Confidentiality, Integrity and High Availability with Open Source IT green

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

This paper presents the elements that form the structure of a data network using secure, stable and mature technologies that meet the requirement of being free (open) code. In principle, open code would seem to conflict with wanting to keep maximum control over the data, but it is already evident that open source does not hide the notorious backdoors that are possible in closed-source systems. We base this work on experience gained in a real environment, and use paravirtualization to show a more critical situation that is now real in most companies: the virtualization of servers.


💡 Research Summary

The paper titled “Confidentiality, Integrity and High Availability with Open Source IT” describes a practical implementation of a high‑availability (HA) infrastructure built entirely from open‑source components, aimed at protecting data confidentiality and integrity while ensuring continuous service. The authors base their work on real‑world experience in a company that provides IT services to municipal networks, a setting that is frequently targeted by external and internal attacks. To avoid the high costs of proprietary software, they propose a solution that relies on mature, stable open‑source technologies and paravirtualization.

Hardware platform – Four low‑end servers are used: two primary servers (dual‑core 1.6 GHz CPUs, 1 GB RAM, 80 GB HDD) and two secondary servers (single‑core 1.6 GHz CPUs, 512 MB RAM, 40 GB HDD). One of the primary servers runs Windows, the other runs Debian Linux. A 100 Mbps switch interconnects all machines. Xen is chosen as the hypervisor to provide paravirtualized virtual machines (VM1‑VM4).

Software stack – The authors assemble a comprehensive stack:

  • Database – PostgreSQL (version unspecified) is selected for its full ACID compliance, foreign‑key support, stored procedures, and broad platform compatibility. The authors argue that PostgreSQL offers greater stability and easier recovery than MySQL.
  • File sharing – Samba (for Windows clients) and NFS (for Linux‑to‑Linux sharing) are deployed in parallel, allowing heterogeneous client environments to access a common data repository.
  • Security – OpenSSH provides encrypted remote access; Snort, together with the BASE/SGUIL visualization tools, acts as an intrusion detection system (IDS); IPTABLES implements packet‑filtering firewalls. The paper lists typical attack patterns (buffer overflows, stealth scans, web‑app attacks) that Snort can detect.
  • High‑availability – DRBD (Distributed Replicated Block Device) mirrors block devices between the two physical nodes. The configuration uses the “allow‑two‑primaries” option so that both nodes can act as primary simultaneously. Heartbeat‑2 (the Linux‑HA project) monitors node health, detects failures, and triggers automatic failover of virtual machines.
  • Web services – Apache HTTP Server 2 and PHP 5 provide a dynamic web platform. The authors note that PHP 5 offers better object‑oriented features and security updates compared with the deprecated PHP 4.

Installation and configuration – The paper gives step‑by‑step commands for installing Debian Etch, partitioning with the journaling file system ext3, setting up NFS exports, configuring Samba shares, compiling DRBD kernel modules, creating the DRBD resource file, and establishing Heartbeat clusters. Scripts are provided to mount the DRBD device at boot and to start Heartbeat before Xen virtual machines.

Test methodology – Two physical servers each host two virtual machines (Server 1: VM1, VM2; Server 2: VM3, VM4). The authors conduct failure injection experiments:

  1. Stopping the Heartbeat service on Server 1, causing Heartbeat on Server 2 to detect the failure and boot VM1 and VM2 on Server 2.
  2. Power‑off of Server 2, with Heartbeat on Server 1 detecting the outage and booting VM3 and VM4.
  3. Simulating DRBD disk failures and forcing primary/secondary role changes.

Metrics recorded include time to detect failure, time to bring the affected VMs back online, DRBD synchronization latency, and overall service continuity. The reported results show that failover typically completes within 20‑30 seconds, and DRBD keeps the block devices synchronized with a latency of 1‑2 seconds.

Critical assessment – The paper succeeds in demonstrating that a fully open‑source HA solution can be assembled with modest hardware and achieve rapid recovery. The detailed configuration snippets are valuable for practitioners. However, several limitations reduce the scholarly impact:

  • Performance data – The evaluation relies on qualitative statements; quantitative benchmarks such as transactions per second (TPS), CPU utilization, or network throughput under load are absent. This makes it difficult to compare the solution against commercial alternatives.
  • Scalability – All tests are performed on low‑end machines with a total of four VMs. No discussion is provided on how the architecture would behave with dozens of nodes, higher I/O workloads, or multi‑tenant environments.
  • Security depth – While SSH, Snort, and IPTABLES are mentioned, the paper does not address key management, certificate rotation, or hardening of the DRBD/Heartbeat communication channels, which are critical for maintaining confidentiality and integrity in production.
  • Virtualization choices – Xen is used in paravirtualized mode, but the authors do not compare it with full virtualization (HVM) or other hypervisors (KVM, VMware). Consequently, readers lack guidance on selecting the optimal virtualization layer for their workload.
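
The dual-primary DRBD setup and the unhardened DRBD/Heartbeat channels noted above can be checked mechanically. The following is an added example, not code from the paper: a small audit of a DRBD resource definition and a Heartbeat authkeys file, assuming DRBD 8.x option names and constructed sample inputs (host sections omitted, secrets are placeholders).

```python
import re

# Constructed inputs (not from the paper), DRBD 8.x and Heartbeat authkeys syntax.
WEAK_DRBD = """
resource r0 {
  protocol C;
  net { allow-two-primaries; }
}
"""
HARDENED_DRBD = """
resource r0 {
  protocol C;
  net {
    allow-two-primaries;
    cram-hmac-alg "sha1";            # peers prove knowledge of shared-secret
    shared-secret "REPLACE_ME";      # placeholder value
    after-sb-0pri discard-zero-changes;
    after-sb-1pri discard-secondary;
    after-sb-2pri disconnect;        # never auto-resolve with two primaries
  }
}
"""
WEAK_AUTHKEYS = "auth 1\n1 crc\n"
HARDENED_AUTHKEYS = "auth 1\n1 sha1 REPLACE_ME\n"

def _clean(text):
    return re.sub(r"#.*", "", text)   # drop comments

def audit_drbd(text):
    """Findings for the replication link of a DRBD resource definition."""
    text, out = _clean(text), []
    has = lambda opt: re.search(r"(?<![\w-])%s(?![\w-])" % re.escape(opt), text) is not None
    if not (has("cram-hmac-alg") and has("shared-secret")):
        out.append("drbd: peer not authenticated (cram-hmac-alg/shared-secret missing)")
    if has("allow-two-primaries"):
        gaps = [o for o in ("after-sb-0pri", "after-sb-1pri", "after-sb-2pri") if not has(o)]
        if gaps:
            out.append("drbd: dual-primary without split-brain policy: " + ", ".join(gaps))
        if not re.search(r"\bprotocol\s+C\b", text):
            out.append("drbd: dual-primary needs synchronous protocol C")
    return out

def audit_authkeys(text):
    """Findings for a Heartbeat authkeys file ('auth N' selects key line N)."""
    rows = [l.split() for l in _clean(text).splitlines() if l.split()]
    active = next((r[1] for r in rows if r[0] == "auth" and len(r) > 1), None)
    entry = {r[0]: r[1:] for r in rows if r[0] != "auth"}.get(active)
    if not entry:
        return ["heartbeat: no usable key selected by 'auth'"]
    if entry[0] == "crc":
        return ["heartbeat: crc only detects corruption, it does not authenticate nodes"]
    return [] if len(entry) > 1 else ["heartbeat: %s key has no secret" % entry[0]]
```

DRBD peer authentication does not encrypt replication traffic, so confidentiality on that link still depends on a dedicated network segment or a tunnel. Heartbeat also expects the authkeys file to be readable by root only (mode 600).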

Conclusion and future work – The authors conclude that open‑source technologies can meet the triad of confidentiality, integrity, and high availability without incurring the licensing costs of proprietary products. They suggest future research directions including extensive performance benchmarking, automated deployment pipelines (e.g., using Ansible or Puppet), and integration with cloud‑native orchestration frameworks such as OpenStack or Kubernetes.

Overall, the paper provides a useful, hands‑on blueprint for building a cost‑effective HA infrastructure with open‑source tools, but it would benefit from deeper performance analysis, broader scalability testing, and more comprehensive security hardening guidelines.

