Implementation and Performance Analysis of Firewall on Open vSwitch

Software Defined Networking (SDN) is a current research trend that follows the ideology of physical separation of the control and data plane of the forwarding devices. SDN mainly advocates with two types of devices: (1) Controllers, that implement the control plane and (2) Switches, that perform the data plane operations. OpenFlow protocol (OFP) is the current standard through which controllers and switches can communicate with each other. Using OpenFlow, SDN controllers can manage forwarding behaviors of SDN switches by managing Flow Table entries. Switches use these low-level Flow Table entries to forward packets to appropriate hosts. Firewalls are integral part of today’s networks. We can’t imagine our network without a Firewall which protects our network from potential threats. As SDN is getting pace in replacing traditional architecture, it would be very interesting to see how much security features can be provided by OpenFlow-enabled switches. Hence, it will be very important to see if SDN, on the top of OpenFlow, can efficiently implement Firewalls and provides support for an advanced feature like connection tracking. The task is straightforward: Controller will add Flow Table entries on switches based upon Firewall rules. Such way, we can enhance packet-processing by providing security. In this Document, one strategy for implementing Firewall on SDN is presented. We can write some controller applications that work as Firewall and inspect incoming packets against the Firewall rules. These applications are also able to implement connection tracking mechanism. As SDN devices for the experiments, we selected Ryu controller and Open vSwitch. Initially, such applications are tested on local machine with small Firewall ruleset. Later, they are tested with real-world traffic and comparatively large Firewall ruleset. The testing results present that such strategy can be used as a first step in implementing security features (including connection tracking) in SDN environment.