IaaS Demonstration San Francisco Wildfire V.02
Copyright 2005 Northrop Grumman Corporation
4/20/2009 12:58 PM
Cloud Computing: Infrastructure-as-a-Service Demonstration
Northrop Grumman Homeland Security Solutions Open House, April 14 – 16, 2009
Cloud Computing Infrastructure Demonstration: Goal
Within a realistic DHS/FEMA scenario:
• Demonstrate the ability to establish a secure and robust collaboration environment that can be quickly and easily scaled at a disruptively low cost.
• Leverage commercial cloud platforms to host and distribute application suites that enable a robust information sharing capability.
• Provide a flexible and robust security framework capable of meeting stringent government information assurance and information security requirements.
Scenario: San Francisco Area Wildfires
The Federal Emergency Management Agency is working with state officials and other federal agencies engaged in the response to the multiple wildfires burning across the San Francisco Bay Area.
President Obama issues an emergency disaster declaration for California and orders greater federal aid to supplement state and local response activities in the affected areas.
FEMA mobilizes federal resources and authorizes federal funds to be allocated to reimburse the state for certain costs incurred under FEMA's Fire Management Assistance Grant Program.
San Francisco Area Wildfire: Emergency Response Organizations
FEMA Joint Field Office in Oakland
Response staging area
Federal Emergency Response Team
Regional Response Coordination Center
Department of the Interior
Bureau of Land Management
National Park Service
U.S. Fish and Wildlife Service
Bureau of Indian Affairs
Department of Transportation
United States Forest Service
United States Army Corps of Engineers
Department of Health and Human Services
Department of Homeland Security's Infrastructure Protection.
National Response Coordination Center
Environmental Protection Agency
FBI
DOJ National Terrorism Task Force
National Interagency Fire Center
DOI Wildland Firefighters
USDA Wildland Firefighters
State Emergency Operations Center in Sacramento
California Wild Land Fire Services in Marin County
California Office of Emergency Services
Department of Defense
Defense Coordinating Officers
Defense Coordinating Elements
Command Assessment Element
US Northern Command
Air Forces North National Guard Bureau
Federal Aviation Administration
U.S. Fire Service
General Services Administration
DHS/ U.S. Coast Guard
Red Cross
Southern Baptists
San Francisco Emergency: Incident Action Plan
• Designate Incident Command
• Establish Perimeter
• Establish Joint Field Office
• Evaluate Scene
• Assign & Manage Responders
• Decommission Joint Field Office
San Francisco Emergency: Modified Incident Action Plan
• Designate Incident Command
• Establish Perimeter
• Establish Joint Field Office
• Evaluate Scene
• Assign & Manage Responders
• Decommission Joint Field Office
Steps added to the original plan:
• Activate Collaboration Environment
• Deactivate Collaboration Environment
Designate Incident Command
NIMS: Command and Management
Incident Command System (ICS): Integrates resources from numerous organizations into a single response structure using common terminology and common processes.
ICS structure shown on the slide:
• Operations Section
• Planning Section
• Logistics Section
• Finance and Admin
• Joint Field Office Coordination Group
• Technical Staff
Activate Collaboration Environment
Components shown on the slide: STEALTH Network Security, Policy Manager, Incident Activator, Emergency Data Center.
IaaS Specifications
Instance type     Virtual Cores  Compute Units  32/64 Bit  Memory  Storage  $/hr
Small             1              1              32 bit     1.7 G   160 G    0.10
High-CPU Medium   2              2.5            32 bit     1.7 G   350 G    0.20
Large             2              2              64 bit     7.5 G   850 G    0.40
Extra Large       4              2              64 bit     15 G    1690 G   0.80
High CPU XL       8              2.5            64 bit     7 G     1690 G   0.80
EC2 Compute Unit = 1.0-1.2 GHz 2007 Opteron or 2007 Xeon processor
Establish Perimeter
Figure: perimeter map with the labels Area Commander, Operational Space, Incident Action Plan, Initial Wind, Wind Shift, Fire station, Fire.
Establish Joint Field Office
Diagram labels: Department of Defense Representative, Defense Coordinating Officer, Joint Field Office.
Designate Incident Command
Components shown on the slide: STEALTH Network Security, Policy Manager, Emergency Data Center.
Evaluate Scene
Use cases shown on the slide (UML use-case diagram):
• RespondToEmergencyEvents
• Public Affairs
• ApproveFMAG
• OpenJointFieldOffice
• IdentifyAndEstablishJointFieldArea
• OpenRegionalResponseCoordinationCenter
• ActivateNationalResponseCoordinationCenter
• SendLiaisonToStateEmergencyOperationsCenter
Actors (the diagram links them with «inherits» relationships):
San Francisco CA - Area WildFire
Red Cross
FEMA
State Police
Federal: National Ass. of State Foresters; Office of Aircraft Services; National Weather Service; Forest Area Safety Task Force (FAST); National Park Service; US Dept. of Fish and Wildlife; US Forest Service; National Interagency Fire Center; DoD, National Guard Bureau; Customs and Borders; Dept of Interior, Dept of Transportation; HHS; EPA; GSA; FAA; FBI, DOJ National Terrorism Task Force
California: California Dept. of Forestry; Office of Emergency Services (OES); Geographical Area Coordination Center (GACC); Emergency Operations Center (EOC); Joint Information Center (JIC); Mountain Area Safety Taskforce (MAST)
County: Fire Departments; Sheriff’s Department
Municipal: Fire Departments; Sheriff’s Department
Assign/Manage Responders
Components shown on the slide: STEALTH Network Security, Policy Manager, Emergency Data Center.
Designate Incident Command
Components shown on the slide: STEALTH Network Security, Policy Manager, Update DHS Datacenter, Emergency Data Center.
Decommission Joint Field Office
San Francisco Emergency Wildfire Scenario
1. Established an incident command structure
2. Deployed the Emergency Data Center from Amazon S3 and activated the secure collaboration environment in Amazon EC2
3. Supported Joint Field Office operations
4. Completed operations
5. Transferred all operational data to DHS
6. Deactivated the collaboration environment
7. Decommissioned the Joint Field Office
Cloud Computing Infrastructure Demonstration: Summary
• Demonstrated the ability to establish a secure and robust collaboration environment that can be quickly and easily scaled at a disruptively low cost.
• Leveraged Amazon EC2 to host and distribute application suites that enabled a robust information sharing capability
• Through the use of cryptographic bit splitting technology, provided a flexible and robust security framework capable of meeting stringent government information assurance and information security requirements
Additional Information
Amazon Web Services
Amazon Web Services are a set of services that provide programmatic access to Amazon’s ready-to-use computing infrastructure.
Storage: Storage for files, documents, user downloads, or backups. Store anything your application needs in Amazon Simple Storage Service (S3) and take advantage of scalable, reliable, highly available, low-cost storage.
Computing: Amazon Elastic Compute Cloud (EC2) provides the ability to scale your computing resources up or down based on demand and makes provisioning new server instances very easy.
Messaging: Decouple your application components by using the unlimited, reliable messaging provided by Amazon Simple Queue Service (SQS).
Datasets: Amazon SimpleDB (SDB) provides scalable, indexed, zero-maintenance storage, along with processing and querying for datasets.
Elastic Compute Cloud (EC2)
Figure: EC2 stack of Instances running on XEN Virtualization on Hardware, with the Simple Storage Service (S3) hosting the virtual machine images (AMI).
• Web service that lets users requisition virtual machines within minutes and easily scale needed capacity up or down based on demand.
• Users pay only for the compute time they use.
• The EC2 environment itself is built on top of the open source Xen hypervisor.
• Users create Amazon Machine Images (AMIs) that act as the templates for their instances.
• Access to the instances can be controlled by specifying the permissions.
• Provides true Web-scale computing, which makes it easy to scale computing resources up and down.
• Five types of servers are available; users can pick the ones that fit their application needs. The servers range from commodity single-core x86 servers to eight-core x86_64 servers.
• Users can place the instances in different geographical locations or availability zones to ensure resistance to failure.
• Elastic IP addresses can be dynamically allocated to instances.
• Pay by the hour ($0.10-0.80/hour) plus external bandwidth ($0.10-0.18/Gbyte).
Oracle Technology: SOA Suite and Oracle 11g DB
Oracle SOA Suite: The Oracle SOA Suite is a packaged set of standards-based components for enabling web services-based SOA.
Oracle SOA Suite covers web services development, orchestration, monitoring, and security.
Oracle BPEL Process Manager orchestrates transactions across disparate applications within and across corporate boundaries.
Web-service enablement supports a cloud computing model in which several low-cost servers can be deployed in a cluster to provide scalability and high availability.
The Oracle SOA Suite contains the following components:
• Oracle Enterprise Service Bus
• Oracle BPEL Process Manager
• Oracle Technology Adapters
• Oracle BPM Human Workflow
• Oracle B2B
• Oracle Business Activity Monitoring
• Oracle Data Integrator
Oracle SOA Suite Security
SF Wildfire Implementation Technology: Oracle Beehive
Oracle Beehive
Software platform for enterprise collaboration. Provides collaborative tools built around a unified collaborative model. These tools help teams to collaborate efficiently across multiple geographies and organizations with:
• Content Management Services
• Discussions Service
• E-mail Service
• Instant Message Services
• Time Management Services
• Voice Message Service
Beehive supported protocols:
• Calendaring Extensions for WebDAV (CalDAV)
• Extensible Messaging and Presence Protocol (XMPP)
• File Transfer Protocol (FTP)
• Internet Message Access Protocol (IMAP)
• Open Mobile Alliance Data Synchronization (OMA-DS)
• Simple Mail Transfer Protocol (SMTP)
• Web-based Distributed Authoring and Versioning
SF Wildfire Implementation Technology: Appistry
Appistry’s Enterprise Application Fabric (EAF) provides:
• A “Cloud Application Platform” for enabling highly scalable cloud computing services/applications on private intranets and external networks
• Scalability and reliability at the application level
• Abstracts applications across underlying infrastructure
• Simplifies and automates application deployment and management
• Essential cloud application services via APIs (state, workload management)
• Complements VMware and Xen deployments
SF Wildfire Implementation Technology: Appistry CloudIQ
Appistry’s CloudIQ Manager:
Unified application management for the cloud. Enables application migration to a cloud/virtualized environment. Provides multi-application, multi-cloud management. Provides application deployment and configuration management.
Appistry’s CloudIQ Engine:
Distributed application container that enables highly scalable cloud computing services/applications on private intranets and external networks. Abstracts applications across underlying infrastructure. Distributes application workload with no single point of failure. Provides access to cloud application services via APIs (workload monitoring, etc.). Complements virtualized (VMware, Xen) or non-virtualized commodity hardware deployments.
SF Wildfire Implementation Technology: Appistry CloudIQ Manager
Figure: CloudIQ Manager in the SF Wildfire Technology Demonstration, showing Amazon EC2 and a Private Cloud, a Tomcat Service, XML deployment scripts, and Geodata files.
• Port applications across “clouds”
• Enables choosing the right cloud for the job
• Minimize cloud provider lock-in
• Drag-and-drop deployment of applications between clouds
SF Wildfire Implementation Technology: GeoServer
GeoServer is an open source software server written in Java.
Designed for interoperability. Allows users to share and edit geospatial data.
Publishes data from any major spatial data source using open standards.
Reference implementation of the Open Geospatial Consortium (OGC) Web Feature Service (WFS) and Web Coverage Service (WCS) standards, as well as a high-performance, certified-compliant Web Map Service (WMS).
GeoServer is deployed on the Appistry servers in the Amazon cloud. It is accessed by users via the Oracle Beehive collaboration tool.
Demonstrate the ability to request a map from GeoServer directly via WMS.
Demonstrate the ability of Beehive to request the map from GeoServer and create a version-controlled editable document and whiteboard session with it.
Demonstrate Appistry's management and monitoring features through the cloud.
Exported desktop sessions will NOT be accessible on cloud-hosted applications through the Northrop Grumman firewall.
SF Wildfire Implementation Technology: Unisys Stealth
Secure Cross-Domain Sharing
Enables secure sharing of information across domains.
This solution matches communities of interest to specific data access and sharing rights.
A community of interest can be people within the same domain or people from different domains working together on a special project.
Each user can easily access data authorized for that user, wherever the data is, but only that data. Other data remains completely private, safe, and hidden.
SF Wildfire Implementation Technology: Unisys Stealth COI
Communities of Interest (COI)
The members of a community of interest are assigned a workgroup key.
Controlled sharing of and access to the community of interest’s data is based on strong authentication via the workgroup key and log-on credentials.
Without the correct workgroup key, network packets are ignored.
The workgroup key construct provides a stronger way to control access to data.
Users can belong to more than one workgroup. This facilitates multi-level sharing for agency operations and multi-national information sharing for cooperating partners’ operations.
Users in different departments, organizations, or projects can work securely on the same network.
The result is a cloaked network that secures data-in-motion and hides servers and PCs in plain sight.
Devices that do not have the same workgroup key remain cloaked from unauthorized eyes. Without the correct key, users cannot request data from the server or send data to the server or workstation. They can’t even ping the server or workstation.
SF Wildfire Implementation Technology: Unisys Stealth/SecureParser
Certification: The Stealth Solution cryptographic module is FIPS 140-2 certified through the use of SecureParser by Security First Corp.
EAL4+ “under evaluation” status in the first half of 2008 and full EAL4+ certification by early 2009.
Stealth Solution for Network will enable Multi-Level Security, permitting data classified at different security levels to coexist on a single network.
The Stealth Solution permits the consolidation of NIPR, SIPR, and JWICS-connected LANs into a single IT infrastructure.
The SecureParser security architecture is based on provable security techniques. The techniques implemented include Robust Computational Secret Sharing (RCSS), Perfect Secret Sharing (PSS), and the AES block cipher.
Attacking the SecureParser data security can be shown, at a minimum, to be as difficult as attacking AES.
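The RCSS/PSS construction named above (the "cryptographic bit splitting" of the summary slide), as an added illustration that is not Unisys's, Security First's or SecureParser's code and whose function names are this example's own: a fresh key encrypts the data, the key is split with Shamir's perfect secret sharing, and a fingerprint list stored with every share lets recovery reject corrupted shares, which is what makes the scheme robust. Assumptions: a SHA-256 counter-mode keystream stands in for AES so the block runs with only the standard library, and the ciphertext is replicated in every share rather than dispersed.

```python
import hashlib
import secrets

P = 2**521 - 1  # Mersenne prime field for the Shamir shares; holds a 256-bit key

def pss_split(secret, n, t):
    """Perfect secret sharing (Shamir): t-of-n shares of an integer secret < P."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    # Evaluate the random degree-(t-1) polynomial at x = 1..n over GF(P).
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def pss_recover(shares):
    """Lagrange interpolation at x = 0 over GF(P); needs t shares with distinct x."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def _encrypt(key, data):
    """XOR data with a SHA-256 counter-mode keystream (assumption: stands in for AES)."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def _fingerprint(x, y):
    """Hash of one key share; lets recovery detect a corrupted share."""
    return hashlib.sha256(x.to_bytes(2, "big") + y.to_bytes(66, "big")).hexdigest()

def rcss_split(data, n, t):
    """RCSS: encrypt under a fresh key, PSS-share the key, attach fingerprints."""
    key = secrets.token_bytes(32)
    ct = _encrypt(key, data)
    kshares = pss_split(int.from_bytes(key, "big"), n, t)
    prints = [hashlib.sha256(ct).hexdigest()] + [_fingerprint(x, y) for x, y in kshares]
    # Simplification: the ciphertext is replicated in every share, not dispersed with an IDA.
    return [{"x": x, "y": y, "ct": ct, "prints": prints} for x, y in kshares]

def rcss_recover(shares, t):
    """Drop shares failing the majority fingerprint check, then decrypt; None if < t remain."""
    lists = [tuple(s["prints"]) for s in shares]
    majority = max(set(lists), key=lists.count)
    good = {s["x"]: s for s in shares
            if tuple(s["prints"]) == majority and 0 < s["x"] < len(majority)
            and hashlib.sha256(s["ct"]).hexdigest() == majority[0]
            and _fingerprint(s["x"], s["y"]) == majority[s["x"]]}
    if len(good) < t:
        return None
    pts = [(x, s["y"]) for x, s in list(good.items())[:t]]
    key = pss_recover(pts).to_bytes(32, "big")
    return _encrypt(key, good[pts[0][0]]["ct"])
```

With five shares and a threshold of three, any three intact shares recover the data, while fewer than three shares, a set containing a corrupted share, or duplicate copies of one share yield None instead of a silently wrong plaintext.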