Categories
Cloud Computing

Distributed Fault-Tolerant Authentication Management & Identification Control System

At the rate at which technology today is moving forward with the Internet speeds increasing manifold, with IoT gaining prominence and organizations more distributed across the globe than before, the authentication software, systems and architectures remain fairly primitive.

Among the many reasons contributing to this is that the corporations that build these authentication systems and software hold on to those products as their main source of income. Insight and research in these areas have also been fairly mundane. Though there has been enough research funding, what has been missing is the intellect and knowledge required to build large-scale distributed and decentralized authentication systems and architectures.

Large-scale authentication systems, and the architectures used to build them, must allow both manned devices [computers, tablets, phones, virtual machines etc.] and unmanned devices [IoT devices etc.] to authenticate and authorize themselves without a centralized bottleneck, as seen in authentication systems like LDAP, Active Directory and others.

As experienced on a daily basis, these centralized authentication systems are neither scalable nor fault-tolerant without a sane fail-over MTBF [Mean Time Between Failures], causing regular and long-lasting business disruptions.

■ What can be done about this?

Let us acquaint ourselves with AuthControl. SynchroKnot designed and developed AuthControl after recognizing the inadequacies of the centralized authentication systems [LDAP & Active Directory].

AuthControl was designed with the following flexibility in mind:

  • Ability for authentication to be either centralized, distributed, decentralized or a combination of these.
  • Ability to be seamlessly and transparently scaled on-demand across the globe with no downtime.
  • Ability to be used by standard operating systems within their security framework without custom or proprietary software, enhancements, modifications or hacks.
  • Ability to be used across all devices that can make a simple HTTPS call, and much more.

■ What is AuthControl?

AuthControl is SynchroKnot’s unique Distributed Fault-Tolerant Authentication Management & Identification Control System that serves as a scalable, secure and simple alternative to LDAP, Active Directory and other authentication systems.

In AuthControl, the user[s] can be delegated and made responsible for managing their password. Furthermore, the user’s password SHA512/GOST checksum is kept encrypted.

■ Password + Pin

The user[s] can log in to their virtual machines or physical hardware [eg. computers, tablets, mobile phones etc] with their standard username and password + 5 digit unique pin.

This 5-digit PIN is not set by the user; it is generated automatically or manually, per the organization's preference. Not having to manage separate PINs for each user, together with the ability to change them on a regular basis, makes logging into systems and authenticating for various purposes more secure without adding the burden of lengthy procedures or steps.

Depending on the nature of the circumstance, user access can be restricted/limited by simply changing the PIN.

■ Algorithmically-ascertained decentralized numeric User and Group ID

AuthControl also has the unique capability of creating operating-system-specific user and group identities that are unique. For example, AuthControl can create a Linux User ID and Group ID that are unique and always return the same numeric value for the ID.

This unique numeric user and group ID is algorithmically created in a decentralized manner without having to generate, store and poll centralized or distributed databases.

Due to the uniqueness of the user and group IDs, they can be instantly checked for changes or manipulation and reinstated automatically if changed, without having to poll, check and compare against central or distributed databases. They can also be reported or alerted on in the same manner.

AuthControl’s strong security is strengthened with the use of interleaved mapping of usernames to their Blockchain IDs, and further by using blockchain cryptography [not the blockchain network] to ascertain authenticity. This is another unique feature you will not find anywhere else but with SynchroKnot.

■ Fault Tolerant

AuthControl algorithmically checks for failures across multiple geographically-dispersed locations [configurable up to 10] before reporting the service unreachable.

■ Load Balanced

Each user or groups of users can be assigned different geographically-dispersed locations for load balancing [with additional option of fault-tolerance].

■ Scalable

Enable AuthControl in virtual or physical machines, point more users to them, and scale seamlessly and transparently across the globe.

■ Simple

Very easy to set up and manage. Works transparently with Linux PAM without modifying standard PAM modules, and is end-to-end encrypted [uses standard HTTPS for communication].

Since this is just an article for getting acquainted with AuthControl, we refrain from getting into technicalities which might be better reflected in a whitepaper.

■ Below are examples of different methods that users can log in or access resources transparently with their standard Username and Password + 5 Digit PIN:

├─> Graphical Login
├─> Graphical Screen Saver Login [eg. screen lock]
├─> Non-Graphical Login
├─> SUDO – Execute a command as another user
├─> SU – Super User
├─> SSH – Secure Shell
├─> SCP – Secure Copy
├─> SFTP – Secure File Transfer Protocol
├─> SSHFS – Secure Shell File System
├─> FTP – File Transfer Protocol
├─> VNC – Virtual Network Computing
├─> RDP – Remote Desktop Protocol
├─> CUPS – standards-based open source printing system
├─> CRON – Execution of scheduled commands
├─> SAMBA – Windows AD and SMB/CIFS fileserver for UNIX
├─> File Manager – Create Network Place with SFTP, SAMBA and FTP
├─> All password requirements via Control Center
├─> Practically anything that uses Standard PAM for authentication!

Below is a direct link to the demonstration video:

AuthControl Demo

Description of the demonstration:

This is a very basic impromptu demonstration of AuthControl. Here both of the virtual machines are enabled with AuthControl and show the following:

■ Login via Graphical Interface

■ Login via Non-Graphical Interface

■ Run a command with SU as another user

■ Run a command with SUDO as another user

■ Login to a remote system via SSH

■ Mount a remote filesystem via SSHFS

■ Use File Manager to create a Network Place using SFTP

All these different types of logins use AuthControl with standard Linux users and password + 5 digit PIN. The basic HTTPS traffic is captured using TCPDUMP to show the real-time interaction with SynchroKnot AuthControl when the password is entered in the virtual machines for the purpose of authentication.

Note: This demo was recorded on a severely resource-constrained system. It is up to you to determine the performance.

More information and technical insights can be found @ synchroknot.com


Decentralized Network Security with Interstellars

We have heard about multifarious approaches to network security in today's insecure times, with quite a few of them adding further complexity and management overhead to the already complex centralized cloud computing and data center setups.

Interstellars are a part of SynchroKnot Spatial Defined Networking and allow the creation of networks separated and secured directly at Ethernet layer 2. In Cloud Computing terminology, with Interstellars, the tenants have the ability to bifurcate and secure their network of virtual machines across decentralized hardware by simply assigning the virtual machines’ network interface card with a 28-bit Interstellar Identification.

By bifurcating and securing the decentralized network at layer 2, only the virtual machines that have the same Interstellar Identification can communicate with each other, irrespective of their local or global location.

As an additional benefit, you can save a lot of time and energy by not having to carve out separate layer 3 networks and set up different gateways for them. Further, you may not have to configure the virtual machines to point at the gateways you set up in order to have them communicate!

In this way you can substantially reduce the complexity, manageability and maintenance of networks and further reduce the risk of misconfigurations, which usually lead to security breaches.

Interstellars come built-in with the SynchroKnot software. The SynchroKnot software transforms any server, workstation, desktop or embedded device into a decentralized cloud or data center [data decenter].

You can use any commodity X86_64 Desktop/Workstation/Server/Embedded device and connect them to each other in minutes.

Here are some of the highlights of how SynchroKnot Interstellar approaches network security by getting directly to the heart of layer 2 Ethernet:

■ Fully Flattens, Bifurcates and Secures the network at Layer 2. Works transparently, irrespective of stacked / unstacked vlans, and without deviating from standard Ethernet semantics.

■ Based on the design and architecture of Interstellar Identification, Interstellar Resonance Identification and Interstellar OUI [Organizationally Unique Identifier].

■ Each virtual machine vNIC's MAC address carries a 28-bit Interstellar Identification. Assign your own choice of Interstellar IDs.

■ Virtual machines with the same Interstellar ID can communicate with each other irrespective of their location. All other traffic from the virtual machine is not allowed to touch the network.

■ In the case where a virtual machine needs to resonate [ communicate ] across different Interstellars at the same time, additional Interstellar IDs can be accommodated in the form of Interstellar Resonance IDs. Both Interstellar and Interstellar Resonance IDs remain intact even when the virtual machines relocate to any other decentralized location.

■ Interstellar OUI allows direct interaction of the virtual machines with the existing physical data center infrastructure [ routers, switches, gateways, appliances & devices ]. Simply add the needed OUI(s) [ organizationally unique identifier – a 24-bit number that uniquely identifies a vendor or manufacturer ] and gain transparent access.

■ Interstellars [ in collaboration with other SynchroKnot features ] allow for flexible carving of the IP network(s) of the virtual machines by allowing the creation of large networks [ eg: /7, /8, /16 etc ] without having to set up routing and gateways to move across subnets or worry about broadcasts. The same flexibility is transparently possible with IPv6 and anything usually above layer 2.

More information is available at:
■ synchroknot.com


Strong Network Security with ARPless – Hapless without ARPless?

In the realm of network security we tend to hear a lot of terms like “denial of service”, “man-in-the-middle”, or “session hijacking” and so on. For those deep into the networking and network security field, dealing with these terms is a real-life situation everyday.

Also, keeping up to date with the latest trends, software and solutions is a major part of the knowledge gathering practices.

Although it is near-impossible to have a 100% final solution to the serious issues of denial of service, man-in-the-middle, or session hijacking and similar others, SynchroKnot has approached the underlying cause to help substantially reduce and, in some cases, fully alleviate these issues.

For those unfamiliar, SynchroKnot software transforms any server, workstation, desktop or embedded device into a decentralized cloud or data center [data decenter] in minutes. You can use any commodity X86_64 Desktop/Workstation/Server/Embedded device and connect them to each other. There is no need to purchase virtualization software [VMware, OpenStack, Hyper-V etc], switches & routers or storage [SAN/NAS].

ARPless is a part of SynchroKnot Spatial Defined Networking and works with the virtual machines of the tenants. It builds a secure vacuum of multi-dimensional layers of security, starting with not allowing the virtual machine’s MAC address to be spoofed. Then it only allows communication between groups of virtual machines whose MAC addresses carry matching 28-bit Interstellar Identifications, and as a last step it securely and intelligently auto-responds to the virtual machines when they make an ARP request, so that they always know who is who and where to go. This makes ARP spoofing, ARP cache poisoning and ARP poison routing practically very difficult-to-impossible.

[It is advised to read the post earlier about Interstellars]

As an additional option, ARPless can be invoked with blockchain cryptography, which ensures that security policies, accountability and awareness are at the same level across the team(s), department(s) and organization(s).

Above is just a brief description. Below are some of the highlights:

■ ARPless creates a secure vacuum for trusted communication between virtual machines, and also with the existing physical infrastructure.

■ ARPless does not allow forced traffic diversion from poisoned ARP caches of virtual machines to reach undesired destination(s).

■ ARPless ignores requests from virtual machines that impersonate the original to force divert traffic or gain access.

■ ARPless securely and intelligently auto-responds to the virtual machines when they make an ARP request [ no agent / software needs to be installed inside the virtual machine(s) ]. It does not allow ARP requests from the virtual machines to get onto the network.

■ ARPless can further limit ARP traffic within the secure vacuum.

■ ARPless practically makes ARP spoofing, ARP cache poisoning, or ARP poison routing very difficult-to-impossible, which in turn substantially reduces the possibilities of other attacks stemming from it, such as denial of service, man-in-the-middle, or session hijacking.

■ ARPless intelligently handles and manages the following opcodes: 1 Request, 2 Reply, 3 Request_Reverse, 4 Reply_Reverse, 5 DRARP_Request, 6 DRARP_Reply, 7 DRARP_Error, 8 InARP_Request and 9 ARP_NAK
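The Interstellar and ARPless rules from the two posts above, written as one egress policy function in Node.js. This is an added example, not SynchroKnot's code: the MAC layout that carries the 28-bit ID, the DHCP-fed peer table that local ARP replies are built from, and the dropping of opcodes other than Request are assumptions, since the posts do not specify them.

```javascript
const ETH_ARP = 0x0806, ETH_IPV4 = 0x0800;
const VLAN_TAGS = new Set([0x8100, 0x88a8]);
const OP_REQUEST = 1, OP_REPLY = 2;
const BCAST = Buffer.alloc(6, 0xff);
const ip = (dotted) => Buffer.from(dotted.split('.').map(Number));

// Assumed MAC layout (the posts give none): byte 0 = 0x02 (locally administered,
// unicast), then the 28-bit Interstellar ID, then a 12-bit per-VM host index.
function makeMac(interstellarId, host) {
  const m = Buffer.alloc(6);
  m[0] = 0x02;
  m[1] = (interstellarId >>> 20) & 0xff;
  m[2] = (interstellarId >>> 12) & 0xff;
  m[3] = (interstellarId >>> 4) & 0xff;
  m[4] = ((interstellarId & 0x0f) << 4) | ((host >>> 8) & 0x0f);
  m[5] = host & 0xff;
  return m;
}
function interstellarOf(mac) {
  if (mac[0] !== 0x02) return null;   // broadcast or physical gear: not an Interstellar MAC
  return ((mac[1] << 20) | (mac[2] << 12) | (mac[3] << 4) | (mac[4] >>> 4)) >>> 0;
}

// Ethernet header, skipping any number of stacked 802.1Q / QinQ tags.
function parseEthernet(frame) {
  let off = 12, type = frame.readUInt16BE(off);
  while (VLAN_TAGS.has(type)) { off += 4; type = frame.readUInt16BE(off); }
  return { dst: frame.subarray(0, 6), src: frame.subarray(6, 12), type, payload: frame.subarray(off + 2) };
}
function parseArp(p) {
  if (p.length < 28 || p.readUInt16BE(0) !== 1 || p.readUInt16BE(2) !== ETH_IPV4) return null;
  return { op: p.readUInt16BE(6), sha: p.subarray(8, 14), spa: p.subarray(14, 18),
           tha: p.subarray(18, 24), tpa: p.subarray(24, 28) };
}
function buildArp(op, dstMac, srcMac, sha, spa, tha, tpa) {
  const f = Buffer.alloc(42);
  dstMac.copy(f, 0); srcMac.copy(f, 6); f.writeUInt16BE(ETH_ARP, 12);
  f.writeUInt16BE(1, 14); f.writeUInt16BE(ETH_IPV4, 16); f[18] = 6; f[19] = 4;
  f.writeUInt16BE(op, 20); sha.copy(f, 22); spa.copy(f, 28); tha.copy(f, 32); tpa.copy(f, 38);
  return f;
}
const buildArpRequest = (srcMac, spa, tpa) =>
  buildArp(OP_REQUEST, BCAST, srcMac, srcMac, spa, Buffer.alloc(6), tpa);

// Decide what the hypervisor does with a frame leaving one vNIC.
// port  = { mac, ip, interstellarId, resonanceIds, ouis }   the vNIC's bindings
// peers = Map of dotted IP -> MAC for VMs whose leases the decentralized DHCP
//         handed out (assumed to be the "who is who" data ARPless answers from)
function filterEgress(frame, port, peers) {
  const eth = parseEthernet(frame);
  if (!eth.src.equals(port.mac)) return { action: 'DROP', reason: 'spoofed source MAC' };
  const allowed = new Set([port.interstellarId, ...port.resonanceIds]);
  if (eth.type === ETH_ARP) {
    const arp = parseArp(eth.payload);
    if (!arp || !arp.sha.equals(port.mac) || !arp.spa.equals(port.ip))
      return { action: 'DROP', reason: 'ARP sender fields do not match port binding' };
    // Requests are answered here and never put on the wire. Replies (including the
    // gratuitous ones used for cache poisoning) and opcodes 3-9 are not forwarded.
    if (arp.op !== OP_REQUEST) return { action: 'DROP', reason: `ARP opcode ${arp.op} not forwarded` };
    const target = peers.get(Array.from(arp.tpa).join('.'));
    if (!target || !allowed.has(interstellarOf(target)))
      return { action: 'DROP', reason: 'ARP target unknown or outside Interstellar' };
    return { action: 'REPLY', frame: buildArp(OP_REPLY, port.mac, target, target, arp.tpa, port.mac, port.ip) };
  }
  // Other traffic: only same-Interstellar / Resonance destinations, or physical
  // infrastructure whose OUI was explicitly admitted (Interstellar OUI).
  const dstId = interstellarOf(eth.dst);
  const ok = dstId !== null ? allowed.has(dstId) : port.ouis.has(eth.dst.subarray(0, 3).toString('hex'));
  return ok ? { action: 'FORWARD' } : { action: 'DROP', reason: 'destination outside Interstellar' };
}

// Constructed sample: VMs A and B share Interstellar 0x0abcdef; C sits in 0x0000001.
const vmB = makeMac(0x0abcdef, 2), vmC = makeMac(0x0000001, 3);
const vmA = { mac: makeMac(0x0abcdef, 1), ip: ip('10.0.0.1'), interstellarId: 0x0abcdef,
              resonanceIds: [], ouis: new Set(['aabbcc']) };   // 'aabbcc' is a placeholder OUI
const peers = new Map([['10.0.0.2', vmB], ['10.0.0.3', vmC]]);
```

Because requests never leave the port and replies from guests are never forwarded, a guest's ARP cache can only ever hold what its own hypervisor answered.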

We have an excellent video to sharpen your skills at the link below.

■ Network Security with Arpless Interstellar

More information is available at:
■ synchroknot.com


Decentralized Blockchain Identity Management

Blockchain is one of the fastest growing sectors world-wide. SynchroKnot focuses on different aspects of the blockchain technologies and utilizes them in its own, unique perspective.

One of the many unique blockchain innovations SynchroKnot has engineered is the Decentralized Identity Management System, which uses fast blockchain cryptography in real time to confirm user identity and all the users’ REST-based and other requests.

Here the main advantage is that there are no passwords, checksums or salts kept on the server or anywhere else, for that matter.

The inherent uniqueness is further magnified with the integration of multi-fault-tolerant standard LDAP and Active Directory, if required, for an additional layer of security.

Highlights and Steps:

■ 1] Identify the people to whom you want to give access rights and the type of access.

■ 2] Add their Blockchain ID [ public blockchain address – Eg. Bitcoin Address ]. That’s it. Nothing to do.

■ The user can log in successfully with his / her Blockchain ID and the Blockchain ID of the Spatial Cluster. The user only uses his / her Blockchain Private Key to sign a Spatial Nonce Fingerprint [ invisible to the user ]. The Private Key is only used in the browser to sign and not sent to the server.

■ Once successfully authenticated, a Signed Nonce Fingerprint, among other things, is injected into the browser cookie. No need to login again!

■ ONLY the Blockchain ID [ Bitcoin Address ] of the user(s) is present on the Spatial Fabric Array(s). No checksums, salts, signatures, hashes, keys, passwords etc. Nothing else.

The demonstration video at the link below depicts the following:

■ Authorized user logging in his/her Blockchain Identity and Active Directory / LDAP password.

■ For the purpose of demonstration, the user first logs in without the password and is prompted to enter the password as Level 2 Security [ie LDAP and Active Directory] is enabled. Then the user enters a wrong password which is rejected by the designated Active Directory / LDAP server(s). On the third attempt the user successfully logs into the SynchroKnot Infrastructure Engine.

■ In this demonstration, for the purposes of testing, the password is authenticated against the first 3 LDAP servers designated to the user and fails, and then successfully authenticates against the 4th LDAP server.

■ Speed is clearly visible, in spite of multiple, complex security and cryptographic operations being performed by SynchroKnot.

Note: The demonstration video does not depict the latest version, but it does give a clear visual understanding.

This demonstration video is available at the link below:

■ Decentralized Heterogeneous Blockchain Identity Management

More information is available at:
synchroknot.com


Decentralized Virtual Machines : What Are They?

Decentralized virtual machines are those that do not have a centralized orchestrator, as seen with software such as VMware, OpenStack, Kubernetes, Docker, Hyper-V and others.

In other words, they are not managed via centralized control point(s) but instead by their de-orchestrator [decentralized orchestrator] on the hardware where they operate. The de-orchestrator additionally allows the management of all other virtual machines running on separate hardware at decentralized locations anywhere in the world, in parallel!

The only known de-orchestrator that can do this today, along with a myriad of extra add-on features, is a small yet important part of the SynchroKnot Cloud Computing Software.

In this article we will talk about the creation, storing, snapshots and relocation [live migration] of these decentralized virtual machines.

The SynchroKnot software takes regular, standard QEMU KVM virtual machines [the same ones used in OpenStack] and enables them with decentralized features and capabilities.

Let’s count a few unique features before moving forward:

■ They can be used as High-Performance Desktop and Server Virtual Machines, as they sit directly on storage. There is no Network Latency and Dependency, since the hard drives are NOT accessed over wire. Furthermore, there is no complexity as there is NO SAN / NAS / Distributed File or Block Storage used.

■ Copy-on-Write based independent replica(s) [ writable snapshots ] can be created in under a second even if the virtual machine is running under high-load situations.

■ Replication, Recovery and Disaster Recovery is possible with FASTR [Fast Asynchronous Triggered Replication] which is very simple to set up, replicate and recover.

■ Automatic or Static Virtual Machine creation on any or a specific refined group anywhere on any commodity hardware [x86_64] in the world.

■ Efficient direct access to the virtual machine console using VNC and/or SPICE without proxies / brokers.

The direct access offers web browser view via HTML5 and/or Java [applet]. It also displays the IP address and port(s) for access via regular [non-web-browser-based] clients. Dynamic-static automatic port allotment without the use of any database allows the same port to be accessed every time, which is very useful for non-web-browser-based clients.

■ Dynamic Static Public and Private IP addresses and related other features with decentralized DHCP. You don’t have to depend on a centralized DHCP server unless you want to, and you do not have to manually configure the virtual machines to give them IP addresses, among other things.

Eg. you can assign ANY Name, IP Address [Public/Private IPv4 IP Address], Netmask, Broadcast, Default Gateway, MTU [Maximum Transfer Unit], NTP, DNS, Domain Name, Domain Search, Log Server, NETBIOS [Name Servers, Datagram Distribution and Node-Type], SMTP server, POP3 server, plus also, Enable IP Forwarding, Set TCP Keepalive, Set Multiple Classless Static Routes and more.

Further, if you need to point your virtual machine[s] to a centralized DHCP server[s], you can use the built-in secure DHCPCAST feature. This feature allows the virtual machine[s] to get their IP address[es] from a specific DHCP server.

■ Automatic or Static Decentralized Creation and Relocation [we will learn about that below].

■ Extreme ease and flexibility in management and de-orchestration with the built-in infrastructure engine which has the simplicity and look of a search engine, but instead, has actual intelligence built-in to control and manage end-to-end decentralized infrastructure in real-time.

■ Extreme ease in control, as the user interface is designed and built at the intersection and fusion of commandline interface and graphical web user interface for scalable precision control.

■ Password-less login using proven blockchain cryptography. Simply login with just your Blockchain/Bitcoin ID to manage the virtual machines. No passwords, checksums, salts etc. used or kept anywhere. Further, if your organization requires, you can additionally and easily integrate it with your existing LDAP and/or Active Directory servers.

■ Strong network security is provided at layer 2 with a special feature of Interstellars and ARPless Interstellars.

…… and much more.

[Demonstration videos and an in-depth explanation of features is available at the official website for those who are interested.]

Before we get started, here is a brief warm-up on the terminology used:

Spacesuit: virtual machine template. New virtual machines are created from this.
Spatial Fabric Satellite: any physical machine [commodity [x86_64] server/workstation/desktop/embedded device] where the tenant has the hardware resource to run their virtual machines.
Spatial Fabric Array: bifurcated hardware resources [CPU, Memory, Network, Storage] assigned to the tenant on the Spatial Fabric Satellite.
Microcosm: tag(s) related to where the Spatial Fabric Array is located [eg. row, rack/shelf, CPU type, network type, topology etc]. 
Macrocosm: tag(s) related to region where the Spatial Fabric Array is located [town, city, state, country, zip code, north, south, east, west, ne, nw, se, sw etc]. 
Intercosm: tag(s) related to group/team/provider identification [names/Blockchain id] for correspondence, management and support, and a combination of Microcosm and Macrocosm.

Note: Microcosm, Macrocosm and Intercosm can be set and updated by the tenant.

█║ Virtual Machine Creation

Virtual machines can be created with great ease and speed with minimal storage utilization due to the copy-on-write feature of the ZFS file system. The complexity of management and maintenance of virtual machine volumes, snapshots, clones and their deeply intertwined inter-dependencies is greatly minimized-to-eliminated with the built-in automatic Transparent Interdependent Volume Removal feature, so there is no need for user intervention.

Here are some of the multifarious ways you can create virtual machines:

■ Auto Create a Virtual Machine from a Spacesuit [ ie. from a virtual machine template ].
■ Auto Create a Virtual Machine from a Spacesuit on a Spatial Fabric Array with high or low performance.
■ Auto Create a Virtual Machine from a Spacesuit on a Spatial Fabric Array from a refined group using Microcosm / Macrocosm / Intercosm or their combination. Further automatically choose a Spatial Fabric Array with high or low performance.
■ Manually Create Virtual Machine from Spacesuit on a specific Spatial Fabric Array.
■ Auto Create Virtual Machine from an existing Virtual Machine [not Spacesuit].
■ Manually Create Virtual Machine from an existing Virtual Machine on a specific Spatial Fabric Array.
■ Auto Create a Spacesuit from an existing Virtual Machine.
■ Manually Create a Spacesuit from an existing Virtual Machine on a specific Spatial Fabric Array.
■ Create from Spacesuits or Virtual Machines while they are running [ switched on ] without disruption.

All these complex operations use the Decentralized Resource Radar to ascertain and intelligently trigger after retrieving metadata in real-time.

Below is a link to a video demonstration from an older version, but it is enough to give an idea:

Create decentralized virtual machines


█║ Decentralized Automatic and Manual Virtual Machine Relocation

Similar to the creation, the relocation [live migration] is also quite unique:

■ Auto Relocate virtual machines with their storage without knowing where the virtual machine you intend to relocate resides and without knowing who the receiver will be. Further, the receiver does not know who the sender will be. Just the name with the relocate trigger or the click of the Auto Relocate button. Everything is auto-ascertained and executed by the decentralized resource radar, without reading a central or distributed database or resource.
■ Manually relocate to a specific Spatial Fabric Array by simply giving its IP address.
■ Auto relocate to a refined group of Spatial Fabric Arrays with the help of Microcosm, Macrocosm and Intercosm [ individually or their combination ].
■ Auto relocate to high or low performance Spatial Fabric Arrays by simply adding performance:[high / low]. Further, use it with Microcosm, Macrocosm and Intercosm [ individually or their combination ].

Here is a demonstration video:

Decentralized Automatic and Manual Virtual Machine Relocation

█║ Virtual Machine Replicas [Snapshots]

Replicas are writable snapshots of virtual machines which can be created in under a second even if the virtual machine is active and running under high-load situations.

Replicas don’t relocate with the virtual machines, which avoids the burden of tugging snapshots along, yet they remain available to revert to the original or to create new virtual machines from.

Replicas allow you to move back and forth in time with specific granularity and ease.

Here is a demonstration video:
Virtual Machine Replica

Moving virtual machines from VMware, Openstack and related virtualization technologies onto SynchroKnot can be as simple as converting/changing their virtual disk format and sometimes not even that!

In this article, we have made an attempt to present some of the qualities of decentralized virtual machines. Now you can be in a better position to ascertain the real-world benefits [if any] to your organization.

For full description and technical overview of all the features please visit synchroknot.com