A virtual firewall built on Network Function Virtualization (NFV) together with Software-Defined Networking (SDN) offers high scalability and flexibility for low-cost monitoring of legacy networks, because virtual network appliances can be deployed dynamically instead of traditional hardware appliances. However, making full use of virtual firewalls requires efficient management of virtualization resources and on-demand placement of virtual firewalls, with an SDN controller steering traffic along the correct routing path. In this paper, we design P4Guard, a software-based configurable firewall whose packet-processing logic is specified in P4, a high-level domain-specific language. P4Guard is protocol-independent and platform-agnostic, can be incorporated into software switches, and is highly usable and deployable. We evaluate the efficiency of P4Guard in processing traffic against our previous NFV-based virtual firewall.
On the Safety and Efficiency of Virtual Firewall Elasticity Control
Traditional hardware-based firewall appliances are placed at fixed locations with fixed capacity, which makes it difficult for them to protect today's prevailing virtualized environments. Two emerging networking paradigms, Network Function Virtualization (NFV) and Software-Defined Networking (SDN), offer the potential to address these limitations. NFV envisions implementing the firewall function as a software instance (a virtual firewall). Virtual firewalls provide great flexibility and elasticity, both of which are necessary to protect virtualized environments. In this paper, we propose an innovative virtual firewall controller, VFW Controller, that enables safe, efficient and cost-effective elasticity control of virtual firewalls. VFW Controller addresses four key challenges in virtual firewall scaling: semantic consistency, correct flow update, buffer overflow avoidance, and optimal scaling. To demonstrate the feasibility of our approach, we implement the core components of VFW Controller on top of NFV and SDN environments. Our experimental results demonstrate that VFW Controller can efficiently provide safe elasticity control of virtual firewalls.
- PAR ID: 10047713
- Date Published:
- Journal Name: Proceedings of the 24th Network and Distributed System Security Symposium (NDSS 2017)
- Format(s): Medium: X
- Sponsoring Org: National Science Foundation
More Like this
- In the Software-Defined Networking (SDN) and Network Function Virtualization (NFV) era, it is critical to enable dynamic network access control. Traditionally, network access control policies are statically predefined as router entries or firewall rules. SDN adds flexibility by reactively installing flow rules into the switches to achieve dynamic network access control. However, SDN is limited in capturing network anomalies, which are usually important signs of security threats. In this paper, we propose to employ an anomaly-based Intrusion Detection System (IDS) to capture network anomalies and to generate SDN flow rules that enable dynamic network access control. We gain knowledge of the network anomalies from the anomaly-based IDS by training an interpretable model to explain its outcome, and from the explanation we derive access control policies. We demonstrate the feasibility of our approach by explaining the outcome of an anomaly-based IDS built upon a Recurrent Neural Network (RNN) and generating SDN flow rules from that explanation.
- Optical network technology is one of the leading candidates for meeting the latency and capacity requirements of the backhaul transport layer for 5G services. In addition, its physical-layer programmability supports the execution of advanced methods that can improve 5G service reliability and SLA compliance in the face of equipment failure. While a number of such methods are addressed in the literature, including Virtual Network Function (VNF) fault-tolerant methods, a full proof of concept is yet to be reported. The study in this paper describes a testbed, along with its Software Defined Networking (SDN) and Network Function Virtualization (NFV) capabilities, which is used to experimentally showcase the key functionalities required by VNF fault-tolerant methods. The testbed makes use of OpenROADM-compliant Dense Wavelength Division Multiplexing (DWDM) equipment to implement the programmable backhaul of a Next Generation Radio Access Network (NG-RAN) Non-standalone (NSA) architecture running a 4G Evolved Packet Core (EPC) with the 5G next-generation NodeB (gNB). Specifically, the testbed is used to showcase the live migration of virtualized EPC components that is required to restore the pre-failure VNF.
- Software-Defined Networking (SDN) represents a major transition from traditional hardware-based networks to programmable software-based networks. While SDN brings visibility, elasticity, flexibility, and scalability, it also presents security challenges. This paper describes some of the hands-on labs we developed for teaching SDN security using the CloudLab platform. The hands-on labs have been used in a graduate-level course on SDN/NFV-related technologies, and our teaching experience with them is discussed. The hands-on labs can be adopted by other instructors to teach SDN security.
- For the past decade, botnets have dominated network attacks in spite of significant research advances in defending against them. The distributed attack sources, the network size, and the diverse botnet attack techniques challenge the effectiveness of a single-point centralized security solution. This paper proposes a distributed security system against large-scale disruptive botnet attacks using SDN/NFV and machine learning. In our system, a set of distributed network functions detects network attacks for each protocol and collects real-time traffic information, which is also relayed to the SDN controller for more sophisticated analysis. The SDN controller then analyzes the real-time traffic using only the forwarded information with machine learning and updates the flow rules or takes routing/bandwidth-control measures, which are executed on the nodes implementing the security network functions. Our evaluations show the proposed system to be an efficient and effective defense against botnet attacks. The evaluation results demonstrate that the proposed system detects large-scale distributed network attacks from botnets at the SDN controller, while the network functions locally detect known attacks across different networking protocols.