A Centralized State Repository Approach to Highly Scalable and High-Availability Parallel Firewall

Conventional high-availability stateful parallel firewall suffers from low scalability due to two overlapping requirements: workload distribution and redundancy. To achieve high throughput, load-distribution with complex algorithm is conventionally employed, consuming a lot of resources and making the system susceptible to state-related attacks such as SYN-flooding. On the other hand, making the system redundant usually implies N-to-N crossreplication of connection-state data among firewall nodes. These make the scaling effort very difficult at best. This paper presents the novel design and implementation of a highly scalable, high-availability, stateful parallel firewall with centralized state repository intending for high-speed connection environment. The system consists of fault sensor unit(s), fully redundant load manager units, fully redundant central state repository unit(s), and an array of Linux-based machines acting as firewall nodes under the data parallel scheme. Adding more units into the system can scale every component up. Consistent Disjoint-subset Hashing and Stateless Load balancing algorithms, chosen for their superior computing overhead, provide high performance, flexibility and scalability. Centralized State Repository further enhances reliability and scalability. Actual deployment statistics confirm that the combination of centralized state repository and on-demand state restoration largely reduces the number of state synchronization transactions when the number of firewall nodes fluctuates. Therefore, the high-scalability and load balancing are gained with minimal state replications.