Abstract
Security solutions in conventional networks are complex and costly because the network architecture lacks abstraction and is rigid and heterogeneous. In Software Defined Networking (SDN), by contrast, flexible, reprogrammable, robust and cost-effective security solutions can be built on top of the architecture. In this context, we propose a proactive stateful SDN Firewall. Our solution is fully integrated into the SDN environment and is compliant with the OpenFlow (OF) protocol. The proposed Firewall is the first implemented stateful SDN Firewall. It uses proactive logic to mitigate certain fingerprinting and DoS attacks. Furthermore, it improves network performance by steering network communications so that they follow the protocol's Finite State Machine (FSM). In addition, an Orchestrator layer is integrated into the Firewall to manage the deployment of the Firewall applications; it mediates the interactions with the administrator and with the data plane elements. We conduct two experiments to validate the concept and to show that the proposed Firewall is both effective and efficient.
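The FSM-driven filtering the abstract describes, shown as an added example that is not the paper's implementation: a simplified TCP connection tracker (handshake, data, teardown, plus a per-source cap on half-open connections) in Python. The `Segment` and `TcpTracker` names, the state names and the sample addresses are constructed for illustration; the paper's own Firewall runs as OpenFlow controller applications and is not reproduced here.

```python
"""Stateful TCP filter driven by a simplified RFC 793 state machine.

Added illustration, not the paper's code. Every segment is matched against
the state recorded for its connection; segments whose flags make no sense in
that state are dropped. That is what silences stateless probes (FIN, NULL,
Xmas and bare-ACK scans used for fingerprinting) and, with a per-source cap on
half-open connections, blunts SYN floods. All sample segments are constructed.
"""
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class TcpTracker:
    """Connection table keyed by the initiator's 4-tuple (hypothetical design)."""

    def __init__(self, max_half_open: int = 2):
        self.conns: dict[tuple, str] = {}    # initiator 4-tuple -> state
        self.half_open: dict[str, int] = {}  # source IP -> pending handshakes
        self.max_half_open = max_half_open

    def handle(self, seg: Segment) -> str:
        """Return 'ALLOW' or 'DROP' and advance the connection state."""
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        f = seg.flags

        if fwd in self.conns:
            key, from_initiator = fwd, True
        elif rev in self.conns:
            key, from_initiator = rev, False
        else:
            # Unknown flow: only a bare SYN may open one. FIN/NULL/Xmas/ACK
            # probes against closed state get no answer at all.
            if f & (SYN | ACK | FIN | RST) != SYN:
                return "DROP"
            if self.half_open.get(seg.src, 0) >= self.max_half_open:
                return "DROP"                # SYN-flood throttle per source
            self.conns[fwd] = "SYN_SENT"
            self.half_open[seg.src] = self.half_open.get(seg.src, 0) + 1
            return "ALLOW"

        state = self.conns[key]
        if f & RST:                          # abort is valid in any state
            self._close(key, state)
            return "ALLOW"

        if state == "SYN_SENT":
            if from_initiator and f & (SYN | ACK) == SYN:
                return "ALLOW"               # SYN retransmit
            if not from_initiator and f & (SYN | ACK) == SYN | ACK:
                self.conns[key] = "SYN_RECV"
                return "ALLOW"
        elif state == "SYN_RECV":
            if from_initiator and f & (SYN | ACK | FIN) == ACK:
                self.conns[key] = "ESTABLISHED"
                self.half_open[key[0]] -= 1  # handshake completed
                return "ALLOW"
            if not from_initiator and f & (SYN | ACK) == SYN | ACK:
                return "ALLOW"               # SYN-ACK retransmit
        elif state in ("ESTABLISHED", "FIN_WAIT"):
            if f & (SYN | ACK) == ACK:       # every later segment carries ACK
                if f & FIN:
                    if state == "ESTABLISHED":
                        self.conns[key] = "FIN_WAIT"
                    else:
                        self._close(key, state)  # second FIN: teardown done
                return "ALLOW"
        return "DROP"                        # out-of-state segment

    def _close(self, key: tuple, state: str) -> None:
        if state in ("SYN_SENT", "SYN_RECV"):
            self.half_open[key[0]] -= 1      # pending handshake abandoned
        del self.conns[key]
```

The tracker is deliberately asymmetric: the first bare SYN pins down who the initiator is, so a later segment is interpreted relative to that role, which is what lets it reject an unsolicited SYN-ACK or a data segment sent before the handshake completes. In a real deployment the state table also needs timeouts, otherwise an attacker who never completes handshakes still pins the per-source counter at its cap.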
© 2017 Springer International Publishing AG
Cite this paper
Zerkane, S., Espes, D., Le Parc, P., Cuppens, F. (2017). A Proactive Stateful Firewall for Software Defined Networking. In: Cuppens, F., Cuppens, N., Lanet, JL., Legay, A. (eds) Risks and Security of Internet and Systems. CRiSIS 2016. Lecture Notes in Computer Science(), vol 10158. Springer, Cham. https://doi.org/10.1007/978-3-319-54876-0_10
DOI: https://doi.org/10.1007/978-3-319-54876-0_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-54875-3
Online ISBN: 978-3-319-54876-0