
CSCF

UNCLASSIFIED

UNCLASSIFIED

© 2015 Lockheed Martin Corporation. All Rights Reserved.

Data Centric MLS RHEL Ecosystem

Sarah Storms

Altair PBS User Group

201509


Agenda

• Data-centric MLS RHEL

• Historical Perspective

• Ecosystem Description


Data-Centric MLS RHEL

• In a sentence:
  – Data, processes, users, etc. are given a security label commensurate with their security level
• Security Label Application
  – Networks
    • Data and users arriving on a particular network are labeled at the level of the network
  – Users
    • Users are labeled based on the network they are arriving on
    • Some exceptions allowed for compartments
  – Data, Objects and Processes
    • Data, objects, and processes are labeled based on the security label of the user or process that created them


Data-Centric MLS RHEL

• Labeling Parts: Summary Definition of Security Labeling

Sensitivity Levels
  S15
  S14
  S13
  S12
  S11   TS SCI Compartment
  S10   TS SCI ST
  S9
  S8
  S7    DoD TS/SAP/SAR
  S6    DoD TS
  S5    DoD S/SAP/SAR
  S4    DoD S
  S3
  S2
  S1    Unclassified
  S0    Special Unclassified

Compartments
  C0            Used to be special, unused today.
  C1            Look Down/Pull Up for UNCLASSIFIED/ITAR
  C2
  C3
  C4
  C5
  C9-C99        Reserved for DoD and Coalition countries.
  C100-C200     DoD S, DoD TS SAP/SAR caveats
  C201-C299     SCI RV World Caveats
  C300-C399     C300-C350 for Coalition Share Points or Bi- and Tri-Lateral sharing, e.g. NATO, SEATO, etc.
  C400-C499
  C500-C599     Compartmented Caveats
  C600-C699
  C700-C799
  C800-C899
  C900-C999
  C1000-C1023


Data-Centric MLS RHEL

• Security Labels

Label | Sensitivity | Compartments
UNCLASSIFIED | S1 |
UNCLASSIFIED/ITAR | S1 | C1 (Using DAC owned by Admin to separate ITAR projects)

DoD columns: NF, USA, OTC 1, OTC 2, OTC 3, OTC 4
DoD S | S4 | C1,C9.C99  C9  C10  C11  C12  C13
DoD TS | S6 | C1,C9.C99  C9  C10  C11  C12  C13

Bi- and tri-lateral agreements (separate logins): labels add C300-C399, where C3xy labels are associated with agreements.

Gov/CSCF columns: N World, D WRLD A, D WRLD B, D WRLD C, D WRLD D, D WRLD E
DoD S/SAP/SAR | S5 | C1,Cy  C1,C9.C99,C101,C103.C199  C1,C9.C99,C102  C1,C9.C99,C103  C1,C9.C99,C104  C1,C9.C99,C105  C1,C9.C99,C106  C1,C9.C99,C107
DoD TS/SAP/SAR | S7 | C1,Cy  C1,C9.C99,C101,C103.C199

SCI columns: NF, REL FVEY, USA, OTC 1, OTC 2, OTC 3, OTC 4
TS SCI | S10 | C1,C9.C99  C9.C13  C9.C13  C9.C13  C9.C13  C9.C13  C9.C13

Type columns: T Type, K Type, R Type, ? Type
TS SCI RV World | S10 | C1,Cy  C1,C9.C99,C201  C1,C9.C99,C202  C1,C9.C99,C203  C1,C9.C99,C204

World columns: Hallway, R World, T World, B World, ? World, Fusion Program
TS SCI Compartment | S11 | C1,C9.C99,Cy  C1,C9.C99,C500.C503  C1,C9.C99,C501  C1,C9.C99,C502  C1,C9.C99,C503  C1,C9.C99,C?  C1,C9.C99,C500.C502,C504,Cy (y=201-299)
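The labeling rules across the three Data-Centric MLS RHEL slides (users and data labeled at the level of the arriving network, objects inheriting the creator's label, sensitivity levels S0 to S15, compartments C0 to C1023, and the dotted range notation such as C9.C99) are the SELinux MLS label model. The Python below is an added example written for this page, not code from the deck or from the CSCF/Lockheed Martin configuration: it parses labels in the slides' notation, implements the dominance relation, and evaluates read-down and no-write-down decisions for a DoD TS user (S6:C1,C9.C99 in the table) against several of the table's object labels. The treatment of the "exceptions for compartments" (extra compartments granted on top of the network's) and the rule for printing runs as ranges are assumptions of this example.

```python
"""Added example: the deck's data-centric labeling model in code.

Labels follow the SELinux MLS syntax the slides write in capitals
(sensitivity S0..S15, compartments C0..C1023, "." for a range),
e.g. "S4:C1,C9.C99".  Illustration only, not CSCF configuration code.
"""
import re
from dataclasses import dataclass

MAX_SENSITIVITY = 15      # S0..S15 on the deck's sensitivity table
MAX_COMPARTMENT = 1023    # C0..C1023 on the deck's compartment table

_LABEL_RE = re.compile(r"^s(\d+)(?::(.+))?$", re.IGNORECASE)
_COMP_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$", re.IGNORECASE)


@dataclass(frozen=True)
class Label:
    sensitivity: int
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """MLS partial order: level at least as high and compartment superset."""
        return (self.sensitivity >= other.sensitivity
                and self.compartments >= other.compartments)


def parse_label(text):
    """Parse 'S6:C1,C9.C99' into a Label; ValueError on bad syntax or bounds."""
    m = _LABEL_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed label: {text!r}")
    sens = int(m.group(1))
    if sens > MAX_SENSITIVITY:
        raise ValueError(f"S{sens} is outside S0..S{MAX_SENSITIVITY}")
    comps = set()
    if m.group(2):
        for part in m.group(2).split(","):
            cm = _COMP_RE.match(part.strip())
            if not cm:
                raise ValueError(f"malformed compartment: {part!r}")
            lo = int(cm.group(1))
            hi = int(cm.group(2)) if cm.group(2) else lo
            if hi < lo or hi > MAX_COMPARTMENT:
                raise ValueError(f"bad compartment range: {part!r}")
            comps.update(range(lo, hi + 1))
    return Label(sens, frozenset(comps))


def is_valid_label(text):
    try:
        parse_label(text)
        return True
    except ValueError:
        return False


def format_label(label):
    """Print in slide notation; runs of three or more consecutive compartments
    are collapsed to a range (formatting choice of this example)."""
    comps = sorted(label.compartments)
    parts, i = [], 0
    while i < len(comps):
        j = i
        while j + 1 < len(comps) and comps[j + 1] == comps[j] + 1:
            j += 1
        if j - i >= 2:
            parts.append(f"C{comps[i]}.C{comps[j]}")
        else:
            parts.extend(f"C{c}" for c in comps[i:j + 1])
        i = j + 1
    return f"S{label.sensitivity}" + (":" + ",".join(parts) if parts else "")


def can_read(subject, obj):
    """Read down ("Look Down/Pull Up"): the subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject, obj):
    """No write down: the object must dominate the subject."""
    return obj.dominates(subject)


def label_for_user(network, compartment_exceptions=()):
    """Users are labeled at the level of the network they arrive on; the deck's
    'exceptions for compartments' are modelled (assumption) as extra compartments."""
    return Label(network.sensitivity,
                 network.compartments | frozenset(compartment_exceptions))


def label_for_new_object(creator):
    """Data, objects and processes take the label of the creating subject."""
    return creator


def access_matrix(subject, objects):
    """{object label: (can_read, can_write)} for one subject over many objects."""
    return {format_label(o): (can_read(subject, o), can_write(subject, o))
            for o in objects}


if __name__ == "__main__":
    # A DoD TS user arriving on the S6:C1,C9.C99 network (row "DoD TS" in the table).
    user = label_for_user(parse_label("S6:C1,C9.C99"))
    objects = [parse_label(s) for s in
               ("S1", "S1:C1", "S4:C9", "S4:C100", "S7:C1,C9.C99,C101", "S10:C1,C9.C99")]
    for lbl, (r, w) in access_matrix(user, objects).items():
        print(f"{format_label(user)} -> {lbl:22} read={r!s:5} write={w}")
    print("file created by this user gets", format_label(label_for_new_object(user)))
```

The two checks that matter for the ITAR row are visible in the output: the S6 user reads S1:C1 data (C1 is the look-down compartment) but cannot read S4:C100, because dominance is a superset test on compartments, not just a level comparison.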


Government Application

[Diagram: Non-MLS Operating Picture, with separate U, S and TS Analyst Workstations and separate HPC Servers and Storage per level, versus MLS Operating Picture, with one MLS Analyst Workstation, a Department or HPC Server and a Secure Data Appliance carrying TS, S and U data. Consolidates hardware and enables analyst driven data fusion.]


Commercial Application

[Diagram: Pre-MLS System Configuration. A Retail Store and Credit Card Processing (PII, Approvals) connect to the Internet, with a "Bad Guy" Egress Point marked on the path. Network Access Table (assumes firewalls in place): Unencrypted / Encrypted.]


Commercial Application

[Diagram: MLS System Configuration. Components shown: Retail Store; Credit Card Processing; PoS Interactions; sensitivity labels S1, S2, S3 and S4; Store 1 Apps and Store 2 Apps; Credit Card 1 Apps and Credit Card 2 Apps; Other Company Processing (Inventory, etc. Apps); a shared MLS Database; Internet. Network Access Table (assumes firewalls in place): Unencrypted / Encrypted.]

RHEL MLS Configuration Benefits
– RBAC – limits insider threat
– MLS – isolates functions to limit damage
– Encryption – eliminates egress points for Trojans


Historical Perspective

• The CSCF program has leveraged data-centric MLS OS configurations for the last 20+ years

– Minimize hardware, licensing, OS configuration, manpower costs

– Maximize flexibility, data fusion, system utilization

• MLS requires a full ecosystem to be truly useful

– OS configuration

– Resource management

– Direct and Network attached storage

• Including long haul data sharing

– System Monitoring including audit reduction

– Databases


MLS Partners

Current Capabilities

• LMC/CSCF/WF

• Red Hat

• Altair

• Seagate/Xyratex

• Mellanox

• ViON

• Bay Microsystems

• SGI

• Cray

• DoE LANL

• DoD HPCMO

• Splunk

Current Capabilities
• Crunchy Data Systems
• Filius
  – RPI Consulting
  – CSC


CSCF Capabilities and Path Forward

• ICD 503 Certification for Ecosystem
  – Running at CSCF in operations
  – Classified tours and demonstrations available
• System configurations
  – Single System Image RHEL 6.5+ under ICD 503
  – Cluster Configuration RHEL 6.5+ under IATT
• Direct attached RAID
  – Under xfs, EXTx, (others also handle MAC) is ICD 503 certified
• Configuration Management
  – SCAP through open source
    • OVAL will be added for mitigation after training
  – Subversion
    • Privileged User Guide (PUG)
    • Specialized scripting


LMC Capabilities and Path Forward

• Configuration Objective
  – Provide SCAP profile, SVN repositories, and PUG to allow easy build of unclassified CSCF configurations
    • Support vendors' unclassified debugging of CSCF problems
    • Support new government customer interest in MLS to consolidate rather than duplicate
• MLS Ecosystem Objective
  – Provide MLS capable versions of software capabilities integrated with the MLS RHEL configuration to solve complex system configuration and support problems
• Unified Cross Domain Services Management Office (UCDSMO) Engagement
  – LMC/CSCF will be coordinating

POC: Joe Swartz, [email protected]


Red Hat

• Red Hat has worked closely with CSCF to ensure that all capabilities are included in the RHEL product

– Fixed SELinux and MLS policy issues as identified

– Added new or modified capabilities as requested

– Supported documentation

– Supported Government security meetings as needed

– Fully supported other vendors as they created MLS capable versions of their software packages

• Outreach

– Red Hat has fully participated in CSCF MLS outreach efforts

– Red Hat has directed potential customers to CSCF

POC: Shawn Wells, [email protected]


Altair

• PBS Professional Resource Management
  – Queuing system with many tuning parameters
  – Queuing management allowing minimum wait time and maximum system utilization
  – Multi-system management and queue sharing
  – Remote job submittals
  – MLS capable
    • Branch until 4th quarter 2015
• Installed on all CSCF MLS HPC and Utility systems

POC: Kirk Monroe, [email protected]


Seagate/Xyratex

• Created MLS Lustre file system
• Integrated into their MLS Secure Data Appliance (SDA)
  – Based on ClusterStor product
  – Uses CSCF MLS RHEL OS baseline
  – Extensible to multi-petabytes per rack
• Hadoop
  – Demonstrating capability October 2014
  – Showing 30% faster response over non-Lustre configurations
• ICD 503 certified
• Two systems in place at CSCF
  – Centralizing user home directories and large R&D data sets
• Customer SE Support
  – Multiple customers

POC: Bill Downer, [email protected]


Filius, RPI Consulting, CSC

• LMC working with Filius and RPI Consulting to build and provide the following training courses:
  – RHEL MLS Installation, configuration, and testing
    • First class in July is complete
    • Additional classes planned for later this year
  – RHEL MLS Configuration Administration
    • Course outline and materials complete
    • First class TBD
  – RHEL MLS Security Accreditation and Administration
    • Course outline complete, materials in progress
    • First class TBD
  – MLS Aware Database Installation and Use
    • Course outline complete
    • First class TBD

POC: John Gulick, [email protected]


Bay Microsystems

• Global high-performance Fabric Extension
  – Including Long-haul InfiniBand (IB) and RDMA
  – Global clustering of CloudStor data centers
  – Sharing MLS SDA CloudStor data to all local & remote systems
  – Demonstrations
    • Full motion video stream via Pixia from MLS SDA to work station
      – Simulating east coast to west coast
    • Data sharing for home directories and work directories
    • Supporting both SC14 and GEOINT MLS demonstrations
• CSCF in process of installing capability

[Chart residue: values 2,798.33 min, 6,898.33 min, 14.18 min, 15.50 min, 46.63 hours, 116.63 hours; axis and series labels not recovered.]

POC: Gerry Jankauskas, [email protected]


Mellanox

• Native MLS extended attributes in IB protocol

– Beta demonstration in September 2015

– Final capability at SC15 mid-November 2015

• Cluster configuration implications

– MLS cluster configurations become much easier

• No need for TCP/IP over IB to carry MLS labels

POC: Alex Neefus, [email protected]


Splunk

• System monitoring and audit reduction
• Splunk shipped SELinux compliant
• Provides
  – Centralized monitoring capabilities
  – SELinux audit log reduction and warning capabilities
• Worked straight out of the box
  – CSCF evaluating multiple other plug-in capabilities

POC: Katy and Pam, [email protected]
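Audit reduction, as this slide uses the term, means collapsing a stream of raw SELinux AVC records into a few summary rows an operator can act on, and flagging the ones that matter on an MLS system: attempts to read above or write below a subject's level. The Python below is an added example for this page, not Splunk's logic or anything from the CSCF deployment: it parses constructed audit.log lines in auditd's format, groups denials by source context, target context, object class and permission set, and tags each group by comparing only the sensitivity component of the two contexts (compartments are ignored, a simplification of this example).

```python
"""Added example: SELinux AVC audit reduction in the style of a Splunk search.
Illustration only, not Splunk code or the CSCF monitoring configuration."""
import re

# type=AVC records as auditd writes them to /var/log/audit/audit.log
_AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)
# sensitivity component of a context such as user_u:user_r:user_t:s1:c1
_LEVEL_RE = re.compile(r":s(\d+)(?::|$)")

READ_LIKE = {"read", "getattr", "execute", "open"}
WRITE_LIKE = {"write", "append", "create", "unlink", "rename"}

# Constructed sample: three read denials from S1 processes against one S4 file,
# an interleaved SYSCALL record, and one append denial from an S4 process on an S1 file.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1441234567.101:4501): avc:  denied  { read } for  pid=2345 comm="cat" '
    'name="budget.xls" dev="dm-0" ino=12345 scontext=user_u:user_r:user_t:s1:c1 '
    'tcontext=user_u:object_r:user_home_t:s4:c9 tclass=file',
    'type=SYSCALL msg=audit(1441234567.101:4501): arch=c000003e syscall=2 success=no exit=-13 '
    'comm="cat" exe="/bin/cat"',
    'type=AVC msg=audit(1441234567.155:4502): avc:  denied  { read } for  pid=2346 comm="cat" '
    'name="budget.xls" dev="dm-0" ino=12345 scontext=user_u:user_r:user_t:s1:c1 '
    'tcontext=user_u:object_r:user_home_t:s4:c9 tclass=file',
    'type=AVC msg=audit(1441234570.002:4510): avc:  denied  { read } for  pid=2350 comm="less" '
    'name="budget.xls" dev="dm-0" ino=12345 scontext=user_u:user_r:user_t:s1:c1 '
    'tcontext=user_u:object_r:user_home_t:s4:c9 tclass=file',
    'type=AVC msg=audit(1441234580.500:4520): avc:  denied  { append } for  pid=2401 comm="report" '
    'name="export.csv" dev="dm-0" ino=22222 scontext=staff_u:staff_r:staff_t:s4:c9 '
    'tcontext=staff_u:object_r:user_home_t:s1 tclass=file',
]


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record type."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["perms"] = tuple(sorted(rec["perms"].split()))
    return rec


def sensitivity_of(context):
    """Integer sensitivity of an SELinux context, or None if it carries no MLS level."""
    m = _LEVEL_RE.search(context)
    return int(m.group(1)) if m else None


def classify(rec):
    """Tag a denial by direction of the attempted flow across sensitivity levels."""
    src, dst = sensitivity_of(rec["scontext"]), sensitivity_of(rec["tcontext"])
    if src is None or dst is None:
        return "non-MLS denial"
    perms = set(rec["perms"])
    if perms & READ_LIKE and dst > src:
        return "read-up attempt"
    if perms & WRITE_LIKE and dst < src:
        return "write-down attempt"
    return "other denial"


def reduce_avc(lines):
    """Collapse raw records into one row per (scontext, tcontext, tclass, perms),
    with count and first/last timestamp, most frequent first."""
    groups = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["scontext"], rec["tcontext"], rec["tclass"], rec["perms"])
        g = groups.setdefault(key, {"count": 0, "first": rec["ts"],
                                    "last": rec["ts"], "kind": classify(rec)})
        g["count"] += 1
        g["first"] = min(g["first"], rec["ts"])
        g["last"] = max(g["last"], rec["ts"])
    rows = [{"scontext": k[0], "tcontext": k[1], "tclass": k[2],
             "perms": " ".join(k[3]), **v} for k, v in groups.items()]
    return sorted(rows, key=lambda r: -r["count"])


def summarize(lines):
    """One human-readable line per reduced group."""
    return [f'{r["count"]}x {r["kind"]:18} {r["scontext"]} -> {r["tcontext"]} '
            f'{r["tclass"]} {{ {r["perms"]} }}' for r in reduce_avc(lines)]


if __name__ == "__main__":
    for row in summarize(SAMPLE_AUDIT_LINES):
        print(row)
```

Five raw records reduce to two rows: a repeated read-up attempt from an S1 user context against an S4 file, and a single write-down attempt from an S4 process. The grouping key deliberately excludes pid and file name, which is what turns thousands of near-identical AVC lines into a handful of alerts; a production search would add the compartment comparison from the label model as well.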


Crunchy Data Systems

• Postgres expert company serving DoD / IC with Committer and Major Contributors to Postgres Project on team

• Developing Postgres Security Enhancements (Row Level Security, fine grain permissions and auditing) with open source community under IC community contract

• Developing implementation of Postgres using RLS to integrate with SELinux to meet MLS requirements

• Demonstrations

– Working with ViON and Seagate re JCDX capability

– Working with ViON re Enterprise Challenge 2015 (EC15) capability

– Working with CSCF to demonstrate an MLS database for use with 3-4 CSCF user groups

POC: Bob Laurence, [email protected]


ViON

• Providing customer integration support for demonstrations
  – Enterprise Challenge 2015
    • LOE leading up to EC 15
  – MLS Postgres
    • Supporting AF, Navy, and other customers
• Customer SE support
  – Multiple AF projects
  – Multiple NGA projects
  – Multiple IC customers
  – Multiple Army customers
  – Reseller for Xyratex/Seagate SDA at CSCF and cleared engineering support

POC: Mike Meister, [email protected]


SGI

• Supported Single System Image development and ICD 503 certification
  – Working to get MLS Message Passing Toolkit (MPT) working
    • Will reduce MPI communications overhead by at least 10%
• Demonstrations
  – Working to support SC14 MLS demonstration
  – Planning to support GEOINT demonstration
• Eight systems installed at CSCF

POC: Mark Carhart, [email protected]


Cray

• Supporting development of MLS RHEL Cluster configuration
  – Basic configuration complete including PBS Pro and direct attached storage
  – Installing Seagate/Xyratex SDA for integration verification
  – Proceeding with security hardening and testing
• Demonstrations
  – Supporting DoD Mod Office demonstration
  – Planning to participate in GEOINT MLS demonstration

POC: Louis Hackerman, [email protected]


DoE LANL

• Working with CSCF to deploy MLS cluster configuration
  – IC support area
• Working to deploy MLS configurations for Q level processing
  – Consolidate section servers
  – About 30k cores
• Procured MLS SDA ClusterStor for evaluation
  – CSCF providing system MLS configurations

POC: Gary Grider, [email protected]


DoD HPCMO

• Planning an MLS Cluster configuration based on CSCF configuration
  – Including direct attached and MLS SDA ClusterStor demo
  – Testing and evaluation for software products not already tested at CSCF completed
  – Evaluating additional options to configure current systems with the MLS capability

POC: Jeff Gosciniak, [email protected]


Questions?