DATE: 8 May 2010
LOCATION: Reston Library
TIME: 10 am
TOPIC: Stateful Firewall
PRESENTER: Ivan Makfinsky
The Netfilter kernel module, popularly known as iptables, provides a
powerful and often very flexible toolbox for building Linux-based
firewalls. While clustering Linux-based firewalls may not be new, these
clusters are often not capable of maintaining, or not configured to
maintain, stateful connections such as SSL transactions and SSH
connections during fail-over scenarios. By combining Netfilter with a
couple of open source projects, one can construct a cluster of Linux
systems that enables seamless firewall failover such that stateful
connections are protected and maintained.
Senior Systems Architect Ivan Makfinsky of Endosys, Inc., a Linux and
Open Source Software consulting company, will demonstrate how clustered,
stateful Linux-based firewalls can be constructed using Red Hat
Enterprise Linux and software from the Fedora EPEL (Extra Packages for
Enterprise Linux) repository.
Ivan Makfinsky will use Red Hat Enterprise Linux virtual machines
running in KVM to demonstrate:
- Simple (non-stateful) clustered Linux-based firewalls and the effect on
stateful connections during fail-over.
- Stateful clustered Linux-based firewalls and the effect on stateful
protocols during fail-over.
- A brief discussion of the configuration required to accomplish the
stateful firewall cluster.
Attendees will leave with a clear understanding of the limitations of
non-stateful Linux firewall clusters, the value of a stateful firewall
cluster, and how to implement a stateful firewall cluster using Red Hat
Enterprise Linux, Conntrackd, and Keepalived.