Stateful Distributed Firewall as a Service in SDN

Software-defined networking (SDN) is an emerging approach to computer networking that abstracts the network's control functions into a logically centralized control plane and makes them directly programmable. A new model of communication between the control plane and the data plane has recently been gaining attention: a hybrid approach that combines the advantage of the proactive model, in which flow rules are pre-installed in the data plane, with the advantage of the reactive model, in which the network can respond dynamically to events. This hybrid approach exploits the ability of SDN switches to recognize and host state machines. While the success of SDN is set to continue, this evolving network paradigm requires a new set of tools and strategies to secure the network elements against intrusions while maintaining efficiency and reliability. In this paper, we take advantage of the hybrid approach to network control and management to offload the processing of stateful applications from the control plane to the data plane, and propose our framework, SDFS, which optimizes a distributed stateful application in the data plane to turn the SDN network into one big firewall. While maintaining the modularity of the framework, SDFS distributes the processing burden of the stateful application among the switches in the data plane in an optimized way, with inherent fault-tolerance mechanisms that eliminate the need for immediate controller intervention even in cases of network failure or attack.
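As an added illustration of the stateful data-plane primitive the hybrid approach relies on (example code written for this page, not code from the paper or from SDFS itself), the following Python simulation models an OpenState-style switch: the controller proactively installs an extended finite state machine (XFSM) table expressing a connection-tracking firewall policy, the switch keeps per-flow state in its own state table, and only packets that match no installed rule are escalated to the controller on the reactive path. The port numbers, addresses, state names and packet trace are constructed for the example; how SDFS actually partitions state across switches or recovers from failures is not modelled, since the abstract does not specify it.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Port numbering is an assumption of this example, not of the paper.
INSIDE_PORT = 1   # faces the protected network
OUTSIDE_PORT = 2  # faces the untrusted network


@dataclass(frozen=True)
class Packet:
    in_port: int
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN", "ACK"}


def flow_key(pkt: Packet) -> Tuple:
    """Bidirectional 5-tuple: both directions of one connection share a state
    entry (the OpenState 'lookup scope')."""
    return (pkt.proto,) + tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))


@dataclass(frozen=True)
class XfsmRule:
    state: str                         # state the flow must currently be in
    match: Callable[[Packet], bool]    # header predicate
    action: str                        # "forward" or "drop"
    next_state: str                    # state written back for this flow
    desc: str


def is_tcp(p: Packet) -> bool:
    return p.proto == "tcp"


def build_firewall_xfsm() -> List[XfsmRule]:
    """Policy: inside hosts may open TCP connections; outside traffic is admitted
    only as the reply leg of a connection the inside opened. First match wins."""
    syn_only = frozenset({"SYN"})
    return [
        XfsmRule("ESTABLISHED", lambda p: is_tcp(p) and bool(p.flags & {"FIN", "RST"}),
                 "forward", "DEFAULT", "teardown: forget the connection"),
        XfsmRule("ESTABLISHED", is_tcp, "forward", "ESTABLISHED", "established traffic"),
        XfsmRule("SYN_SENT", lambda p: is_tcp(p) and p.in_port == INSIDE_PORT and p.flags == syn_only,
                 "forward", "SYN_SENT", "retransmitted SYN"),
        XfsmRule("SYN_SENT", lambda p: is_tcp(p) and p.in_port == OUTSIDE_PORT and {"SYN", "ACK"} <= p.flags,
                 "forward", "ESTABLISHED", "handshake reply"),
        XfsmRule("SYN_SENT", is_tcp, "drop", "SYN_SENT", "out-of-sequence handshake packet"),
        XfsmRule("DEFAULT", lambda p: is_tcp(p) and p.in_port == INSIDE_PORT and p.flags == syn_only,
                 "forward", "SYN_SENT", "new outbound connection"),
        XfsmRule("DEFAULT", lambda p: is_tcp(p) and p.in_port == OUTSIDE_PORT,
                 "drop", "DEFAULT", "unsolicited inbound TCP"),
    ]


class StatefulSwitch:
    """Data-plane element hosting the XFSM. The controller installs `rules` once,
    proactively; per-flow state then evolves entirely inside the switch."""

    def __init__(self, rules: List[XfsmRule]):
        self.rules = rules
        self.state_table: Dict[Tuple, str] = {}   # flow key -> state (absent == DEFAULT)
        self.packet_ins: List[Packet] = []        # packets escalated to the controller

    def process(self, pkt: Packet) -> str:
        key = flow_key(pkt)
        state = self.state_table.get(key, "DEFAULT")
        for rule in self.rules:
            if rule.state == state and rule.match(pkt):
                if rule.next_state == "DEFAULT":
                    self.state_table.pop(key, None)   # free the entry rather than store DEFAULT
                else:
                    self.state_table[key] = rule.next_state
                return rule.action
        # Table miss: the hybrid design falls back to the reactive path (packet-in).
        self.packet_ins.append(pkt)
        return "packet_in"


def run_demo() -> Tuple[StatefulSwitch, List[Tuple[str, str]]]:
    """Replay a constructed packet trace; returns (switch, [(label, action), ...])."""
    sw = StatefulSwitch(build_firewall_xfsm())
    inside, server, scanner = "10.0.0.5", "93.184.216.34", "198.51.100.7"   # constructed
    trace = [
        ("ACK-scan probe from outside",
         Packet(OUTSIDE_PORT, "tcp", scanner, 5555, inside, 40000, frozenset({"ACK"}))),
        ("inside opens connection",
         Packet(INSIDE_PORT, "tcp", inside, 40000, server, 443, frozenset({"SYN"}))),
        ("server replies SYN/ACK",
         Packet(OUTSIDE_PORT, "tcp", server, 443, inside, 40000, frozenset({"SYN", "ACK"}))),
        ("inside completes handshake",
         Packet(INSIDE_PORT, "tcp", inside, 40000, server, 443, frozenset({"ACK"}))),
        ("server sends data",
         Packet(OUTSIDE_PORT, "tcp", server, 443, inside, 40000, frozenset({"PSH", "ACK"}))),
        ("unsolicited SYN to inside SSH",
         Packet(OUTSIDE_PORT, "tcp", scanner, 5555, inside, 22, frozenset({"SYN"}))),
        ("inside resets connection",
         Packet(INSIDE_PORT, "tcp", inside, 40000, server, 443, frozenset({"RST"}))),
        ("late packet on torn-down connection",
         Packet(OUTSIDE_PORT, "tcp", server, 443, inside, 40000, frozenset({"ACK"}))),
        ("UDP DNS query: no XFSM rule, goes to controller",
         Packet(INSIDE_PORT, "udp", inside, 53000, "192.0.2.53", 53)),
    ]
    return sw, [(label, sw.process(p)) for label, p in trace]


if __name__ == "__main__":
    _, results = run_demo()
    for label, action in results:
        print(f"{action:10s} {label}")
```

The point worth noticing is where the controller is and is not involved: every TCP packet in the trace, including the scan probes and the late packet after the reset, is decided by the switch alone from its state table, so an attacker cannot drive the switch into flooding the controller with packet-ins for TCP; only the UDP packet, for which no XFSM rule was installed, takes the reactive path. A full design in the spirit of the abstract would also have to decide which switch owns each flow's state and what happens to that state when a switch or link fails, which this single-switch model leaves out.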
