ESPDS Scalable and Secure Infrastructure
Ensuring the NOAA/NESDIS Environmental Satellite Processing and Distribution Capabilities Meet the Growing User and Data Demands of Today and Tomorrow
Rich Baker, Solers, Inc., ESPDS Development Chief Architect
2013 AMS Annual Meeting
What is ESPDS?
● ESPDS: Environmental Satellite Processing and Distribution System
● Developed by the NESDIS Office of Systems Development (OSD), with Solers (“Team Solers”) as the development contractor
● Will be operated by the NESDIS Office of Satellite and Product Operations (OSPO)
● Modernizes the NESDIS Environmental Satellite Processing Center (ESPC)
● Single enterprise solution that meets the needs of existing (legacy), Suomi NPP, JPSS, and GOES-R missions, with scalability to meet future environmental satellite needs
● No more stovepipes!
● Includes modernization of the Ingest, Product Generation (PG), Product Distribution (PD), and Infrastructure segments of the ESPC
● Provides environmental satellite data and services to a growing user community including:
  ● NOAA Line Offices (NWS, NMFS, NOS, NIC, NESDIS, etc.)
  ● DoD (AFWA, NAVO, etc.)
  ● Other U.S. and international users (government agencies, universities, foreign partners, etc.)
● Will be implemented at the primary and backup ESPC sites:
  ● Primary ESPC site is the NOAA Satellite Operations Facility (NSOF) in Suitland, MD
  ● Future ESPC backup site is the Consolidated Back-Up (CBU) facility in Fairmont, WV
● Provides a scalable and secure infrastructure as a foundational building block upon which all other system functions reside
© 2013 Solers, Inc.
Traits of a Scalable Infrastructure
● No Single Point of Failure
  ● Redundancy and fault tolerance as key design tenets throughout
● Line Replaceable Units
  ● Can upgrade or replace existing hardware and software components without impacting operational availability
● Business Process Flexibility and Extensibility
  ● Can change existing business processes within the system, and integrate new business processes into the system, without impacting operational availability
● Horizontal Scalability
  ● Can add additional hardware resources (computing, network, storage) and software business processing instances without impacting operational availability
Traits of a Secure Infrastructure
● Complies with applicable IT security policies, procedures, and controls:
  ● NIST SP 800-53
  ● DOC/NOAA IT Security Handbook
  ● Center for Internet Security (CIS) Benchmarks
  ● DISA STIG
  ● Etc.
● Provides a “defense-in-depth” foundation for securing the system that includes:
  ● Network security
  ● Centralized identity/account management, authentication, and authorization
  ● Host-based intrusion detection and prevention
  ● Anti-malware
  ● Integrated monitoring, logging, and reporting (Security Incident and Event Management [SIEM])
ESPDS Scalable and Secure Infrastructure (architecture diagram)
● Converged 10Gb IP Networking: includes switches, firewalls, and Network IDS components (Cisco)
● Virtualized Computing Cluster: scalable x86 hardware cluster that hosts the distribution and access, PG management, common infrastructure, and other services as Virtual Machines (VMs)
● Product Generation Computing Cluster: scalable x86 hardware cluster that leverages a grid computing scheduler to perform PG algorithm execution and report applicable status/metrics
● Satellite Ingest Computing Cluster: scalable x86 hardware cluster with specialized adapters to interface with satellite antenna systems and perform RF/IF to IP conversion of the data
● Enterprise Shared Storage: enterprise Network Attached Storage (NAS) solution with standard IP-based file access protocols (NFS, CIFS, HTTP, FTP); scale-out NAS solution (EMC Isilon)
● Common Infrastructure Services: Identity/Account Management, HIDS, Anti-Malware/HIPS, Network Management, Resource Management, Communications Framework, Logging & Reporting, Monitoring, Database, Data Intake & Transmission, Scheduling, System Backup
● External data providers: Legacy GOES, Legacy POES, Future Missions, Suomi NPP and JPSS (via IDPS), GOES-R GS PD, Non-NOAA Satellites (MSG, MTSAT, INSAT), Ancillary Data Providers
● External data users: NOAA Line Offices, DoD, CLASS, Other U.S. and International Users, Ancillary Data Users (PG Systems)
Common Infrastructure Services
● The following slides provide an overview of the Common Infrastructure Services depicted in the previous diagram:
  ● Resource Management
  ● Communications Framework
  ● Logging & Reporting
  ● Monitoring
  ● Identity/Account Management
  ● HIDS
  ● Anti-Malware/HIPS
  ● Network Management
  ● Database
  ● Data Intake & Transmission
  ● Scheduling
  ● System Backup
Resource Management
● Technologies Used
Communications Framework
● Technologies Used
  ● WSO2 ESB and Application Server
  ● Apache ActiveMQ Java Message Service (JMS) Broker
  ● Red Hat Linux Virtual Server (LVS) Load Balancer
Communications diagram: external parties (GOES-R GS PD WS Client, Other System WS Client, PDA Service, other (S)FTP(S) clients and servers, and User/Operator/Admin) reach ESPDS through Load Balancers; inside ESPDS the Portal, (S)FTP(S) Server and Client VMs, a redundant ESB and JMS Broker pair, and ESPDS Services hosted on Application Server VMs exchange messages. Protocols shown: SOAP over HTTP(S), SOAP over JMS 1.1, HTTPS, and (S)FTP(S).
Logging & Reporting
● Technologies Used
  ● Tripwire Log Center
  ● Rsyslog (Linux-based syslog client)
  ● Windows Management Instrumentation (WMI)
Log sources feeding Logging & Reporting (Tripwire Log Center), with the collection path for each (diagram):
● Red Hat Enterprise Linux: Linux OS logs (Rsyslog)
● Microsoft Windows: Windows Event logs (WMI)
● Directory Server (Microsoft Active Directory): Windows Event logs (WMI)
● Resource Management (VMware vCenter): vCenter, ESXi, Resource Coordinator, and Red Hat Repository logs (WMI)
● Data Intake/Data Transmit ([S]FTP[S] Server/Client): Apache SSHD/FTPD logs (Rsyslog)
● Communications Framework (WSO2, ActiveMQ, Red Hat LVS): WSO2 ESB, WSO2 AS, and Red Hat LVS logs (Rsyslog)
● Other Java Components (e.g., Subscription, Product Tailoring, Ad-Hoc search): custom Java service logs (Rsyslog)
● User Portal: web server logs (Rsyslog)
● Administrator Portal
● Monitoring (SolarWinds Orion): SolarWinds Orion logs (WMI)
● Database (Oracle RDBMS): Oracle logs (Rsyslog)
● Computing HW (Cisco UCS): firmware logs (Syslog)
● Layer 3 Switch (Cisco): firmware logs (Syslog)
● SAN Storage (EMC VNX): firmware logs (Syslog)
● NAS Storage (Isilon): firmware logs (Syslog)
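As an added illustration (not ESPDS or Tripwire Log Center code) of the two collection paths on this slide, the script below normalizes constructed Rsyslog lines from a Linux sshd and constructed Win32_NTLogEvent records from a Windows domain controller into one schema and one timeline, then produces the kind of cross-platform report a SIEM gives (failed logons per account). The year applied to the classic syslog timestamps and the simplified InsertionStrings layout are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: syslog lines as Rsyslog forwards them from the Linux components (Apache SSHD here).
RSYSLOG_LINES = [
    "Jan 24 10:15:02 ingest01 sshd[2211]: Failed password for invalid user test from 10.1.2.3 port 50122 ssh2",
    "Jan 24 10:15:05 ingest01 sshd[2211]: Failed password for invalid user test from 10.1.2.3 port 50123 ssh2",
    "Jan 24 10:15:09 ingest01 sshd[2215]: Accepted publickey for operator1 from 10.1.2.40 port 50200 ssh2",
]
# Constructed sample: Windows Security events as a WMI query of Win32_NTLogEvent returns them.
# InsertionStrings are simplified to [account, source address]; real 4624/4625 records carry more fields.
WMI_EVENTS = [
    {"TimeGenerated": "20130124101504.000000-000", "ComputerName": "DC01",
     "EventCode": 4625, "InsertionStrings": ["test", "10.1.2.3"]},
    {"TimeGenerated": "20130124101520.000000-000", "ComputerName": "DC01",
     "EventCode": 4624, "InsertionStrings": ["operator1", "10.1.2.40"]},
]
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\w+)\[\d+\]: (.*)$")
SSHD_AUTH_RE = re.compile(r"^(Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+)")

def parse_rsyslog(line, year=2013):
    """Normalize one forwarded syslog line (classic timestamps carry no year); None if unparsable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    event = {"ts": ts, "host": m.group(2), "path": "rsyslog", "event": "other", "msg": m.group(4)}
    auth = SSHD_AUTH_RE.match(m.group(4)) if m.group(3) == "sshd" else None
    if auth:
        event.update(event="auth", outcome="success" if auth.group(1) == "Accepted" else "failure",
                     user=auth.group(2), src_ip=auth.group(3))
    return event

def parse_wmi(rec):
    """Normalize one Win32_NTLogEvent record into the same schema (4625 = failed logon, 4624 = success)."""
    ts = datetime.strptime(rec["TimeGenerated"][:14], "%Y%m%d%H%M%S")
    event = {"ts": ts, "host": rec["ComputerName"], "path": "wmi", "event": "other", "msg": str(rec["EventCode"])}
    outcome = {4624: "success", 4625: "failure"}.get(rec["EventCode"])
    if outcome:
        event.update(event="auth", outcome=outcome, user=rec["InsertionStrings"][0], src_ip=rec["InsertionStrings"][1])
    return event

def unified_timeline(lines, events):
    """One time-ordered event stream from both collection paths, for SIEM-style reporting."""
    rows = [e for e in map(parse_rsyslog, lines) if e] + [parse_wmi(r) for r in events]
    return sorted(rows, key=lambda e: e["ts"])

def failures_by_user(timeline):
    """Cross-platform report: failed authentications per account on Linux and Windows hosts together."""
    return dict(Counter(e["user"] for e in timeline if e["event"] == "auth" and e["outcome"] == "failure"))
```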
Monitoring
● Technologies Used
  ● SolarWinds Orion Network Performance Monitor (NPM) and Application Performance Monitor (APM)
  ● Red Hat Simple Network Management Protocol (SNMP) Agent and Secure Shell (SSH) Server
  ● Windows Management Instrumentation (WMI)
Monitored components (diagram): Red Hat Enterprise Linux, Microsoft Windows, NAS Storage (EMC Isilon), SAN Storage (EMC VNX), Resource Management (VMware vCenter), Data Intake/Data Transmit ([S]FTP[S] Server/Client), Communications Framework (WSO2, Red Hat LVS), Administrator Portal, User Portal, Other Java Components (e.g., Subscription, Product Tailoring, Ad-Hoc search), Computing HW (Cisco UCS), Directory Server (Microsoft Active Directory), Logging and Reporting (Tripwire Log Center), Data Management (Oracle RDBMS), Layer 3 Switch (Cisco)
Measurements collected by SolarWinds Orion, with the protocol used for each:
● I/O data and storage usage (SNMP; SSH)
● Interface status and bandwidth usage (SNMP)
● Blade resource utilization (SNMP)
● Connection status and transfer rate (SNMP)
● VM CPU, memory, and network performance measurements (SNMP)
● Red Hat OS resource and service status (SNMP)
● Microsoft Windows resource and service status (WMI)
● Service/process status and resource allocation (SSH/RMI)
● User statistics (SSH)
● Web interface authentication
Identity/Account Management
● Centralized identity and account management solution
● Manages human user accounts (internal and external users, operators, administrators)
● Manages machine and operating system accounts
● Provides Kerberos and web services-based authentication and authorization services
● Compatible with the NOAA/NESDIS HSPD-12 solution (DoD CAC PIV token, X.509 PKI certificates)
● Technologies Used
  ● Microsoft Active Directory
  ● Centrify
  ● ForgeRock OpenAM
HIDS
● Centralized Host-based Intrusion Detection System (HIDS) solution
● Ensures integrity of critical system and configuration files across the infrastructure, including:
  ● Computing device firmware
  ● Networking device firmware
  ● Storage device firmware
  ● Operating systems
  ● Applications and services
● Technologies Used
  ● Tripwire Enterprise
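As an added illustration (not ESPDS or Tripwire Enterprise code) of what the file-integrity part of a HIDS does, the script below baselines the content hash, permissions, ownership, and size of every file under a directory and then reports what was added, removed, or modified, naming the attributes that drifted. The sample file tree and the tampering in demo() are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def fingerprint(path):
    """Content hash plus the metadata a HIDS also watches (permissions, owner, size)."""
    st = os.lstat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()  # config files are small: read whole
    return {"sha256": digest, "mode": st.st_mode & 0o7777,
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}

def build_baseline(root):
    """Fingerprint every regular file under root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):  # skip symlinks/specials
                baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline

def check_integrity(root, baseline):
    """Re-scan root; report added/removed/changed files, naming drifted attributes (["mode"] for a chmod alone, ["sha256", "size"] for an edit)."""
    current = build_baseline(root)
    findings = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            findings["added"].append(rel)
        elif rel not in current:
            findings["removed"].append(rel)
        elif current[rel] != baseline[rel]:
            drift = sorted(k for k in baseline[rel] if baseline[rel][k] != current[rel][k])
            findings["modified"].append((rel, drift))
    return findings

def demo():
    """Constructed scenario: baseline three config files in a temp dir, then tamper and re-check."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    for rel, text in {"etc/ntp.conf": "server ntp1\n", "etc/sshd_config": "PermitRootLogin no\n", "hosts": "127.0.0.1 localhost\n"}.items():
        (root / rel).write_text(text)
        (root / rel).chmod(0o644)
    baseline = build_baseline(root)
    (root / "etc/sshd_config").write_text("PermitRootLogin yes\n")  # content (and size) change
    (root / "hosts").chmod(0o600)                                  # permission change only
    (root / "etc/ntp.conf").unlink()                               # removed
    (root / "etc/new.conf").write_text("unexpected\n")             # added
    return check_integrity(root, baseline)
```

In a real deployment the baseline is kept (and signed) on the central HIDS server rather than on the monitored host, so an intruder who alters a file cannot also alter the record it is compared against.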
Anti-Malware/HIPS
● Provides virus scanning and Host-based Intrusion Prevention System (HIPS) capabilities across all machines and operating systems
● Centralized virus signature and HIPS policy management (automated deployments and updates)
● Technologies Used
  ● McAfee VirusScan Enterprise, HIPS, and ePolicy Orchestrator
Network Management
● Domain Name Service (DNS) Server
● Dynamic Host Configuration Protocol (DHCP) Server
● Network Time Protocol (NTP) Server
● Technologies Used
  ● Microsoft Windows DNS and Time Services (integrated with Active Directory)
  ● Red Hat DHCP Server
  ● Red Hat NTP Server
Database
● Highly Available Relational Database Solution
  ● Two Oracle Database 11gR2 Enterprise Edition database server instances
  ● One primary instance providing client access
  ● One identical standby instance to receive/apply redo operations from the primary database
  ● Oracle Data Guard configuration established between the primary and standby database servers to maintain a duplicate copy of the operational database
  ● Supports high database availability and fast-start failover
● Technologies Used
  ● Oracle Database 11gR2 Enterprise Edition with Data Guard
Data Intake & Transmission
● FTP, FTPS, and SFTP client and server solutions
● Used to obtain product and ancillary data from providers (intake), and deliver product and ancillary data to consumers (transmission), via push or pull
● Technologies Used
  ● Apache FtpServer (FTP and FTPS Server)
  ● Apache SSHD (SFTP Server)
  ● Apache Commons Library (FTP, FTPS, and SFTP Client)
Scheduling
● Schedules periodic operations to be performed within the infrastructure
  ● Product and ancillary data inventory cleanup (expired files)
  ● Subscription-specific product and ancillary data acquisition
  ● Extensible to accommodate future scheduling needs
● Technologies Used
  ● Terracotta Quartz Scheduler
System Backup
● Performs periodic backup of specific system data and files to support on-site archive and recovery
● Backups include:
  ● VM image files
  ● Database contents
  ● Log files
  ● Configuration files
● Technologies Used
  ● EMC NetWorker
ESPDS Scalable and Secure Infrastructure Benefits
● To End Users
  ● Ensures highly available and reliable access to human and machine interfaces that scales to accommodate growing user and data demands
  ● Provides flexibility to quickly adapt to changes in end user requirements
● To System Operators/Administrators
  ● Easily scalable hardware and software
  ● Provides automated operations
  ● Compliant with IT security requirements for a High Impact system
● To NOAA/NESDIS As A Whole
  ● Scalable and secure foundation to support enterprise environmental satellite services across NOAA/NESDIS
  ● Removes mission-specific stovepiping
  ● Paves the path toward modernized data centers
Questions