Towards a security-enhanced firewall application for openflow networks

Abstract

Software-Defined Networking (SDN), which offers programmers network-wide visibility and direct control over the underlying switches from a logically-centralized controller, not only has a huge impact on the development of current networks, but also provides a promising way for the future development of Internet. SDN, however, also brings forth many new security challenges. One of such critical challenges is how to build a robust firewall application for SDN. Due to the stateless of SDN firewall based on OpenFlow, the first standard for SDN, and the lack of audit and tracking mechanisms for SDN controllers, the existing firewall applications in SDN can be easily bypassed by rewriting the flow entries in switches. Aiming at this threat, we introduce a systematic solution for conflict detection and resolution in OpenFlow-based firewalls through checking flow space and firewall authorization space. Unlike FortNOX [1], our approach can check the conflicts between the firewall rules and flow policies based on the entire flow paths within an OpenFlow network. We also add intra-table dependency checking for flow tables and firewall rules. Finally, we discuss a proof-of-concept implementation of our approach, and our experimental results demonstrate our approach can effectively hinder the bypass threat in real OpenFlow networks. © Springer International Publishing Switzerland 2013.