Abstract
Firewalls are a fundamental element of network security systems, able to block network traffic flows according to pre-defined rules. Software-defined networking (SDN), which provides flexibility, elasticity, and programmability for network management, has been applied to network security systems. We propose a software-defined firewall cyber-security system that securely gathers the firewall rules of host- and network-based firewalls through the SDN control plane, converts the collected firewall rules into SDN flow rules, and deploys them on OpenFlow (OF)-enabled switches. Furthermore, we formulate an optimization problem to find the appropriate OF-enabled switches to which the SDN flow rules should be sent. With the corresponding SDN flow rules in place, traffic flows that a firewall would eventually drop are dropped in advance at the OF-enabled switch. Experiments on an SDN-based testbed demonstrate that the proposed firewall system reduces the aggregate network traffic volume and the resource utilization of end-hosts in the network.
Highlights
Firewalls are network security systems widely used to filter inbound and outbound data traffic, protecting a host or network from network anomalies and malicious attacks
We assume that the malicious flows, which will be blocked by firewall rules with a deny action, are on average 30% of total flows
Firewall rules are securely collected and converted into software-defined networking (SDN) flow rules to be deployed on OF-enabled switches while preserving the semantics of the firewall rules
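The conversion step described in the abstract and in the highlight above, as an added example that is not code from the paper: it takes an ordered list of host-firewall rules in a small iptables-like syntax (constructed here) and emits OpenFlow 1.3 match/action entries as plain dicts. The two checks that matter for "preserving the semantics" are built in: rule order is encoded as descending OpenFlow priority so the switch reproduces the firewall's first-match decision, and rules that depend on connection tracking are rejected rather than silently turned into stateless matches. The host IP parameter, the BASE_PRIORITY value and the sample rules are assumptions for this illustration.

```python
"""Convert an ordered host-firewall rule list into OpenFlow-style flow entries.

Added example, not code from the paper. It assumes a small iptables-like rule
syntax (constructed for this illustration) and emits OpenFlow 1.3 match field
names (eth_type, ipv4_src, ipv4_dst, ip_proto, tcp_dst, udp_dst) as plain
dicts, so the result can be inspected or handed to a controller library.
Two semantics-preserving checks are built in:
  * ordering: rule i gets a higher OpenFlow priority than rule i+1, so the
    switch's highest-priority match reproduces the firewall's first match;
  * statefulness: rules that depend on connection tracking cannot be
    expressed as stateless OpenFlow matches and are rejected rather than
    silently weakened.
"""
import ipaddress
import re

IP_PROTO = {"tcp": 6, "udp": 17, "icmp": 1}
ETH_TYPE_IPV4 = 0x0800
BASE_PRIORITY = 60000  # assumed; OpenFlow priorities are 16-bit (max 65535)

RULE_RE = re.compile(
    r"-A (?P<chain>INPUT|OUTPUT)"
    r"(?: -p (?P<proto>tcp|udp|icmp))?"
    r"(?: -s (?P<src>[\d./]+))?"
    r"(?: -d (?P<dst>[\d./]+))?"
    r"(?: --dport (?P<dport>\d+))?"
    r" -j (?P<action>ACCEPT|DROP)$"
)
STATEFUL_RE = re.compile(r"--state\b|--ctstate\b|-m conntrack\b")


def parse_rule(line):
    """Parse one iptables-style rule; raise ValueError if it is not stateless."""
    line = line.strip()
    if STATEFUL_RE.search(line):
        raise ValueError(f"stateful rule cannot become a flow entry: {line}")
    m = RULE_RE.match(line)
    if m is None:
        raise ValueError(f"unsupported rule syntax: {line}")
    rule = m.groupdict()
    rule["dport"] = int(rule["dport"]) if rule["dport"] else None
    return rule


def is_convertible(line):
    """True when the rule can be expressed as a stateless flow entry."""
    try:
        parse_rule(line)
        return True
    except ValueError:
        return False


def _cidr(value):
    """Normalise '10.0.0.5' or '10.0.0.0/8' into OpenFlow 'addr/mask' form."""
    net = ipaddress.ip_network(value, strict=False)
    return f"{net.network_address}/{net.netmask}"


def to_flow_entry(rule, host_ip, priority):
    """Map one parsed rule to an OpenFlow 1.3 match/action dict."""
    match = {"eth_type": ETH_TYPE_IPV4}
    # A host firewall's INPUT chain implicitly means 'destined to this host'
    # and OUTPUT 'sourced from this host'. Make that explicit so the rule
    # keeps its scope when it is enforced on an upstream switch instead.
    if rule["chain"] == "INPUT":
        match["ipv4_dst"] = _cidr(rule["dst"] or host_ip)
        if rule["src"]:
            match["ipv4_src"] = _cidr(rule["src"])
    else:
        match["ipv4_src"] = _cidr(rule["src"] or host_ip)
        if rule["dst"]:
            match["ipv4_dst"] = _cidr(rule["dst"])
    if rule["proto"]:
        match["ip_proto"] = IP_PROTO[rule["proto"]]
        if rule["dport"] is not None and rule["proto"] in ("tcp", "udp"):
            match[f"{rule['proto']}_dst"] = rule["dport"]
    # OpenFlow drops a packet whose matching entry has an empty action list;
    # ACCEPT becomes 'forward as the switch normally would' (OUTPUT:NORMAL).
    if rule["action"] == "DROP":
        actions = []
    else:
        actions = [{"type": "OUTPUT", "port": "NORMAL"}]
    return {"priority": priority, "match": match, "actions": actions}


def convert_ruleset(lines, host_ip):
    """Convert an ordered rule list; earlier rules get higher priorities."""
    return [
        to_flow_entry(parse_rule(line), host_ip, BASE_PRIORITY - i)
        for i, line in enumerate(lines)
    ]


# Constructed sample: an SSH allow-list entry followed by a broad SSH deny.
# Pushing only the DROP line to the switch would cut off 10.0.0.5's SSH;
# converting both lines in order preserves the firewall's first-match result.
SAMPLE_RULES = [
    "-A INPUT -p tcp -s 10.0.0.5 --dport 22 -j ACCEPT",
    "-A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j DROP",
    "-A INPUT -p udp --dport 161 -j DROP",
]

if __name__ == "__main__":
    for entry in convert_ruleset(SAMPLE_RULES, "192.168.1.10"):
        print(entry)
```

The sample deliberately pairs a narrow ACCEPT with a broader DROP: a converter that ships only deny rules to the switch, which is the tempting shortcut since only drops save traffic, would block the allow-listed host. Emitting the ACCEPT as a higher-priority OUTPUT:NORMAL entry costs one flow-table slot but keeps the switch's decision identical to the host firewall's.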
Summary
Firewalls are network security systems widely used to filter inbound and outbound data traffic, protecting a host or network from network anomalies and malicious attacks. SDN functions such as dynamic forwarding-table updates and traffic steering can be used to implement packet filtering on the switch and stateful inspection on a virtualized firewall running as a VNF; only stateless packet-filtering rules can be expressed as OpenFlow match/action entries, so rules that depend on connection state remain with the stateful inspection function. Depending on the network topology and routing information, the converted firewall rules are deployed as SDN flow rules at OF-enabled switches from the network core to the edge, so that packet filtering can be performed anywhere in the network. Unlike previous works, the proposed system formulates the placement problem for deploying firewall rules so as to maximize the reduction of aggregate data traffic volume in the network. It also attempts to mitigate the performance degradation caused by SDN flow-matching processing by distributing the flow rules over the switches. The deployment process sends SDN flow rules to the switches best suited to perform the firewall operations with the greatest reduction in aggregate data traffic. The firewall manager updates the public key and broadcasts it to every firewall device periodically, and whenever it detects changes in the topology information such as newly added or deleted hosts, which it discovers using a link layer discovery protocol (LLDP).
VOLUME 8, 2020
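The placement problem sketched in the summary (and in the abstract), as an added example that is not the paper's formulation or code. The model assumed here is the simplest one consistent with the text: each flow a firewall would drop is assigned to one OF-enabled switch on its path; the traffic it would otherwise carry over every link downstream of that switch counts as saved; each switch has a limited number of free flow-table entries, which is what spreads entries across switches instead of piling them onto the core. A largest-flow-first greedy assignment is compared against exhaustive search on a constructed instance (switch names, paths, volumes and capacities are all assumptions).

```python
"""Choose, for each flow a firewall would drop, the OF-enabled switch on its
path where the drop entry should be installed.

Added illustration, not the paper's formulation or code. Model assumed here:
a flow is dropped at exactly one switch on its path; every hop downstream of
that switch (including the final link to the host) no longer carries the
flow; each switch has a limited number of free flow-table entries. The
instance data below is constructed.
"""
import itertools

# Constructed topology: each flow lists the switches it traverses from the
# network ingress to the end host, in order. Volumes are MB per interval.
FLOWS = {
    "f1": {"volume": 50, "path": ["s1", "s2", "s3"]},
    "f2": {"volume": 30, "path": ["s1", "s2"]},
    "f3": {"volume": 20, "path": ["s1", "s4"]},
}
# Constructed free flow-table capacity per switch; s1 is the crowded core.
CAPACITY = {"s1": 1, "s2": 2, "s3": 2, "s4": 2}


def traffic_saved(flow, switch):
    """MB no longer forwarded when `flow` is dropped at `switch`.

    Dropping at path index k removes the flow from len(path) - k hops:
    the links after each remaining switch plus the final link to the host.
    """
    path = flow["path"]
    k = path.index(switch)
    return flow["volume"] * (len(path) - k)


def objective(placement, flows=FLOWS):
    """Aggregate traffic reduction of a {flow_id: switch_or_None} placement."""
    return sum(
        traffic_saved(flows[fid], sw)
        for fid, sw in placement.items()
        if sw is not None
    )


def greedy_placement(flows=FLOWS, capacity=CAPACITY):
    """Largest flows first; each takes the most upstream switch with room."""
    free = dict(capacity)
    placement = {}
    for fid, flow in sorted(flows.items(), key=lambda kv: -kv[1]["volume"]):
        for sw in flow["path"]:  # path is ordered ingress -> host
            if free[sw] > 0:
                free[sw] -= 1
                placement[fid] = sw
                break
        else:
            # No switch on the path has a free entry: the flow stays
            # enforced only by the end host's own firewall.
            placement[fid] = None
    return placement


def optimal_placement(flows=FLOWS, capacity=CAPACITY):
    """Exhaustive search over feasible placements (small instances only)."""
    fids = list(flows)
    best, best_value = None, -1
    for choice in itertools.product(*(flows[f]["path"] for f in fids)):
        load = {}
        for sw in choice:
            load[sw] = load.get(sw, 0) + 1
        if any(load[sw] > capacity[sw] for sw in load):
            continue  # would overflow a switch's flow table
        placement = dict(zip(fids, choice))
        value = objective(placement, flows)
        if value > best_value:
            best, best_value = placement, value
    return best, best_value


if __name__ == "__main__":
    g = greedy_placement()
    print("greedy :", g, objective(g))
    print("optimal:", *optimal_placement())
```

On this instance the greedy heuristic reaches the exhaustive optimum (200 MB saved), but that is a property of the instance, not of the heuristic: with tighter capacities it can leave a large flow on a downstream switch while a smaller one occupies the core. The exhaustive function is there to check such cases on small topologies before trusting the heuristic on a larger one.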