Since the beginning of the twenty-first century the Internet has grown rapidly, but it also faces severe security challenges, and network threats have become increasingly diverse. Beyond traditional viruses and spam, more and more malicious software, such as spyware, adware and phishing, seriously endangers network security. As applications of every kind move onto the network, including more and more business-critical ones, enterprises and users increasingly demand network security, and protecting network resources grows ever more important.

The firewall is a widely deployed network security device that plays a central role in protecting networks. A traditional firewall, however, is attached to the network at a single point, so it easily becomes a network bottleneck: it restricts the network's practical applications and degrades its performance and scalability. And once a traditional firewall fails, it is a single point of failure that reduces network availability.

This paper first analyzes the technologies related to firewalls and clustering, then proposes the concept of a Cluster Firewall System (CFS). A CFS consists of several traditional firewalls connected in parallel that cooperate to provide the function of a traditional firewall. A CFS avoids the single point of failure and effectively improves the network's availability; it is also a new way to raise a firewall's processing capacity and throughput. Compared with a traditional firewall, a CFS offers high availability, high scalability, high performance and a high price/performance ratio. According to how datagrams are handled, a CFS is either based on a traffic dispatch mechanism or on a negotiation mechanism.

This paper designs a new CFS model divided into three subsystems: a Load-Balancing Subsystem, a Fail-Over Firewall Subsystem and an On-Line Monitoring Subsystem, and analyzes and designs each of them. The Load-Balancing Subsystem distributes load evenly across the firewalls. The Fail-Over Firewall Subsystem implements fail-over and packet filtering. The On-Line Monitoring Subsystem provides convenient management of the CFS. The paper focuses mainly on the CFS based on the negotiation mechanism, implements and tests it using the Linux kernel firewall, and obtains good results.
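The following toy model is an added illustration of the three subsystems and of the two CFS variants named above; it is not code from the paper and makes no claim about the paper's actual design. Its assumptions are all hypothetical: flows are assigned to member firewalls by a hash of the packet's protocol, source, destination and port; the "dispatch" mode models a front-end balancer that forwards each packet to exactly one node; the "negotiation" mode models every node seeing every packet and deciding locally, with the same hash, whether it is the owner; fail-over is modelled by removing a dead node from the live set so its flows re-map onto the survivors; and the rule table, hostnames and traffic are constructed.

```python
"""Toy model of a Cluster Firewall System (CFS): several firewall nodes in
parallel, load balanced per flow, with fail-over and an on-line monitor.
Hypothetical design for illustration only, not the paper's implementation."""
import hashlib

# Constructed packet-filter rule table: (proto, dport, verdict); default deny.
RULES = [("tcp", 80, "ACCEPT"), ("tcp", 443, "ACCEPT"), ("udp", 53, "ACCEPT")]


class Packet:
    def __init__(self, src, dst, dport, proto="tcp"):
        self.src, self.dst, self.dport, self.proto = src, dst, dport, proto

    def flow_key(self):
        # All packets of one flow hash identically, so the node that owns a
        # flow keeps owning it (and any per-flow state) while the cluster is stable.
        return f"{self.proto}:{self.src}->{self.dst}:{self.dport}".encode()


class FirewallNode:
    """One member firewall: a plain packet filter plus up/down state."""

    def __init__(self, name):
        self.name, self.alive, self.handled = name, True, 0

    def filter(self, pkt):
        self.handled += 1
        for proto, port, verdict in RULES:
            if pkt.proto == proto and pkt.dport == port:
                return verdict
        return "DROP"


def owner_index(pkt, live_count):
    # Deterministic hash of the flow onto the set of live nodes. Every node can
    # compute this locally, which is what the (assumed) negotiation mode relies on.
    h = int.from_bytes(hashlib.sha256(pkt.flow_key()).digest()[:8], "big")
    return h % live_count


class ClusterFirewall:
    """mode='dispatch': a front-end balancer forwards each packet to one node.
    mode='negotiation': every live node sees every packet and decides locally
    (by the same hash) whether it is the owner; only the owner filters it."""

    def __init__(self, names, mode="dispatch"):
        self.nodes = [FirewallNode(n) for n in names]
        self.mode = mode

    def live_nodes(self):
        return [n for n in self.nodes if n.alive]

    def process(self, pkt):
        live = self.live_nodes()
        if not live:
            return "LOST"  # whole cluster down: the packet is not filtered at all
        if self.mode == "dispatch":
            return live[owner_index(pkt, len(live))].filter(pkt)
        verdicts = [n.filter(pkt) for i, n in enumerate(live)
                    if owner_index(pkt, len(live)) == i]
        assert len(verdicts) == 1  # exactly one node claims each packet
        return verdicts[0]

    def fail(self, name):
        # Fail-over: a dead node drops out of the live set, so the hash re-maps
        # its flows onto the surviving nodes on the very next packet.
        for n in self.nodes:
            if n.name == name:
                n.alive = False

    def monitor(self):
        # On-line monitoring view: state and packet count per node.
        return {n.name: ("up" if n.alive else "down", n.handled) for n in self.nodes}


def run_scenario(mode):
    """Send constructed traffic through a 3-node CFS, kill one node mid-stream,
    and return (verdicts before failure, verdicts after failure, monitor view)."""
    cfs = ClusterFirewall(["fw1", "fw2", "fw3"], mode=mode)
    flows = [Packet(f"10.0.0.{i}", "192.0.2.10", port, proto)
             for i in range(1, 7)
             for port, proto in ((80, "tcp"), (23, "tcp"), (53, "udp"))]
    before = [cfs.process(p) for p in flows]
    cfs.fail("fw2")
    after = [cfs.process(p) for p in flows]
    return before, after, cfs.monitor()


if __name__ == "__main__":
    for mode in ("dispatch", "negotiation"):
        before, after, view = run_scenario(mode)
        print(mode, "lost before/after failure:",
              before.count("LOST"), after.count("LOST"), view)
    single = ClusterFirewall(["fw1"])
    single.fail("fw1")
    print("single firewall after failure:",
          single.process(Packet("10.0.0.1", "192.0.2.10", 80)))
```

Running the script shows the contrast the abstract draws: a one-node "cluster" returns LOST for every packet once its only firewall dies, while the three-node cluster keeps filtering every packet after fw2 fails, in both modes, because the surviving nodes take over fw2's flows. In the negotiation mode no front-end balancer exists to become a bottleneck or a single point of failure, at the cost of every node having to see every packet.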