A connection management protocol for stateful inspection firewalls in multi-homed networks

Jin Ho Kim, Heejo Lee, Saewoong Bahk

Research output: Contribution to journal (Article)

Abstract

To provide network services consistently under various network failures, enterprise networks increasingly utilize path diversity through multi-homing. As a result, multi-homed non-transit autonomous systems have come to outnumber single-homed networks. In this paper, we address an inevitable problem that occurs when networks with multiple entry points deploy firewalls at their borders. The majority of today's firewalls use stateful inspection, which exploits connection state for fine-grained control. However, stateful inspection has a topological restriction: the outgoing and incoming traffic of a connection must pass through a single firewall for the desired packet filtering operation to be executed. Multi-homed networking environments suffer from this restriction, and BGP policies provide only coarse control over communication paths. Due to these features and the characteristics of datagram routing, there is a real possibility of asymmetric routing. The resulting mismatch between the exit and entry firewalls for a connection causes connection establishment failures. In this paper, we formulate this phenomenon as a state-sharing problem among multiple firewalls under asymmetric routing conditions. To solve this problem, we propose a stateful inspection protocol that requires very low processing and messaging overhead. Our protocol consists of the following two phases: 1) generation of a TCP SYN cookie marked with the firewall identification number upon arrival of a SYN packet, and 2) state sharing triggered by arrival of a SYN/ACK packet in the absence of any trail of its initial SYN packet. We demonstrate that our protocol is scalable, robust, and simple enough to be deployed in high-speed networks. It also works transparently under any client-server configuration. Last but not least, we present experimental results from a prototype implementation.
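As an added illustration of the two phases the abstract describes (example code written for this page, not the paper's own implementation): a toy Python simulation in which the exit firewall marks the SYN cookie with its identification number, and the entry firewall, seeing a SYN/ACK with no trail of the SYN, verifies the cookie, reads the marked id and pulls the connection state from that peer before restoring the client's sequence numbers. The cookie layout (8-bit firewall id plus a 24-bit keyed hash), the rewriting of the client's ISN, the in-memory peer lookup that stands in for the state-sharing message, and all addresses are assumptions made for illustration.

```python
import hmac, hashlib

SECRET = b"constructed-shared-secret"   # constructed key shared by the border firewalls (assumption)
ID_BITS = 8                              # assumption: top 8 bits of the 32-bit cookie carry the firewall id
MAC_MASK = (1 << (32 - ID_BITS)) - 1     # remaining 24 bits hold a keyed hash of the flow and time slot

def _mac(flow, t):
    msg = f"{flow}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big") & MAC_MASK

def make_cookie(fw_id, flow, t):
    """Phase 1: SYN cookie whose top bits name the generating firewall."""
    return (fw_id << (32 - ID_BITS)) | _mac(flow, t)

def cookie_owner(cookie, flow, t):
    """Firewall id marked in the cookie, or None if the keyed hash does not verify."""
    for slot in (t, t - 1):              # tolerate one time slot of clock skew
        if cookie & MAC_MASK == _mac(flow, slot):
            return cookie >> (32 - ID_BITS)
    return None

class Firewall:
    def __init__(self, fw_id, peers):
        self.fw_id, self.peers, self.state, self.shared = fw_id, peers, {}, 0
        peers[fw_id] = self              # peers: id -> firewall, standing in for the state-sharing channel

    def on_syn(self, pkt, t):
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])   # keyed on the client side
        cookie = make_cookie(self.fw_id, flow, t)
        self.state[flow] = {"client_isn": pkt["seq"], "cookie": cookie}
        return dict(pkt, seq=cookie)     # assumption: client ISN is rewritten to the marked cookie

    def on_synack(self, pkt, t):
        flow = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if flow not in self.state:       # asymmetric return path: no trail of the original SYN here
            owner = cookie_owner((pkt["ack"] - 1) & 0xFFFFFFFF, flow, t)
            shared = self.peers[owner].state.get(flow) if owner in self.peers else None
            if owner == self.fw_id or shared is None:
                return None              # cookie does not verify or no peer holds state: drop
            self.state[flow] = dict(shared)   # Phase 2: one state-sharing exchange with the marked peer
            self.shared += 1
        st = self.state[flow]
        st["established"] = True
        return dict(pkt, ack=(st["client_isn"] + 1) & 0xFFFFFFFF)   # restore the client's ISN + 1

def run_asymmetric_handshake():
    """SYN leaves through FW1, the SYN/ACK returns through FW2; a forged SYN/ACK is also tried."""
    peers = {}
    fw1, fw2 = Firewall(1, peers), Firewall(2, peers)
    syn = {"src": "10.0.0.5", "sport": 40000, "dst": "203.0.113.9", "dport": 443, "seq": 1000}
    out = fw1.on_syn(syn, t=17)
    synack = {"src": "203.0.113.9", "sport": 443, "dst": "10.0.0.5", "dport": 40000,
              "seq": 5000, "ack": out["seq"] + 1}            # server echoes cookie + 1
    back = fw2.on_synack(synack, t=17)
    forged = fw2.on_synack(dict(synack, dst="10.0.0.6", ack=0x01ABCDEF), t=17)
    return back, fw2.shared, forged
```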

Original language: English
Pages (from-to): 455-464
Number of pages: 10
Journal: Journal of Communications and Networks
Volume: 10
Issue number: 4
Publication status: Published - 2008 Dec 1

Keywords

  • Connection management protocol
  • Multi-homed networks
  • Network security
  • Routing asymmetry
  • Stateful inspection firewalls
  • SYN cookies

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems

Cite this

A connection management protocol for stateful inspection firewalls in multi-homed networks. / Kim, Jin Ho; Lee, Heejo; Bahk, Saewoong.

In: Journal of Communications and Networks, Vol. 10, No. 4, 01.12.2008, p. 455-464.

@article{724aaf2b6bf14d2f96ce95d59d6d4ef7,
title = "A connection management protocol for stateful inspection firewalls in multi-homed networks",
abstract = "To provide network services consistently under various network failures, enterprise networks increasingly utilize path diversity through multi-homing. As a result, multi-homed non-transit autonomous systems have come to outnumber single-homed networks. In this paper, we address an inevitable problem that occurs when networks with multiple entry points deploy firewalls at their borders. The majority of today's firewalls use stateful inspection, which exploits connection state for fine-grained control. However, stateful inspection has a topological restriction: the outgoing and incoming traffic of a connection must pass through a single firewall for the desired packet filtering operation to be executed. Multi-homed networking environments suffer from this restriction, and BGP policies provide only coarse control over communication paths. Due to these features and the characteristics of datagram routing, there is a real possibility of asymmetric routing. The resulting mismatch between the exit and entry firewalls for a connection causes connection establishment failures. In this paper, we formulate this phenomenon as a state-sharing problem among multiple firewalls under asymmetric routing conditions. To solve this problem, we propose a stateful inspection protocol that requires very low processing and messaging overhead. Our protocol consists of the following two phases: 1) generation of a TCP SYN cookie marked with the firewall identification number upon arrival of a SYN packet, and 2) state sharing triggered by arrival of a SYN/ACK packet in the absence of any trail of its initial SYN packet. We demonstrate that our protocol is scalable, robust, and simple enough to be deployed in high-speed networks. It also works transparently under any client-server configuration. Last but not least, we present experimental results from a prototype implementation.",
keywords = "Connection management protocol, Multi-homed networks, Network security, Routing asymmetry, Stateful inspection firewalls, SYN cookies",
author = "Kim, {Jin Ho} and Heejo Lee and Saewoong Bahk",
year = "2008",
month = "12",
day = "1",
language = "English",
volume = "10",
pages = "455--464",
journal = "Journal of Communications and Networks",
issn = "1229-2370",
publisher = "Korean Institute of Communication Sciences",
number = "4",
}

TY - JOUR

T1 - A connection management protocol for stateful inspection firewalls in multi-homed networks

AU - Kim, Jin Ho

AU - Lee, Heejo

AU - Bahk, Saewoong

PY - 2008/12/1

Y1 - 2008/12/1

AB - To provide network services consistently under various network failures, enterprise networks increasingly utilize path diversity through multi-homing. As a result, multi-homed non-transit autonomous systems have come to outnumber single-homed networks. In this paper, we address an inevitable problem that occurs when networks with multiple entry points deploy firewalls at their borders. The majority of today's firewalls use stateful inspection, which exploits connection state for fine-grained control. However, stateful inspection has a topological restriction: the outgoing and incoming traffic of a connection must pass through a single firewall for the desired packet filtering operation to be executed. Multi-homed networking environments suffer from this restriction, and BGP policies provide only coarse control over communication paths. Due to these features and the characteristics of datagram routing, there is a real possibility of asymmetric routing. The resulting mismatch between the exit and entry firewalls for a connection causes connection establishment failures. In this paper, we formulate this phenomenon as a state-sharing problem among multiple firewalls under asymmetric routing conditions. To solve this problem, we propose a stateful inspection protocol that requires very low processing and messaging overhead. Our protocol consists of the following two phases: 1) generation of a TCP SYN cookie marked with the firewall identification number upon arrival of a SYN packet, and 2) state sharing triggered by arrival of a SYN/ACK packet in the absence of any trail of its initial SYN packet. We demonstrate that our protocol is scalable, robust, and simple enough to be deployed in high-speed networks. It also works transparently under any client-server configuration. Last but not least, we present experimental results from a prototype implementation.

KW - Connection management protocol

KW - Multi-homed networks

KW - Network security

KW - Routing asymmetry

KW - Stateful inspection firewalls

KW - SYN cookies

UR - http://www.scopus.com/inward/record.url?scp=58849134931&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=58849134931&partnerID=8YFLogxK

M3 - Article

AN - SCOPUS:58849134931

VL - 10

SP - 455

EP - 464

JO - Journal of Communications and Networks

JF - Journal of Communications and Networks

SN - 1229-2370

IS - 4

ER -