FORTRESS: An Efficient and Distributed Firewall for Stateful Data Plane SDN
<p dir="ltr">The Software Defined Networking (SDN) paradigm decouples the logic module from the forwarding module on traditional network devices, bringing a wave of innovation to computer networks. Firewalls, as well as other security appliances, can largely benefit from this novel p...
محفوظ في:
| المؤلف الرئيسي: | |
|---|---|
| مؤلفون آخرون: | , |
| منشور في: |
2019
|
| الموضوعات: | |
| الوسوم: |
إضافة وسم
لا توجد وسوم, كن أول من يضع وسما على هذه التسجيلة!
|
| _version_ | 1864513505651064832 |
|---|---|
| author | Maurantonio Caprolu (16928412) |
| author2 | Simone Raponi (14158911) Roberto Di Pietro (16864155) |
| author2_role | author author |
| author_facet | Maurantonio Caprolu (16928412) Simone Raponi (14158911) Roberto Di Pietro (16864155) |
| author_role | author |
| dc.creator.none.fl_str_mv | Maurantonio Caprolu (16928412) Simone Raponi (14158911) Roberto Di Pietro (16864155) |
| dc.date.none.fl_str_mv | 2019-02-19T03:00:00Z |
| dc.identifier.none.fl_str_mv | 10.1155/2019/6874592 |
| dc.relation.none.fl_str_mv | https://figshare.com/articles/journal_contribution/FORTRESS_An_Efficient_and_Distributed_Firewall_for_Stateful_Data_Plane_SDN/27003544 |
| dc.rights.none.fl_str_mv | CC BY 4.0 info:eu-repo/semantics/openAccess |
| dc.subject.none.fl_str_mv | Information and computing sciences Cybersecurity and privacy Distributed computing and systems software Software Defined Networking (SDN) Firewall Stateful Firewall OpenFlow Control Plane Data Plane FORTRESS |
| dc.title.none.fl_str_mv | FORTRESS: An Efficient and Distributed Firewall for Stateful Data Plane SDN |
| dc.type.none.fl_str_mv | Text Journal contribution info:eu-repo/semantics/publishedVersion text contribution to journal |
| description | <p dir="ltr">The Software Defined Networking (SDN) paradigm decouples the logic module from the forwarding module on traditional network devices, bringing a wave of innovation to computer networks. Firewalls, as well as other security appliances, can largely benefit from this novel paradigm. Firewalls can be easily implemented by using the default OpenFlow rules, but the logic must reside in the control plane due to the dynamic nature of their rules that cannot be handled by data plane devices. This leads to a nonnegligible overhead in the communication channel between layers, as well as introducing an additional computational load on the control plane. To address the above limitations, we propose the architectural design of FORTRESS: a stateful firewall for SDN networks that leverages the stateful data plane architecture to move the logic of the firewall from the control plane to the data plane. FORTRESS can be implemented according to two different architectural designs: Stand-Alone and Cooperative, each one with its own peculiar advantages. We compare FORTRESS against FlowTracker, the state-of-the-art solution for SDN firewalling, and show how our solution outperforms the competitor in terms of the number of packets exchanged between the control plane and the data plane—we require 0 packets for the Stand-Alone architecture and just 4 for the Cooperative one. Moreover, we discuss how the adaptability, elegant and modular design, and portability of FORTRESS contribute to make it the ideal candidate for SDN firewalling. Finally, we also provide further research directions.</p><h2>Other Information</h2><p dir="ltr">Published in: Security and Communication Networks<br>License: <a href="http://creativecommons.org/licenses/by/4.0/" target="_blank">http://creativecommons.org/licenses/by/4.0/</a><br>See article on publisher's website: <a href="https://dx.doi.org/10.1155/2019/6874592" target="_blank">https://dx.doi.org/10.1155/2019/6874592</a></p> |
| eu_rights_str_mv | openAccess |
| id | Manara2_4be3e2a1e9fa70a6db94536cdff811a0 |
| identifier_str_mv | 10.1155/2019/6874592 |
| network_acronym_str | Manara2 |
| network_name_str | Manara2 |
| oai_identifier_str | oai:figshare.com:article/27003544 |
