AURA MOWG EMOS & IST Re-Engineering 2 October 2007 Pat Johnson

Page 2  IST Online 2-factor Re-engineering Status  IST Online schedule  IST ONLINE Current Design Architecture  IST ONLINE Redesign Architecture  NASA Provided COTS to IOT  IOT IST Opscon Impacts  IST issues  IST DMZ Future Plans  EMOS Status  Q&A Agenda

Page 3 IST Online Re-engineering Status Testing replacement of RSA KeyFOB license server Current server has a limited user license (up to 50 users) and was an interim solution to get MMS IST re-engineering implemented New server will accommodate 75+ IST users between Terra, Aqua, Aura that includes IOTs, FOT engineers, System Administrators and Engineers, and Developers The server replacement will be performed after the Online 2-factor implementation

Page 4 Schedule Activities prior to Parallel Ops IOT Review(s) & discussions – Aug/Sept –AMSR-E session with MOWG on Aug. 16th –Aug. 22 session with MOPITT, CERES, HIRDLS/UK, OMIS Dutchspace –Aug. 23 session with AIRS –Aug. 27 session with MISR –Sept. 24 session with ASTER –Oct. 2 session planned during AURA MOWG Pre Ship Review – Oct Remote site IPSec Client installation – Oct/Nov –IOTs using separate PCs for Online and MMS will need to coordinate with EOC on firewall rules for Online PC as was done with the MMS effort recently Parallel Ops start – Nov/Dec ORR – Dec

Page 5 ONLINE IST Current Design Architecture EOC IST DMZ EOC Terra ONLINE hosts ONLINE server EOC Aqua ONLINE hosts ONLINE server EOC Aura ONLINE hosts ONLINE server Terra Online IST Aqua Online IST Aura Online IST closed-EBNET Firewall EBNet Firewall Remote User N TS Remote User 4 TS Remote User 3 TS Remote User 2 TS Remote User 1 Terminal Services Internet Remote User firewalls are not shown Encrypted Traffic Terra Online IST Aqua Online IST Aura Online IST DMZ Firewall

Page 6 ONLINE IST Redesign Architecture EOC IST DMZ EOC Terra ONLINE hosts ONLINE server EOC Aqua ONLINE hosts ONLINE server EOC Aura ONLINE hosts ONLINE server Terra Online IST Aqua Online IST Aura Online IST closed-EBNET Firewall Open EBNet Firewall Remote User N IPSec VPN client &TS Remote User 4 IPSec VPN client & TS Remote User 3 IPSec VPN client & TS Remote User 2 IPSec VPN client & TS Remote User 1 IPSec VPN client & Terminal Services Internet Remote User firewalls are not shown Encrypted Traffic IPSec VPN & KeyFOB Servers Terra Online IST Aqua Online IST Aura Online IST DMZ Firewall

Page 7 NASA Provided COTS COTS IOTs already have the Terminal Services client software, provided by NASA VPN client software will be provided by NASA with install instructions and user guide –For those IST users who have separate Online PCs from MMS –User PCs being used for both MMS and Online have the VPN client installed already (no changes are needed) Hardware IOTs have Online PC at their location now NASA will provide KeyFOBs, if needed, and user instructions –Current design will allow an IST user to use the KeyFOB assigned to them for both MMS and Online and FTP server DMZ access –KeyFOBs are not to be shared among users

Page 8 IOT Opscon Impacts New layered architecture requires multiple logins by the user For Online: VPN/KeyFOB login, Terminal Services Online IST DMZ login The IPSec client software prevents other logins to the remote user terminal machine Prevents back-door hacker attacks When connected to the IST DMZ, cannot connect to any other machine –NFS mounts to other IOT machines are ‘turned off’ only during Online session Remote User printing impacts Printing features allow for locally printing files from the IST’s DMZ file system –Cannot print to IOT network printer while connected to IPSec VPN Improve security with Online IST interface to meet NASA standards Adding 2-factor login authentication (KeyFOB) for remote access to EOC DMZ ISTs Adding IPSec VPN client to restrict access to the IOT PC while IOT logged into the DMZ IST

Page 9 IST Related Issues Secure copy of planning products to HIRDLS UK and MISR Linux box EOS Engineer working with the IOTs on this issue MMS error message on secure copy of planning products to ASTER EOS Engineer investigating issue MISR intermittent time outs - MIITS DR EMOS00013 (was EMOS_R0631) NASA awaiting firewall rule update to allow more testing to identify problem MISR IST data not updating when logoff VPN connection but IST session left up MIITS DR EMOS00012 (was EMOS_R0632) IST Save file from Online IST DMZ to local user PC IST is slow Known problem with using Terminal Services Recommend using the FTP DMZ file server for file transfers

Page 10 IST DMZ Future Plans Future Plans for IST DMZ Provide MMS reports and FDS planning products to FTP DMZ Server Replace the RSA server with RADIUS RSA server - to add more internal security checking capability (possibly mid to late 2008) to meet new NASA security standards Will coordinate any IST outages with the users Devise an Analysis (trending system) IST solution (year 2009) This will occur along with the Analysis system upgrade - trade study and design analysis is planned for mid 2008 Design and Implement a ‘Remote IST Interface from anywhere’ The design and prototyping work is planned to occur in early to mid 2008

Page 11 EMOS Status Completed: Promotion of Terra MMS delivery to Operations on 8/3/07 Aura Online build to Operations in July 2007 In Progress: Designing and testing the replacement of old Cabletron switches to newer CISCO 6509 switches Transition planned to occur between mid October 2007 to December 2007 Could be a major impact to Operations Aqua Build Online & Analysis delivery is no-earlier-than January 2008 Terra Analysis & Online build update planned for mid 2008 Updating the Backup EOC at Goddard with MMS & Analysis subsystems in 2008 Looking at consolidating MMS servers and upgrading to Sun Ultra 60s (from old Ultra 1s, 2s, 5s)

Page 12 Q & A 