ESPDS Scalable and Secure Infrastructure

Ensuring the NOAA/NESDIS Environmental Satellite Processing and Distribution Capabilities Meet the Growing User and Data Demands of Today and Tomorrow

Rich Baker
Solers, Inc.
ESPDS Development Chief Architect
2013 AMS Annual Meeting
What is ESPDS?

● ESPDS: Environmental Satellite Processing and Distribution System
  ● Developed by the NESDIS Office of Systems Development (OSD), with Solers (“Team Solers”) as the development contractor
  ● Will be operated by the NESDIS Office of Satellite and Product Operations (OSPO)
● Modernizes the NESDIS Environmental Satellite Processing Center (ESPC)
  ● Single enterprise solution that meets the needs of existing (legacy), Suomi NPP, JPSS, and GOES-R, with scalability to meet future environmental satellite needs
    ● No more stovepipes!
  ● Includes modernization of the Ingest, Product Generation (PG), Product Distribution (PD), and Infrastructure segments of the ESPC
● Provides environmental satellite data and services to a growing user community including:
  ● NOAA Line Offices (NWS, NMFS, NOS, NIC, NESDIS, etc.)
  ● DoD (AFWA, NAVO, etc.)
  ● Other U.S. and international users (government agencies, universities, foreign partners, etc.)
● Will be implemented at the primary and backup ESPC sites:
  ● Primary ESPC site is the NOAA Satellite Operations Facility (NSOF) in Suitland, MD
  ● Future ESPC backup site is the Consolidated Back-Up (CBU) facility in Fairmont, WV
● Provides a scalable and secure infrastructure as a foundational building block upon which all other system functions reside

© 2013 Solers, Inc.
Traits of a Scalable Infrastructure

● No Single Point of Failure
  ● Redundancy and fault tolerance as key design tenets throughout
● Line Replaceable Units
  ● Can upgrade or replace existing hardware and software components without impacting operational availability
● Business Process Flexibility and Extensibility
  ● Can change existing business processes within the system, and integrate new business processes into the system, without impacting operational availability
● Horizontal Scalability
  ● Can add additional hardware resources (computing, network, storage) and software business processing instances without impacting operational availability
Traits of a Secure Infrastructure

● Complies with applicable IT security policies, procedures, and controls:
  ● NIST SP 800-53
  ● DOC/NOAA IT Security Handbook
  ● Center for Internet Security (CIS) Benchmarks
  ● DISA STIG
  ● Etc.
● Provides a “defense-in-depth” foundation for securing the system that includes:
  ● Network security
  ● Centralized identity/account management, authentication, and authorization
  ● Host-based intrusion detection and prevention
  ● Anti-malware
  ● Integrated monitoring, logging, and reporting (Security Incident and Event Management [SIEM])
ESPDS Scalable and Secure Infrastructure

[Architecture diagram, flattened to text]

Data providers (inbound):
● Suomi NPP and JPSS (via IDPS)
● GOES-R GS PD
● Non-NOAA Satellites (MSG, MTSAT, INSAT)
● Ancillary Data Providers
● Legacy GOES
● Legacy POES
● Future Missions

Satellite Ingest Computing Cluster: scalable x86 hardware cluster with specialized adapters to interface with satellite antenna systems and perform RF/IF to IP conversion of the data

Product Generation Computing Cluster: scalable x86 hardware cluster that leverages a grid computing scheduler to perform PG algorithm execution and report applicable status/metrics

Virtualized Computing Cluster: scalable x86 hardware cluster that hosts the distribution and access, PG management, common infrastructure, and other services as Virtual Machines (VMs)

Common Infrastructure Services:
● Resource Management
● Communications Framework
● Logging & Reporting
● Monitoring
● Identity/Account Management
● HIDS
● Anti-Malware/HIPS
● Network Management
● Database
● Data Intake & Transmission
● Scheduling
● System Backup

Converged 10Gb IP Networking: includes switches, firewalls, and Network IDS components (Cisco)

Enterprise Shared Storage: scale-out Enterprise Network Attached Storage (NAS) solution with standard IP-based file access protocols (NFS, CIFS, HTTP, FTP) (EMC Isilon)

