fault tolerant stateful firewalling with gnu linux
play

Fault tolerant stateful firewalling with GNU/Linux Pablo Neira - PowerPoint PPT Presentation

Oct 20, 2023 •214 likes •442 views

Fault tolerant stateful firewalling with GNU/Linux Pablo Neira Ayuso <pablo@netfilter.org> Proyecto Netfilter <pneira@us.es> University of Sevilla Outline Introduction: Stateless and stateful firewalls Fault-Tolerance

  1. Fault tolerant stateful firewalling with GNU/Linux Pablo Neira Ayuso <pablo@netfilter.org> Proyecto Netfilter <pneira@us.es> University of Sevilla

  2. Outline ● Introduction: – Stateless and stateful firewalls – Fault-Tolerance & firewalls ● Architecture & replication protocols ● Preliminary evaluation ● Related works. ● Conclusions & Future Work

  3. Introduction: Firewalls ● What is a Firewall ? – It is a network element that controls the traversal of packets across different network segments. – It is a mechanism to enforce an access control list (ACL). The firewall ACL is a list of linearly ordered filtering rules that define the actions that will be performed on packets that satisfy specific conditions.

  4. Introduction: Firewalls ● What is a stateless firewall? – Filtering decision based on the information available in the packet headers. ● What is a stateful firewall? – Extend stateless firewalls. A stateful firewall performs correctness checking upon the protocols that it gateways. – Filtering decision based on flows.

  5. Introduction: Firewalls ● In Linux, there are four types of states (from the user perspective!): – NEW : This is the first packet of a connection. – ESTABLISHED : We have seen packets in both directions. – INVALID : Malformed, invalid packet in the expected protocol sequence. – RELATED : This packet is related to an existing connection (ICMP traffic in response to some event). ● http://people.netfilter.org/pablo/docs/

  6. Fault-Tolerant firewalls ● Firewalls introduce a single point of failure in the network schema: The availability of the services depends on the firewall availability.

  7. Fault-Tolerant Firewalls ● Solution: replication – Extra cost to add an extra firewall replica. – Use of failure-detector to fail over a save firewall replica if a failure arises. e.g. heartbeat, keepalived...

  8. Example scenario iptables -P FORWARD DROP iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i eth1 -p tcp -- syn -m state --state NEW -j ACCEPT iptables -A FORWARD -i eth1 -p tcp - m state --state ESTABLISHED -j ACCEPT iptables -I FORWARD -j LOG iptables -I POSTROUTING -t nat -s 192.168.0.3 -j SNAT --to 192.168.1.100

  9. Example scenario Step 1) Workstation A initiates a SSH connection with B: ESTABLISHED

  10. Example scenario Step 1) Workstation A initiates a SSH connection with B: ESTABLISHED Step 2) A failure arises at the primary firewall FW1: the backup FW2 recovers the filtering.

  11. Example scenario Step 1) Workstation A initiates a SSH connection with B: ESTABLISHED Step 2) A failure arises at the primary firewall FW1: the backup FW2 recovers the filtering. Step 3) Applying the stateful fitering policy, the first packet seen by FW2 is in state NEW. Connection hangs. Solution? The backup node needs to know the flow states. Otherwise, it may fail to recover the flows.

  12. Conntrack-tools ● This package contains an userspace daemon written in C – conntrackd . – Configurable and extensible. – Requires Linux kernel >= 2.6.18. – Requires HA manager: keepalived, heartbeat... – Supported setups: ● Primary-Backup ● Multiprimary – Under development: current is 0.9.7 – http://conntrack-tools.netfilter.org/

  13. Conntrackd: Design

  14. Replication protocols ● Three approaches – as for now: – NOTRACK : like pfsync, best effort, no sequence tracking at all. – ALARM : Every N seconds a state message is sent (spamming but better for consistency). – FT-FW: Reliable UDP-based protocol (with sequence tracking). ● The receiver always handles all messages even those that are out of sequence ● The sender just resend the last state reached in case of message omission

  15. Supported scenarios ● Primary-Backup: One firewall replica filters and the other acts as backup. ● Multiprimary: – Simmetric or flow-based: the firewall replica always handles the same subset of flows. ● Static: client-based (set different gateways for clients). ● Dynamic: hash-based (similar to CLUSTERIP) – Asymmetric or packet-based: No guarantees on which firewall handles packets (problematic!)

