Network-wide virtual firewall using SDN/OpenFlow

Abstract

Traditional firewalls are used to enforce network security policies at boundaries within a network. However, this can leave hosts vulnerable to attacks that originate from within the network they are part of. We leverage the flexibility of Software Defined Networking to turn the network infrastructure into a virtual firewall thus improving security across an entire network. We present ACLSwitch, a network-wide virtual firewall that utilises the OpenFlow protocol to filter traffic across a network comprised of OpenFlow switches. We also define “policy domains” that allow different filtering configurations to be applied to different switches of the network. The solution allows rules to be distributed across a network without the need for a human operator to send the rules to switches separately, yet it is flexible enough to allow subsets of the switches to enforce different security policies.