%0 Conference Proceedings
%T Software Defined Networking Reactive Stateful Firewall
%+ Lab-STICC_TB_CID_SFIIS
%+ Lab-STICC_UBO_CID_SFIIS
%+ Institut de Recherche Technologique b-com (IRT b-com)
%A Zerkane, Salah Eddine, S. E.
%A Le Parc, Philippe
%A Cuppens, Frederic
%A Espes, David
%Z Part 3: Cyber Infrastructure
%< avec comité de lecture
%( IFIP Advances in Information and Communication Technology
%B 31st IFIP International Information Security and Privacy Conference (SEC)
%C Ghent, Belgium
%Y Jaap-Henk Hoepman
%I Springer
%3 IFIP Advances in Information and Communication Technology
%V AICT-471
%P 119-132
%8 2016-05-31
%D 2016
%R 10.1007/978-3-319-33630-5_9
%K Security
%K Orchestration
%K TCP
%K Software Defined Networking
%K Stateful Firewall
%Z Computer Science [cs]/Cryptography and Security [cs.CR]
%Z Computer Science [cs]/Networking and Internet Architecture [cs.NI]
%Z Computer Science [cs]Conference papers
%X Network security is a crucial issue of Software Defined Networking (SDN). It is probably, one of the key features for the success and the future pervasion of the SDN technology. In this perspective, we propose a SDN reactive stateful firewall. Our solution is integrated into the SDN architecture. The application filters TCP communications according to the network security policies. It records and processes the different states of connections and interprets their possible transitions into OpenFlow (OF) rules. The proposition uses a reactive behavior in order to reduce the number of OpenFlow rules in the data plane devices and to mitigate some Denial of Service (DoS) attacks like SYN Flooding. The firewall processes the Finite State Machine of network protocols so as to withdraw useless traffic not corresponding to their transitions' conditions. In terms of cost efficiency, our proposal empowers the behavior of Openflow compatible devices to make them behaving like stateful firewalls. Therefore, organizations do not need to spend money and resources on buying and maintaining conventional firewalls. Furthermore, we propose an orchestrator in order to spread and to reinforce security policies in the whole network with a fine grained strategy. It is thereupon able to secure the network by filtering the traffic related to an application , a node, a subnetwork connected to a data plane device, a sub SDN network connected to a controller, traffic between different links, etc. The deployment of rules of the firewall becomes flexible according to a holistic network view provided by the management plane. In addition, the solution enlarges the security perimeter inside the network by securing accesses between its internal nodes.
%G English
%Z TC 11
%2 https://hal.univ-brest.fr/hal-01333445/document
%2 https://hal.univ-brest.fr/hal-01333445/file/2016_Software%20Defined%20Networking%20Reactive%20Stateful%20Firewall_Draft.pdf
%L hal-01333445
%U https://hal.univ-brest.fr/hal-01333445
%~ UNIV-BREST
%~ INSTITUT-TELECOM
%~ CNRS
%~ UNIV-UBS
%~ LAB-STICC_UBO
%~ ENIB
%~ LAB-STICC_ENIB
%~ IFIP
%~ IFIP-AICT
%~ LAB-STICC
%~ IFIP-TC
%~ IFIP-TC11
%~ IFIP-SEC
%~ IFIP-AICT-471
%~ LAB-STICC_TB
%~ BCOM_NETWORK
%~ BCOM_NA
%~ IBNM
%~ BCOM_NETWORK_SECURITY
%~ BCOM_AC
%~ INSTITUTS-TELECOM