A connection management protocol for stateful inspection firewalls in multi-homed networks

Jin Ho Kim, Saewoong Bahk, Heejo Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Citations (Scopus)

Abstract

To provide network services consistently under various network failures, enterprise networks increasingly utilize path diversity through multi-homing. As a result, multi-homed non-transit autonomous systems (ASes) have come to surpass single-homed networks in number. In this paper, we address an inevitable problem that occurs when networks with multiple entry points deploy stateful inspection firewalls at their borders, and we formulate it as a state-sharing problem among multiple firewalls under asymmetric routing conditions. To solve this problem, we propose a stateful inspection protocol that requires very low processing and messaging overhead. Our protocol consists of two phases: 1) generation of a TCP SYN cookie marked with the firewall identification number upon arrival of a SYN packet, and 2) state sharing triggered by arrival of a SYN/ACK packet for which no trace of the initial SYN packet exists. We demonstrate that our protocol is scalable, robust, and simple enough to be deployed in high-speed networks. It also works transparently under any client-server configuration. Last but not least, we present experimental results from a prototype implementation.

Original language: English
Title of host publication: IEEE International Conference on Communications
Pages: 1887-1891
Number of pages: 5
Volume: 4
Publication status: Published - 2004
Event: 2004 IEEE International Conference on Communications - Paris, France
Duration: 2004 Jun 20 to 2004 Jun 24

Other

Other: 2004 IEEE International Conference on Communications
Country: France
City: Paris
Period: 04/6/20 to 04/6/24

Fingerprint

Computer system firewalls
Inspection
Network protocols
High speed networks
Servers
Processing
Industry

ASJC Scopus subject areas

  • Media Technology

Cite this

Kim, J. H., Bahk, S., & Lee, H. (2004). A connection management protocol for stateful inspection firewalls in multi-homed networks. In IEEE International Conference on Communications (Vol. 4, pp. 1887-1891)

A connection management protocol for stateful inspection firewalls in multi-homed networks. / Kim, Jin Ho; Bahk, Saewoong; Lee, Heejo.

IEEE International Conference on Communications. Vol. 4 2004. p. 1887-1891.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Kim, JH, Bahk, S & Lee, H 2004, A connection management protocol for stateful inspection firewalls in multi-homed networks. in IEEE International Conference on Communications. vol. 4, pp. 1887-1891, 2004 IEEE International Conference on Communications, Paris, France, 04/6/20.
Kim JH, Bahk S, Lee H. A connection management protocol for stateful inspection firewalls in multi-homed networks. In IEEE International Conference on Communications. Vol. 4. 2004. p. 1887-1891
Kim, Jin Ho ; Bahk, Saewoong ; Lee, Heejo. / A connection management protocol for stateful inspection firewalls in multi-homed networks. IEEE International Conference on Communications. Vol. 4 2004. pp. 1887-1891
@inproceedings{1f554137a60d44719e5979500c860755,
title = "A connection management protocol for stateful inspection firewalls in multi-homed networks",
author = "Kim, {Jin Ho} and Saewoong Bahk and Heejo Lee",
year = "2004",
language = "English",
volume = "4",
pages = "1887--1891",
booktitle = "IEEE International Conference on Communications",

}

TY - GEN

T1 - A connection management protocol for stateful inspection firewalls in multi-homed networks

AU - Kim, Jin Ho

AU - Bahk, Saewoong

AU - Lee, Heejo

PY - 2004

Y1 - 2004

UR - http://www.scopus.com/inward/record.url?scp=4143088214&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=4143088214&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:4143088214

VL - 4

SP - 1887

EP - 1891

BT - IEEE International Conference on Communications

ER -