
Maintaining Consistent Firewalls and Flows (CFF) in Software-Defined Networks

Chapter in: Smart Network Inspired Paradigm and Approaches in IoT Applications

Abstract

The software-defined networking (SDN) paradigm brings great flexibility to the network by decoupling the control plane from the data plane. However, one of the major security challenges in SDN is maintaining consistency between the firewall rules and the actual flows in the network. This chapter proposes one such scheme, consistent firewalls and flows (CFF), which safeguards the network from firewall policy violations and keeps the firewall rules and the flow tables consistent. The firewall rule table held in the SDN controller and the flow tables held in the switches that connect hosts to the network are treated as critical sections protected by semaphores. We have implemented the CFF framework to demonstrate the efficiency of the proposed scheme, and simulation results clearly show the benefits of CFF compared to the inbuilt firewall.
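The abstract only sketches the mechanism: the controller's firewall rule table and the switches' flow tables are critical sections, and every flow installation or rule change is serialised through a semaphore so that no forwarding flow can exist that the firewall policy would deny. The following Python model is an added illustration of that idea and is not code from the chapter or its authors. It assumes first-match rule semantics with a default-deny fallback, a single binary semaphore guarding both tables, and constructed sample rules and flows; the names `Rule`, `Flow` and `CFFController` are hypothetical.

```python
import threading
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    """Firewall rule held by the controller. '*' or None means 'any'."""
    src: str
    dst: str
    proto: str
    dport: Optional[int]
    action: str  # "allow" or "deny"

    def matches(self, flow: "Flow") -> bool:
        return (self.src in ("*", flow.src)
                and self.dst in ("*", flow.dst)
                and self.proto in ("*", flow.proto)
                and (self.dport is None or self.dport == flow.dport))


@dataclass(frozen=True)
class Flow:
    """Flow-table entry on a switch (constructed, simplified 5-tuple)."""
    switch: str
    src: str
    dst: str
    proto: str
    dport: int
    action: str  # "forward" or "drop"


class CFFController:
    """Keeps firewall rules and switch flow tables consistent.

    Both tables are modified only inside the critical section guarded by
    a binary semaphore (assumption: one semaphore for both tables).
    """

    def __init__(self, rules: List[Rule]) -> None:
        self.rules: List[Rule] = list(rules)           # first-match order
        self.flow_tables: Dict[str, List[Flow]] = {}   # switch id -> entries
        self.sem = threading.Semaphore(1)

    def policy_decision(self, flow: Flow) -> str:
        """First matching rule wins; no match means deny (assumption)."""
        for rule in self.rules:
            if rule.matches(flow):
                return rule.action
        return "deny"

    def _violates(self, flow: Flow) -> bool:
        # Only forwarding entries can contradict a deny rule.
        return flow.action == "forward" and self.policy_decision(flow) == "deny"

    def install_flow(self, flow: Flow) -> bool:
        """Install a flow on its switch unless it violates the firewall."""
        with self.sem:
            if self._violates(flow):
                return False
            self.flow_tables.setdefault(flow.switch, []).append(flow)
            return True

    def update_rules(self, new_rules: List[Rule]) -> List[Flow]:
        """Replace the rule table and evict flows that the new rules deny."""
        with self.sem:
            self.rules = list(new_rules)
            evicted: List[Flow] = []
            for switch, table in self.flow_tables.items():
                kept = [f for f in table if not self._violates(f)]
                evicted.extend(f for f in table if self._violates(f))
                self.flow_tables[switch] = kept
            return evicted

    def audit(self) -> List[Flow]:
        """Consistency check: forwarding flows the current rules would deny."""
        with self.sem:
            return [f for table in self.flow_tables.values()
                    for f in table if self._violates(f)]


def run_demo() -> dict:
    """Constructed scenario: allow web to 10.0.0.2, then ban host 10.0.0.1."""
    rules = [Rule("*", "10.0.0.2", "tcp", 80, "allow"),
             Rule("*", "*", "*", None, "deny")]
    ctrl = CFFController(rules)
    web = Flow("s1", "10.0.0.1", "10.0.0.2", "tcp", 80, "forward")
    ssh = Flow("s1", "10.0.0.1", "10.0.0.2", "tcp", 22, "forward")
    web_ok = ctrl.install_flow(web)        # consistent with policy
    ssh_ok = ctrl.install_flow(ssh)        # would violate the deny rule
    evicted = ctrl.update_rules([Rule("10.0.0.1", "*", "*", None, "deny")] + rules)
    return {"web_installed": web_ok, "ssh_installed": ssh_ok,
            "evicted": len(evicted), "violations_after": len(ctrl.audit())}


if __name__ == "__main__":
    print(run_demo())
```

Because `install_flow` and `update_rules` take the same semaphore, a rule change cannot interleave with a flow installation in a way that leaves a forwarding entry the new policy denies; `audit` is the check a defender would run periodically to confirm the invariant still holds.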



Author information

Corresponding author: A. Banerjee.


Copyright information

© 2019 Springer Nature Singapore Pte Ltd.

About this chapter


Cite this chapter

Banerjee, A., Akbar Hussain, D.M. (2019). Maintaining Consistent Firewalls and Flows (CFF) in Software-Defined Networks. In: Elhoseny, M., Singh, A. (eds) Smart Network Inspired Paradigm and Approaches in IoT Applications. Springer, Singapore. https://doi.org/10.1007/978-981-13-8614-5_2


  • DOI: https://doi.org/10.1007/978-981-13-8614-5_2


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-13-8613-8

  • Online ISBN: 978-981-13-8614-5

  • eBook Packages: Computer Science (R0)
