The document discusses the challenges and solutions in creating reliable Software-Defined Networking (SDN) firewalls, specifically addressing dynamic policy updates, indirect security violations, and architecture options. It presents FlowGuard, a comprehensive framework aimed at improving violation detection and resolution in SDN firewalls. The document also outlines the evaluation of FlowGuard in real-world network environments and ongoing work for further enhancement of SDN firewalls.

3. Towards a Reliable SDN Firewall
Hongxin Hu
Delaware State University
Gail-Joon Ahn, Wonkyu Han and Ziming Zhao
Arizona State University

4. 2
SDN Security Apps
 Existing security appliances have to be
re-designed and implemented as
compatible SDN applications
 Firewall
 IDS/IPS
 DDoS detection
 Scan detection
 and more…
17:12
SDN Controller
FW IDS/IPS DDoS

5. 3
Challenges in Building SDN Firewalls
 Examining Dynamic Network Policy Updates
 A traditional firewall is only a packet filter
 An SDN firewall is both
A Packet Filter (flow packet violation)
– The first packet of each flow goes through the controller and is filtered
by the firewall
– The subsequent packets of the flow directly match the flow policy
A Policy Checker (flow policy violation)
– Existing flow policies may violate the firewall policy
 Flow policy update
 Firewall policy update
 Flow policies can be proactively installed in the switches
17:12

6. 4
Challenges in Building SDN Firewalls (cont’d)
 Checking Indirect Security Violations
 Firewalls can be bypassed
Dynamic packet modification
– OpenFlow allows an action, Set-Field, which can
rewrite the values of respective header fields in
flow packets
 E.g. a load balancer may need to dynamically change
flow paths
Rule dependency
– Flow and firewall rules may overlap each other
17:12

7. 5
Challenges in Building SDN Firewalls (cont’d)
 Architecture Option
 Centralized SDN firewall
Firewall policy is centrally defined and enforced at the
controller
Limitation: cannot deal with partial policy violations
 Distributed SDN firewall
Firewall policy is defined centrally, but propagated and
enforced at each individual flow entry (ingress switch)
Limitation: needs a complicated revocation and
repropagation mechanism to handle dynamic policy
updates
17:12

8. 6
State Of The Art
 SDN Firewall App
 Built-in firewall application in Floodlight
 Limited to check flow packet violations and unable to examine flow
policy violations
 Policy Conflict Detection and Resolution
 VeriFlow [Khurshid’13] and NetPlumber [Kazemian’13]
 Lack of automatic, effective and real-time violation resolution
 Pyretic [Monsanto’13]
 Cannot discover and resolve indirect security violations
 FortNOX [Porras’12]
 Only conducts pairwise conflict analysis without considering rule
dependencies in flow tables and firewall policies
17:13

9. 7
Our Approach
 FlowGuard: a comprehensive framework for
building reliable SDN firewalls
17:13

10. 8
Violation Detection
 Flow Path Space Analysis
 Flow tracking (NetPlumber [Kazemian’13])
Dynamic packet modification
Rule dependency
 Flow path space calculation
 Incoming space
 Outgoing space
 Tracked space
17:13

11. 9
Violation Detection (cont’d)
 Firewall Authorization Space Partition
 Decouple dependency relations between
“allow” rules and “deny” rules in the firewall
policy
 Denied authorization space
 Allowed authorization space
17:13

12. 10
Violation Detection (cont’d)
 Space Comparison
 Compare Tracked Flow Space against Firewall
Denied Authorization Space
 Entire Violation
– Denied authorization space includes whole tracked space
 Partial Violation
– Denied authorization space partially includes tracked space
17:13

13. 11
Violation Resolution
 Automatic Violation Resolution Mechanism
17:13

14. 12
Implementation & Evaluation
 Prototype of FlowGuard
 Floodlight V 0.90
 Evolution Environment
 Real-world network topology
 Stanford backbone network [kazemian’13]
 Mininet 2.0
 Violation Detection and Resolution
Table 1: Detection and resolution elapsed time (ms) for different resolution strategies
17:13

15. 13
Evaluation (cont’d)
 Performance Comparison with Floodlight
Built-in Firewall
17:13

16. 14
On-going Work
 Investigate a more sophisticated flow
tracking mechanism
 Implement stateful SDN firewalls
 Design a high-level policy language for SDN
firewalls
 Develop various toolkits for visualization,
optimization, migration, and integration of
SDN firewalls
17:13

17. 15
Q & A
hhu@desu.edu
http://www.cis.desu.edu/~hhu/
17:13

18. 16
Challenges in Building SDN Firewalls (cont’d)
 Stateful Monitoring
 Only inspects the first packet of each flow
Limited access to packet-level information in the
controller [Sajad13]
Forwarding plane is almost stateless [Hao13]
17:13