up to a secondary storage unit, properly isolated from the operational systems. There is also another backup layer for a magnetic tape system, with storage outside the headquarters building.
The measures to increase security also include the creation of a disaster recovery centre, physically located at the University of Minho – which will initially support email and some network services.
Naturally, actions to increase computing and storage capacity, the design of good network, systems and information architectures, and the adoption of monitoring, backup and recovery procedures are essential to achieve secure systems. But they are clearly insufficient if researchers and other users do not proactively adopt good practices in their daily activity.
Gabriel David, Member of the Executive Board