Multiprimary Support for the Availability of Cluster-Based Stateful Firewalls Using FT-FW

  • P. Neira
  • R. M. Gasca
  • L. Lefèvre
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5283)


Much research has been done on firewalls during the last decade. The main efforts have focused on improving the computational complexity of packet classification and on ensuring rule-set consistency. Nevertheless, other aspects, such as the fault tolerance of stateful firewalls, remain open. Continued availability of firewalls has become a critical factor for companies and public administrations. Classic fault-tolerant solutions based on redundancy and health-checking mechanisms do not succeed in fulfilling the requirements of stateful firewalls, because a backup node without the flow state of its failed peer cannot continue the established connections. In this work we detail FT-FW, a scalable, software-based, transparent flow-failover mechanism for stateful firewalls, from the multiprimary perspective. Our solution is a reactive fault-tolerance approach at the application level that has a negligible impact in terms of network latency. On top of this, quick recovery from failures and fast responses to clients are guaranteed. The solution is suitable for low-cost off-the-shelf systems, it supports multiprimary workload-sharing scenarios, and no extra hardware is required.
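As an added illustration, written for this page and not taken from FT-FW or from conntrackd, the following Python model shows the problem the abstract names and the effect of application-level flow-state replication between primaries. Two hypothetical nodes (`fw-a`, `fw-b`) share the workload by hashing each flow's 5-tuple; each node admits a new flow only through its rule-set and accepts later packets only if it holds state for that flow. With replication off, the survivor drops the mid-stream packet of a flow its crashed peer had admitted; with replication on, the flow continues. All addresses, ports and node names are constructed sample values.

```python
import zlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Toy model (not FT-FW's code): a flow is identified by its 5-tuple.
FlowKey = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    syn: bool = False  # True for the packet that opens a TCP connection


class StatefulFirewall:
    """One cluster node. New flows are admitted by the rule-set (allowed destination
    ports); later packets are accepted only if the node holds state for their flow."""

    def __init__(self, name: str, allowed_ports: List[int], replicate: bool) -> None:
        self.name = name
        self.allowed_ports = set(allowed_ports)
        self.replicate = replicate            # application-level state replication on/off
        self.flows: Dict[FlowKey, str] = {}   # the node's connection-tracking table
        self.peers: List["StatefulFirewall"] = []
        self.alive = True

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if key in self.flows:
            return "ACCEPT"                   # packet belongs to a tracked flow
        if pkt.syn and pkt.dport in self.allowed_ports:
            self.flows[key] = "ESTABLISHED"   # rule-set admits the new flow
            if self.replicate:
                # Reactive replication: after the verdict, push the new state to the
                # other primaries so any of them can continue this flow.
                for peer in self.peers:
                    if peer.alive:
                        peer.flows[key] = "ESTABLISHED"
            return "ACCEPT"
        return "DROP"                         # mid-stream packet with no state


class MultiprimaryCluster:
    """Workload sharing: each flow is assigned to one live node by hashing its key."""

    def __init__(self, nodes: List[StatefulFirewall]) -> None:
        self.nodes = nodes
        for n in nodes:
            n.peers = [p for p in nodes if p is not n]

    def handle(self, pkt: Packet) -> Tuple[str, str]:
        live = [n for n in self.nodes if n.alive]
        key = f"{pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}/{pkt.proto}".encode()
        node = live[zlib.crc32(key) % len(live)]   # deterministic, unlike hash()
        return node.name, node.filter(pkt)

    def fail(self, name: str) -> None:
        for n in self.nodes:
            if n.name == name:
                n.alive = False
                n.flows.clear()   # a crashed node loses its in-memory state


def run_failover_scenario(replicate: bool) -> Dict[str, str]:
    """Open one HTTP flow, fail the node that owns it, then send a mid-stream packet.
    Returns the verdict at each step plus the owning and surviving node names."""
    fw_a = StatefulFirewall("fw-a", [80, 443], replicate)
    fw_b = StatefulFirewall("fw-b", [80, 443], replicate)
    cluster = MultiprimaryCluster([fw_a, fw_b])

    # Constructed sample traffic: a client opening a connection to a web server.
    syn = Packet("192.0.2.10", 40000, "198.51.100.5", 80, "tcp", syn=True)
    data = Packet("192.0.2.10", 40000, "198.51.100.5", 80, "tcp")

    owner, v_open = cluster.handle(syn)
    _, v_data = cluster.handle(data)
    cluster.fail(owner)                       # the owning primary crashes
    survivor, v_after = cluster.handle(data)  # rerouted to the surviving primary
    # A packet for a flow nobody ever admitted is dropped regardless of replication.
    _, v_stray = cluster.handle(Packet("203.0.113.7", 5555, "198.51.100.5", 80, "tcp"))
    return {"open": v_open, "data": v_data, "after_failover": v_after,
            "stray": v_stray, "owner": owner, "survivor": survivor}


if __name__ == "__main__":
    for mode in (False, True):
        print("replication" if mode else "no replication", run_failover_scenario(mode))
```

The model deliberately replicates state after the verdict has been returned, which is what keeps the forwarding path free of replication latency; the cost is the window between the verdict and the peer receiving the state, during which a crash still loses that one flow.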


Keywords (machine-generated by the publisher, not supplied by the authors): Flow Durability, State Proxy, Reply Packet, Remote Direct Memory Access, Replication Protocol


Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • P. Neira (1)
  • R. M. Gasca (1)
  • L. Lefèvre (2)
  1. QUIVIR Research Group, University of Sevilla, Spain
  2. INRIA RESO, University of Lyon, France