FLOWGUARD: building robust firewalls for software-defined networks

Authors:
Hongxin Hu

Clemson University, Clemson, SC, USA

Clemson University, Clemson, SC, USA
View Profile

,
Wonkyu Han

Arizona State University, Tempe, AZ, USA

Arizona State University, Tempe, AZ, USA
View Profile

,
Gail-Joon Ahn

Arizona State University, Tempe, AZ, USA

Arizona State University, Tempe, AZ, USA
View Profile

,
Ziming Zhao

Arizona State University, Tempe, AZ, USA

Arizona State University, Tempe, AZ, USA
View Profile

HotSDN '14: Proceedings of the third workshop on Hot topics in software defined networkingAugust 2014Pages 97–102https://doi.org/10.1145/2620728.2620749

Published:22 August 2014Publication History

HotSDN '14: Proceedings of the third workshop on Hot topics in software defined networking

Pages 97–102

ABSTRACT

Software-Defined Networking (SDN) introduces significant granularity, visibility and flexibility to networking, but at the same time brings forth new security challenges. One of the fundamental challenges is to build robust firewalls for protecting OpenFlow-based networks where network states and traffic are frequently changed. To address this challenge, we introduce FlowGuard, a comprehensive framework, to facilitate not only accurate detection but also effective resolution of firewall policy violations in dynamic OpenFlow-based networks. FlowGuard checks network flow path spaces to detect firewall policy violations when network states are updated. In addition, FlowGuard conducts automatic and real-time violation resolutions with the help of several innovative resolution strategies designed for diverse network update situations. We also implement our framework and demonstrate the efficacy and efficiency of the proposed detection and resolution approaches in FlowGuard through experiments with a real-world network topology.

References

Floodlight: Open SDN Controller. http://www.projectfloodlight.org.Google Scholar
Frenetic: A Family of Network Programming Languages. http://frenetic-lang.org/.Google Scholar
Header Space Library. https://bitbucket.org/peymank/hassel-public.Google Scholar
E. Al-Shaer and H. Hamed. Discovery of policy anomalies in distributed firewalls. In INFOCOM'04.Google Scholar
G. Bianchi, M. Bonola, A. Capone, and C. Cascone. OpenState: programming platform-independent stateful openflow applications inside the switch. ACM SIGCOMM Computer Communication Review, 2014. Google ScholarDigital Library
B. Braga, M. Mota, P. Passito, et al. Lightweight ddos flooding attack detection using nox/openflow. In Proceedings of the 2010 IEEE 35th Conference on Local Computer Networks (LCN'10), pages 408--415. IEEE, 2010. Google ScholarDigital Library
S. K. Fayazbakhsh, L. Chiang, V. Sekar, M. Yu, and J. C. Mogul. Enforcing network-wide policies in the presence of dynamic middlebox actions using flowtags. In NSDI'14. Google ScholarDigital Library
H. Hu, G.-J. Ahn, and K. Kulkarni. FAME: a firewall anomaly management environment. In SafeConfig'10. Google ScholarDigital Library
H. Hu, G.-J. Ahn, and K. Kulkarni. Detecting and resolving firewall policy anomalies. IEEE Transactions on Dependable and Secure Computing, 9(3):318--331, 2012. Google ScholarDigital Library
S. Ioannidis, A. D. Keromytis, S. M. Bellovin, and J. M. Smith. Implementing a distributed firewall. In CCS'00. Google ScholarDigital Library
P. Kazemian, M. Chang, H. Zeng, G. Varghese, N. McKeown, and S. Whyte. Real time network policy checking using header space analysis. In NSDI'13. Google ScholarDigital Library
P. Kazemian, G. Varghese, and N. McKeown. Header space analysis: static checking for networks. In NSDI'12. Google ScholarDigital Library
A. Khurshid, X. Zou, W. Zhou, M. Caesar, and P. B. Godfrey. Veriflow: verifying network-wide invariants in real time. In NSDI'13. Google ScholarDigital Library
D. Kreutz, F. Ramos, and P. Verissimo. Towards secure and dependable software-defined networks. In HotSDN'13. Google ScholarDigital Library
H. Mai, A. Khurshid, R. Agarwal, M. Caesar, P. Godfrey, and S. T. King. Debugging the data plane with anteater. In SIGCOMM'11. Google ScholarDigital Library
N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J. Rexford, S. Shenker, and J. Turner. Openflow: enabling innovation in campus networks. ACM SIGCOMM Computer Communication Review, 2008. Google ScholarDigital Library
S. A. Mehdi, J. Khalid, and S. A. Khayam. Revisiting traffic anomaly detection using software defined networking. In RAID'11. Google ScholarDigital Library
C. Monsanto, J. Reich, N. Foster, J. Rexford, and D. Walker. Composing software-defined networks. In NSDI'13. Google ScholarDigital Library
P. Porras, S. Shin, V. Yegneswaran, M. Fong, M. Tyson, and G. Gu. A security enforcement kernel for openflow networks. In HotSDN'12. Google ScholarDigital Library
M. Reitblatt, N. Foster, J. Rexford, C. Schlesinger, and D. Walker. Abstractions for network update. In SIGCOMM'12. Google ScholarDigital Library
E. E. Schultz. A framework for understanding and predicting insider attacks. Computers & Security, 21(6):526--531, 2002. Google ScholarDigital Library
S. Shin, V. Yegneswaran, P. Porras, and G. Gu. Avant-guard: scalable and vigilant switch flow management in software-defined networks. In CCS'13. Google ScholarDigital Library
S. Shirali-Shahreza and Y. Ganjali. Flexam: Flexible sampling extension for monitoring and security applications in openflow. In HotSDN'13. Google ScholarDigital Library
R. Stoenescu, M. Popovici, L. Negreanu, and C. Raiciu. Symnet: static checking for stateful networks. In HotMiddlebox'13. Google ScholarDigital Library
J. Wang, Y. Wang, H. Hu, Q. Sun, H. Shi, and L. Zeng. Towards a security-enhanced firewall application for openflow networks. In Cyberspace Safety and Security, 2013.Google ScholarCross Ref
L. Yuan, H. Chen, J. Mai, C. Chuah, Z. Su, P. Mohapatra, and C. Davis. Fireman: A toolkit for firewall modeling and analysis. In 2006 IEEE Symposium on Security and Privacy. Google ScholarDigital Library

