Abstract

The Software Defined Networking (SDN) paradigm decouples the control logic from the forwarding function of traditional network devices, bringing a wave of innovation to computer networks. Firewalls, as well as other security appliances, can benefit greatly from this paradigm. Stateless filtering can be implemented directly with standard OpenFlow match rules, but the logic of a stateful firewall must reside in the control plane, because its rules change dynamically with every connection, and a conventional data plane device cannot handle this on its own. This leads to a non-negligible overhead on the communication channel between the two layers, as well as an additional computational load on the control plane. To address these limitations, we propose the architectural design of FORTRESS: a stateful firewall for SDN networks that leverages a stateful data plane architecture to move the logic of the firewall from the control plane to the data plane. FORTRESS can be implemented according to two different architectural designs, Stand-Alone and Cooperative, each with its own particular advantages. We compare FORTRESS against FlowTracker, the state-of-the-art solution for SDN firewalling, and show how our solution outperforms the competitor in terms of the number of packets exchanged between the control plane and the data plane: we require 0 packets for the Stand-Alone architecture and just 4 for the Cooperative one. Moreover, we discuss how the adaptability, elegant and modular design, and portability of FORTRESS make it the ideal candidate for SDN firewalling. Finally, we also provide further research directions.

Highlights

  • Distributed networking protocols running on routers and switches are key technologies enabling digital information transmission

  • Despite the implementation advantages that the Software-Defined Networking (SDN) architecture offers to firewalls, there is still one main pitfall: since both the stateful firewall logic and the filtering functions lie entirely in the control plane, every packet that needs a stateful decision introduces a significant overhead on the communication channel between control plane and data plane

  • We propose the architectural design of FORTRESS, a distributed stateful firewall for SDN networks that, in the Stand-Alone architecture, resides entirely in the data plane


Summary

Introduction

Distributed networking protocols running on routers and switches are key technologies enabling digital information transmission. A stateless firewall maps naturally onto an SDN switch, since each of its rules is a static match on packet headers. The implementation of firewalls with more advanced functions, such as stateful ones, is completely different: they need to store the status of every network flow in order to forward only the packets belonging to a legitimately established connection. This means that data plane devices are no longer able to filter network packets using only their static flow tables. Despite the implementation advantages that the SDN architecture offers to firewalls, there is still one main pitfall: since both the stateful firewall logic and the filtering functions lie entirely in the control plane, every flow that requires a stateful decision must be sent up to the controller, which introduces a significant overhead on the communication channel between the two planes. This is exactly the problem we address in this manuscript, providing the contributions detailed in the following.
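To make the overhead argument concrete, the following constructed simulation (an added example, not code from FORTRESS, FlowTracker or the paper) runs the same connection-tracking policy in two places: once in a controller behind a stateless switch, where every flow-table miss costs a packet_in and a flow_mod, and once inside a stateful switch that keeps the state table itself. The single-switch model, the five-tuple keys, the "10.0.0.0/24 is the trusted side" convention and the packet trace are all assumptions made for the illustration; the Cooperative design is not modelled.

```python
"""Where does stateful-firewall logic live in an SDN network?

Constructed illustration: one switch, an exact-match five-tuple flow
table and a controller.  It counts the OpenFlow-style control messages
(packet_in, flow_mod) a controller-hosted firewall needs for a packet
trace, versus a firewall whose state table lives in the data plane.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, str, int, int]   # (src, dst, proto, sport, dport)
INSIDE_PREFIX = "10.0.0."                  # assumed trusted side of the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def key_of(p: Packet) -> FlowKey:
    return (p.src, p.dst, p.proto, p.sport, p.dport)


def reverse_of(p: Packet) -> FlowKey:
    return (p.dst, p.src, p.proto, p.dport, p.sport)


def inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


class StatefulPolicy:
    """Connection-tracking rule shared by both deployments: inside hosts may
    open flows to the outside; packets from the outside are forwarded only
    if they belong to a flow an inside host initiated."""

    def __init__(self) -> None:
        self.established: Dict[FlowKey, bool] = {}

    def decide(self, p: Packet) -> str:
        if key_of(p) in self.established or reverse_of(p) in self.established:
            return "forward"
        if inside(p.src) and not inside(p.dst):
            self.established[key_of(p)] = True   # new outbound flow: remember it
            return "forward"
        return "drop"                            # unsolicited inbound traffic


class ControllerHostedFirewall:
    """Stateless switch + stateful controller: every flow-table miss costs a
    packet_in to the controller and a flow_mod back to the switch."""

    def __init__(self) -> None:
        self.flow_table: Dict[FlowKey, str] = {}
        self.policy = StatefulPolicy()      # runs in the control plane
        self.control_messages = 0

    def handle(self, p: Packet) -> str:
        k = key_of(p)
        if k in self.flow_table:            # hit: data plane decides alone
            return self.flow_table[k]
        self.control_messages += 1          # packet_in (switch -> controller)
        action = self.policy.decide(p)
        self.control_messages += 1          # flow_mod (controller -> switch)
        self.flow_table[k] = action
        if action == "forward":
            self.flow_table[reverse_of(p)] = "forward"   # admit the return path
        return action


class DataPlaneFirewall:
    """Stateful switch: the same policy runs on the device, so no packet has
    to leave the data plane to be classified."""

    def __init__(self) -> None:
        self.policy = StatefulPolicy()      # runs in the data plane
        self.control_messages = 0

    def handle(self, p: Packet) -> str:
        return self.policy.decide(p)


def run(firewall, trace: List[Packet]) -> Tuple[List[str], int]:
    """Push a trace through a firewall; return (decisions, control-plane messages)."""
    decisions = [firewall.handle(p) for p in trace]
    return decisions, firewall.control_messages


# Constructed packet trace (addresses taken from documentation ranges).
TRACE = [
    Packet("10.0.0.5", "93.184.216.34", "tcp", 40001, 443),   # inside opens HTTPS
    Packet("93.184.216.34", "10.0.0.5", "tcp", 443, 40001),   # server replies
    Packet("10.0.0.5", "93.184.216.34", "tcp", 40001, 443),   # more of the same flow
    Packet("203.0.113.7", "10.0.0.5", "tcp", 51234, 22),      # unsolicited SSH probe
    Packet("203.0.113.7", "10.0.0.5", "tcp", 51234, 22),      # probe retransmitted
    Packet("10.0.0.9", "192.0.2.53", "udp", 53000, 53),       # inside sends DNS query
    Packet("192.0.2.53", "10.0.0.9", "udp", 53, 53000),       # DNS answer
]
EXPECTED = ["forward", "forward", "forward", "drop", "drop", "forward", "forward"]

if __name__ == "__main__":
    for fw in (ControllerHostedFirewall(), DataPlaneFirewall()):
        decisions, msgs = run(fw, TRACE)
        print(f"{type(fw).__name__:26s} correct={decisions == EXPECTED} "
              f"control-plane messages={msgs}")
```

Both deployments reach the same verdict for every packet, but the controller-hosted variant pays two control-channel messages for each new flow (three misses in the trace, six messages), while the data-plane variant pays none, which is the zero-packet figure the Stand-Alone design claims. In a real network the gap scales with the rate of new connections, which is exactly the traffic a firewall sees most of during a scan or a flood.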

Technology Background
Related Work
FORTRESS Architecture
Discussion and Future
Conclusion