  16. Preliminary evaluation Testbed: HP Proliant 145G2, AMD 2.2GHz, 1GBit ● HTTP GET requests from A to B (4 KB) ●

  17. CPU consumption

  18. Recovery time

  19. Related Work ● Apart of the interesting openBSD effort, nothing open in this area: – Proprietary : black box, only commercial papers (buy my nifty box, my solution is great!). – OpenBSD ● simple in-kernel state replication ● it also requires a HA manager, CARP ● Replication protocol: no sequence tracking at all, no message omission, reordering, duplication handling.

  20. Conclusions & Future work ● The conntrack-tools are free software (GPLv2) ● Userspace implementation. ● Still under development: 1.0 release probably by end of 2008. The remaining issues discussed during the last Netfilter Workshop (sept. 2007) are done. ● It still lacks of documentation for the multiprimary setup.

  21. Thank you! ● Questions ?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault tolerant programming are: Fault Detection - Knowing that a fault exists Fault Recovery - having atomic instructions that can be rolled back in

361 views • 18 slides
Dropping in 80Gbits (sort of) of Stateful Firewalling with OpenBSD (PF, OpenOSPF) UKNOF 37,

Dropping in 80Gbits (sort of) of Stateful Firewalling with OpenBSD (PF, OpenOSPF) UKNOF 37,

Dropping in 80Gbits (sort of) of Stateful Firewalling with OpenBSD (PF, OpenOSPF) UKNOF 37, Manchester Caveats I am not pushing 80Gbits yet (sorry if you were expecting Netflix levels of awesome) See: Sort of Who am I? Gareth Llewellyn

424 views • 38 slides
Fault-tolerant techniques Fault-tolerant techniques What causes component faults? What are the

Fault-tolerant techniques Fault-tolerant techniques What causes component faults? What are the

EDA421/DIT171 - Parallel and Distributed Real-Time Systems, Chalmers/GU, 2011/2012 Lecture #14 Updated May 2, 2012 Fault-tolerant techniques Fault-tolerant techniques What causes component faults? What are the effects if the

374 views • 9 slides
FAULT-TOLERANT CONTROL Is it possible? JAN MACIEJOWSKI Fault- tolerant control. DPS09,

FAULT-TOLERANT CONTROL Is it possible? JAN MACIEJOWSKI Fault- tolerant control. DPS09,

FAULT-TOLERANT CONTROL Is it possible? JAN MACIEJOWSKI Fault- tolerant control. DPS09, Gdask Canonical Control Engineering Problem Disturbance Controlled output Set-point Filter Controller Plant Sensor Noise This problem is

639 views • 29 slides
Adaptive Fault Tolerant Systems: Adaptive Fault Tolerant Systems: Reflective Design and

Adaptive Fault Tolerant Systems: Adaptive Fault Tolerant Systems: Reflective Design and

1 Adaptive Fault Tolerant Systems: Adaptive Fault Tolerant Systems: Reflective Design and Validation Reflective Design and Validation Marc-Olivier Killijian Dependable Computing and Fault Tolerance Research Group Toulouse - France 2

865 views • 50 slides
Overview Introduction and basic concept ECE 753: FAULT-TOLERANT Fault model and fault

Overview Introduction and basic concept ECE 753: FAULT-TOLERANT Fault model and fault

4/1/2014 Overview Introduction and basic concept ECE 753: FAULT-TOLERANT Fault model and fault coverage COMPUTING Checkpointing and backward error recovery (rollback) Kewal K.Saluja General principles General principles

259 views • 3 slides
Fault-Tolerant Data Collection in Fault-Tolerant Data Collection in Heterogeneous Intelligent

Fault-Tolerant Data Collection in Fault-Tolerant Data Collection in Heterogeneous Intelligent

Fault-Tolerant Data Collection in Fault-Tolerant Data Collection in Heterogeneous Intelligent Monitoring Networks Networks Heterogeneous Intelligent Monitoring Jing Deng Department of Computer Science University of North Carolina at

335 views • 18 slides
A Fault-Tolerant Alternative to Lockstep Triple Modular Redundancy Andrew L. Baldwin, BS 09,

