Towards a Reliable SDN Firewall

Authors

  • Hongxin Hu
  • Gail-Joon Ahn
  • Wonkyu Han
  • Ziming Zhao
Abstract

fields, which are needed for checking firewall policy violations, from the pattern expression of a flow rule to represent the space of the corresponding flow path. In addition, we reorganize these fields with a (source address, destination address) pair to specify a flow path space. Then, we define three kinds of spaces for representing a flow path space: (1) Incoming Space represents the original header spaces of packets that can pass through the flow path; (2) Outgoing Space represents the final header spaces of packets after they pass through the flow path; and (3) Tracked Space represents the original source address and final destination address of the header spaces of packets that can pass through the flow path. For accurately detecting firewall policy violations, the dependency relations between “allow” rules and “deny” rules in the firewall policy should be decoupled. We propose the concept of firewall authorization space, which represents the collection of all packets either allowed or denied by the firewall rules. We then introduce a space partition approach, which represents rules with header space and performs various set operations on rules, to convert a list of firewall rules into two disjoint authorization sub-spaces: denied authorization space and allowed authorization space. Once the space of a flow path and the firewall authorization space of the firewall policy are calculated, we identify violations by checking the tracked space of the flow path against the denied authorization space of the firewall policy. If these two spaces overlap, we call the overlapping space the violated space, which indicates a firewall policy violation. There are two kinds of violations: (1) Entire Violation (the denied authorization space includes the whole tracked space); and (2) Partial Violation (the denied authorization space partially includes the tracked space).
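The following is an added worked example, not code from the paper or its FlowGuard implementation. It models header space on the (source address, destination address) pair the abstract uses, carries out the space partition of an ordered first-match rule list into disjoint allowed and denied authorization spaces, derives the incoming, outgoing and tracked spaces of a flow path, and classifies a violation as none, partial or entire. The rule list, the address ranges, and the set-field rewrite on the flow path are constructed assumptions; real flow rules match on more fields than these two.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

# Constructed example: header space reduced to a (source, destination) pair.
Interval = Tuple[int, int]          # inclusive integer address range [lo, hi]


@dataclass(frozen=True)
class Box:
    """A rectangle in (source address, destination address) space."""
    src: Interval
    dst: Interval


def prefix_interval(cidr: str) -> Interval:
    net = ip_network(cidr)
    return int(net[0]), int(net[-1])


def box(src: str, dst: str) -> Box:
    return Box(prefix_interval(src), prefix_interval(dst))


def _overlap(a: Interval, b: Interval) -> Optional[Interval]:
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def intersect(a: Box, b: Box) -> List[Box]:
    s, d = _overlap(a.src, b.src), _overlap(a.dst, b.dst)
    return [Box(s, d)] if s is not None and d is not None else []


def subtract(a: Box, b: Box) -> List[Box]:
    """a minus b as at most four disjoint boxes (exact set difference)."""
    s, d = _overlap(a.src, b.src), _overlap(a.dst, b.dst)
    if s is None or d is None:
        return [a]
    out = []
    if a.src[0] < s[0]:
        out.append(Box((a.src[0], s[0] - 1), a.dst))   # sources below b
    if s[1] < a.src[1]:
        out.append(Box((s[1] + 1, a.src[1]), a.dst))   # sources above b
    if a.dst[0] < d[0]:
        out.append(Box(s, (a.dst[0], d[0] - 1)))       # destinations below b
    if d[1] < a.dst[1]:
        out.append(Box(s, (d[1] + 1, a.dst[1])))       # destinations above b
    return out


def space_subtract(space: List[Box], b: Box) -> List[Box]:
    return [piece for a in space for piece in subtract(a, b)]


def space_intersect(space: List[Box], other: List[Box]) -> List[Box]:
    return [piece for a in space for o in other for piece in intersect(a, o)]


def authorization_spaces(rules):
    """Space partition: ordered (action, Box) rules under first-match semantics
    become two disjoint spaces. Each rule keeps only the part of its header
    space not matched by an earlier rule, which removes the allow/deny
    dependency between rules."""
    allowed, denied, covered = [], [], []
    for action, rule_box in rules:
        remaining = [rule_box]
        for earlier in covered:
            remaining = space_subtract(remaining, earlier)
        (allowed if action == "allow" else denied).extend(remaining)
        covered.append(rule_box)
    return allowed, denied


def flow_path_spaces(incoming: Box, set_src: Optional[str] = None,
                     set_dst: Optional[str] = None):
    """Incoming, outgoing and tracked space of a flow path whose rules may
    rewrite the source or destination (hypothetical set-field actions)."""
    outgoing = Box(prefix_interval(set_src) if set_src else incoming.src,
                   prefix_interval(set_dst) if set_dst else incoming.dst)
    tracked = Box(incoming.src, outgoing.dst)   # original src, final dst
    return incoming, outgoing, tracked


def check_violation(tracked: Box, denied: List[Box]):
    """Returns ('none' | 'partial' | 'entire', violated_space)."""
    violated = space_intersect([tracked], denied)
    if not violated:
        return "none", []
    leftover = [tracked]
    for d in denied:
        leftover = space_subtract(leftover, d)
    return ("entire" if not leftover else "partial"), violated


# Constructed firewall policy (first match wins).
RULES = [
    ("allow", box("10.0.0.0/24", "10.0.1.0/24")),   # one subnet may reach the servers
    ("deny",  box("10.0.0.0/16", "10.0.1.0/24")),   # the rest of the site may not
    ("allow", box("0.0.0.0/0",   "0.0.0.0/0")),     # default allow
]


def demo():
    _, denied = authorization_spaces(RULES)
    # A flow path that rewrites the source to an allowed address: its outgoing
    # space looks permitted, but its tracked space exposes the violation.
    _, outgoing, tracked = flow_path_spaces(
        box("10.0.5.0/24", "10.0.1.10/32"), set_src="10.0.0.5/32")
    return {
        "outgoing": check_violation(outgoing, denied)[0],
        "tracked": check_violation(tracked, denied)[0],
        "partial": check_violation(box("10.0.0.0/23", "10.0.1.10/32"), denied)[0],
        "clean": check_violation(box("192.168.1.0/24", "10.0.1.0/24"), denied)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Checking the outgoing space alone reports no violation for the rewriting path, while the tracked space reports an entire violation; this is the reason the abstract tracks the original source together with the final destination rather than the packet header at the end of the path.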


Similar sources

Towards Secured Firewalls for Software Defined Networks

Software-Defined Networking (SDN) offers programmers network-wide visibility and direct control over the underlying switches from a logically-centralized controller. SDN provides a promising way for the future development of Internet. SDN, however, also has some new security challenges. A critical challenge among them is how to build a reliable firewall application for SDN. Due to the stateless...


Implementation and Performance Analysis of Firewall on Open vSwitch

Software Defined Networking (SDN) is a current research trend that follows the ideology of physical separation of the control and data plane of the forwarding devices. SDN mainly advocates with two types of devices: (1) Controllers, that implement the control plane and (2) Switches, that perform the data plane operations. OpenFlow protocol (OFP) is the current standard through which controllers...


Enabling security functions with SDN: A feasibility study

Software-defined networking (SDN) is being strongly considered as the next promising networking platform, and studies regarding SDN have been actively conducted accordingly. However, the security of SDN remains undefined and unknown when considering the enhancement of network security in SDN. In this paper, we verify whether SDN can enhance network security. Specifically, the idea of enabling s...


Software Defined Networking Reactive Stateful Firewall

Network security is a crucial issue of Software Defined Networking (SDN). It is probably, one of the key features for the success and for the future pervasion of the SDN technology. In this perspective, we propose a SDN reactive stateful firewall. Our solution is integrated into the SDN architecture. It filters TCP communications according to the network security policies. It records and proces...


On the Safety and Efficiency of Virtual Firewall Elasticity Control

Traditional hardware-based firewall appliances are placed at fixed locations with fixed capacity. Such nature makes them difficult to protect today’s prevailing virtualized environments. Two emerging networking paradigms, Network Function Virtualization (NFV) and Software-Defined Networking (SDN), offer the potential to address these limitations. NFV envisions to implement firewall function as ...



Journal title:

Volume   Issue 

Pages  -

Publication date 2014