Pride In Performance
Intrusion Tolerant Distributed Object Systems
Providing High Reliability for Mission-Critical Information Systems
themselves be servers. Furthermore, each state machine for a given system hosts the same objects as the others in that system. The ITDOS performs voting in middleware to support heterogeneous implementations. Therefore, all invocations on objects must pass through the middleware layer equally.

We term an individual process in the system that implements a particular well-defined state machine a replication domain element. The collection of replication domain elements running the same state machine is a replication domain.

The ITDOS uses active replication to maintain the same state in each replication domain element; a client request is delivered to each replication domain element in a replication domain by a totally ordered BFTM protocol. Each replication domain element executes the invocation and returns its result to the client in the same fashion.

In this system, faulty processes in a replication domain are detected primarily by processes external to it: either by clients receiving a faulty result, or by other servers receiving a faulty request. Once a replication domain element is determined to be faulty, it must be removed from its replication domain to preserve confidential communications.

The Group Manager handles replication domain membership and virtual connection management in the ITDOS. It consists of a replication domain of Group Manager processes. These processes work together to regulate replication domain formation, replication domain membership, and connection establishment between clients and servers. The Group Manager also provides symmetric session keys (called communication keys) that protect communications.

The primary function of the ITDOS firewall proxy is to limit the impact of DoS attacks inside an enclave hosting ITDOS clients and servers. This differs from traditional proxies that form TCP connections on each side of the firewall and then inspect each packet as it traverses the firewall. Those proxies typically apply source and destination rules to permit or deny packets. This type of inspection and packet blocking cannot be implemented for the ITDOS for several reasons. First, ITDOS communications are connectionless, using UDP multicast, so source authentication would require digital signature validation. Secondly, the underlying BFTM protocol used by the ITDOS assumes that if one correct process delivers a message, all will eventually deliver it.

The ITDOS proxy allows legitimate retry messages to traverse the firewall while blocking most messages that may be part of a denial of service attack. The firewall limits DoS attacks, particularly replay flooding attacks, by caching a hash of each message it receives and comparing the hashes to newly received messages. If the proxy receives multiple copies of a particular message more than a threshold number of times, only a percentage of those messages are allowed to enter the enclave.
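A small model of the replay-flood limiting the proxy performs, written here as an added example and not SPARTA's ITDOS code: each message is hashed, the first copies up to a threshold are admitted so that legitimate BFTM retries still pass, and only a fixed percentage of copies beyond the threshold is admitted. The hash function (SHA-256), the bounded hash cache and the deterministic percentage scheme are assumptions, since the brochure gives no such values.

```python
import hashlib
from collections import OrderedDict


class ReplayFloodLimiter:
    """Admit or drop messages by content hash, in the style of the ITDOS proxy.

    Assumed details (not from the brochure): SHA-256 as the hash, a bounded
    cache with oldest-first eviction so that a flood of unique messages cannot
    exhaust proxy memory, and a deterministic accumulator that admits exactly
    `admit_percent` percent of the copies received beyond `threshold`.
    """

    def __init__(self, threshold=3, admit_percent=10, max_entries=10000):
        self.threshold = threshold
        self.admit_percent = admit_percent
        self.max_entries = max_entries
        # digest -> [copies_seen, admission_accumulator]
        self._seen = OrderedDict()

    def admit(self, message: bytes) -> bool:
        digest = hashlib.sha256(message).digest()
        entry = self._seen.get(digest)
        if entry is None:
            if len(self._seen) >= self.max_entries:
                self._seen.popitem(last=False)  # evict the oldest entry
            entry = self._seen[digest] = [0, 0]
        else:
            self._seen.move_to_end(digest)  # keep recently seen entries alive
        entry[0] += 1
        if entry[0] <= self.threshold:
            return True  # within the retry allowance: always admitted
        # Excess copy: admit admit_percent% of them, deterministically.
        entry[1] += self.admit_percent
        if entry[1] >= 100:
            entry[1] -= 100
            return True
        return False


def simulate(limiter, messages):
    """Return (admitted, dropped) for a list of messages run through the limiter."""
    admitted = sum(1 for m in messages if limiter.admit(m))
    return admitted, len(messages) - admitted


if __name__ == "__main__":
    # Constructed traffic: one request replayed 103 times into the enclave.
    flood = [b"invoke:object=order,op=commit,id=42"] * 103
    print(simulate(ReplayFloodLimiter(threshold=3, admit_percent=10), flood))
```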
[Figure: ITDOS architecture. Client host: Application Code over IT Middleware (ITDOS Marshalling, Secure Reliable Multicast, IP Multicast) and an ITDOS Firewall Proxy; Firewalls; Server side: Server Firewall Proxies in front of Servers running Application Code, with Group Mgr processes.]
For more information call us at 410-872-1515, send an e-mail to ISSOemail@example.com, or visit us on the Web at
SPARTA, Inc. 7075 Samuel Morse Drive, 2nd Floor, Columbia, MD 21046