UNCLASSIFIED
AFTAC Review
Shawn Wells (shawn@redhat.com / wellshaw@nro.ic.gov), Red Hat Public Sector
A presentation at AFTAC/RedHat Offsite in February 2013 in Melbourne, FL, USA by Shawn Wells
Challenges
• Technology integration with the Intelligence Community
  - Cloud hosting → NSA MACHINESHOP / "IC GovCloud"
  - Data standards → DoD Discovery Metadata Specification (DDMS)
  - Sharing → Distributed Common Ground System IC (DCGS-IC)
• Organizational integration with the Ground Enterprise Directorate
  - Partnership with DODCS for dynamic, on-demand HPC to generate Phase 0 reporting
• Collaboration with the DAA/ISSM to baseline next-generation technologies
  - Operate under DoDIIS accreditation policies and procedures
  - Certification & Accreditation reciprocity for DoD and IC ATOs
• Technology training
  - Shift to integration services; cloud providers handle the infrastructure
Intelligence Community Cloud Integration
• NSA MACHINESHOP providing Intelligence Community hosting
  - Handles scalability, elasticity and availability requirements for tenants
  - Running the Red Hat KVM hypervisor, managed through OpenStack
• LS providing on-premise AFTAC hosting
  - Requested through the POWER process
  - Running the Xen hypervisor, managed through Citrix
• (future) MOOSE
  - Developed through QinetiQ as the next-generation architecture
  - Designed for the ESXi hypervisor, managed through VMware vCenter
IT As Manufacturing
Consolidated Aircraft B-24 Liberator: incredibly sophisticated, ~500K parts, assembled by unskilled labor. There was no manufacturing process; parts were cast in rubber molds, so every part was different. Ford Motor Co. brought a manufacturing process and went from 250 planes per year to 650 planes per month. Standardization remains our current challenge.
The stack (top to bottom):
• Application
• Application Platforms
• Operating System
• Virtualization
• Hardware
• Storage
Target environments: MACHINESHOP (IC Classified) / C2S (IC Commercial), and On-Premise (VMware, Xen, KVM, Bare Metal).
1. The IaaS provider generates the operating system images (OS IMAGE).
2. SELinux subdivides the available computing resources, using technology co-developed with the NSA.
3. Application Widget: the developer creates an "application widget," which defines the application manufacturing process.
Application Widget Refresh
Integrating with Ground Enterprise Directorate (GED)
• HPC resources available through dynamic provisioning (private NRO GED cloud)
  - Resources available remotely for operations, prototypes, experiments, and disadvantaged users
  - Dynamic resource pooling
  - Currently accepting initial workloads
• Classified Testbed
  - 1x SGI UV100, Intel Xeon Nehalem, 256 cores, >1 TFLOPS peak
  - 10x TILEmpower boards, Tilera TILEPro64, 640 cores, >4 TFLOPS peak
  - 3x Tesla 2050s, Nvidia Fermi GPUs, 5376 cores, >4 TFLOPS peak
• Unclassified Testbed
  - 1x SGI UV100, Intel Xeon Nehalem, 128 cores
  - 10x TILEmpower boards, Tilera TILEPro64, 640 cores
  - 3x Tesla 2050s, Nvidia Fermi GPUs, 5376 cores
  - Commodity x86 cluster, Intel Xeon Clovertown, 80 cores
Intelligence Data Sharing
DCGS-IC System Architecture (diagram)
• Client node (web browser, Google Earth client) sits behind a Security Gateway at the node boundary
• Web UI framework, workspace manager, KML export, 2D situation awareness (WMS/WFS); UI, business-logic and data-access components
• Content discovery layers, all CD 1.3 compliant: Content Discovery Wrapper (CDW), Content Discovery Engine (CDE), Enterprise Content Discovery (eCD)
• Metadata: DDMS (DoD Discovery Metadata Specification, incl. IC ISM) feeding the DIB Metadata Catalog (MDC); NCES content discovery and UDDI
• Enterprise services: rules engine, format translation, emitter correlation, faceted filtering, mashup engine, syndication manager (RSS/GeoRSS), alert management and subscription, system health and status, metrics service
• External systems reached through Security Gateways: SIGINT, IMINT, MASINT, HUMINT and OPIR sources, IPLs, exploited and multi-INT imagery, chat (Chat Surfer, ICES), GeoTagger and chipping services, AFWA, ONI, MIDB and other DCGS nodes
• Foundation layer: Virtualization, Security, OS, A&A
Intelligence Community Data Standards
• DoD Discovery Metadata Specification (DDMS)
  - Defines discovery metadata elements for all resources posted to community and organizational shared spaces
  - Mandated by DCGS; powers the metadata catalog and the DCGS Integration Backbone (DIB)
  - Integrates with the IC Trusted Data Format (TDF); supports:
    · IC-TDF
    · Information Security Metadata
    · Need-to-Know
    · IC-Commons
  - http://metadata.ces.mil/dse/irs/DDMS/
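The security-relevant consequence of carrying IC ISM markings inside DDMS records is that the catalog, not the consumer, can enforce classification and need-to-know before a search result is released. The following is an added example, not code from the presentation, DCGS or the DDMS project: it parses a constructed DDMS-style catalog and applies a fail-closed dominance check plus a NOFORN dissemination check. The namespace URIs and the ddms:security / ism:classification / ism:ownerProducer / ism:disseminationControls names are assumptions modelled on the public DDMS 4.x and IC ISM schemas; bind to the schema version your catalog actually mandates.

```python
# Added example, not from the presentation: an ISM-marking filter over
# DDMS-style discovery metadata, the check a catalog should apply before a
# search result reaches a user. Namespace URIs and attribute names below
# are assumptions modelled on the public DDMS 4.x / IC ISM schemas.
import xml.etree.ElementTree as ET

DDMS_NS = "http://metadata.dod.mil/mdr/ns/DDMS/4.1/"  # assumed
ISM_NS = "urn:us:gov:ic:ism"                          # assumed
NS = {"ddms": DDMS_NS, "ism": ISM_NS}

# Dominance order for ISM classification values; anything else is unknown.
CLASS_RANK = {"U": 0, "C": 1, "S": 2, "TS": 3}

# Constructed sample catalog: a marked U record, a marked S/NOFORN record,
# and a legacy record with no ddms:security element at all.
SAMPLE_CATALOG = f"""<catalog xmlns:ddms="{DDMS_NS}" xmlns:ism="{ISM_NS}">
  <ddms:resource>
    <ddms:identifier ddms:qualifier="urn:example:id" ddms:value="res-001"/>
    <ddms:title ism:classification="U" ism:ownerProducer="USA">Seismic event summary</ddms:title>
    <ddms:security ism:classification="U" ism:ownerProducer="USA"/>
  </ddms:resource>
  <ddms:resource>
    <ddms:identifier ddms:qualifier="urn:example:id" ddms:value="res-002"/>
    <ddms:title ism:classification="S" ism:ownerProducer="USA">Phase 0 report</ddms:title>
    <ddms:security ism:classification="S" ism:ownerProducer="USA"
                   ism:disseminationControls="NOFORN"/>
  </ddms:resource>
  <ddms:resource>
    <ddms:identifier ddms:qualifier="urn:example:id" ddms:value="res-003"/>
    <ddms:title>Unmarked legacy record</ddms:title>
  </ddms:resource>
</catalog>
"""


def _ism(elem, name):
    """Read a namespaced ISM attribute, or None if the element/attr is absent."""
    if elem is None:
        return None
    return elem.get(f"{{{ISM_NS}}}{name}")


def parse_catalog(xml_text):
    """Return one dict per ddms:resource with the fields the filter needs."""
    root = ET.fromstring(xml_text)
    records = []
    for res in root.findall("ddms:resource", NS):
        ident = res.find("ddms:identifier", NS)
        sec = res.find("ddms:security", NS)
        controls = _ism(sec, "disseminationControls") or ""
        records.append({
            "id": ident.get(f"{{{DDMS_NS}}}value") if ident is not None else None,
            "classification": _ism(sec, "classification"),
            "owner": _ism(sec, "ownerProducer"),
            "dissem": set(controls.split()),   # ISM list attributes are space-separated
        })
    return records


def may_view(user, record):
    """Fail closed: unmarked or unknown markings are never released."""
    clearance = user.get("clearance")
    marking = record["classification"]
    if clearance not in CLASS_RANK or marking not in CLASS_RANK:
        return False
    if CLASS_RANK[clearance] < CLASS_RANK[marking]:
        return False
    # Need-to-know / dissemination: NOFORN is only releasable to US persons.
    if "NOFORN" in record["dissem"] and not user.get("us_person", False):
        return False
    return True


def visible_ids(user, xml_text=SAMPLE_CATALOG):
    """IDs of catalog records the user may see, in catalog order."""
    return [r["id"] for r in parse_catalog(xml_text) if may_view(user, r)]


if __name__ == "__main__":
    print(visible_ids({"clearance": "U", "us_person": True}))    # ['res-001']
    print(visible_ids({"clearance": "TS", "us_person": False}))  # ['res-001']
    print(visible_ids({"clearance": "S", "us_person": True}))    # ['res-001', 'res-002']
```

The point worth carrying into a real catalog is the fail-closed branch: a record whose ddms:security element is missing, or whose classification value is not one the filter recognises, is withheld even from a TS user. Legacy records without markings are a data-quality problem to fix at ingest, not something the query path should paper over.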
Ozone Widget Framework
Fused Product Generation
Security
Security: the NIST Risk Management Framework cycle
1. CATEGORIZE (FIPS 199 / SP 800-60)
2. SELECT CONTROLS (FIPS 200 / SP 800-53)
3. IMPLEMENT CONTROLS (SP 800-70)
4. ASSESS CONTROLS (SP 800-53A)
5. AUTHORIZE (SP 800-37)
6. MONITOR (SP 800-37 / SP 800-53A)