Architectures for the high availability of stateful firewalls

  1. Neira Ayuso, Pablo
Supervised by:
  1. Laurent Lefèvre Supervisor
  2. Rafael Martínez Gasca Supervisor

Defense university: Universidad de Sevilla

Defense date: 22 July 2010

Examination committee:
  1. Antonio Maña Chair
  2. Mikel Larrea Álava Secretary
  3. Leonardo Macarini Member
  4. Geoffroy Vallée Member
  5. Eduardo Fernández-Medina Patón Member

Type: Thesis

Teseo: 299243 DIALNET

Abstract

Nowadays, stateful firewalls are key parts of the critical infrastructure of the Internet. They help to protect network services and users against attackers by means of access control and protocol conformance checks. However, stateful firewalls address network security at the cost of introducing further problems in terms of network performance, availability and complexity. Much research has been done on firewalls during the last decades to address these concerns. Specifically, these works have focused on improving network performance, through efficient packet classification and specialized hardware, and on reducing complexity, by means of model-based filtering policy representations and the detection of rule-set inconsistencies. However, the high availability of stateful firewalls has remained barely studied by the research community, according to the existing academic works. This dissertation aims to fill the gap in the field of high availability and stateful firewalls. In several research articles that we have compiled in this thesis, we present the Fault-Tolerant stateful Firewall (FT-FW) architecture to provide high availability, we survey existing fault-tolerant firewall architectures and we provide experimental results that allow network architects to select which solution fulfills their requirements. We also provide a software implementation, released as free software, that the IT industry widely uses these days. Moreover, we have applied our research work in the context of wireless mesh networks. In this challenging scenario, we provide a distributed firewalling architecture that helps to improve network-resource management. This architecture is based on Bloom filters and it considers aspects such as efficient filtering policy distribution and mobility.