Abstract
Traditional networks are often quite static, slow to modify, dedicated for a single service and very difficult to scale, what is typical for a large number of different network devices (such as switches, routers, firewalls, and so on), with many complex protocols implemented or embedded on them. Software Defined Network (SDN) is a new technology in communication industry that promises to provide new approach attempting to overcome this weakness of the current network paradigm. The SDN provides a highly scalable and centralized control architecture in which the data plane is decoupled from the control plane; this abstraction gives more flexible, programmable and innovative network architecture. However, centralization of the control plane and ability of programming the network are very critical and challenging tasks causing security problems. In this paper we propose a framework for securing the SDN by introducing an application as an extension to the controller to make it able to check every specific flow in the network and to push the security instructions in real-time down to the network. We also compare our proposal with other existing SDN-based security solutions.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Adrian, L., Kolasani, A., Ramamurthy, B.: Network innovation using openflow: a survey. IEEE Commun. Surv. Tutorials 16, 493–512 (2013)
Azodolmolky, S.: Software Defined Networking with OpenFlow Get Hands-on with the Platforms and Development Tools Used to Build OpenFlow Network Applications. Packt Publishing Ltd., Birmingham (2013)
Pujolle, G.: Software Networks Virtualization, SDN, 5G and Security. ISTE Ltd. and Wiley, Great Britain, United States (2015)
Kreutz, D., Ramos, F.M.V., Verissimo, P.E., Rothenberg, C.E., Azodolmolky, S., Uhlig, S.: Software-defined networking: a comprehensive survey. Proc. IEEE 103, 14–76 (2015)
Underdahl, B., Kinghorn, G.: Software Defined Networking for Dummies. Wiley, Hoboken (2015)
Jain, R., Paul, S.: Network virtualization and software defined networking for cloud computing: a survey. IEEE Commun. Mag. 51, 24–31 (2013)
The Open Networking Foundation, OpenFlow Switch Specification (2014)
Astuto, B.N., Mendonca, M., Nguyen, X.N., Obraczka, K., Turletti, T.: A survey of software-defined networking: past, present, and future of programmable networks. IEEE Commun. Surv. Tutorials 16, 1617–1634 (2014)
Sharma, R.K., Kalita, H.K., Issac, B.: Different firewall techniques: a survey. In: 5th IEEE International Conference on Computing. Communications and Networking Technologies (ICCCNT), Hefei, Anhui, China, pp. 1–6 (2014)
Scarfone, K., Hoffman, P.: Guidelines on Firewalls and Firewall Policy, Gaithersburg (2009)
Duan, Q., Al-Shaer, E.: Traffic-aware dynamic firewall policy management: techniques and applications. IEEE Commun. Mag. 51, 73–79 (2013)
Trabelsi, Z.: Teaching stateless and stateful firewall packet filtering: a hands-on approach. In: 16th Colloquium for Information Systems Security Education, Lake Buena Vista, Florida, pp. 95–102 (2012)
Mehdi, S.A., Khalid, J., Khayam, S.A.: Revisiting traffic anomaly detection using software defined networking. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 161–180. Springer, Heidelberg (2011). doi:10.1007/978-3-642-23644-0_9
Braga, R., Mota, E., Passito, A.: Lightweight DDoS flooding attack detection using NOX/OpenFlow. In: 35th Annual IEEE Conference on Local Computer Networks, LCN, Denver, Colorado, pp. 408–415 (2010)
Jeong, C., Ha, T., Narantuya, J., Lim, H., Kim, J.: Scalable network intrusion detection on virtual SDN environment. In: 2014 IEEE 3rd International Conference on Cloud Networking (CloudNet), Luxembourg, pp. 264–265 (2014)
Francois, J., Aib, I., Boutaba, R.: Firecol: a collaborative protection network for the detection of flooding DDoS attacks. IEEE/ACM Trans. Networking (TON) 20, 1828–1841 (2012)
Porras, Ph., Shin, S., Yegneswaran, V., Fong, M., Tyson, M., Gu, G.: A security enforcement kernel for openflow networks. In: HotSDN 2012 ACM Special Interest Group on Data Communication SIGCOMM, pp. 121–126. ACM, Helsinki (2012)
Shin, S., Porras, P., Yegneswaran, V., Fong, M., Gu, G., Tyson, M.: FRESCO: Modular composable security services for software-defined networks. In: NDSS 2013 Network and Distributed System Security Symposium, San Diego, CA, pp. 1–16 (2013)
Hu, H., Han, W., Ahn, G.J., Zhao, Z.: FLOWGUARD: building robust firewalls for software-defined networks. In: HotSDN 2014, pp. 97–102. ACM, Chicago (2014)
Shirali-Shahreza, S., Ganjali, Y.: Flexam: flexible sampling extension for monitoring and security applications in OpenFlow. In: HotSDN 2013, Hong Kong, China, pp. 167–168. ACM, New York (2013)
Shirali-Shahreza, S., Ganjali, Y.: Efficient implementation of security applications in openflow controller with flexam. In: IEEE 21st Annual Symposium on High-Performance Interconnects, San Jose, CA, USA, pp. 49–54 (2013)
Collings, J., Liu, J.: An openflow-based prototype of SDN-oriented stateful hardware firewalls. In: IEEE 22nd International Conference on Network Protocols, Raleigh, NC, USA, pp. 525–528 (2014)
Zerkane, S., Espes, D., Le Parc, P., Cuppens, F.: Software defined networking reactive stateful firewall. In: Hoepman, J.-H., Katzenbeisser, S. (eds.) SEC 2016. IFIP AICT, vol. 471, pp. 119–132. Springer, Cham (2016). doi:10.1007/978-3-319-33630-5_9
Lar, S., Liao, X., ur Rehman, A., Ma, Q.: Proactive security mechanism and design. J. Inf. Secur. 2, 122–130 (2011)
Cabaj, K., Mazurczyk, W.: Using software-defined networking for ransomware mitigation: the case of cryptowall. IEEE Netw. Mag. Global Internetworking 30, 14–20 (2016)
Suh, M., Park, S.H., Lee, B., Yang, S.: Building firewall over the software-defined network controller. In: The 16th IEEE International Conference on Advanced Communications Technology, Daejeon, South Korea, pp. 744–748 (2014)
Pena, J.G., Yu, W.E.: Development of a distributed firewall using software defined networking technology. In: 4th IEEE International Conference on Information Science and Technology, Shenzhen, China, pp. 449–452 (2014)
Vasudevan, S.: Firewall a new approach to solve issues in software define networking. In: 6th International Conference on Emerging Trends in Engineering and Technology, pp. 14–19 (2016)
Konorski, J., Pacyna, P., Kolaczek, G., Kotulski, Z., Cabaj, K., Szalachowski, P.: A virtualization-level future internet defense-in-depth architecture. In: Thampi, S.M., Zomaya, A.Y., Strufe, T., Alcaraz Calero, J.M., Thomas, T. (eds.) SNDS 2012. CCIS, vol. 335, pp. 283–292. Springer, Heidelberg (2012). doi:10.1007/978-3-642-34135-9_29
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Nife, F., Kotulski, Z. (2017). Multi-level Stateful Firewall Mechanism for Software Defined Networks. In: Gaj, P., Kwiecień, A., Sawicki, M. (eds) Computer Networks. CN 2017. Communications in Computer and Information Science, vol 718. Springer, Cham. https://doi.org/10.1007/978-3-319-59767-6_22
Download citation
DOI: https://doi.org/10.1007/978-3-319-59767-6_22
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-59766-9
Online ISBN: 978-3-319-59767-6
eBook Packages: Computer ScienceComputer Science (R0)