Nowadays it is more and more difficult to meet IT service requirements with standard tools and solutions, but that is not the case when our unique systems are used for customer solutions. Here are some examples of IT service requirements from our clients, implemented with the help of our systems:
Mail server. Implement a mail server in an open source environment (to eliminate license fees and needless costs). The mail server must support the secure protocols SMTP with SSL/TLS, IMAP4S and POP3S. To eliminate unwanted email, the mail server must have an anti-spam system and an antivirus system, and must support the SPF, DKIM and DMARC protocols. The mail server must be multi-domain and must also have a web interface client.
For security reasons the operating system of the mail server must be hardened. The mail server must not send or receive any email when the email daemons or the configuration files of the mail daemons are compromised.
To provide high availability, the mail server must be installed as a cluster and must be visible to the world with 3 different real IP addresses from 3 different countries (preferably on 2 different continents, e.g. Europe and Asia, or Europe and America, etc.). A web-interface control panel must be developed for managing the mail server, and for security reasons it must be developed without using any known template frameworks (WordPress, Joomla, etc.); it must be developed from
The control panel must meet at least the following requirements:
Ability to add/edit/delete users, passwords and descriptions.
Set mailbox size quotas for each user.
Autoreply ability for users, with Unicode text support.
Ability to create mailing list groups.
Log view ability, where each transaction is visible and it is possible to easily identify brute-force attacks or any errors that occurred during mail sending or receiving.
Multi-admin technique. E.g. the mail server manages many domains, and a few domains have to be managed by the admin1 user, another two by the admin2 user, and so on. There must also be a super admin user who can manage all domains.
Add/edit/delete white/black list tables, at least by the following parameters:
Mail server source IP address
Mail server destination IP address
Source domain name
Destination domain name
Email address from
Email address to
An auto-learning mechanism must be implemented for automatically blacklisting and whitelisting remote mail servers' IP addresses, depending on the error rate of the remote mail servers. E.g. if some remote mail server is trying to brute-force the login/password of the SMTP server, the remote mail server must be automatically blocked after a specified count of allowed errors. Unblocking must be done automatically, but if the remote mail server continues the attack after being unblocked, the new block level/period must be stricter, and so on. Specify at least 4 levels of strictness for each remote mail server.
Organize a daily automatic backup mechanism for the mail server. Back up usernames/passwords/configurations, and also back up all received emails, sent emails and all users' standard/custom folders created on the mail server. All backed-up emails must be stored for at least 180 days. The mail server must also be able to show all sent emails, even when the backup of the Sent folder has not yet been done for that period and the user has deleted the email from the Sent folder after sending it and has also emptied the Trash folder. The same must be done for all received emails.
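The escalating block mechanism described above, together with the log view requirement of spotting brute-force attempts, can be implemented as a small state machine per remote IP. The following Python is an added example and is not code from this page or from the systems it describes. It parses constructed SMTP-auth log lines (the log format is hypothetical), counts failures per remote address, blocks the address when the allowed count for its current level is reached, unblocks automatically once the block period has passed, and moves the address to a stricter level on every repeat. The four levels, their failure thresholds and their block durations are assumed values.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines (hypothetical format, not from any real MTA).
# 198.51.100.7 keeps failing; 203.0.113.5 is a user who mistyped a password once.
SAMPLE_LOG = """\
2024-01-10T10:00:00 smtp auth failed from 198.51.100.7
2024-01-10T10:00:01 smtp auth failed from 198.51.100.7
2024-01-10T10:00:02 smtp auth failed from 198.51.100.7
2024-01-10T10:00:03 smtp auth failed from 198.51.100.7
2024-01-10T10:00:04 smtp auth failed from 198.51.100.7
2024-01-10T10:00:05 smtp auth failed from 203.0.113.5
2024-01-10T10:00:09 smtp auth ok from 203.0.113.5
2024-01-10T10:02:00 smtp auth failed from 198.51.100.7
2024-01-10T10:11:00 smtp auth failed from 198.51.100.7
2024-01-10T10:11:01 smtp auth failed from 198.51.100.7
2024-01-10T10:11:02 smtp auth failed from 198.51.100.7
"""

LOG_RE = re.compile(r"^(\S+) smtp auth (failed|ok) from (\S+)$")

# Four levels of strictness (assumed values): (failures allowed before a block,
# block duration in seconds). Each block moves the peer to the next level, so a
# peer that resumes the attack after automatic unblock is treated more strictly.
LEVELS: List[Tuple[int, int]] = [
    (5, 10 * 60),            # level 0: 5 failures -> 10 minute block
    (3, 60 * 60),            # level 1: 3 failures -> 1 hour block
    (2, 24 * 60 * 60),       # level 2: 2 failures -> 1 day block
    (1, 7 * 24 * 60 * 60),   # level 3: 1 failure  -> 7 day block (stays at this level)
]


@dataclass
class PeerState:
    level: int = 0              # index into LEVELS
    failures: int = 0           # failures since the last success or block
    blocked_until: float = 0.0  # epoch seconds; 0 means not blocked


class AutoBlocklist:
    """Per-IP escalating blocklist with automatic, time-based unblocking."""

    def __init__(self, levels: List[Tuple[int, int]] = LEVELS):
        self.levels = levels
        self.peers: Dict[str, PeerState] = {}

    def is_blocked(self, ip: str, now: float) -> bool:
        st = self.peers.get(ip)
        return st is not None and now < st.blocked_until

    def record(self, ip: str, ok: bool, now: float) -> str:
        """Feed one auth event; returns 'blocked', 'block' or 'allowed'."""
        st = self.peers.setdefault(ip, PeerState())
        if now < st.blocked_until:
            return "blocked"            # inside the block window: the attempt is dropped
        if ok:
            st.failures = 0             # a successful login clears the failure run
            return "allowed"
        st.failures += 1
        allowed, duration = self.levels[st.level]
        if st.failures >= allowed:
            st.blocked_until = now + duration   # unblock happens by itself as time passes
            st.failures = 0
            st.level = min(st.level + 1, len(self.levels) - 1)  # next repeat is stricter
            return "block"
        return "allowed"


def replay(log_text: str, blocklist: Optional[AutoBlocklist] = None):
    """Replay log lines through the blocklist; returns (blocklist, [(ip, decision), ...])."""
    bl = blocklist or AutoBlocklist()
    decisions: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # lines the parser does not understand are skipped, not guessed at
        ts, result, ip = m.groups()
        now = datetime.fromisoformat(ts).timestamp()
        decisions.append((ip, bl.record(ip, result == "ok", now)))
    return bl, decisions


if __name__ == "__main__":
    blocklist, events = replay(SAMPLE_LOG)
    for ip, decision in events:
        print(f"{ip:15} {decision}")
    for ip, state in blocklist.peers.items():
        print(f"{ip}: level={state.level} blocked_until={state.blocked_until}")
```

In a deployment the `record` calls would be driven by the MTA's authentication log in real time and the `blocked_until` state would be exported to the firewall; the point of the state machine is that the block period is never reset by the attacker simply waiting it out, because the level only moves upward.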
DNS server. Implement a DNS server cluster in an open source environment. Cluster nodes must be installed at 3 different Internet service providers, located in 3 different countries (preferably on 2 different continents).
The DNS servers must support VIEW mode, i.e. the same DNS servers must support the company intranet (which is geographically spread and includes more than one country) and
For security reasons, it is required to disable any updates between DNS servers over the Internet and to implement a mechanism which provides secure update channels between the DNS servers. The provided secure channel must not use weak encryption algorithms (e.g. DES, Blowfish, arcfour, etc.); the minimum requirement is AES-256.
Intranet/VPN. It is obligatory to create an intranet which includes all offices of the company and the server farms located in different locations/cities/countries. To provide high availability, intranet connections must be implemented with multiple-path techniques, with automatic switching to backup channels in case of problems with the main connections. Intranet routers must be able to handle encrypted channels of at least 1000 Mbit.
For security reasons it is forbidden to use any hardware VPN implementations, which can be a source of unknown firmware with a bunch of hidden, undiscovered bugs, and can be exploited and compromised later when the bugs are discovered by the hacker community. It is also forbidden to use non-hardware implementations with proprietary or non-open-source operating systems.
Besides the intranet, a VPN server for remote users must also be implemented. A mature open-source implementation in a hardened version must be used as the VPN server. No implementation can be accepted which stores its configuration file or user credentials in plain text. The configuration file and user logins/passwords must be stored on the VPN server in encrypted form; this eliminates the loss of credentials or other sensitive information stored in the configuration file even when the VPN server is compromised and the intruder has gained full access to it. The implemented VPN server must support devices with Windows, Linux, macOS, iOS and Android. The encryption algorithms used for the intranet and for remote VPN users must be at least AES-256.
File server. File servers accessible by intranet users and by remote users connected via VPN must be created. The file server must provide multi-user, multi-permission and multi-group techniques, to serve users and the company's policies and needs. For smooth and reliable operation of the file server, the implementation must not require any cloud or client software on users' computers. Any solution with a web interface which compresses the folder tree for downloading is also not acceptable, due to problems with big files. The file server also has to scale well, e.g. the file count can exceed 20 000 000 and this must not affect the performance of the file server. Any big file (e.g. a 20 GB video file) must be accessible without downloading it, and the file server must provide the ability to play and rewind videos right on the file server. The file server must be accessible from Windows, Linux, Mac and Android.
The file server has to log user actions on files/folders (read/write/delete/rename), and for each action the following information must be available in the log:
Action type (read/write/delete/rename)
Backup server. An automatic backup system must be implemented for all servers (file servers, mail servers, DNS, VPN, etc.). All files and folders on the file servers must be backed up at the end of each day. The backup retention period must be at least 180 days: for the last 180 days, any version of a file or folder can be restored from the backup system. E.g. if some files are updated very frequently (a few times a day), we have to have all 180 versions of that file in the backup system and be able to restore the version of that file for any specified day. The implemented backup system must provide the ability to store folders and files with 2 options:
Simple backup storage
Encrypted backup storage
Some specified folders on the file server will be backed up to «Encrypted backup storage», while the other files will be backed up to «Simple backup storage». After each backup process, the backup system has to send a report to the specified email address/addresses. The report must contain information about each node's backup status (whether it completed successfully or some error occurred), how many bytes were transferred, the duration of the backup process for each node, and also the amount of free space on the backup disks.
DHCP server. A multi-homed (multi-subnet) DHCP server must be implemented. The DHCP server must be able to distinguish network devices and provide the appropriate IP address from the appropriate subnet. E.g. if some device is intended to have access to the intranet, it must receive its IP address from the intranet subnet, while other devices must get IP addresses from a restricted subnet and get access only to the Internet, without the intranet. The DHCP server must also be able to provide other scenarios.
Traffic management, control and monitoring server. A traffic management system must be implemented in the network infrastructure. The system must be able to set shaping for each IP, user or group, and to open/close the Internet traffic of a specified user or IP. The system must support a cluster architecture, e.g. there will be a central node and sub-nodes. All necessary data (IPs, MAC addresses, groups, etc.) will be located on the central node.
The central node must have a web-interface control panel with multi-level administrator logins with appropriate permissions. Sub-nodes must be installed on the routers which collect/manage/control traffic. All necessary information collected by the sub-nodes must be sent automatically to the central node. The central node must be able to work with sub-nodes even when they are not located in the same network but on remote sites, in another region or city. If the connection from a sub-node to the central node is lost, or the central node's server is switched off, the sub-nodes must keep all collected information locally, and when the connection is re-established (or the central server is switched on) the sub-node has to synchronize all data missing on the central node.
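The store-and-forward behaviour required of the sub-nodes above (keep collected data locally while the central node is unreachable, then synchronize what is missing) is shown in the following Python, added here as an example; it is not code from this page or from the systems it describes. The sub-node writes every sample to a local SQLite spool before attempting delivery, the central node stores each record under a (node, sequence number) key so that a re-delivered batch is harmless, and the sub-node only deletes spooled records up to the sequence number the central node acknowledged. The node names, the sample records and the `ConnectionError` used to simulate an outage are all constructed for the example.

```python
import json
import sqlite3
from typing import Dict, List, Tuple


class CentralNode:
    """Central node: accepts batches from sub-nodes and stores each record exactly once."""

    def __init__(self) -> None:
        self.online = True  # toggled by the demo to simulate an outage (constructed)
        # (node_id, seq) -> record; the key makes re-delivery of a batch idempotent
        self.records: Dict[Tuple[str, int], dict] = {}

    def ingest(self, node_id: str, batch: List[dict]) -> int:
        if not self.online:
            raise ConnectionError("central node unreachable")
        for rec in batch:
            self.records.setdefault((node_id, rec["seq"]), rec)
        # Acknowledge the highest sequence number seen; the sub-node may discard up to it
        return max(rec["seq"] for rec in batch)


class SubNode:
    """Sub-node on a router: spools samples locally until the central node acknowledges them."""

    def __init__(self, node_id: str, central: CentralNode, spool_path: str = ":memory:") -> None:
        self.node_id = node_id
        self.central = central
        # spool_path would be a file on the router's persistent storage in a real deployment (assumption)
        self.db = sqlite3.connect(spool_path)
        self.db.execute("CREATE TABLE IF NOT EXISTS spool (seq INTEGER PRIMARY KEY, payload TEXT NOT NULL)")
        self.db.execute("CREATE TABLE IF NOT EXISTS meta (key TEXT PRIMARY KEY, value INTEGER NOT NULL)")
        self.db.execute("INSERT OR IGNORE INTO meta VALUES ('last_seq', 0)")
        self.db.commit()

    def _next_seq(self) -> int:
        # The counter lives in the database so it survives a sub-node restart
        # and never reuses a number the central node has already stored.
        self.db.execute("UPDATE meta SET value = value + 1 WHERE key = 'last_seq'")
        return self.db.execute("SELECT value FROM meta WHERE key = 'last_seq'").fetchone()[0]

    def collect(self, ts: str, ip: str, nbytes: int) -> None:
        """Record one traffic sample: spool it first, then attempt a sync."""
        seq = self._next_seq()
        rec = {"seq": seq, "ts": ts, "ip": ip, "bytes": nbytes}
        self.db.execute("INSERT INTO spool VALUES (?, ?)", (seq, json.dumps(rec)))
        self.db.commit()
        self.sync()

    def sync(self) -> int:
        """Push everything spooled, in order; returns the number of records acknowledged (0 if offline)."""
        rows = self.db.execute("SELECT payload FROM spool ORDER BY seq").fetchall()
        if not rows:
            return 0
        batch = [json.loads(payload) for (payload,) in rows]
        try:
            acked = self.central.ingest(self.node_id, batch)
        except ConnectionError:
            return 0  # keep everything; the next collect() or sync() retries
        self.db.execute("DELETE FROM spool WHERE seq <= ?", (acked,))
        self.db.commit()
        return len(batch)

    def pending(self) -> int:
        return self.db.execute("SELECT COUNT(*) FROM spool").fetchone()[0]


def demo() -> dict:
    """Constructed scenario: the central node goes away, the sub-node keeps collecting, then catches up."""
    central = CentralNode()
    node = SubNode("router-site-a", central)
    node.collect("2024-01-10T10:00:00", "10.1.0.5", 1200)   # delivered immediately
    central.online = False
    node.collect("2024-01-10T10:05:00", "10.1.0.5", 800)    # spooled
    node.collect("2024-01-10T10:10:00", "10.1.0.9", 300)    # spooled
    spooled_while_offline = node.pending()
    central.online = True
    caught_up = node.sync()
    return {
        "spooled_while_offline": spooled_while_offline,
        "caught_up": caught_up,
        "central_records": len(central.records),
        "pending_after": node.pending(),
    }


if __name__ == "__main__":
    print(demo())
```

Because the spool is only trimmed after an acknowledgement, a crash between delivery and acknowledgement causes a re-send rather than a loss, and the central node's keyed storage turns that re-send into a no-op; that pairing is what makes "synchronize all data which is missing" safe to do automatically.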
The central node must be able to see not only the total traffic of the sub-nodes' interfaces, but also to distinguish specified groups of users or IPs. For example, the company's network is installed in 4 locations, each location has 3 departments (finance, engineering, production), and it is obligatory to see the traffic charts not only for each location, but also the charts of each department at each location, and also to be able to see the total traffic for a specified department only (e.g. the summary traffic only for the 4 finance departments). Such a flexible tool will allow the company to see the current network needs of each location/department/user/server and to forecast the period and the amount of resources needed for scaling, before disruption and network problems occur.
The monitoring system also has to be able to see not only the traffic amount but also the traffic session count initiated from each IP/user. This will help to find the source of network degradation when some computers are infected by a virus and are generating thousands of sessions of unwanted traffic.
The central node must also be able to monitor the CPU temperature, CPU usage, memory usage and HDD usage of the other servers (DNS, mail, web, VPN, …). This will help to eliminate hardware faults in cases when, for example, the CPU cooler has stopped and after a few days the CPU of some server will suffer. Such statistical data will also help to determine the best time to start scaling work, before the servers start to overload due to insufficient resources.
Video surveillance system. A video surveillance system for the company's IP cameras must be implemented with open source tools. To decrease the overhead of the cameras' traffic and increase their stability/flexibility, a "video gateway" server must be deployed, which will take one stream from each IP camera and provide the ability to transcode, encode and multiply the streams from the cameras. The video gateway must provide a wide range of video codecs and formats, which are not supported even by the cameras but are needed for a wide range of video stream players. The video gateway must also be able to stream the video from the cameras to YouTube or other destinations. The video gateway input and output must support all main video stream types and codecs (multicast, unicast, HTTP, HLS, DASH, RTP, RTSP, etc.).
also has to have audio/video re-synchronization ability, for synchronizing the video and audio streams in cases when the source stream has bad quality and, due to packet loss, the video and audio streams can become de-synchronized. The implemented video server also has to be able to log input stream errors, analyze the input stream state, and automatically take appropriate actions if some conditions are met (e.g. analyze the input source stream, and if the packet loss or error rate is critical, restart the input stream).