Data Centric MLS RHEL Ecosystem


In this deck from the 2015 PBS Works User Group, Sarah Storms from Lockheed Martin presents: A New Multi-Level Security Initiative.

"Historically cyber security in HPC has been limited to detecting intrusions rather than designing security from the beginning in a holistic, layered approach to protect the system. SELinux has provided the needed framework to address cyber security issues for a decade, but the lack of an HPC and data analysis eco-system based on SELinux and the perception that the resulting configuration is “hard” to use has prevented SELinux configurations from being widely accepted. This presentation will discuss the eco-system that has been developed and certified, debunk the “hard” perception, and illustrate approaches for both government and commercial applications. The presentation includes discussions on SELinux architecture and features, Altair PBS Professional Queuing System, Scale-out Lustre Storage, Applications Performance on SELinux (Vectorization and Parallelization), Relational Databases, and Security Functions (Auditing and other Security Administration actions)."

Published in: Technology

  1. CSCF UNCLASSIFIED UNCLASSIFIED © 2015 Lockheed Martin Corporation. All Rights Reserved.
     Data Centric MLS RHEL Ecosystem
     Sarah Storms
     Altair PBS User Group 201509
  2. Agenda
     • Data-centric MLS RHEL
     • Historical Perspective
     • Ecosystem Description
  3. Data-Centric MLS RHEL
     • In a sentence:
       – Data, processes, users, etc. are given a security label commensurate with their security level
     • Security Label Application
       – Networks
         • Data and users arriving on a particular network are labeled at the level of the network
       – Users
         • Users are labeled based on the network they are arriving on
         • Some exceptions allowed for compartments
       – Data, Objects and Processes
         • Data, objects, and processes are labeled based on the security label of the user or process that created them
  4. Data-Centric MLS RHEL • Labeling Parts Summary Definition of Security Labeling Sensitivity Levels Compartments S15 C0 Used to be special, unused today. S14 C1 Look Down/Pull Up for UNCLASSIFIED/ITAR S13 C2 S12 C3 S11 TS SCI Compartment C4 S10 TS SCI ST C5 S9 C9-C99 Reserved for DoD and Coalition countries. S8 S7 DoD TS/SAP/SAR C100-C200 DoD S, DoD TS SAP/SAR caveats S6 DoD TS C201-C299 SCI RV World Caveats S5 DoD S/SAP/SAR C300-C399 C300-C350 for Coalition Share Points or Bi- and Tri- Lateral sharing, e.g. NATO, SEATO, etc. S4 DoD S C400-C499 S3 C500-C599 Compartmented Caveats S2 C600-C699 S1 Unclassified C700-C799 S0 Special Unclassified C800-C899 C900-C999 C1000-C1023
  5. Data-Centric MLS RHEL • Security Labels Sensitivity Compartments UNCLASSIFIED S1 UNCLASSIFIED/ITAR S1 C1 Using DAC owned by Admin to separate ITAR projects DoD NF USA OTC 1 OTC 2 OTC 3 OTC 4 DoD S S4 C1,C9.C99 C9 C10 C11 C12 C13 DoD TS S6 C1,C9.C99 C9 C10 C11 C12 C13 Bi- and Tri-lateral agreements, separate logins labels add C300-C399 where C3xy labels are associated with agreements. Gov/CSCF N World D WRLD A D WRLD B D WRLD C D WRLD D D WRLD E DoD S/SAP/SAR S5 C1,Cy C1,C9.C99,C101,C103.C199 C1,C9.C99,C102 C1,C9.C99,C103 C1,C9.C99,C104 C1,C9.C99,C105 C1,C9.C99,C106 C1,C9.C99,C107 DoD TS/SAP/SAR S7 C1,Cy C1,C9.C99,C101,C103.C199 SCI NF REL FVEY USA OTC 1 OTC 2 OTC 3 OTC 4 TS SCI S10 C1,C9.C99 C9.C13 C9.C13 C9.C13 C9.C13 C9.C13 C9.C13 T Type K Type R Type ? Type TS SCI RV World S10 C1,Cy C1,C9.C99,C201 C1,C9.C99,C202 C1,C9.C99,C203 C1,C9.C99,C204 Hallway R World T World B World ? World Fusion Program TS SCI Compartment S11 C1,C9.C99,Cy C1,C9.C99,C500.C503 C1,C9.C99,C501 C1,C9.C99,C502 C1,C9.C99,C503 C1,C9.C99,C? C1,C9.C99,C500.C502,C504,Cy y=201-299
  6. Government Application
     [Diagram labels: Non-MLS Operating Picture (Analyst Workstations; HPC Servers and Storage); MLS Operating Picture (MLS Analyst Workstation; Department or HPC Server; Secure Data Appliance); level markings U, S, TS]
     Consolidates hardware and enables analyst driven data fusion
  7. Commercial Application
     Pre-MLS System Configuration
     [Diagram labels: Retail Store; Credit Card Processing, PII, Approvals; “Bad Guy” Egress Point; Internet; Network Access Table (assumes firewalls in place); legend: Unencrypted, Encrypted]
  8. Commercial Application
     MLS System Configuration
     [Diagram labels: Retail Store; Credit Card Processing; PoS Interactions; S1, S2, S3, S4; Store 1 Apps; Store 2 Apps; MLS Database; Credit Card 1 Apps; Credit Card 2 Apps; Other Company Processing; Inventory, etc. Apps; Internet; Network Access Table (assumes firewalls in place); legend: Unencrypted, Encrypted]
     RHEL MLS Configuration Benefits
     - RBAC – limits insider threat
     - MLS – isolates functions to limit damage
     - Encryption – eliminates egress points for Trojans
  9. Historical Perspective
     • The CSCF program has leveraged data-centric MLS OS configurations for the last 20+ years
       – Minimize hardware, licensing, OS configuration, manpower costs
       – Maximize flexibility, data fusion, system utilization
     • MLS requires a full ecosystem to be truly useful
       – OS configuration
       – Resource management
       – Direct and Network attached storage
         • Including long haul data sharing
       – System Monitoring including audit reduction
       – Databases
  10. MLS Partners
     Current Capabilities
     • LMC/CSCF/WF
     • Red Hat
     • Altair
     • Seagate/Xyratex
     • Mellanox
     • ViON
     • Bay Microsystems
     • SGI
     • Cray
     • DoE LANL
     • DoD HPCMO
     • Splunk
     Current Capabilities
     • Crunchy Data Systems
     • Filius
       – RPI Consulting
       – CSC
  11. CSCF Capabilities and Path Forward
     • ICD 503 Certification for Ecosystem
       – Running at CSCF in operations
       – Classified tours and demonstrations available
     • System configurations
       – Single System Image RHEL 6.5+ under ICD 503
       – Cluster Configuration RHEL 6.5+ under IATT
     • Direct attached RAID
       – Under xfs, EXTx, (others also handle MAC) is ICD 503 certified
     • Configuration Management
       – SCAP through open source
         • OVAL will be added for mitigation after training
       – Subversion
         • Privileged User Guide (PUG)
         • Specialized scripting
  12. LMC Capabilities and Path Forward
     • Configuration Objective
       – Provide SCAP profile, SVN repositories, and PUG to allow easy builds of unclassified CSCF configurations
         • Support vendor unclassified debugging of CSCF problems
         • Support new government customer interest in MLS to consolidate rather than duplicate
     • MLS Ecosystem Objective
       – Provide MLS capable versions of software capabilities integrated with the MLS RHEL configuration to solve complex system configuration and support problems
     • Unified Cross Domain Services Management Office (UCDSMO) Engagement
       – LMC/CSCF will be coordinating
     POC: Joe Swartz
  13. Red Hat
     • Red Hat has worked closely with CSCF to ensure that all capabilities are included in the RHEL product
       – Fixed SELinux and MLS policy issues as identified
       – Added new or modified capabilities as requested
       – Supported documentation
       – Supported Government security meetings as needed
       – Fully supported other vendors as they created MLS capable versions of their software packages
     • Outreach
       – Red Hat has fully participated in CSCF MLS outreach efforts
       – Red Hat has directed potential customers to CSCF
     POC: Shawn Wells
  14. Altair
     • PBS Professional Resource Management
       – Queuing system with many tuning parameters
       – Queuing management allowing minimum wait time, maximize system utilization
       – Multi-system management and queue sharing
       – Remote job submittals
       – MLS capable
         • Branch until 4th quarter 2015
         • Installed on all CSCF MLS HPC and Utility systems
     POC: Kirk Monroe
  15. Seagate/Xyratex
     • Created MLS Lustre file system
     • Integrated into their MLS Secure Data Appliance (SDA)
       – Based on ClusterStor product
       – Uses CSCF MLS RHEL OS baseline
       – Extensible to multi-petabytes per rack
     • Hadoop
       – Demonstrating capability October 2014
       – Showing 30% faster response over non-Lustre configurations
     • ICD 503 certified
     • Two systems in place at CSCF
       – Centralizing user home directories and large R&D data sets
     • Customer SE Support
       – Multiple customers
     POC: Bill Downer
  16. Filius, RPI Consulting, CSC
     • LMC working with Filius and RPI Consulting to build and provide the following training courses:
       – RHEL MLS Installation, configuration, and testing
         • First class in July is complete
         • Additional classes planned for later this year
       – RHEL MLS Configuration Administration
         • Course outline and materials complete
         • First class TBD
       – RHEL MLS Security Accreditation and Administration
         • Course outline complete, materials in progress
         • First class TBD
       – MLS Aware Database Installation and Use
         • Course outline complete
         • First class TBD
     POC: John Gulick
  17. Bay Microsystems
     • Global high-performance Fabric Extension
       – Including Long-haul InfiniBand (IB) and RDMA
       – Global clustering of CloudStor data centers
       – Sharing MLS SDA CloudStor data to all local & remote systems
       – Demonstrations
         • Full motion video stream via Pixia from MLS SDA to work station
           – Simulating east coast to west coast
         • Data sharing for home directories and work directories
         • Supporting both SC14 and GEOINT MLS demonstrations
     • CSCF in process of installing capability
     [Chart values, labels not recoverable: 2,798.33 min; 6,898.33 min; 14.18 min; 15.50 min; 46.63 hours; 116.63 hours]
     POC: Gerry Jankauskas
  18. Mellanox
     • Native MLS extended attributes in IB protocol
       – Beta demonstration in September 2015
       – Final capability at SC15 mid-November 2015
     • Cluster configuration implications
       – MLS cluster configurations become much easier
         • No need for TCP/IP over IB to carry MLS labels
     POC: Alex Neefus
  19. Splunk
     • System monitoring and audit reduction
     • Splunk came SELinux compliant
     • Provides
       – Centralized monitoring capabilities
       – SELinux audit log reduction and warning capabilities
     • Worked straight out of the box
       – CSCF evaluating multiple other plug in capabilities
     POC: Katy and Pam
  20. Crunchy Data Systems
     • Postgres expert company serving DoD / IC with Committer and Major Contributors to Postgres Project on team
     • Developing Postgres Security Enhancements (Row Level Security, fine grain permissions and auditing) with open source community under IC community contract
     • Developing implementation of Postgres using RLS to integrate with SELinux to meet MLS requirements
     • Demonstrations
       – Working with ViON and Seagate re JCDX capability
       – Working with ViON re Enterprise Challenge 2015 (EC15) capability
       – Working with CSCF to demonstrate MLS database for use with 3-4 CSCF user groups
     POC: Bob Laurence
  21. ViON
     • Providing customer integration support for demonstrations
       – Enterprise Challenge 2015
         • LOE leading up to EC 15
       – MLS Postgres
         • Supporting AF, Navy, and other customers
     • Customer SE support
       – Multiple AF projects
       – Multiple NGA projects
       – Multiple IC customers
       – Multiple Army customers
       – Reseller for Xyratex/Seagate SDA at CSCF and cleared engineering support
     POC: Mike Meister
  22. SGI
     • Supported Single System Image development and ICD 503 certification
       – Working to get MLS Message Passing Toolkit (MPT) working
         • Will reduce MPI communications overhead by at least 10%
     • Demonstrations
       – Working to support SC14 MLS demonstration
       – Planning to support GEOINT demonstration
     • Eight systems installed at CSCF
     POC: Mark Carhart
  23. Cray
     • Supporting development of MLS RHEL Cluster configuration
       – Basic configuration complete including PBS Pro and direct attached storage
       – Installing Seagate/Xyratex SDA for integration verification
       – Proceeding with security hardening and testing
     • Demonstrations
       – Supporting DoD Mod Office demonstration
       – Planning to participate in GEOINT MLS demonstration
     POC: Louis Hackerman
  24. DoE LANL
     • Working with CSCF to deploy MLS cluster configuration
       – IC support area
     • Working to deploy MLS configurations for Q level processing
       – Consolidate section servers
       – About 30k cores
     • Procured MLS SDA ClusterStor for evaluation
       – CSCF providing system MLS configurations
     POC: Gary Grider
  25. DoD HPCMO
     • Planning an MLS Cluster configuration based on CSCF configuration
       – Including direct attached and MLS SDA ClusterStor demo
       – Testing and evaluation for software products not already tested at CSCF completed
       – Evaluating additional options to configure current systems with the MLS capability
     POC: Jeff Gosciniak
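
The labels on slides 3 to 5 combine a sensitivity (S0-S15) with a compartment set, and entries such as C1,C9.C99 use the SELinux MLS convention that a dot marks a range. The following is an added example, not part of the deck or of any CSCF configuration: it parses such labels and compares them by dominance. The `s4:c1,c9.c99` colon form is standard SELinux notation rather than something shown on the slides, and the function names and the choice of sample labels are assumptions.

```python
# Added example (not from the deck): SELinux-style MLS level parsing and dominance.
import re

MAX_SENS, MAX_CAT = 15, 1023  # ranges shown on slide 4: S0-S15, C0-C1023

def parse_level(text):
    """Turn 'S4:C1,C9.C99' into (4, frozenset({1, 9, 10, ..., 99}))."""
    sens_part, _, cat_part = text.strip().lower().partition(":")
    m = re.fullmatch(r"s(\d+)", sens_part)
    if not m or int(m.group(1)) > MAX_SENS:
        raise ValueError(f"bad sensitivity in {text!r}")
    cats = set()
    for item in filter(None, cat_part.split(",")):
        r = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)  # 'c9.c99' is a range
        if not r:
            raise ValueError(f"bad category {item!r} in {text!r}")
        lo = int(r.group(1))
        hi = int(r.group(2)) if r.group(2) else lo
        if lo > hi or hi > MAX_CAT:
            raise ValueError(f"category out of range in {text!r}")
        cats.update(range(lo, hi + 1))
    return int(m.group(1)), frozenset(cats)

def relation(a, b):
    """Compare two levels: 'equal', 'dominates', 'dominated' or 'incomparable'."""
    (sa, ca), (sb, cb) = parse_level(a), parse_level(b)
    if sa == sb and ca == cb:
        return "equal"
    if sa >= sb and ca >= cb:   # sensitivity at least as high AND superset of categories
        return "dominates"
    if sa <= sb and ca <= cb:
        return "dominated"
    return "incomparable"       # each side lacks something the other holds

def may_read(subject, obj):
    """Read-down rule of the MLS model: the subject's level must dominate the object's."""
    return relation(subject, obj) in ("equal", "dominates")

# Sample labels built from values on slide 5 (pairing read from the flattened table).
DOD_S, DOD_TS = "S4:C1,C9.C99", "S6:C1,C9.C99"
SAP_A, SAP_B = "S5:C1,C9.C99,C102", "S5:C1,C9.C99,C103"  # differ in one compartment

if __name__ == "__main__":
    print(relation(DOD_TS, DOD_S))    # higher sensitivity, same compartments
    print(relation(SAP_A, SAP_B))     # same sensitivity, disjoint extra compartment
    print(may_read(DOD_TS, SAP_A))    # S6 is higher than S5 but lacks C102
```

A deployed SELinux MLS policy adds its own constraints and exceptions on top of plain dominance, so this shows the labeling model only.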