FIT-LDAP: Um Serviço de Diretório Tolerante a Falhas e Intrusões

  • Rayol Neto UFAM
  • Bruno Barreto UFAM
  • Diego Kreutz University of Luxembourg
  • Aldri Santos UFPR
  • Eduardo Feitosa UFAM

Resumo

Serviços de diretório (e.g., LDAP) são frequentemente utilizados para manter informações sensíveis (e.g., dados e credenciais de usuários) em sistemas críticos como serviços de controle de domínio, servidores DNS, mecanismos de controle de acesso e infra-estrutura de chaves públicas. Este artigo apresenta a primeira arquitetura e mecanismos para prover serviços de diretórios tolerante a falhas e intrusões. Para atingir este objetivo são empregadas diferentes técnicas de sistemas distribuídos, dependabilidade e segurança. A viabilidade da solução proposta é demonstrada através da implementação e avaliação de um protótipo que utiliza protocolos e técnicas avançadas de tolerância a falhas e intrusões. Os resultados demonstram que a solução proposta é boa o suficiente para suportar as demandas de infra-estruturas de TI com mais de 136K usuários.

Referências

Ardizzone, V., Barbera, R., Calanducci, A., Fargetta, M., Ingrà, E., La Rocca, G., Monforte, S., Pistagna, F., Rotondo, R., and Scardaci, D. (2011). A european framework to build science gateways: Architecture and use cases. In Proceedings of the 2011 TeraGrid Conference: Extreme Digital Discovery, TG ’11, pages 43:1– 43:2, New York, NY, USA. ACM.

Bessani, A. (2011). From byzantine fault tolerance to intrusion tolerance (a position paper). In Dependable Systems and Networks Workshops (DSN-W), 2011 IEEE/IFIP 41st International Conference on, pages 15–18.

Bessani, A., Mendes, R., Oliveira, T., Neves, N., Correia, M., Pasin, M., and Verissimo, P. (2014a). Scfs: a shared cloud-backed file system. In Proc. of the 2014 USENIX Annual Technical Conference.

Bessani, A., Sousa, J., and Alchieri, E. (2014b). State machine replication for the masses with bft-smart. In Dependable Systems and Networks (DSN), 2014 44th Annual IEEE/IFIP International Conference on, pages 355–362.

bft smart (2015). Bft-smart. http://bft-smart.github.io/library/.

Borsato, L., Gaudet, M., Hamilton, I., Anderson, R., and Waters, G. (2003). Trusted network binding using ldap (lightweight directory access protocol). US Patent 6,654,891.

Boyd, A. (2014). It security shifts from prevention to resiliency. http://goo.gl/01poFz.

Brandão, L. and Bessani, A. (2012). On the reliability and availability of replicated and rejuvenating systems under stealth attacks and intrusions. Journal of the Brazilian Computer Society, 18(1):61–80.

Dwork, C., Lynch, N. A., and Stockmeyer, L. (1988). Consensus in the Presence of Partial Synchrony. J. ACM, 35(2):288–322.

Ficco, M. and Rak, M. (2012). Intrusion tolerance of stealth dos attacks to web services. In Gritzalis, D., Furnell, S., and Theoharidou, M., editors, Information Security and Privacy Research, volume 376 of IFIP Advances in Information and Communication Technology, pages 579–584. Springer Berlin Heidelberg.

Flechl, M. and Field, L. (2008). Grid interoperability: joining grid information systems. Journal of Physics: Conference Series, 119(6):062030.

Goche, M. and Gouveia, W. (2014). Why cyber security is not enough: You need cyber resilience. http://goo.gl/jNZ3Bw.

Harrison, R. (2006). Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms. RFC 4513 (Proposed Standard).

Hou, H., Wang, X., and Wu, M. (2006). Hierarchical byzantine fault tolerant secure ldap. In IEEE SMC’06, pages 3844–3849.

Howes, T. A., Smith, M. C., and Good, G. S. (2003). Understanding and Deploying LDAP Directory Services. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 2 edition.

Karatsiolis, V., Lippert, M., and Wiesmaier, A. (2004). Using ldap directories for management of pki processes. In Public Key Infrastructure, pages 126–134. Springer.

Kreutz, D., Bessani, A., Feitosa, E., and Cunha, H. (2014a). Towards secure and dependable authentication and authorization infrastructures. In Dependable Computing (PRDC), 2014 IEEE 20th Pacific Rim International Symposium on, pages 43–52. IEEE.

