Skip to main content
Springer Nature Link
Log in

Towards a Security-Enhanced Firewall Application for OpenFlow Networks

  • Conference paper
Cyberspace Safety and Security (CSS 2013)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8300))

Included in the following conference series:

  • 2938 Accesses

Abstract

Software-Defined Networking (SDN), which offers programmers network-wide visibility and direct control over the underlying switches from a logically-centralized controller, not only has a huge impact on the development of current networks, but also provides a promising way for the future development of Internet. SDN, however, also brings forth many new security challenges. One of such critical challenges is how to build a robust firewall application for SDN. Due to the stateless of SDN firewall based on OpenFlow, the first standard for SDN, and the lack of audit and tracking mechanisms for SDN controllers, the existing firewall applications in SDN can be easily bypassed by rewriting the flow entries in switches. Aiming at this threat, we introduce a systematic solution for conflict detection and resolution in OpenFlow-based firewalls through checking flow space and firewall authorization space. Unlike FortNOX [1], our approach can check the conflicts between the firewall rules and flow policies based on the entire flow paths within an OpenFlow network. We also add intra-table dependency checking for flow tables and firewall rules. Finally, we discuss a proof-of-concept implementation of our approach, and our experimental results demonstrate our approach can effectively hinder the bypass threat in real OpenFlow networks.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Porras, P., Shin, S., Yegneswaran, V., Fong, M.: A Security Enforcement Kernel for OpenFlow Networks. In: Proc. of HotSDN 2012, pp. 123–125 (2012)

    Google Scholar 

  2. Wen, X., Chen, Y., Hu, C., Shi, C.: Towards a Secure Controller Platform for OpenFlow. In: Proc. of HotSDN 2013 (2013)

    Google Scholar 

  3. Kreutz, D., Ramos, F., Verissimo, P.: Towards secure and dependable software-defined networks. In: Proc. of HotSDN 2013 (2013)

    Google Scholar 

  4. Son, S., Shin, S., Yegneswaran, V., Porras, P.: Model Checking Invariant Security Properties in OpenFlow. In: Proc. of ICC 2013, pp. 2–6 (2013)

    Google Scholar 

  5. Kazemian, P., Varghese, G., McKeown, N.: Header Space Analysis: Static Checking For Networks. In: Proceedings of the Symposium on Network Systems Design and Implementation (NSDI), pp. 3–5 (2012)

    Google Scholar 

  6. Kazemian, P., Chang, M., Zeng, H.: Real Time Network Policy Checking using Header Space Analysis. In: Proceedings of the Symposium on Network Systems Design and Implementation (NSDI), pp. 4–6 (2013)

    Google Scholar 

  7. Tootoonchian, A., Gorbunov, S., Ganjali, Y., Casado, M., Sherwood, R.: On controller performance in software-defined networks. In: Proceedings of the 2nd USENIX Workshop on Hot Topics in Management of Internet, Cloud, and Enterprise Networks and Services (Hot-ICE), pp. 4–6 (2012)

    Google Scholar 

  8. Al-shaer, E., Marrero, W., El-atawy, A., Elbadawi, K.: Network Configuration in A Box: Towards End-to-End Verification of Network Reachability and Security. In: Proceedings of the IEEE International Conference on Network Protocols, pp. 125–127 (2009)

    Google Scholar 

  9. Canini, M., Venzano, D., Peresini, P., Kostic, D., Rexford, J.: A NICE Way to Test OpenFlow Applications. In: Proceedings of the Symposium on Network Systems Design and Implementation, pp. 3–5 (2012)

    Google Scholar 

  10. Cai, Z., Cox, A.L., Ng, T.E.: Maestro: A System for Scalable OpenFlow Control. In: Rice University Technical Report, pp.2-3 (2010)

    Google Scholar 

  11. Liu, A.: Formal Verification of Firewall Policies. In: Proceedings of the International Conference on Communications (ICC), pp. 1495–1497 (2008)

    Google Scholar 

  12. OpenFlow. OpenFlow 1.1.0 Specification, http://www.openflow.org/documents/openflow-spec-v1.1.0.pdf

  13. OpenFlowHub. BEACON, www.openflowhub.org/display/Beacon

  14. Sanfilippo, S.: HPing home page, http://www.hping.org

  15. FloodLight, http://www.projectfloodlight.org/documentation/

  16. Kanizo, Y., Hay, D., Keslassy, I.: Palette: Distributing Tables in SofteWare-Defind Networks. In: Technical Report, pp. 1–3 (2012)

    Google Scholar 

  17. Clean Slate, http://cleanslate.stanford.edu/

  18. Mininet: An Instant Virtual Network on your Laptop (or other PC), http://mininet.org//

Download references

Author information

Authors and Affiliations

  1. School of Computer, Wuhan University, Wuhan, 430072, Hubei, China

    Juan Wang, Yong Wang, Qingxin Sun, He Shi & Longjie Zeng

  2. Key Laboratory of Aerospace Information Security and Trust Computing, Ministry of Education, Wuhan, 430072, Hubei, China

    Juan Wang & Qingxin Sun

  3. Delaware State University, Dover, DE, 19901, USA

    Hongxin Hu

Authors
  1. Juan Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Yong Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Hongxin Hu
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Qingxin Sun
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. He Shi
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Longjie Zeng
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. School of Information Science and Engineering, Central South University, 410083, Changsha, Hunan, P.R. China

    Guojun Wang

  2. Computer Science Department, Colorado State University, 1873 Campus Delivery, 80523-1873, Fort Collins, CO, USA

    Indrakshi Ray

  3. Chinese Academy of Sciences, Institute of Software, 100190, Beijing, P.R. China

    Dengguo Feng

  4. information Security Group, City University London, EC1V 0HB, London, UK

    Muttukrishnan Rajarajan

Rights and permissions

Reprints and permissions

Copyright information

© 2013 Springer International Publishing Switzerland

About this paper

Cite this paper

Wang, J., Wang, Y., Hu, H., Sun, Q., Shi, H., Zeng, L. (2013). Towards a Security-Enhanced Firewall Application for OpenFlow Networks. In: Wang, G., Ray, I., Feng, D., Rajarajan, M. (eds) Cyberspace Safety and Security. CSS 2013. Lecture Notes in Computer Science, vol 8300. Springer, Cham. https://doi.org/10.1007/978-3-319-03584-0_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-03584-0_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-03583-3

  • Online ISBN: 978-3-319-03584-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics