Towards a Reliable SDN Firewall

fields, which are needed for checking firewall policy violations, from the pattern expression of a flow rule to represent the space of corresponding flow path. In addition, we reorganize these fields with a (source address, destination address) pair to specify a flow path space. Then, we define three kinds of spaces for representing a flow path space: (1) Incoming Space represents original header spaces of packets that can pass through the flow path; (2) Outgoing Space represents final header spaces of packets after the packets pass through the flow path; and (3) Tracked Space represents original source address and final destination address of header spaces of packets that can pass through the flow path. For accurately detecting firewall policy violations, the dependency relations between “allow” rules and “deny” rules in the firewall policy should be decoupled. We propose a concept of firewall authorization space, which represents a collection of all packets either allowed or denied by the firewall rules. We then introduce a space partition approach, which represents rules with header space and performs various set operations on rules, to convert a list of firewall rules into two disjoint authorization sub-spaces, denied authorization space and allowed authorization space. Once the space of a flow path and the firewall authorization space of the firewall policy are calculated, we identify violations through checking the tracked space of the flow path against the denied authorization space of the firewall policy. If these two spaces overlap each other, we call the overlapping space as the violated space, which indicates a firewall policy violation. There are two kinds of violations: (1) Entire Violation (the denied authorization space includes the whole tracked space); and (2) Partial Violation (the denied authorization space partially includes the tracked space).