SDN-based Firewall Project Report

1. Introduction

Software Defined Networking (SDN) represents a revolutionary approach to networking, enabling

centralized control and

programmability of the network. Traditional networks are hardware-centric, making them difficult to

manage and configure.

SDN, on the other hand, decouples the control plane from the data plane, allowing dynamic

configuration and control

through software applications.

In this project, we explore the application of SDN in implementing a basic firewall. The SDN-based

firewall provides

greater flexibility and programmability compared to traditional hardware firewalls, enabling

rule-based filtering and

dynamic traffic management.

2. System Architecture

The system architecture consists of the following key components:

- **Host Machines**: Devices in the network that send and receive data packets.

- **OpenFlow Switch**: Forwards packets based on the rules installed by the SDN controller.

- **SDN Controller (Ryu)**: A centralized controller that processes packet-in events and installs

forwarding rules.

- **Firewall Module**: A Python script integrated with the Ryu controller that implements filtering

logic.

Page 1
 SDN-based Firewall Project Report

The controller interacts with switches using the OpenFlow protocol and makes decisions on how

packets should be handled.

3. Literature Review

SDN was first introduced as a means to overcome the rigidity and complexity of traditional network

architectures.

Numerous studies have demonstrated the benefits of SDN in network management, security, and

traffic engineering.

Key literature includes:

- "OpenFlow: Enabling Innovation in Campus Networks" (McKeown et al.) - Introduced the

OpenFlow protocol.

- "A Survey of Software Defined Networking" (Kreutz et al.) - Discusses SDN architecture,

controllers, and applications.

- Research on SDN-based firewalls shows improved detection and mitigation of threats through

real-time rule updates.

4. Problem Statement

Traditional firewalls are typically hardware-based and lack flexibility. Updating rules requires manual

configuration and

often leads to network downtime. Additionally, these firewalls are not scalable and struggle to adapt

to dynamic network

environments.

This project addresses the need for a flexible, programmable, and scalable firewall solution that can

be dynamically

Page 2
 SDN-based Firewall Project Report

managed via a centralized controller using SDN principles.

5. Problem Solution

The proposed solution is an SDN-based firewall using the Ryu controller. The controller intercepts

incoming packets and

applies user-defined firewall rules to either forward or drop packets.

The firewall logic is implemented in Python and includes the following functionalities:

- Blocking traffic from specific IPs or IP ranges.

- Allowing only specified protocols or ports (e.g., HTTP, SSH).

- Logging dropped packets for audit purposes.

This approach ensures dynamic and centralized control over network traffic.

6. Source Code

Below is a simplified version of the Ryu controller script used to implement the firewall logic:

```python

from ryu.base import app_manager

from ryu.controller import ofp_event

from ryu.controller.handler import CONFIG_DISPATCHER, MAIN_DISPATCHER

from ryu.controller.handler import set_ev_cls

from ryu.ofproto import ofproto_v1_3

class SimpleFirewall(app_manager.RyuApp):

OFP_VERSIONS = [ofproto_v1_3.OFP_VERSION]

Page 3
 SDN-based Firewall Project Report

def __init__(self, *args, **kwargs):

super(SimpleFirewall, self).__init__(*args, **kwargs)

self.blocked_ips = ['10.0.0.2']

@set_ev_cls(ofp_event.EventOFPSwitchFeatures, CONFIG_DISPATCHER)

def switch_features_handler(self, ev):

datapath = ev.msg.datapath

ofproto = datapath.ofproto

parser = datapath.ofproto_parser

for ip in self.blocked_ips:

match = parser.OFPMatch(eth_type=0x0800, ipv4_src=ip)

actions = []

self.add_flow(datapath, 1, match, actions)

def add_flow(self, datapath, priority, match, actions):

ofproto = datapath.ofproto

parser = datapath.ofproto_parser

inst = [parser.OFPInstructionActions(ofproto.OFPIT_APPLY_ACTIONS, actions)]

mod = parser.OFPFlowMod(datapath=datapath, priority=priority, match=match,

instructions=inst)

datapath.send_msg(mod)

```

7. Results

Page 4
 SDN-based Firewall Project Report

The SDN-based firewall was tested using Mininet. The firewall successfully blocked traffic from

specified IPs and allowed

permitted traffic as defined by the rules. Packets from blocked hosts did not reach the destination,

verifying the

correctness of the firewall logic.

Additionally, dynamic changes to the rule set were applied in real time without restarting the

network, demonstrating the

benefit of SDN's programmability.

8. References

1. McKeown, N., et al. "OpenFlow: Enabling Innovation in Campus Networks." ACM SIGCOMM

(2008).

2. Kreutz, D., et al. "Software-Defined Networking: A Comprehensive Survey." Proceedings of the

IEEE (2015).

3. Mininet Documentation. https://github.com/mininet/mininet/wiki

4. Ryu SDN Framework. https://osrg.github.io/ryu/

Page 5