
A Connection Management Protocol for Stateful Inspection Firewalls in Multi-Homed Networks  

Kim, Jin-Ho (Google)
Lee, Hee-Jo (Division of Computer and Communication Engineering, Korea University)
Bahk, Sae-Woong (Department of EE, INMC, Seoul National University)
Abstract
To provide network services consistently under various network failures, enterprise networks increasingly exploit path diversity through multi-homing. As a result, multi-homed non-transit autonomous systems have come to outnumber single-homed networks. In this paper, we address an inevitable problem that arises when networks with multiple entry points deploy firewalls at their borders. The majority of today's firewalls use stateful inspection, which exploits connection state for fine-grained control. However, stateful inspection has a topological restriction: the outgoing and incoming traffic of a connection must pass through a single firewall for the desired packet-filtering operation to be performed. Multi-homed networking environments suffer from this restriction, and BGP policies provide only coarse control over communication paths. Because of these features and the characteristics of datagram routing, there is a real possibility of asymmetric routing. The resulting mismatch between the exit and entry firewalls for a connection causes connection establishment failures. In this paper, we formulate this phenomenon as a state-sharing problem among multiple firewalls under asymmetric routing. To solve this problem, we propose a stateful inspection protocol that requires very low processing and messaging overhead. Our protocol consists of two phases: 1) generation of a TCP SYN cookie marked with the firewall identification number upon a SYN packet arrival, and 2) state sharing triggered by a SYN/ACK packet arrival in the absence of any trail of its initial SYN packet. We demonstrate that our protocol is scalable, robust, and simple enough to be deployed in high-speed networks. It also works transparently under any client-server configuration. Last but not least, we present experimental results from a prototype implementation.
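The two-phase protocol the abstract describes, modelled as an added example that is not the authors' prototype code. It assumes that the firewall identification number is carried by rewriting the client's initial sequence number with the marked cookie (so the server's SYN/ACK acknowledgement number brings the mark back), that the firewalls share an HMAC secret so a forged SYN/ACK cannot trigger a state lookup, and that an in-memory dictionary stands in for the inter-firewall messaging channel; the addresses and ports are constructed.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for the demo; the abstract does not describe key management.
SHARED_SECRET = b"constructed-demo-secret"
ID_BITS = 8                      # firewall identification number occupies the top byte
MAC_BITS = 32 - ID_BITS          # remaining bits authenticate the mark
MAC_MASK = (1 << MAC_BITS) - 1
SEQ_MASK = 0xFFFFFFFF


def cookie_mac(fw_id: int, flow: tuple) -> int:
    """Truncated HMAC over (firewall id, 4-tuple) so a forged ack cannot trigger state sharing."""
    msg = struct.pack(">B", fw_id) + repr(flow).encode()
    digest = hmac.new(SHARED_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK


def make_cookie(fw_id: int, flow: tuple) -> int:
    """Phase 1: SYN cookie carrying the firewall id in its top bits."""
    return ((fw_id << MAC_BITS) | cookie_mac(fw_id, flow)) & SEQ_MASK


def parse_cookie(cookie: int, flow: tuple):
    """Recover the originating firewall id, or None when the MAC does not verify."""
    fw_id = cookie >> MAC_BITS
    if (cookie & MAC_MASK) != cookie_mac(fw_id, flow):
        return None
    return fw_id


class Firewall:
    def __init__(self, fw_id: int, peers: dict):
        self.fw_id = fw_id
        self.peers = peers        # id -> Firewall; stands in for the inter-firewall channel
        self.state = {}           # flow -> {"client_isn", "cookie"}
        self.shared = 0           # state-sharing exchanges this firewall initiated

    def outbound_syn(self, flow, client_isn):
        """Record the connection and forward the SYN with the cookie as its sequence number."""
        cookie = make_cookie(self.fw_id, flow)
        self.state[flow] = {"client_isn": client_isn, "cookie": cookie}
        return {"flags": "SYN", "seq": cookie}

    def lookup(self, flow):
        """Answer a peer's state request (phase 2)."""
        return self.state.get(flow)

    def inbound_synack(self, flow, ack):
        """Phase 2: a SYN/ACK with no local trail pulls state from the firewall named in the cookie."""
        cookie = (ack - 1) & SEQ_MASK
        if flow not in self.state:
            origin = parse_cookie(cookie, flow)
            if origin is None or origin not in self.peers:
                return None                   # unsolicited or forged: drop, no lookup traffic
            entry = self.peers[origin].lookup(flow)
            if entry is None:
                return None
            self.state[flow] = entry
            self.shared += 1
        entry = self.state[flow]
        if cookie != entry["cookie"]:
            return None                       # ack does not match the SYN we marked
        # Translate the ack back into the client's sequence space before forwarding inward.
        return {"flags": "SYN/ACK", "ack": (entry["client_isn"] + 1) & SEQ_MASK}


def asymmetric_handshake():
    """SYN leaves through firewall 1, SYN/ACK returns through firewall 2."""
    peers = {}
    fw1, fw2 = Firewall(1, peers), Firewall(2, peers)
    peers.update({1: fw1, 2: fw2})
    flow = ("10.0.0.5", 40000, "203.0.113.10", 80)    # constructed 4-tuple
    client_isn = 0x12345678
    syn = fw1.outbound_syn(flow, client_isn)
    server_ack = (syn["seq"] + 1) & SEQ_MASK          # server acknowledges the cookie
    synack = fw2.inbound_synack(flow, server_ack)
    forged = fw2.inbound_synack(("198.51.100.7", 1, "10.0.0.9", 22), 1)  # no matching SYN anywhere
    return synack, fw2.shared, forged


if __name__ == "__main__":
    print(asymmetric_handshake())
```

The point to notice is that the entry firewall only performs a state lookup after the MAC in the acknowledgement number verifies, so a stray or spoofed SYN/ACK costs one hash computation and no messaging; a real deployment would also have to apply the sequence-number offset to every later packet of the connection, which this model leaves out.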
Keywords
Connection management protocol; multi-homed networks; network security; routing asymmetry; stateful inspection firewalls; SYN cookies;