A Fault-Tolerant Alternative to Lockstep Triple Modular Redundancy Andrew L. Baldwin, BS 09,

A Fault-Tolerant Alternative to Lockstep Triple Modular Redundancy Andrew L. Baldwin, BS 09, MS 12 W. Robert Daasch, Professor Integrated Circuits Design and Test Laboratory Problem Statement In a fault tolerant system containing

478 views • 35 slides
Overview ECE 753: FAULT-TOLERANT Fault Modeling COMPUTING References Introduction

Overview ECE 753: FAULT-TOLERANT Fault Modeling COMPUTING References Introduction

1/21/2014 Overview ECE 753: FAULT-TOLERANT Fault Modeling COMPUTING References Introduction Kewal K.Saluja Kewal K Saluja Fault models at different levels (HW) Department of Electrical and Computer Engineering Error

304 views • 5 slides
A Fault Tolerant Virtualization Server Based on Xen Jrgen Gro Virtualization Kernel

A Fault Tolerant Virtualization Server Based on Xen Jrgen Gro Virtualization Kernel

A Fault Tolerant Virtualization Server Based on Xen Jrgen Gro Virtualization Kernel Developer SUSE Linux GmbH, jgross@suse.com Status Quo Standard Xen Virtualization Server dom0 HVM pv Net- Block- xenstore qemu backend backend

421 views • 23 slides
4/22/2009 Designing highly available systems Incorporate elements of fault-tolerant design

4/22/2009 Designing highly available systems Incorporate elements of fault-tolerant design

4/22/2009 Designing highly available systems Incorporate elements of fault-tolerant design Replication, TMR Distributed Systems Fully fault tolerant system will offer non-stop availability Clusters You cant achieve this! Problem:

458 views • 11 slides
Verification and Validation of a Verification and Validation of a Fault- -Tolerant Architectural

Verification and Validation of a Verification and Validation of a Fault- -Tolerant Architectural

Verification and Validation of a Verification and Validation of a Fault- -Tolerant Architectural Abstraction Tolerant Architectural Abstraction Fault Patrick H. S. Brito - Unicamp, Brazil Rogrio de Lemos - University of Kent, UK Eliane

381 views • 21 slides
REVIEW OF FAULT TOLERANT TECHNIQUES FOR DIFFERENT TYPES OF GRAPHS BY- HATEM NASSRAT TARAK

REVIEW OF FAULT TOLERANT TECHNIQUES FOR DIFFERENT TYPES OF GRAPHS BY- HATEM NASSRAT TARAK

REVIEW OF FAULT TOLERANT TECHNIQUES FOR DIFFERENT TYPES OF GRAPHS BY- HATEM NASSRAT TARAK SHINGNE Outline General view of Fault Tolerance Ft-Design approaches Trees Meshes &amp; Hypercubes conclusion Introduction Fault

584 views • 44 slides
Idealised Fault Tolerant Idealised Fault Tolerant Architectural Element Architectural Element

Idealised Fault Tolerant Idealised Fault Tolerant Architectural Element Architectural Element

Idealised Fault Tolerant Idealised Fault Tolerant Architectural Element Architectural Element Rog rio rio de Lemos de Lemos Rog University of Kent, UK University of Kent, UK Motivation architectural fault tolerance; iFTE

350 views • 16 slides
Fault-Tolerant Distributed Optimization Lili Su, Arun Padakandla, Qiong Hu, Seyyed A. Fatemi,

Fault-Tolerant Distributed Optimization Lili Su, Arun Padakandla, Qiong Hu, Seyyed A. Fatemi,

Fault-Tolerant Distributed Optimization Lili Su, Arun Padakandla, Qiong Hu, Seyyed A. Fatemi, Rehana Mahfuz, Vidyasagar Sadhu CSOI-Data Science Workshop May 27th, 2016 Lili Su et al. (SOI-DSWKSP) Fault-tolerant distributed optimization May

854 views • 6 slides
Distributed Systems 5. Fault Tolerant Systems Fault-Tolerance - 1 Lszl Bszrmnyi

