Software Defined Networking Reactive Stateful Firewall

Network security is a crucial issue of Software Defined Networking (SDN). It is probably, one of the key features for the success and for the future pervasion of the SDN technology. In this perspective, we propose a SDN reactive stateful firewall. Our solution is integrated into the SDN architecture. It filters TCP communications according to the network security policies. It records and processes the different states of a connection and interprets their possible transitions into OpenFlow (OF) rules. The proposition uses a reactive behavior in order to reduce the number of OpenFlow rules in the data plane device and to mitigate some DOS attacks like SYN Flooding. The firewall processes the Finite State Machine of TCP so as to withdraw useless traffic not corresponding to TCP transitions’ conditions. Through our work, we put in light the advantages of our solution. In terms of cost efficiency, it empowers the behavior of Openflow compatible devices to make them behaving like stateful firewalls. Therefore, organizations do not need to spend money and resources on buying and maintaining conventional firewalls. Furthermore, we propose an orchestrator to spread and to reinforce the security policies in the whole network with a fine grained strategy. It is thereupon able to secure the network by filtering the traffic related to an application, a node, a subnetwork connected to a data plane device, a sub SDN network connected to a controller, traffic between different links, etc. The deployment of the firewall rules becomes flexible according to a holistic network view provided by the management plane. In addition, the solution enlarges the security perimeter inside the network itself by securing accesses between its nodes.