No full-text available
To read the full-text of this research,
you can request a copy directly from the authors.
Flowtracker: A SDN Stateful Firewall Solution with Adaptive Connection Tracking and Minimized Controller Processing
Abstract
The introduction of Software Defined Networking (SDN) enables possibilities for the next generation of network where the network logic operation is separated from the constraints of underlying hardware. However, the new architecture of SDN also exposes many security risks such as controller DoS attack, configuration channel compromise. This paper analyzes the challenges of stateful firewall realization in SDN environment and presents FlowTracker - a novel stateful firewall solution focusing on maintaining the accuracy and agility of stateful firewall with reduced controller processing and communication overhead between control and data plane. The GENI test bed experiments validates FlowTracker its stateful packet tracking and acceptable level of latency increase.
... In detail, all the proposed solutions fall into two categories: centralized firewalls, and distributed firewalls, respectively. In centralized firewalls, such as [18], [19], [17], all packets are forwarded to the controller, which acts as a centralized firewall. Among its burdens, the controller checks each packet according to the rules that are maintained in its tables and decides which packet to allow and which packet to block. ...
... 2) FlowTracker: FlowTracker [19] is a stateful firewall for SDN network that reduces the workload of the controller and the communication overhead between the control plane and the data plane without renouncing the accuracy and agility of the solution. FlowTracker, implemented as software installed on the controller, is able to manage both TCP and UDP connections. ...
... Moreover, they do not provide any information enabling us to clearly infer these data-this because the focus of their solution is on the performance scalability in terms of network bandwidth. Therefore, we compare FORTRESS with FlowTracker [19] that, to the best of our knowledge, is the stateful firewall implemented on traditional SDN architecture that minimizes the data exchange between data plane and control plane. FlowTracker integrates a firewall within the controller. ...
The Software Defined Networking (SDN) paradigm decouples the logic module from the forwarding module on traditional network devices, bringing a wave of innovation to computer networks. Firewalls, as well as other security appliances, can largely benefit form this novel paradigm. Firewalls can be easily implemented by using the default OpenFlow rules, but the logic must reside in the control plane due to the dynamic nature of their rules, that cannot be handled by data plane devices. This leads to a non-negligible overhead in the communication channel between layers, as well as introducing an additional computational load on the control plane. To address the above limitations, we propose the architectural design of FORTRESS: a stateful firewall for SDN networks that leverages the stateful data plane architecture to move the logic of the firewall from the control plane to the data plane. FORTRESS can be implemented according to two different architecture design: the Stand-Alone and the Cooperative one; each one with its own peculiar advantages. We compare FORTRESS against FlowTracker, the state of the art solution for SDN firewalling, and show how our solution outperforms the competitor in terms of the number of packets exchanged between the control plane and the data plane---we require 0 packets for the Stand-Alone architecture, and just 4 for the Cooperative one. Moreover, we discuss how the adaptability, elegant and modular design, and portability of FORTRESS, contribute to make it the ideal candidate for SDN firewalling. Finally, we also provide further research directions.
... It also able to indicate whether the packet is from trusted network. These firewalls are more secure than the packet filtering and the circuit level gateways [5]. ...
... The network administrator can change any switch rules whenever it is necessary, the rule may be prioritizing, de-prioritizing or even blocking specific types of packets, access control lists management. The major control plane functions include the system configuration, management, controlling the switch and exchange/updating of table information [4,5]. The heterogeneous flow table help to form association rules. ...
... It enables multi-layer programmatic access to make network administration much more flexible and the controller provides a single interface to configure all the network elements on the network. In control plane, the instruction logic, that decides where to forward the packets, which is separated from the network elements and hence the forwarding decisions are made only at SDN Controller [5]. The remote controllers are used to manage the traffic, provide the firewall policies and secure the network by forwarding the packets for further decision with help of flow ...
