{"id":426,"date":"2019-10-24T10:05:28","date_gmt":"2019-10-24T04:05:28","guid":{"rendered":"https:\/\/www.neyduetewa.gov.bt\/?page_id=426"},"modified":"2019-11-04T10:31:43","modified_gmt":"2019-11-04T04:31:43","slug":"knowledgebase","status":"publish","type":"page","link":"https:\/\/www.neyduetewa.gov.bt\/?page_id=426","title":{"rendered":"Knowledgebase"},"content":{"rendered":"

GDC Infrastructure<\/h2>
\n

<\/span>Government Data Center (GDC) Infrastructure<\/h2>\n

Government Data Center(GDC) infrastructure is housed in Thimphu Tech Park Limited(TTPL).\r\n<\/span>It is built on 1000 sq ft block at Thimphu Tech Park Ltd (TTPL). All the required facilities like\r\ndual feed power redundancy, Diesel Generator, Uninterrupted Power Supply (UPS),\r\nredundant connectivities from ISPs (minimum of 10 Mbps each from BT and TashiCell)\r\nand Thimphu Wide Area Network (Government Network) with high bandwidth capacity,\r\nfire suppressants, Network Operation Center (NOC), Media Distribution Center (MDC),\r\nBuilding Management System with surveillance CCTV, Biometric authentication\r\nare installed and operational.<\/span><\/p>\r\n

\r\n<\/span>GDC is Tier-2 Data Center which is based on design principles such as reliability, availability, serviceability and scalability. The GDC facility is tested to ensure performance over time without failing.<\/span><\/p>\r\n

Any agency of RGoB can host their system at GDC free of cost provided that the system is approved by eGIF.<\/span><\/p>\r\n

Video about GDC Infrastructure (Accessible only for RGoB)<\/h5><\/a><\/div>\n <\/article>
\n

<\/span>Infrastructure As A Service<\/h2>\n

GDC is based on the model of Infrastructure As A Service where storage, network, compute and server resources are provisioned and managed by GDC. <\/span><\/p>\n<\/div>\n <\/article>

\n

<\/span>GDC Backup System<\/h2>\n

GDC primary backup system is hosted at TWAN\/GovNet server room located at DITT. GDC also has secondary back up being done on Tape Library.<\/p>\n

<\/span>System backup policy is dependent on respective system and it\u2019s criticality. Backup policy can be discussed with GDC and implement accordingly.<\/span><\/p>\n<\/div>\n <\/article>

Powered by HTML5 Responsive FAQ<\/a><\/article><\/div>\n\n\n

GDC Network Accessibility<\/h2>
\n

<\/span>GDC Network Accessibility<\/h2>\n

GDC is facilitated with redundant internet connection with at least 10 Mbps leased line each from BT and TashiCell.\u00a0<\/span><\/p>\n

GDC is also a member of BtIX with 1Gbps fiber connection.<\/span><\/p>\n

GDC is also connected with TWAN\/GovNet with 10 Gbps fiber connection.<\/span><\/p>\n<\/div>\n <\/article>

Powered by HTML5 Responsive FAQ<\/a><\/article><\/div>\n\n\n

GDC Services<\/h2>
\n

<\/span>GDC Space Request<\/h2>\n

An agency can submit server request form from GDC website : <\/span><\/p>\n

https:\/\/www.neyduetewa.gov.bt\/?page_id=93<\/h5>\n

At the submission of server request form, GDC team receives email notification. GDC team then evaluates and process it further.\u00a0<\/span><\/p>\n

\u201cneyduetewa\u201d is the translation of data center in national language Dzongkha.<\/span><\/p>\n<\/div>\n <\/article>

\n

<\/span>GDC Staging & Production Environment<\/h2>\n

GDC space allocation will generally be completed <\/span>within 3 days and<\/span> user credentials will be shared with the agency\u2019s ICT personnel through <\/span>mailvelope(refer \u201cCreating Mailvelope Account for pgp Email Encryption\u201d section)<\/span>. The space provided will be in staging environment.<\/span><\/p>\n

Once staging space is provided, the agency is required to migrate copy of the system to it. GDC Security Operations Center(SOC) team, Bhutan Cyber Incident Response(BtCIRT) team will then scan the system for vulnerabilities and provide advisory of vulnerability fixes if any is found. Only after the GDC SOC team issue the system as clean, the system is processed and migrated to production environment by GDC.<\/span><\/p>\n

An agency and GDC is mandated through APA to migrate their system to production environment within 5 weeks after staging space is provided.<\/span><\/p>\n<\/div>\n <\/article>

\n

<\/span>GDC Ticketing System<\/h2>\n

After a system has been successfully migrated to GDC Production environment, a system owner is required to create a user account in GDC Ticketing System <\/a><\/span>\u00a0to raise any future issues regarding the system.\u00a0<\/span><\/p>\n

