The Software Defined Networking (SDN) paradigm decouples the logic module from the forwarding module on traditional network devices, bringing a wave of innovation to computer networks. Firewalls, as well as other security appliances, can largely benefit from this novel paradigm. Firewalls can be easily implemented by using the default OpenFlow rules, but the logic must reside in the control plane because of the dynamic nature of their rules, which cannot be handled by data plane devices. This leads to a non-negligible overhead in the communication channel between layers, as well as introducing an additional computational load on the control plane. To address the above limitations, we propose the architectural design of FORTRESS: a stateful firewall for SDN networks that leverages the stateful data plane architecture to move the logic of the firewall from the control plane to the data plane. FORTRESS can be implemented according to two different architectural designs, Stand-Alone and Cooperative, each one with its own peculiar advantages. We compare FORTRESS against FlowTracker, the state-of-the-art solution for SDN firewalling, and show how our solution outperforms the competitor in terms of the number of packets exchanged between the control plane and the data plane: we require 0 packets for the Stand-Alone architecture and just 4 for the Cooperative one. Moreover, we discuss how the adaptability, elegant and modular design, and portability of FORTRESS contribute to making it the ideal candidate for SDN firewalling. Finally, we also provide further research directions.
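The abstract's central point is where stateful firewall logic lives and what that costs on the control channel. The following model, added here as an illustration and not code from the FORTRESS paper or from FlowTracker, runs one constructed packet trace through two toy switches: a reactive OpenFlow switch whose stateless flow table must consult a controller on every table miss (each packet-in and flow-mod counted as one control-channel message), and a stateful data plane switch that keeps a per-connection state table and performs the state transition on the data path itself. The trusted address range, the policy (inside hosts may open TCP connections outward; inbound packets are accepted only for connections an inside host initiated) and the trace are assumptions chosen for the example; the simplified state machine is a generic illustration, not the paper's own design.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

INSIDE = ip_network("10.0.0.0/24")  # assumed trusted side of the firewall (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True for a TCP segment that opens a connection


Match = Tuple[str, str, int, int]                   # directional 4-tuple used by flow entries
ConnKey = Tuple[Tuple[str, int], Tuple[str, int]]   # direction-independent connection key


def match(p: Packet) -> Match:
    return (p.src, p.dst, p.sport, p.dport)


def conn_key(p: Packet) -> ConnKey:
    """Same key for request and reply so both directions map to one connection."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def from_inside(p: Packet) -> bool:
    return ip_address(p.src) in INSIDE


class ControllerFirewall:
    """Stateful logic kept in the control plane (the conventional OpenFlow design)."""

    def __init__(self) -> None:
        self.established: set = set()

    def decide(self, p: Packet) -> Tuple[str, List[Tuple[Match, str]]]:
        """Return the verdict and the flow-mods the switch must install."""
        if from_inside(p):
            if p.syn:
                self.established.add(conn_key(p))
            reverse = (p.dst, p.src, p.dport, p.sport)
            return "allow", [(match(p), "allow"), (reverse, "allow")]
        if conn_key(p) in self.established:
            return "allow", [(match(p), "allow")]
        return "drop", [(match(p), "drop")]


class ReactiveOpenFlowSwitch:
    """Stateless match/action table; every table miss costs a round trip to the controller."""

    def __init__(self, controller: ControllerFirewall) -> None:
        self.controller = controller
        self.table: Dict[Match, str] = {}
        self.control_messages = 0

    def handle(self, p: Packet) -> str:
        hit = self.table.get(match(p))
        if hit is not None:
            return hit
        self.control_messages += 1          # packet-in sent to the controller
        verdict, flow_mods = self.controller.decide(p)
        for m, action in flow_mods:
            self.table[m] = action
            self.control_messages += 1      # one flow-mod per installed entry
        return verdict


class StatefulDataPlaneSwitch:
    """Per-connection state kept and updated on the data path; the controller is never consulted."""

    def __init__(self) -> None:
        self.state: Dict[ConnKey, str] = {}
        self.control_messages = 0           # stays 0 by construction

    def handle(self, p: Packet) -> str:
        key = conn_key(p)
        if from_inside(p):
            if p.syn:
                self.state[key] = "ESTABLISHED"   # state transition performed in the switch
            return "allow"
        return "allow" if self.state.get(key) == "ESTABLISHED" else "drop"


# Constructed trace: one outbound connection (SYN, SYN-ACK, ACK) plus two unsolicited inbound probes
TRACE = [
    Packet("10.0.0.5", "203.0.113.10", 40000, 443, syn=True),
    Packet("203.0.113.10", "10.0.0.5", 443, 40000),
    Packet("10.0.0.5", "203.0.113.10", 40000, 443),
    Packet("198.51.100.7", "10.0.0.5", 5555, 22),
    Packet("198.51.100.7", "10.0.0.5", 5555, 22),
]


def run(trace: List[Packet]) -> Dict[str, Tuple[List[str], int]]:
    """Run both switch models over the trace; return per-packet verdicts and control-channel message counts."""
    reactive = ReactiveOpenFlowSwitch(ControllerFirewall())
    stateful = StatefulDataPlaneSwitch()
    return {
        "reactive": ([reactive.handle(p) for p in trace], reactive.control_messages),
        "stateful": ([stateful.handle(p) for p in trace], stateful.control_messages),
    }


if __name__ == "__main__":
    for name, (verdicts, msgs) in run(TRACE).items():
        print(f"{name:9s} verdicts={verdicts} control_messages={msgs}")
```

Both models reach the same verdicts on the trace, but the reactive design spends five control-channel messages (two packet-ins plus three flow-mods) on only two new connections, and the count grows with every new flow, whereas the stateful data plane design needs none. The model ignores connection teardown and timeouts; in a real deployment the state table would need an expiry policy or it becomes a resource-exhaustion target.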