A Connection Management Protocol for Stateful Inspection Firewalls in Multi-Homed Networks

  • Published : 2008.12.31

Abstract

To provide network services consistently under various network failures, enterprise networks increasingly exploit path diversity through multi-homing. As a result, multi-homed non-transit autonomous systems have come to outnumber single-homed networks. In this paper, we address an inevitable problem that occurs when networks with multiple entry points deploy firewalls at their borders. The majority of today's firewalls use stateful inspection, which exploits connection state for fine-grained control. However, stateful inspection has a topological restriction: the outgoing and incoming traffic of a connection must pass through a single firewall for the desired packet filtering to be performed. Multi-homed networking environments suffer from this restriction, since BGP policies provide only coarse control over communication paths. Because of this, and because of the characteristics of datagram routing, there is a real possibility of asymmetric routing. The resulting mismatch between the exit and entry firewalls of a connection causes connection establishment failures. In this paper, we formulate this phenomenon as a state-sharing problem among multiple firewalls under asymmetric routing. To solve this problem, we propose a stateful inspection protocol that requires very low processing and messaging overhead. Our protocol consists of two phases: 1) generation of a TCP SYN cookie marked with the firewall identification number upon arrival of a SYN packet, and 2) state sharing triggered by the arrival of a SYN/ACK packet at a firewall that holds no trail of the initial SYN packet. We demonstrate that our protocol is scalable, robust, and simple enough to be deployed in high-speed networks. It also works transparently under any client-server configuration. Last but not least, we present experimental results from a prototype implementation.
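The two phases described above, as an added simulation that is not the paper's own code: firewall A tags an outgoing SYN with a cookie carrying its identifier, and firewall B, which receives the SYN/ACK under asymmetric routing without any record of the SYN, recovers the identifier from the acknowledged cookie and pulls the state from A. The cookie layout (4 id bits plus a keyed hash of the 4-tuple), the rewriting of the client's ISN, the in-memory peer lookup, and all addresses and keys are assumptions for illustration.

```python
import hmac, hashlib

ID_BITS = 4  # assumed layout: firewall id in the top 4 bits of the 32-bit cookie

def make_cookie(fw_id, key, flow):
    """Assumed cookie: firewall id in the top bits, keyed hash of the 4-tuple below."""
    mac = hmac.new(key, repr(flow).encode(), hashlib.sha256).digest()
    body = int.from_bytes(mac[:4], "big") & ((1 << (32 - ID_BITS)) - 1)
    return (fw_id << (32 - ID_BITS)) | body

def cookie_fw_id(cookie):
    return cookie >> (32 - ID_BITS)

class Firewall:
    """Border firewall of a multi-homed site; peers maps firewall id -> Firewall."""
    def __init__(self, fw_id, key, peers):
        self.fw_id, self.key, self.peers = fw_id, key, peers
        self.table = {}  # flow 4-tuple -> client's original ISN

    def on_syn(self, flow, isn):
        # Phase 1: record the flow and replace the SYN's ISN with a marked cookie
        self.table[flow] = isn
        return make_cookie(self.fw_id, self.key, flow)

    def share_state(self, flow, cookie):
        # Hand state to a peer only if the cookie really came from this firewall
        if flow in self.table and make_cookie(self.fw_id, self.key, flow) == cookie:
            return self.table[flow]
        return None

    def on_synack(self, flow, ack):
        # flow is the client-side 4-tuple; a genuine SYN/ACK acknowledges cookie + 1
        if flow in self.table:
            return "accept"
        # Phase 2: no trail of the SYN here, so ask the firewall named in the cookie
        cookie = (ack - 1) & 0xFFFFFFFF
        peer = self.peers.get(cookie_fw_id(cookie))
        isn = peer.share_state(flow, cookie) if peer and peer is not self else None
        if isn is None:
            return "drop"
        self.table[flow] = isn  # adopt the state; later segments match locally
        return "accept"

def demo():
    peers, flow = {}, ("10.0.0.5", 40000, "203.0.113.9", 80)  # constructed sample flow
    fw_a, fw_b = Firewall(1, b"key-a", peers), Firewall(2, b"key-b", peers)
    peers.update({1: fw_a, 2: fw_b})
    cookie = fw_a.on_syn(flow, isn=123456)  # SYN leaves the site via firewall A
    other = ("10.0.0.6", 40001, "203.0.113.9", 80)  # flow no firewall has seen
    return {"asymmetric": fw_b.on_synack(flow, cookie + 1),   # SYN/ACK returns via B
            "bad_cookie": fw_b.on_synack(other, cookie + 1)}  # A refuses to share
```

A SYN/ACK whose acknowledgement number does not decode to a peer that can vouch for the flow is dropped, so the shared state is only ever created by the firewall that saw the SYN.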
