A Connection Management Protocol for Stateful Inspection Firewalls in Multi-Homed Networks
- Authors
- Kim, Jin-Ho; Lee, Heejo; Bahk, Saewoong
- Issue Date
- 12월-2008
- Publisher
- KOREAN INST COMMUNICATIONS SCIENCES (K I C S)
- Keywords
- Connection management protocol; multi-homed networks; network security; routing asymmetry; stateful inspection firewalls; SYN cookies
- Citation
- JOURNAL OF COMMUNICATIONS AND NETWORKS, v.10, no.4, pp.455 - 464
- Indexed
- SCIE
SCOPUS
KCI
- Journal Title
- JOURNAL OF COMMUNICATIONS AND NETWORKS
- Volume
- 10
- Number
- 4
- Start Page
- 455
- End Page
- 464
- URI
- https://scholar.korea.ac.kr/handle/2021.sw.korea/122321
- DOI
- 10.1109/JCN.2008.6389863
- ISSN
- 1229-2370
- Abstract
- To provide network services consistently under various network failures, enterprise networks increasingly utilize path diversity through multi-homing. As a result, multi-homed non-transit autonomous systems become to surpass single-homed networks in number. In this paper, we address an inevitable problem that occurs when networks with multiple entry points deploy firewalls in their borders. The majority of today's firewalls use stateful inspection that exploits connection state for fine-grained control. However, stateful inspection has a topological restriction such that outgoing and incoming traffic of a connection should pass through a single firewall to execute desired packet filtering operation. Multi-homed networking environments suffer from this restriction and BGP policies provide only coarse control over communication paths. Due to these features and the characteristics of datagram routing, there exists a real possibility of asymmetric routing. This mismatch between the exit and entry firewalls for a connection causes connection establishment failures. In this paper, we formulate this phenomenon into a state-sharing problem among multiple firewalls tinder asymmetric routing condition. To solve this problem, we propose a stateful inspection protocol that requires very low processing and messaging overhead. Our protocol consists, of the following two phases: 1) Generation of a TCP SYN cookie marked with the firewall identification number upon a SYN packet arrival, and 2) state sharing triggered by a SMACK packet arrival in the absence of the trail (if its initial SYN packet. We demonstrate that our protocol is scalable, robust, and simple enough to be deployed for high speed networks. It also transparently works under any client-server configurations. Last but not least, we present experimental results through a prototype implementation.
- Files in This Item
- There are no files associated with this item.
- Appears in
Collections - Graduate School > Department of Computer Science and Engineering > 1. Journal Articles
Items in ScholarWorks are protected by copyright, with all rights reserved, unless otherwise indicated.