Towards a reliable firewall for software-defined networks

Hongxin Hu, Wonkyu Han, Sukwha Kyung, Juan Wang, Gail-Joon Ahn, Ziming Zhao, Hongda Li

Research output: Contribution to journal › Article

Abstract

Software-Defined Networking (SDN) is an emerging paradigm in networking in which the network control plane is decoupled from the forwarding plane through programmable control. OpenFlow, the most popular SDN platform, introduces significant granularity, visibility and flexibility to networking, but at the same time brings forth new security challenges. One of the fundamental challenges is to build a reliable firewall for protecting OpenFlow networks, where network states and traffic change frequently. To address this challenge, we introduce FLOWMON, an OpenFlow-based firewall that supports network-wide access control by facilitating not only accurate violation detection but also effective violation resolution in dynamic OpenFlow networks. FLOWMON detects firewall policy violations by checking the flow path space against the firewall authorization space whenever a flow entry or firewall rule is inserted, modified, or deleted. In particular, FLOWMON conducts automatic and real-time violation resolution with the help of several innovative resolution strategies applied to diverse network update situations. We also implement a prototype of FLOWMON in Floodlight. Our experimental results demonstrate that FLOWMON effectively addresses violations in a real-world network topology and produces manageable performance overhead with effective violation detection and resolution.
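To make the checking step in the abstract concrete, the following is an added toy model; it is not code from the paper or from FLOWMON. Header space is reduced to (source prefix, destination prefix) pairs, a flow path is traced hop by hop through switch flow tables while applying set-field rewrites, and the space that reaches a host is intersected with the firewall's denied authorization space. The check runs as an event handler on a flow-entry insertion, and the only resolution shown (rolling the update back) is an assumption for illustration, since the abstract names no specific strategy. The function names, the simplified first-match firewall semantics, and the sample topology, rules and entries are all constructed here.

```python
# Added illustration of the flow-path-space vs. authorization-space check.
# Not FLOWMON's code: header space is reduced to (src prefix, dst prefix) pairs
# and every name, rule and switch below is constructed for the example.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Tuple

Space = Tuple[IPv4Network, IPv4Network]        # (source prefix, destination prefix)


def intersect(a: Space, b: Space) -> Optional[Space]:
    """Intersection of two (src, dst) prefix pairs, or None when they are disjoint."""
    out = []
    for x, y in zip(a, b):
        if x.subnet_of(y):
            out.append(x)
        elif y.subnet_of(x):
            out.append(y)
        else:
            return None
    return out[0], out[1]


@dataclass(frozen=True)
class FirewallRule:
    src: IPv4Network
    dst: IPv4Network
    action: str                 # "allow" or "deny"; first match wins, default allow


@dataclass(frozen=True)
class FlowEntry:
    switch: str
    match: Space
    output: str                                # next switch id, or "host" for delivery
    set_src: Optional[IPv4Network] = None      # optional header-rewrite actions
    set_dst: Optional[IPv4Network] = None


def denied_region(space: Space, rules: List[FirewallRule]) -> Optional[Space]:
    """Part of `space` inside the firewall's denied authorization space, or None.
    Simplification: a deny hit is treated as shadowed only when a single earlier
    allow rule covers all of it; full header-space subtraction is omitted."""
    for i, rule in enumerate(rules):
        if rule.action != "deny":
            continue
        hit = intersect(space, (rule.src, rule.dst))
        if hit is None:
            continue
        shadowed = any(r.action == "allow" and intersect(hit, (r.src, r.dst)) == hit
                       for r in rules[:i])
        if not shadowed:
            return hit
    return None


def trace(tables: Dict[str, List[FlowEntry]], switch: str, space: Space,
          orig_src: IPv4Network, path: Tuple[str, ...] = ()) -> List[Tuple[Tuple[str, ...], Space]]:
    """Flow path space: follow every flow entry the header space can match and return
    (path, effective space) at each delivery point. The effective space pairs the
    ORIGINAL source with the CURRENT destination, so a rewrite can neither launder a
    denied sender nor steer an allowed flow onto a denied host. Entry priorities are
    ignored: every matching entry is explored, which over-approximates reachability."""
    if switch in path:                         # forwarding loop: nothing delivered here
        return []
    found = []
    for fe in tables.get(switch, []):
        hit = intersect(space, fe.match)
        if hit is None:
            continue
        cur = (hit[0] if fe.set_src is None else fe.set_src,
               hit[1] if fe.set_dst is None else fe.set_dst)
        if fe.output == "host":
            found.append((path + (switch,), (orig_src, cur[1])))
        else:
            found.extend(trace(tables, fe.output, cur, orig_src, path + (switch,)))
    return found


def detect(tables, rules, ingress: List[Tuple[str, Space]]) -> List[dict]:
    """Check every path reachable from the ingress points against the firewall."""
    violations = []
    for sw, space in ingress:
        for path, eff in trace(tables, sw, space, orig_src=space[0]):
            bad = denied_region(eff, rules)
            if bad is not None:
                violations.append({"path": path, "denied": bad})
    return violations


def install(tables, rules, ingress, entry: FlowEntry) -> Tuple[bool, List[dict]]:
    """Flow-entry insertion event: add tentatively, re-check, and roll the update back
    if it opens a violation (one simple resolution, assumed here for illustration)."""
    tables.setdefault(entry.switch, []).append(entry)
    found = detect(tables, rules, ingress)
    if found:
        tables[entry.switch].remove(entry)
        return False, found
    return True, []


N = ip_network
RULES = [FirewallRule(N("10.0.0.0/24"), N("10.0.1.5/32"), "deny")]   # constructed: lab subnet must not reach server
TABLES = {                                                          # constructed two-switch topology
    "s1": [FlowEntry("s1", (N("10.0.0.0/24"), N("10.0.2.0/24")), output="s2")],
    "s2": [FlowEntry("s2", (N("0.0.0.0/0"), N("10.0.2.0/24")), output="host")],
}
INGRESS = [("s1", (N("10.0.0.0/24"), N("0.0.0.0/0")))]
# Constructed bad update: rewrite traffic bound for a permitted host onto the denied server.
REDIRECT = FlowEntry("s2", (N("0.0.0.0/0"), N("10.0.2.9/32")), output="host", set_dst=N("10.0.1.5/32"))

if __name__ == "__main__":
    print("baseline violations:", detect(TABLES, RULES, INGRESS))
    accepted, why = install(TABLES, RULES, INGRESS, REDIRECT)
    print("redirect accepted:", accepted, "violations:", why)
```

The baseline tables produce no violation; inserting REDIRECT is caught because the effective space keeps the original lab-subnet source while the destination has been rewritten to the denied server, and the entry is rolled back. A real system would track full header bit-vectors, honour flow-entry priorities, and handle firewall-rule updates as well as flow-entry updates; the model above only shows why the check has to follow rewrites rather than inspect the original header alone.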

Original language: English (US)
Article number: 101597
Journal: Computers and Security
Volume: 87
DOI: 10.1016/j.cose.2019.101597
State: Published - Nov 1 2019

Keywords

  • Firewalls
  • Network security
  • Openflow
  • Policy violation
  • Software-Defined networking

ASJC Scopus subject areas

  • Computer Science(all)
  • Law

Cite this

Towards a reliable firewall for software-defined networks. / Hu, Hongxin; Han, Wonkyu; Kyung, Sukwha; Wang, Juan; Ahn, Gail-Joon; Zhao, Ziming; Li, Hongda.
In: Computers and Security, Vol. 87, 101597, 01.11.2019.

Hu, Hongxin; Han, Wonkyu; Kyung, Sukwha; Wang, Juan; Ahn, Gail-Joon; Zhao, Ziming; Li, Hongda. / Towards a reliable firewall for software-defined networks. In: Computers and Security. 2019; Vol. 87.
@article{9fb659f56c5d4bb2998e00d43cac2d40,
title = "Towards a reliable firewall for software-defined networks",
abstract = "Software-Defined Networking (SDN) is an emerging paradigm in networking where network control plane is decoupled from forwarding plane through programmable control. OpenFlow – the most popular SDN platform – introduces significant granularity, visibility and flexibility to networking, but at the same time brings forth new security challenges. One of the fundamental challenges is to build a reliable firewall for protecting OpenFlow networks where network states and traffic are frequently changed. To address this challenge, we introduce FLOWMON, an OpenFlow-based firewall, to support network-wide access control by facilitating not only accurate violation detection but also effective violation resolution in dynamic OpenFlow networks. FLOWMON detects firewall policy violations by checking flow path space against firewall authorization space when a flow entry or firewall rule is inserted, modified, or deleted. In particular, FLOWMON conducts automatic and real-time violation resolutions with the help of several innovative resolution strategies applied to diverse network update situations. We also implement a prototype of FLOWMON in Floodlight. Our experimental results demonstrate FLOWMON effectively addresses violations in a real-world network topology, and produces manageable performance overhead with effective violation detection and resolution.",
keywords = "Firewalls, Network security, Openflow, Policy violation, Software-Defined networking",
author = "Hongxin Hu and Wonkyu Han and Sukwha Kyung and Juan Wang and Gail-Joon Ahn and Ziming Zhao and Hongda Li",
year = "2019",
month = "11",
day = "1",
doi = "10.1016/j.cose.2019.101597",
language = "English (US)",
volume = "87",
journal = "Computers and Security",
issn = "0167-4048",
publisher = "Elsevier Limited",

}

TY - JOUR
T1 - Towards a reliable firewall for software-defined networks
AU - Hu, Hongxin
AU - Han, Wonkyu
AU - Kyung, Sukwha
AU - Wang, Juan
AU - Ahn, Gail-Joon
AU - Zhao, Ziming
AU - Li, Hongda
PY - 2019/11/1
Y1 - 2019/11/1
N2 - Software-Defined Networking (SDN) is an emerging paradigm in networking where network control plane is decoupled from forwarding plane through programmable control. OpenFlow – the most popular SDN platform – introduces significant granularity, visibility and flexibility to networking, but at the same time brings forth new security challenges. One of the fundamental challenges is to build a reliable firewall for protecting OpenFlow networks where network states and traffic are frequently changed. To address this challenge, we introduce FLOWMON, an OpenFlow-based firewall, to support network-wide access control by facilitating not only accurate violation detection but also effective violation resolution in dynamic OpenFlow networks. FLOWMON detects firewall policy violations by checking flow path space against firewall authorization space when a flow entry or firewall rule is inserted, modified, or deleted. In particular, FLOWMON conducts automatic and real-time violation resolutions with the help of several innovative resolution strategies applied to diverse network update situations. We also implement a prototype of FLOWMON in Floodlight. Our experimental results demonstrate FLOWMON effectively addresses violations in a real-world network topology, and produces manageable performance overhead with effective violation detection and resolution.
AB - Software-Defined Networking (SDN) is an emerging paradigm in networking where network control plane is decoupled from forwarding plane through programmable control. OpenFlow – the most popular SDN platform – introduces significant granularity, visibility and flexibility to networking, but at the same time brings forth new security challenges. One of the fundamental challenges is to build a reliable firewall for protecting OpenFlow networks where network states and traffic are frequently changed. To address this challenge, we introduce FLOWMON, an OpenFlow-based firewall, to support network-wide access control by facilitating not only accurate violation detection but also effective violation resolution in dynamic OpenFlow networks. FLOWMON detects firewall policy violations by checking flow path space against firewall authorization space when a flow entry or firewall rule is inserted, modified, or deleted. In particular, FLOWMON conducts automatic and real-time violation resolutions with the help of several innovative resolution strategies applied to diverse network update situations. We also implement a prototype of FLOWMON in Floodlight. Our experimental results demonstrate FLOWMON effectively addresses violations in a real-world network topology, and produces manageable performance overhead with effective violation detection and resolution.
KW - Firewalls
KW - Network security
KW - Openflow
KW - Policy violation
KW - Software-Defined networking
UR - http://www.scopus.com/inward/record.url?scp=85072038962&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85072038962&partnerID=8YFLogxK
U2 - 10.1016/j.cose.2019.101597
DO - 10.1016/j.cose.2019.101597
M3 - Article
AN - SCOPUS:85072038962
VL - 87
JO - Computers and Security
JF - Computers and Security
SN - 0167-4048
M1 - 101597
ER -