Software defined network approach for layer II based distributed firewall

Authors

  • Ahmed Mahmud, ICT Unit, Bauchi State University, Gadau - Nigeria.
  • Kabiru Ibrahim Musa, Department of Management and Information Technology, Faculty of Management Sciences, Abubakar Tafawa Balewa University, Bauchi.
  • Usman M. Joda, Department of Mathematical Sciences, Faculty of Sciences, Bauchi State University, Gadau - Nigeria.

Keywords:

Software Defined Networking, Firewall, Bandwidth, Round Trip Time

Abstract

Controlling and managing networks has become a highly complex and specialized activity. Network operators struggle to integrate different types of networks while meeting the challenge of increasing traffic. Traditional networks tend to be rigid: once a forwarding policy has been defined, the only way to change it is to change the configuration of all the affected devices. In this context, Software Defined Networking (SDN) is seen as a promising paradigm with the power to change the way networking is done. By centralizing control and keeping forwarding nodes simple, SDN offers flexible control over traffic flows and over the policies networks use to manage them. Along with the excitement, there have been apprehensions regarding SDN, and the perceived risks have so far prevented faster adoption. Spurious traffic flows can affect switches and controllers alike. An attacker with malicious intent can build up infructuous flows to such an extent that they seriously overload the switches and the controller, leading to a Denial of Service (DoS) attack. In this paper we propose a Layer II firewall for preventing such intrusions using SDN traffic flow intrusions. The Layer II firewall would not only detect the intrusions but also provide some degree of protection to the network devices the moment an attack is detected. Furthermore, it will completely prevent undesired traffic from transmitting data on the network, thereby making the network more robust and reliable. The proposed technique uses an algorithm that controls traffic variation of flow table entries and subjects them to a set of rules based on the source and destination MAC addresses in the flow header.
Experimental results obtained in a Mininet virtualized network environment show that the proposed technique improves performance over an IP-based firewall in terms of bandwidth, round trip time (RTT) and latency variation, while preventing attacks on the overall network traffic.
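
The rule check described in the abstract, matching on source and destination MAC address and caching the decision as a flow table entry so repeated frames no longer reach the controller, is illustrated below. This is an added example, not the authors' algorithm or code from the paper; the rule format, the class and function names and the MAC addresses are assumptions constructed for illustration, and the switch is simulated in plain Python rather than driven through a real controller API.

```python
import struct

# Constructed deny rules: (source MAC, destination MAC); None is a wildcard.
DENY_RULES = [
    ("00:00:00:00:00:01", "00:00:00:00:00:02"),
    ("00:00:00:00:00:03", None),
]

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_ethernet(frame: bytes):
    """Return (src, dst, ethertype) from an Ethernet II header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(src), mac_str(dst), ethertype

def make_frame(src: str, dst: str, ethertype: int = 0x0800) -> bytes:
    """Build a constructed test frame (header only, no payload)."""
    raw = lambda mac: bytes.fromhex(mac.replace(":", ""))
    return raw(dst) + raw(src) + struct.pack("!H", ethertype)

class L2FirewallSwitch:
    """Simulated switch whose flow table maps (src, dst) to an action."""
    def __init__(self, deny_rules):
        self.deny_rules = deny_rules
        self.flow_table = {}
        self.packet_ins = 0  # frames that had to be sent to the controller

    def _controller_decide(self, src, dst):
        for rule_src, rule_dst in self.deny_rules:
            if rule_src in (None, src) and rule_dst in (None, dst):
                return "drop"
        return "forward"

    def handle_frame(self, frame: bytes) -> str:
        src, dst, _ = parse_ethernet(frame)
        action = self.flow_table.get((src, dst))
        if action is None:  # table miss: ask the controller once, then cache
            self.packet_ins += 1
            action = self._controller_decide(src, dst)
            self.flow_table[(src, dst)] = action
        return action

def demo():
    sw = L2FirewallSwitch(DENY_RULES)
    blocked = make_frame("00:00:00:00:00:01", "00:00:00:00:00:02")
    allowed = make_frame("00:00:00:00:00:02", "00:00:00:00:00:04")
    results = [sw.handle_frame(blocked) for _ in range(100)]
    results.append(sw.handle_frame(allowed))
    return results, sw.packet_ins
```

In `demo()`, one hundred frames from the denied MAC pair cost the simulated controller a single decision; the remaining ninety-nine are dropped from the cached flow entry.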

Published

2022-08-15

How to Cite

Mahmud, A., Ibrahim Musa, K., & M. Joda, U. (2022). Software defined network approach for layer II based distributed firewall. International Journal of Intellectual Discourse, 4(3), 202–217. Retrieved from https://ijidjournal.org/index.php/ijid/article/view/171

Section

Articles