A virtual firewall built on Network Function Virtualization (NFV) together with Software-Defined Networking (SDN) offers high scalability and flexibility for low-cost monitoring of legacy networks, because virtual network appliances can be deployed dynamically in place of traditional hardware appliances. Fully exploiting virtual firewalls, however, requires efficient management of the underlying virtualization resources and on-demand placement of the firewalls, with an SDN controller steering traffic along the correct path. In this paper, we design P4Guard, a configurable software firewall whose packet-processing logic is specified in P4, a high-level domain-specific language. P4Guard is protocol-independent and platform-agnostic, can be incorporated into software switches, and is highly usable and deployable. We evaluate the efficiency of P4Guard in processing traffic against our previous NFV-based virtual firewall.
On the Safety and Efficiency of Virtual Firewall Elasticity Control
Traditional hardware-based firewall appliances are placed at fixed locations with fixed capacity. This makes it difficult for them to protect today's prevalent virtualized environments. Two emerging networking paradigms, Network Function Virtualization (NFV) and Software-Defined Networking (SDN), offer the potential to address these limitations. NFV envisions implementing the firewall function as a software instance (a virtual firewall). Virtual firewalls provide great flexibility and elasticity, which are necessary to protect virtualized environments. In this paper, we propose to build an innovative virtual firewall controller, VFW Controller, to enable safe, efficient and cost-effective virtual firewall elasticity control. VFW Controller addresses four key challenges in virtual firewall scaling: semantic consistency, correct flow update, buffer overflow avoidance, and optimal scaling. To demonstrate the feasibility of our approach, we implement the core components of VFW Controller on top of NFV and SDN environments. Our experimental results demonstrate that VFW Controller provides safe elasticity control of virtual firewalls efficiently.
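The four challenges the abstract names are easiest to see in a small model. The following is an added example written for this page, not code from the VFW Controller paper. It sketches one scale-out step of a stateful virtual firewall in Python: the rules, flows, packet rates, buffer capacity and the `vfw-1`/`vfw-2` instance names are all constructed, and the migration protocol it uses (copy connection state, forward packets held meanwhile, then re-steer at the switch) is an assumption for illustration, not the paper's mechanism. It checks the semantic consistency of a rule partition (first-match order matters), sizes migration batches so that packets buffered during a copy never exceed the old instance's buffer, and refuses to re-steer a flow before its state has arrived.

```python
# Constructed scale-out step for a stateful virtual firewall (illustrative, not VFW Controller code).
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR
    dst: str              # CIDR
    dport: Optional[int]  # None matches any port
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass
class Instance:
    name: str
    rules: list
    state: dict = field(default_factory=dict)  # flow -> connection-tracking state


def first_match(rules, flow):
    """First-match semantics with an implicit default deny."""
    for r in rules:
        if (ip_address(flow.src) in ip_network(r.src)
                and ip_address(flow.dst) in ip_network(r.dst)
                and (r.dport is None or r.dport == flow.dport)):
            return r.action
    return "deny"


def semantically_consistent(old, new, flows):
    """Semantic consistency: each migrating flow gets the same verdict on both instances."""
    return all(first_match(old.rules, f) == first_match(new.rules, f) for f in flows)


def plan_batches(flows, rate, cap, t_batch):
    """Buffer overflow avoidance: packets held while a batch's state is copied must fit in cap."""
    batches, cur, load = [], [], 0.0
    for f in flows:
        need = rate[f] * t_batch  # packets this flow produces during one batch copy
        if need > cap:
            raise ValueError(f"{f} alone would overflow a {cap}-packet buffer")
        if load + need > cap:
            batches.append(cur)
            cur, load = [], 0.0
        cur.append(f)
        load += need
    if cur:
        batches.append(cur)
    return batches


def migrate(old, new, steering, flows, rate, cap, t_batch):
    """Move flows from old to new; returns the ordered event log for auditing."""
    if not semantically_consistent(old, new, flows):
        raise ValueError("rule partition changes firewall semantics for migrating flows")
    log = []
    for batch in plan_batches(flows, rate, cap, t_batch):
        held = sum(rate[f] for f in batch) * t_batch  # packets buffered at old meanwhile
        for f in batch:
            new.state[f] = old.state.pop(f)           # 1. state lands on the new instance
            log.append(("state", f, new.name))
        log.append(("replay", len(batch), held))      # 2. held packets forwarded to new
        for f in batch:
            steering[f] = new.name                    # 3. only now does the switch re-steer
            log.append(("steer", f, new.name))
    return log


def ordering_ok(log):
    """Correct flow update: a flow is never re-steered before its state has moved."""
    moved = set()
    for ev in log:
        if ev[0] == "state":
            moved.add(ev[1])
        elif ev[0] == "steer" and ev[1] not in moved:
            return False
    return True


# Constructed policy and traffic; rule order matters (rule 0 shadows part of rule 1).
RULES = [
    Rule("10.0.1.0/24", "0.0.0.0/0", None, "deny"),
    Rule("10.0.0.0/8", "192.168.1.0/24", 443, "allow"),
    Rule("0.0.0.0/0", "0.0.0.0/0", 80, "allow"),
]
FLOWS = [Flow("10.0.2.5", "192.168.1.10", 443), Flow("10.0.2.6", "192.168.1.10", 443),
         Flow("10.0.3.7", "192.168.1.20", 80), Flow("10.0.1.9", "192.168.1.10", 443)]
RATES = dict(zip(FLOWS, [6, 5, 3, 4]))  # packets per second, constructed


def run_scale_out(cap=10, t_batch=1.0):
    old = Instance("vfw-1", RULES, {f: {"established": True} for f in FLOWS})
    steering = {f: old.name for f in FLOWS}
    bad = Instance("vfw-2", [RULES[1], RULES[2]])  # dropped the deny above the 443 allow
    assert not semantically_consistent(old, bad, FLOWS)
    new = Instance("vfw-2", list(RULES))
    log = migrate(old, new, steering, FLOWS, RATES, cap, t_batch)
    return log, steering, old, new
```

`run_scale_out()` returns the event log, which `ordering_ok` audits. The deliberate `bad` partition shows why copying only the rules a flow "needs" is not enough: dropping the higher-priority deny flips the verdict for flows from 10.0.1.0/24. The optimal-scaling question, how many instances to run, is not modelled here.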
- PAR ID: 10047713
- Date Published:
- Journal Name: Proceedings of the 24th Network and Distributed System Security Symposium (NDSS 2017)
- Format(s): Medium: X
- Sponsoring Org: National Science Foundation
More Like this

- In the Software Defined Networking (SDN) and Network Function Virtualization (NFV) era, it is critical to enable dynamic network access control. Traditionally, network access control policies are statically predefined as router entries or firewall rules. SDN enables more flexibility by reactively installing flow rules into the switches to achieve dynamic network access control. However, SDN is limited in capturing network anomalies, which are usually important signs of security threats. In this paper, we propose to employ an anomaly-based Intrusion Detection System (IDS) to capture network anomalies and generate SDN flow rules to enable dynamic network access control. We gain knowledge of network anomalies from the anomaly-based IDS by training an interpretable model to explain its outcome. Based on the explanation, we derive access control policies. We demonstrate the feasibility of our approach by explaining the outcome of an anomaly-based IDS built upon a Recurrent Neural Network (RNN) and generating SDN flow rules based on our explanation.
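To make the explanation-to-policy step concrete, here is an added Python example written for this page, not the paper's code. The RNN IDS and its interpretable surrogate are not reproduced; the flagged flow record, its per-feature attribution scores and the benign flows are constructed, and the mapping from IDS features to OpenFlow 1.3 match fields is an assumption. The example turns an explanation into a drop rule keyed on the strongest matchable features, declines to generate a rule when the explanation rests mostly on features a switch cannot match on (such as inter-arrival timing), and vets the rule against known-benign flows before it would be installed.

```python
# Constructed explanation-to-flow-rule step (illustrative, not the paper's code).
from dataclasses import dataclass

# IDS feature names that have an OpenFlow 1.3 match-field counterpart (assumed mapping).
# Anything else (inter-arrival time, byte counts, ...) cannot be expressed as a match.
# Constructed records are all TCP, so the port feature maps to tcp_dst.
MATCHABLE = {"src_ip": "ipv4_src", "dst_ip": "ipv4_dst", "dst_port": "tcp_dst", "proto": "ip_proto"}


@dataclass
class Explanation:
    record: dict       # feature -> value of the flow record the IDS flagged
    attribution: dict  # feature -> contribution to the anomaly score (from the interpretable model)


def derive_rule(expl, top_k=2, min_share=0.5, priority=200):
    """Build a drop rule from the top_k matchable features of the explanation.

    Returns None when matchable features account for less than min_share of the
    total attribution, so no rule is built from signals the switch cannot see."""
    total = sum(abs(v) for v in expl.attribution.values())
    ranked = sorted(expl.attribution.items(), key=lambda kv: -abs(kv[1]))
    chosen = [(f, v) for f, v in ranked if f in MATCHABLE][:top_k]
    share = sum(abs(v) for _, v in chosen) / total if total else 0.0
    if share < min_share:
        return None
    # tcp_dst is only valid with eth_type/ip_proto prerequisites set.
    match = {"eth_type": 0x0800, "ip_proto": expl.record["proto"]}
    match.update({MATCHABLE[f]: expl.record[f] for f, _ in chosen})
    return {"priority": priority, "match": match, "actions": []}  # empty action list = drop


def rule_matches(rule, rec):
    """Would this rule's match fields select the given flow record?"""
    inv = {v: k for k, v in MATCHABLE.items()}
    return all(rec.get(inv[fld]) == val for fld, val in rule["match"].items() if fld in inv)


def vet_rule(rule, benign):
    """Refuse to install a rule that would also drop known-benign traffic."""
    collateral = [r for r in benign if rule_matches(rule, r)]
    return (len(collateral) == 0, collateral)


def policy_from(expl, benign):
    """Full pipeline: explanation -> candidate rule -> vetted rule (or None)."""
    rule = derive_rule(expl)
    if rule is None:
        return None
    ok, _ = vet_rule(rule, benign)
    return rule if ok else None


# Constructed flagged record and attributions; the IDS and explainer are not shown.
FLAGGED = Explanation(
    record={"src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "dst_port": 22, "proto": 6,
            "iat_mean": 0.01, "bytes": 60},
    attribution={"dst_port": 0.35, "iat_mean": 0.30, "src_ip": 0.20, "bytes": 0.10, "dst_ip": 0.05},
)
# Same record, but the explanation is dominated by timing, which no match field captures.
TIMING_ONLY = Explanation(
    record=FLAGGED.record,
    attribution={"iat_mean": 0.60, "bytes": 0.25, "dst_port": 0.10, "src_ip": 0.05},
)
BENIGN = [  # constructed known-good flows used to vet the derived rule
    {"src_ip": "10.0.0.7", "dst_ip": "10.0.0.20", "dst_port": 22, "proto": 6},
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.30", "dst_port": 443, "proto": 6},
]
```

`policy_from(FLAGGED, BENIGN)` yields a rule matching `ipv4_src=10.0.0.5, tcp_dst=22` with an empty action list, while `policy_from(TIMING_ONLY, BENIGN)` yields `None`: an explanation that lives in features the data plane cannot match on should trigger an alert, not a flow rule.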
- Software-Defined Networking (SDN) represents a major transition from traditional hardware-based networks to programmable software-based networks. While SDN brings visibility, elasticity, flexibility, and scalability, it also presents security challenges. This paper describes some of the hands-on labs we developed for teaching SDN security using the CloudLab platform. The hands-on labs have been used in a graduate-level course on SDN/NFV-related technologies. We also discuss our experience teaching with these labs. The hands-on labs can be adopted by other instructors to teach SDN security.
- Optical network technology is one of the leading candidates for meeting the backhaul transport-layer latency and capacity requirements of 5G services. In addition, its physical-layer programmability supports the execution of advanced methods that can improve 5G service reliability and SLA compliance in the face of equipment failure. While a number of such methods are addressed in the literature, including Virtual Network Function (VNF) fault-tolerance methods, a full proof of concept is yet to be reported. The study in this paper describes a testbed, along with its Software Defined Networking (SDN) and Network Function Virtualization (NFV) capabilities, which is used to experimentally showcase the key functionalities required by VNF fault-tolerance methods. The testbed makes use of OpenROADM-compliant Dense Wavelength Division Multiplexing (DWDM) equipment to implement the programmable backhaul of a Next Generation Radio Access Network (NG-RAN) Non-standalone (NSA) architecture running a 4G Evolved Packet Core (EPC) with the 5G next-generation NodeB (gNB). Specifically, the testbed is used to showcase the live migration of virtualized EPC components that is required to restore the pre-failure VNF.
- One of the goals of Software-Defined Networking (SDN) is to let users specify high-level policies that are translated into lower-level network rules. Managing a network and deciding which policy set is appropriate, however, requires expertise and low-level know-how. An emerging SDN paradigm is to express higher-level network decisions in the form of "intents". Despite its importance in simplifying network management, intent specification is not yet standardized. In this work, we propose a northbound interface (NBI) for intent declaration, based on Behavior-Driven Development. In our approach, intents are specified in plain English and translated by our system into pre-compiled network policies, which are in turn converted into low-level rules by the software-defined infrastructure, e.g. an SDN controller. We demonstrated our behavior-driven approach with two practical use cases: service function chaining deployed on OpenStack, supported by both ONOS and Ryu controllers, and dynamic firewall programming. We also measured the overhead and response time of our NBI. We believe that our approach is far more general and paves the way for a more expressive and simplified northbound interface for intent-driven networking.
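As an added illustration of the behaviour-driven idea for the firewall use case (written for this page; not the paper's NBI, its code, or anything tied to ONOS or Ryu), the following Python sketch registers step definitions in the style of behave's `@given`/`@when`/`@then` decorators, parses a plain-English scenario into a pre-compiled policy and compiles that policy into an OpenFlow-style rule. The step vocabulary, the sample intents and the rule format are all assumptions. Two guards matter from a security standpoint: a line with no matching step definition raises instead of being silently ignored, and an incomplete intent is rejected rather than compiled into an over-broad rule.

```python
# Constructed behaviour-driven intent parser (illustrative, not the paper's NBI).
import re

STEPS = []  # (keyword, compiled pattern, handler), in registration order


def step(keyword, pattern):
    """Register a BDD step definition, in the spirit of behave's @given/@when/@then."""
    def deco(fn):
        STEPS.append((keyword, re.compile(pattern, re.I), fn))
        return fn
    return deco


class IntentError(ValueError):
    """Raised for any line without a step definition: an unparsed intent must fail closed."""


IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


@step("given", rf"^a host (?P<src>{IPV4})$")
def given_host(policy, src):
    policy["src"] = src


@step("when", rf"^it connects to (?P<dst>{IPV4}) on port (?P<port>\d+)$")
def when_connects(policy, dst, port):
    policy["dst"] = dst
    policy["dport"] = int(port)


@step("then", r"^(?P<verdict>block|allow) the connection$")
def then_verdict(policy, verdict):
    policy["action"] = verdict


def parse_intent(text):
    """Plain-English scenario -> pre-compiled policy dict; fails closed on unknown steps."""
    policy = {}
    for line in text.strip().splitlines():
        keyword, _, body = line.strip().partition(" ")
        for kw, pat, handler in STEPS:
            m = pat.match(body) if kw == keyword.lower() else None
            if m:
                handler(policy, **m.groupdict())
                break
        else:
            raise IntentError(f"no step definition for: {line.strip()!r}")
    missing = {"src", "dst", "dport", "action"} - set(policy)
    if missing:
        raise IntentError(f"intent incomplete, missing {sorted(missing)}")
    return policy


def compile_policy(policy, priority=100):
    """Policy dict -> OpenFlow-style rule a controller would install (assumed format)."""
    match = {"eth_type": 0x0800, "ip_proto": 6, "ipv4_src": policy["src"],
             "ipv4_dst": policy["dst"], "tcp_dst": policy["dport"]}
    actions = [] if policy["action"] == "block" else ["NORMAL"]  # empty list = drop
    return {"priority": priority, "match": match, "actions": actions}


def intent_to_rule(text):
    return compile_policy(parse_intent(text))


# Constructed intents.
BLOCK_SSH = """
Given a host 10.0.0.5
When it connects to 10.0.0.20 on port 22
Then block the connection
"""
UNSUPPORTED = """
Given a host 10.0.0.5
When it connects to 10.0.0.20 on port 22
Then rate-limit the connection
"""
```

`intent_to_rule(BLOCK_SSH)` produces a priority-100 drop rule on `10.0.0.5 -> 10.0.0.20:22`; `parse_intent(UNSUPPORTED)` raises `IntentError` because no step definition claims "rate-limit the connection". Adding a verb to the vocabulary means adding a step definition, which is where access-control review of new intent types belongs.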