Abstract |
---|
With increasing network bandwidths, stateful firewalls are likely to become communication bottlenecks in networks. To mitigate this problem, we propose to bypass selected traffic around firewalls using software-defined networking (SDN). We discuss various approaches and elaborate the following concept. A controller samples outgoing packets at the firewall using sFlow to detect congestion. In case of congestion, flows already admitted by the firewall are identified and offloaded at an appropriate rate by installing flow-specific bypass rules on an OpenFlow-capable switch. We suggest two different algorithms to select appropriate flows and provide a proof-of-concept implementation in a network testbed using the Ryu controller framework. Experimental results illustrate the system behavior at different load levels with and without offloading. We provide an analytical system model to predict the offloading performance for system parameters other than those evaluated experimentally, and validate the model against our experimental results. A parameter study suggests that the offloaded traffic rate may be a multiple of the firewall's capacity if the switch supports sufficient flow rules or is able to match on TCP flags. |
Field | Value |
---|---|
Year | 2017 |
DOI | 10.23919/CNSM.2017.8255971 |
Venue | 2017 13th International Conference on Network and Service Management (CNSM) |
Keywords | congestion offloading, network bandwidths, stateful firewalls, communication bottlenecks, selected traffic, controller samples outgoing packets, appropriate rate, flow-specific bypass rules, OpenFlow-capable switch, appropriate flows, proof-of-concept implementation, Ryu controller framework, experimental results, different load levels, analytical system model, offloading performance, offloaded traffic rate, sufficient flow rules, software-defined firewall bypass, TCP flags, software-defined networking, SDN, sFlow |
Research field | sFlow, Control theory, Firewall (construction), Computer science, Network packet, Computer network, Software, Bandwidth (signal processing), Stateful firewall, System model, Distributed computing |
DocType | Conference |
ISSN | 2165-9605 |
ISBN | 978-1-5386-2153-0 |
Citations | 0 |
PageRank | 0.34 |
References | 8 |
Authors | 4 |
Name | Order | Citations | PageRank |
---|---|---|---|
Florian Heimgaertner | 1 | 28 | 6.15 |
Mark Schmidt | 2 | 7 | 4.60 |
David Morgenstern | 3 | 0 | 0.34 |
Michael Menth | 4 | 567 | 72.74 |