Networking suffers from various security vulnerabilities in the present paradigm due to the technical difficulties like static architectural design, provider-dependent and it is economically costly. To overcome these challenges a novel paradigm concept is introduced based on dynamic control in the network as Software Defined Firewall. Software Defined Network is an emerging reprogrammable technology which helps the administrator to control the overall network, on the other hand Firewall act as a single point perimeter to protect the network from network attacks. Combination of different paradigms led to reshaping of future. Software Defined Firewall is a new network platform to manage the networks by segregating the control plane from the data plane. This separation provides a programmatic control over the network traffic by writing rules, which act as a network attack defence. Hereby the firewall policy rules are written by analysing the traffic and packet log are mined using Association rule mining techniques. Analysis of these policy rules costs for generation of efficient rule set and multiple minimum support with probability will minimize the number of rule set which will result in effective network policy management. Software Defined Firewall provides a better solution to reduce ratio of attack traffic.
... The authors suggest detailed and in-depth studies on the performance of the SDN stateful firewall with more complex network topologies and various security attacks to assess its accuracy. Flow tracker, an innovative firewall solution that strives to uphold the precision and effectiveness of a firewall while minimizing the burden on the communication and processing of controllers between the data and control planes [14]. The proposed solution includes a novel approach for installing selective flow control rules based on topology learning through machine learning techniques, adaptive monitoring of connection states for TCP and user datagram protocol connections, and non-interfering connection tracking with minimized end-to-end delay. ...
... Another study uses network function virtualization to implement a stateful firewall, which uses a set of guidelines and rules (policies) to avoid networkhazardous connectivity [498]. A firewall called FlowTracker, which is a stateful firewall with reduced controller processing and communication overhead, uses an adaptive connection tracking policy to detect and monitor network traffic [499]. Similarly, in [500], a stateful firewall is implemented in the controller to filter traffic based on the complete context of incoming packets, having a policy to evaluate the entire context of traffic flows to filter traffic. ...
Traditional networking is hardware-based, having the control plane coupled with the data plane. Software-Defined Networking (SDN), which has a logically centralized control plane, has been introduced to increase the programmability and flexibility of networks. Knowledge-Defined Networking (KDN) is an advanced version of SDN that takes one step forward by decoupling the management plane from control logic and introducing a new plane, called a knowledge plane, decoupled from control logic for generating knowledge based on data collected from the network. KDN is the next-generation architecture for self-learning, self-organizing, and self-evolving networks with high automation and intelligence. Even though KDN was introduced about two decades ago, it had not gained much attention among researchers until recently. The reasons for delayed recognition could be due to the technology gap and difficulty in direct transformation from traditional networks to KDN. Communication networks around the globe have already begun to transform from SDNs into KDNs. Machine learning models are typically used to generate knowledge using the data collected from network devices and sensors, where the generated knowledge may be further composed to create knowledge ontologies that can be used in generating rules, where rules and/or knowledge can be provided to the control, management, and application planes for use in decision-making processes, for network monitoring and configuration, and for dynamic adjustment of network policies, respectively. Among the numerous advantages that KDN brings compared to SDN, enhanced automation and intelligence, higher flexibility, and improved security stand tall. However, KDN also has a set of challenges, such as reliance on large quantities of high-quality data, difficulty in integration with legacy networks, the high cost of upgrading to KDN, etc. In this survey, we first present an overview of the KDN architecture and then discuss each plane of the KDN in detail, such as sub-planes and interfaces, functions of each plane, existing standards and protocols, different models of the planes, etc., with respect to examples from the existing literature. Existing works are qualitatively reviewed and assessed by grouping them into categories and assessing the individual performance of the literature where possible. We further compare and contrast traditional networks and SDN against KDN. Finally, we discuss the benefits, challenges, design guidelines, and ongoing research of KDNs. Design guidelines and recommendations are provided so that identified challenges can be mitigated. Therefore, this survey is a comprehensive review of architecture, operation, applications, and existing works of knowledge-defined networks.
... We conduct our experiment on mininet emulator [16] with OpenFlow version 1.3 [6] and ONOS [1] controller. Both of them are running on Dell Desktop PC with Intel(R) Core(TM) i7-4790 CPU @ 3.60 GHz, 64 bits and 4 GB memory. ...
... Efficiently, monitoring the activity of each device and connection still an ongoing issue. In [26], author has proposed FlowTracker to address the problems of the current stateful firewall (centralized) for SDN. Hu et al. [27] author have proposed FlowGaurd to address the issue of centralized firewalls (it still suffers from controllers overhead and scalability of performance issues). ...
