Searching for just a few words should be enough to get started. If you need to make more complex queries, use the tips below to guide you.
Issue title: Trusted Internet Workshop (TIW) 2004
Article type: Research Article
Authors: Huang, Yih | Arsenault, David | Sood, Arun
Affiliations: Department of Computer Science and the Center for Image Analysis, George Mason University, Fairfax, VA, USA E-mail: {huangyih, darsenau,asood}@cs.gmu.edu.
Abstract: Domain Name Systems (DNS) provide the mapping between easily remembered host names and their IP addresses. While domain name information is typically created and updated off-line, dynamic DNS updates allow clients to manage domain names online, in real time. The current secure DNS standards (DNSSEC) require private keys to be kept online to sign dynamic updates, leaving private keys subject to network-based attacks. In this work, we develop a secure implementation framework of DNS servers that voids the above requirement. Our approach, called Self-Cleansing Intrusion Tolerance (SCIT), strengthens DNSSEC through hardware redundancy. Our system uses a highly integrated cluster of DNS servers that constantly rotates the role of individual servers, handles one-server failures gracefully, confines the damages of successful intrusion to a limited time, and digitally signs dynamic updates by a clean server using the DNS zone key while keeping the key offline at all times. It is our belief that the availability and integrity of critical communications infrastructure, such as DNS, far outweigh the costs of hardware redundancy. In this paper, we present (1) the architecture of SCIT DNS clusters that achieves the above goals, (2) a secure Cluster Coordination Protocol (CCP) that servers in the cluster use to coordinate role changes without ever opening a port, and (3) the designs of our ongoing SCIT DNS cluster prototype. Preliminary experiences of our prototype show that role rotation and self-cleansing cycles are in the range of minutes, restricting the damages of even undetected but successful attacks to short time windows.
Keywords: Computer security, fault-tolerance, information assurance, intrusion containment, self-cleansing systems
Journal: Journal of High Speed Networks, vol. 15, no. 1, pp. 5-19, 2006
IOS Press, Inc.
6751 Tepper Drive
Clifton, VA 20124
USA
Tel: +1 703 830 6300
Fax: +1 703 830 2300
sales@iospress.com
For editorial issues, like the status of your submitted paper or proposals, write to editorial@iospress.nl
IOS Press
Nieuwe Hemweg 6B
1013 BG Amsterdam
The Netherlands
Tel: +31 20 688 3355
Fax: +31 20 687 0091
info@iospress.nl
For editorial issues, permissions, book requests, submissions and proceedings, contact the Amsterdam office info@iospress.nl
Inspirees International (China Office)
Ciyunsi Beili 207(CapitaLand), Bld 1, 7-901
100025, Beijing
China
Free service line: 400 661 8717
Fax: +86 10 8446 7947
china@iospress.cn
For editorial issues, like the status of your submitted paper or proposals, write to editorial@iospress.nl
如果您在出版方面需要帮助或有任何建, 件至: editorial@iospress.nl