Towards a Reliable SDN Firewall
Authors
Abstract
fields, which are needed for checking firewall policy violations, from the pattern expression of a flow rule to represent the space of the corresponding flow path. In addition, we reorganize these fields into a (source address, destination address) pair to specify a flow path space. We then define three kinds of spaces for representing a flow path space: (1) the Incoming Space represents the original header spaces of packets that can pass through the flow path; (2) the Outgoing Space represents the final header spaces of those packets after they have passed through the flow path; and (3) the Tracked Space represents the original source address and the final destination address of the header spaces of packets that can pass through the flow path. To detect firewall policy violations accurately, the dependency relations between "allow" rules and "deny" rules in the firewall policy must be decoupled. We propose the concept of a firewall authorization space, which represents the collection of all packets either allowed or denied by the firewall rules. We then introduce a space partition approach, which represents rules as header spaces and performs set operations on them, to convert an ordered list of firewall rules into two disjoint authorization sub-spaces: the denied authorization space and the allowed authorization space. Once the space of a flow path and the firewall authorization space of the firewall policy have been calculated, we identify violations by checking the tracked space of the flow path against the denied authorization space of the firewall policy. If these two spaces overlap, we call the overlapping space the violated space, and it indicates a firewall policy violation. There are two kinds of violations: (1) Entire Violation (the denied authorization space includes the whole tracked space); and (2) Partial Violation (the denied authorization space includes only part of the tracked space).
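The following is an added, self-contained sketch of the check the abstract describes; it is not code from the paper or its authors. It assumes a constructed toy header of 4 source-address bits followed by 4 destination-address bits, written as ternary strings over '0', '1' and 'x' (wildcard), so that the header-space set operations stay readable. The names `Rule`, `Hop`, `partition`, `flow_path_spaces` and `check_violation` are the example's own. It partitions a first-match rule list into disjoint allowed and denied authorization spaces, derives the incoming, outgoing and tracked space of a flow path (including a destination rewrite along the path), and classifies the overlap with the denied space as an entire or partial violation.

```python
"""Header-space sketch of firewall-policy violation detection (added example).

A packet class is a ternary string over src||dst bits: '0', '1' or 'x'.
A space is a list of such strings (a union); the functions below keep the
pieces of a space pairwise disjoint.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SRC = 4          # constructed toy header: 4 source bits ...
WIDTH = 8        # ... followed by 4 destination bits


def intersect(a: str, b: str) -> Optional[str]:
    """Bitwise intersection of two ternary strings, or None if empty."""
    out = []
    for x, y in zip(a, b):
        if x == 'x':
            out.append(y)
        elif y == 'x' or x == y:
            out.append(x)
        else:
            return None
    return ''.join(out)


def subtract(a: str, b: str) -> List[str]:
    """a \\ b as pairwise-disjoint ternary strings (empty list if a is inside b)."""
    if intersect(a, b) is None:
        return [a]
    pieces, cur = [], list(a)
    for i, (x, y) in enumerate(zip(a, b)):
        if x == 'x' and y != 'x':
            piece = cur.copy()
            piece[i] = '1' if y == '0' else '0'   # everything in a that differs at bit i
            pieces.append(''.join(piece))
            cur[i] = y                            # keep going inside b's value at bit i
    return pieces


def space_intersect(s: List[str], t: List[str]) -> List[str]:
    return [r for a in s for b in t if (r := intersect(a, b)) is not None]


def space_subtract(s: List[str], t: List[str]) -> List[str]:
    for b in t:
        s = [p for a in s for p in subtract(a, b)]
    return s


def size(space: List[str]) -> int:
    """Number of concrete headers covered by a disjoint space."""
    return sum(2 ** p.count('x') for p in space)


@dataclass
class Rule:
    src: str        # ternary over SRC bits
    dst: str        # ternary over WIDTH - SRC bits
    action: str     # 'allow' or 'deny'

    def space(self) -> str:
        return self.src + self.dst


def partition(rules: List[Rule]) -> Tuple[List[str], List[str]]:
    """First-match rule list -> (allowed space, denied space), disjoint."""
    allowed, denied, seen = [], [], []
    for r in rules:
        effective = space_subtract([r.space()], seen)   # drop what earlier rules already decided
        (allowed if r.action == 'allow' else denied).extend(effective)
        seen.append(r.space())
    return allowed, denied


@dataclass
class Hop:
    match: str                  # ternary over src||dst, matched against the current header
    rewrite: str = 'x' * WIDTH  # bits set after matching; 'x' means unchanged


def flow_path_spaces(hops: List[Hop]) -> Optional[Tuple[str, str, str]]:
    """(incoming, outgoing, tracked) spaces of a flow path, or None if no packet passes."""
    incoming = current = 'x' * WIDTH
    rewritten = set()
    for hop in hops:
        nxt = intersect(current, hop.match)
        if nxt is None:
            return None
        # a constraint on a bit that has not been rewritten also constrains the original header
        incoming = ''.join(incoming[i] if i in rewritten else nxt[i] for i in range(WIDTH))
        cur = list(nxt)
        for i, bit in enumerate(hop.rewrite):
            if bit != 'x':
                cur[i] = bit
                rewritten.add(i)
        current = ''.join(cur)
    outgoing = current
    tracked = incoming[:SRC] + outgoing[SRC:]   # original source, final destination
    return incoming, outgoing, tracked


def check_violation(tracked: str, denied: List[str]) -> Tuple[str, List[str]]:
    """Returns ('none' | 'partial' | 'entire', violated space)."""
    violated = space_intersect([tracked], denied)
    if not violated:
        return 'none', []
    remainder = space_subtract([tracked], denied)
    return ('entire' if not remainder else 'partial'), violated


# Constructed policy: host 0000 may reach subnet 1xxx, the rest of 0xxx may not, all else allowed.
POLICY = [Rule('0000', '1xxx', 'allow'), Rule('0xxx', '1xxx', 'deny'), Rule('xxxx', 'xxxx', 'allow')]
# Constructed flow paths: a direct path, and one where a middle hop rewrites the destination.
DIRECT_PATH = [Hop('00111010')]
REWRITE_PATH = [Hop('0xxx0001', rewrite='xxxx1010'), Hop('xxxx1010')]

if __name__ == '__main__':
    allowed, denied = partition(POLICY)
    for name, path in (('direct', DIRECT_PATH), ('rewrite', REWRITE_PATH)):
        _, _, tracked = flow_path_spaces(path)
        print(name, tracked, check_violation(tracked, denied))
```

The rewrite path is the case the tracked space exists for: per hop, the packet matches a destination (0001) the policy allows, yet its original source and final destination together (0xxx to 1010) fall partly inside the denied authorization space, so the check reports a partial violation; the direct path from 0011 to 1010 lies entirely inside it.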
Similar resources
Towards Secured Firewalls for Software Defined Networks
Software-Defined Networking (SDN) offers programmers network-wide visibility and direct control over the underlying switches from a logically-centralized controller. SDN provides a promising way for the future development of the Internet. SDN, however, also has some new security challenges. A critical challenge among them is how to build a reliable firewall application for SDN. Due to the stateless...
Implementation and Performance Analysis of Firewall on Open vSwitch
Software Defined Networking (SDN) is a current research trend that follows the ideology of physically separating the control and data planes of the forwarding devices. SDN mainly involves two types of devices: (1) Controllers, which implement the control plane, and (2) Switches, which perform the data plane operations. The OpenFlow protocol (OFP) is the current standard through which controllers...
Enabling security functions with SDN: A feasibility study
Software-defined networking (SDN) is being strongly considered as the next promising networking platform, and studies regarding SDN have been actively conducted accordingly. However, the security of SDN remains undefined and unknown when considering the enhancement of network security in SDN. In this paper, we verify whether SDN can enhance network security. Specifically, the idea of enabling s...
Software Defined Networking Reactive Stateful Firewall
Network security is a crucial issue for Software Defined Networking (SDN). It is probably one of the key features for the success and future pervasion of the SDN technology. In this perspective, we propose an SDN reactive stateful firewall. Our solution is integrated into the SDN architecture. It filters TCP communications according to the network security policies. It records and proces...
On the Safety and Efficiency of Virtual Firewall Elasticity Control
Traditional hardware-based firewall appliances are placed at fixed locations with fixed capacity. This nature makes it difficult for them to protect today's prevailing virtualized environments. Two emerging networking paradigms, Network Function Virtualization (NFV) and Software-Defined Networking (SDN), offer the potential to address these limitations. NFV envisions implementing the firewall function as ...