Multi-level Stateful Firewall Mechanism for Software Defined Networks

Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 718)


Traditional networks are often quite static, slow to modify, dedicated for a single service and very difficult to scale, what is typical for a large number of different network devices (such as switches, routers, firewalls, and so on), with many complex protocols implemented or embedded on them. Software Defined Network (SDN) is a new technology in communication industry that promises to provide new approach attempting to overcome this weakness of the current network paradigm. The SDN provides a highly scalable and centralized control architecture in which the data plane is decoupled from the control plane; this abstraction gives more flexible, programmable and innovative network architecture. However, centralization of the control plane and ability of programming the network are very critical and challenging tasks causing security problems. In this paper we propose a framework for securing the SDN by introducing an application as an extension to the controller to make it able to check every specific flow in the network and to push the security instructions in real-time down to the network. We also compare our proposal with other existing SDN-based security solutions.


Software Defined Network Stateful-Packet filtering Flow table OpenFlow protocol 


  1. 1.
    Adrian, L., Kolasani, A., Ramamurthy, B.: Network innovation using openflow: a survey. IEEE Commun. Surv. Tutorials 16, 493–512 (2013)Google Scholar
  2. 2.
    Azodolmolky, S.: Software Defined Networking with OpenFlow Get Hands-on with the Platforms and Development Tools Used to Build OpenFlow Network Applications. Packt Publishing Ltd., Birmingham (2013)Google Scholar
  3. 3.
    Pujolle, G.: Software Networks Virtualization, SDN, 5G and Security. ISTE Ltd. and Wiley, Great Britain, United States (2015)Google Scholar
  4. 4.
    Kreutz, D., Ramos, F.M.V., Verissimo, P.E., Rothenberg, C.E., Azodolmolky, S., Uhlig, S.: Software-defined networking: a comprehensive survey. Proc. IEEE 103, 14–76 (2015)CrossRefGoogle Scholar
  5. 5.
    Underdahl, B., Kinghorn, G.: Software Defined Networking for Dummies. Wiley, Hoboken (2015)Google Scholar
  6. 6.
    Jain, R., Paul, S.: Network virtualization and software defined networking for cloud computing: a survey. IEEE Commun. Mag. 51, 24–31 (2013)CrossRefGoogle Scholar
  7. 7.
    The Open Networking Foundation, OpenFlow Switch Specification (2014)Google Scholar
  8. 8.
    Astuto, B.N., Mendonca, M., Nguyen, X.N., Obraczka, K., Turletti, T.: A survey of software-defined networking: past, present, and future of programmable networks. IEEE Commun. Surv. Tutorials 16, 1617–1634 (2014)CrossRefGoogle Scholar
  9. 9.
    Sharma, R.K., Kalita, H.K., Issac, B.: Different firewall techniques: a survey. In: 5th IEEE International Conference on Computing. Communications and Networking Technologies (ICCCNT), Hefei, Anhui, China, pp. 1–6 (2014)Google Scholar
  10. 10.
    Scarfone, K., Hoffman, P.: Guidelines on Firewalls and Firewall Policy, Gaithersburg (2009)Google Scholar
  11. 11.
    Duan, Q., Al-Shaer, E.: Traffic-aware dynamic firewall policy management: techniques and applications. IEEE Commun. Mag. 51, 73–79 (2013)CrossRefGoogle Scholar
  12. 12.
    Trabelsi, Z.: Teaching stateless and stateful firewall packet filtering: a hands-on approach. In: 16th Colloquium for Information Systems Security Education, Lake Buena Vista, Florida, pp. 95–102 (2012)Google Scholar
  13. 13.
    Mehdi, S.A., Khalid, J., Khayam, S.A.: Revisiting traffic anomaly detection using software defined networking. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 161–180. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-23644-0_9 CrossRefGoogle Scholar
  14. 14.
