An unavailability analysis of firewall sandwich configurations

S Goddard; R Kieckhafer; Yuping Zhang

doi:10.1109/HASE.2001.966815

Back

Conference proceeding

An unavailability analysis of firewall sandwich configurations

S Goddard, R Kieckhafer and Yuping Zhang

Proceedings Sixth IEEE International Symposium on High Assurance Systems Engineering. Special Topic: Impact of Networking, Vol.2001-, pp.139-148

2001

DOI: 10.1109/HASE.2001.966815

View Online

Abstract

Firewalls form the first line of defense in securing internal networks from the Internet. A Firewall only provides security if all traffic into and out of an internal network passes through the firewall. However, a single firewall through which all network traffic must flow represents a single point of failure. If the firewall is down, all access is lost. A common solution to this problem is to use firewall sandwiches, comprising multiple firewall processors running in parallel. A firewall sandwich system needs load-balancing processes executing on separate processors to manage the flow of packets through the firewall processors. The number of redundant load balancing processors and their redundancy management policies have a major impact on system unavailability. We present a model to analyze the steady-state unavailability of firewall sandwiches and compare the unavailability of various load-balancing configurations. The results show that, using representative non-proprietary values for system parameters, redundancy management policies are at least as important as the number of redundant processing nodes.

Computer science

Internet

IP networks

Load management

Network servers

Portals

Protection

Steady-state

Telecommunication traffic

Web server

Details

Title: Subtitle: An unavailability analysis of firewall sandwich configurations
Creators: S Goddard - Lincoln University - Pennsylvania
R Kieckhafer - Michigan Technological University
Yuping Zhang - Michigan Technological University
Resource Type: Conference proceeding
Publication Details: Proceedings Sixth IEEE International Symposium on High Assurance Systems Engineering. Special Topic: Impact of Networking, Vol.2001-, pp.139-148
Publisher: IEEE
DOI: 10.1109/HASE.2001.966815
ISSN: 1530-2059
eISSN: 2640-7507
Language: English
Date published: 2001
Academic Unit: Computer Science
Record Identifier: 9984259486402771

Metrics

13 Record Views

3 Times Cited - Web of Science