Towards a reliable firewall for software-defined networks

Hongxin Hu, Wonkyu Han, Sukwha Kyung, Juan Wang, Gail Joon Ahn, Ziming Zhao, Hongda Li

Research output: Contribution to journalArticlepeer-review

14 Scopus citations


Software-Defined Networking (SDN) is an emerging paradigm in networking where network control plane is decoupled from forwarding plane through programmable control. OpenFlow – the most popular SDN platform – introduces significant granularity, visibility and flexibility to networking, but at the same time brings forth new security challenges. One of the fundamental challenges is to build a reliable firewall for protecting OpenFlow networks where network states and traffic are frequently changed. To address this challenge, we introduce FLOWMON, an OpenFlow-based firewall, to support network-wide access control by facilitating not only accurate violation detection but also effective violation resolution in dynamic OpenFlow networks. FLOWMON detects firewall policy violations by checking flow path space against firewall authorization space when a flow entry or firewall rule is inserted, modified, or deleted. In particular, FLOWMON conducts automatic and real-time violation resolutions with the help of several innovative resolution strategies applied to diverse network update situations. We also implement a prototype of FLOWMON in Floodlight. Our experimental results demonstrate FLOWMON effectively addresses violations in a real-world network topology, and produces manageable performance overhead with effective violation detection and resolution.

Original languageEnglish (US)
Article number101597
JournalComputers and Security
StatePublished - Nov 2019


  • Firewalls
  • Network security
  • Openflow
  • Policy violation
  • Software-Defined networking

ASJC Scopus subject areas

  • General Computer Science
  • Law


Dive into the research topics of 'Towards a reliable firewall for software-defined networks'. Together they form a unique fingerprint.

Cite this