Implementing Firewall for Floodlight Controller
Navinder Kaur Brar
Department of Systems and Computer Engineering
Student No. 101026788
Group Number: 16
This report was prepared for Professor Ahmed Karmouch in partial fulfillment of the requirements for the course ELG-7187A
Abstract – Software Defined Networking has opened many doors of possibility for the future of the network, in which the network logic is detached from the limitations of the underlying hardware. This new approach to networking also poses many security threats: the channel design and organization can be compromised, and the controller can be subjected to Denial-of-Service attacks. This paper describes the Floodlight controller and its applications, and the implementation of a Firewall application on it. The Firewall application has been implemented as a Floodlight module that enforces ACL rules. We use the REST API to develop the application, which is accessed using curl. This paper also describes how the Firewall implementation is tested by filtering ICMP and TCP packets.
Keywords – Software Defined Network, Firewall, Floodlight, ACL, REST API
Software Defined Networking is one of the hot topics and a major breakthrough in the world of networking. Traditional networks consist of devices that each contain a control plane and a data plane: the control plane provides the information from which the forwarding table is constructed, the forwarding table is used to make routing decisions, and the data plane uses the forwarding table to handle packets. In traditional networks both of these planes reside directly on the network devices. In Software Defined Networking (SDN) the network control plane is physically separated from the forwarding plane; in other words, the control plane is abstracted. The control plane is handled by the SDN controller, which communicates with the data plane through the OpenFlow protocol. SDN is considered ideal for today's applications, which require high bandwidth and are more dynamic, because the network can be managed easily and is more cost effective. Since the SDN architecture abstracts the control and forwarding functions, the network control can be programmed directly. The OpenFlow protocol is one of the fundamental elements of many SDN solutions. The fact that the network control is directly programmable makes SDN a hit in the open networking area. It is based on open standards and does not depend on a specific vendor, so new developers and talent can work and experiment on top of it, which encourages further development. The switches used can be physical or virtual, and SDN puts network as a service in the hands of the users.
The controller in SDN is centralized instead of distributed and has a global view of the network, so network administrators can adjust traffic flows across the whole network whenever a change is needed. SDN is also described as a model that represents a client-server relationship with the controller: the service customer sends or receives data with the help of the network resources, and the network services are managed by the controller. The responsibilities of the service provider include virtualization and orchestration of the resources that the customers use. One of the main problems to be solved in most areas of networking is security. In SDN, security should be part of the basic architecture and should also be provided as a service to the users, in order to shield the privacy and integrity of the information flowing through the network. In the SDN architecture we can secure the network in various ways, for example by controlling access to the SDN controller very tightly. In case of an attack that takes the SDN controller and the network down, the accessibility of the controller must be maintained. The controller and the whole network should keep operating as they should, because communication in the whole network is exposed to network intruders. Another question is how this security should be deployed in an SDN environment: some proposed solutions say security should be embedded in the network itself, while others say it works best when embedded within the servers or on the computing devices. In any case we need an environment that is more secure, more efficient and scalable, and that proves to be a leading technology in every way.
Security in SDN should cover nearly all of the underlying components, including the controller, the applications, the switches and the communication channel between the switches and the controller (Sergey Morzhov). The endpoints and the other basic components of the network architecture also need to be secured. With the arrival of new approaches in networking, including virtualization, the rapidly growing use of mobile devices and the change in traffic patterns, new steps have to be followed for security. The requirements are changing: security becomes an application that is aware at all times of the processes happening in the applications. Security in the network should also protect the internal segments as well as the servers and nodes.
In this paper, we discuss the implementation of such security, i.e. a firewall, on one of the SDN controllers, Floodlight. This paper describes the implementation of the Firewall application as a module, with the help of the REST API, using Access Control List rules and taking advantage of the programmability of SDN. The paper is divided into several parts. We first discuss the Objective of this project, in which we describe what we are doing in this project and why security, or a Firewall, is needed. In Section III, Background, we provide information about the SDN controller (Floodlight), its characteristics and architecture, the ACL rules, and how we use the REST API to implement the Firewall. In Section IV we describe the methodology used to implement this project, with the help of screenshots and the various steps to be performed to implement the Firewall. In Section V, Related Work, we discuss other approaches put forward by other researchers. Finally, we give the summary and conclusion in Section VI.
The main objective of guaranteeing security in Software Defined Networking can be explained in two ways. First, securing the main components, which consist of the actual network infrastructure: the controller, the several applications, and the communication channel between the SDN controller and the switches. Second, securing the storage systems, the endpoints and the servers. "A firewall is a network security system that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules". To secure the SDN we implement a Firewall using the Floodlight controller. The Firewall in Floodlight is a programmable controller module in which we can add, delete or update the firewall rules.
Floodlight is an Apache-licensed, Java-based OpenFlow controller supported by a large number of developers. It is developed by an open community of developers, is easy to use because of its GUI, and is tested and supported by that community. Floodlight follows the OpenFlow standards and keeps working as the number of OpenFlow-supported switches, virtual switches and routers increases. Floodlight is designed to provide high performance and is easy to set up with minimal dependencies. As already discussed, Floodlight supports a wide range of physical as well as virtual OpenFlow switches. Floodlight supports the OpenStack cloud orchestration platform ("Orchestration is the process of using the SDN controller's resources to simultaneously satisfy service demands from all of its clients according to an optimization policy.").
Being an OpenFlow controller, Floodlight also comes with a number of applications built on top of it. Floodlight implements a common set of components to control and manage an OpenFlow network, whereas the applications built on top of it solve different needs with respect to the different features required over the network. Figure 1 shows the Floodlight controller and the various applications built on top of it, as Java modules and through the Floodlight REST API. The Java module applications start running together with the controller when Floodlight is started, and the REST API is exposed by all running modules via the specified REST port. The Firewall, a stateless firewall that enforces ACL rules, is one of the Floodlight applications, and it is the one we implement in this project. ACL rules contain a set of conditions according to which the flow of traffic is allowed or denied. Different URIs with the REST methods GET, PUT, POST and DELETE are used to add and manage the firewall rules. Every time a rule is created, a rule_id is generated, which is a random number. To delete a rule with the DELETE method, we refer to it by its rule_id.
Figure 1. Floodlight Architecture
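As an added example (not code from this report or from the Floodlight project), the curl calls behind the REST-driven workflow described above, wrapped in POSIX shell functions: enable the Firewall module, add an ACL rule, read back the generated rule-id, and delete the rule by that id. The controller address, switch DPID and host addresses are assumed values; the URIs and JSON field names are those of Floodlight's Firewall module.

```shell
#!/bin/sh
# Added example: driving the Floodlight Firewall REST API with curl.
# CONTROLLER, the DPID and the 10.0.0.x hosts below are assumptions.
CONTROLLER="${CONTROLLER:-http://127.0.0.1:8080}"
FW="$CONTROLLER/wm/firewall"

# Build the JSON body for one ACL rule.
# Arguments: switch DPID, src IP/prefix, dst IP/prefix, protocol (ICMP/TCP/UDP), action (ALLOW/DENY).
fw_rule_body() {
  printf '{"switchid":"%s","src-ip":"%s","dst-ip":"%s","nw-proto":"%s","action":"%s"}' \
    "$1" "$2" "$3" "$4" "$5"
}

# Extract the rule-id from the controller's "Rule added" reply so the rule
# can later be removed with DELETE (the id may be negative).
fw_extract_rule_id() {
  printf '%s' "$1" | sed -n 's/.*"rule-id" *: *"\([-0-9]*\)".*/\1/p'
}

fw_enable()      { curl -s -X PUT "$FW/module/enable/json"; }
fw_status()      { curl -s "$FW/module/status/json"; }
fw_list()        { curl -s "$FW/rules/json"; }
fw_add_rule()    { curl -s -X POST -d "$(fw_rule_body "$@")" "$FW/rules/json"; }
fw_delete_rule() { curl -s -X DELETE -d "{\"ruleid\":\"$1\"}" "$FW/rules/json"; }

# Example session: allow ICMP between h1 and h2, deny TCP, then clean up.
# Only runs when FW_RUN=1 so the functions can be sourced without a controller.
if [ "${FW_RUN:-0}" = "1" ]; then
  fw_enable
  reply=$(fw_add_rule 00:00:00:00:00:00:00:01 10.0.0.1/32 10.0.0.2/32 ICMP ALLOW)
  icmp_id=$(fw_extract_rule_id "$reply")
  fw_add_rule 00:00:00:00:00:00:00:01 10.0.0.1/32 10.0.0.2/32 TCP DENY
  fw_list
  fw_delete_rule "$icmp_id"
fi
```

With a Mininet topology attached to the controller, a ping between h1 and h2 should succeed while a TCP connection between them is blocked, which is the ICMP/TCP filtering test the report describes.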
To attach the running Floodlight to an OpenFlow network we can use Mininet, a network simulation tool. To analyse or filter packets we use Wireshark. Floodlight also comes with a web-based Graphical User Interface that is served through Floodlight's REST API. It presents OpenFlow statistics in an easy-to-read tabular form and shows the status of the various applications, so we can tell whether the Firewall is running or not. The GUI can be accessed at the following URL: