Towards a Security-Enhanced Firewall Application for OpenFlow Networks
Software-Defined Networking (SDN), which offers programmers network-wide visibility and direct control over the underlying switches from a logically centralized controller, not only has a huge impact on the development of current networks, but also provides a promising way for the future development of the Internet. SDN, however, also brings forth many new security challenges. One such critical challenge is how to build a robust firewall application for SDN. Because an SDN firewall based on OpenFlow (the first standard for SDN) is stateless, and because SDN controllers lack audit and tracking mechanisms, existing firewall applications in SDN can easily be bypassed by rewriting the flow entries in switches. To address this threat, we introduce a systematic solution for conflict detection and resolution in OpenFlow-based firewalls that checks the flow space against the firewall authorization space. Unlike FortNOX [1], our approach can check for conflicts between the firewall rules and flow policies based on the entire flow paths within an OpenFlow network. We also add intra-table dependency checking for flow tables and firewall rules. Finally, we discuss a proof-of-concept implementation of our approach, and our experimental results demonstrate that our approach can effectively hinder the bypass threat in real OpenFlow networks.
SDN; Firewall; OpenFlow; Security
Juan Wang, Yong Wang, Hongxin Hu, Qingxin Sun, He Shi, Longjie Zeng
School of Computer, Wuhan University, Wuhan 430072, Hubei, China; Key Laboratory of Aerospace Information, School of Computer, Wuhan University, Wuhan 430072, Hubei, China; Delaware State University, Dover, DE 19901, USA
International conference
The 5th International Symposium on Cyberspace Safety and Security (CSS2013)
Zhangjiajie
English
92-103
2013-11-13 (date first posted on the Wanfang platform; not the paper's publication date)