FireFlow - High Performance Hybrid SDN-Firewalls with OpenFlow

摘要

Today, the most widely distributed type of firewalls are software firewalls, running as applications on standard systems. Dedicated networking hardware like SDN switches has also been used to implement firewall functionality, although their native classification capabilities are restricted to relatively simple checks, such as subnet tests. However, native SDN hardware can satisfy high performance requirements that would be challenging for standard software firewalls. This motivates to build a hybrid combination of fast SDN hardware with a standard software firewall. Our approach directly offloads simple rule policies instead of flows to the SDN switch, in order to exploit the limited storage capacity more efficiently. An effective packet diversion algorithm based on header space analysis avoids expensive communication with the back-end. This way, it can achieve the throughput of a native SDN switch while still being able to resort decisions to the full extent of a software firewall. Our evaluation demonstrates a 23-fold classification performance increase over a standard software firewall.