| publishDate | 2019 |
| repository.mail.fl_str_mv | |
| repository.name.fl_str_mv | |
| repository_id_str | |
| rights_invalid_str_mv | CC BY 4.0 |
| spelling | FORTRESS: An Efficient and Distributed Firewall for Stateful Data Plane SDNMaurantonio Caprolu (16928412)Simone Raponi (14158911)Roberto Di Pietro (16864155)Information and computing sciencesCybersecurity and privacyDistributed computing and systems softwareSoftware Defined Networking (SDN)FirewallStateful FirewallOpenFlowControl PlaneData PlaneFORTRESS<p dir="ltr">The Software Defined Networking (SDN) paradigm decouples the logic module from the forwarding module on traditional network devices, bringing a wave of innovation to computer networks. Firewalls, as well as other security appliances, can largely benefit from this novel paradigm. Firewalls can be easily implemented by using the default OpenFlow rules, but the logic must reside in the control plane due to the dynamic nature of their rules that cannot be handled by data plane devices. This leads to a nonnegligible overhead in the communication channel between layers, as well as introducing an additional computational load on the control plane. To address the above limitations, we propose the architectural design of FORTRESS: a stateful firewall for SDN networks that leverages the stateful data plane architecture to move the logic of the firewall from the control plane to the data plane. FORTRESS can be implemented according to two different architectural designs: Stand-Alone and Cooperative, each one with its own peculiar advantages. We compare FORTRESS against FlowTracker, the state-of-the-art solution for SDN firewalling, and show how our solution outperforms the competitor in terms of the number of packets exchanged between the control plane and the data plane—we require 0 packets for the Stand-Alone architecture and just 4 for the Cooperative one. Moreover, we discuss how the adaptability, elegant and modular design, and portability of FORTRESS contribute to make it the ideal candidate for SDN firewalling. Finally, we also provide further research directions.</p><h2>Other Information</h2><p dir="ltr">Published in: Security and Communication Networks<br>License: <a href="http://creativecommons.org/licenses/by/4.0/" target="_blank">http://creativecommons.org/licenses/by/4.0/</a><br>See article on publisher's website: <a href="https://dx.doi.org/10.1155/2019/6874592" target="_blank">https://dx.doi.org/10.1155/2019/6874592</a></p>2019-02-19T03:00:00ZTextJournal contributioninfo:eu-repo/semantics/publishedVersiontextcontribution to journal10.1155/2019/6874592https://figshare.com/articles/journal_contribution/FORTRESS_An_Efficient_and_Distributed_Firewall_for_Stateful_Data_Plane_SDN/27003544CC BY 4.0info:eu-repo/semantics/openAccessoai:figshare.com:article/270035442019-02-19T03:00:00Z |
| spellingShingle | FORTRESS: An Efficient and Distributed Firewall for Stateful Data Plane SDN Maurantonio Caprolu (16928412) Information and computing sciences Cybersecurity and privacy Distributed computing and systems software Software Defined Networking (SDN) Firewall Stateful Firewall OpenFlow Control Plane Data Plane FORTRESS |
| status_str | publishedVersion |
| title | FORTRESS: An Efficient and Distributed Firewall for Stateful Data Plane SDN |
| title_full | FORTRESS: An Efficient and Distributed Firewall for Stateful Data Plane SDN |
| title_fullStr | FORTRESS: An Efficient and Distributed Firewall for Stateful Data Plane SDN |
| title_full_unstemmed | FORTRESS: An Efficient and Distributed Firewall for Stateful Data Plane SDN |
| title_short | FORTRESS: An Efficient and Distributed Firewall for Stateful Data Plane SDN |
| title_sort | FORTRESS: An Efficient and Distributed Firewall for Stateful Data Plane SDN |
| topic | Information and computing sciences Cybersecurity and privacy Distributed computing and systems software Software Defined Networking (SDN) Firewall Stateful Firewall OpenFlow Control Plane Data Plane FORTRESS |