Software-defined networks are scalable, flexible, easier to manage, and also support adaptive nature. Our objective is to focus on how machine learning can make SDN more secure and robust. The use of machine learning not only increases efficiency but also helps to take optimal decisions. This is because machine learning algorithms can monitor each layer of the SDN paradigm and provide security both at the hardware and software levels. It also keeps track of packets flow and other malicious activities. The continuous flow of packets can be utilized as a datasets to train the SDN controller. Thus, using machine learning, we can make the controller intelligent to overcome security issues in a better way as it can detect abnormal behavior of devices, flooding of packet flows, and also it makes features such as load balancing, traffic classification, firewall monitoring, and QoS even more efficient. SDN has gained attention among researchers as its integration with emerging technologies make it more interesting. For emerging networks, SDN is the best available choice, as it is flexible, scalable, programmable, reliable, robust, and secure.
... Moreover, they allow for one-direction traffic. The architectures in [47,48] use a stateful firewall. Firewalls at the control plane suffer potentially from controller overhead and scalability issues because of the amount of traffic needed to be forwarded to the controller. ...
Software Defined Networks (SDN) is a networking paradigm that separates the control plane from the forwarding plane. There is little research on structuring the SDN data plane for security. The Robust Network and Segmentation Algorithm (RNS) is an algorithm based on Product Family Algebra (PFA) that implements layered defence and segmentation strategies to segment resources towards designing secure networks. In this paper, we present an additional plane in charge of the configuration and governance of SDN data planes that we call Dynamic Configuration and Governance (DCG) plane. It is intended to give agility to dynamic networks. It implements the RNS algorithm in SDN environment. Moreover, we propose and suggest three architectures that use DCG plane. Then we assess the three architectures. The assessment results identify an architecture that is suitable for dynamic networks and another for networks that are more stable regarding changes to policy and network topology.
... Many researchers developed firewalls with different SDN controllers such as POX, NOX, Flood-Light etc. for measuring effectiveness and efficiency. Tran and Anh [13] proposed a stateful firewall solution focusing on accuracy of the mechanism with minimized controller processing. This experiment tracks TCP flow and compare latency between Flow-tracker and learning switch. ...
The evolution of Software Defined Networks (SDN) and Network Function Virtualization (NFV) introduced a revolutionary development in network architecture. SDN together with NFV provides users a platform to design flexible virtual networks (VNs) on a shared computer infrastructure. However, network administrators have specific requirements to secure this network. There are new security demands for VN such as flexible network function migrations and user-focused security system, which may not be supported by traditional firewalls. In our work we have implemented SDN and NFV based firewalls on an open source platform mininet. POX module and Click Modular Router are used to develop our firewall modules. Then we evaluated the performance of both firewalls with packet loss and throughput measurement.
... Flowtracker is a stateful firewall implemented on SDN architecture that minimizes the data exchange between data plane and control plane. It integrates a firewall within the controller [7]. The controller is a key component in SDN. ...
Software defined networking (SDN) is an architecture that provides flexibility in network. Introduction of this technology enables efficient network configuration that helps to improve network performance. By introducing controller system in firewall, it does help in controlling the network but it also introduces new issues regarding it. As we know controller is a high value target for attacker. If attacker compromises a controller then he/she can have a total control of network. Network of this type can be improved by tweaking it bit. This paper aims to review some of the issues faced in SDN based Firewall & their origins and also their different Solutions. And a comparison between solutions based on their parameters.
... Here, Orchestrator controls many SDN controllers and is responsible for deployment of secu- rity policies in the network through all available controllers. Tran and Ahn [8] introduced topology discovery in a firewall concept called FlowTracker to improvise deployment of security policies by reducing addition of redundant entries in flow table. DeCusatis and Mueller [9] used the concept of Virtualization of Firewall for Distributed Overlay Virtual Ethernet (DOVE) to se- cure communication between VMs and implemented using IBM 5000v as virtual switch with Juniper perimeter vSRX as virtual firewall. ...
