Customers often ask what makes up the infrastructure that serves Kolab Now. This article outlines some of the high-level details about the current state of affairs.
Let’s start with a basic outline of the underlying infrastructure. Kolab Now, at the time of this writing, runs 14% Red Hat Enterprise Linux 8 and 86% Red Hat Enterprise Linux 9, all under vendor support. Naturally, the share of RHEL 8 systems will decrease and the share of RHEL 9 systems will increase over time. We’re not in the sentimental type of business.
This environment is largely made up of virtualized guests seated on fat IBM OpenPOWER hardware acting as hypervisors, also under support. These hypervisors are “fat” in that they each have quite a few CPU sockets with multi-core CPUs, and are fully stuffed with RAM. These are enterprise-grade systems (they even come with a chassis), and they are connected to a heavy set of hardware-encrypted IBM storage canisters, so data at rest is encrypted. Note what that does and does not buy you: encryption at the storage layer protects the data if drives or canisters leave the rack; it does not, by itself, protect data from a host that has the volume mounted and sees it in the clear.
The servers live in a rack in Bern, Switzerland, behind three sets of locks to which only Kolab Now employees have the keys.
Kolab Now runs entirely on Free Software, available to the community as Kolab and supported by Apheleia IT. What makes the difference for Kolab Now is the perpetual and continuous attention of senior engineers employed by Apheleia IT, the patron of Kolab and proprietor of Kolab Now.
External, Internet-facing services are separated from internal services. To this end, there are a few outer perimeter firewalls, some select perimeter networks and several groups of separate inner perimeter firewalls. Each of these firewalls is redundant, shares its connection tracking tables with its peer so that established sessions survive a failover, and provides high availability for back-end services through load balancing with health checks. Both the outer and inner perimeter firewalls perform traffic shaping to ensure fair and balanced network traffic for all customers alike. Note this is a matter of packet scheduling, not a bandwidth limitation: no customer is capped, but no single customer can starve the others.
Further network segmentation and separation, in combination with Policy Enforcement Points and the use of split-horizon DNS, lets systems and services know as little as possible about the rest of the environment. In other words, they know only what they need to know and are allowed only what they need to be allowed: a service can resolve the names of, and open connections to, only the peers it actually depends on. This also allows very fine-grained control of traffic patterns.
It is worth noting that Kolab Now never terminates SSL/TLS on an intermediate hop such as a load balancer or reverse proxy and passes plaintext onward; the secure transport runs end to end between the client of a service and the service itself. This means the Web Client connects to LDAP, MariaDB, IMAP and other such back-end services under a secure transport layer that is not only encrypted but also provides Perfect Forward Secrecy (session keys are ephemeral, so a later compromise of a server’s private key does not expose previously recorded traffic). This significantly increases computing costs and adds latency, but it ensures that no unsecured traffic travels over any wire, physical or virtual, anywhere throughout the network.
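A claim like “TLS end to end, with forward secrecy” is only as good as the check that verifies it on every back-end port. The following is an added example, not Kolab Now’s or Kolab’s own tooling: a small Python probe that performs a TLS handshake against a service port, records the protocol version and cipher suite the server actually negotiates, and classifies the result by whether the key exchange is ephemeral and authenticated. The host names are hypothetical placeholders, and the implicit-TLS ports (IMAPS 993, LDAPS 636) are assumptions; MariaDB negotiates TLS inside its own protocol handshake and would need a database driver, so it is deliberately left out.

```python
"""Probe back-end service ports for end-to-end TLS with forward secrecy.

Added example, not Kolab Now's tooling. It assumes the services expose the
conventional implicit-TLS ports (IMAPS 993, LDAPS 636).
"""
import socket
import ssl

MODERN_PROTOCOLS = ("TLSv1.2", "TLSv1.3")

# OpenSSL cipher-suite names: an ephemeral *and authenticated* key exchange is
# spelled ECDHE-/DHE- (or the older EDH- alias). Static-RSA suites such as
# AES256-GCM-SHA384 carry no key-exchange prefix and give no forward secrecy.
# Anonymous ADH-/AECDH- suites are ephemeral but unauthenticated, so they are
# intentionally not matched here and count as a failure.
PFS_KX_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def is_forward_secret(cipher_name: str, protocol: str) -> bool:
    """True when the negotiated suite uses an authenticated ephemeral key exchange."""
    if protocol == "TLSv1.3":
        # Every TLS 1.3 suite (TLS_AES_256_GCM_SHA384, ...) is (EC)DHE-only;
        # the suite name no longer encodes the key exchange.
        return True
    return cipher_name.startswith(PFS_KX_PREFIXES)


def assess(cipher_name: str, protocol: str, cert_valid: bool = True) -> dict:
    """Classify one negotiated connection; 'acceptable' is the single go/no-go bit."""
    pfs = is_forward_secret(cipher_name, protocol)
    modern = protocol in MODERN_PROTOCOLS
    return {
        "protocol": protocol,
        "cipher": cipher_name,
        "forward_secret": pfs,
        "modern_protocol": modern,
        "cert_valid": cert_valid,
        "acceptable": pfs and modern and cert_valid,
    }


def _handshake(host: str, port: int, ctx: ssl.SSLContext, timeout: float):
    """Open a TCP connection, complete the TLS handshake, return (suite, version, bits)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Connect with TLS and report what the server actually negotiates.

    Validation against the system trust store is tried first. If it fails
    (for instance an internal CA not installed on the probing host), the
    handshake is repeated without validation so the cipher is still recorded,
    and the failed validation is reported as a finding instead of hiding it.
    The default context refuses anything below TLS 1.2, so a server offering
    only older protocols surfaces as a handshake error in probe_all().
    """
    ctx = ssl.create_default_context()
    try:
        name, proto, _bits = _handshake(host, port, ctx, timeout)
        return assess(name, proto, cert_valid=True)
    except ssl.SSLCertVerificationError:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        name, proto, _bits = _handshake(host, port, ctx, timeout)
        return assess(name, proto, cert_valid=False)


def probe_all(targets: dict) -> dict:
    """targets maps a label to (host, port); returns label -> assessment or error."""
    results = {}
    for label, (host, port) in targets.items():
        try:
            results[label] = probe(host, port)
        except (OSError, ssl.SSLError) as exc:
            # A refused connection, a timeout, or a plaintext-only listener
            # (which answers the ClientHello with garbage) all land here.
            results[label] = {"error": str(exc), "acceptable": False}
    return results


if __name__ == "__main__":
    # Hypothetical host names standing in for inner-perimeter services.
    TARGETS = {
        "imaps": ("imap.internal.example", 993),
        "ldaps": ("ldap.internal.example", 636),
    }
    for label, result in probe_all(TARGETS).items():
        print(label, "OK" if result["acceptable"] else "FAIL", result)
```

Run it from a host inside the relevant network segment; from anywhere else the segmentation described above should make the probe fail to connect, which is itself a useful negative test. A plaintext-only listener fails the handshake and is reported as an error, so a port that silently accepts unencrypted connections does not slip through as a pass.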