hFT-FW: Hybrid Fault-Tolerance for Cluster-Based Stateful Firewalls

Failures are a permanent menace for the availability of Internet services. During the last decades, numerous fault-tolerant approaches have been proposed for the wide spectrum of Internet services, including stateful firewalls. Most of these solutions adopt reactive approaches to mask failures by replicating state-changes between replicas. However, reactive replication is a resource consuming task that reduces scalability and performance: the amount of computational and bandwidth resources to propagate state-changes among replicas might be high. On the other hand, more and more commercial off-the-shelf platforms provide integrated hardware error-detection facilities. As a result, some current fault-tolerance research works aim to replace the reactive fault-handling with proactive fault-avoidance. However, pure proactive approaches are risky and they currently face serious limitations. In this work, we propose a hybrid proactive and reactive model that exploits the stateful firewall semantics to increase the overall performance of cluster-based fault-tolerant stateful firewalls. The proposed solution reduces the amount of resources involved in the reactive state-replication by means of Bayesian techniques to perform lazy replication while, at the same time, benefits from proactive fault-tolerance. Preliminary experimental results are also provided.