UI CS 448 - SITAR

This preview shows page 1-2-3-27-28-29 out of 29 pages.


CS448/548 Sequence 20

Case Study: SITAR

We consider SITAR
– Source of the discussion is the paper:
  » SITAR: A Scalable Intrusion-Tolerant Architecture for Distributed Services,
  » by Feiyi Wang, Fengmin Gong, Chandramouli Sargor, Katerina Goseva-Popstojanova, Kishor Trivedi, Frank Jou,
  » Proc 2001 IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, NY, 5–6 June 2001

SITAR

Main issues
– focus on “continuation of operation”
– utilize redundancy and diversity
– architecture components:
  » proxy servers
  » acceptance monitor
  » ballot monitors
  » adaptive reconfiguration
  » audit control

Focus on attacks or their effect?

Should we focus on attacks?
– if yes, then what attacks?
– all attacks are not even known.

Focus on attacks or their effect?

Shift from attacks or attacker to target of protection.
– “the effect of attack is more important than the cause of the attack”
– Focus on essential functionalities instead
  » recall that we specified a system as the union of all functionalities
  » these functionalities may have different fault assumptions

SITAR objectives

Scalable Intrusion-tolerant Architecture for Distributed Services (SITAR)
1. uses network-distributed services based on COTS components (paper discusses web services)
2. utilize fault-tolerance (FT) mechanisms
  » FT specific: redundancy and diversity
  » malicious act: external attacks & compromised components
3. dynamic reconfiguration

SITAR Architecture

Fig. 1 generic intrusion-tolerant service architecture

[Fig. 1. A generic intrusion-tolerant service architecture. Labels in the figure: Proxy Server (P1, P2, Pi), Ballot Monitor (B1, B2, Bi), Acceptance Monitor (A1, A2, Ai), COTS Servers (S1, S2, Si), Adaptive Reconfiguration, Audit Control; flows labelled request, response, control.]

Control module and the Adaptive Reconfiguration module, will maintain full reachability among themselves. This reachability is critical for coordination among them and for implementing fully dynamic reconfigurations.

Our proposed intrusion tolerant system architecture does not require any change to the COTS client or the COTS server applications. In fact, it is completely transparent to both end users and server applications. In the following sections, we discuss each of the key architecture components in further detail.

III. Proxy Servers

In the intrusion tolerant architecture proposed above, the Proxy Servers constitute the set of machines that are visible to the end user and that provide the services in an intrusion tolerant manner. Typically, an end user will not contact a COTS server directly; in fact, the identities (IP addresses) of the COTS servers may not even be publicly known. As far as the end user is concerned, it is the Proxy Server that is providing the service. Many high availability projects such as Piranha [1] are designed for classical Primary/Backup scenarios, as illustrated in Figure 2. The SITAR Proxy Server aims to provide a higher degree of tolerance through shared control of a dynamic resource pool, as illustrated in Figure 3. We elaborate this design idea as follows.

As shown in Figure 1, a cluster of Proxy Servers will be utilized in our architecture. While each server will have distinct physical IP addresses that are tied to distinct physical network interfaces, they will also share a pool of virtual IP addresses amongst themselves. Only the virtual IP addresses are made known to the clients. There may be a single pool of virtual IP addresses or there could be one pool per intrusion tolerant service that is being provided. The main advantage in using virtual IP addresses is that it allows easy migration of addresses from one machine to another in case of a fault or intrusion. We will design techniques to share these virtual IP addresses among the active machines in the proxy cluster in such a fashion that as long as even one of the machines in the cluster is active, all of the virtual IP addresses advertised to the clients will be available. This is achieved by migrating virtual IP addresses from a faulty Proxy Server to the Proxy Servers that are functioning correctly. Migrating addresses directly makes it possible to do load balancing by moving virtual IP addresses from a heavily loaded machine to a lightly loaded one. Also, since clients access services using virtual IP addresses, migration also enables dynamic reconfiguration of proxies. For instance, under normal circumstances a specific service may be provided only on one Proxy Server. When under attack, the service could be migrated to all the proxies to improve survivability. It must be emphasized that all such migrations/reconfigurations are completely transparent to the end user.

[Fig. 2. Primary/backup operation mode. Labels in the figure: floating IP address, primary server, backup server; R can be a generic resource object.]

While migrating virtual IP addresses from one Proxy Server to another is in itself fairly simple, the main issue associated with migration is to ensure that the “state” associated with services being proxied is correctly migrated as well. For instance, a Proxy Server will need to maintain state to keep track of requests issued by clients, the particular set of servers, Ballot and Acceptance monitors used to fulfill specific requests, the virtual IP address used by the client to make the request and other such parameters. Clearly, one cannot expect a compromised or faulty Proxy Server to migrate this state upon detection of a fault or intrusion. The state information would therefore need to be shared in such a way that all of the Proxy Servers have a consistent view of the global shared state. There are many possible approaches to sharing such state information. For example, reliable multicast or shared memory techniques could be used to exchange such information. However, there are problems with both approaches. With reliable multicast, there can be a significant impact on network performance especially if the state does not need to be updated frequently. Shared memory implementations

ISBN 0-7803-9814-9/$10.00 © 2001 IEEE

Proxy Servers

What is a Proxy Server?

Proxy Servers
– requests are
  » not made to servers, which may not be known
  » made to proxy
– have physical IP addr.
– share pool of virtual IP addresses

[Fig. 1 repeated on this slide: a generic intrusion-tolerant service architecture.]
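The virtual IP migration described in Section III, as an added Python sketch that is not code from the SITAR paper or the course slides. The class and method names, the proxy labels and the 192.0.2.x addresses are hypothetical, and the shared state is modelled as a single dictionary standing in for whatever replication mechanism the proxies would use.

```python
class ProxyCluster:
    """Toy model: proxies share a pool of virtual IPs (VIPs) and a replicated state table."""

    def __init__(self, proxies, vips):
        self.active = set(proxies)
        # VIP -> proxy currently answering for it (initial round-robin assignment)
        self.owner = {vip: proxies[i % len(proxies)] for i, vip in enumerate(vips)}
        # Shared view of in-flight requests, keyed by request id. It is held
        # outside any single proxy so a faulty proxy never has to hand it over.
        self.shared_state = {}

    def load(self):
        """Number of VIPs held by each active proxy."""
        counts = {p: 0 for p in self.active}
        for p in self.owner.values():
            if p in counts:
                counts[p] += 1
        return counts

    def record_request(self, req_id, vip, servers):
        """Record which VIP the client used and which COTS servers serve the request."""
        self.shared_state[req_id] = {"vip": vip, "servers": tuple(servers)}

    def fail(self, proxy):
        """Mark a proxy faulty or compromised; move its VIPs to the least-loaded survivors."""
        self.active.discard(proxy)
        if not self.active:
            raise RuntimeError("no active proxy left; service unavailable")
        moved = []
        for vip in sorted(v for v, p in self.owner.items() if p == proxy):
            counts = self.load()
            target = min(sorted(counts), key=counts.get)  # ties broken by name
            self.owner[vip] = target
            moved.append((vip, target))
        return moved

    def pending_for(self, proxy):
        """Requests a proxy must serve, derived from shared state and current VIP ownership."""
        return sorted(r for r, s in self.shared_state.items()
                      if self.owner[s["vip"]] == proxy)


if __name__ == "__main__":
    # Constructed sample: three proxies, four VIPs from the documentation range.
    c = ProxyCluster(["P1", "P2", "P3"], ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"])
    c.record_request("r1", "192.0.2.1", ["S1", "S2"])
    print(c.fail("P1"), c.pending_for("P2"))
```

Because pending requests are looked up through the VIP's current owner, the proxy that inherits an address also inherits its in-flight requests without any cooperation from the failed machine.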

