ARCHITECTURES FOR THE HIGH AVAILABILITY OF STATEFUL FIREWALLS PABLO NEIRA AYUSO UNIVERSIDAD DE SEVILLA EUROPEAN DOCTORAL DISSERTATION ADVISED BY DR. RAFAEL MARTINEZ-GASCA´ AND DR. LAURENT LEFEVRE` Contents Acknowledgements 2 Abstract 3 Resumen 4 I Preface 5 1 Introduction 6 1.1 Research Context . .6 1.1.1 Firewalls . .7 1.1.2 Stateful firewalls . .8 1.1.3 Firewalls and their challenges . .9 1.1.4 Communicating user and kernel-space in Linux . 11 1.2 Contributions . 12 1.2.1 Summary of contributions . 12 1.2.2 Publications in reverse chronological order . 12 1.2.3 Books . 14 1.2.4 Research projects . 15 1.2.5 Research visits . 15 1.2.6 Software . 16 1.3 Structure of this dissertation . 16 II Selected research work 18 III Other relevant research work 51 IV Final remarks 97 1.4 Conclusions and future works . 98 1.4.1 Conclusions . 98 1.4.2 Future works . 98 Bibliography 99 1 Acknowledgements Many people have influenced this thesis in very different ways. I have plenty of kind words for all these people, without them this dissertation would not have been possible today. Firstly, I would like to thank to Dr. Laurent Lefevre` for introducing me to the world of the academic research during my study abroad in France. As a result of that work in collaboration, I won the Spanish Ministry of Education’s Arquimedes Award for young researchers in the IT chapter. Then, I was lucky enough to meet Dr. Rafael M. Gasca, head of the QUIVIR research group, who offered me the possibility to continue my Philosophae Doctor Thesis in cooperation with Dr. Laurent Lefevre` in the University of Sevilla. I am grateful to them for providing the framework of freedom and support that I required to finish this work. I am also thankful to the RESO/LIP team and the QUIVIR research group members that shared their research experience and impressions with me along this time. I have also enjoyed the collaboration with Dr. Leonardo Maccari and the LaRT team in the University of Firenze, who contributed with their high insight on wireless mesh networks to our research works. Dr. Alberto Escudero-Pascual also helped me significantly with very useful comments and orientations in the initial stage of the research, specifically on the definition of the Fault-Tolerant FireWall (FT-FW) architecture. Many people from the Free/Open Source community have also contributed to my research with their invaluable feedback. Some of them are Harald Welte, the former head of the Netfilter project; Patrick McHardy, current head of the Netfilter project and one of the maintainers of the Linux kernel networking subsystem; Jozsef Kadlecsik, Netfilter hacker fellow; and Jamal Hadi Salim, one of the relevant Netlink developers; among many others. Finally, I thank my mother, Teresa, and my father, Jose´ Antonio, for all their unconditional love and support; and my brothers Alvaro´ and Gonzalo. I would like to thank many others that are not enumerated here but that have also been crucial in other non-academic aspects. Abstract Nowadays, stateful firewalls are key parts of the critical infrastructure of the Internet. Basically, they help to protect network services and users against attackers by means of access control and protocol conformance checkings. However, stateful firewalls cover network security aspects at the cost of introducing more problems in terms of network performance, availability and com- plexity. Many research has been done with regards to firewalls during the last decades to appro- priately address these concerns. Specifically, these works have focused on improving network performance, through efficient packet classification and specialized hardware, and complexity, by means of model-based filtering policy representations and the detection of rule-set incon- sistencies. However, high availability of stateful firewalls have remained barely studied by the research community according to the existing academic works. This dissertation aims to fill the gap in the field of high availability and stateful firewalls. In several research articles that we have compiled in this thesis, we present the Fault-Tolerant stateful Firewall (FT-FW) architecture to provide high availability, we survey existing fault- tolerant firewall architectures and we provide experimental results that allow network arquitects to select what solution fulfills their requirements. We also provide a software implementation released as free software that the IT industry widely use these days. Moreover, we have ap- plied our research work in the context of wireless mesh networks. In this challenging scenario, we provide a distributed firewalling architecture that helps to improve network-resource man- agement. This architecture is based on Bloom filters and it considers aspects such as efficient filtering policy distribution and mobility. Resumen Hoy en d´ıa, los cortafuegos con estados son parte esencial de la infraestructura cr´ıtica de Inter- net. Basicamente,´ estos dispositivos protegen los servicios de red y a los usuarios de posibles ataques mediantes mecanismos de control de acceso y comprobaciones de conformidad sobre los protocolos. No obstante, los