FORTRESS: An Efficient and Distributed Firewall for Stateful Data Plane SDN

Caprolu, Maurantonio; Raponi, Simone; Pietro, Roberto Di

doi:10.1155/2019/6874592

Cited by 23 publications

(11 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…To provide programmability to the data plane, some of the proposals are the following: SDPA [172], which proposes a "match-state-action" abstraction instead of OpenFlow's "match-action" processing; SNAP [173], which bases its programmability on an abstract network and persistent global arrays; and those proposals based on XFSM tables (eXtensible Finite State Machines) for flow processing in switches, such as FAST [174], OpenState [175], OPP [176], and the best-known P4 [177]. Supported by the programmability solutions described above, multiple network abstractions have been developed in a Stateful Data Plane, including firewalls [178], [179], traffic management applications [180], and load balancers [181], [182], among others [183].…”

Section: ) Stateful Data Planementioning

confidence: 99%

A Survey of the Main Security Issues and Solutions for the SDN Architecture

et al. 2021

View full text Add to dashboard Cite

The software-defined networking (SDN) paradigm proposes the decoupling of control and data planes and a centralized software-oriented management approach based on a central controller, easing the development of new applications and services. These design principles pave the way for a more flexible, fast, and dynamic software-controlled network. However, in terms of security, the elements that comprise the SDN architecture present several vulnerabilities, which could be exploited by attackers to carry out malicious actions and thus affect the network and its services. Although for several years, some studies have already focused on identifying the weaknesses of the SDN layer structure, the nature of the attacks, and possible solutions for this paradigm, the literature contains few contributions that review and discuss this topic in an integral fashion. This paper provides a comprehensive, updated, and detailed review of the main security issues and mitigating measures for all layers and interfaces of the SDN architecture, classifying the contributions according to the STRIDE threat modeling methodology categories. Finally, this manuscript identifies, discusses, and synthesizes open challenges and future research directions in this area.

show abstract

Section: ) Stateful Data Planementioning

confidence: 99%

A Survey of the Main Security Issues and Solutions for the SDN Architecture

et al. 2021

View full text Add to dashboard Cite

show abstract

“…Halpern et al studied the service function chain SFC [15], using flow rules to control the flow. Caprolu et al designed FORTRESS: a stateful firewall for SDN networks that leverages the stateful data plane architecture to move the logic of the firewall from the control plane to the data plane [16]. Fayaz et al implemented Bohatei, a flexible and elastic DDoS defense system [17].…”

Section: Related Workmentioning

confidence: 99%

Attribute-Guard: Attribute-Based Flow Access Control Framework in Software-Defined Networking

Zhu

Chang

Qin

et al. 2020

Security and Communication Networks

View full text Add to dashboard Cite

Software-defined networking (SDN) decouples the control plane from the data plane, offering flexible network configuration and management. Because of this architecture, some security features are missing. On the one hand, because the data plane only has the packet forwarding function, it is impossible to effectively authenticate the data validity. On the other hand, OpenFlow can only match based on network characteristics, and it is impossible to achieve fine-grained access control. In this paper, we aim to develop solutions to guarantee the validity of flow in SDN and present Attribute-Guard, a fine-grained access control and authentication scheme for flow in SDN. We design an attribute-based flow authentication protocol to verify the legitimacy of the validity flow. The attribute identifier is used as a matching field to define a forwarding control. The flow matching based on the attribute identifier and the flow authentication protocol jointly implement fine-grained access control. We conduct theoretical analysis and simulation-based evaluation of Attribute-Guard. The results show that Attribute-Guard can efficiently identify and reject fake flow.

show abstract

“…Stand‐alone model cancels the network overhead and control load of the controller. Cooperative model reduces the network overhead in TCP . A near‐globally optimal distributed controller is proposed to achieve stable static distributed controller, the performance of proposed method equalize with centralized controller.…”

Section: Related Workmentioning

confidence: 99%

Stateful firewall‐enabled software‐defined network with distributed controllers: A network performance study

Prabakaran

Ramalakshmi

2019

Int J Communication

View full text Add to dashboard Cite

SummarySoftware-defined network (SDN) is constructed by decoupling the control and data plane from the forwarding devices. The control plane operations are managed by centralized or distributed controllers, and the data plane operation is managed by respective forwarding devices. SDN provides an easy and efficient management solutions for software-programmed consolidated middlebox in virtual machines. Additionally, SDN with centralized controller faces complications like scalability, network bottle neck, and single point failure. In this study, a stateful inspection firewall acts as a middlebox in distributed SDN-controlled network. The controller is programmed with a failure detection and recovery mechanism to provide reliability and redundancy and enhance the overall performance of the network. The objective of stateful firewall on SDN architecture is to secure the network by monitoring the current connections and maintain its state information until the connection is active. In this paper, the performance of firewall-enabled SDN with centralized and distributed controllers are measured, compared, and analyzed. The experiments are done using POX controller, and the results are verified by Mininet network emulation tool. The results show that the stateful firewall-enabled SDN with distributed controller network improves the security, reliability, availability, and overall performance of the network. In the proposed SDN, average network throughput is improved by 43%, average network delay is reduced by 4%, average channel utilization is increased by 40%, average network overhead is reduced by 26%, and average network response time is reduced by 23%. KEYWORDSdistributed controller, middlebox, OpenFlow, SDN, software-defined network, stateful firewall | INTRODUCTIONSoftware-defined network (SDN) is a promising network model that is utilized to build an adaptable and less expensive alternative for an existing network. SDN decouples the control plane and data plane from the forwarding device. The decoupled control planes from all the forwarding devices are centralized by the SDN controller. A single centralized controller network in SDN has issues like network bottle neck, which cause a single point network failure, less reliability, and scalability. Network bottle neck problem occurs in single centralized SDN controller when there is a rapid increase of ingress traffic. To solve the above-mentioned issue, distributed controllers are configured to handle ingress and egress

show abstract

FORTRESS: An Efficient and Distributed Firewall for Stateful Data Plane SDN

Cited by 23 publications

References 29 publications

A Survey of the Main Security Issues and Solutions for the SDN Architecture

A Survey of the Main Security Issues and Solutions for the SDN Architecture

Attribute-Guard: Attribute-Based Flow Access Control Framework in Software-Defined Networking

Stateful firewall‐enabled software‐defined network with distributed controllers: A network performance study

Contact Info

Product

Resources

About