2014 Conference on Information Assurance and Cyber Security (CIACS)

A Layer2 Firewall for Software Defined Network


(Short Paper)
Tariq Javid, Tehseen Riaz, Asad Rasheed
Department of Electrical Engineering
Heavy Industries Taxila Education City (HITEC) University
Taxila Cantt-47070, Pakistan
Email: tariq.javid@hitecuni.edu.pk

Abstract—The software defined networking is an emerging three layer architecture which defines data, control, and application planes. Data and control planes implement forwarding and routing functions, respectively. The application plane contains communicating processes. This paper presents a layer2 firewall implementation using an example tree topology with one controller, three switches, and four hosts. Our implementation uses the POX controller at the control plane of the architecture. The modified code successfully controlled the flow of packets between hosts according to firewall rules.

Keywords—Firewall; SDN; POX; Mininet; OpenFlow

I. INTRODUCTION

Software Defined Network (SDN) architecture separates the data and control planes that are bundled inside a vendor-locked router. It aims to provide open interfaces which enable software development to control connectivity between network resources and the flow of traffic [1]. The benefits of this approach are centralized configuration of network devices across an organization's computer network, less network traffic, reduced computation at the router, network scalability, and ease of experimentation. Replacement of a network device in a well-organized and planned computer network is a cumbersome task. With this architecture, replacement or upgrade is easy as configuration settings are applied from a central place. The architecture shifts the role of network configuration and operations to a more software-centric approach. This further reduces the number of errors caused by the human operator.

Fig. 1. An ideal OpenFlow switch [3].

The SDN architecture has emerged as a use case of network virtualization and is a result of many research efforts towards programmable networking [2]. Two important milestones in the development of this architecture are OpenFlow [3] and NOX [4]. OpenFlow provides an open switch specification as shown in Fig. 1. The switch consists of three parts: flow table, secure channel, and OpenFlow protocol. NOX is an SDN controller written in C++. The components of a NOX-based network are OpenFlow switches, controller process, and database, see Fig. 2. Applications make decisions based on the network view. POX is a Python-based implementation of the NOX controller which provides an excellent platform for education and research.

Fig. 2. Components of a NOX-based network [4].

A firewall allows or rejects a specific type of information. It may be an application, a service, or a device. Implementation of a firewall and intrusion detection is a mandatory part of an effective information security program. This study focuses on layer2 firewall implementation by modifying code provided with the POX controller. We use a tree topology with one controller, three switches, and four hosts for experimentation in a virtual environment.

The outline of this paper is as follows. In Section II, we describe our experimental setup and give details of the hub, layer2 learning switch, and layer3 learning switch implementations provided in the POX controller. We create simplified flowcharts for these devices from the Python code and modify the flowchart in Section III to implement the firewall in the layer2 learning switch and layer3 learning switch. Experimental results are shown in Section IV. The paper concludes in Section V with future directions.

978-1-4799-5852-8/14/$31.00 ©2014 IEEE
II. EXPERIMENTAL SETUP

Our experimental setup was based on study [5] which used Mininet, an emulator for rapid prototyping of SDN. Mininet creates virtual networks as shown in Fig. 3. It creates host processes, network namespaces, and virtual connections. We used Oracle VirtualBox for virtualization. The setup screenshots and example topology used in this study are shown in Fig. 4. The virtual network is a tree topology with one controller, three switches, and four hosts. The controller is labeled c0, switches are labeled s0, s1, and s2, and hosts are labeled h0, h1, h2, and h3. All devices are connected by links which are labeled as well.

Fig. 3. Mininet Virtual Network [5].

The POX controller comes with three network devices which are hub, layer2 learning switch, and layer3 learning switch. We used Xming X Server for Windows and the PuTTY SSH client to establish remote connections to virtual hosts. This open-source software provided us enough flexibility to learn POX controller functionality, make modifications in code, and perform experiments.

III. FLOW CHARTS

We created simple flowcharts from the Python code in the POX controller corresponding to hub, layer2 learning switch, and layer3 learning switch, see Fig. 5. When the POX controller is used as a hub, it floods every received packet to all ports except the incoming port. In the case of the layer2 learning switch, the simplified controller function is as follows. For each packet from the switch: (1) use the source MAC address and incoming switch port to update the address/port table, (2) install a flow table entry in the switch, and (3) send the packet out the appropriate port. In the case of the layer3 learning switch, the source IP address is used instead of the MAC address.

We used the following command on the Mininet virtual machine to initialize the second ethernet interface:

$ sudo dhclient eth1

To establish an SSH connection with the Mininet virtual machine, Xming X Server and PuTTY were used with X11 forwarding enabled. We used two remote connections: one for Mininet and the other to use the POX controller. To create our example tree topology in Fig. 4, we used the following command:

$ sudo mn --topo tree,2 --mac --switch ovsk --controller remote

The command set up the virtual network with four hosts and three switches, automatically set the host MAC addresses, and configured the OpenFlow switches to connect to the remote controller.

The modified flowchart to implement the firewall at layer2 and layer3 appears in Fig. 6. In this figure, the header information in the received packet (frame in the case of the layer2 learning switch and datagram in the case of the layer3 learning switch) is checked against the firewall rules. The packet is either rejected or allowed based on the firewall rule condition. In this study, we experimented with three devices to learn the POX controller. However, our firewall implementation focused on the layer2 learning switch.

Fig. 4. Mininet virtual network creation (top) and topology (bottom).

Initial experiments were completed to learn and confirm POX controller functionality with the Mininet example virtual network. To complete this task, we used two SSH connections using PuTTY from the host machine. One session was used to create the example topology with the command specified earlier, whereas the other session was used to execute the POX controller with the following commands in the pox directory:

$ ./pox.py forwarding.hub
$ ./pox.py forwarding.l2_learning
$ ./pox.py forwarding.l3_learning

Fig. 5. Simplified flowcharts: (from left to right) hub, layer2 learning switch, and layer3 learning switch.

TABLE I. RECORD OF MAC AND IP ADDRESSES FOR EXAMPLE TREE TOPOLOGY.

Net Node   MAC Address         IP Address       Switch:Port
c0         08:00:27:f5:78:e9   192.168.56.101   c0:1
s1-eth1    random              not configured   s1:1
s1-eth2    random              not configured   s1:2
s2-eth1    random              not configured   s2:1
s2-eth2    random              not configured   s2:2
s2-eth3    random              not configured   s2:3
s3-eth1    random              not configured   s3:1
s3-eth2    random              not configured   s3:2
s3-eth3    random              not configured   s3:3
host1      00:00:00:00:00:01   10.0.0.1         s2:1
host2      00:00:00:00:00:02   10.0.0.2         s2:2
host3      00:00:00:00:00:03   10.0.0.3         s3:1
host4      00:00:00:00:00:04   10.0.0.4         s3:2

Fig. 6. Updated flowchart for firewall implementation.

IV. RESULTS

Initially, we implemented modified code for the layer2 learning switch learned from the Coursera course titled "Software Defined Networking" [6]. The code installed firewall entries and worked for the example used in that course. However, when it was tried, it failed for our example tree topology in Fig. 4. We used the Wireshark network protocol analyzer to troubleshoot and found that ARP queries were failing. We fixed it by adding rules to all three switches. The resulting code implemented the firewall in the layer2 learning switch as per the flowchart in Fig. 6.

We used the following command to access hosts, switches, and controller at the mininet prompt:

$ xterm c0 s1 s2 s3 h1 h2 h3 h4

At each terminal we recorded the MAC and IP addresses of each host in Table I. This information was recorded during initial exploration by using the ifconfig utility at the individual hosts and the controller. This information can also be obtained from the mininet prompt. In this table, port numbers were learned by observing logged information during experiments based on ICMP echo and reply. We learned the entries installed by the POX controller in the layer2 and layer3 switches.

We conducted a number of experiments in which our implemented firewall code for the layer2 learning switch showed successful network traffic control. We selected a case in which hosts h1 and h4 were allowed to communicate with each other, whereas all other communications were blocked, see Fig. 7. When the POX controller was invoked, firewall rules were installed in the switches. The logging level was set by using log.level --DEBUG. In this figure, the pingall command at the Mininet prompt showed PING reachability between hosts h1 and h4 only. A number of other scenarios were tested using the experimental setup with successful results.
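The following Python model is an added example, not code from the paper and not POX itself. It exercises the three layer2 learning switch steps of Section III together with the firewall check of Fig. 6 on the tree topology of Fig. 4, and reproduces the finding above that the rule check has to run on all three switches. Host MACs and switch ports follow Table I; the uplink ports s2:3 and s3:3, the names FirewallSwitch, TreeNetwork, ping and pingall, and the handling of broadcast ARP requests (a broadcast is allowed only when the sender has at least one permitted peer) are assumptions of this example. With rules on s1, s2 and s3 only h1 and h4 can ping each other; with rules on the root switch s1 alone, hosts on the same leaf switch still reach each other because their frames never pass through s1.

```python
"""Layer2 learning switch with the firewall check of Fig. 6 on the tree of Fig. 4.
Added example, not the paper's code and not POX.  Host MACs and ports follow
Table I; uplink ports s2:3/s3:3 and broadcast handling are assumptions."""
from collections import namedtuple

# Constructed layer2 header: only the fields the Fig. 6 decision looks at.
Frame = namedtuple("Frame", "src dst ethertype")
ETH_ARP, ETH_IP = 0x0806, 0x0800
BROADCAST = "ff:ff:ff:ff:ff:ff"
H1, H2 = "00:00:00:00:00:01", "00:00:00:00:00:02"   # Table I host MACs
H3, H4 = "00:00:00:00:00:03", "00:00:00:00:00:04"
HOSTS = {"h1": H1, "h2": H2, "h3": H3, "h4": H4}


class FirewallSwitch:
    """Controller state for one switch: MAC table, flow table, rule set.
    In POX this logic lives in the PacketIn handler of forwarding.l2_learning."""

    def __init__(self, allowed_pairs, enforce=True):
        self.enforce = enforce            # False: plain l2 learning switch
        self.allowed = {frozenset(p) for p in allowed_pairs}
        self.mac_to_port = {}             # learned MAC -> switch port
        self.flow_table = {}              # installed (src, dst) -> out port

    def permitted(self, frame):
        """Firewall rule check of Fig. 6.  Assumption: a broadcast (ARP request)
        is allowed only when the sender has at least one permitted peer."""
        if not self.enforce:
            return True
        if frame.dst == BROADCAST:
            return any(frame.src in pair for pair in self.allowed)
        return frozenset((frame.src, frame.dst)) in self.allowed

    def packet_in(self, in_port, frame):
        """Return an output port, "FLOOD", or None when the frame is dropped."""
        self.mac_to_port[frame.src] = in_port          # (1) learn src/port
        if not self.permitted(frame):
            return None                                # rejected by rule
        out = self.mac_to_port.get(frame.dst)
        if out is None:
            return "FLOOD"                             # unknown dst: flood
        if out == in_port:
            return None                                # never send back out the input port
        self.flow_table[(frame.src, frame.dst)] = out  # (2) install flow entry
        return out                                     # (3) output port


class TreeNetwork:
    """Tree of Fig. 4: s1 above s2 (h1, h2) and s3 (h3, h4)."""

    def __init__(self, allowed_pairs, enforcing=("s1", "s2", "s3")):
        self.switches = {n: FirewallSwitch(allowed_pairs, n in enforcing)
                         for n in ("s1", "s2", "s3")}
        # (switch, port) -> host MAC or (peer switch, peer port); uplinks assumed
        self.links = {("s1", 1): ("s2", 3), ("s2", 3): ("s1", 1),
                      ("s1", 2): ("s3", 3), ("s3", 3): ("s1", 2),
                      ("s2", 1): H1, ("s2", 2): H2, ("s3", 1): H3, ("s3", 2): H4}
        self.attach = {m: sp for sp, m in self.links.items() if isinstance(m, str)}

    def send(self, frame):
        """Inject a frame at its source host; return the set of MACs that got it."""
        received = set()
        sw, port = self.attach[frame.src]
        self._packet_in(sw, port, frame, received)
        return received

    def _packet_in(self, sw, in_port, frame, received):
        decision = self.switches[sw].packet_in(in_port, frame)
        if decision is None:
            return
        if decision == "FLOOD":
            ports = [p for (s, p) in self.links if s == sw and p != in_port]
        else:
            ports = [decision]
        for p in ports:
            peer = self.links[(sw, p)]
            if isinstance(peer, str):
                received.add(peer)                     # delivered to a host
            else:
                self._packet_in(peer[0], peer[1], frame, received)


def ping(net, src_mac, dst_mac):
    """ARP request/reply followed by ICMP echo/reply, as in the experiments."""
    if dst_mac not in net.send(Frame(src_mac, BROADCAST, ETH_ARP)):
        return False
    if src_mac not in net.send(Frame(dst_mac, src_mac, ETH_ARP)):
        return False
    return (dst_mac in net.send(Frame(src_mac, dst_mac, ETH_IP)) and
            src_mac in net.send(Frame(dst_mac, src_mac, ETH_IP)))


def pingall(net):
    """Set of (src, dst) host names that can ping, like Mininet's pingall."""
    names = sorted(HOSTS)
    return {(a, b) for a in names for b in names if a != b and ping(net, HOSTS[a], HOSTS[b])}


if __name__ == "__main__":
    print("rules on s1, s2, s3:", sorted(pingall(TreeNetwork([(H1, H4)]))))
    print("rules on s1 only:   ", sorted(pingall(TreeNetwork([(H1, H4)], ("s1",)))))
```

After a run, TreeNetwork(...).switches["s2"].flow_table holds the (src, dst) to port entries the simulated controller installed, analogous to the entries logged with log.level --DEBUG during the experiments; comparing the two pingall outputs shows why a rule set installed on the root switch alone leaves same-switch pairs such as h1 and h2 unfiltered.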

V. CONCLUSION

We have successfully implemented a layer2 firewall by modifying the layer2 learning switch code in the POX controller, at the control plane of the emerging SDN architecture. A simplified flowchart was developed for the firewall functionality. Traffic through the example tree topology network was controlled successfully by the configured firewall rules. The results have shown extended functionality. In future, we will implement a firewall for the layer3 learning switch on a similar pattern as outlined in [7], however with a different topology, and work toward development of an intrusion detection system.

Acknowledgment

The authors would like to thank the Coursera education platform and Dr. Nick Feamster, Associate Professor, Georgia Tech. The first author was honored to attend the online course titled "Software Defined Networking" and received a statement of accomplishment in 2013.

Fig. 7. Demonstration of layer2 firewall implementation, rules installed in three switches of tree topology in Fig. 4 and allowed communication between host h1 and host h4.

References

[1] ONF, "SDN architecture overview version 1.0," Open Networking Foundation, December 2013.
[2] N. Feamster, J. Rexford, and E. Zegura, “The road to SDN,” Queue,
vol. 11, no. 12, p. 20, 2013.
[3] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L.
Peterson, J. Rexford, S. Shenker, and J. Turner, “OpenFlow:
enabling innovation in campus networks,” ACM SIGCOMM
Computer Communication Review, vol. 38, no. 2, pp. 69–74, 2008.
[4] N. Gude, T. Koponen, J. Pettit, B. Pfaff, M. Casado, N. McKeown,
and S. Shenker, “NOX: towards an operating system for
networks,” ACM SIGCOMM Computer Communication Review,
vol. 38, no. 3, pp. 105– 110, 2008.
[5] B. Lantz, B. Heller, and N. McKeown, “A network in a laptop: rapid
prototyping for software-defined networks,” in Proceedings of the 9th
ACM SIGCOMM Workshop on Hot Topics in Networks. ACM,
2010, p. 19.
[6] N. Feamster, “Software defined networking,” Coursera, 2013.
[Online]. Available: https://class.coursera.org/sdn-001
[7] M. Suh, S. H. Park, B. Lee, and S. Yang, “Building firewall over the
software-defined network controller,” in Advanced Communication
Technology (ICACT), 2014 16th International Conference on, Feb
2014, pp. 744–748.
