Advance and support enterprise IT at NCAR and UCAR

Supporting NCAR’s computational and data services is an information technology (IT) infrastructure challenge with many cross-cutting issues that must be managed across organizational boundaries. Many of the foundational technologies, such as networking, identity and access management, virtual server infrastructure and, increasingly, cloud computing, are the domain of CISL’s Enterprise Systems and Services Division (ESSD). ESSD focuses on this area to meet the demands driven by rapid change, complexity, and the fact that nearly all science is delivered through some form of information technology.

Networking

ESSD began or continued important work on a number of networking priorities in FY2018.

Collage of network infrastructure and planning
Physical pathways and structured cabling (left) enable network connectivity from offices in the Mesa Lab towers. Modular wall plate infrastructure (upper right) enables connectivity in the offices. The AutoCAD diagram (lower right) illustrates detailed planning completed in FY2018 showing zones of work that will be completed in FY2019.

  • Funding was approved and cable and components were ordered for the Mesa Lab Network Access Completion (MLNAC-2) Project. This network cabling project will replace outdated network cabling to 300+ telecommunications outlets at the Mesa Lab. The Network Engineering & Telecommunications Section (NETS) will complete the work on 14 zones over 14 months, beginning in November 2018 and progressing through December 2019.

  • The new Casper data analysis and visualization nodes at the NCAR-Wyoming Supercomputing Center (NWSC) were connected to the data center network with 100GbE technology, and NETS planned for further expansion of 100GbE-connected HPC systems. The Juniper QFX10000 platform was deployed due to its high density and scaling attributes.

  • Ethernet VPN technology was piloted to facilitate movement of virtual machines between the NWSC, NCAR Foothills Lab, and Mesa Lab data centers without the need for network re-addressing.

Enterprise services

CISL implemented new two-factor authentication solutions – Duo Mobile and YubiKey4 – to ease the complexity of token distribution and management and significantly reduce costs. The FY2018 deployment of a new, self-enrolling visitor network greatly enhanced the user experience while improving cybersecurity.

Other noteworthy accomplishments included:

  • Enabling of federated identity and access management trusts for accessing science journals hosted by the University of Colorado, Boulder.

  • Migration of multiple domains to Infoblox networking to increase stability and help other labs that operate and maintain Domain Name Service servers.

  • Deployment of VMware virtual infrastructure for Research Data Archive user interfaces and key services. With the transition of a few remaining enterprise services, CISL was able to retire an aging and complex KVM hypervisor system.

  • Configuration of several services with Active Directory authentication.

Cybersecurity

CISL’s Cybersecurity Program Office (CPO) acquired and began deploying a number of services and products in FY2018 to enhance UCAR/NCAR security. These include the Tenable Security Center for a better understanding of the organization’s vulnerabilities; ProtectWise to provide real-time network traffic visibility and threat analysis; and next-generation Palo Alto firewalls. CISL also took several additional steps to enhance cybersecurity:

  • Purchased and began deploying Nagios Log Server for improved, central logging of operating system and application-based events throughout UCAR and NCAR.

  • Added security engineers at NWSC to work with the Cheyenne Operations Section (COS) to provide a 24x7 Security Operations Center, and established processes and procedures for meeting the center’s responsibilities. CPO staff are on call to work with COS to resolve security-related issues and now resolve incidents within about 72 hours rather than a few weeks.

  • Developed a central document repository based on NIST SP 800-53r4. The common controls establish the organization’s security baseline.

  • Provided Information Security Systems Officer duties for the UCAR Community Programs COSMIC Processing, Generation and Distribution system and facilitated an independent assessment. The result was NOAA’s authorization to operate for the system.

  • Developed all-staff UCAR Security Awareness Training and readied it for deployment to improve the overall security of the organization by ensuring staff are aware of the latest trends, practices, and procedures.