
Firewall Over The Floodlight Controller

2012/2013

IF 5144 – Information and Social Network


Lecturers:
Dr. Ir. Ing. Suhardi; Samuel A K, ST., MT.

By:
Fathonah Tri Hastuti. / NIM. 23514048

MAGISTER OF INFORMATICS
SCHOOL OF ELECTRICAL AND INFORMATICS ENGINEERING
INSTITUTE OF TECHNOLOGY BANDUNG

2015
ABSTRACT

This research discusses the simulation of a firewall over the Floodlight controller.

TABLE OF CONTENT

TABLE OF CONTENT
LIST OF TABLES
LIST OF FIGURES
1. INTRODUCTION
1.1. BPS PROFILE
1.2. SCOPE
2. SERVICE ANALYSIS
2.1. CASE STUDY
2.2. BMC EXISTING
2.3. GAP AND SWOT ANALYSIS
2.4. BC TO BE
2.5. SERVICE BLUEPRINT
3. SERVICE DESIGN
3.1. SOA METHODOLOGY
3.2. PERFORM SERVICE-ORIENTED ANALYSIS
3.2.1. DEFINE BUSINESS REQUIREMENTS
3.2.2. IDENTIFY AUTOMATION SYSTEM
3.2.3. MODEL CANDIDATE SERVICES
3.3. PERFORM SERVICE-ORIENTED DESIGN
REFERENCES
LIST OF TABLES

Table 1. Research Activity Schedule ...................................................................... 6

LIST OF FIGURES

Figure 1. Literature Map ....................................................................................... 4
I. INTRODUCTION/ MOTIVATION

Software Defined Networking (SDN) is a new paradigm in networking, a new
approach to building, designing and setting up a computer network. SDN consists of
decoupling the control plane and the data plane of a network [1]. It relies on the fact
that the simplest function of a switch is to forward packets according to a set of rules.
The rules the switch follows to forward packets are managed by a software-based
controller.

The idea of SDN continued to grow until 2011, when the OpenFlow Network
Foundation was formed, pioneered by various companies around the world. Board
members include Google, Yahoo, and NTT, while the membership includes Cisco,
Juniper, IBM, Dell, HP, and others. The reasons these global IT companies joined the
OpenFlow Network Foundation come down to seeing the great potential of the
transition to a future SDN era.

There are many types of OpenFlow SDN controllers, including NOX, POX, SNAC,
Beacon, Trema, Maestro, Floodlight, and OpenDaylight. Each has its own
characteristics, ranging from the programming language used and the platform it runs
on to the virtual machine that can be used. Basically, almost all OpenFlow controllers
have the same function: they act as the centre and as the remote configuration point for
the devices in a network that has implemented the SDN OpenFlow concept.

A traditional network architecture performs less effectively because of the amount of
time required to configure all devices, which must be configured manually, one by
one. The traditional architecture also restricts new innovation in the network, which
makes it more difficult to develop.

By contrast, using SDN OpenFlow on a network simplifies the configuration of all
devices, because it is performed centrally on the controller that manages all the
devices beneath it. The SDN OpenFlow architecture also does not restrict new
innovations on the network; they can be developed by the user, which improves the
performance of network devices that use OpenFlow SDN. OpenFlow-based
applications are proposed essentially to simplify network configuration and to
facilitate network settings.

Attacks targeting single computers as well as whole networks are very frequent
nowadays. Everyone, from home users to business companies and states, has to secure
their devices against data theft or unpermitted usage. The needed measures of
protection are based on the formulation of a security concept, which is put into action
using a component called a firewall.

The importance of security in the network led researchers to conduct research on
firewalls. Previous research discussed packet filtering in an SDN topology; other
research discussed functionality testing. To increase understanding of a firewall over
the controller, this research presents more firewall testing scenarios than the previous
research. The controller used in this research is the Java-based Floodlight. VirtualBox
and Mininet are used to create the SDN network topology.

II. RELATED WORK

There has been much research discussing OpenFlow SDN. OpenFlow-based
architectures have specific capabilities that can be exploited by researchers to
experiment with new ideas and test novel applications [1]. A cost-saving approach for
on-demand elastic network design and active flow placement in an SDN environment
was discussed by Julius Mueller et al. [3].

An SDN controller instructs the switches as to what action they should take via what
is commonly called the southbound API. The SDN controller is a new class of data
networking product [4]. The ten key characteristics that IT organizations should look
for when evaluating an SDN controller are: OpenFlow support, network virtualization,
network functionality, scalability, performance, network programmability, reliability,
security of the network, centralized monitoring and visualization, and the SDN
controller vendor.

Some of the additional security-related functionality that an SDN controller should
provide was already discussed. An OpenFlow-based SDN controller shows that most
firewall functionalities can be built in software, without the aid of dedicated
hardware [5]. The firewall controls traffic by directly modifying the flow tables of the
devices, providing more speed without affecting connectivity [6]. Much research has
discussed firewalls [5][6][7][8]; Figure 1 shows the detailed research on firewalls and
on using the Floodlight controller.

[Figure 1: literature map (diagram not reproduced). Recovered content:]

- SDN [1][2][3]
- Performance: controller testing [4]
- Firewall testing [5][6][7][8]:
  - Packet filtering testing, functionality testing on POX controller [5]
  - Packet filtering testing, ping-all testing, ICMP blocking on POX controller [6]
  - Firewall application packet filtering testing [7]
  - Packet filtering testing by developed automated packet generation techniques [8]
- This research: topology creation, connection testing, network isolation, file sharing,
  packet filtering, on the Floodlight controller

Figure 1. Literature Map

III. NETWORK SECURITY CONCEPT

When users want to exchange data over a computer network, this is done using data
packets [7]. In addition to the payload, these contain information regarding the sender
and receiver, or the route the packet has taken between them. Large data streams are
divided into smaller parts and put back together by the receiver.

Security problems arise with this concept because the sender is able to set the
information in the packet without restraint, and is thus able to hide the true origin of
the packet. The use of a firewall is helpful for countering this type of attack.

Firewall describes the general concept; a software product called a packet filter,
installed on a separate host, is used to implement it. A firewall is essential in keeping
the network safe from outside attacks [5].

There are two approaches considered in implementing the firewall: 1) pre-installing
the rules in the switch's flow table, and 2) handling packets directly as they come in.
The logic of the firewall is as follows: each packet's headers are checked against the
firewall rules, the specified action is performed once a matching field is found in a
rule, and any unmatched packets are dropped.

IV. SCENARIO/ IMPLEMENTATION

A. Software

In order to test the functionality of the firewall in this research, the following software
was used:

1. Oracle VirtualBox, provides an environment for the virtual network to be formed.

2. Mininet, provides the virtual SDN network topology.

3. Floodlight, the SDN controller that manages the decisions on what the switches will
do.

4. PuTTY, used to remotely access Mininet, which makes it easier for the researcher to
configure the network topology.

5. REST API, the recommended interface for developing applications that use
Floodlight controller features, one of which is the firewall.

6. Visio and VND, help the researcher draw the network topology.

7. WinSCP, to transfer files from the local to the virtual operating system.
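The REST interface of item 5 is how firewall rules reach Floodlight. As an added example (not the paper's code), the following Python script expresses the inter-network file-sharing scenario of Table 2 (h1 as server in Network 1, h4 as client in Network 2, addresses from Table 1) as Floodlight firewall rules and pushes them to the controller. The REST paths (/wm/firewall/module/enable/json, /wm/firewall/rules/json), the rule field names and the ALLOW/DENY actions follow the Floodlight Firewall module's REST API; the controller address, HTTP on port 80 as the file-sharing service, the priority values and their ordering, and the function names are assumptions made here.

```python
"""Install firewall rules for the inter-network file-sharing scenario on Floodlight.

Added example, not the paper's code. REST paths, rule field names and the
ALLOW/DENY actions follow the Floodlight Firewall module's REST API; the
controller address, the HTTP-on-port-80 file service and the priority
values are assumptions made here. Host addresses come from Table 1.
"""
import json
import urllib.request

CONTROLLER = "http://127.0.0.1:8080"   # assumption: Floodlight REST port on the controller VM
H1 = "10.1.1.10"                       # file server, Network 1 (Table 1)
H4 = "10.1.2.40"                       # client, Network 2 (Table 1)
FILE_SHARING_PORT = 80                 # assumption: HTTP file server on h1


def rule(action, src=None, dst=None, dl_type="IPv4", nw_proto=None,
         tp_src=None, tp_dst=None, priority=None):
    """Build one Floodlight firewall rule as a dict.

    Fields left as None are wildcards and are simply omitted from the rule;
    an absent match field is treated as "any" by the Floodlight firewall.
    """
    r = {"dl-type": dl_type, "action": action}
    if src is not None:
        r["src-ip"] = src + "/32"      # single-host match
    if dst is not None:
        r["dst-ip"] = dst + "/32"
    if nw_proto is not None:
        r["nw-proto"] = nw_proto       # "TCP", "UDP" or "ICMP"
    if tp_src is not None:
        r["tp-src"] = tp_src
    if tp_dst is not None:
        r["tp-dst"] = tp_dst
    if priority is not None:
        r["priority"] = priority       # assumption: lower value is evaluated first
    return r


def file_sharing_rules():
    """Rules for the 2nd scenario of Table 2: h4 (client) reaches the file server on h1.

    Floodlight firewall rules match one direction only, so each flow needs a
    rule for the request and one for the reply. With the module enabled,
    anything not explicitly allowed is dropped, which is why ARP must be
    allowed too: without it the hosts cannot resolve their gateway.
    """
    return [
        rule("ALLOW", dl_type="ARP", priority=10),
        rule("ALLOW", src=H4, dst=H1, nw_proto="TCP", tp_dst=FILE_SHARING_PORT, priority=20),
        rule("ALLOW", src=H1, dst=H4, nw_proto="TCP", tp_src=FILE_SHARING_PORT, priority=20),
        rule("ALLOW", src=H4, dst=H1, nw_proto="ICMP", priority=30),   # connection test (ping)
        rule("ALLOW", src=H1, dst=H4, nw_proto="ICMP", priority=30),
    ]


def _call(method, path, payload=None, base=CONTROLLER):
    """Send one JSON request to the controller and return its decoded reply."""
    data = json.dumps(payload).encode() if payload is not None else b""
    req = urllib.request.Request(base + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode())


def apply_file_sharing_rules(base=CONTROLLER):
    """Enable the firewall module (default deny) and install the rules; return the replies."""
    replies = [_call("PUT", "/wm/firewall/module/enable/json", base=base)]
    for r in file_sharing_rules():
        replies.append(_call("POST", "/wm/firewall/rules/json", r, base=base))
    return replies


if __name__ == "__main__":
    for reply in apply_file_sharing_rules():
        print(reply)
```

Run it from the Mininet VM (or anywhere the controller's REST port is reachable) after setting CONTROLLER. Enabling the module puts the whole topology into default deny, so only the h1/h4 pair can exchange traffic afterwards; a ping-all at that point shows every other pair as unreachable, which is the effect the network isolation scenario checks for.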

B. Network Topology

The network topology designed for this research, based on SDN OpenFlow, still
uses a simple configuration. The topology consists of:

1. 1 Floodlight OpenFlow controller

2. 3 OpenFlow switches, with 3 hosts on each switch

[Figure 2: network topology diagram, not reproduced. Recovered layout: controller C0
above switches S1, S2 and S3; hosts H1, H2, H3 on S1; H4, H5, H6 on S2; H7, H8, H9
on S3.]

Figure 2. Network Topology

The IP address used for each point in the network topology can be seen in Table 1.

Table 1. IP Address

Host         IP Address      Network
h1           10.1.1.10/24    Network 1
h2           10.1.1.20/24    Network 1
h3           10.1.1.30/24    Network 1
h4           10.1.2.40/24    Network 2
h5           10.1.2.50/24    Network 2
h6           10.1.2.60/24    Network 2
h7           10.1.3.70/24    Network 3
h8           10.1.3.80/24    Network 3
h9           10.1.3.90/24    Network 3
r0-gateway   10.1.1.1/24
             10.1.2.1/24
             10.1.3.1/24

C. Firewall Simulation Scenario

The previous research on firewalls focused on packet filtering. To increase
understanding of a firewall over the controller, this research presents more firewall
testing scenarios than the previous research. The simulation starts with creating the
network topology and ends with testing the firewall under several scenarios. The
detailed scenario list is as follows:

1. Create the network topology.

2. Connection testing:

a. Functionality testing, to look at the time it takes a host to ping other hosts; in
general the first ping takes more time.

b. Ping-all testing, to show that all hosts in the network are connected.

3. Sharing files from host to server. The detailed scenario is described in Table 2.

Table 2. File Sharing Scenario

Scenario       Network     Host     Role     Description
1st Scenario   Network 1   Host 1   Server   File sharing testing within one network
               Network 1   Host 2   Client
2nd Scenario   Network 1   Host 1   Server   File sharing testing between networks
               Network 2   Host 4   Client

4. Network isolation. The detailed scenario is described in Table 3.

Table 3. Network Isolation Scenario

Network     Host     Status
Network 1   Host 1   connected
            Host 2   connected
            Host 3   not connected
Network 2   Host 4   connected
            Host 5   not connected
            Host 6   not connected
Network 3   Host 7   not connected
            Host 8   not connected
            Host 9   not connected

5. Packet filtering testing; the flow of packet filtering is described in Figure 3.

[Figure 3: packet filtering flow diagram, not reproduced. Recovered content: the
network traffic to validate is checked against the following rules in order; a match
takes the rule's action, no match falls through to the next rule:]

Rule 1: Source: Internal Network, Dest: Firewall, Port: SSH  -> Match: Accept
Rule 2: Source: Internal Network, Dest: Firewall, Port: All  -> Match: Drop
Rule 3: Source: Internal Network, Dest: All,      Port: All  -> Match: Accept
No match on any rule -> Drop

Figure 3. Packet Filtering Flow Diagram

The detailed packet filtering in this research is described in Table 4.

Mas, for this part, making the packet filtering scenario so that it connects with the
flow above, I don't quite understand; could I ask you to help fill it in? Thanks in
advance.

No   Source          Destination   Service (dest)          Action
1    Internal host   Any           Any                     Allow
                                   Domain, SSH             Deny
     Any             H1            HTTP (port 80), HTTPS   Allow
V. RESULT

VI. CONCLUSION

REFERENCES

[1] Andrian Lara, Anisha Kolasani, and Byrav Ramamurthy, “Network Innovation using
OpenFlow: A Survey”, IEEE Communications Surveys & Tutorials, vol. 16, no. 1, first
quarter 2014.

[2] C. DeCusatis, M. Haley (IBM), et al., “Dynamic, Software-defined Service Provider
Network Infrastructure and Cloud Drivers for SDN Adoption”, IEEE 2nd Workshop on
Clouds, Networks and Data Centers, 2013.

[3] Julius Mueller, Andreas Wierz, et al., “Elastic Network Design and Adaptive Flow
Placement in Software Defined Networks”, IEEE, 2013.

[4] Ashton, Metzler and Associates, “Ten Things to Look for in an SDN Controller”,
https://www.necam.com/docs/?id=23865bd4-f10a-49f7-b6be-a17c61ad6fff.

[5] Michelle Suh, Sae Hyong Park, Byungjoon Lee, Sunhee Yang, “Building Firewall over
the Software-Defined Network Controller”, ICACT 2014, February 16-19.

[6] Justin Gregory V. Pena and William Emmanuel Yu, “Development of a Distributed
Firewall Using Software Defined Networking Technology”, IEEE, 2014.

[7] Stephan Windmuller, “Offline Validation of Firewall”, 34th IEEE Software Engineering
Workshop, 2011.

[8] JeeHyun Hwang, Tao Xie, et al., “Systematic Structural Testing of Firewall Policies”,
IEEE Symposium on Reliable Distributed Systems, 2008.
