Implementing Firewall for Floodlight Controller

 

Navinder Kaur Brar

Jaspreet Singh

Harkishan Singh

Department of Systems and Computer Engineering, Carleton University

Student No. 101026788

 

Group Number: 16

This report was prepared for Professor Ahmed
Karmouch in partial fulfillment of the requirements for the course ELG-7187A

 

 

Abstract – Software Defined Networking (SDN) has opened many doors of possibility
for the future of networking, in which the network's logic operations are
detached from the limitations of the underlying hardware. This new approach to
networking also poses many threats to security: the channel design and
organization may be compromised, and the controller is exposed to
Denial-of-Service attacks. This paper describes the Floodlight Controller and
its applications, and the implementation of a Firewall application on it. The
Firewall application has been implemented as a Floodlight module that imposes
ACL rules. We use the REST API, accessed with curl, to develop the application.
This paper also describes how the Firewall implementation is tested by
filtering ICMP and TCP packets.

Keywords – Software Defined Network, Firewall, Floodlight, ACL, REST API

 

I. INTRODUCTION

Software Defined Networking is one of the hot topics and a major breakthrough
in the world of networking. Traditional networks consist of devices that each
contain a control plane and a data plane: the control plane provides the
information from which the forwarding table is constructed, the forwarding
table is used to make routing decisions, and the data plane uses the forwarding
table to handle packets. In traditional networks both planes reside directly on
the network devices. In Software Defined Networking (SDN) the network control
plane is physically separated from the forwarding plane; in other words, the
control plane is abstracted away. The control plane is handled by the SDN
controller, which communicates with the data plane using the OpenFlow protocol
[12]. SDN is considered ideal for today's applications, which require high
bandwidth and are more dynamic, because it can be managed easily and is more
cost effective. Because the SDN architecture abstracts the control and
forwarding functions, the network control can be programmed directly. The
OpenFlow protocol is one of the fundamental elements of various SDN solutions
[3]. The fact that network control is directly programmable makes SDN a hit in
the open networking area. It is based on open standards and does not depend on
a specific vendor. New developers and talent can work and experiment on top of
it, which makes it more open to development. Also, the switches used can be
physical or virtual, and SDN places network-as-a-service in the hands of the
users.

The controller in SDN is centralized rather than distributed; it has a global
view of the network, and network administrators can adjust traffic flows across
the whole network whenever a change is needed. SDN is also described as a model
representing a client-server relationship with the controller. In SDN the
service customer can send or receive data with the help of the network
resources, and the network services are managed by the controller. The
responsibilities of the service provider include virtualization and
orchestration of the resources that the customers use. One of the main problems
to be solved in most areas of networking is security. For SDN, security should
be part of the basic architecture, and it should also be provided as a service
to the users in order to shield the privacy and integrity of the information
flowing [4]. In the SDN architecture we can secure the network in various ways,
such as by controlling the SDN controller very tightly. In case of an attack
that brings down the SDN controller and the network, the accessibility of the
controller must be maintained. Operations on the controller and on the whole
network should continue to work as intended, because communication across the
whole network is exposed to attacks from network intruders. Another question is
how this security should be deployed in an SDN environment: various solutions
have been proposed, some saying that security should be embedded in the network
itself, while others say it works best when embedded in the servers or on the
computing devices. In any case we need an environment that is more secure, more
efficient and scalable, and proves to be a leading technology in every way.

[5] Security in SDN should be designed so that it covers nearly all of the
underlying components, including the controller, the applications, the switches
and the communication channel between the switches and the controller. The
endpoints and the other basic components of the network architecture also need
to be secured. With the arrival of new approaches in networking, including
virtualization, the rapidly growing use of mobile devices and changing traffic
patterns, there is a clear hint that new steps must be taken with regard to
security. The requirements are changing, for example towards security as an
application that is aware of what is happening in the applications at any time.
Security in the network should also protect the internal segments as well as
the servers and nodes.

In this paper, we discuss the implementation of such a security mechanism,
namely a firewall, on one of the SDN controllers, Floodlight. This paper
describes the implementation of the Firewall application as a module, with the
help of the REST API, using Access Control List rules and taking advantage of
the programmability of SDN. The paper is divided into several parts. Section
II, Objective, discusses what we are doing in this project and why security, or
a Firewall, is needed. Section III, Background, provides information about the
SDN controller (Floodlight [7]), its characteristics and architecture, the ACL
rules, and how we use the REST API to implement the Firewall. Section IV
describes the methodology used to implement this project, with screenshots and
the steps to be performed to implement the Firewall. Section V, Related Work,
discusses other approaches put forward by other researchers. Finally, Section
VI gives the summary and conclusion.

II. OBJECTIVE

The main objective of guaranteeing security in Software Defined Networking can
be approached in two ways. First, securing the main components, which consist
of the actual network infrastructure: the controller, the various applications,
and the communication channel between the SDN controller and the switches.
Second, securing the storage systems, endpoints and servers. “A firewall is a
network security system that monitors incoming and outgoing network traffic
and decides whether to allow or block specific traffic based on a defined set
of security rules” [6]. To secure the SDN we implement a Firewall using the
Floodlight controller. The Firewall in Floodlight is a programmable controller
module in which we can add, delete or update the firewall rules.

 

III. BACKGROUND

Floodlight [7] is an Apache-licensed, Java-based OpenFlow controller supported
by a large number of developers. It is developed by an open community, is easy
to use because of its GUI, and is tested and supported by that community.
Floodlight follows the OpenFlow standards and keeps working as the number of
OpenFlow-capable switches, virtual switches and routers grows. Floodlight is
designed to provide high performance and is easy to set up with minimal
dependencies. As already discussed, Floodlight supports a wide range of
physical as well as virtual OpenFlow switches. Floodlight supports the
OpenStack cloud orchestration platform (“Orchestration is the process of using
the SDN controller’s resources to simultaneously satisfy service demands from
all of its clients according to an optimization policy.” [8])

Being an OpenFlow controller, Floodlight also comes with a number of
applications built on top of it [9]. Floodlight provides a common set of
components to control and manage an OpenFlow network, whereas the applications
built on top of it solve different needs for the different features required
in the network. Figure 1 shows the Floodlight Controller and the various
applications built on top of it, as Java modules and via the Floodlight REST
API. The Java module applications and the controller start running when
Floodlight is run, and the REST API is exposed by all running modules via the
specified REST port. ACL (stateless firewall) is one of the Floodlight
applications we are implementing in this project; it uses various ACL rules.
ACL rules contain a set of conditions according to which traffic flow is
allowed or denied [10]. There are different URIs with REST methods such as GET,
PUT, POST and DELETE to add and manage firewall rules [11]. Every time a rule
is created it is given a rule_id, which is a random number. To delete a rule
with the DELETE method we specify its rule_id.

 

Figure 1. Floodlight Architecture [12]

 

To attach the running Floodlight to an OpenFlow network we can use Mininet
[13], a network simulation tool. To analyse or filter packets we use Wireshark
[14]. Floodlight also comes with a web-based Graphical User Interface, which
talks to the controller through the Floodlight REST API. It shows OpenFlow
statistics in an easy-to-read tabular form and also shows the status of the
various applications, so we can tell whether the Firewall is working. The GUI
is accessed by the URL given in [15], in which the host part is the IP address
of the machine on which the controller is running. With the help of the GUI we
can modify the network state, as it provides read and write access to the
Floodlight controller.

 

IV. METHODOLOGY & IMPLEMENTATION

 

Floodlight contains an ACL (Access Control List) module [16] that works
reactively to allow or stop the movement of packets according to the rules
defined. The Floodlight controller monitors the rules enforced by the ACL and
pushes only the relevant entries. In a proactive mode the switches can receive
the rules without a request, to avoid delays. The ACL parses the user's
Representational State Transfer (REST) requests to update the ACL and creates
a static flow entry so that matching traffic is handled proactively rather
than through Packet-In messages. It removes the flow entry as soon as the rule
is removed from the ACL. The application maps ACL rules to flow entries. It
makes use of the IDeviceService in Floodlight to monitor whether any device is
added. If the user adds a “Deny flow” rule giving a source IP, the application
inserts a static entry to deny packets from that IP. We now describe the
implementation steps we took to implement the firewall in Floodlight using the
ACL:

Step 1: Build and run Floodlight. To build and run the Floodlight controller
we run the following commands:

cd floodlight

ant

java -jar target/floodlight.jar

Figure 2 shows the result of running these commands.

Figure 2. Building and Running Floodlight

Step 2: In this step, we open the web GUI to visualize the structure of the
network for better understanding. At this point the GUI is empty, as no
network has been defined yet. To open the web GUI we type in the default
address http://10.10.2.15:8080/ui/index.html.

 

Step 3: In this step, we start Wireshark. Wireshark is a tool for monitoring
the movement of packets in a network. We need it to monitor the movement of
packets in the network that we are going to define in the upcoming steps.

 

Figure 4. Starting Wireshark for Floodlight

 

Figure 5. Wireshark GUI

 

Step 4: Create a network topology. In this step we create the network topology
using Mininet. After the nodes are created we ping them to make sure that the
connections between all nodes work. We enter the following command:

sudo mn --topo=tree,3 --mac --switch ovsk --controller=remote,ip=10.0.2.15,port=6653

This command defines a tree network of depth 3, switch type ovsk, and a remote
controller at the specified IP and port. The IP chosen is the default,
10.0.2.15, and the port chosen is the default for Floodlight, 6653.

 

Figure 6. Creating Topology using Mininet

 

The network topology created can be visualized using the Graphical User
Interface of Floodlight.

 

Figure 7. Topology as shown in the Floodlight GUI

 

Step 5: In this step, we install curl, which we use to access the REST API.
The following command on the machine running the Floodlight controller installs
it:

sudo apt-get install curl

 

Step 6: Now we check the firewall status. If it is enabled we do not change
anything; if it is disabled we enable it in the next step. We use the following
command:

curl http://localhost:8080/wm/firewall/module/status/json

 

Figure 8. Checking Firewall Status

 

Step 7: Now we enable the firewall if its status is disabled. This step is not
required if the firewall is already enabled. We run the following command, and
the result shows that the Firewall is enabled. Figure 9 shows the effect of the
enabled Firewall in Wireshark: the pingall command gets no responses.

curl http://localhost:8080/wm/firewall/module/enable/json -X PUT

 

Figure 9. Firewall Enabled

Step 8: Add a rule for a switch. In this step, we add a new rule for switch
number 3 so that packets passing through it are filtered. The following
command adds the rule:

curl -X POST -d '{"switchid":"00:00:00:00:00:00:00:03"}' http://10.0.2.15:8080/wm/firewall/rules/json

 

Step 9: Add a DENY rule between hosts. In this step, we add a deny rule
between two hosts so that ICMP packets are blocked while TCP packets are
treated differently. This is accomplished with the following command (every
key and value in the JSON body must be quoted):

curl -X POST -d '{"src-ip":"10.0.0.1/32","dst-ip":"10.0.0.2/32","nw-proto":"ICMP","action":"DENY"}' http://localhost:8080/wm/firewall/rules/json

 

We can send a “pingall” command to Mininet to see whether the packet flow
behaves as expected. To monitor the packet flow we can use Wireshark. The
figure below shows how Wireshark is used to see the movement of packets.

Figure 10. Wireshark showing the results.
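Steps 5 to 9 above wrapped into a small POSIX shell script, added here as an example; it is not code from this report or from the Floodlight project. It assumes a controller reachable at $CTRL (default http://localhost:8080), the REST paths used in the steps, and the response shapes noted in the comments (a status reply containing "firewall enabled", an add-rule reply carrying a "rule-id" field, and deletion by a "ruleid" body), which are taken from the Floodlight Firewall REST API [11] rather than shown on this page.

```shell
#!/bin/sh
# Added example, not the report's own commands. Assumes a Floodlight
# controller reachable at $CTRL and the firewall REST paths used above.
CTRL="${CTRL:-http://localhost:8080}"
FW="$CTRL/wm/firewall"
# Build the JSON body for a host-to-host rule (report step 9). Every key
# and value is quoted, which the hand-typed body in the report had missed.
fw_rule_json() {
    printf '{"src-ip":"%s","dst-ip":"%s","nw-proto":"%s","action":"%s"}' \
        "$1" "$2" "$3" "$4"
}

# Build the JSON body for a per-switch rule (report step 8).
fw_switch_json() {
    printf '{"switchid":"%s"}' "$1"
}

# True when a status/enable response says the firewall is enabled.
# Assumed response shape (not shown on the page): {"result":"firewall enabled"}
fw_status_enabled() {
    printf '%s' "$1" | grep -qi 'firewall enabled'
}

# Extract the rule id from an add-rule response so the rule can be removed
# later. Assumed shape: {"status":"Rule added","rule-id":"<number>"}
fw_rule_id_of() {
    sed -n 's/.*"rule-id"[[:space:]]*:[[:space:]]*"\{0,1\}\(-\{0,1\}[0-9]*\)"\{0,1\}.*/\1/p'
}

# Steps 6 and 7: query the module and enable it only when it is disabled.
fw_ensure_enabled() {
    status=$(curl -sS "$FW/module/status/json")
    if fw_status_enabled "$status"; then
        echo "firewall already enabled"
    else
        curl -sS -X PUT "$FW/module/enable/json"
    fi
}

# Steps 8 and 9: push a rule body and print the id the controller assigned.
fw_add_rule() {
    curl -sS -X POST -d "$1" "$FW/rules/json" | fw_rule_id_of
}

# Remove a rule by id (DELETE with a "ruleid" body, per the Firewall REST API).
fw_del_rule() {
    curl -sS -X DELETE -d "{\"ruleid\":\"$1\"}" "$FW/rules/json"
}
# Run the whole procedure only when invoked as "sh firewall.sh run".
if [ "${1:-}" = run ]; then
    fw_ensure_enabled
    fw_add_rule "$(fw_switch_json 00:00:00:00:00:00:00:03)"
    fw_add_rule "$(fw_rule_json 10.0.0.1/32 10.0.0.2/32 ICMP DENY)"
fi
```

Keeping the returned rule id lets the deny rule be removed again with fw_del_rule, which is how a test rule is cleaned up without restarting the controller.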

 

V. RELATED WORK

 

In [5] we see the implementation of the general idea of an SDN controller,
along with an explanation of the Floodlight controller and the reasons for
choosing it. It also explains some of the key concepts of network security
implementation in Floodlight. The implementation is done as a basic network
mechanism.

In [2] the rules used to match and describe network packets are discussed. In
[3] the authors discuss modifications to the rules, such as disjoint, exactly
matching, inclusively matching and correlated rules.

Our approach focussed on the ACL and
definition of simple rules. These approaches discussed here can be further
implemented in future.

VI. CONCLUSION & FUTURE SCOPE

 

In conclusion, we have seen that the ACL is used to control the forwarding of
packets. We defined the network topology using Mininet. As the network is
created we can see it in the web GUI and make changes as required. Once the
network is established we can define rules using curl to allow or deny the
packets that are transferred. The rules are defined in the ACL using curl; in
future, Python could be used to make this more flexible. In our project, we
defined ACL rules to deny ICMP packets and allow TCP packets. The tree network
with 7 switches and 8 hosts responded as expected to pings across the network:
it blocked all ICMP packets and allowed only TCP packets through switch number
3.

 

References

[1] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J.
Rexford, S. Shenker, and J. Turner, “OpenFlow: enabling innovation in campus
networks,” SIGCOMM Comput. Commun. Rev., vol. 38, no. 2, pp. 69–74, 2008.

[2] “OpenFlow Switch Specification, Version 1.0.0 (Wire Protocol 0x01).”
Internet: http://archive.openflow.org/documents/openflowspec-v1.0.0.pdf

[3] “Software-Defined Networking (SDN) Definition.” Internet:
https://www.opennetworking.org/sdn-definition/

[4] “SDN Security Challenges in SDN Environments.” Internet:
https://www.sdxcentral.com/security/definitions/security-challenges-sdn-software-defined-networks/

[5] S. Morzhov, I. Alekseev, and M. Nikitinskiy, “Firewall application for
Floodlight SDN controller,” in Proc. of the International Siberian Conference
on Control and Communications, pp. 1-5, 2016.

[6] “What is a Firewall?” Internet:
www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html

[7] Big Switch Networks-sponsored community project, “Project Floodlight –
Floodlight Is an Open SDN Controller.” Internet:
http://www.projectfloodlight.org/floodlight/

[8] Open Network Flow, “SDN architecture.” Internet:
https://3vf60mmveq1g8vzn48q2o71a-wpengine.netdna-ssl.com/wp-content/uploads/2013/05/7-26%20SDN%20Arch%20Glossy.pdf

[9] Big Switch Networks, “Project Floodlight – Applications.” Internet:
http://www.projectfloodlight.org/applications/

[10] Big Switch Networks, “ACL (stateless FW).” Internet:
http://www.projectfloodlight.org/firewall/

[11] “Firewall REST API.” Internet:
https://floodlight.atlassian.net/wiki/spaces/floodlightcontroller/pages/1343614/Firewall+REST+API;
October 28, 2015; December 7, 2017.

[12] “The Controller-Architecture Diagram.” Internet:
https://floodlight.atlassian.net/wiki/spaces/floodlightcontroller/pages/1343548/The+Controller;
April 26, 2016; December 7, 2017.

[13] Mininet Team, “Mininet.” Internet: http://mininet.org/

[14] “Wireshark.” Internet: https://www.wireshark.org/

[15] “Web GUI.” Internet:
https://floodlight.atlassian.net/wiki/spaces/floodlightcontroller/pages/40403023/Web+GUI;
May 02, 2016; December 10, 2017.

[16] “ACL (Access Control List) REST API.” Internet: March 17, 2015.