SNOWMAN
SNOWMAN? WTF?
- S: spiffy
- N: NSA resistant
- O: OpenStack driven
- W: Windows-inclusive
- M: mainframe-with-a-click
- A: astonishingly-encrypted
- N: next-generation-computing-environment
We get a theme song for free this way. And we also get a mascot, even though Olaf is just about my least favorite part of that movie.
Spiffy/scrappy/shiny/somethinglikethat
It'll be cool when it's working. And it's scrappy because it's built entirely from second-hand stuff. As for shiny... it's got some copper, silicon, chromed, and silver painted hardware...
NSA resistant
The idea here is that an adversary with NSA's capabilities will not be able to intercept or corrupt computation within the environment. (Denial of service is another thing, but turning the power off at the panel coming into the house is hard for a residential person to protect against. Lots of solar panels might do it.) The capabilities we'll assume an NSA sort of adversary to have are listed under SNOWMAN's adversaries below.
OpenStack driven
OpenStack is the leading open cloud platform (as this is being written.) It's also what my employer pays me to work with.
Windows-inclusive
Gotta run on (at least some) Windows. Hyper-V is actually a pretty decent tool.
Mainframe?
Who wouldn't want to run an IBM mainframe in their compute environment? I'll put together an (almost) one-click deployment tool to build one.
Maybe we'll even get to the point of running it on a machine with a CPU manufactured by IBM. I've got an Apple Xserve G5 for that.
Astonishingly encrypted
Crypto. Wherever we can cram it in! On the bits written to our disks. On the wires between our compute nodes. Between the VMs and their hypervisors. Between CPUs and RAM (OK, that might be a stretch.) IPSEC, LUKS, BitLocker, SSH, TLS, DNSSEC, and on and on. Replacing an Ethernet switch with one from Fort Meade should not be cause for concern.
Next generation
The hardware may be 2-3 (or more) generations old, but the software is all top notch. And super flexible. And (hopefully) reasonably robust.
SNOWMAN's adversaries
- Universe's trend toward entropy: broken capacitors, unplugged cables, etc. Not a terribly active opponent.
- Human error. Lots of that in the universe, I think.
- Law enforcement sorts who can get warrants to remove hard drives, computers, and other hardware
- NSA or equivalent, able to insert wiretaps on all network communications. Lots and lots of compute available, but no magic ability to factor large numbers. No quantum computers of greater than 2 qubits computing capacity.
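Added example, not from this page: a POSIX sh audit of a Debian node against the two active adversaries above, checking the two things the "astonishingly encrypted" plan counts on: that the root disk a warrant could carry off is LUKS-backed, and that the node-to-node traffic a wiretap would see is ESP with a real cipher. The commands (lsblk, findmnt, ip xfrm) are real; the checks take command output as arguments so they can be run on constructed samples.

```shell
#!/bin/sh
# Added example, not from the SNOWMAN page. Audits a Debian node against the
# two active adversaries above: disks that leave under a warrant should be
# LUKS-backed, and node-to-node traffic a wiretap sees should be ESP with a
# real cipher. Each check takes command output as an argument so it can be
# exercised on constructed samples; "--live" feeds it real output on a host.

# 0 if the lsblk TYPE column (one entry per line) lists a dm-crypt mapping.
luks_in_use() {
    printf '%s\n' "$1" | grep -qx 'crypt'
}

# 0 if the root filesystem source (findmnt -no SOURCE /) is a device-mapper
# node, which is where a LUKS (or LVM-on-LUKS) root lives.
root_on_mapper() {
    case "$1" in
        /dev/mapper/*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Prints how many ESP SAs in "ip xfrm state" output use a real cipher.
# Null-encryption ESP (cipher_null) authenticates but leaves plaintext on
# the wire, so it is not counted.
esp_sa_count() {
    printf '%s\n' "$1" | awk '
        /^src /       { if (esp && !null) n++; esp = 0; null = 0 }
        /proto esp/   { esp = 1 }
        /cipher_null/ { null = 1 }
        END           { if (esp && !null) n++; print n + 0 }'
}

# Live run (needs util-linux and iproute2; "ip xfrm state" wants root).
if [ "${1:-}" = "--live" ]; then
    if luks_in_use "$(lsblk -rno TYPE)" && root_on_mapper "$(findmnt -no SOURCE /)"; then
        echo "disk: root is on LUKS"
    else
        echo "disk: root is NOT on an encrypted device"
    fi
    echo "ipsec: $(esp_sa_count "$(ip xfrm state)") ESP SA(s) with a real cipher"
fi
```

Run it as `sh snowman-audit.sh --live` on a node; without `--live` it only defines the checks, which is how the sample-driven tests use it.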
Approach for this whole project
I find much of the OpenStack documentation to be reference oriented. "Allowed values for option 'foo' are 'X', 'Y', or 'Z'". The explanation for those options is often lacking. I'll attempt to explore them in more detail. At least those that I find interesting.
The idea is also to gain a deeper understanding of all the components and how they interact. Again, this is something I haven't found much discussion of in the OpenStack docs. (I may well be looking at the wrong ones.)
So, "Let's explore various options and explain where we can."
Parts and pieces
Hardware
- There are 3 SunFire_X4170 machines sitting in the rack. One is currently without RAM or processor. These are fairly reasonable machines for what I'm doing: 2 Xeon 5500-series sockets (4 cores each, hyperthreaded), up to 144 Gbytes of DDR3 RAM, 3 low-profile PCIe slots, 4 onboard Gigabit Ethernet ports, and real network management. It may be possible to run Xeon 5600-series CPUs (same socket and generally compatible), but the Suns' firmware may not like that.
- One of the Dell PowerEdge 1950s or the 2950 may get pulled in to do some work, too.
Software
- Debian on the Linux machines
- Windows Hyper-V as a hypervisor
- OpenStack for all the cloud parts
And some normalish Linux components such as:
- ISC BIND for DNS
- ISC DHCPD for DHCP
- OpenSSH for all kinds of stuff
- One of LibreSWAN or StrongSWAN as part of the IPSEC implementation
- OpenVPN (because VPNs with IPSEC are hard)
- OpenSSL for x509 certificates and such
System management software options:
- cfengine
- puppet
- ansible
- salt
Haven't done enough research to decide which I like best yet.
SNOWMAN build log
June 2015
- 18 June: Create a Keepass database. Because, well, there will be a lot of these secrets to keep track of. Having trouble coming up with the database's master password? I like http://passphra.se/ for that. I'll get multiple sets of passphrases from there, from different browsers. (Anyone else want a tin foil hat?)
- 18 June: x4170 ILOM reset and firmware update performed on X4170 s/n 1004XF510D
- 18 June: Begin cataloging SNOWMAN assets
- 25-26 June: cleaned up cabling mess
- 27-29 June: Enterasys switch configuration. VLANs, DHCP helper, etc. See Enterasys_Securestack_C3.
- 30 June: X4170s are updated and attached to VLAN 100
July 2015
- 10-15 July: Debian 8 installed on 0919XF5044. Put the disk encryption on hold for a bit; the Debian installer is having a hard time doing what I want it to.
- 17 July: Getting started on IPSECification.
May 2016
- 18-20 May: Got a trio of Nortel 5520 48port PoE 1000baseT switches.
- 20 May: New network design using Nortel switches. VLANs and subnets for a SNOWMAN world.