Index Terms

FLOWGUARD: building robust firewalls for software-defined networks
1. Networks
  1. Network services
    1. Network monitoring
2. Security and privacy
  1. Security services
    1. Access control
  2. Systems security
    1. Operating systems security

Recommendations

Towards a reliable firewall for software-defined networks
Abstract
Software-Defined Networking (SDN) is an emerging paradigm in networking where network control plane is decoupled from forwarding plane through programmable control. OpenFlow – the most popular SDN platform – introduces significant granularity, ...
Read More
Challenges and Preparedness of SDN-based Firewalls
SDN-NFV Sec'18: Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization

Software-Defined Network (SDN) is a novel architecture created to address the issues of traditional and vertically integrated networks. To increase cost-effectiveness and enable logical control, SDN provides high programmability and centralized view of ...
Read More
A survey on OpenFlow-based Software Defined Networks

Software-Defined Networking (SDN) has been proposed as an emerging network architecture, which consists of decoupling the control planes and data planes of a network. Due to its openness and standardization, SDN enables researchers to design and ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
HotSDN '14: Proceedings of the third workshop on Hot topics in software defined networking
August 2014
252 pages
ISBN:9781450329897
DOI:10.1145/2620728
Program Chairs:
Aditya Akella
University of Wisconsin-Madison, USA
,
Albert Greenberg
Microsoft, USA
Copyright © 2014 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 22 August 2014
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
firewalls
openflow
security
software-defined networking
Qualifiers
- research-article
Conference

Acceptance Rates
HotSDN '14 Paper Acceptance Rate50of114submissions,44%Overall Acceptance Rate88of198submissions,44%
More
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 181
  Total Citations
  View Citations
- 4,512
  Total Downloads
- Downloads (Last 12 months)166
- Downloads (Last 6 weeks)26
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

FLOWGUARD: building robust firewalls for software-defined networks

HotSDN '14: Proceedings of the third workshop on Hot topics in software defined networking

ABSTRACT

References

Cited By

Index Terms

Recommendations

Towards a reliable firewall for software-defined networks

Challenges and Preparedness of SDN-based Firewalls

A survey on OpenFlow-based Software Defined Networks