Data users (outbound):
● NOAA Line Offices
● DoD
● CLASS
● Other U.S. and International Users
● Ancillary Data Users (PG Systems)
Common Infrastructure Services

● The following slides provide an overview of the Common Infrastructure Services depicted in the previous diagram
  ● Resource Management
  ● Communications Framework
  ● Logging & Reporting
  ● Monitoring
  ● Identity/Account Management
  ● HIDS
  ● Anti-Malware/HIPS
  ● Network Management
  ● Database
  ● Data Intake & Transmission
  ● Scheduling
  ● System Backup
Resource Management

● Technologies Used
  ● VMware vSphere/ESXi, vCenter, and Orchestrator
Communications Framework

[Diagram, flattened to text: message paths between clients and ESPDS services]
● Users/Operators/Admins reach the ESPDS Portal over HTTPS through a Load Balancer
● GOES-R GS PD WS Client and Other System WS Clients call ESPDS Services using SOAP over HTTP(S) through the Load Balancer
● (S)FTP(S) Client VMs and (S)FTP(S) Server VMs carry (S)FTP(S) transfers with Other (S)FTP(S) Servers, Other (S)FTP(S) Clients, and the PDA Client
● Behind the Load Balancer, ESB VMs receive SOAP over HTTP(S) and forward requests as SOAP over JMS 1.1 via JMS Broker VMs to ESPDS Services hosted on Application Server VMs (multiple instances, …)

● Technologies Used
  ● WSO2 ESB and Application Server
  ● Apache ActiveMQ Java Message Service (JMS) Broker
  ● Red Hat Linux Virtual Server (LVS) Load Balancer
Logging & Reporting

[Diagram, flattened to text: log sources feeding Logging & Reporting (Tripwire Log Center), with the collection method in parentheses]
● Microsoft Windows: Windows Event logs (WMI)
● Directory Server (Microsoft Active Directory): Windows Event logs (WMI)
● Monitoring (SolarWinds Orion): SolarWinds Orion logs (WMI)
● Resource Management (VMware vCenter): vCenter, ESXi, Resource Coordinator, Red Hat Repository logs (WMI)
● Layer 3 Switch (Cisco): Firmware logs (Syslog)
● Computing HW (Cisco UCS): Firmware logs (Syslog)
● NAS Storage (Isilon): Firmware logs (Syslog)
● SAN Storage (EMC VNX): Firmware logs (Syslog)
● Red Hat Enterprise Linux: Linux OS logs (Rsyslog)
● Data Intake/Data Transmit ([S]FTP[S] Server/Client): Apache SSHD/FTPD logs (Rsyslog)
● Administrator Portal and User Portal: Web server logs (Rsyslog)
● Other Java Components (e.g. Subscription, Product Tailoring, Ad-Hoc search): Custom Java Service logs (Rsyslog)
● Communications Framework (WSO2, ActiveMQ, Red Hat LVS): WSO2 ESB, WSO2 AS, Red Hat LVS logs (Rsyslog)
● Database (Oracle RDBMS): Oracle logs (Rsyslog)

● Technologies Used
  ● Tripwire Log Center
  ● Rsyslog (Linux-based syslog client)
  ● Windows Management Instrumentation (WMI)
Monitoring

[Diagram, flattened to text: data collected by Monitoring (SolarWinds Orion) from each component, with the collection method in parentheses]
● Microsoft Windows: resource and service status (WMI)
● Layer 3 Switch (Cisco): Interface Status and Bandwidth Usage (SNMP)
● Computing HW (Cisco UCS): Blade Resource Utilization (SNMP)
● SAN Storage (EMC VNX): I/O Data and Storage Usage (SNMP)
● NAS Storage (EMC Isilon): I/O Data and Storage Usage (SSH)
● Red Hat Enterprise Linux: Red Hat OS resource and service status (SNMP)
● Resource Management (VMware vCenter): VM CPU, Memory, and Network performance measurements (SNMP)
● Data Intake/Data Transmit ([S]FTP[S] Server/Client): Connection Status and Transfer Rate (SNMP)
● User Portal: User Statistics (SSH)
● Administrator Portal, Logging and Reporting (Tripwire Log Center), Other Java Components (e.g., Subscription, Product Tailoring, Ad-Hoc search), Comm Framework (WSO2, Red Hat LVS), and Data Management (Oracle RDBMS): Service/Process Status and Resource Allocation (SSH/RMI)
● Directory Server (Microsoft Active Directory): Web Interface Authentication (LDAPS) for the Monitoring web interface

