FLOWGUARD

Building robust firewalls for software-defined networks

Hongxin Hu, Wonkyu Han, Gail-Joon Ahn, Ziming Zhao

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

141 Citations (Scopus)

Abstract

Software-Defined Networking (SDN) introduces significant granularity, visibility and flexibility to networking, but at the same time brings forth new security challenges. One of the fundamental challenges is to build robust firewalls for protecting OpenFlow-based networks where network states and traffic are frequently changed. To address this challenge, we introduce FlowGuard, a comprehensive framework, to facilitate not only accurate detection but also effective resolution of firewall policy violations in dynamic OpenFlow-based networks. FlowGuard checks network flow path spaces to detect firewall policy violations when network states are updated. In addition, FlowGuard conducts automatic and real-time violation resolutions with the help of several innovative resolution strategies designed for diverse network update situations. We also implement our framework and demonstrate the efficacy and efficiency of the proposed detection and resolution approaches in FlowGuard through experiments with a real-world network topology.

Original language: English (US)
Title of host publication: HotSDN 2014 - Proceedings of the ACM SIGCOMM 2014 Workshop on Hot Topics in Software Defined Networking
Publisher: Association for Computing Machinery
Pages: 97-102
Number of pages: 6
ISBN (Print): 9781450329897
DOI: https://doi.org/10.1145/2620728.2620749
State: Published - 2014
Event: 3rd ACM SIGCOMM 2014 Workshop on Hot Topics in Software Defined Networking, HotSDN 2014 - Chicago, IL, United States
Duration: Aug 22 2014 → Aug 22 2014

Other

Other: 3rd ACM SIGCOMM 2014 Workshop on Hot Topics in Software Defined Networking, HotSDN 2014
Country: United States
City: Chicago, IL
Period: 8/22/14 → 8/22/14

Fingerprint

Computer system firewalls
Visibility
Topology
Experiments
Software defined networking

Keywords

  • firewalls
  • openflow
  • security
  • software-defined networking

ASJC Scopus subject areas

  • Computer Graphics and Computer-Aided Design
  • Computer Vision and Pattern Recognition
  • Human-Computer Interaction
  • Software

Cite this

Hu, H., Han, W., Ahn, G-J., & Zhao, Z. (2014). FLOWGUARD: Building robust firewalls for software-defined networks. In HotSDN 2014 - Proceedings of the ACM SIGCOMM 2014 Workshop on Hot Topics in Software Defined Networking (pp. 97-102). Association for Computing Machinery. https://doi.org/10.1145/2620728.2620749
