GENI: Global Environment for Network Innovations

GENI Security Best Practices
Draft 0.2
Document ID: GENI-SEC-2011-01
June 30th, 2011

Prepared by:
Stephen Schwab, USC Information Sciences Institute
Rick McGeer, HP Labs

Table of Contents

1. Document Scope
1.1 Purpose of this Document
1.2 Context for this Document
1.3 Related Documents
1.4 Document Revision History
2. Security Best Practices: Overarching Principles
3. Security Best Practices: Wired Aggregates
Acknowledgements

1. Document Scope

This section describes this document's purpose, its context within the overall GENI document tree, the set of related documents, and this document's revision history.

1.1 Purpose of this Document

The goal of this document is to succinctly present security best practices providing guidance to the owners and operators of GENI control frameworks, clearinghouses, and aggregates, or collections of components made available as resources to GENI experimenters.

1.2 Context for this Document

This document should be interpreted in terms of the overall slice-based facility architecture defined by the control framework working group, and in terms of predecessor testbeds such as PlanetLab and Emulab which inform the future operations of GENI infrastructure.

1.3 Related Documents

The material in this document is drawn from the documents listed below.

Document ID          Document Title and Issue Date
GENI-SE-SY-SO-02.0   GENI System Overview, September 29, 2008. http://www.geni.net/docs/GENISysOvrw092908.pdf
PDN-05-028           Neil Spring, et
al., Using PlanetLab for Network Research: Myths, Realities and Best Practices.

1.4 Document Revision History

Revision No   Date           Revision By      Summary of Changes
0.1           July 19 2010   Stephen Schwab   Initial Draft
0.2           June 30 2011   Stephen Schwab   Revised to include GENICloud incident

Introduction

No system built and operated within cost and schedule constraints can be secure against all known threats; we acknowledge this in advance. Nevertheless, GENI, including its clearinghouse(s), control frameworks, aggregate managers and other components, is faced with a security problem that is qualitatively different from those faced by the implementers and operators of typical enterprise information systems and networks in government, industry or academia.

At its essence, GENI is a facility conceived of as a platform with which the future of networking and distributed systems can be prototyped, investigated and explored. While the platform and its constituent elements are built out of current technology, it must enable researchers to load alternate mechanisms, including novel operating systems, virtual machines, network protocols or other low-level system and network software, that directly manipulate aspects of the physical resources (computation, memory, raw network packets or bandwidth) in ways that might be fundamentally different from the current state of the art. To allow for these sorts of radical innovations, we must be willing to accept that sometimes it will not be feasible to preserve visibility into the activities and behaviors of these systems and networks in a manner that would permit the kind of security monitoring afforded by current, well-known, mature technology.

However, in many cases researchers are performing less far-reaching investigations, and may be exploring systems and networks that are close cousins to those deployed and used on today's Internet, varying in only a limited number of design points. Moreover, the configuration, management, allocation, and monitoring of the underlying GENI infrastructure (as distinguished from the researcher's slice and its contained experiment) can and should be designed, configured and operated in a manner consistent with sound security principles.

2. Security Best Practices: Overarching Principles

This section discusses overarching principles that we identify as security best practices for GENI. We strive for clarity and conciseness, anticipating that each local site, campus, aggregate manager, or other GENI participant will need to apply these, and other principles, as necessary to meet local security needs.

Least Trust. The principle of least trust is always valuable to keep in mind. Whether for individuals (and their credentials, keys or passwords) with access to admin/root on routers, switches, servers, or firewalls, or for daemons or other testbed control software with privileged access to data or interfaces, it is necessary to ask whether less privilege, or finer-grained or more limited rights, can be used in place of global privileges or more powerful super-user access.

Isolation and Containment refers to the notion that GENI slices are fundamentally allocated isolated elements of the GENI substrate. Security best practices should strive to ensure that each device is in a known good state upon power-up/boot-up and remains in the proper state throughout operation.

Accountability refers to the group of security best practices that enable associating any action occurring on a GENI resource with the root cause of that action. Configuration information for all elements of GENI, as well as authentication of GENI actors, and audit logs of sufficient detail, should be managed in a way that supports accountability.

Explicitly Stated Trust Relationships are an essential part of secure system design, but in a federated environment such as GENI, security best practices suggest that these trust relationships should be identified, explicitly stated, and kept in the forefront during ongoing operations, including formulation of and updates to security policies and use agreements. Specifically, each deployed control framework or aggregate should document trust relationships tailored appropriately for their own organization and peering organizations.

Campuses represent the interest of all third parties (other users) at institutions, and in a similar vein, we also include backbone operators and regional network operators as representing the interests of all third parties using their networks (other than for GENI purposes). Provided all GENI activities are conducted appropriately (isolated, authenticated, authorized, and managed with respect to accountability), these third parties will not be impacted by GENI. However, experience and best practices suggest that each GENI site provide, as early as possible, detailed information as to their operations, including security practices, to the appropriate campus/network operator counter-parties. This is to facilitate transparency, and to ensure that the campus/network operator is familiar with GENI operations should a coordinated security response be needed at a future date.

3. Security Best Practices: Wired Aggregates

Many sources of security best practices exist for configuring individual systems and networks. We assume that organizations and individuals follow some set of appropriate best practices for securing their enterprise networks and systems, as well as the personal networks and systems used to access GENI resources. Security best practices for a GENI aggregate include:

- Deploy and operate the GENI aggregate's resources on a separate physical network, including switches, routers, and firewalls.
- Use a separate Internet/backbone connection, either physical or virtual, to minimize interaction between GENI slices (and experiments) and the organization's enterprise network.
- Harden operating system images (Linux, FreeBSD, Windows, etc.) that are loaded on GENI platforms whenever possible. Provide a planned refresh/update path to incorporate changes that address security vulnerabilities, and monitor adherence to that plan.
- Consider whether common user-loaded OS/virtual machine images can be monitored (for type), scanned for vulnerabilities, or automatically updated/patched without unduly impacting researchers. If not, provide the means to notify research users when security updates are available for experimental OS images or other software that might go stale in their experiments.
- Provide a means to boot or configure each node or resource in a known good state that the system administrators can use to debug/diagnose problems, reload fresh copies of software, and capture/preserve logs or other data from the machine. In this state, the resource should be off-line to general GENI users.
- Limit access to the control and management interfaces of the aggregate's systems and network equipment to a small number of physical machines. Require remote administrative users to log in to a bastion or restricted machine, accessible only to administrative users, before connecting to or accessing the GENI aggregate as root/super-user.
- Carefully control access to privileged systems or interfaces from inside the GENI aggregate. Do not allow root/super-user access from any system that may be loaded/re-loaded/operated at the root level by an ordinary GENI researcher. While we trust our GENI researchers, the risk of an attacker gaining access to a researcher's system and then using a privilege escalation attack should not be discounted.
- Strategically use firewalls to limit traffic by subnet, protocol and port between the local enterprise network and GENI aggregate networks and systems.
- Limit re-distribution of authentication credentials (ssh private keys, etc.) to machines where those credentials are not essential. Encourage researchers and administrators to minimize such re-distribution beyond their desktops. Provide examples of how to accomplish common tasks with an economy of private keys/secret passwords being stored or exposed.

Separately, GENI clearinghouses and control frameworks should provide guidance as to their own local best practices for experimenters to follow. Such a list might include:

- Don't blindly do things that might be interpreted as an attack or malicious behavior. Run experiments locally or on one GENI aggregate with limited resources before scaling up.
- If experimental traffic will be monitored by intrusion detection systems, keep in mind that these tools are sensitive to malformed packets and error conditions. Consider whether new experimental protocol features might look like something else to these tools.
- It is especially important to test against standard network services (DNS, DHCP, routing), which, if accidentally interfered with, would impact a large number of other end-systems and researchers. Don't automatically assume that standard services are never shared.
- Experiments in slices, even if encapsulated, may interact with the campus network or the Internet/backbone in a non-trivial manner. Sustained bursts of high bandwidth are likely to be visible, especially if they consume all the allocated bandwidth on a substantial virtual link. Consider whether advance notice of these sorts of experiments may be communicated to GENI substrate owners or operators.
- Consider updating to or using operating system versions/images that are maintained by the GENI aggregate if you lack the resources and expertise to keep your own OS and environment up to date. Especially avoid very old OS versions with known vulnerabilities or vulnerable software unless required by your experiment.

Incident Response

Security best practices should include a plan for incident response. Incidents should be responded to with the goal of stopping the immediate problem while simultaneously preserving the information needed to understand the extent of the attack and to enable longer-term corrective actions that avoid similar attacks in the future. This includes controlled sharing of incident response information with peering organizations and other GENI participants, with an eye especially toward prioritizing the sharing of information regarding known vulnerabilities that may be attacked in other GENI aggregates.

We include details of a recent incident and response both as a model, and to underscore the nature and prevalence of the threat. In late April, the GENICloud site at HP Labs was exploited by a multinational malware organization, the Romanian Black Hats. The attempt appears to have been intended to recruit bots. HP Labs discovered the incident when other Internet sites reported probing from GENICloud nodes. Forensics indicated that unauthorized logins had occurred from the following hosts, among others:

[n.b. Should precise details (IP addresses) be redacted in this list prior to public release?]

- 213.128.64.10: server-213.128.64.10.radore.net.tr
- 198.104.48.94: spcnj.jp (http://spcnj.jp/). Hosted by Verio Web hosting, Englewood, CO; ISP is NTT America. Blacklisted by Barracuda and no-more-funn.moensted.dk (http://no-more-funn.moensted.dk/).
- 46.102.9.42: ISP is Jump Management SR; geolocation is Rovinari, Romania. Blacklisted by Spamhaus (PBL and ZEN) and UCEPROTECT. This is a Zone 3 blacklist entry in UCEPROTECT, which is to say, unremovable: these are genuine bad guys.
- 46.34.33.197: ISP is Esystel Servicios Multimedia; geolocation is Cocentaina (near Valencia) in Spain.

In addition, there were unauthorized logins from machines in the Republic of China, South Korea, and the People's Republic of China.

The root cause appeared to be that the standard Ubuntu tool used to bundle a VM image for use with Eucalyptus had a default, privileged account with a default password. The attacker worms used this login to corrupt virtual machines. As nearly as the GENICloud operators could determine, no spam was sent, and no information was compromised. All that the compromised machines appeared to have been used for was an attempt to propagate a number of worms.

Once the incident was reported, the operators took all the GENICloud sites off the network (HP Labs, UC San Diego, Northwestern, and Kaiserslautern), and did not, as had previously been planned, bring up a TransCloud site at the University of Amsterdam. Instead, the GENICloud operators devoted approximately two months to bringing up a secure cloud service which will be attack resistant and remain usable by the GENI community.

As a first step, the GENICloud operators removed password access from the GENICloud boss node, all Eucalyptus servers, and all virtual machines: access is now by ssh key only. They then leveraged experience with the PlanetLab control framework to build a secure but usable environment, with much more real-time monitoring than in a standard Eucalyptus environment. The GENICloud operators installed the SFA as a controller over the Eucalyptus software, so the only authorized Eucalyptus user is the SFA Aggregate Manager. Users allocate GENICloud resources via the SFA using their PlanetLab credentials, and log in to VMs using their PlanetLab ssh keys. They now use the PlanetLab tools to manage the node configurations and maintain a uniform software distribution. GENICloud nodes are simply PlanetLab nodes using a private MyPLC installation dedicated to the GENICloud project, hosted at Princeton. The nodes run Fedora 12 as a base image, and Eucalyptus is used to create VMs, just as before the incident. The GENICloud operators use the PlanetLab software to manage the physical machines.
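The root cause above (a privileged account with a default password baked into a bundled image) and the first remediation step (ssh key-only access) suggest a pre-publication check that an aggregate could run on every image before offering it to experimenters; the following Python is an added example, not GENICloud, Eucalyptus or Ubuntu tooling. The /etc/shadow, sudoers and sshd_config contents are constructed samples, and the account name "builder" is a placeholder, not the account involved in the incident.

```python
"""Pre-publication audit of a VM image's login surface.  Added example, not
GENICloud, Eucalyptus or Ubuntu tooling.  All file contents below are
constructed samples; "builder" is a placeholder account name."""
import re

# Constructed /etc/shadow.  Field 2: "" = login with no password at all,
# "!" or "*" = locked, anything else = a usable password hash.
SAMPLE_SHADOW = """\
root:*:15500:0:99999:7:::
builder:$6$saltsalt$PLACEHOLDERHASH:15500:0:99999:7:::
guest::15500:0:99999:7:::
"""
# Constructed /etc/sudoers granting the placeholder account root rights.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
builder ALL=(ALL) NOPASSWD: ALL
%admin  ALL=(ALL) ALL
"""
# Constructed sshd_config: the hardening line is commented out, so inactive.
SAMPLE_SSHD = """\
#PasswordAuthentication no
ChallengeResponseAuthentication yes
PermitRootLogin yes
"""
HARDENED_SSHD = """\
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
"""

def password_enabled_accounts(shadow_text):
    """Map each account that can be entered with a password (or with none
    at all) to the reason; locked accounts ('!'/'*') are skipped."""
    found = {}
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw = line.split(":")[:2]
        if pw == "":
            found[name] = "no password set"
        elif pw[0] not in "!*":
            found[name] = "password hash present"
    return found

def sudo_accounts(sudoers_text):
    """Users (not groups or aliases) given a sudo rule in a sudoers file."""
    users = set()
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "%", "@")):
            continue
        m = re.match(r"(\S+)\s+\S+\s*=", line)
        if m:
            users.add(m.group(1))
    return users

def sshd_directive(sshd_text, key, default):
    """Effective value of a keyword: sshd honours the FIRST uncommented
    occurrence, so a '#PasswordAuthentication no' line changes nothing."""
    for line in sshd_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == key.lower():
            return parts[1].strip().lower()
    return default

def audit_image(shadow_text, sudoers_text, sshd_text):
    """Findings that should block publication of the image.  The defaults
    handed to sshd_directive are the permissive ones of 2011-era OpenSSH,
    the conservative assumption for an image of unknown origin."""
    findings = []
    privileged = sudo_accounts(sudoers_text) | {"root"}
    for name, why in sorted(password_enabled_accounts(shadow_text).items()):
        level = "privileged" if name in privileged else "unprivileged"
        findings.append(f"{level} account {name}: {why}")
    for key in ("PasswordAuthentication", "ChallengeResponseAuthentication"):
        if sshd_directive(sshd_text, key, "yes") != "no":
            findings.append(f"sshd: {key} is not 'no'")
    if sshd_directive(sshd_text, "PermitRootLogin", "yes") not in (
            "no", "prohibit-password", "without-password"):
        findings.append("sshd: PermitRootLogin allows root password login")
    return findings

if __name__ == "__main__":
    print(*audit_image(SAMPLE_SHADOW, SAMPLE_SUDOERS, SAMPLE_SSHD), sep="\n")
```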
Each node boots a small image from USB. After a node boots, it pulls down the full OS image from the MyPLC server and installs it on the node. It is also possible to boot the node into a "Safe" mode where only admins can log in, e.g., for diagnosing problems with the node or doing forensic investigations following an incident.

In addition, GENICloud made the following changes to their operating procedures:

1. Established a support list where people can complain if they suspect a problem.
2. Are in the process of building a traffic auditing tool that maps traffic back to slices based on IP address. This will allow operators to rapidly identify the experiment responsible for specific complaints.
3. Now have the ability to quickly shut down experiments that are causing problems.
4. Now have the ability to quickly reinstall a PlanetLab node (e.g. a GENICloud node) and recreate most of its configuration state if operators suspect a compromise.

A specific area that GENICloud operators spent a great deal of time on was network connectivity. Most nodes require only connectivity within the cluster; many more require connectivity only to a few external gateway nodes. A very few require promiscuous connectivity. The goal, as always, was to maintain experimenter capability while balancing against security risks. The ultimate response was to, by default, permit connectivity freely within the clusters but only from specified nodes outside the cluster, with the whitelist determined by the experimenter. This is also the policy on EC2. VMs requiring promiscuous connections are subject to more rigorous security screening, on which GENICloud operators and the experimenter jointly, as well as the site IT managers, collaborate. iptables implements these connectivity restrictions.
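Item 2 of the list above (mapping traffic back to slices by IP address) and the whitelist connectivity policy just described are small enough to show together; the following Python is an added example, not GENICloud's, PlanetLab's or Eucalyptus's code. From a constructed slice registry it emits the iptables FORWARD rules for the policy (free within the cluster, external hosts only where the experimenter whitelisted them, in both directions) and attributes constructed flow-log lines behind an abuse complaint to the responsible slice. The cluster range, addresses, slice names and flow-record format are all assumptions.

```python
"""Slice-aware cluster connectivity policy plus complaint attribution.  Added
example; not GENICloud, PlanetLab or Eucalyptus tooling.  Every address,
slice name and log line below is constructed."""
import ipaddress

CLUSTER = ipaddress.ip_network("10.20.0.0/16")  # constructed cluster range

# Constructed registry of what an aggregate manager knows about each slice:
# its VM addresses and the external hosts its experimenter whitelisted.
# An empty whitelist means cluster-only connectivity, the default.
SLICES = {
    "pl_alpha": {"vms": ["10.20.1.10", "10.20.1.11"], "allow": ["192.0.2.25"]},
    "pl_beta": {"vms": ["10.20.2.10"], "allow": []},
}

def iptables_rules(slices, cluster):
    """iptables-restore style FORWARD rules for the policy above: intra-cluster
    traffic is free, a VM exchanges traffic with an outside host only if its
    slice whitelisted that host (both directions, so a compromised VM cannot
    probe the Internet either), and anything else is logged, then dropped by
    the chain policy.  Returns the rule lines; nothing is applied here."""
    rules = [
        "-P FORWARD DROP",
        "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"-A FORWARD -s {cluster} -d {cluster} -j ACCEPT",
    ]
    for name, entry in sorted(slices.items()):
        for vm in entry["vms"]:
            for ext in entry["allow"]:
                tag = f'-m comment --comment "slice {name}"'
                rules.append(f"-A FORWARD -s {ext} -d {vm} {tag} -j ACCEPT")
                rules.append(f"-A FORWARD -s {vm} -d {ext} {tag} -j ACCEPT")
    rules.append('-A FORWARD -j LOG --log-prefix "GENI-DROP "')
    return rules

# Constructed flow records, "timestamp src dst proto bytes", as a traffic
# auditing tool might collect them at the cluster border.
SAMPLE_FLOWS = """\
2011-04-28T10:01:02 10.20.1.11 203.0.113.7 tcp 480
2011-04-28T10:01:05 10.20.2.10 203.0.113.7 tcp 512
2011-04-28T10:01:09 10.20.1.10 192.0.2.25 tcp 9000
2011-04-28T10:02:00 10.20.9.9 203.0.113.7 udp 60
"""

def owner_of(slices, addr):
    """Slice that owns a VM address, or None if no slice is registered for it."""
    return next((n for n, e in slices.items() if addr in e["vms"]), None)

def attribute_complaint(slices, flow_text, complained_about):
    """For an address a remote site complained about, count the flows from
    each slice toward it and collect cluster sources no slice accounts for
    (those deserve a look: a stale registry or an unregistered node)."""
    counts, unknown = {}, set()
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != complained_about:
            continue
        owner = owner_of(slices, parts[1])
        if owner is None:
            unknown.add(parts[1])
        else:
            counts[owner] = counts.get(owner, 0) + 1
    return counts, unknown

if __name__ == "__main__":
    print("\n".join(iptables_rules(SLICES, CLUSTER)))
    print(attribute_complaint(SLICES, SAMPLE_FLOWS, "203.0.113.7"))
```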
GENICloud plans to use OpenFlow switches and a controller in the future to do this on a more dynamic, transparent, and centralized basis.

Acknowledgements

The author thanks Larry Peterson (PlanetLab), Rob Ricci (Emulab), John Wroclawski (DETER) and Ted Faber (DETER) for their contributions and inputs on various aspects of GENI security.