A Proactive Stateful Firewall for Software Defined Networking

  • Conference paper
  • Risks and Security of Internet and Systems (CRiSIS 2016)
  • Part of the book series: Lecture Notes in Computer Science (LNISA, volume 10158)

Abstract

Security solutions in conventional networks are complex and costly because of the lack of abstraction, the rigidity and the heterogeneity of the network architecture. In Software Defined Networking (SDN), however, flexible, reprogrammable, robust and cost-effective security solutions can be built on top of the architecture. In this context, we propose an SDN proactive stateful Firewall. Our solution is completely integrated into the SDN environment and is compliant with the OpenFlow (OF) protocol. The proposed Firewall is the first implemented stateful SDN Firewall. It uses a proactive logic to mitigate some fingerprinting and DoS attacks. Furthermore, it improves network performance by steering network communications so that they fulfil the network protocol's FSM (Finite State Machine). In addition, an Orchestrator layer is integrated into the Firewall to manage the deployment of the Firewall applications; this integration empowers the interactions with the administrator and with the data plane elements. We conduct two tests to prove the validity of our concept and to show that the proposed Firewall is efficient and performant.
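The abstract's central mechanism is a firewall that tracks each connection through the protocol's FSM and refuses to forward packets that do not fit the connection's current state, together with proactive limits against fingerprinting probes and DoS. The following Python sketch is an added illustration of that idea in a host-level form; it is not the paper's code and does not reproduce its OpenFlow or Orchestrator layers. It assumes a simplified TCP state machine (SYN_SENT, SYN_RECEIVED, ESTABLISHED, FIN_WAIT, LAST_ACK), a per-source budget of half-open handshakes, and a constructed packet trace; all addresses and ports are made up.

```python
"""Stateful TCP firewall sketch: a connection table driven by a simplified
TCP FSM. Packets that are not valid in the connection's current state are
dropped instead of forwarded. Added example, not the paper's implementation."""
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    SYN_SENT = 1      # client SYN seen, waiting for the server's SYN/ACK
    SYN_RECEIVED = 2  # SYN/ACK seen, waiting for the client's final ACK
    ESTABLISHED = 3
    FIN_WAIT = 4      # one side sent FIN; data may still flow the other way
    LAST_ACK = 5      # both FINs seen, waiting for the final ACK


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

    def key(self):
        # Direction-independent connection identifier.
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})


class StatefulFirewall:
    def __init__(self, allowed_ports, max_half_open=2):
        self.allowed_ports = set(allowed_ports)   # services reachable from outside
        self.max_half_open = max_half_open         # pending handshakes per source IP
        self.conns = {}                            # key -> (State, client endpoint)
        self.half_open = defaultdict(int)          # source IP -> pending handshakes

    def process(self, pkt):
        """Return "ALLOW" or "DROP" for one packet and update the state table."""
        key, sender, f = pkt.key(), (pkt.src, pkt.sport), pkt.flags
        entry = self.conns.get(key)
        if entry is None:
            # Only a bare SYN to a permitted service may open state; stray ACK,
            # FIN or SYN/ACK probes with no connection are never forwarded.
            if f == {"SYN"} and pkt.dport in self.allowed_ports \
                    and self.half_open[pkt.src] < self.max_half_open:
                self.conns[key] = (State.SYN_SENT, sender)
                self.half_open[pkt.src] += 1
                return "ALLOW"
            return "DROP"
        state, client = entry
        from_client = sender == client
        if "RST" in f:                 # abort: tear down state, forward the reset
            self._close(key)
            return "ALLOW"
        if state is State.SYN_SENT:
            if not from_client and f == {"SYN", "ACK"}:
                self.conns[key] = (State.SYN_RECEIVED, client)
                return "ALLOW"
            return "DROP"
        if state is State.SYN_RECEIVED:
            if from_client and "ACK" in f and "SYN" not in f:
                self.conns[key] = (State.ESTABLISHED, client)
                self.half_open[client[0]] -= 1   # handshake completed
                return "ALLOW"
            return "DROP"
        if "SYN" in f:                 # a SYN inside an open connection is invalid
            return "DROP"
        if state is State.ESTABLISHED:
            if "FIN" in f:
                self.conns[key] = (State.FIN_WAIT, client)
            return "ALLOW"
        if state is State.FIN_WAIT:
            if "FIN" in f:
                self.conns[key] = (State.LAST_ACK, client)
            return "ALLOW"
        if state is State.LAST_ACK and f == {"ACK"}:
            self._close(key)
            return "ALLOW"
        return "DROP"

    def _close(self, key):
        state, client = self.conns.pop(key)
        if state in (State.SYN_SENT, State.SYN_RECEIVED):
            self.half_open[client[0]] -= 1


def demo_trace():
    """Constructed trace (not captured traffic): one legitimate connection,
    then several out-of-state packets and a burst of half-open SYNs."""
    C, S, A = "10.0.0.5", "10.0.0.80", "10.0.0.66"   # client, server, other host

    def p(src, sport, dst, dport, *flags):
        return Packet(src, sport, dst, dport, frozenset(flags))

    fw = StatefulFirewall(allowed_ports={80}, max_half_open=2)
    packets = [
        p(C, 40000, S, 80, "SYN"), p(S, 80, C, 40000, "SYN", "ACK"),
        p(C, 40000, S, 80, "ACK"), p(C, 40000, S, 80, "PSH", "ACK"),  # handshake + data
        p(A, 5555, S, 80, "ACK"),              # ACK with no state: dropped
        p(A, 5556, S, 80, "SYN", "ACK"),       # unsolicited SYN/ACK: dropped
        p(A, 5557, S, 22, "SYN"),              # service not exposed: dropped
        p(A, 6001, S, 80, "SYN"), p(A, 6002, S, 80, "SYN"),
        p(A, 6003, S, 80, "SYN"),              # third pending handshake: dropped
        p(C, 40000, S, 80, "FIN", "ACK"), p(S, 80, C, 40000, "FIN", "ACK"),
        p(C, 40000, S, 80, "ACK"),             # orderly close completes
        p(S, 80, C, 40000, "ACK"),             # state gone: dropped
    ]
    return [fw.process(x) for x in packets]


if __name__ == "__main__":
    print(demo_trace())
```

Because decisions are made on state rather than on a per-packet flag pattern, a probe that relies on how a host answers an out-of-state segment never reaches that host, which is the fingerprinting mitigation the abstract alludes to; the half-open budget is the corresponding DoS limit. A production deployment would add per-connection timeouts and sequence-number checks, which this sketch omits.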



Corresponding author: Salaheddine Zerkane.


Copyright information

© 2017 Springer International Publishing AG

Cite this paper

Zerkane, S., Espes, D., Le Parc, P., Cuppens, F. (2017). A Proactive Stateful Firewall for Software Defined Networking. In: Cuppens, F., Cuppens, N., Lanet, J.L., Legay, A. (eds) Risks and Security of Internet and Systems. CRiSIS 2016. Lecture Notes in Computer Science, vol 10158. Springer, Cham. https://doi.org/10.1007/978-3-319-54876-0_10

  • DOI: https://doi.org/10.1007/978-3-319-54876-0_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-54875-3

  • Online ISBN: 978-3-319-54876-0

  • eBook Packages: Computer Science (R0)