In recent years, penetration of Internet in the world is significantly increased due to technologies that enabled high speed broadband services, social networking and cloud based services. There is considerable increase in the number of users getting connected and hence large amount of user's vital data are flowing over Internet attracting serious threats and possible attacks from malicious users. To secure this free-flowing data, many security solutions have been presented, validated and implemented. But the majority of them are implemented with traditional networking techniques which itself is complex and hard to manage. This techniques primarily relies on manual configuration of devices which often results in policy conflicts that compromises network's security. This problem is addressed by Software Defined Networking, which breaks vertical integration by separating the control logic and data forwarding functionality, allowing flexible network architecture, network-wide visibility, simpler network management, etc. OpenFlow is the open standard that enables secure communication between controlling devices and data forwarding devices. In this paper, we propose and validate an approach to implement network-wide firewall in SDN by exploiting capabilities of OpenFlow standard to restrict flow of malicious and suspicious traffic flow in the network.
O gerenciamento de políticas de segurança em firewalls de redes híbridas é um processo desafiador, principalmente devido a diversidade de soluções e fabricantes (e.g., Cisco NGFW, Check Point, Fortigate, IPTables), cada um com suas linguagens, interfaces e modelos de operação. Neste trabalho é proposta uma linguagem genérica para representação de políticas de segurança utilizadas em firewalls, denominada FWlang. A linguagem foi especificada para representar os seis tipos de políticas de firewalls modernos, incluindo ACL, NAT 1to1, NAT Nto1, traffic shapping, roteamento estático e filtros de URL, e implementada e incorporada à solução de gerenciamento de firewalls FWunify. A avaliação demonstra o potencial de simplificação apresentado pela linguagem, chegando a uma redução de 72% no número de termos necessários para aplicar um determinado grupo de políticas a três firewall diferentes.
Network segmentation or compartmentalization, and layered protection are two strategies that are critical in building a secure network. In the literature, layered protection has been formalized and termed as the Defense in Depth (DD) strategy. However, network segmentation has been described vaguely, and without any formal approach, thus making the secure design of large networks unwieldy. In this paper, we formally define network segmentation using a formalism based on product family algebra and guarded commands. Then we propose two algorithms that take a set of resources and their access control policies as input, and output a robust network topology and the policies of its firewalls. The firewall policies are computed based on the network segmentation formalism, and are strategically placed in the network to achieve DD. Further, we use the proposed algorithms to build Software Defined Networks (SDN), and discuss its use in dynamic networks and Internet of Things.
The numerical control separation in the Software-Defined Network (SDN) allows the control plane to have the absolute management rights of the network. As a new management plane of the SDN, once it is attacked, it will cause the entire network to face flaws. For this reason, this paper proposes a SDN control plane attack detection scheme based on deep learning, which can detect and respond to attacks on the SDN control plane in time. In this scenario, we propose a new pooling scheme that uses the TF-IDF idea to weight the characteristics of network traffic. Ultimately, our method achieved an accuracy of 99.8% in the SDN network’s traffic data set including 24 attack types.
Software Defined Networking (SDN) is an emerging paradigm that promises to resolve the limitations of the conventional network architecture.SDN and cyber security have a reciprocal relationship. In this thesis, we study and explore two aspects of this relationship. On the one hand, we study security for SDN by performing a vulnerability analysis of SDN. Such security analysis is a crucial process in identifying SDN security flaws and in measuring their impacts. It is necessary for improving SDN security and for understanding its weaknesses.On the other hand, we explore SDN for security. Such an aspect of the relationship between SDN and security focusses on the advantages that SDN brings into security.The thesis designs and implements an SDN stateful firewall that transforms the Finite State Machine of network protocols to an SDN Equivalent State Machine. Besides, the thesis evaluates SDN stateful firewall and NetFilter regarding their performance and their resistance to Syn Flooding attacks.Furthermore, the thesis uses SDN orchestration for policy enforcement. It proposes a firewall policy framework to express, assess, negotiate and deploy firewall policies in the context of SDN as a Service in the cloud.
Software defined networking (SDN) presents a new network architecture that separates the control logic of a network from its physical infrastructure. This allows for easy programmable networks without having to manually configure every network device individually. However, there are not much studies on security applications for SDN based networks. Hence, the goal of this work is to explore security possibilities by focusing on the development of a firewall prototype that maximizes the advantages of SDN. By building around the features of OpenFlow, an open SDN standard, a distributed flow-based firewall prototype was developed and tested on a simulated network through Mininet. The prototype was tested to show full functionality through ping tests in a distributed configuration without causing any delays in terms of latency.