Kreutz, D. and Charao, A. (2009). Flexvaps: a system for managing virtual appliances in heterogeneous virtualized environments. In Network Operations and Management Symposium, 2009. LANOMS 2009. Latin American, pages 1–12.

Kreutz, D. and Feitosa, E. (2014). Identity providers-as-a-service built as cloud-ofclouds: challenges and opportunities. In Position Papers of the 2014 Federated Conference on Computer Science and Information Systems, pages 101–108.

Kreutz, D., Feitosa, E., and Cunha, H. (2014b). Provedores de identidade resilientes e confiáveis. In Anais do XXXII SBRC XV WTF, pages 174–187.

Kreutz, D., Feitosa, E., Cunha, H., Niedermayer, H., and Kinkelin, H. (2014c).

Increasing the resilience and trustworthiness of openid identity providers for future networks and services. In ARES 2014, pages 317–324.

Kreutz, D., Malichevskyy, O., Feitosa, E., Barbosa, K. R. S., and Cunha, H. (2014d).

System design artifacts for resilient identification and authentication infrastructures. In ICNS. IARIA.

Kushner, D. (2013). The real story of stuxnet. IEEE Spectrum, 50(3):48–53.

Malichevskyy, O., Kreutz, D., Pasin, M., and Bessani, A. (2012). O vigia dos vigias: um serviço radius resiliente. In INForum.

Niedermayer, H., Kreutz, D., Feitosa, E., Malichevskyy, O., Bessani, A., Fraga, J., Cunha, H. A., and Kinkelin, H. (2014). Trustworthy and resilient authentication service architectures. Technical report, SecFuNet Consortium.

OpenLDAP (2014). OpenLDAP Software 2.4 Administrator’s Guide.

Park, J., Ahn, G.-J., and Sandhu, R. (2002). Role-based access control on the web using ldap. In Olivier, M. and Spooner, D., editors, Database and Application Security XV, volume 87 of IFIP The International Federation for Information Processing, pages 19–30. Springer US.

Prince, M. (2013). The DDoS that almost broke the internet. http://goo.gl/oeDrMY.

Sermersheim, J. (2006). Lightweight Directory Access Protocol (LDAP): The Protocol. RFC 4511 (Proposed Standard).

Shoker, A. and Bahsoun, J.-P. (2012). Towards byzantine resilient directories. In Proceedings of NCA ’12, pages 52–60.

Sousa, P., Bessani, A. N., Correia, M., Neves, N. F., and Verissimo, P. (2007). Resilient intrusion tolerance through proactive and reactive recovery. In Proceedings of PRDC ’07, pages 373–380.

Tankard, C. (2011). Advanced Persistent threats and how to monitor and deter them. Network Security, (8).

UnboundID (2015). Unboundid ldap sdk for java. https://www.ldap.com/unboundid-ldap-sdk-for-java.

Vasiliadis, D., Rizos, G., Stergiou, E., and Margariti, S. (2007). A trusted network model using the lightweight directory access protocol. In Proceedings of AIC, pages 252–256.

Verissimo, P., Neves, N., Cachin, C., Poritz, J., Powell, D., Deswarte, Y., Stroud, R., and Welch, I. (2006). Intrusion-tolerant middleware: the road to automatic security. Security Privacy, IEEE, 4(4):54–62.

Wang, X., Hou, H., and Zhuang, Y. (2006). Secure byzantine fault tolerant ldap system. In Proceedings of IMSCCS ’06, pages 34–39.

Wang, X., Schulzrinne, H., Kandlur, D., and Verma, D. (2008). Measurement and analysis of ldap performance. Networking, IEEE/ACM Transactions on, 16(1):232–243.

Zhou, W. and Meinel, C. (2004). Implement role based access control with attribute certificates. In Advanced Communication Technology, 2004. The 6th International Conference on, volume 1, pages 536–540.
Publicado
2015-11-09
Como Citar
NETO, Rayol et al. FIT-LDAP: Um Serviço de Diretório Tolerante a Falhas e Intrusões. Anais do Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (SBSeg), [S.l.], p. 44-57, nov. 2015. ISSN 0000-0000. Disponível em: <https://sol.sbc.org.br/index.php/sbseg/article/view/20084>. Acesso em: 18 maio 2024. doi: https://doi.org/10.5753/sbseg.2015.20084.