Open Access Article

Effective Stateful Firewall in Software-Defined Networking

Aung Htein Maw

Section: Research Paper, Product Type: Journal Paper
Volume-7, Issue-8, Page no. 269-274, Aug-2019

CrossRef-DOI: https://doi.org/10.26438/ijcse/v7i8.269274

Published online on Aug 31, 2019

Copyright © Aung Htein Maw. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

How to Cite this Paper

IEEE Style Citation: Aung Htein Maw, “Effective Stateful Firewall in Software-Defined Networking,” International Journal of Computer Sciences and Engineering, Vol.7, Issue.8, pp.269-274, 2019.

MLA Style Citation: Aung Htein Maw "Effective Stateful Firewall in Software-Defined Networking." International Journal of Computer Sciences and Engineering 7.8 (2019): 269-274.

APA Style Citation: Aung Htein Maw, (2019). Effective Stateful Firewall in Software-Defined Networking. International Journal of Computer Sciences and Engineering, 7(8), 269-274.

BibTex Style Citation:
@article{Maw_2019,
author = {Aung Htein Maw},
title = {Effective Stateful Firewall in Software-Defined Networking},
journal = {International Journal of Computer Sciences and Engineering},
issue_date = {8 2019},
volume = {7},
Issue = {8},
month = {8},
year = {2019},
issn = {2347-2693},
pages = {269-274},
url = {https://www.ijcseonline.org/full_paper_view.php?paper_id=4823},
doi = {https://doi.org/10.26438/ijcse/v7i8.269274},
publisher = {IJCSE, Indore, INDIA},
}

RIS Style Citation:
TY - JOUR
DO - https://doi.org/10.26438/ijcse/v7i8.269274
UR - https://www.ijcseonline.org/full_paper_view.php?paper_id=4823
TI - Effective Stateful Firewall in Software-Defined Networking
T2 - International Journal of Computer Sciences and Engineering
AU - Aung Htein Maw
PY - 2019
DA - 2019/08/31
PB - IJCSE, Indore, INDIA
SP - 269-274
IS - 8
VL - 7
SN - 2347-2693
ER -

Abstract

A firewall is a critical security appliance for mitigating attacks, not only in traditional networks but also in software-defined networking (SDN). Previous firewall applications built on an SDN controller implement one of two concepts: a centralized firewall or a distributed firewall. The centralized method incurs controller overhead, because the controller acts as the firewall that maintains the rules and filters the traffic. The distributed method leads to complicated firewall configuration, additional cost for maintaining rules in each switch, and less sensitivity to the topology. This system proposes firewall rule installation based on a topology-aware, selectively distributed stateful firewall with a source-based DoS attack defense mechanism. Its purpose is to overcome both performance and security issues. The paper shows that the stateful firewall application can not only track TCP flows but also reduce latency plus table lookup time by up to 16% for long-lived flows and 50% for short-lived flows. Moreover, from the security perspective, the accuracy of DoS detection and mitigation by the stateful firewall application is 98.93% for SYN flooding attacks and 92.09% for UDP flooding attacks.

Keywords / Index Terms

Stateless Firewall, Stateful Firewall, SDN