● Technologies Used
  ● SolarWinds Orion Network Performance Monitor (NPM) and Application Performance Monitor (APM)
  ● Red Hat Simple Network Management Protocol (SNMP) Agent and Secure Shell (SSH) Server
  ● Windows Management Instrumentation (WMI)
Identity/Account Management

● Centralized identity and account management solution
● Manages human user accounts (internal and external users, operators, administrators)
● Manages machine and operating system accounts
● Provides Kerberos and web services-based authentication and authorization services
● Compatible with NOAA/NESDIS HSPD-12 solution (DoD CAC PIV token, X509 PKI certificates)
● Technologies Used
  ● Microsoft Active Directory
  ● Centrify
  ● ForgeRock OpenAM
HIDS

● Centralized Host-based Intrusion Detection System (HIDS) solution
● Ensures integrity of critical system and configuration files across the infrastructure, including:
  ● Computing device firmware
  ● Networking device firmware
  ● Storage device firmware
  ● Operating systems
  ● Applications and services
● Technologies Used
  ● Tripwire Enterprise
Anti-Malware/HIPS

● Provides virus scanning and Host-based Intrusion Prevention System (HIPS) capabilities across all machines and operating systems
● Centralized virus signature and HIPS policy management (automated deployments and updates)
● Technologies Used
  ● McAfee VirusScan Enterprise, HIPS, and ePolicy Orchestrator
Network Management

● Domain Name Service (DNS) Server
● Dynamic Host Configuration Protocol (DHCP) Server
● Network Time Protocol (NTP) Server
● Technologies Used
  ● Microsoft Windows DNS and Time Services (integrated with Active Directory)
  ● Red Hat DHCP Server
  ● Red Hat NTP Server
Database

● Highly Available Relational Database Solution
  ● Two Oracle Database 11gR2 Enterprise Edition Database Server instances
    ● One primary instance providing client access
    ● One identical standby instance to receive/apply redo operations from primary database
  ● Oracle Data Guard configuration established between primary & standby database servers to maintain duplicate copy of operational database
    ● Supports high database availability and fast start failover
● Technologies Used
  ● Oracle Database 11gR2 Enterprise Edition with Data Guard
  ● Hibernate (database client access)
Data Intake & Transmission

● FTP, FTPS, and SFTP client and server solutions
● Used to obtain product and ancillary data from providers (intake), and deliver product and ancillary data to consumers (transmission) via push or pull
● Technologies Used
  ● Apache FtpServer (FTP and FTPS Server)
  ● Apache SSHD (SFTP Server)
  ● Apache Commons Library (FTP, FTPS, and SFTP Client)
Scheduling

● Schedules periodic operations to be performed within the infrastructure
  ● Product and ancillary data inventory cleanup (expired files)
  ● Subscription-specific product and ancillary data acquisition
  ● Extensible to accommodate future scheduling needs
● Technologies Used
  ● Terracotta Quartz Scheduler
System Backup

● Performs periodic backup of specific system data and files to support on-site archive and recovery
● Backups include:
  ● VM image files
  ● Database contents
  ● Log files
  ● Configuration files
● Technologies Used
  ● EMC NetWorker
ESPDS Scalable and Secure Infrastructure Benefits

● To End Users
  ● Ensures highly available and reliable access to human and machine interfaces that scales to accommodate the growing user and data demands
  ● Provides flexibility to quickly adapt to changes in end user requirements
● To System Operators/Administrators
  ● Easily scalable hardware and software
  ● Provides automated operations
  ● Compliant with IT security requirements for a High Impact system
● To NOAA/NESDIS As A Whole
  ● Scalable and secure foundation to support enterprise environmental satellite services across NOAA/NESDIS
  ● Removes mission-specific stovepiping
  ● Paving the path toward modernized data centers

Questions