Firewall Implementations in Software-Defined Networking (SDN)
2024
Abstract
As the demand for agile and scalable network architectures continues to grow, Software-Defined Networking (SDN) has emerged as a transformative approach to managing and securing network environments. This paper explores the implementation of firewalls within SDN, highlighting the unique advantages and challenges presented by this paradigm shift. By leveraging SDN's centralized control and dynamic provisioning capabilities, organizations can deploy advanced firewall solutions that enhance visibility, flexibility, and security across their networks. We examine various SDN firewall architectures, including virtual and distributed firewalls, and discuss critical design considerations such as policy management, performance optimization, and integration with other security tools. Additionally, the paper addresses potential challenges, including security vulnerabilities and interoperability issues with legacy systems. Finally, we outline future trends in SDN firewall implementations, emphasizing the role of artificial intelligence and emerging technologies. This comprehensive analysis serves as a guide for organizations looking to modernize their network security strategies through SDN-based firewalls.
Related papers
2015 IEEE Conference on Network Function Virtualization and Software Defined Network (NFV-SDN), 2015
Network Function Virtualization (NFV) together with cloud technology enables users to request creating flexible virtual networks (VNs). Users also have specific security requirements to protect their VNs. Especially, due to changeable network perimeters, constant VM migrations, and user-centric security needs, VNs require new security features that traditional firewalls fail to provide, because traditional firewalls rely greatly on restricted network topology and entry points to provide effective security protection. To address this challenge, we propose VNGuard, a framework for effective provision and management of virtual firewalls to safeguard VNs, leveraging features provided by NFV and Software Defined Networking (SDN). VNGuard defines a high-level firewall policy language, finds optimal virtual firewall placement, and adapts virtual firewalls to VN changes. To demonstrate the feasibility of our approach, we have implemented core components of VNGuard on top of ClickOS. Our experimental results demonstrate the effectiveness and efficiency of virtual firewalls built on VNGuard.
ArXiv, 2018
SDN provides a programmable command and control networking system in a multi-tenant cloud network using control and data plane separation. However, separating the control and data planes makes it difficult to incorporate some security services (e.g., firewalls) into the SDN framework. Most of the existing solutions use SDN switches as packet filters and rely on SDN controllers to implement firewall policy management functions, which is impractical for implementing stateful firewalls since SDN switches only send a session's initial packets and statistical data of flows to their controllers. For a data center networking environment, applying a Distributed FireWall (DFW) system to prevent an attacker's lateral movements is highly desired, in which designing and implementing an SDN-based Stateful DFW (SDFW) demands a scalable distributed state management solution at the data plane to track packet and flow states. Our performance results show that SDFW achieves scalable security agains...
IRJET, 2020
Software-Defined Networking (SDN) is an architecture that aims to make networks agile and flexible by introducing programmability in networks. In SDN, the functionality of the network device is divided into control plane and forwarding plane. At the control plane, the SDN Controller provides APIs which can be used by the applications. It gives the forwarding logic in the form of flow rules to the OpenFlow Switches, at the forwarding plane, to forward the packets. We propose to implement a centralized firewall for SDN which will get the network details from the SDN Controller, analyze it, and will push the rules to the SDN controller using RESTful APIs.
Applied Mathematics & Information Sciences, 2018
Software-Defined Network (SDN) is a network technology aimed to open new possibilities in network management and orchestration. This is important in future (especially mobile) networks, where virtualization of resources and network functions is the basic paradigm. SDN has been proposed to programmatically control networks, facilitating deployment of new applications and services, as well as tuning network policy and performance. It represents an important change in the way networks are architected, built, and managed. In this new networking paradigm, a network control plane is physically decoupled from a forwarding plane and is directly programmable. In SDN networks, the control plane supports a logically centralized controller which has a global view of the entire network; it gathers information from the data plane to be processed by the management tasks which are implemented as applications running on the top of the controller. Based on the global view, these applications make packets processing decisions and distribute them to the data plane via the controller. However, security of such networks with their programmability and centralized points of control is not currently ensured on a sufficient level. In this paper, we present the concept of a new security system for SDN-based networks, which can be easily integrated with the existing network infrastructure as well as can provide security of all network components. It consists of two main subsystems: the network authentication and access control system to protect the network control and the distributed firewall system to protect data transmission. Such a system enables creating additional boundaries within the network to provide a multi-plane system of defense, solves the problem of a single point of failure, and makes it easy to protect the network from external attacks as well as from internal malicious users.
