Defense in Depth

Classification: CONFIDENTIAL — Internal Use Only

Greenpeace US IT applies a layered security model (defense in depth) across all infrastructure. No single control is relied upon; each layer independently limits the blast radius of a compromise.


Security Layers

Layer 1 — Physical & Hypervisor

  • VMware ESXi 6.7 hosts are physically secured at the WDC data center
  • ESXi management interface is isolated on the management VLAN (192.168.124.0/24)
  • Thin-provisioned VMDKs with no guest-to-host escape paths in the current workload profile

Layer 2 — Network Segmentation

  • Production (192.168.120.0/23) and management (192.168.124.0/24) networks are physically separated via vSwitch
  • GCP VPC (172.16.0.0/24) is isolated; only VPN traffic from on-prem is permitted
  • Default-deny firewall posture on all servers (firewalld drop zone)
  • Inbound rules are whitelisted per service and source range only
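As an added example (not part of this document or of the GPUS-IT server configuration), the following check reads a firewalld zone definition and reports where it departs from the posture above: a DROP target, and inbound acceptance only through rich rules scoped to one service or port and one approved source range. The approved ranges assume the management and production networks listed on this page; both zone files are constructed samples.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Management and production ranges from which inbound traffic may be accepted (assumed from this page).
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("192.168.124.0/24", "192.168.120.0/23")]


def _within_allowed(address, allowed):
    net = ipaddress.ip_network(address, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def check_zone(zone_xml, allowed=ALLOWED_SOURCES):
    """Return policy findings for one firewalld zone definition; an empty list means compliant."""
    findings = []
    zone = ET.fromstring(zone_xml)
    # Default-deny: traffic matching no explicit rule must be dropped, not left to the zone default.
    if zone.get("target") != "DROP":
        findings.append(f"target is {zone.get('target') or 'default'}, expected DROP")
    # A zone-level <service> or <port> accepts from every source and so bypasses the source whitelist.
    for child in zone:
        if child.tag in ("service", "port"):
            findings.append(f"zone-level <{child.tag}> {child.get('name') or child.get('port')} is open to any source")
    for rule in zone.iter("rule"):
        if rule.find("accept") is None:
            continue  # drop/reject rich rules only tighten the policy
        source = rule.find("source")
        if source is None or source.get("address") is None:
            findings.append("accept rule without a source address restriction")
        elif not _within_allowed(source.get("address"), allowed):
            findings.append(f"accept rule from {source.get('address')} is outside the approved ranges")
        if rule.find("service") is None and rule.find("port") is None:
            findings.append("accept rule is not scoped to a service or port")
    return findings


# Constructed sample zones (not real server files): one compliant, one violating the policy.
COMPLIANT_ZONE = """<zone target="DROP">
  <short>Drop</short>
  <rule family="ipv4"><source address="192.168.124.0/24"/><service name="ssh"/><accept/></rule>
  <rule family="ipv4"><source address="192.168.120.0/23"/><port port="53" protocol="udp"/><accept/></rule>
</zone>"""

NONCOMPLIANT_ZONE = """<zone target="default">
  <service name="ssh"/>
  <rule family="ipv4"><source address="10.0.0.0/8"/><service name="http"/><accept/></rule>
  <rule family="ipv4"><source address="192.168.124.0/24"/><accept/></rule>
</zone>"""
```

Running `check_zone(NONCOMPLIANT_ZONE)` yields four findings (wrong target, an unrestricted zone-level service, an accept from an unapproved range, and an accept not scoped to a service); the compliant zone yields none.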

Layer 3 — Operating System Hardening

  • Rocky Linux 8 CIS Benchmark applied to all four servers
  • SELinux in enforcing mode
  • Minimal package installs — no GUI, no unnecessary services
  • Automatic security updates via dnf-automatic
  • AIDE daily file integrity monitoring

Layer 4 — Service Hardening

  • BIND running in chroot jail
  • All admin interfaces (Webmin, Grafana, Kibana, Prometheus) restricted to management network
  • SSH: root login disabled, key authentication only, management network source restriction
  • Service accounts use nologin shell

Layer 5 — Access Control

  • Single named admin user per role (dnsadmin on SKY/RAIN, monitadmin on SUN/WIND)
  • Password policy: 14-character minimum, 90-day maximum, 5-attempt lockout
  • sudo with full logging; all privileged commands are audited
  • SSH public key authentication only

Layer 6 — Encryption

  • DNSSEC: All wdc.us.gl3 zone responses are cryptographically signed (ZSK + KSK)
  • VPN: IKEv2 with AES-256-GCM for all on-prem to GCP transit
  • Backups: Encrypted in transit (VPN) and at rest in GCS
  • Webmin TLS on all four servers

Layer 7 — Monitoring & Detection

  • Prometheus scrapes all four servers every 15 seconds
  • Grafana P1–P4 alerting with defined escalation paths
  • ELK stack centralizes and indexes all logs from SKY and RAIN
  • Dedicated index for firewall drops, auth events, and DNS activity

Layer 8 — Backup & Recovery

  • Daily automated backups on all four servers
  • ESXi snapshots: daily, weekly, monthly
  • Offsite backup to GCS via encrypted VPN tunnel
  • Defined RTO/RPO for each server (see WDC On-Premises)

Layer 9 — Compliance & Auditing

  • CIS Controls v8 at 100% across all four servers
  • auditd rules capture DNS changes, DHCP events, SSH logins, and sudo activity
  • Monthly CIS compliance checks by Security Ops
  • Change log maintained at /var/log/asset-inventory.log

Control Mapping

See CIS Controls v8 and PCI DSS Compliance for the full control-to-implementation mapping.


Defense In Depth · v1.1 · 2026-03-14 · GPUS-IT · Classification: CONFIDENTIAL — Internal Use Only