I. INTRODUCTION
Fig. 1. An ideal Openflow switch [3].
The Software Defined Network (SDN) architecture separates the data and control planes that are bundled inside a vendor-locked router. It aims to provide open interfaces which enable software development to control connectivity between network resources and the flow of traffic [1]. The benefits of this approach are centralized configuration of network devices across an organization's computer network, less network traffic, reduced computation at the router, network scalability, and ease of experimentation. Replacement of a network device in a well-organized and planned computer network is a cumbersome task. With this architecture, replacement or upgrade is easy because configuration settings are applied from a central place. The architecture shifts the role of network configuration and operations to a more software-centric approach. This further reduces the number of errors caused by the human operator.
Fig. 2. Components of a NOX-based network [4].
The SDN architecture has emerged as a use case of network virtualization and is the result of many research efforts towards programmable networking [2]. Two important milestones in the development of this architecture are OpenFlow [3] and NOX [4]. OpenFlow provides an open switch specification, as shown in Fig. 1. The switch consists of three parts: a flow table, a secure channel, and the OpenFlow protocol. NOX is an SDN controller written in C++. The components of a NOX-based network are OpenFlow switches, a controller process, and a database; see Fig. 2. Applications make decisions based on the network view. POX is a Python-based implementation of the NOX controller which provides an excellent platform for education and research.

A firewall allows or rejects a specific type of information. It may be an application, a service, or a device. Implementation of a firewall and intrusion detection is a mandatory part of an effective information security program. This study focuses on a layer2 firewall implementation obtained by modifying code provided with the POX controller. We use a tree topology with one controller, three switches, and four hosts for experimentation in a virtual environment.

The outline of this paper is as follows. In Section II, we describe our experimental setup and give details of the hub, layer2 learning switch, and layer3 learning switch implementations provided in the POX controller. We create simplified flowcharts for these devices from the Python code and, in Section III, modify the flowchart to implement a firewall in the layer2 learning switch and layer3 learning switch. Experimental results are shown in Section IV. The paper concludes in Section V with future directions.
978-1-4799-5852-8/14/$31.00 ©2014 IEEE
II. EXPERIMENTAL SETUP
Our experimental setup was based on study [5], which used Mininet – an emulator for rapid prototyping of SDN. Mininet creates virtual networks as shown in Fig. 3. It creates host processes, network namespaces, and virtual connections. We used Oracle VirtualBox for virtualization. The setup screenshots and the example topology used in this study are shown in Fig. 4. The virtual network is a tree topology with one controller, three switches, and four hosts. The controller is labeled c0, the switches are labeled s0, s1, and s2, and the hosts are labeled h0, h1, h2, and h3. All devices are connected by links, which are labeled as well.

The POX controller comes with three network devices: a hub, a layer2 learning switch, and a layer3 learning switch. We used Xming X Server for Windows and the PuTTY SSH client to establish remote connections to the virtual hosts. These open-source tools gave us enough flexibility to learn the POX controller functionality, modify its code, and perform experiments.
Fig. 3. Mininet Virtual Network [5].
Fig. 5. Simplified flowcharts: (from left to right) hub, layer2 learning switch, and layer3 learning switch.
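As an added illustration (not the paper's code and not POX's own API), the following Python models the layer2 learning switch decision path sketched in Fig. 5 and inserts the firewall step this paper adds to it: a blocklist of MAC-address pairs consulted before any forwarding decision. The switch ids, port numbers and MAC addresses are constructed for the example.

```python
# Added example, not the paper's code: a pure-Python model of the POX
# layer2 learning switch decision path, extended with a MAC-pair blocklist
# as a layer2 firewall. POX is not imported; switch ids, ports and MAC
# addresses below are constructed for the example.
FLOOD = "flood"
DROP = "drop"


class L2LearningFirewall:
    """Per-switch MAC learning plus a layer2 firewall blocklist."""

    def __init__(self, blocked_pairs=()):
        # A rule is an unordered MAC pair, so it blocks both directions of
        # a conversation (an assumption of this example, not of the paper).
        self.blocked = {frozenset(p) for p in blocked_pairs}
        self.mac_tables = {}  # switch id -> {mac: port}

    def handle_packet(self, dpid, in_port, src_mac, dst_mac):
        """Decide one PacketIn: return DROP, FLOOD, or an output port."""
        table = self.mac_tables.setdefault(dpid, {})
        # Learning switch step: remember that src_mac is reached via in_port.
        table[src_mac] = in_port
        # Firewall step, taken before any forwarding decision so that a
        # blocked pair never has a flow entry installed on the switch.
        if frozenset((src_mac, dst_mac)) in self.blocked:
            return DROP
        # Unknown (or broadcast) destination: flood out all other ports.
        if dst_mac not in table:
            return FLOOD
        out_port = table[dst_mac]
        # Never send a frame back out of the port it arrived on.
        if out_port == in_port:
            return DROP
        return out_port


def demo():
    """Constructed scenario: h0 and h1 on switch s1 ports 1 and 2, uplink
    port 3; one rule blocks h0 <-> h1. Returns the five controller decisions."""
    H0, H1, H2 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
    fw = L2LearningFirewall(blocked_pairs=[(H0, H1)])
    return [
        fw.handle_packet("s1", 1, H0, H2),  # h2 unknown -> FLOOD
        fw.handle_packet("s1", 3, H2, H0),  # h0 learned on port 1 -> 1
        fw.handle_packet("s1", 1, H0, H1),  # blocked pair -> DROP
        fw.handle_packet("s1", 2, H1, H0),  # blocked in reverse too -> DROP
        fw.handle_packet("s1", 2, H1, H2),  # h2 learned on port 3 -> 3
    ]
```

In the real controller the DROP decision corresponds to installing a flow entry with no output action, so later frames of the blocked pair are discarded on the switch without reaching the controller.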
V. CONCLUSION
We have successfully implemented a layer2 firewall by modifying the layer2 learning switch code in the POX controller, at the control plane of the emerging SDN architecture. A simplified flowchart was developed for the firewall functionality. Traffic through the example tree topology network was controlled successfully by the configured firewall rules. The results have shown the extended functionality. In future work, we will implement a firewall for the layer3 learning switch on a similar pattern, as outlined in [7], but with a different topology, and work toward the development of an intrusion detection system.
Acknowledgment
The authors would like to thank the Coursera education platform and Dr. Nick Feamster, Associate Professor, Georgia Tech. The first author was honored to attend the online course titled “Software Defined Networking” and received a statement of accomplishment in 2013.