Journal Highly Available Systems, No. 3, 2013
Article in issue:
Toward network access control with Software-Defined Networking
Authors:
D.Yu. Gamayunov - Senior Research Scientist, Lomonosov Moscow State University
I.S. Platonov - Programmer, Information Systems Security Lab, Lomonosov Moscow State University
R.L. Smeliansky - RAS corresponding member, Scientific Director, Applied Research Center for Computer Networks
Abstract:
Today network access control is provided by specialized packet-filtering solutions, including software implementations inside operating systems: firewalls, intrusion prevention systems, network antivirus gateways and application-layer proxies (among them web application firewalls, WAF). With the enormous growth of Internet throughput their efficiency is falling while their cost remains high. A firewall is installed at one fixed point of the network topology, so its rule syntax must be expressive enough to distinguish accurately the flows originating from different applications and clients. As a result the firewall logic grows more complex: more header fields have to be examined per packet to decide which action to apply. At the same time it is well known that source-based filtering performed close to the source node, and destination-based filtering performed close to the destination node or application, simplifies the policy rules and therefore makes the filtering logic cheaper. With mobile client devices the network configuration changes rapidly, and information about topology changes cannot be used directly for access control; hence access control based on the expected behaviour (flows) of network applications becomes increasingly important. The SDN concept not only removes the need for dedicated hardware firewalls but also allows the overall L2 network throughput to be maximized. We claim that any firewall configuration that specifies an access control policy between applications in the network can be implemented as an SDN flow policy which preserves the reachability matrix of the network graph and maximizes the throughput of the L2 networking infrastructure. In this paper we formally show how to migrate from a traditional network with dedicated firewalls to SDN while preserving node reachability (the connection matrix).
The proposed approach was implemented as an application for the POX SDN controller. Its input is the existing network topology together with a rule set for each firewall in Extended Cisco ACL format; its output is the SDN access control policy, i.e. a rule set for every OpenFlow switch in the SDN topology. An experimental evaluation on a physical SDN testbed built from five NEC Programmable Flow series switches was performed, and the quantitative results obtained confirm the applicability of the proposed method. Directions for further research, based on optimizing the entries in the flow tables of the OpenFlow switches, are given in the conclusion.
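As an added illustration of the migration step summarized above (example code written for this page, not the authors' POX application or its ACL parser): it reads a small, constructed Extended Cisco ACL of the kind enforced today at one choke-point firewall, slices it per attached host into priority-ordered OpenFlow-style tables on each host's access switch (source-based filtering next to the source, with the source field already resolved), and verifies that the reachability matrix over host pairs and flow classes is identical before and after. The topology, the host-to-switch attachment, the ACL lines and the supported ACL subset are all assumptions; how the paper itself places destination-based rules and optimizes flow-table entries is not reproduced here.

```python
"""Added example (not the paper's POX application): compile one Extended Cisco ACL,
enforced today at a single choke point, into per-switch OpenFlow-style tables and
check that the host reachability matrix is preserved."""
import ipaddress
import itertools
from collections import namedtuple

# action "permit"/"deny"; proto "ip"/"tcp"/"udp"/"icmp"; src/dst IPv4Network; dport int or None
Rule = namedtuple("Rule", "action proto src dst dport")

def _addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)   # Cisco wildcard -> netmask
    return ipaddress.IPv4Network(f"{tok}/{netmask}", strict=False)

def parse_acl(lines):
    """Assumed subset of numbered extended ACL syntax: a numeric 'eq' port may
    follow the destination only; remark lines are skipped; no other keywords."""
    rules = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto, tokens = tokens[2], tokens[3], tokens[4:]
        src, dst = _addr(tokens), _addr(tokens)
        dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
        rules.append(Rule(action, proto, src, dst, dport))
    return rules

def _hit(proto_spec, dst_net, dport_spec, dst, proto, dport):
    return ((proto_spec == "ip" or proto_spec == proto) and dst in dst_net
            and (dport_spec is None or dport_spec == dport))

def firewall_decision(rules, src, dst, proto, dport):
    """Legacy choke point: Cisco first-match order plus the implicit final deny."""
    for r in rules:
        if src in r.src and _hit(r.proto, r.dst, r.dport, dst, proto, dport):
            return r.action
    return "deny"

def compile_to_switches(rules, attachment):
    """attachment: {host_ip: access_switch}. Each host gets, at its own access switch,
    only the ACL lines its address can match, in original order and with the source
    resolved (filtering next to the source). Priority falls down the slice so a
    priority-ordered OpenFlow table reproduces first-match; table-miss == drop."""
    tables = {sw: [] for sw in set(attachment.values())}
    for host, sw in attachment.items():
        slice_ = [r for r in rules if ipaddress.IPv4Address(host) in r.src]
        for prio, r in zip(range(len(slice_), 0, -1), slice_):
            tables[sw].append({"priority": prio,
                               "match": {"ipv4_src": host, "ipv4_dst": str(r.dst),
                                         "ip_proto": r.proto, "tp_dst": r.dport},
                               "action": "forward" if r.action == "permit" else "drop"})
    return tables

def sdn_decision(tables, attachment, src, dst, proto, dport):
    """What the ingress switch's table does with a packet from src."""
    for e in sorted(tables[attachment[str(src)]], key=lambda e: -e["priority"]):
        m = e["match"]
        if m["ipv4_src"] == str(src) and _hit(m["ip_proto"], ipaddress.IPv4Network(m["ipv4_dst"]),
                                              m["tp_dst"], dst, proto, dport):
            return "permit" if e["action"] == "forward" else "deny"
    return "deny"

def reachability(decide, hosts, flows):
    """Matrix over ordered host pairs and (proto, dport) flow classes."""
    return {(s, d, p, port): decide(ipaddress.IPv4Address(s), ipaddress.IPv4Address(d), p, port)
            for s, d in itertools.permutations(hosts, 2) for p, port in flows}

# Constructed sample input (assumption): four hosts on three switches, one legacy ACL.
ACL = [
    "access-list 101 permit tcp host 10.0.0.1 host 10.0.0.3 eq 80",
    "access-list 101 deny ip host 10.0.0.2 any",
    "access-list 101 permit ip 10.0.0.0 0.0.0.255 host 10.0.0.3",
    "access-list 101 permit udp any 10.0.0.0 0.0.0.255 eq 53",
]
ATTACHMENT = {"10.0.0.1": "s1", "10.0.0.2": "s1", "10.0.0.3": "s2", "10.0.0.4": "s3"}
FLOWS = [("tcp", 80), ("tcp", 22), ("udp", 53)]

def check_migration(acl=ACL, attachment=ATTACHMENT, flows=FLOWS):
    """Returns (matrices_equal, legacy_matrix, flow_entries_per_switch)."""
    rules = parse_acl(acl)
    tables = compile_to_switches(rules, attachment)
    hosts = list(attachment)
    before = reachability(lambda *a: firewall_decision(rules, *a), hosts, flows)
    after = reachability(lambda *a: sdn_decision(tables, attachment, *a), hosts, flows)
    return before == after, before, {sw: len(t) for sw, t in sorted(tables.items())}

if __name__ == "__main__":
    ok, _, sizes = check_migration()
    print("reachability preserved:", ok, "| flow entries per switch:", sizes)
```

On this input the four central ACL lines become six entries on s1 (two hosts hang off it) and two entries each on s2 and s3, because lines that can never match a switch's own hosts are simply not installed there; the equality of the two matrices is the property the abstract calls preserving the reachability matrix. Only source-based slicing is shown; splitting a single first-match list between an ingress and an egress switch needs extra care with interleaved permit and deny lines, which is exactly the flow-table optimization the paper leaves for further work.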
Pages: 85-97
References

  1. Wool A. Trends in Firewall Configuration Errors: Measuring the Holes in Swiss Cheese // IEEE Internet Computing. 2010. V. 14. P. 58-65.
  2. Al-Shaer E., Hamed H. Modeling and Management of Firewall Policies // IEEE eTransactions on Network and Service Management. April 2004. V. 1. № 1.
  3. Al-Shaer E., Hamed H., Boutaba R. et al. Conflict Classification and Analysis of Distributed Firewall Policies // IEEE Journal on Selected Areas in Communications. October 2005. V. 23. № 10.
  4. Johnson D.S. Near-Optimal Bin Packing Algorithms. Massachusetts Institute of Technology, Dept. of Mathematics. 1973.
  5. Extended Cisco ACL syntax. URL: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
  6. Hazelhurst S. Algorithms for Analyzing Firewall and Router Access Lists // Technical Report TR-WitsCS-1999. Department of Computer Science, University of the Witwatersrand. July 1999.
  7. Hari B., Suri S., Parulkar G. Detecting and Resolving Packet Filter Conflicts // Proc. of IEEE INFOCOM 2000. March 2000.
  8. Srinivasan V., Suri S., Varghese G. Packet Classification Using Tuple Space Search // ACM SIGCOMM Computer Communication Review. October 1999.
  9. Eppstein D., Muthukrishnan S. Internet Packet Filter Management and Rectangle Geometry // Proc. of the 12th Annual ACM-SIAM Symposium on Discrete Algorithms (SODA). January 2001.
  10. Gouda M., Liu A. Firewall Design: Consistency, Completeness, and Compactness // Proc. of the 24th IEEE International Conference on Distributed Computing Systems. Tokyo, Japan. March 2004. P. 320-327.
  11. Mayer A., Wool A., Ziskind E. Fang: A Firewall Analysis Engine // Proc. of the 2000 IEEE Symposium on Security and Privacy (S&P 2000). May 2000. P. 177.
  12. Bartal Y., Mayer A., Nissim K. et al. Firmato: A Novel Firewall Management Toolkit // ACM Transactions on Computer Systems. November 2004. V. 22. № 4. P. 381-420.
  13. Yuan L., Mai J., Su Z., Chen H. et al. FIREMAN: A Toolkit for Firewall Modeling and Analysis // Proc. of the IEEE Symposium on Security and Privacy. May 2006.
  14. Tapdiya A. Firewall Policy Optimization and Management. Master's thesis, Wake Forest University, Computer Science Department. 2008.
  15. Guttman J. Filtering Posture: Local Enforcement for Global Policies // Proc. of the 1997 IEEE Symposium on Security and Privacy. May 1997.
  16. Xie G.G., Zhan J., Maltz D.A. et al. On Static Reachability Analysis of IP Networks // INFOCOM '05: Proc. of the 24th Annual Joint Conference of the IEEE Computer and Communications Societies. Miami, USA. 2005. P. 2170-2183.
  17. Bandhakavi S., Bhatt S., Okita C., Rao P. Analyzing End-to-End Network Reachability // IM '09: Proc. of the 11th IFIP/IEEE International Symposium on Integrated Network Management. Long Island, USA. 2009. P. 585-590.
  18. Khakpour A.R., Liu A.X. Quantifying and Querying Network Reachability // ICDCS '10: Proc. of the 30th IEEE International Conference on Distributed Computing Systems. Genoa, Italy. 2010. P. 817-826.
  19. Chen F., Bruhadeshwar B., Liu A.X. A Cross-Domain Privacy-Preserving Protocol for Cooperative Firewall Optimization // INFOCOM '11: Proc. of the 30th IEEE International Conference on Computer Communications. Shanghai, China. 2011. P. 2903-2911.
  20. SNAC. URL: http://www.openflow.org/wp/snac/
  21. Fulp E.W. Optimization of Network Firewall Policies using Directed Acyclical Graphs // Proc. of the IEEE Internet Management Conference. 2005.
  22. Tapdiya A., Fulp E.W. Towards Optimal Firewall Rule Ordering Utilizing Directed Acyclical Graphs // Proc. of the 18th International Conference on. August 2009.
  23. Al-Shaer E., El-Alfy M., Selim S.Z. Dynamic Rule-ordering Optimization for High-speed Firewall Filtering // Proc. of the IEEE International Conference on Computer Systems and Applications. 2007.
  24. OpenBSD Packet Filter (PF). URL: http://www.openbsd.org/faq/pf/
  25. POX. URL: http://www.noxrepo.org/pox/about-pox/
  26. NEC ProgrammableFlow Switch PF5820. URL: http://www.nec.com/en/global/prod/pflow/images_documents/ProgrammableFlow_Switch_PF5820.pdf