Service Provider Technical Overview
BlueTie has been recognized repeatedly as an industry leader for its ability to stay ahead of messaging and collaboration trends, while delivering a completely secure, reliable, and scalable hosted solution. Our primary goal is to ensure that all of our end-users receive the highest levels of performance and accessibility.
Security
BlueTie currently works with Tier-1 data center providers in addition to a BlueTie fully-owned and operated facility to provide the highest levels of physical security for our hosting infrastructure. Having secure servers is of paramount importance; however, BlueTie feels that the physical systems and subsystems designed to protect the infrastructure are equally important.
BlueTie’s primary facility is operated by an industry-leading telecommunications provider and is located outside of the metropolitan New York City area (company and exact location not disclosed for security reasons). This facility, in addition to hosting BlueTie’s application infrastructure, is responsible for several high-profile Web-based companies as well as backbone infrastructure for one of the largest local, long distance and network service providers in the United States. The physical infrastructure of this facility was designed to withstand both natural and man-made assaults and is guarded by highly trained security personnel at all times.
Facility Access
Authorization for access and entrance into the facility consists of multiple layers of verification. The perimeter of the facility is protected by security gates which can be controlled only by security personnel within the building after the first video-based and access control list verifications have been completed. Once within the perimeter of the facility, security personnel again unlock the main doors for entrance into the lobby and man-trap area. This stage of authorization requires visitors of the facility to surrender any personal items, including cellular phones, packages, laptops and bags for inspection as well as surrender personal, government-issued identification for further verification. All authorized individuals are provided security access cards which then can be used to access the main data center floor.
Man Traps
When visitors enter a BlueTie data center, they must first pass through a man-trap system. This system is designed to capture the individual on video surveillance systems while also detaining the individual until further security verification can be completed.
Security Personnel
Upon successful verification of identity while in the man-trap system, security personnel who control physical access to the data center floor then greet the visitor and provide temporary access cards and cabinet/cage keys for physical access to the equipment once on the data center floor.
Access Logs and Key Tracking
The security personnel keep access control logs which detail the entrance and exit times of all visitors to the facility, in addition to real time access logs of every successful or unauthorized attempt to access doors within the facility with the issued temporary access card. Keys for customer cabinets and cages are available only to those who are on the BlueTie access control list. These keys are stored in a Key-Trax vault, which monitors security personnel’s access to the vault as well as the physical location of the keys at all times. All access control logs are available to BlueTie for review.
Biometric Access Control Systems
Portions of the BlueTie data centers utilize state-of-the-art biometric scanning equipment for access to highly sensitive and restricted areas. These thumbprint or hand identifications provide the highest level of security and report access attempts to the central access control logs. To ensure only authorized individuals can access these rooms, a minimal number of operations staff are enrolled into these systems.
Continuous Video Surveillance
BlueTie’s primary data center operates in excess of 100 high-resolution, 360 degree, pan, zoom and tilt cameras. More than 20 cameras of similar abilities are located in alternate BlueTie facilities. These cameras record all movement in the facility 24x7x365 and can be enabled for remote administration and surveillance purposes. Access to these video files can be granted at the request of authorized BlueTie personnel.
Motion Sensors
Motion sensing equipment in the data center is linked to the video surveillance system, which in turn automatically alerts security personnel of movement within the facility and repositions cameras in the direction of the motion to ensure this movement is captured.
Data Centers
BlueTie’s data center facilities are fitted with industry-leading power and environmental controls to ensure proper operating temperatures, humidity, backup and clean power are available at all times.
The primary facility operates on two independent power grids which supply utility service to the facility. This utility service is then conditioned and sent through UPS systems which then feed each of the cabinets on A and B UPS systems. This design, also known as a “wet-power” infrastructure, ensures that cutover to battery backup systems is instantaneous and eliminates any potential for failure during a cutover procedure from utility to backup power. BlueTie’s architecture requires that all systems housing customer data are cross connected to both the A and B power feeds provided in rack enclosures. This ensures that the unlikely event of loss of power on one half of the grid will not affect these systems. Clustered systems are dispersed amongst the grids to ensure that no single cluster of systems can fail as a result of a grid failure.
In the event of a utility power outage, the primary data center is fitted with three 3-megawatt diesel generators which are immediately engaged via transfer switch mechanisms. These generators supply power to the UPS system to restore depleted battery systems and provide constant power to cabinets and rack enclosures. Similar infrastructure exists at the alternate data center location, both of which maintain a diesel supply sufficient to provide power to the facility continuously for multiple days. Contracts and arrangements are in place with multiple diesel providers should a situation arise where a long-haul outage is imminent.
BlueTie’s primary data center facility utilizes Liebert 40-Ton air handling systems, positioned throughout the facility to provide cooling to servers. This glycol, chilling tower system is designed to utilize cold northeast temperatures during winter months to chill the facility, while in the summer months utilizing the cooling tower systems. Cooled and dehumidified air is pumped throughout the facility in an intricate under-floor system which ducts out of the floors directly in front of server equipment, allowing this equipment to pull cool air through the server chassis and exhaust through the rear of the cabinet. These systems are computer controlled to maintain a constant operating temperature of 69 – 71 degrees at all times, with relative humidity ranging from approx. 53 – 61%. In addition to data center monitoring systems of these environmental controls, additional sensors are installed throughout the facility and immediately notify operations personnel of any fluctuation in temperature so that appropriate actions may be taken.
Network Infrastructure
BlueTie’s network infrastructure has been designed with security and scalability in mind. BlueTie uses industry-leading suppliers of routing, switching, load balancing and firewall equipment to ensure a secure, optimized and low latency network for internal server communication and connection to the backbone infrastructure, ultimately connecting to the Internet.
Peering Relationships
BlueTie’s contract with our primary data center provides us with access to several major ISP network gateways to the internet. A combination of multiple OC-192, OC-48 and OC-12 connections from multiple carriers, routed across both primary and secondary feeds to BlueTie’s perimeter routing equipment provides BlueTie with extremely high redundancy to the Internet. BlueTie’s alternate data center facility is serviced by two major ISPs equipped with automatic failover mechanisms.
Routing Infrastructure
BlueTie utilizes Cisco carrier-class routing systems to connect our data centers to backbone networks which supply Internet access to the BlueTie application. These routers are configured for automatic failover between primary and secondary networks, in addition to participating in our BGP implementation to ensure packets are routed efficiently and through the most readily available network.
Firewalls
BlueTie uses a combination of Cisco PIX and SonicWall firewall technology to ensure our network infrastructure is secure against perimeter attacks on the BlueTie network. Our firewalls and security control mechanisms control access to specific ports and provide deep-packet inspection, DoS/DDoS prevention, IP filtering and more.
Switching Infrastructure
BlueTie utilizes Cisco carrier-class switching equipment to provide aggregate connectivity to our server infrastructure. These switches are equipped with fully-redundant processing modules and power supplies to provide high levels of availability. The switching infrastructure is fully-meshed with multiple, redundant pathways between switches to ensure a single failure does not compromise the entire infrastructure.
Load Balancing
BlueTie’s application and network infrastructure relies on F5 Networks load balancing technology. This technology is specifically configured to constantly monitor all network and server services and actively remove equipment and reroute connections should a failure occur within the infrastructure. This equipment allows BlueTie to fail over stateful connections to alternate standby systems to ensure customers can continue working with the BlueTie application without interruption.
Inter Data Center Connectivity
BlueTie’s data centers are connected using virtual private network systems. These systems allow for the seamless, encrypted communication of servers and operators between facilities. Remote administrative access to BlueTie’s systems is also accomplished using the VPN system.
Systems Infrastructure
BlueTie’s systems infrastructure has been designed from the beginning to support high levels of customer utilization and large volumes of incoming and outgoing email. BlueTie’s approach to system architecture and high-availability includes the use of clusters of servers built on low-end commodity hardware, brought into and out of service by “smart” load balancing technology which can detect failures at the system and service level. This approach allows BlueTie to operate substantially more servers, all performing the same action, thereby reducing the potential for a single server to cause noticeable application outages to the end user.
Front-End Application Servers
BlueTie’s front-end application servers, built on ultra-reliable Linux/Apache platforms, are designed to deliver the browser-based collaboration product to BlueTie users. These stateless systems are responsible for serving page and image content as well as assembling the presentation layer of the BlueTie collaboration application. Each of these servers is monitored for uptime, performance and overall availability by our central monitoring systems, which are responsible for notifying IT Operations personnel of outages or other server problems. Each server is also monitored by our load balancing system, which is responsible for automatically removing systems from service should they encounter any problems. When a server is removed from active service by the load balancing equipment, this equipment also seamlessly transfers the customer’s connections to an alternate available node, thereby eliminating any noticeable outages or errors within the collaboration system.
Customer POP/IMAP and SMTP Servers
BlueTie operates a large cluster of POP/IMAP and SMTP servers which are responsible for providing these services to users who wish to use more traditional desktop clients such as Thunderbird, Outlook or Outlook Express. Similar to the front-end application servers, these systems are also monitored for performance by our central monitoring system, in addition to our automated load balancing solution. Outages in these clusters are handled in a similar fashion to the Front-End Application Servers.
Inbound and Outbound SMTP Servers
BlueTie manages two clusters of servers responsible for the transit of mail between service providers. Our inbound SMTP cluster is responsible for accepting connections from other service providers on the Internet and applying perimeter-level spam detection (RFC compliance checks). Inbound servers then hand off email to BlueTie’s SPAM and Virus filtering systems for analysis before it is ultimately delivered to the user’s INBOX. The outbound SMTP cluster is responsible for sending mail outbound to other service providers from BlueTie users. This cluster also performs some perimeter-level SPAM detection to ensure BlueTie users are not violating TOS agreements.
Databases
BlueTie utilizes two primary database platforms to store user data and various information regarding user accounts: Oracle Enterprise 9i and PostgreSQL. These systems are configured in redundant, fully-replicated pair clusters to ensure all data is available to users at all times. Data is committed to the primary “active” server and then committed on the secondary “standby” server. In both platforms, automated failover mechanisms allow the databases to switch between active and standby quickly and without operations personnel intervention to ensure systems are online and available at all times for customer access to data.
LDAP Directory Services
BlueTie’s core application, email, is designed around a complex directory system housed in LDAP. This directory is responsible for providing the necessary information to processing systems so that they may route email to the appropriate destination. BlueTie operates a large cluster of “read-only” LDAP servers which provide processing systems rapid access to data, and also operates a pair of “master” servers, which are responsible for storing changes or entries to LDAP data, and then replicating down to the “read-only” cluster.
Mail Storage Servers
BlueTie’s Mail Storage servers are custom built using enterprise class Red Hat operating systems. These systems are responsible for the storage of user email and attachments as well as the indexing of those emails for fast retrieval and display to customers using the web interface. The systems are built fully redundant and utilize RAID-5 disk arrays to ensure reliable storage of user data. The mail storage servers deliver user email to the web application as well as customer POP and IMAP servers. These units are backed up using enterprise class backup and restore technology to large scale disk arrays for recovery purposes.
Administration via XML API or Extranet
BlueTie supports an XML-driven Application Programming Interface (API) for our Service Provider partners, allowing them to readily integrate BlueTie into their existing provisioning, customer service, billing, and technical systems. The API provides all of the tools necessary to create and manage accounts, retrieve data, and provide a complete list of users. For those who wish to augment or replace their use of the API, BlueTie also offers its partners a Web-based provisioning, administration, and reporting Extranet. In addition to providing administrators with all of the power of our API, Extranet users can private label the BlueTie interface for their customers.
Spam & Virus Filtering
Recent reports from statistical analysis companies have estimated that 75% - 85% of all messages processed by email delivery systems are considered spam. This staggering number, in combination with skillful and elusive spammers and techniques, has left the email service industry struggling to defend its customers. BlueTie’s spam filtering infrastructure helps to deter unwanted messages and ensure only valid messages are delivered to your inbox.
DNS and RFC compliance checks
Spammers tend to construct message delivery systems in very careless ways, oftentimes not adhering to Internet mail specifications and many times utilizing hijacked personal computers to execute campaigns. The process of filtering spam messages begins at BlueTie’s perimeter inbound mail exchange clusters. These servers are configured to examine connections made to them for specific criteria: the means by which the connection was established, the validity of server identification commands, the frequency and speed with which connections are made, and the proper protocol followed (or in many cases not followed) when negotiating the handoff of an email message. Servers or PCs that send email either from illegitimate locations or in a non-compliant manner are rejected for these violations, ensuring that spam filtering servers further into the delivery platform are not overburdened processing obvious junk email.
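The perimeter checks described above (identification command validity, connection frequency, and protocol sequence), sketched as an added example that is not BlueTie's code. The class name, the limits of 5 connections per 60 seconds, and the rule that a HELO/EHLO identity must be a dotted domain or IPv4 address literal are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque

# Assumed limits for illustration; the page does not give BlueTie's values.
MAX_CONNECTIONS = 5      # connections allowed per source IP ...
WINDOW_SECONDS = 60.0    # ... inside this sliding window

# HELO/EHLO identity policy: a dotted domain name or an IPv4 address literal.
# (IPv6 literals are left out to keep the example short.)
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")
_ADDR_LITERAL = re.compile(r"^\[(?:\d{1,3}\.){3}\d{1,3}\]$")

# Envelope verbs each session state accepts next, and the state they lead to.
_NEXT = {"start": {"HELO", "EHLO"}, "greeted": {"MAIL"},
         "mail": {"RCPT"}, "rcpt": {"RCPT", "DATA"}}
_STATE_AFTER = {"HELO": "greeted", "EHLO": "greeted", "MAIL": "mail",
                "RCPT": "rcpt", "DATA": "data"}


class PerimeterGate:
    def __init__(self):
        self._seen = defaultdict(deque)  # source IP -> connection times

    def rate_ok(self, ip, now):
        """Sliding-window check on how often one source connects."""
        window = self._seen[ip]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        window.append(now)
        return len(window) <= MAX_CONNECTIONS

    def check_session(self, ip, now, commands):
        """Return (accepted, reason) for one session's command lines."""
        if not self.rate_ok(ip, now):
            return False, "connection rate exceeded"
        state = "start"
        for line in commands:
            verb, _, arg = line.strip().partition(" ")
            verb = verb.upper()
            if verb in ("NOOP", "QUIT"):   # harmless in any state
                continue
            if verb not in _NEXT.get(state, set()):
                return False, f"{verb} out of sequence"
            if verb in ("HELO", "EHLO") and not (
                    _FQDN.match(arg) or _ADDR_LITERAL.match(arg)):
                return False, "invalid HELO/EHLO identity"
            state = _STATE_AFTER[verb]
        return True, "ok"


# Constructed sample sessions (documentation addresses and domains).
COMPLIANT = ["EHLO mail.example.org", "MAIL FROM:<a@example.org>",
             "RCPT TO:<b@example.net>", "DATA", "QUIT"]
BAD_IDENTITY = ["HELO friend", "MAIL FROM:<a@example.org>"]
NO_GREETING = ["MAIL FROM:<a@example.org>", "RCPT TO:<b@example.net>"]

if __name__ == "__main__":
    gate = PerimeterGate()
    for name, session in [("compliant", COMPLIANT),
                          ("bad identity", BAD_IDENTITY),
                          ("no greeting", NO_GREETING)]:
        print(name, gate.check_session("192.0.2.10", 0.0, session))
```

Rejecting at this stage costs one regular-expression match and a deque update per connection, which is why it is placed ahead of the heavier content filters.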
Known Spam Sources (Zombies, Open Relays, Identified Spam Companies, etc)
Once initial verification of proper protocol has been completed and the perimeter tests have passed, messages then make their way into BlueTie’s anti-spam filtering cluster. Because legitimate messages can oftentimes “trip” a spam alert, BlueTie takes care to ensure that no single rule can effectively mark a message as spam. Instead, BlueTie uses a combination of rules (all weighted depending on severity) that add up to a message’s “spam score.” This spam score is then matched against a user-assigned threshold. BlueTie actively checks message source IP addresses against a BlueTie community RBL (Real Time Blacklist), which is fed through a complaint system called “mark-as junk” within the BlueTie application, and also verifies them against well-known RBLs such as SPAMCOP, SORBS, and SURL. Together these RBLs are very effective in driving the spam score for an individual email to the appropriate levels to be blocked.
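The weighted scoring described above, sketched as an added example that is not BlueTie's code. The zone names, listings, rule names and weights are constructed, and capping each hit at 90% of the user's threshold is one assumed way to guarantee that no single rule marks a message as spam.

```python
import ipaddress

# Constructed DNSBL zones (with weights) and listings so the example runs
# offline; a real deployment would resolve the query name over DNS instead.
ZONES = {"community.rbl.example": 3.0, "public.rbl.example": 2.5}
LISTED = {
    "10.113.0.203.community.rbl.example",
    "10.113.0.203.public.rbl.example",
    "77.100.51.198.public.rbl.example",
}


def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, zone, resolver=LISTED.__contains__):
    """True when the query name resolves (here: is in the constructed set)."""
    return resolver(dnsbl_query_name(ip, zone))


def content_rules(message):
    """Hypothetical content rules; each yields (name, weight) when it fires."""
    if message.get("subject", "").isupper():
        yield "subject_all_caps", 1.0
    if message.get("html_only"):
        yield "html_without_text_part", 1.5
    if message.get("url_count", 0) > 10:
        yield "many_urls", 2.0


def spam_score(message, threshold):
    """Sum weighted hits; cap each hit so one rule alone stays below threshold."""
    hits = list(content_rules(message))
    hits += [(f"rbl:{zone}", weight) for zone, weight in ZONES.items()
             if is_listed(message["source_ip"], zone)]
    cap = threshold * 0.9  # assumed cap: a single hit reaches at most 90%
    capped = [(name, min(weight, cap)) for name, weight in hits]
    score = sum(weight for _, weight in capped)
    return score, score >= threshold, capped


if __name__ == "__main__":
    # Constructed messages: one source on both lists, one on a single list.
    both = {"source_ip": "203.0.113.10", "subject": "Meeting notes"}
    one = {"source_ip": "198.51.100.77", "subject": "Meeting notes"}
    print(spam_score(both, threshold=5.0))   # two RBL hits cross 5.0
    print(spam_score(one, threshold=5.0))    # one RBL hit stays below 5.0
    print(spam_score(one, threshold=2.0))    # strict user: hit capped at 1.8
```

With a strict user threshold of 2.0, the single 2.5-weight listing is capped and the message is still delivered; it takes a second independent signal to block it.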
Virus, Phishing, HTML/Browser/Outlook Hijacking Filters
BlueTie utilizes ClamAV, an award-winning antivirus system designed to analyze not only email attachments, but the entire email message for known threats and phishing attempts. This system attempts to clean attachments that have been contaminated and if unsuccessful will automatically delete the attachment. Users can select how BlueTie should treat these messages once scanned. In addition to attachment filtering, BlueTie’s antivirus system also scans the content of the email, looking for any code that could potentially hijack a user’s browser session or Outlook account simply by opening the email. These messages are immediately flagged for viruses.
User Interface
Private Labeling
BlueTie supports a comprehensive private labeling solution to ensure that end users see only your brand - not BlueTie's. Our private labeling opportunities encompass the Web client, the End User License Agreement, new user welcome emails, support pages, marketing materials, and more. This broad private labeling availability allows Service Providers to continue to own the relationship with their customers, and to build brand loyalty through the use of a customized interface.
Enterprise Manager
BlueTie uses the term 'enterprise' to describe a collection of end user accounts - or mailboxes - belonging to a common entity (usually a small to mid-sized business) and sharing a common domain name. The BlueTie Enterprise Manager application provides account administrators with a centralized, Web-based interface for managing their enterprise account. Enterprise Manager combines features including mailbox creation, deletion and locking, assignment of default settings, and a division-based hierarchical control system.
Multiple Client Support
BlueTie's advanced architecture allows end-users to connect via our award-winning AJAX web client, via POP3 or IMAP4 desktop clients like Microsoft Outlook™, or via their WAP 2.0-enabled mobile devices. No special hardware or software is required to use BlueTie. Our web client currently supports all popular Java-enabled Web browsers, including Firefox 1.5/2.0 (Windows, Mac OSX, and Linux) and Microsoft Internet Explorer 5.0 – 7.0 (Windows).