Journal of Network and Computer Applications, 2019
Software Defined Networking (SDN) has emerged as a new networking paradigm for managing different kinds of networks ranging from enterprise to home network through software enabled control. The logically centralized control plane and programmability offers a great opportunity to improve network security, like implementing new mechanisms to detect and mitigate various threats, as well as enables deploying security as a service on the SDN controller. Due to the increasing and fast development of SDN, this paper provides an extensive survey on the application of SDN on enhancing the security of computer networks. In particular, we survey recent research studies that focus on applying SDN for network security including attack detection and mitigation, traffic monitoring and engineering, configuration and policy management, service chaining, and middlebox deployment, in addition to smart grid security. We further identify some challenges and promising future directions on SDN security, compatibility and scalability issues that should be addressed in this field.
International Journal of Computer Sciences and Engineering, 2019
A firewall is a critical security appliance for the mitigation of security attacks not only in the traditional network, but also in software-defined networking (SDN). Previous firewall applications over an SDN controller are implemented with one of two firewall concepts: centralized firewall and distributed firewall. The centralized firewall method incurs a controller overhead problem, as the controller acts as a centralized firewall which maintains firewall rules and filters out the traffic. The distributed firewall method comes with complicated firewall configuration, additional cost in rule maintenance in each switch, and less sensitivity to the topology. This system proposes a firewall rules installation based on a topology-aware selectively distributed stateful firewall with a source-based DoS attack defense mechanism. The purpose of this system is to overcome not only the performance issues but also security issues. This paper finally shows that the stateful firewall application can not only track the TCP flow, but also reduce latency plus table lookup time up to 16% in long-lived flows and 50% in short-lived flows. Moreover, from the security perspective, the accuracy of the DoS detection and mitigation of the stateful firewall application is 98.93% for SYN flooding attacks and 92.09% for UDP flooding attacks.
Firewalls are network devices which enforce an organization's security policy. Since their development, various methods have been used to implement firewalls. These methods filter network traffic at one or more of the seven layers of the ISO network model, most commonly at the application, transport, network, and data-link levels. In addition, researchers have developed some newer methods, such as protocol normalization and distributed firewalls, which have not yet been widely adopted. Firewalls involve more than the technology to implement them. Specifying a set of filtering rules, known as a policy, is typically complicated and error-prone. High-level languages have been developed to simplify the task of correctly defining a firewall's policy. Once a policy has been specified, the firewall needs to be tested to determine if it actually implements the policy correctly. Little work exists in the area of firewall theory; however, this article summarizes what exists. Because some data must be able to pass in and out of a firewall, in order for the protected network to be useful, not all attacks can be stopped by firewalls. Some emerging technologies, such as Virtual Private Networks (VPN) and peer-to-peer networking, pose new challenges for firewalls.
Software defined networking is an emerging network architecture with a promising future in the networking field. It is dynamic, manageable, cost-effective, and adaptable networking where the control and data planes are decoupled, and the control plane is centrally located to control the application and data planes. OpenFlow is an example of a Software Defined Networking (SDN) Southbound interface, which provides an open standards-based interface between the SDN controller and the data plane to control how data packets are forwarded through the network. As a result of rapid changes in networking, network programmability and control logic centralization capabilities introduce new fault and easily attacked planes, which open doors for threats that did not exist before or were harder to exploit. This paper proposes an SDN architecture with some level of security control; this will provide a secured SDN paradigm with a machine learning white/black list, where user applications can be easily tested and grouped as malicious attack or legitimate packets. Keywords - Software Defined Networking (SDN); OpenFlow; Flow table; Security control; white/black list. http://sites.google.com/site/ijcsis/ ISSN 1947-5500
Design Engineering, 2021
As a novel approach to network management and control, SDN, that is, Software Defined Networking, is gaining traction quickly. In the advancement of network security, logical centralization of network intelligence is a fascinating challenge and an important opportunity. With it, new methods to combat, detect, and respond to threats can be developed, and new security services and applications can be created that leverage SDN capabilities. In this article, we carry out a detailed analysis of current and future studies that apply SDN to security, and highlight several interesting areas of future study that might be of interest to those looking to help in that field.
The existing networking devices (switches) are complex because they have the control plane and the data forwarding plane intertwined in the same device. This affects network performance in terms of delayed delivery and repeated functionality. The proposed network software system gives a technique to separate the control functionality from the forwarding functionality in such devices, which results in efficient network communication. OpenFlow, one of the techniques of Software Defined Network technology, is a new approach to networking and its key attribute is the separation of the data and control planes. With OpenFlow, a researcher or network administrator can introduce a new capability by writing a simple software program that manipulates the logical map of a slice of the network. The rest is taken care of by the network operating system. In addition, in the proposed system an OpenFlow switch is used in network systems as a firewall, which improves network performance.