Software-Defined Networking (SDN) is a new networking paradigm that decouples the forwarding and control planes---traditionally being coupled with one another---while adopting a logically centralized architecture aiming to increase network agility and programability. While many efforts are currently being made to standardize this emerging paradigm, careful attentions need to be paid to security at this early design stage too, rather than waiting until the technology becomes mature, thereby potentially avoiding previous pitfalls made when designing the Internet in the 80's. This article focuses on the security aspects of SDN networks. We begin by discussing the new security pros that SDN brings and by showing how some of the long-lasting issues in network security can be addressed by exploiting SDN capabilities. Then, we describe the new security threats that SDN is faced with and discuss possible techniques that can be used to prevent and mitigate such threats.
The idea of programmable networks has recently re-gained considerable momentum due to the emergence of the Software-Defined Networking (SDN) paradigm. SDN, often referred to as a "radical new idea in networking", promises to dramatically simplify network management and enable innovation through network programmability. This paper surveys the state-of-the-art in programmable networks with an emphasis on SDN. We provide a historic perspective of programmable networks from early ideas to recent developments. Then we present the SDN architecture and the OpenFlow standard in particular, discuss current alternatives for implementation and testing of SDN-based protocols and services, examine current and future SDN applications, and explore promising research directions based on the SDN paradigm.
Software defined networking (SDN) and its enabling standards, OpenFlow promise flexible and faster evolving networks, by separating the control plane from data plane so that the control plane becomes more responsive to the changes in topology, load balancing requirement, and suspicious traffics. To ever-changing security attacks, SDN also offers new potentials to handle security threats in more robust and reactive way. The previous SDN firewall proposals suffer from firewall long setup up latency and controller overhead. This paper presents a topology aware selective firewall distribution solution, which sends only necessary firewall configuration rules considering the traffic flows and network topology. The Mininet simulation results in various network sizes show the proposed solution reduces the firewall setup traffic and lessens the firewall-violated traffic travel route significantly, so suitable for large-scale SDN networks.
The proposition of increased innovation in network applications and reduced cost for network operators has won over the networking world to the vision of software-defined networking (SDN). With the excitement of holistic visibility across the network and the ability to program network devices, developers have rushed to present a range of new SDN-compliant hardware, software, and services. However, amidst this frenzy of activity, one key element has only recently entered the debate: Network Security. In this paper, security in SDN is surveyed presenting both the research community and industry advances in this area. The challenges to securing the network from the persistent attacker are discussed, and the holistic approach to the security architecture that is required for SDN is described. Future research directions that will be key to providing network security in SDN are identified.
Emerging mega-trends (e.g., mobile, social, cloud, and big data) in information and communication technologies (ICT) are commanding new challenges to future Internet, for which ubiquitous accessibility, high bandwidth, and dynamic management are crucial. However, traditional approaches based on manual configuration of proprietary devices are cumbersome and error-prone, and they cannot fully utilize the capability of physical network infrastructure. Recently, software-defined networking (SDN) has been touted as one of the most promising solutions for future Internet. SDN is characterized by its two distinguished features, including decoupling the control plane from the data plane and providing programmability for network application development. As a result, SDN is positioned to provide more efficient configuration, better performance, and higher flexibility to accommodate innovative network designs. This paper surveys latest developments in this active research area of SDN. We first present a generally accepted definition for SDN with the aforementioned two characteristic features and potential benefits of SDN. We then dwell on its three-layer architecture, including an infrastructure layer, a control layer, and an application layer, and substantiate each layer with existing research efforts and its related research areas. We follow that with an overview of the de facto SDN implementation (i.e., OpenFlow). Finally, we conclude this survey paper with some suggested open research challenges.
Software-defined network (SDN) has become one of the most important architectures for the management of largescale complex networks, which may require repolicing or reconfigurations from time to time. SDN achieves easy repolicing by decoupling the control plane from data plane. Thus, the network routers/switches just simply forward packets by following the flow table rules set by the control plane. Currently, OpenFlow is the most popular SDN protocol/standard and has a set of design specifications. Although SDN/OpenFlow is a relatively new area, it has attracted much attention from both academia and industry. In this paper, we will conduct a comprehensive survey of the important topics in SDN/OpenFlow implementation, including the basic concept, applications, language abstraction, controller, virtualization, quality of service, security, and its integration with wireless and optical networks. We will compare the pros and cons of different schemes and discuss the future research trends in this exciting area. This survey can help both industry and academia R&D people to understand the latest progress of SDN/OpenFlow designs.
