Submitted on 2025-02-26, 07:47 and posted on 2025-02-26, 07:49. Authored by Sura Takiddin.
Software-defined networking (SDN) is an emerging paradigm that decouples the control and data planes. A centralized programmable controller manages the network through software applications. By leveraging global network visibility, SDN overcomes many limitations of traditional networks. However, involving the controller in every stateful processing step and every rule update is problematic: it places an additional computational burden on the controller and adds considerable overhead on the communication channel between the control and data planes. To address these limitations, the stateful data plane architecture was proposed to explore shifting some control tasks and stateful rules back to the switch. Leveraging the stateful data plane concept, this study aims to reduce the switch-to-controller packet exchange by implementing a distributed stateful firewall that resides entirely in the data plane. This firewall should extend the OpenFlow switch so that it can recognize the sessions of multiple protocols. Consequently, the switch drops illicit packets and allows legitimate ones without interacting with the controller.
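The following sketch is an added illustration, not code from the thesis: it models a switch that decides allow or drop purely from a local per-flow state table, with no controller round trip. The state names, the "only the inside host may open a session" policy, the `Pkt` fields and the sample addresses are assumptions made for the example.

```python
from collections import namedtuple

# Constructed packet model: 'inside' marks packets arriving on the trusted port.
Pkt = namedtuple("Pkt", "src sport dst dport proto flags inside")

# TCP handshake transitions: (state, from_inside, flags) -> next state
TCP_FSM = {
    ("NONE", True, "SYN"): "SYN_SENT",
    ("SYN_SENT", False, "SYN+ACK"): "SYN_RCVD",
    ("SYN_RCVD", True, "ACK"): "ESTABLISHED",
}

class StatefulSwitch:
    def __init__(self):
        self.table = {}  # per-flow session state held in the switch itself

    @staticmethod
    def flow_key(p):
        # Same key for both directions: (proto, inside endpoint, outside endpoint)
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto, a, b) if p.inside else (p.proto, b, a)

    def process(self, p):
        key = self.flow_key(p)
        state = self.table.get(key, "NONE")
        if p.proto == "udp":
            if p.inside:
                self.table[key] = "UDP_OPEN"  # outbound datagram opens the session
                return "allow"
            return "allow" if state == "UDP_OPEN" else "drop"
        if state == "ESTABLISHED" and p.flags in ("ACK", "FIN", "RST"):
            if p.flags != "ACK":
                del self.table[key]           # simplified teardown on FIN/RST
            return "allow"
        nxt = TCP_FSM.get((state, p.inside, p.flags))
        if nxt is None:
            return "drop"                     # packet does not fit the session state
        self.table[key] = nxt
        return "allow"

def demo():
    c, s = ("10.0.0.5", 40000), ("203.0.113.9", 80)  # constructed endpoints
    trace = [(False, "tcp", "SYN+ACK"), (True, "tcp", "SYN"), (False, "tcp", "SYN+ACK"),
             (True, "tcp", "ACK"), (False, "tcp", "FIN"), (False, "tcp", "ACK"),
             (False, "udp", ""), (True, "udp", ""), (False, "udp", "")]
    sw = StatefulSwitch()
    return [sw.process(Pkt(*(c + s if i else s + c), proto, fl, i)) for i, proto, fl in trace]
```
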