A Proactive Stateful Firewall for Software Defined Networking

Security solutions in conventional networks are complex and costly because of the lack of abstraction, the rigidity and the heterogeneity of the network architecture. In Software Defined Networking (SDN), however, flexible, reprogrammable, robust and cost-effective security solutions can be built on top of the architecture. In this context, we propose an SDN proactive stateful Firewall. Our solution is completely integrated into the SDN environment and is compliant with the OpenFlow (OF) protocol. The proposed Firewall is the first implemented stateful SDN Firewall. It uses a proactive logic to mitigate some fingerprinting and DoS attacks. Furthermore, it improves network performance by steering network communications in order to fulfil the network protocol FSM (Finite State Machine). In addition, an Orchestrator layer is integrated into the Firewall to manage the deployment of the Firewall applications. This integration empowers interactions with the administrator and the data plane elements. We conduct two tests to prove the validity of our concept and to show that the proposed Firewall is efficient and performant.
