The stateful cluster security gateway (CSG) architecture for robust switched Linux cluster security

This work presents a new cluster security model for securing switched Linux clusters. The stateful CSG improves upon the stateless CSG by supporting stateful firewalling and by providing high availability, greater scalability and load balancing capability. The model combines several mechanisms: distributed sender-initiated Layer 2 per-packet firewall load balancing, firewall state synchronization, failover, MAC address takeover, Network Access Control using switch MAC ACLs and port security, and Layer 2 and Layer 3 packet filtering, in order to provide robust, scalable and reliable cluster-level security. Experimental performance results show the effectiveness of the new scheme not only at boosting firewall performance and reliability but also at improving network performance and security. In addition, the response of the new scheme in the face of threats is assessed qualitatively, and its salient characteristics, such as tamper resistance, anti-spoofing, anti-sniffing and low end-user host processing strain, are highlighted.
