TY - GEN
T1 - Towards a security-enhanced firewall application for openflow networks
AU - Wang, Juan
AU - Wang, Yong
AU - Hu, Hongxin
AU - Sun, Qingxin
AU - Shi, He
AU - Zeng, Longjie
PY - 2013
Y1 - 2013
N2 - Software-Defined Networking (SDN), which offers programmers network-wide visibility and direct control over the underlying switches from a logically-centralized controller, not only has a huge impact on the development of current networks, but also provides a promising way for the future development of the Internet. SDN, however, also brings forth many new security challenges. One such critical challenge is how to build a robust firewall application for SDN. Due to the statelessness of SDN firewalls based on OpenFlow, the first standard for SDN, and the lack of audit and tracking mechanisms for SDN controllers, the existing firewall applications in SDN can be easily bypassed by rewriting the flow entries in switches. Aiming at this threat, we introduce a systematic solution for conflict detection and resolution in OpenFlow-based firewalls through checking flow space and firewall authorization space. Unlike FortNOX [1], our approach can check the conflicts between the firewall rules and flow policies based on the entire flow paths within an OpenFlow network. We also add intra-table dependency checking for flow tables and firewall rules. Finally, we discuss a proof-of-concept implementation of our approach, and our experimental results demonstrate that our approach can effectively hinder the bypass threat in real OpenFlow networks.
AB - Software-Defined Networking (SDN), which offers programmers network-wide visibility and direct control over the underlying switches from a logically-centralized controller, not only has a huge impact on the development of current networks, but also provides a promising way for the future development of the Internet. SDN, however, also brings forth many new security challenges. One such critical challenge is how to build a robust firewall application for SDN. Due to the statelessness of SDN firewalls based on OpenFlow, the first standard for SDN, and the lack of audit and tracking mechanisms for SDN controllers, the existing firewall applications in SDN can be easily bypassed by rewriting the flow entries in switches. Aiming at this threat, we introduce a systematic solution for conflict detection and resolution in OpenFlow-based firewalls through checking flow space and firewall authorization space. Unlike FortNOX [1], our approach can check the conflicts between the firewall rules and flow policies based on the entire flow paths within an OpenFlow network. We also add intra-table dependency checking for flow tables and firewall rules. Finally, we discuss a proof-of-concept implementation of our approach, and our experimental results demonstrate that our approach can effectively hinder the bypass threat in real OpenFlow networks.
KW - Firewall
KW - Openflow
KW - SDN
KW - Security
UR - https://www.scopus.com/pages/publications/84894196540
U2 - 10.1007/978-3-319-03584-0_8
DO - 10.1007/978-3-319-03584-0_8
M3 - Conference contribution
AN - SCOPUS:84894196540
SN - 9783319035833
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 92
EP - 103
BT - Cyberspace Safety and Security - 5th International Symposium, CSS 2013, Proceedings
T2 - 5th International Symposium on Cyberspace Safety and Security, CSS 2013
Y2 - 13 November 2013 through 15 November 2013
ER -