Standardization and compliance: why Afnic chose Rudder?

AFNIC (French Association for Cooperative Internet Naming) operates the country code top-level domain “.fr” (over 4 million registered domain names) as well as several other TLD of overseas departments and territories, and a dozen of generic TLD. As the “.fr” registry manager, Afnic has been ISO 27001 certified since 2016 and designated as an Essential Service Operator (OSE) in 2019 (an operator providing a service that depends on network and information systems and essential for maintaining critical societal and/or economic activities). This entails significant security and compliance obligations.

To meet these more effectively, Afnic has chosen to rely on the French open-source “systems infrastructure management” solution Rudder.

Make industrialization more reliable in term of compliance

Afnic infrastructure is composed of several hundred nodes (one node is a physical or cloud system such as a server, a desktop…). Whose deployment industrialized through templates. “It’s ideal to standardize a fleet. The issue is that once in production, some systems’ configurations can drift. So we had to update the templates every month and run campaigns to check the configurations regularly. We were looking for a tool able to continuously deploy and update our security policies without having to apply templatesco, without needing to manually access systems”.
Regularly audited, in particular for ISO 27001 certification, Afnic also had difficulty proving the correct application of security rules: “We are using Ansible to provision systems and apply templates. Ansible is very efficient at executing commands, but there is no reporting. Unless we explore the logs, a failure in the application of the template can be missed. And this tool is designed to deploy systems, not to maintain their state over time. However, some actions can cause problems: for instance, cloning a system without being sure that the configuration is correct or the most recent.”
This is precisely what Rudder brings to Afnic: maintenance in operational and security conditions. “It is no longer necessary to log into the systems: everything is centralized with Rudder ; we push our rules and they are deployed, monitored and enforced. If there is a drift because of human action or update, Rudder raises an alert and restores the configurations to the required state. The team saves time and gains more peace of mind.”
Incidentally, Rudder also helped Afnic implement a minimization policy: “when installing a Linux server, it carries by default services that are not necessary for us. Now we remove unnecessary things and it’s beneficial for performance and safety”.

An easy-to-use tool

Afnic liked the idea that Rudder is a French solution. But it was not the only reason why Afnic chose Rudder. Compared to other solutions on the market, Rudder has the advantage of being easy to learn and use, especially thanks to its ergonomic graphical user interface, which allows it to create rules and acts as a dashboard. “Previously, we were using inventory applications. With Rudder, we have an overview of the entire fleet and we can create dynamic groups to gather systems that must be configured in a similar way. It only takes a glance to view all compliance-related items and recent change history. We have developed a script through the REST API (which allows for data extraction and also command line management of the different Rudder features) that retrieves the information and produces a graph with the compliance history for our CISO.”
The rule definition is also very intuitive: “There’s no need to learn a new language: a sys admin can easily create rules once he has the logic”. In terms of architecture, it’s just as simple: “Rudder runs on a single server for now, which is connected to the agent installed on each system in the infrastructure. Later, we may add relay servers, without it becoming a convoluted mess. The same goes for Rudder updates, which we do on our own without worrying.” As a result, the standardization provided by Rudder, initially adopted for the infrastructure perimeter that manages the .fr, has been extended to other top-level domains. For Afnic, simplicity is “the assurance of maintaining control and not being dependent on a service provider.”
Technique editor Rudder
Furthermore, Rudder works on heterogeneous infrastructures, in terms of operating system and distribution versions. “We now have a deployment system managed by Ansible, which calls Rudder’s REST APIs to register new systems. Once in the right group, based on the criteria previously defined to create these dynamic groups, the new server inherits all the properties of the group and the rules are automatically applied. It’s impossible to forget anything, this makes the process reliable. Even in case of network failure, Rudder tries again 5 minutes later, until the machine is properly configured. Whatever happens, we always land on our feet and that’s very reassuring.”

Robustness and adaptability

“We have about twenty rules, including some testing rules. We also have directives (instance of a technique, that defines the parameters of the latter) to update packages, check that a service is running… For access rights on systems, we use configuration file templates applied by Rudder through its templating engine.”
Configuration rules Rudder

Since installing Rudder a year and a half ago, Afnic has extended its use to its microservices architectures on Kubernetes, without any particular issues: “Kubernetes nodes are managed by Rudder as if they were physical systems or VMs.” And, whatever happens, Afnic can rely on Rudder responsive support: “We are generally autonomous: we ask Rudder for a review every year to make sure everything is in order. Otherwise, the support is efficient: we quickly get a workaround, if not an immediate complete resolution of the issue, as well as valuable advice to understand why a rule is not applied as we expected.”

Share this post

Scroll to Top
Rudder robot named Ruddy makes an announcement.

Release 8.2: simplify IT security compliance with Policy and benchmark solution

Security management module details

This module targets maximum security and compliance for managing your infrastructure, with enterprise-class features such as:
Learn more about this module on the Security management page

Configuration & patch management module details

This module targets maximum performance and reliability for managing your infrastructure and patches, with enterprise-class features such as:

Learn more about this module on the Configuration & patch management page