cortafuegos con estados tratan aspectos relacionados con la seguridad a cambio de introducir mas´ problemas en relacion´ con el rendimiento de la red, la disponibilidad y la complejidad. Es por ello que los cortafuegos han sido sujeto de estudio a lo largo de las ultimas´ decadas´ con el fin de abordar tales problemas. Concretamente, dichos trabajos de investigacion´ se han centrado en mejorar el rendimiento de la red, mediante tecnicas´ eficaces para la clasificacion´ de paquetes y el uso de hardware especializado; y la complejidad, mediante representaciones de las pol´ıticas de filtrado basadas en modelos y la deteccion´ de in- consistencias en el conjunto reglas de reglas de cortafuegos. Sin embargo, la alta disponibilidad de los cortafuegos con estados ha sido escasamente estudiada por la comunidad investigadora de acuerdo con los trabajos existentes. Esta tesis pretende completar el vac´ıo existente en el dominio de la alta disponibilidad y los cortafuegos con estados. En varios art´ıculos de investigacion´ que hemos seleccionado y que incluimos en este documento presentamos la arquitectura Fault-Tolerant stateful Firewall (FT-FW) que nos brinda la alta disponibilidad. Ademas,´ hemos realizado un estudio de las arquitecturas de cortafuegos tolerantes a fallos existentes y ofrecemos resultados experimen- tales que permiten a los arquitectos de red seleccionar la solucion´ que mejor se adecua´ a sus requisitos. Tambien´ ofrecemos una implementacion´ disponible bajo licencia de software libre que es usada por la industria TIC en la actualidad. Por otro lado, hemos aplicado nuestra inves- tigacion´ en el contexto de las redes inalambricas´ de malla. En este exigente entorno, ofrecemos una arquitectura distribuida de cortafuegos que ayuda a mejorar la gestion´ de los recursos de la red. Dicha arquitectura esta´ basada en filtros de Bloom y considera aspectos tales como la distribucion´ de la pol´ıtica de filtrado de manera eficiente y la movilidad. Part I Preface 5 Chapter 1 Introduction Failures are a permanent menace for the availability of Internet services. During the last decades, numerous fault-tolerant approaches have been proposed for the wide spectrum of Internet services to provide high availability. However, relatively few research work have ad- dressed the specific aspects of fault-tolerant stateful firewalls and distributed stateful firewalls in wireless mesh networks. Continued availability of firewalls has become a critical factor for the IT industry. Classic fault-tolerant solutions based on redundancy and health-checking mechanisms does not success to fulfill the requirements of stateful firewalls. On the other hand, emerging mobile technolo- gies, such as wireless mesh networks, proliferate in organizations more and more. However, existing network-resource management approaches in this environment remain rudimentary. In this scenario, a distributed firewall architecture that considers mobility and efficiency can help to administer network resources. This dissertation is presented as a compilation of research articles that aim to address these concerns. Basically, we provide several architectures that cover high availability of stateful firewalls and network-resource management through distributed firewalling in wireless mesh networks that supports mobility and efficient filtering policy distribution. 1.1 Research Context The research work that we performed in the frame of this thesis is composed of three parts: The research work in the context of cluster-based fault-tolerant firewalls in wired net- • works to survey existing solutions and to provide the Fault-Tolerant FireWall (FT-FW) architecture. The application of these research advances regarding FT-FW to distributed stateful fire- • walls in wireless mesh/ad-hoc networks. Our implementation released under free software license that uses Netlink sockets to • communicate the in-kernel firewalling subsystem with our user-space high availability state-proxy (as defined in the FT-FW architecture). Specifically, in wireless mesh/ad-hoc networks, we found no works that have focused on providing a distributed firewalling architecture for these environments. Thus, we initially de- 6 fined a stateless packet filtering solution that we extended to become stateful. Then, we applied the FT-FW architecture to enable high avalability and to support mobility. Moreover, with regards to the existing previous research of the high availability of stateful firewalls, most of the results were not established as laws or theories from an epistemological point of view. For that matter, this dissertation provides a wide empirical research as a valid approach to improve epistemological foundations in this topic. To summarize the connection between the different research works that have been compiled in this document, we provide the following concept map in Fig. 1.1. Figure 1.1: Concept map on this dissertation We continue with the basic concepts of this dissertation. In Section. 1.1.1, we provide an introduction to firewalls. Then, Section. 1.1.2 describe stateful firewalls. We overview firewalls and their problems in Section.