In this paper, for the first time we show a new attack to fin- gerprint SDN networks and further launch efficient resource consumption attacks. This attack demonstrates that SDN brings new security issues that may not be ignored. We provide the first feasibility study of such attack and hope to stimulate further studies in SDN security research.
The pull of Software-Defined Networking (SDN) is magnetic. There are few in the networking community who have escaped its impact. As the benefits of network visibility and network device programmability are discussed, the question could be asked as to who exactly will benefit? Will it be the network operator or will it, in fact, be the network intruder? As SDN devices and systems hit the market, security in SDN must be raised on the agenda. This paper presents a comprehensive survey of the research relating to security in software-defined networking that has been carried out to date. Both the security enhancements to be derived from using the SDN framework and the security challenges introduced by the framework are discussed. By categorizing the existing work, a set of conclusions and proposals for future research directions are presented.
Cloud services are exploding, and organizations are converging their data centers in order to take advantage of the predictability, continuity, and quality of service delivered by virtualization technologies. In parallel, energy-efficient and high-security networking is of increasing importance. Network operators, and service and product providers require a new network solution to efficiently tackle the increasing demands of this changing network landscape. Software-defined networking has emerged as an efficient network technology capable of supporting the dynamic nature of future network functions and intelligent applications while lowering operating costs through simplified hardware, software, and management. In this article, the question of how to achieve a successful carrier grade network with software-defined networking is raised. Specific focus is placed on the challenges of network performance, scalability, security, and interoperability with the proposal of potential solution directions.
OpenFlow is currently the most commonly deployed Software Defined Networking (SDN) technology. SDN consists of decoupling the control and data planes of a network. A software-based controller is responsible for managing the forwarding information of one or more switches; the hardware only handles the forwarding of traffic according to the rules set by the controller. OpenFlow is an SDN technology proposed to standardize the way that a controller communicates with network devices in an SDN architecture. It was proposed to enable researchers to test new ideas in a production environment. OpenFlow provides a specification to migrate the control logic from a switch into the controller. It also defines a protocol for the communication between the controller and the switches.
As discussed in this survey paper, OpenFlow-based architectures have specific capabilities that can be exploited by researchers to experiment with new ideas and test novel applications. These capabilities include software-based traffic analysis, centralized control, dynamic updating of forwarding rules and flow abstraction. OpenFlow-based applications have been proposed to ease the configuration of a network, to simplify network management and to add security features, to virtualize networks and data centers and to deploy mobile systems. These applications run on top of networking operating systems such as Nox, Beacon, Maestro, Floodlight, Trema or Node.Flow. Larger scale OpenFlow infrastructures have been deployed to allow the research community to run experiments and test their applications in more realistic scenarios. Also, studies have measured the performance of OpenFlow networks through modelling and experimentation.We describe the challenges facing the large scale deployment of OpenFlow-based networks and we discuss future research directions of this technology.
Software-Defined Networking: A Comprehensive Survey
- D Kreutz
- F M V Ramos
- Esteves Verissimo
- P Esteve Rothenberg
Kreutz D., Ramos F.M.V., Esteves Verissimo P., Esteve Rothenberg C,
"Software-Defined
Networking:
A
Comprehensive
Survey",
Proceedings of the IEEE, pp. 14-76, January 2015.
Attacking software-defined network: a feasibility study
- Seungwon Shin
- Guofei Gu
Programmable firewall using Software Defined Networking
- K Kaur
- K Kumar
- J Singh
- N S Ghumman
Kaur K., Kumar K., Singh J., Ghumman N.S., "Programmable firewall
using Software Defined Networking," in Computing for Sustainable
Global Development (INDIACom) International Conference, March
2015, pp.2125-2129
SDN Prerequisite: Stateful versus Stateless
- Lori Macvittie
NOXRepo.org, POX documentation
- Noxrepo
OpenFlow specification v1.1.0
- Openflow
- Org
OpenFlow.org, "OpenFlow specification v1.1.0", February 2011,
http://archive.openflow.org/documents/openflow-spec-v1.1.0.pdf