Knowledgebase

GDC Infrastructure

Government Data Center (GDC) Infrastructure

Government Data Center (GDC) infrastructure is housed in Thimphu Tech Park Limited (TTPL), on a 1000 sq ft block. All required facilities are installed and operational: dual-feed power redundancy, a diesel generator, Uninterruptible Power Supply (UPS), redundant connectivity from ISPs (minimum of 10 Mbps each from BT and TashiCell) and the Thimphu Wide Area Network (Government Network) with high bandwidth capacity, fire suppressants, a Network Operation Center (NOC), a Media Distribution Center (MDC), a Building Management System with surveillance CCTV, and biometric authentication.

GDC is a Tier-2 data center based on design principles such as reliability, availability, serviceability and scalability. The GDC facility is tested to ensure performance over time without failing.

Any agency of RGoB can host its system at GDC free of cost, provided that the system is approved by eGIF.

Video about GDC Infrastructure (Accessible only for RGoB)

Infrastructure As A Service

GDC is based on the model of Infrastructure As A Service where storage, network, compute and server resources are provisioned and managed by GDC.

GDC Backup System

GDC's primary backup system is hosted at the TWAN/GovNet server room located at DITT. GDC also keeps a secondary backup on a tape library.

The backup policy for a system depends on the system and its criticality. The policy can be discussed with GDC and implemented accordingly.

GDC Network Accessibility

GDC has redundant internet connections, with a leased line of at least 10 Mbps each from BT and TashiCell.

GDC is also a member of BtIX, with a 1 Gbps fiber connection.

GDC is also connected to TWAN/GovNet with a 10 Gbps fiber connection.

GDC Services

GDC Space Request

An agency can submit a server request form from the GDC website:

https://www.neyduetewa.gov.bt/?page_id=93

When a server request form is submitted, the GDC team receives an email notification. The GDC team then evaluates the request and processes it further.

“neyduetewa” is the translation of “data center” in the national language, Dzongkha.

GDC Staging & Production Environment

GDC space allocation will generally be completed within 3 days, and user credentials will be shared with the agency’s ICT personnel through Mailvelope (refer to the “Creating Mailvelope Account for pgp Email Encryption” section). The space provided will be in the staging environment.

Once staging space is provided, the agency is required to migrate a copy of the system to it. The GDC Security Operations Center (SOC) team and the Bhutan Cyber Incident Response (BtCIRT) team will then scan the system for vulnerabilities and provide an advisory on vulnerability fixes if any are found. Only after the GDC SOC team declares the system clean is the system processed and migrated to the production environment by GDC.

An agency and GDC are mandated through APA to migrate the system to the production environment within 5 weeks after staging space is provided.

GDC Ticketing System

After a system has been successfully migrated to the GDC production environment, the system owner is required to create a user account in the GDC Ticketing System to raise any future issues regarding the system.

When a ticket is raised, a notification is automatically sent to the GDC Team and the GDC Support Team. The ticket will be attended to as soon as possible, and the GDC Team will strive to address it within a day.

Ticket status can also be tracked by the individual who raised it.

GDC VPN Facility

An agency can use a VPN connection to reach its server in GDC from the internet where there is no GovNet connection. To obtain one, the agency needs to raise a ticket asking for a VPN connection. VPN credentials will then be created and shared with the agency.

To establish a VPN connection, the system owner needs to install the Cisco AnyConnect VPN client on their machine:
-> Visit the GDC VPN server site https://secure.neyduetewa.gov.bt
-> Use the provided VPN credentials to log in
-> Follow the instructions; download and install the client

Once the client is installed, enter “https://secure.neyduetewa.gov.bt” to connect to the GDC VPN server, and then enter the provided VPN credentials to establish the connection.

GDC Policy

Ports Policy

GDC implements port whitelisting at the network level. Only TCP port 80, TCP port 443 and ICMP are allowed in the GDC network.

Any other port, if required, must be requested from GDC with justification through the GDC ticketing system.

Anyone requiring access from the global network should use the GDC VPN facility.
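A system owner can check a staging server against this policy before migration by listing which listeners would need a ticket. The script below is an added example, not GDC tooling; the function name and the sample `ss` output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not GDC tooling): list listening sockets that fall outside
# the GDC port whitelist (TCP 80, TCP 443) so they can be closed or justified
# in a ticket. Input: output of `ss -H -tuln`, one socket per line.

unapproved_listeners() {
    awk '
    {
        n = split($5, part, ":")            # local address:port is column 5
        port = part[n]
        addr = substr($5, 1, length($5) - length(port) - 1)
        # Loopback-only listeners are not reachable from the network.
        if (addr ~ /^127\./ || addr == "[::1]") next
        # Whitelisted by the ports policy.
        if ($1 == "tcp" && (port == "80" || port == "443")) next
        print $1 "/" port, addr
    }' | LC_ALL=C sort -u
}

# Constructed sample of `ss -H -tuln` output (not taken from a real server).
SAMPLE_SS='tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      151        127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      244          0.0.0.0:5432       0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:123        0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | unapproved_listeners

# On a real server:  ss -H -tuln | unapproved_listeners
```

ICMP has no listening socket, so it does not appear in this check.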

Highlights from GDC Policy

Responsibilities of the System Owner, GDC Technical Support Team and BtCIRT are as follows:

System Owner
Composition: Concerned agency
Responsibilities:
1. Configure, maintain, manage, update and patch applications/databases and operating systems (OS) hosted in GDC.
2. Ensure the OS/application’s compliance with security requirements as per BtCIRT’s baseline requirement.
3. Patch and update application and OS vulnerabilities based on BtCIRT’s security requirement.
4. Seek storage, compute and network resources to host the application in the GDC.
5. Carry out migration of the application to GDC.
6. Consult with the GDC and BtCIRT teams on security requirements of applications.

GDC Technical Support Team
Composition: Technical team of concerned contractor
Responsibilities:
1. Configure and set up new virtual platform.
2. Allocate resources such as memory, storage, processor, network.
3. Provision and manage IP addressing scheme.
4. Implement firewall security policy(ies) needed for system management and accessibility.
6. Patch and update OS of network devices (firewall, router, switches, storage).
7. Ensure the hardware contingencies are maintained throughout operation of GDC networks and services.
8. Monitor availability and utilization of server/storage/network resources.
10. Provide 24/7 or 9/5 on-call support, as specified for each supported server or device.
11. Diagnose and rectify hardware problems.
12. Configure, maintain and monitor servers such as DNS, Log Server, NTP, NMS and other critical servers required to operate GDC infrastructure.

BtCIRT
Responsibilities:
1. Decision on application’s criticality level (basic | medium | CII).
2. Compliance audit against security requirements (initial, final, yearly) and decision for GO / Not GO.
3. Periodic vulnerability scanning according to asset criticality.
4. Basic incident detection activities through deployed sensors.
5. Incident handling activities once an incident is detected.
6. Escalation to System Owner → PMU → Management in case of major security compliance issues.

For more details please refer to the document.

Linux Tutorials

Getting Sudo Privileges

$ sudo su -           # switch to the root user
                      # enter the current user's password to get root privileges

Establishing SSH Remote Connection

$ ssh user_account@ip_address
        /etc/ssh/ssh_host_*_key.pub    # files on the host server where its public host keys are stored
        ~/.ssh/known_hosts             # file on the local machine where the host's key is recorded

Setting Up SSH with Public Private Key

(For Linux/BSD)

***On your local machine***
$ ssh-keygen                               # generate a public/private key pair
$ ssh-copy-id user_account@ip_address      # copy the public key to the destination host server
$ ssh-add                                  # load the private key into the agent so that you don't have to enter the passphrase every time
$ ssh user_account@ip_address

        ~/.ssh/id_rsa                               # file on the local machine where the private key is stored (the name depends on the key type, e.g. id_ed25519)
        /home/user_account/.ssh/authorized_keys     # file on the host server where ssh-copy-id stores the public key

$ ssh-add -l                               # see what identities (decrypted private keys) your agent has in memory
$ ssh-add -D                               # forget all identities
$ ssh-agent bash                           # start a new subshell with ssh-agent if you don't have an agent

For more information, see: ssh with public/private key; ssh authentication agent.

Configuring SSH to allow specific users

$ sudo vi /etc/ssh/sshd_config             # edit the configuration file /etc/ssh/sshd_config
     AllowUsers user1 user2 user3          # add this line towards the end of the file to allow ssh for only specific users,
                                           # then save and exit

$ sudo systemctl restart sshd              # restart the sshd service to apply the changes
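Once an AllowUsers line exists, every account not listed is refused, so it is worth confirming that your own account is covered before restarting sshd. The check below is an added example, not part of the original tutorial; the function name is hypothetical, it reads only the global section of the file (it stops at the first Match block), does not follow Include files, and ignores any @host part of a pattern.

```shell
#!/bin/sh
# Added example (not from the original page): lockout check for an
# AllowUsers edit. Exit status 0 = USER may still log in, 1 = locked out.
# Assumptions: global section only, Include files not followed, @host ignored.

user_allowed() (
    config=$1 user=$2 seen=0
    set -f                                   # do not expand * or ? against files
    while read -r keyword rest || [ -n "$keyword" ]; do
        # sshd_config keywords are case-insensitive.
        keyword=$(printf '%s' "$keyword" | tr '[:upper:]' '[:lower:]')
        case $keyword in
            match) break ;;                  # conditional blocks are out of scope
            allowusers) seen=1 ;;            # several AllowUsers lines accumulate
            *) continue ;;                   # comments, blanks, other keywords
        esac
        for pattern in $rest; do
            # Compare the user part only; patterns may contain * and ?.
            case $user in ${pattern%%@*}) exit 0 ;; esac
        done
    done < "$config"
    [ "$seen" -eq 0 ]                        # no AllowUsers at all: no restriction
)

# Constructed sample configuration for the demonstration.
demo_cfg=$(mktemp)
printf '%s\n' '# constructed sample' 'PermitRootLogin no' \
    'AllowUsers user1 user2 user3' > "$demo_cfg"
for u in user2 deploy; do
    if user_allowed "$demo_cfg" "$u"; then
        echo "$u: allowed"
    else
        echo "$u: would be locked out"
    fi
done
rm -f "$demo_cfg"

# On the server, before restarting (sshd -t validates the file's syntax):
#   user_allowed /etc/ssh/sshd_config "$USER" && sudo sshd -t && sudo systemctl restart sshd
```

Keep the current SSH session open while testing a new login in a second terminal, so a mistake can still be reverted.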

Other Resources