    Braga, R., Mota, E., Passito, A.: Lightweight DDoS flooding attack detection using NOX/OpenFlow. In: 35th Annual IEEE Conference on Local Computer Networks, LCN, Denver, Colorado, pp. 408–415 (2010)Google Scholar
  15. 15.
    Jeong, C., Ha, T., Narantuya, J., Lim, H., Kim, J.: Scalable network intrusion detection on virtual SDN environment. In: 2014 IEEE 3rd International Conference on Cloud Networking (CloudNet), Luxembourg, pp. 264–265 (2014)Google Scholar
  16. 16.
    Francois, J., Aib, I., Boutaba, R.: Firecol: a collaborative protection network for the detection of flooding DDoS attacks. IEEE/ACM Trans. Networking (TON) 20, 1828–1841 (2012)CrossRefGoogle Scholar
  17. 17.
    Porras, Ph., Shin, S., Yegneswaran, V., Fong, M., Tyson, M., Gu, G.: A security enforcement kernel for openflow networks. In: HotSDN 2012 ACM Special Interest Group on Data Communication SIGCOMM, pp. 121–126. ACM, Helsinki (2012)Google Scholar
  18. 18.
    Shin, S., Porras, P., Yegneswaran, V., Fong, M., Gu, G., Tyson, M.: FRESCO: Modular composable security services for software-defined networks. In: NDSS 2013 Network and Distributed System Security Symposium, San Diego, CA, pp. 1–16 (2013)Google Scholar
  19. 19.
    Hu, H., Han, W., Ahn, G.J., Zhao, Z.: FLOWGUARD: building robust firewalls for software-defined networks. In: HotSDN 2014, pp. 97–102. ACM, Chicago (2014)Google Scholar
  20. 20.
    Shirali-Shahreza, S., Ganjali, Y.: Flexam: flexible sampling extension for monitoring and security applications in OpenFlow. In: HotSDN 2013, Hong Kong, China, pp. 167–168. ACM, New York (2013)Google Scholar
  21. 21.
    Shirali-Shahreza, S., Ganjali, Y.: Efficient implementation of security applications in openflow controller with flexam. In: IEEE 21st Annual Symposium on High-Performance Interconnects, San Jose, CA, USA, pp. 49–54 (2013)Google Scholar
  22. 22.
    Collings, J., Liu, J.: An openflow-based prototype of SDN-oriented stateful hardware firewalls. In: IEEE 22nd International Conference on Network Protocols, Raleigh, NC, USA, pp. 525–528 (2014)Google Scholar
  23. 23.
    Zerkane, S., Espes, D., Le Parc, P., Cuppens, F.: Software defined networking reactive stateful firewall. In: Hoepman, J.-H., Katzenbeisser, S. (eds.) SEC 2016. IFIP AICT, vol. 471, pp. 119–132. Springer, Cham (2016). doi: 10.1007/978-3-319-33630-5_9 CrossRefGoogle Scholar
  24. 24.
    Lar, S., Liao, X., ur Rehman, A., Ma, Q.: Proactive security mechanism and design. J. Inf. Secur. 2, 122–130 (2011)Google Scholar
  25. 25.
    Cabaj, K., Mazurczyk, W.: Using software-defined networking for ransomware mitigation: the case of cryptowall. IEEE Netw. Mag. Global Internetworking 30, 14–20 (2016)CrossRefGoogle Scholar
  26. 26.
    Suh, M., Park, S.H., Lee, B., Yang, S.: Building firewall over the software-defined network controller. In: The 16th IEEE International Conference on Advanced Communications Technology, Daejeon, South Korea, pp. 744–748 (2014)Google Scholar
  27. 27.
    Pena, J.G., Yu, W.E.: Development of a distributed firewall using software defined networking technology. In: 4th IEEE International Conference on Information Science and Technology, Shenzhen, China, pp. 449–452 (2014)Google Scholar
  28. 28.
    Vasudevan, S.: Firewall a new approach to solve issues in software define networking. In: 6th International Conference on Emerging Trends in Engineering and Technology, pp. 14–19 (2016)Google Scholar
  29. 29.
    Konorski, J., Pacyna, P., Kolaczek, G., Kotulski, Z., Cabaj, K., Szalachowski, P.: A virtualization-level future internet defense-in-depth architecture. In: Thampi, S.M., Zomaya, A.Y., Strufe, T., Alcaraz Calero, J.M., Thomas, T. (eds.) SNDS 2012. CCIS, vol. 335, pp. 283–292. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-34135-9_29 CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.Faculty of Electronics and Information TechnologyWarsaw University of TechnologyWarsawPoland
  2. 2.Faculty of ScienceAl-Muthanna UniversityMuthannaIraq

Personalised recommendations