TY - JOUR
T1 - FORTRESS
T2 - An efficient and distributed firewall for stateful data plane SDN
AU - Caprolu, Maurantonio
AU - Raponi, Simone
AU - Di Pietro, Roberto
N1 - Funding Information:
This publication was partially supported by awards NPRP-S-11-0109-180242, UREP23-065-1-014, and NPRP X-063-1-014 from the QNRF-Qatar National Research Fund, a member of The Qatar Foundation.
Publisher Copyright:
© 2019 Maurantonio Caprolu et al.
PY - 2019
Y1 - 2019
N2 - The Software-Defined Networking (SDN) paradigm decouples the logic module from the forwarding module on traditional network devices, bringing a wave of innovation to computer networks. Firewalls, as well as other security appliances, can largely benefit from this novel paradigm. Firewalls can be easily implemented by using the default OpenFlow rules, but the logic must reside in the control plane due to the dynamic nature of their rules, which cannot be handled by data plane devices. This leads to a non-negligible overhead in the communication channel between layers, as well as introducing an additional computational load on the control plane. To address the above limitations, we propose the architectural design of FORTRESS: a stateful firewall for SDN networks that leverages the stateful data plane architecture to move the logic of the firewall from the control plane to the data plane. FORTRESS can be implemented according to two different architectural designs: Stand-Alone and Cooperative, each one with its own peculiar advantages. We compare FORTRESS against FlowTracker, the state-of-the-art solution for SDN firewalling, and show how our solution outperforms the competitor in terms of the number of packets exchanged between the control plane and the data plane: we require 0 packets for the Stand-Alone architecture and just 4 for the Cooperative one. Moreover, we discuss how the adaptability, elegant and modular design, and portability of FORTRESS contribute to making it the ideal candidate for SDN firewalling. Finally, we also provide further research directions.
AB - The Software-Defined Networking (SDN) paradigm decouples the logic module from the forwarding module on traditional network devices, bringing a wave of innovation to computer networks. Firewalls, as well as other security appliances, can largely benefit from this novel paradigm. Firewalls can be easily implemented by using the default OpenFlow rules, but the logic must reside in the control plane due to the dynamic nature of their rules, which cannot be handled by data plane devices. This leads to a non-negligible overhead in the communication channel between layers, as well as introducing an additional computational load on the control plane. To address the above limitations, we propose the architectural design of FORTRESS: a stateful firewall for SDN networks that leverages the stateful data plane architecture to move the logic of the firewall from the control plane to the data plane. FORTRESS can be implemented according to two different architectural designs: Stand-Alone and Cooperative, each one with its own peculiar advantages. We compare FORTRESS against FlowTracker, the state-of-the-art solution for SDN firewalling, and show how our solution outperforms the competitor in terms of the number of packets exchanged between the control plane and the data plane: we require 0 packets for the Stand-Alone architecture and just 4 for the Cooperative one. Moreover, we discuss how the adaptability, elegant and modular design, and portability of FORTRESS contribute to making it the ideal candidate for SDN firewalling. Finally, we also provide further research directions.
UR - http://www.scopus.com/inward/record.url?scp=85065338935&partnerID=8YFLogxK
U2 - 10.1155/2019/6874592
DO - 10.1155/2019/6874592
M3 - Article
AN - SCOPUS:85065338935
SN - 1939-0114
VL - 2019
JO - Security and Communication Networks
JF - Security and Communication Networks
M1 - 6874592
ER -