Abstract
Software-Defined Networking (SDN) is an emerging paradigm in networking in which the network control plane is decoupled from the forwarding plane through programmable control. OpenFlow – the most popular SDN platform – introduces significant granularity, visibility and flexibility to networking, but at the same time brings forth new security challenges. One of the fundamental challenges is to build a reliable firewall for protecting OpenFlow networks, where network states and traffic change frequently. To address this challenge, we introduce FLOWMON, an OpenFlow-based firewall that supports network-wide access control by facilitating not only accurate violation detection but also effective violation resolution in dynamic OpenFlow networks. FLOWMON detects firewall policy violations by checking flow path space against firewall authorization space whenever a flow entry or firewall rule is inserted, modified, or deleted. In particular, FLOWMON conducts automatic and real-time violation resolution with the help of several innovative resolution strategies applied to diverse network update situations. We also implement a prototype of FLOWMON in Floodlight. Our experimental results demonstrate that FLOWMON effectively addresses violations in a real-world network topology and incurs manageable performance overhead while providing effective violation detection and resolution.
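To make the check described above concrete, here is an added illustration (not FLOWMON's code and not from the paper) of comparing a flow's path space against the firewall's denied authorization space when a flow entry is installed, including the case where a switch rewrites the source address along the path. The IPv4-prefix header model, the 'match'/'set' entry format and the assumption that the firewall judges the original source against the final destination are simplifications made for this example.

```python
from ipaddress import ip_network as net
FIELDS = ("src", "dst")          # header fields modelled; every value is an IPv4 prefix

def intersect(a, b):
    """Intersect two header spaces (dict field -> prefix); None if they are disjoint."""
    out = {}
    for f in FIELDS:
        if a[f].subnet_of(b[f]):
            out[f] = a[f]
        elif b[f].subnet_of(a[f]):
            out[f] = b[f]
        else:
            return None
    return out

def flow_path_space(ingress, entries):
    """Push a header space through flow entries ('match' space plus optional 'set' rewrites).
    Returns (original, current) header spaces at path end, or None if the flow is dropped."""
    original, current, rewritten = dict(ingress), dict(ingress), set()
    for entry in entries:
        matched = intersect(current, entry["match"])
        if matched is None:
            return None
        for f in FIELDS:             # a match on a not-yet-rewritten field narrows the original too
            if f not in rewritten:
                original[f] = matched[f]
        current = matched
        for f, value in entry.get("set", {}).items():
            current[f] = net(value)
            rewritten.add(f)
    return original, current

def violations(ingress, entries, deny_rules):
    """Deny rules whose authorization space overlaps the flow path space. Assumption: the
    firewall judges original source against final destination, so a source rewrite cannot hide a denied flow."""
    result = flow_path_space(ingress, entries)
    if result is None:
        return []
    effective = {"src": result[0]["src"], "dst": result[1]["dst"]}
    return [rule for rule in deny_rules if intersect(effective, rule) is not None]

# Constructed sample (not from the paper): two-switch path; the first switch rewrites the source.
WILDCARD = {"src": net("0.0.0.0/0"), "dst": net("0.0.0.0/0")}
PATH = [{"match": {"src": net("10.0.0.0/24"), "dst": net("10.0.1.0/24")}, "set": {"src": "192.168.0.1/32"}},
        {"match": {"src": net("192.168.0.1/32"), "dst": net("10.0.1.0/24")}}]
DENY = [{"src": net("10.0.0.0/24"), "dst": net("10.0.1.0/24")},
        {"src": net("10.0.2.0/24"), "dst": net("10.0.1.0/24")}]

if __name__ == "__main__":
    print("violated rules:", violations(WILDCARD, PATH, DENY))   # reports DENY[0] only
```

The second rule is not reported because its source prefix never overlaps the original ingress space, while the first is reported even though the source has been rewritten before the last hop.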
| Original language | English (US) |
|---|---|
| Article number | 101597 |
| Journal | Computers and Security |
| Volume | 87 |
| DOIs | |
| State | Published - Nov 2019 |
Keywords
- Firewalls
- Network security
- OpenFlow
- Policy violation
- Software-Defined Networking
ASJC Scopus subject areas
- Computer Science (all)
- Law