5 research outputs found

    Dynamic methodologies and the future of information assurance

    The critical problems facing the security community today are management problems, not software or engineering problems. Most worms and viruses can be overcome with a combination of network hardening, patch management and user education. In fact, patches were available for all of the headline-grabbing worms that appeared in 2003. The damage they caused is attributable to the inability of modern organizations to apply patches, harden networks and educate users, and these threats will not be overcome by purchasing more software or by the invention of some fortuitous new self-healing technology. The real challenge is to disseminate the knowledge required to overcome vulnerabilities to a distributed staff at a reasonable cost. Historically, organizations have turned to two methods to disseminate knowledge: structured methodologies and discussion forums. Structured methodologies provide explicit instructions but are costly to develop and notoriously out of date. Discussion forums allow for instant communication but suffer from information overload and an extreme lack of context, where the same questions get asked over and over again. This paper presents a framework for developing dynamic methodologies that combines the explicit instructions and context of methodologies with the instant feedback and timeliness of discussion forums. It describes the principles upon which the framework is based and the technology required to realize its goals. The paper then details the proof-of-concept application that implements the framework and provides a walk-through of the operation of the program. Finally, a developer guide is presented that explains the code and the critical decisions that were made in its construction.

    Contribución al diseño de arquitecturas distribuidas de nodos de red programable

    Today, the network nodes that make up the Internet are complex hardware/software systems that support a large number of protocols, network services, and advanced functions such as firewalling or NAT. However, the process of adding a new protocol or service is extremely long and costly, for many reasons, but especially because routers remain proprietary systems, vertically integrated by their manufacturers. In this regard, research on programmable networks attempts to simplify the development and deployment of network services by defining open interfaces among all the elements that make up the router. However, until the first designs for fully programmable network nodes reach the market, it is necessary to provide short- and medium-term solutions that allow the capabilities and services of today's high-performance routers to be extended. This thesis presents a low-cost, transitional programmable network node architecture, named the Simple Assistant-Router Architecture (SARA), which extends the capabilities of a commercial router by delegating advanced packet processing to a cluster of assistants, simplifying the development and dynamic deployment of new network services. A fundamental aspect of this distributed architecture is the definition of mechanisms for coordinating the assistants with each other and with the legacy router. To this end, the use of the Router-Assistant Protocol (RAP) is proposed, a control protocol that allows the assistants to configure the router's data plane, receive events, and divert signalling packets and data flows for processing on the assistants. Given the heterogeneity of network application requirements, several mechanisms are needed to ensure effective load sharing across the cluster of assistants. This doctoral thesis proposes two Fast Robust Hashing algorithms that allow a fair and persistent assignment of flows to assistants, improving on the performance of current Robust Hashing techniques, so that they are efficient enough to be implemented in the data plane of a commercial router. In addition, this work specifies the eXtensible Service Discovery Framework (XSDF), a simple and scalable framework that integrates service discovery and load sharing among decoupled servers into a single process.

    Nowadays, the network nodes that build the Internet are complex hardware/software systems that support many signalling protocols, network services, and complex functionalities such as firewalling or NAT. However, adding a new capability is a long, complex and costly process, due to many causes, but especially because routers are still proprietary systems, vertically integrated by the vendors. In this sense, research in programmable networks tries to simplify the development and deployment of network services by specifying open interfaces among all the elements that make up a router. However, before the first programmable network nodes start being deployed, it is necessary to provide short- and medium-term solutions that allow current high-performance routers to add advanced capabilities and new network services. This PhD thesis presents a low-cost transition architecture for programmable network nodes named the Simple Assistant-Router Architecture (SARA), which allows a commercial router to easily extend its capabilities by delegating advanced packet processing to a cluster of assistants, which greatly simplifies the development and dynamic deployment of new network services. A key aspect of this distributed architecture is the need for several coordination mechanisms between the router and the assistants, and among the assistants themselves. Therefore, the Router-Assistant Protocol (RAP) has been proposed, a control protocol based on ForCES that allows assistants to configure the router's data plane, to be notified of events, and to divert signalling packets and data flows to the assistants. As network application requirements can be very heterogeneous, several mechanisms are needed to load-balance the assistant cluster. Thus, this thesis presents two novel Fast Robust Hashing algorithms that provide a permanent and fair mapping of flows to assistants and improve on existing Robust Hashing techniques, being efficient enough to be implemented in the data plane of a commercial router. Moreover, this research work also defines the eXtensible Service Discovery Framework (XSDF), which integrates in a single process scalable service location and load sharing among lightly-coupled servers.

    Reliable Server Pooling - Evaluierung, Optimierung und Erweiterung einer neuen IETF-Architektur

    The Reliable Server Pooling (RSerPool) architecture, currently under standardization by the IETF RSerPool Working Group, is an overlay network framework that provides server replication and session failover capabilities to the applications using it. These functionalities as such are not new, but their combination into one generic, application-independent framework is. The initial goal of this thesis is to gain insight into the complex RSerPool mechanisms by performing experimental and simulative proof-of-concept tests. The further goals are to systematically validate the RSerPool architecture and its protocols, provide improvements and optimizations where necessary, and propose extensions where useful. Based on these evaluations, recommendations to implementers and users of RSerPool should be provided, giving guidelines for the tuning of system parameters and the appropriate configuration of application scenarios. In particular, it is also a goal to transfer insights, optimizations and extensions of the RSerPool protocols from simulation to reality, and to bring the achievements from research into application by supporting and contributing relevant results to the IETF's ongoing RSerPool standardization process. To achieve the described goals, a prototype implementation as well as a simulation model are designed and realized first. Using a generic application model and appropriate performance metrics, the performance of RSerPool systems in failure-free and server-failure scenarios is systematically evaluated in order to identify critical parameter ranges and problematic protocol behaviour. Improvements developed as a result of these performance analyses are evaluated and finally contributed to the standardization process of RSerPool.

    An efficient approach for state sharing in server pools

    Many Internet services require high availability. Server pooling provides a high availability solution using redundant servers. If one server fails, the service is continued by another one. A challenge for server pooling is efficient state sharing: The new server requires the old one’s state to continue service. This paper proposes a simple, efficient and scalable solution, usable for a large subset of applications.

    An Efficient Approach for State Sharing in Server Pools

    Many Internet services require high availability. That is, downtimes cause loss of money (e.g. electronic shops) or damage to equipment (e.g. control systems for production processes). Server pooling provides a high availability solution using multiple redundant servers. If one server fails, the service is continued by another one. A big challenge for server pooling is efficient state sharing. That is, servers hold state for each client (e.g. user identity or media position). To continue the service in case of a failover, the new server has to know the old server's state. The goal of this paper is to present an efficient, simple and scalable approach, applicable to a large range of server pooling applications, that provides secure transfer of state by the client itself, using an extended cookie mechanism. Finally, it also provides implementation considerations. Keywords: high availability, server pooling, state sharing, client, server