ABSTRACT
Software-Defined Networking (SDN) introduces significant granularity, visibility and flexibility to networking, but at the same time brings forth new security challenges. One of the fundamental challenges is to build robust firewalls for protecting OpenFlow-based networks where network states and traffic are frequently changed. To address this challenge, we introduce FlowGuard, a comprehensive framework, to facilitate not only accurate detection but also effective resolution of firewall policy violations in dynamic OpenFlow-based networks. FlowGuard checks network flow path spaces to detect firewall policy violations when network states are updated. In addition, FlowGuard conducts automatic and real-time violation resolutions with the help of several innovative resolution strategies designed for diverse network update situations. We also implement our framework and demonstrate the efficacy and efficiency of the proposed detection and resolution approaches in FlowGuard through experiments with a real-world network topology.
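The abstract describes checking network flow path spaces against the firewall policy whenever the network state is updated. The following is an added toy illustration of that idea, not code from the FlowGuard paper or its Floodlight implementation: headers are modelled as 16-bit wildcard strings (a constructed encoding: 8 source bits followed by 8 destination bits), switches hold prioritized match/forward rules, and the checker propagates the space of headers entering the network along every flow path, respecting rule priority through header-space difference, and then intersects what reaches each endpoint with the policy's deny spaces. The topology, addresses, rules and the "update" that adds a higher-priority rule are all constructed for the example; header rewriting is deliberately not modelled.

```python
"""Toy flow-path-space check for firewall policy violations in an OpenFlow-style
network (illustrative code, not FlowGuard's).  A header is a 16-bit wildcard
string over {0,1,x}: 8 source-address bits then 8 destination-address bits."""
from dataclasses import dataclass
from typing import Optional

WIDTH = 16
ALL = 'x' * WIDTH  # the entire header space


def intersect(a: str, b: str) -> Optional[str]:
    """Bitwise intersection of two wildcard strings; None if they are disjoint."""
    out = []
    for p, q in zip(a, b):
        if p == 'x':
            out.append(q)
        elif q == 'x' or p == q:
            out.append(p)
        else:
            return None
    return ''.join(out)


def difference(a: str, b: str) -> list:
    """Header space a minus b, as a (possibly overlapping) list of wildcard strings.
    Computed as a ∩ ¬b, where ¬b is the union, over each fixed bit of b, of the
    space with only that bit flipped."""
    out = []
    for i, bit in enumerate(b):
        if bit == 'x':
            continue  # unconstrained bit of b contributes nothing to ¬b
        flipped = ALL[:i] + ('1' if bit == '0' else '0') + ALL[i + 1:]
        r = intersect(a, flipped)
        if r is not None:
            out.append(r)
    return out


@dataclass
class Rule:
    match: str  # wildcard string the rule matches
    out: str    # next hop: a switch name, a host name, or 'DROP'


def reachable(net: dict, node: str, space: str, visited=()) -> list:
    """Propagate `space` entering `node`; return (endpoint, header space) pairs.
    `net` maps switch name -> rules in priority order (first match wins)."""
    if node == 'DROP':
        return []
    if node not in net:  # a host: packets have arrived
        return [(node, space)]
    if node in visited:  # forwarding loop: stop here
        return []
    results = []
    remaining = [space]  # parts not yet claimed by a higher-priority rule
    for rule in net[node]:
        still = []
        for hs in remaining:
            hit = intersect(hs, rule.match)
            if hit is None:
                still.append(hs)
                continue
            results += reachable(net, rule.out, hit, visited + (node,))
            still += difference(hs, rule.match)
        remaining = still
    return results


def violations(net: dict, ingress: str, ingress_space: str, deny: list) -> list:
    """(endpoint, offending space) pairs where traffic the firewall policy denies
    can still reach an endpoint along some flow path."""
    found = []
    for endpoint, hs in reachable(net, ingress, ingress_space):
        for d in deny:
            bad = intersect(hs, d)
            if bad is not None:
                found.append((endpoint, bad))
    return found


# Constructed scenario: host A -> switch S1 -> switch S2 -> host B.
A_ADDR, B_ADDR = '00000001', '00000010'
SPACE_FROM_A = A_ADDR + 'x' * 8          # everything A can send
DENY = [A_ADDR + B_ADDR]                 # firewall policy: A must not reach B
FWD_TO_B = 'x' * 8 + B_ADDR              # any source, destination B


def net_before() -> dict:
    """S2 drops A->B before its generic forwarding rule: policy is enforced."""
    return {'S1': [Rule(FWD_TO_B, 'S2')],
            'S2': [Rule(A_ADDR + B_ADDR, 'DROP'), Rule(FWD_TO_B, 'B')]}


def net_after() -> dict:
    """Network update: a new rule for destination B is inserted at top priority
    on S2, so it now precedes the drop rule."""
    net = net_before()
    net['S2'].insert(0, Rule(FWD_TO_B, 'B'))
    return net


if __name__ == '__main__':
    print('before update:', violations(net_before(), 'S1', SPACE_FROM_A, DENY))
    print('after update: ', violations(net_after(), 'S1', SPACE_FROM_A, DENY))
```

Run stand-alone, the check reports no violation for the initial state and one `('B', '0000000100000010')` entry after the update, i.e. the exact header space from A that the update lets reach B despite the deny policy. A rule-by-rule comparison of the new rule against the policy would not reveal this, since the new rule on its own matches any source; only following the path space from A's ingress does.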
FLOWGUARD: building robust firewalls for software-defined networks