Distributed Systems 5. Fault Tolerant Systems Fault-Tolerance - 1 Lszl Bszrmnyi

Distributed Systems 5. Fault Tolerant Systems Fault-Tolerance - 1 Lszl Bszrmnyi Distributed Systems Fault tolerance A system or a component fails due to a fault Fault tolerance means that the system continues to provide its

428 views • 40 slides
Multiprimary support for the availability of cluster-based stateful firewalls Pablo Neira Ayuso,

Multiprimary support for the availability of cluster-based stateful firewalls Pablo Neira Ayuso,

Multiprimary support for the availability of cluster-based stateful firewalls Pablo Neira Ayuso, Rafael M. Gasca, Laurent Lefevre &lt;pneira@us.es&gt;, &lt;gasca@us.es&gt;, &lt;lefevre@inria.fr&gt; Quivir Research Group, University of Sevilla,

1.07k views • 17 slides
Refactoring Kiekers I/O Infrastructure to Improve Scalability and Extensibility Holger Knoche

Refactoring Kiekers I/O Infrastructure to Improve Scalability and Extensibility Holger Knoche

Refactoring Kiekers I/O Infrastructure to Improve Scalability and Extensibility Holger Knoche University of Kiel November 10, 2017 @ SSP Holger Knoche Refactoring Kiekers I/O Infrastructure November 10, 2017 @ SSP 1 / 16 Agenda 1.

182 views • 16 slides
Stateful Services on Mesos Ankan Mukherjee (ankan@moz.com) Arunabha Ghosh (agh@moz.com) A

Stateful Services on Mesos Ankan Mukherjee (ankan@moz.com) Arunabha Ghosh (agh@moz.com) A

Stateful Services on Mesos Ankan Mukherjee (ankan@moz.com) Arunabha Ghosh (agh@moz.com) A deployment diagram Source: wikipedia Presentation Business Data Presentation Business Data Why run on Mesos? Services are decoupled from the

950 views • 50 slides
&amp; session languages Erik Poll Joeri de Ruiter Aleksy Schubert LangSec

&amp; session languages Erik Poll Joeri de Ruiter Aleksy Schubert LangSec

Protocol state machines &amp; session languages Erik Poll Joeri de Ruiter Aleksy Schubert LangSec workshop @ IEEE Security &amp; Privacy, 2015 Input languages: messages &amp; sessions Handling inputs involves language of

405 views • 26 slides
Operating System Principles: Accessing Remote Data CS 111 Operating Systems Peter Reiher

Operating System Principles: Accessing Remote Data CS 111 Operating Systems Peter Reiher

Operating System Principles: Accessing Remote Data CS 111 Operating Systems Peter Reiher Lecture 16 CS 111 Page 1 Fall 2017 Outline Data on other machines Remote file access architectures Challenges in remote data access

925 views • 56 slides
Distributed Systems Distributed File Systems Paul Krzyzanowski pxk@cs.rutgers.edu Except as

Distributed Systems Distributed File Systems Paul Krzyzanowski pxk@cs.rutgers.edu Except as

Distributed Systems Distributed File Systems Paul Krzyzanowski pxk@cs.rutgers.edu Except as otherwise noted, the content of this presentation is licensed under the Creative Commons Attribution 2.5 License. Page 1 Page 1 Accessing files FTP,

507 views • 18 slides
CPSC 410/611: Final Week -- File Systems File Systems over a Networks: Sun NFS Aspects

CPSC 410/611: Final Week -- File Systems File Systems over a Networks: Sun NFS Aspects

CPSC 410 / 611 : Operating Systems CPSC 410/611: Final Week -- File Systems File Systems over a Networks: Sun NFS Aspects of Distributed File Systems Communication Processes Naming Synchronization Fault Tolerance Caching and

315 views • 9 slides
Sub-millisecond Stateful Stream Querying over Fast-evolving Linked Data Yunhao Zhang, Rong Chen,

Sub-millisecond Stateful Stream Querying over Fast-evolving Linked Data Yunhao Zhang, Rong Chen,

Sub-millisecond Stateful Stream Querying over Fast-evolving Linked Data Yunhao Zhang, Rong Chen, Haibo Chen Institute of Parallel and Distributed Systems (IPADS) Shanghai Jiao Tong University Stream Query is Important Multiple data sources are

683 views • 34 slides

More recommend