A connection management protocol for stateful inspection firewalls in multi-homed networks

Jin Ho Kim, Heejo Lee, Saewoong Bahk

Research output: Contribution to journalArticle

Abstract

To provide network services consistently under various network failures, enterprise networks increasingly utilize path diversity through multi-homing. As a result, multi-homed non-transit autonomous systems become to surpass single-homed networks in number. In this paper, we address an inevitable problem that occurs when networks with multiple entry points deploy firewalls in their borders. The majority of today's firewalls use stateful inspection that exploits connection state for fine-grained control. However, stateful inspection has a topological restriction such that outgoing and incoming traffic of a connection should pass through a single fire-wall to execute desired packet filtering operation. Multi-homed networking environments suffer from this restriction and BGP policies provide only coarse control over communication paths. Due to these features and the characteristics of datagram routing, there exists a real possibility of asymmetric routing. This mismatch between the exit and entry firewalls for a connection causes connection establishment failures. In this paper, we formulate this phenomenon into a state-sharing problem among multiple firewalls under asymmetric routing condition. To solve this problem, we propose a stateful inspection protocol that requires very low processing and messaging overhead. Our protocol consists of the following two phases: 1) Generation of a TCP SYN cookie marked with the firewall identification number upon a SYN packet arrival, and 2) state sharing triggered by a SYN/ACK packet arrival in the absence of the trail of its initial SYN packet. We demonstrate that our protocol is scalable, robust, and simple enough to be deployed for high speed networks. It also transparently works under any client-server configurations. Last but not least, we present experimental results through a prototype implementation.

Original languageEnglish
Pages (from-to)455-464
Number of pages10
JournalJournal of Communications and Networks
Volume10
Issue number4
DOIs
Publication statusPublished - 2008 Dec

Keywords

  • Connection management protocol
  • Multi-homed networks
  • Network security
  • Routing asymmetry
  • SYN cookies
  • Stateful inspection firewalls

ASJC Scopus subject areas

  • Information Systems
  • Computer Networks and Communications

Fingerprint Dive into the research topics of 'A connection management protocol for stateful inspection firewalls in multi-homed networks'. Together they form a unique fingerprint.

  • Cite this