A stateful CSG-based distributed firewall architecture for robust distributed security

摘要

Distributed firewalls have been developed in order to provide networks with a higher level of protection than traditional firewalling mechanisms like gateway and host-based firewalls. Although distributed firewalls provide higher security, they too have limitations. This work presents the design & implementation of a new distributed firewall model, based on stateful Cluster Security Gateway (CSG) architecture, which addresses those shortcomings. This distributed security model adopts a bottom-up approach such that each cluster of end-user hosts is first secured using the CSG architecture. These different CSGs are then centrally managed by the Network Administrator. A file-based firewall update mechanism is used for dynamic real-time security. IPsec is used to secure the firewall policy update distribution while X.509 certificates cater for sender/receiver authentication. The major benefits of this approach to distributed security include tamper resistance, anti-spoofing, anti-sniffing, secure real-time firewall updating, low overall network load, high scalability and low firewall convergence times.