Non-STOP PKI, Non-STOP LDAP and other security issues

Dominique Chabord <dominique.chabord@bluedjinn.com>
Sat, 1 Apr 2000 10:00:12 +0200


Hello,

my question was not aimed at confusing anyone.

Thank you for your precise answers. The important words were not non-STOP, nor
SCSI. If you are sued by Compaq lawyers, you can denounce me. Sorry if this
misled anyone, and I'm not pushing SCSI against any distributed solution of
any kind either.

Alan:
I got an answer from Derek about LDAP server synchronization. I understand
from Derek that LDAP usually integrates its own replication mechanisms and
doesn't need to swap disks. Therefore it doesn't need drbd nor a journaled
file system. Do you mean it does need them? Does it depend on the product
we use, or is it part of the LDAP standard? From other sources, I thought LDAP
could even be parallelised, avoiding failover mechanisms such as heartbeat. Is
this mode recommended in secured environments when secret keys are written
in the LDAP directory?

Derek:
Can we have several replicated copies of LDAP data? For example, two local
copies for high availability inside a site and another two copies in a
remote mirror site? Is it as safe against hackers when data are replicated
as when they are kept private on a local disk? Is replication encrypted?

For a PKI solution with "no single point of failure" (don't call it non-stop!
:-)), should we use one X509 certificate or several?

Another point I have in mind is IP failover. Are there some secured routers
that might control MAC addresses and refuse "floating" IP addresses in order
to protect against a potential attack by IP redirection? Would this prevent
heartbeat from failing over? Would it then support a list of backup MAC
addresses?

As you may figure out, it is difficult for me to understand how to
articulate security products (PKI and SSO based) with high availability.
Maybe it ends up easier than I think! If some of you have done it already,
would you tell us how and educate me a little bit?

Thank you for any other contribution if any.
Dominique

-----Original message-----
From: Alan Robertson <alanr@suse.com>
To: Dominique Chabord <dominique.chabord@bluedjinn.com>
Cc: Linux-HA Mailing List <linux-ha@muc.de>
Date: Thursday 30 March 2000 15:29
Subject: Re: Non-STOP PKI, Non-STOP LDAP and other security issues


>Dominique Chabord wrote:
>>
>> Thank you for this answer.
>> I understand the mechanism you describe works, even if very sensitive
>> information is in, but this is only a security issue. The reason why I was
>> asking is that I remember a problem with X500 directory on DECnet.
>> Thank you
>>
>> >On Sun, 26 Mar 2000, Dominique Chabord wrote:
>> >
>> >> Hello,
>> >>
>> >> By non-STOP, I'm referring here to unattended failover, of course, as
>> >> heartbeat can do it.
>> >>
>> >> The question I'm trying to answer is the following:
>> >>
>> >> How difficult is it to implement failover in secure environments? Is
>> >> LDAP an application as usual that can be stopped on a computer and
>> >> restarted on another one? Is there any trick in swapping the LDAP data
>> >> files to another node via a shared disk? Do I need special care when
>> >> moving IP addresses, is the node name checked by authentication
>> >> protocols, routing tools, firewalls ...?
>
>> Derek Martin wrote:
>>
>> >With LDAP, it is not necessary to swap data files, as you can have your
>> >failover database replicate the active one.  Depending on how frequently
>> >you replicate and how often you make changes, you can use this scheme to
>> >keep your LDAP databases in sync with very little data loss under a
>> >failover situation.
>
>Dominique,
>
>It sounds like drbd combined with a journalling filesystem is right on
>the edge of being a production-quality tool.  I understand that the
>newer versions of ReiserFS are production quality.  ReiserFS ships with
>SuSE 6.4, which will be shipping April 3 in Europe.  From the "new with
>6.4" area of the SuSE web site:
>       ReiserFS support (journaling filesystem, online growable partitions)
>
>Of course, as other journalling filesystems become production quality,
>you will have other choices of filesystems.  And, of course, you can
>always add ReiserFS to another distribution as well...
>
>You could use a shared SCSI or Fibre Channel disk if you wish instead of
>drbd.
>
>The interesting question here is whether your LDAP server's database is
>robust with respect to crashes.  If it is, then you should be OK.  If
>not, then you have a problem...   But it wasn't created by making this
>an HA solution ;-)
>
>If you use heartbeat in this application, I *highly* recommend using a
>second independent heartbeat medium.  If you're going to use drbd, then
>your drbd ethernet could be one of them.  If you connect the pair of
>machines to each other using a private lan with a crossover cable
>(highly recommended), then you wouldn't have a hub/switch to fail or
>lose power either.  If the second heartbeat medium was serial (i.e.
>serial ports), then it would also be quite reliable (no hub/switch)
>too.  This would seem like a good combination to me.
>
>When you have any kind of shared filesystem, then think *very* seriously
>about the impact of the two machines losing communication with each
>other, but both staying up (cluster partition) and try and prevent it.
>In your case, the impact would be potentially the loss of a few server
>updates.
>
> -- Alan Robertson
>    alanr@suse.com
>
>---------------------------------------------------------------------------
>Linux HA Web Site:
>  http://linux-ha.org/
>Linux HA HOWTO:
>  http://metalab.unc.edu/pub/Linux/ALPHA/linux-ha/High-Availability-HOWTO.html
>---------------------------------------------------------------------------
>
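Dominique's question above about routers that would accept a list of backup MAC addresses behind a "floating" IP, together with Alan's warning about cluster partitions, as an added example that is not part of the thread: a small defender-side monitor over constructed ARP observations that accepts a MAC from the allowed primary/backup pair but flags an unknown MAC, or a MAC that flaps between the two nodes faster than a normal failover (a sign that both nodes are up and claiming the address). The IP, MAC values and log lines are constructed placeholders, not real addresses.

```python
# Added example, not code from the thread: audit ARP observations for a
# floating service IP against an allow-list of primary and backup node MACs.
from dataclasses import dataclass

# Allow-list per floating IP: MACs of the primary and the backup node.
# Constructed placeholder values.
ALLOWED_MACS = {
    "192.0.2.10": {"00:00:5e:00:53:01", "00:00:5e:00:53:02"},
}

# Constructed ARP observations, one per line: "<unix_ts> <ip> <mac>"
# (the shape an arpwatch-style sensor on the LAN segment could emit).
SAMPLE_LOG = """\
1000 192.0.2.10 00:00:5e:00:53:01
1060 192.0.2.10 00:00:5e:00:53:02
1070 192.0.2.10 00:00:5e:00:53:01
1075 192.0.2.10 00:00:5e:00:53:02
1120 192.0.2.10 00:00:5e:00:53:99
"""


@dataclass
class Alert:
    ts: int
    ip: str
    mac: str
    reason: str


def parse_line(line):
    """Split one observation into (timestamp, ip, lowercase mac)."""
    ts, ip, mac = line.split()
    return int(ts), ip, mac.lower()


def audit_arp(log_text, allowed, flap_window=30):
    """Return alerts for MACs outside the allow-list and for an IP whose
    MAC changes back and forth within flap_window seconds (possible
    split-brain: both nodes answering for the address)."""
    alerts = []
    last = {}  # ip -> (ts, mac) of the previous observation
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac = parse_line(line)
        if mac not in allowed.get(ip, set()):
            alerts.append(Alert(ts, ip, mac, "mac-not-in-allowlist"))
        elif ip in last and last[ip][1] != mac and ts - last[ip][0] <= flap_window:
            alerts.append(Alert(ts, ip, mac, "fast-flap"))
        last[ip] = (ts, mac)
    return alerts
```

On the sample data the 1000-to-1060 change is treated as a normal failover between the two listed nodes, the two changes inside 30 seconds are reported as flapping, and the final MAC is reported as outside the allow-list.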