When a ticket is raised, notification is automatically sent to GDC Team and GDC Support Team. The raised ticket will be tended as soon as possible and GDC Team will strive to address it within a day.\u00a0<\/span><\/p>\n

Ticket status can also be tracked by an individual.<\/span><\/p>\n<\/div>\n <\/article>

\n

<\/span>GDC VPN Facility<\/h2>\n

VPN connection can be used by an agency to connect to their server located in GDC from internet wherein there is no GovNet connection. To establish a VPN connection, agency need to raise ticket asking for VPN connection. VPN credentials will then be created and shared with the agency.<\/span><\/p>\n

To establish VPN Connection, system owner needs to install Cisco Anyconnect VPN client on their machine.
\n->Visit GDC VPN Server Site https:\/\/secure.neyduetewa.gov.bt<\/a>
\n-> use the provided VPN credentials to log into
\n-> follow the instructions; download and install the client <\/span><\/span><\/p>\n

Once installed, input “https:\/\/secure.neyduetewa.gov.bt” to connect\u00a0 to GDC vpn server and then input the provided vpn credentials to establish connection.<\/span><\/p>\n

 <\/p>\n<\/div>\n <\/article>

Powered by HTML5 Responsive FAQ<\/a><\/article><\/div>\n\n\n

GDC Policy<\/h2>
\n

<\/span>Ports Policy<\/h2>\n

GDC implements port white listing at network level. Only port TCP-80, TCP-443 and ICMP are allowed in GDC network.\u00a0<\/span><\/p>\n

Any other ports if required must be put to GDC with justification through GDC ticketing system<\/b>.<\/a><\/span><\/p>\n

Any one requiring access from global network should use GDC VPN facility.<\/span><\/p>\n<\/div>\n <\/article>

\n

<\/span>Highlights from GDC Policy<\/h2>\n

Responsibilities of the System Owner, GDC Technical Support Team and BtCIRT are as follows:<\/h3>\n\n\n\n\n\n\n
<\/td>\nComposition<\/span><\/td>\nResponsibilities<\/span><\/td>\n<\/tr>\n
System Owner<\/span><\/td>\nConcerned agency<\/span><\/td>\n1. Configure, maintain, manage,update, patch application\/databases and operating systems(OS) hosted inGDC.<\/span><\/p>\n

2.Ensure\u00a0 OS\/application\u2019s compliance with\u00a0 security requirements as per BtCIRT’sbaseline requirement<\/span><\/p>\n

3. Patch and update application and OS vulnerabilities based on BtCIRT’s security requirement.\u00a0\u00a0\u00a0<\/span><\/p>\n

4. Seek storage, compute and network resources to host application in the GDC. \u00a0 5. Carry out migration of application to GDC.<\/span><\/p>\n

6. Consult with GDC and BtCIRT team on security requirements of applications.<\/span><\/td>\n<\/tr>\n

GDC Technical Support Team<\/span><\/td>\nTechnical team of concerned contractor<\/span><\/td>\n1.Configure and set up new virtual platform.<\/span><\/p>\n

2.Allocate resources such as memory, storage, processor, network.<\/span><\/p>\n

3.Provision and manage\u00a0 IP addressing scheme.<\/span><\/p>\n

4.Implement firewall security policy(ies) needed for system management and accessibility.<\/span><\/p>\n

6.Patch and Update OS of network devices(firewall, router, switches,storage).<\/span><\/p>\n

7.Ensure the hardware contingencies are maintained throughout operation of GDC networks and services.<\/span><\/p>\n

8.Monitor availability and utilization of server\/storage\/network resources.<\/span><\/p>\n

10.Provide 24\/7 or 9\/5 on-call support, as specified for each supported server or device.\u00a0<\/span><\/p>\n

11.Diagnose and rectify hardware problems.\u00a0<\/span><\/p>\n

12.Configure, maintain and monitor servers such as DNS, Log Server, NTP, NMS and other critical servers required to operate GDCinfrastructure.<\/span><\/td>\n<\/tr>\n

BtCIRT<\/span><\/td>\n<\/td>\n1.Decision on application\u2019s criticality level (basic | medium| CII)<\/span><\/p>\n

2.Compliance audit against security requirements (initial,final, yearly) and decision for GO \/ Not GO<\/span><\/p>\n

3.Periodic vulnerability scanning according asset criticality<\/span><\/p>\n

4.Basic incident detection activities through deployed sensors.<\/span><\/p>\n

5.Incident handling activities once incident is detected<\/span><\/p>\n

6.Escalation to a System Owner\u2192 PMU \u2192 Management incase of major security compliance issues<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

