We propose a resilience architecture for improving the security and dependability of authentication and authorization infrastructures, in particular the ones based on RADIUS and OpenID. This architecture employs intrusion-tolerant replication, trusted components and untrusted gateways to provide survivable services ensuring compatibility with standard protocols. The architecture was instantiated in two prototypes, one implementing RADIUS and another implementing OpenID. These prototypes were evaluated in fault-free executions, under faults, under attack, and in diverse computing environments. The results show that, beyond being more secure and dependable, our prototypes are capable of achieving the performance requirements of enterprise environments, such as IT infrastructures with more than 400k users.
Electronic transactions have become the mainstream mechanism for performing commerce activities in our daily lives. Aiming at processing them, the most common approach addresses the use of a switch that dispatches transactions to processing machines using the so-called Round-Robin scheduler. Considering this electronic funds transfer (EFT) scenario, we developed a framework model denoted GetLB which comprises not only a new and efficient scheduler, but also a cooperative communication infrastructure for handling heterogeneous and dynamic environments. The GetLB scheduler uses a scheduling heuristic that combines static data from transactions and dynamic information from the processing nodes to overcome the limitations of the Round-Robin based scheduling approaches. Scheduling efficiency takes place thanks to the periodic interaction between the switching node and processing machines, enabling local decision making with up-to-date information about the environment. Besides the description of the aforementioned model in detail, this article also presents a prototype evaluation by using both traces and configurations obtained with a real EFT company. The results show improvements in transaction makespan when comparing our approach with the traditional one over homogeneous and heterogeneous clusters.
In our previous work we designed and evaluated the feasibility of highly secure and dependable identity providers (IdPs) for the increasing requirements of future IT infrastructures. In this position paper we extend our previous work by analyzing and discussing the benefits of deploying highly secure and dependable identity providers-as-a-service (IdP-as-a-Service), without compromising the confidentiality of sensitive data and operations. In order to achieve this goal, we discuss some of the forefront challenges of deploying IdP-as-a-Service as a cloud-of-clouds model to ensure important properties such as the resistance against different types of threats and attacks, arbitrary faults, and make it more realistic to improve the system availability up to the three-nines mark. Notwithstanding, the main opportunities towards IdP-as-a-Service are also analyzed. We finish the paper proposing a sustainable business model based on our previous deployments and results, showing that it can be a win-win opportunity, i.e., both IdP-as-a-Service providers and customers can benefit from it.
The correct and continuous operation of identity providers and access control services is critical for new generations of networks and online systems, such as virtualized networks and on-demand services of large-scale distributed systems. In this paper, we propose and describe a functional architecture and system design artifacts for prototyping fault- and intrusion-tolerant identification and authentication services. The feasibility and applicability of the proposed elements are evaluated by using two distinct prototypes. Our results and analysis show that building and deploying resilient and reliable infrastructure services is an achievable goal through a set of system design artifacts based on well-established concepts from security and dependability. We also provide a performance evaluation of our resilient RADIUS service compared with the long standing FreeRADIUS.
Elasticity is undoubtedly one of the most known capabilities related to cloud computing. In the high performance computing area, initiatives normally use bag-of-tasks applications requiring changes in the source code in order to address elasticity. In this context, this article presents an elasticity model called AutoElastic. AutoElastic acts at middleware level over iterative parallel applications, offering automatic resources provisioning. Its differential approach appears on the asynchronous elasticity concept. Besides the model itself, the article also presents a prototype built with OpenNebula and its evaluation with an iterative parallel application, showing performance gains of up to 14% and a low intrusivity.
The Internet has led to the creation of a digital society, where (almost) everything is connected and is accessible from anywhere. However, despite their widespread adoption, traditional IP networks are complex and very hard to manage. It is both difficult to configure the network according to pre-defined policies, and to reconfigure it to respond to faults, load and changes. To make matters even more difficult, current networks are also vertically integrated: the control and data planes are bundled together. Software-Defined Networking (SDN) is an emerging paradigm that promises to change this state of affairs, by breaking vertical integration, separating the network’s control logic from the underlying routers and switches, promoting (logical) centralization of network control, and introducing the ability to program the network. The separation of concerns introduced between the definition of network policies, their implementation in switching hardware, and the forwarding of traffic, is key to the desired flexibility: by breaking the network control problem into tractable pieces, SDN makes it easier to create and introduce new abstractions in networking, simplifying network management and facilitating network evolution. In this paper we present a comprehensive survey on SDN. We start by introducing the motivation for SDN, explain its main concepts and how it differs from traditional networking, its roots, and the standardization activities regarding this novel paradigm. Next, we present the key building blocks of an SDN infrastructure using a bottom-up, layered approach. We provide an in-depth analysis of the hardware infrastructure, southbound and northbound APIs, network virtualization layers, network operating systems (SDN controllers), network programming languages, and network applications.
We also look at cross-layer problems such as debugging and troubleshooting. In an effort to anticipate the future evolution of this new paradigm, we discuss the main ongoing research efforts and challenges of SDN. In particular, we address the design of switches and control platforms – with a focus on aspects such as resiliency, scalability, performance, security and dependability – as well as new opportunities for carrier transport networks and cloud providers. Last but not least, we analyze the position of SDN as a key enabler of a software-defined environment.
Virtual appliances have emerged as an important concept in systems virtualization. They are conceived as data packages that can be electronically delivered and easily shared and distributed. A virtual appliance usually contains at least an operating ...
Behavior of Parallel Applications on Heterogeneous Computer Clusters. Diego Luis Kreutz, Lucas Mello Schnorr, Cleverton Marlon Possani, Benhur Stein. Laboratório de Sistemas de Computação ...
Software-defined networking empowers network operators with more flexibility to program their networks. With SDN, network management moves from codifying functionality in terms of low-level device configurations to building software that facilitates network management and debugging. By separating the complexity of state distribution from network specification, SDN provides new ways to solve long-standing problems in networking --- routing, for instance --- while simultaneously allowing the use of security and dependability techniques, such as access control or multi-path.
However, the security and dependability of the SDN itself is still an open issue. In this position paper we argue for the need to build secure and dependable SDNs by design. As a first step in this direction we describe several threat vectors that may enable the exploit of SDN vulnerabilities. We then sketch the design of a secure and dependable SDN control platform as a materialization of the concept here advocated. We hope that this paper will trigger discussions in the SDN community around these issues and serve as a catalyser to join efforts from the networking and security & dependability communities in the ultimate goal of building resilient control planes.
Papers by Diego Kreutz