An OpenFlow-Based Prototype of SDN-Oriented Stateful Hardware Firewalls

This paper describes an Open Flow-based prototype of a SDN-oriented stateful hardware firewall. The prototype of a SDN-oriented stateful hardware firewall includes an Open Flow-enabled switch and a firewall controller. The security rules are specified in the flow table in both the Open Flow-enabled switch and the firewall controller. The firewall controller is in charge of making control decisions on regulating the unidentified traffic flows. A communication channel is needed between a firewall controller and an Open Flow enabled switch. Through this channel, a switch sends to the controller with the information of unidentified flows, and the controller sends to the switch with the control decisions. Constraining this communication overhead is important to the applicability of the prototype because a high communication overhead could disturb the performance evaluation on the operation of a SDN-oriented stateful hardware firewall.