Data Centric MLS RHEL Ecosystem
CSCF
UNCLASSIFIED
UNCLASSIFIED
© 2015 Lockheed Martin Corporation. All Rights Reserved.
Data Centric MLS RHEL Ecosystem
Sarah Storms
Altair PBS User Group
September 2015
Agenda
• Data-centric MLS RHEL
• Historical Perspective
• Ecosystem Description
Data-Centric MLS RHEL
• In a sentence:
  – Data, processes, users, etc. are given a security label commensurate with their security level
• Security Label Application
  – Networks
    • Data and users arriving on a particular network are labeled at the level of the network
  – Users
    • Users are labeled based on the network they are arriving on
    • Some exceptions allowed for compartments
  – Data, Objects and Processes
    • Data, objects, and processes are labeled based on the security label of the user or process that created them
Data-Centric MLS RHEL
• Labeling Parts – Summary Definition of Security Labeling

Sensitivity Levels:
  S15
  S14
  S13
  S12
  S11  TS SCI Compartment
  S10  TS SCI ST
  S9
  S8
  S7   DoD TS/SAP/SAR
  S6   DoD TS
  S5   DoD S/SAP/SAR
  S4   DoD S
  S3
  S2
  S1   Unclassified
  S0   Special Unclassified

Compartments:
  C0           Used to be special, unused today.
  C1           Look Down/Pull Up for UNCLASSIFIED/ITAR
  C2
  C3
  C4
  C5
  C9-C99       Reserved for DoD and Coalition countries.
  C100-C200    DoD S, DoD TS SAP/SAR caveats
  C201-C299    SCI RV World Caveats
  C300-C399    C300-C350 for Coalition Share Points or Bi- and Tri-Lateral sharing, e.g. NATO, SEATO, etc.
  C400-C499
  C500-C599    Compartmented Caveats
  C600-C699
  C700-C799
  C800-C899
  C900-C999
  C1000-C1023
Data-Centric MLS RHEL
• Security Labels (Sensitivity, Compartments)

  UNCLASSIFIED        S1
  UNCLASSIFIED/ITAR   S1   C1   Using DAC owned by Admin to separate ITAR projects

  DoD (columns: NF | USA | OTC 1 | OTC 2 | OTC 3 | OTC 4)
  DoD S    S4   NF: C1,C9.C99 | USA: C9 | OTC 1: C10 | OTC 2: C11 | OTC 3: C12 | OTC 4: C13
  DoD TS   S6   NF: C1,C9.C99 | USA: C9 | OTC 1: C10 | OTC 2: C11 | OTC 3: C12 | OTC 4: C13
  Bi- and Tri-lateral agreements: separate logins; labels add C300-C399, where C3xy labels are associated with agreements.

  DoD SAP/SAR (columns: Gov/CSCF | N World | D WRLD A | D WRLD B | D WRLD C | D WRLD D | D WRLD E)
  DoD S/SAP/SAR    S5   C1,Cy   Gov/CSCF: C1,C9.C99,C101,C103.C199 | N World: C1,C9.C99,C102 | D WRLD A: C1,C9.C99,C103 | D WRLD B: C1,C9.C99,C104 | D WRLD C: C1,C9.C99,C105 | D WRLD D: C1,C9.C99,C106 | D WRLD E: C1,C9.C99,C107
  DoD TS/SAP/SAR   S7   C1,Cy   Gov/CSCF: C1,C9.C99,C101,C103.C199

  SCI (columns: NF | REL FVEY | USA | OTC 1 | OTC 2 | OTC 3 | OTC 4)
  TS SCI   S10   NF: C1,C9.C99 | REL FVEY: C9.C13 | USA: C9.C13 | OTC 1: C9.C13 | OTC 2: C9.C13 | OTC 3: C9.C13 | OTC 4: C9.C13

  TS SCI RV World (columns: T Type | K Type | R Type | ? Type)
  TS SCI RV World   S10   C1,Cy   T Type: C1,C9.C99,C201 | K Type: C1,C9.C99,C202 | R Type: C1,C9.C99,C203 | ? Type: C1,C9.C99,C204

  TS SCI Compartment (columns: Hallway | R World | T World | B World | ? World | Fusion Program)
  TS SCI Compartment   S11   C1,C9.C99,Cy   Hallway: C1,C9.C99,C500.C503 | R World: C1,C9.C99,C501 | T World: C1,C9.C99,C502 | B World: C1,C9.C99,C503 | ? World: C1,C9.C99,C? | Fusion Program: C1,C9.C99,C500.C502,C504,Cy (y=201-299)
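As an added illustration (not code from the deck or from CSCF), the following Python parses labels written in the deck's S-level / C-compartment notation, or the equivalent SELinux form, and applies the dominance rule that decides which labeled data a labeled user or process may read or write. Function names are my own, and the read/write rules assume the Bell-LaPadula properties rather than any specific SELinux policy.

```python
"""Parser and dominance check for the S-level / C-compartment labels in the deck.
Accepts "S6 C1,C9.C99" and the SELinux form "s6:c1,c9.c99"; '.' is an inclusive range."""
import re
from dataclasses import dataclass, field

MAX_LEVEL, MAX_CAT = 15, 1023  # S0..S15 and C0..C1023, per the slide-4 definition
_LABEL_RE = re.compile(r"\s*[sS](\d+)\s*:?\s*([cC0-9,.\s]*)")

@dataclass(frozen=True)
class Label:
    level: int                                          # sensitivity S0..S15
    cats: frozenset = field(default_factory=frozenset)  # compartment numbers

def parse_label(text: str) -> Label:
    """Parse one label, expanding ranges; rejects malformed or out-of-range parts."""
    m = _LABEL_RE.fullmatch(text)
    if not m:
        raise ValueError(f"malformed label: {text!r}")
    level = int(m.group(1))
    if level > MAX_LEVEL:
        raise ValueError(f"sensitivity S{level} exceeds S{MAX_LEVEL}")
    cats = set()
    for part in filter(None, m.group(2).replace(" ", "").upper().split(",")):
        lo, _, hi = part.partition(".")
        lo_n = int(lo.lstrip("C"))
        hi_n = int(hi.lstrip("C")) if hi else lo_n
        if not 0 <= lo_n <= hi_n <= MAX_CAT:
            raise ValueError(f"bad compartment range {part!r}")
        cats.update(range(lo_n, hi_n + 1))
    return Label(level, frozenset(cats))

def dominates(a: Label, b: Label) -> bool:
    """a dominates b: a's level is at least b's and a holds every compartment of b."""
    return a.level >= b.level and b.cats <= a.cats

def can_read(subject: Label, obj: Label) -> bool:
    """Bell-LaPadula simple security property (assumed here): no read up."""
    return dominates(subject, obj)

def can_write(subject: Label, obj: Label) -> bool:
    """Bell-LaPadula *-property (assumed): no write down; SELinux mlsconstrain rules may be stricter."""
    return dominates(obj, subject)

if __name__ == "__main__":
    dod_ts, dod_s = parse_label("S6 C1,C9.C99"), parse_label("S4 C1,C9.C99")
    uncl, itar = parse_label("S1"), parse_label("S1 C1")
    print("DoD TS user reads DoD S data:", can_read(dod_ts, dod_s))   # True
    print("DoD TS user writes DoD S data:", can_write(dod_ts, dod_s))  # False
    print("UNCLASSIFIED user reads ITAR data:", can_read(uncl, itar))  # False
```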
Government Application
[Diagram: Non-MLS Operating Picture, with analyst workstations and HPC servers and storage labeled U, S and TS, beside the MLS Operating Picture, with an MLS Analyst Workstation, a Department or HPC Server and a Secure Data Appliance. Caption: Consolidates hardware and enables analyst driven data fusion.]
Commercial Application
[Diagram: Pre-MLS System Configuration. Elements: Retail Store; Credit Card Processing, PII, Approvals; "Bad Guy" Egress Point; Internet. Network Access Table (assumes firewalls in place), with unencrypted and encrypted links.]
Commercial Application
[Diagram: MLS System Configuration. Elements: Retail Store; Credit Card Processing; PoS Interactions; MLS Database; Store 1 Apps and Store 2 Apps; Credit Card 1 Apps and Credit Card 2 Apps; Other Company Processing and Inventory, etc. Apps; Internet; sensitivity levels S1, S2, S3 and S4 marked on the diagram. Network Access Table (assumes firewalls in place), with unencrypted and encrypted links.]
RHEL MLS Configuration Benefits
– RBAC – limits insider threat
– MLS – isolates functions to limit damage
– Encryption – eliminates egress points for Trojans
Historical Perspective
• The CSCF program has leveraged data-centric MLS OS configurations for the last 20+ years
– Minimize hardware, licensing, OS configuration, manpower costs
– Maximize flexibility, data fusion, system utilization
• MLS requires a full ecosystem to be truly useful
– OS configuration
– Resource management
– Direct and Network attached storage
• Including long haul data sharing
– System Monitoring including audit reduction
– Databases
MLS Partners
Current Capabilities
• LMC/CSCF/WF
• Red Hat
• Altair
• Seagate/Xyratex
• Mellanox
• ViON
• Bay Microsystems
• SGI
• Cray
• DoE LANL
• DoD HPCMO
• Splunk
• Crunchy Data Systems
• Filius
  – RPI Consulting
  – CSC
CSCF Capabilities and Path Forward
• ICD 503 Certification for Ecosystem
  – Running at CSCF in operations
  – Classified tours and demonstrations available
• System configurations
  – Single System Image RHEL 6.5+ under ICD 503
  – Cluster Configuration RHEL 6.5+ under IATT
• Direct attached RAID
  – Under xfs and EXTx (others also handle MAC); ICD 503 certified
• Configuration Management
  – SCAP through open source
    • OVAL will be added for mitigation after training
  – Subversion
    • Privileged User Guide (PUG)
    • Specialized scripting
LMC Capabilities and Path Forward
• Configuration Objective
  – Provide SCAP profile, SVN repositories, and PUG to allow easy build of unclassified CSCF configurations
    • Support vendor unclassified debugging of CSCF problems
    • Support new government customer interest in MLS to consolidate rather than duplicate
• MLS Ecosystem Objective
  – Provide MLS capable versions of software capabilities integrated with the MLS RHEL configuration to solve complex system configuration and support problems
• Unified Cross Domain Services Management Office (UCDSMO) Engagement
  – LMC/CSCF will be coordinating
POC: Joe Swartz, [email protected]
Red Hat
• Red Hat has worked closely with CSCF to ensure that all capabilities are included in the RHEL product
– Fixed SELinux and MLS policy issues as identified
– Added new or modified capabilities as requested
– Supported documentation
– Supported Government security meetings as needed
– Fully supported other vendors as they created MLS capable versions of their software packages
• Outreach
– Red Hat has fully participated in CSCF MLS outreach efforts
– Red Hat has directed potential customers to CSCF
POC: Shawn Wells, [email protected]
Altair
• PBS Professional Resource Management
  – Queuing system with many tuning parameters
  – Queuing management allowing minimum wait time and maximum system utilization
  – Multi-system management and queue sharing
  – Remote job submittals
  – MLS capable
    • Branch until 4th quarter 2015
• Installed on all CSCF MLS HPC and Utility systems
POC: Kirk Monroe, [email protected]
Seagate/Xyratex
• Created MLS Lustre file system
• Integrated into their MLS Secure Data Appliance (SDA)
  – Based on ClusterStor product
  – Uses CSCF MLS RHEL OS baseline
  – Extensible to multi-petabytes per rack
• Hadoop
  – Demonstrating capability October 2014
  – Showing 30% faster response over non-Lustre configurations
• ICD 503 certified
• Two systems in place at CSCF
  – Centralizing user home directories and large R&D data sets
• Customer SE Support
  – Multiple customers
POC: Bill Downer, [email protected]
Filius, RPI Consulting, CSC
• LMC working with Filius and RPI Consulting to build and provide the following training courses:
  – RHEL MLS Installation, configuration, and testing
    • First class in July is complete
    • Additional classes planned for later this year
  – RHEL MLS Configuration Administration
    • Course outline and materials complete
    • First class TBD
  – RHEL MLS Security Accreditation and Administration
    • Course outline complete, materials in progress
    • First class TBD
  – MLS Aware Database Installation and Use
    • Course outline complete
    • First class TBD
POC: John Gulick, [email protected]
Bay Microsystems
• Global high-performance Fabric Extension
– Including Long-haul InfiniBand (IB) and RDMA
– Global clustering of CloudStor data centers
– Sharing MLS SDA CloudStor data to all local & remote systems
– Demonstrations
• Full motion video stream via Pixia from MLS SDA to work station
– Simulating east coast to west coast
• Data sharing for home directories and work directories
• Supporting both SC14 and GEOINT MLS demonstrations
• CSCF in process of installing capability
POC: Gerry Jankauskas, [email protected]
Mellanox
• Native MLS extended attributes in IB protocol
– Beta demonstration in September 2015
– Final capability at SC15 mid-November 2015
• Cluster configuration implications
– MLS cluster configurations become much easier
• No need for TCP/IP over IB to carry MLS labels
POC: Alex Neefus, [email protected]
Splunk
• System monitoring and audit reduction
• Splunk came SELinux compliant
• Provides
– Centralized monitoring capabilities
– SELinux audit log reduction and warning capabilities
• Worked straight out of the box
– CSCF evaluating multiple other plug-in capabilities
POC: Katy and Pam, [email protected]
Crunchy Data Systems
• Postgres expert company serving DoD / IC with Committer and Major Contributors to Postgres Project on team
• Developing Postgres Security Enhancements (Row Level Security, fine grain permissions and auditing) with open source community under IC community contract
• Developing implementation of Postgres using RLS to integrate with SELinux to meet MLS requirements
• Demonstrations
– Working with ViON and Seagate re JCDX capability
– Working with ViON re Enterprise Challenge 2015 (EC15) capability
– Working with CSCF to demonstrate an MLS database for use with 3-4 CSCF user groups
POC: Bob Laurence, [email protected]
ViON
• Providing customer integration support for demonstrations
  – Enterprise Challenge 2015
    • LOE leading up to EC 15
  – MLS Postgres
    • Supporting AF, Navy, and other customers
• Customer SE support
  – Multiple AF projects
  – Multiple NGA projects
  – Multiple IC customers
  – Multiple Army customers
  – Reseller for Xyratex/Seagate SDA at CSCF and cleared engineering support
POC: Mike Meister, [email protected]
SGI
• Supported Single System Image development and ICD 503 certification
– Working to get MLS Message Passing Toolkit (MPT) working
• Will reduce MPI communications overhead by at least 10%
• Demonstrations
– Working to support SC14 MLS demonstration
– Planning to support GEOINT demonstration
• Eight systems installed at CSCF
POC: Mark Carhart, [email protected]
Cray
• Supporting development of MLS RHEL Cluster configuration
  – Basic configuration complete including PBS Pro and direct attached storage
– Installing Seagate/Xyratex SDA for integration verification
– Proceeding with security hardening and testing
• Demonstrations
– Supporting DoD Mod Office demonstration
– Planning to participate in GEOINT MLS demonstration
POC: Louis Hackerman, [email protected]
DoE LANL
• Working with CSCF to deploy MLS cluster configuration
– IC support area
• Working to deploy MLS configurations for Q level processing
– Consolidate section servers
– About 30k cores
• Procured MLS SDA ClusterStor for evaluation
– CSCF providing system MLS configurations
POC: Gary Grider, [email protected]
DoD HPCMO
• Planning an MLS Cluster configuration based on CSCF configuration
  – Including direct attached and MLS SDA ClusterStor demo
  – Testing and evaluation for software products not already tested at CSCF completed
  – Evaluating additional options to configure current systems with the MLS capability
POC: Jeff Gosciniak, [email protected]