Design and Implementation of SDN-Based Proactive Firewall System in Collaboration with Domain Name Resolution

Hiroya IKARASHI  Yong JIN  Nariyoshi YAMAI  Naoya KITAGAWA  Kiyohiko OKAYAMA  

Publication
IEICE TRANSACTIONS on Information and Systems   Vol.E101-D   No.11   pp.2633-2643
Publication Date: 2018/11/01
Online ISSN: 1745-1361
DOI: 10.1587/transinf.2017ICP0014
Type of Manuscript: Special Section PAPER (Special Section on Information and Communication System Security)
Category: Network Security
Keyword: 
firewall system,  DNS,  domain name resolution,  EDNS,  client subnet option,  SDN,  OpenFlow,  

Full Text: PDF(1.1MB)
>>Buy this Article


Summary: 
Security facilities such as firewall system and IDS/IPS (Intrusion Detection System/Intrusion Prevention System) have become fundamental solutions against cyber threats. With the rapid change of cyber attack tactics, detail investigations like DPI (Deep Packet Inspection) and SPI (Stateful Packet Inspection) for incoming traffic become necessary while they also cause the decrease of network throughput. In this paper, we propose an SDN (Software Defined Network) - based proactive firewall system in collaboration with domain name resolution to solve the problem. The system consists of two firewall units (lightweight and normal) and a proper one will be assigned for checking the client of incoming traffic by the collaboration of SDN controller and internal authoritative DNS server. The internal authoritative DNS server obtains the client IP address using EDNS (Extension Mechanisms for DNS) Client Subnet Option from the external DNS full resolver during the name resolution stage and notifies the client IP address to the SDN controller. By checking the client IP address on the whitelist and blacklist, the SDN controller assigns a proper firewall unit for investigating the incoming traffic from the client. Consequently, the incoming traffic from a trusted client will be directed to the lightweight firewall unit while from others to the normal firewall unit. As a result, the incoming traffic can be distributed properly to the firewall units and the congestion can be mitigated. We implemented a prototype system and evaluated its performance in a local experimental network. Based on the results, we confirmed that the prototype system presented expected features and acceptable performance when there was no flooding attack. We also confirmed that the prototype system showed better performance than conventional firewall system under ICMP flooding attack.