For more details please refer to the document.<\/a><\/h3>\n<\/div>\n <\/article>
Powered by HTML5 Responsive FAQ<\/a><\/article><\/div>\n\n\n

Linux Tutorials<\/h2>
\n

<\/span>Getting Sudo Privileges<\/h2>\n

$sudo su –<\/span>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\/\/switch to sudo root user
\n<\/span>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\/\/enter current user password to get root privileges<\/span><\/p>\n<\/div>\n <\/article>

\n

<\/span>Linux Resource Links<\/h2>\n

Linux System Induction 2019 Presentation<\/a>
\nLinux System Induction 2019 Lab Practices<\/a>
\nLinux.com<\/a>
\nRed Hat<\/a>
\nNSRC<\/a><\/strong><\/p>\n<\/div>\n <\/article>

\n

<\/span>Establishing SSH Remote Connection<\/h2>\n

$ssh user_account@ip_address
\n<\/span>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\/etc\/ssh\/ssh_host.pub<\/span>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\/\/file location in the host server where the public key is stored
\n<\/span>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 ~\/.ssh\/known_hosts\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0<\/span> \/\/file location in local machine where the key is stored<\/span><\/p>\n<\/div>\n <\/article>

\n

<\/span>Setting Up SSH with Public Private Key<\/h2>\n

(For Linux\/BSD)<\/span><\/p>\n

***In your local machine***
\n$ssh-keygen<\/span>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u00a0\/\/to generate public private key
\n<\/span>$ssh-copy-id user_account@ip_address<\/span>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u00a0<\/span>\/\/to copy public key to destination host server
\n<\/span>$ssh-add<\/span>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0<\/span>\/\/adds passphrase to agent so that you don\u2019t have to enter passphrase every time
\n<\/span>$ssh user_account@ip_address \u00a0 \u00a0<\/span><\/span><\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 ~\/.ssh\/id_rsa<\/span>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0<\/span>\/\/file location in local machine where the private key is stored
\n<\/span><\/span>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \/home\/user_account\/.ssh\/id_rsa.pub<\/span>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0<\/span>\/\/file location in host server where public key is stored<\/span><\/p>\n

$ssh-add -l<\/span>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u00a0<\/span>\/\/to see what identities (decrypted private keys) your agent has in memory
\n<\/span>$ssh-add -d<\/span>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <\/span>\/\/to forget all identities
\n<\/span>$ssh-agent bash<\/span>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u00a0<\/span>\/\/to start a new subshell with ssh-agent if you don’t have an agent
\n<\/span>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0<\/span>
\n<\/span>For more information <\/span>ssh with public\/private key<\/span> <\/a>ssh authentication agent<\/span><\/a><\/p>\n<\/div>\n <\/article>

\n

<\/span>Configuring SSH to allow specific users<\/h2>\n

$sudo vi \/etc\/ssh\/sshd_config<\/span> \/\/edit the the configuration file \/etc\/ssh\/sshd_config
\n<\/span>\u00a0 \u00a0 \u00a0AllowUsers user1 user2 user3\u00a0 \u00a0 \u00a0\u00a0<\/span>\/\/add the line towards the end of the file to allow ssh for only\u00a0<\/span>specific users,
\nsave and exit.<\/span><\/p>\n

$sudo systemctl restart sshd<\/span>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\/\/restart sshd service to implement changes<\/span><\/p>\n<\/div>\n <\/article>

Powered by HTML5 Responsive FAQ<\/a><\/article><\/div>\n\n\n

Other Resources<\/h2>
\n

<\/span>Creating Mailvelope Account for pgp Email Encryption<\/h2>\n

Manual for mailvelope can be found in the link : <\/span><\/p>\n

https:\/\/www.mailvelope.com\/en\/help<\/h5>\n

<\/span><\/a><\/p>\n<\/div>\n <\/article>

Powered by HTML5 Responsive FAQ<\/a><\/article><\/div>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":2,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"_links":{"self":[{"href":"https:\/\/www.neyduetewa.gov.bt\/index.php?rest_route=\/wp\/v2\/pages\/426"}],"collection":[{"href":"https:\/\/www.neyduetewa.gov.bt\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.neyduetewa.gov.bt\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.neyduetewa.gov.bt\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.neyduetewa.gov.bt\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=426"}],"version-history":[{"count":21,"href":"https:\/\/www.neyduetewa.gov.bt\/index.php?rest_route=\/wp\/v2\/pages\/426\/revisions"}],"predecessor-version":[{"id":495,"href":"https:\/\/www.neyduetewa.gov.bt\/index.php?rest_route=\/wp\/v2\/pages\/426\/revisions\/495"}],"wp:attachment":[{"href":"https:\/\/www.neyduetewa.gov.bt\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=426"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}