Design and implementation of SDN-based proactive firewall system in collaboration with domain name resolution

Hiroya Ikarashi, Yong Jin, Nariyoshi Yamai, Naoya Kitagawa, Kiyohiko Okayama

Research output: Contribution to journal › Article

1 Citation (Scopus)

Abstract

Security facilities such as firewall systems and IDS/IPS (Intrusion Detection System/Intrusion Prevention System) have become fundamental countermeasures against cyber threats. As attack tactics change rapidly, detailed inspection of incoming traffic such as DPI (Deep Packet Inspection) and SPI (Stateful Packet Inspection) becomes necessary, but it also reduces network throughput. In this paper, we propose an SDN (Software Defined Network)-based proactive firewall system that collaborates with domain name resolution to address this problem. The system consists of two firewall units (lightweight and normal), and the appropriate unit is assigned to inspect each client's incoming traffic through the collaboration of an SDN controller and an internal authoritative DNS server. During name resolution, the internal authoritative DNS server obtains the client IP address from the external DNS full resolver via the EDNS (Extension Mechanisms for DNS) Client Subnet option and notifies the SDN controller of it. By checking the client IP address against the whitelist and blacklist, the SDN controller assigns the appropriate firewall unit to inspect the incoming traffic from that client. Consequently, incoming traffic from a trusted client is directed to the lightweight firewall unit, while traffic from other clients is directed to the normal firewall unit. As a result, incoming traffic is distributed appropriately across the firewall units and congestion is mitigated. We implemented a prototype system and evaluated its performance in a local experimental network. The results confirmed that the prototype presented the expected features and acceptable performance when no flooding attack was present, and that it outperformed a conventional firewall system under an ICMP flooding attack.
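The abstract describes two cooperating pieces: the authoritative DNS server reading the client's address out of the EDNS Client Subnet (ECS) option, and the SDN controller mapping that address to a firewall unit. The following is an added illustration written for this page, not the authors' prototype code. The ECS wire format follows RFC 7871; the allowlist/blocklist entries, the switch port numbers and the dict that stands in for a flow entry are constructed for the example, and the paper's whitelist/blacklist are rendered here as ALLOWLIST/BLOCKLIST.

```python
# Added illustrative example (not the paper's code). Two parts from the abstract:
# (1) an authoritative server extracting the client prefix from the EDNS Client
# Subnet option in the OPT RR RDATA (RFC 7871 wire format), and (2) a controller
# policy that picks a firewall unit for that prefix. Lists/ports are constructed.
import ipaddress
import struct

ECS_OPTION_CODE = 8                              # EDNS0 option code for Client Subnet
UNIT_PORTS = {"lightweight": 1, "normal": 2}     # hypothetical switch ports per unit

# Constructed policy for the hypothetical controller (RFC 5737 documentation ranges).
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]
BLOCKLIST = [ipaddress.ip_network("198.51.100.0/24")]


def build_ecs(prefix):
    """Encode an ECS option as a full resolver would place it in OPT RDATA."""
    net = ipaddress.ip_network(prefix)
    family = 1 if net.version == 4 else 2
    nbytes = (net.prefixlen + 7) // 8            # ADDRESS is truncated to the prefix
    data = struct.pack("!HBB", family, net.prefixlen, 0)   # SCOPE PREFIX-LENGTH = 0 in queries
    data += net.network_address.packed[:nbytes]
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def parse_ecs(opt_rdata):
    """Walk OPT RDATA ({code, length, data}...) and return the ECS prefix as an
    ip_network, or None if no ECS option is present. Raises ValueError for a
    malformed option (RFC 7871 says the server should answer FORMERR)."""
    i = 0
    while i + 4 <= len(opt_rdata):
        code, length = struct.unpack("!HH", opt_rdata[i:i + 4])
        data = opt_rdata[i + 4:i + 4 + length]
        if len(data) != length:
            raise ValueError("truncated EDNS option")
        i += 4 + length
        if code != ECS_OPTION_CODE:
            continue
        if len(data) < 4:
            raise ValueError("ECS option too short")
        family, src_len, _scope = struct.unpack("!HBB", data[:4])
        addr_len = {1: 4, 2: 16}.get(family)
        if addr_len is None or src_len > addr_len * 8:
            raise ValueError("bad ECS family or prefix length")
        addr_bytes = data[4:]
        if len(addr_bytes) != (src_len + 7) // 8:
            raise ValueError("ECS address length does not match prefix length")
        # Zero-pad the truncated address, then reject non-zero bits past the prefix
        addr = ipaddress.ip_address(addr_bytes + b"\x00" * (addr_len - len(addr_bytes)))
        net = ipaddress.ip_network(f"{addr}/{src_len}", strict=False)
        if net.network_address != addr:
            raise ValueError("non-zero bits beyond SOURCE PREFIX-LENGTH")
        return net
    return None


def choose_firewall_unit(client_net):
    """Controller-side decision. Only a prefix lying entirely inside an allowlist
    entry is treated as trusted; a prefix overlapping a blocklist entry, or an
    unknown one, goes through the normal (full-inspection) unit."""
    if client_net is None:
        return "normal"
    if any(client_net.overlaps(b) for b in BLOCKLIST):
        return "normal"
    if any(a.version == client_net.version and client_net.subnet_of(a) for a in ALLOWLIST):
        return "lightweight"
    return "normal"


def decide(opt_rdata):
    """What the hypothetical controller would install once the DNS server notifies
    it: the chosen unit and a prefix match (ECS never yields a single host)."""
    try:
        net = parse_ecs(opt_rdata)
    except ValueError as err:
        return {"unit": "normal", "match": None, "out_port": UNIT_PORTS["normal"],
                "reason": f"malformed-ecs: {err}"}
    unit = choose_firewall_unit(net)
    return {"unit": unit, "match": str(net) if net else None,
            "out_port": UNIT_PORTS[unit], "reason": "policy"}


if __name__ == "__main__":
    for prefix in ("203.0.113.0/24", "203.0.0.0/16", "198.51.100.0/24", "2001:db8::/56"):
        print(prefix, "->", decide(build_ecs(prefix)))
```

Two caveats a deployer would want to keep in mind: ECS carries a prefix rather than a host address (resolvers commonly send a /24 for IPv4 and a /56 for IPv6), so the controller's flow match must be on the prefix, and the allowlist test above deliberately requires the whole ECS prefix to sit inside an allowlisted network so that a coarse prefix covering trusted and untrusted hosts does not earn the lightweight path. Second, the option is set by whatever resolver forwards the query and is not authenticated, which is why the example treats the lookup as choosing an inspection path and never as a reason to skip inspection altogether.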

Original language: English
Pages (from-to): 2633-2643
Number of pages: 11
Journal: IEICE Transactions on Information and Systems
Volume: E101D
Issue number: 11
DOI: 10.1587/transinf.2017ICP0014
Publication status: Published - Nov 1 2018

Keywords

  • Client subnet option
  • DNS
  • Domain name resolution
  • EDNS
  • Firewall system
  • OpenFlow
  • SDN

ASJC Scopus subject areas

  • Software
  • Hardware and Architecture
  • Computer Vision and Pattern Recognition
  • Electrical and Electronic Engineering
  • Artificial Intelligence

Cite this

Design and implementation of SDN-based proactive firewall system in collaboration with domain name resolution. / Ikarashi, Hiroya; Jin, Yong; Yamai, Nariyoshi; Kitagawa, Naoya; Okayama, Kiyohiko.

In: IEICE Transactions on Information and Systems, Vol. E101D, No. 11, 01.11.2018, p. 2633-2643.

Ikarashi, Hiroya ; Jin, Yong ; Yamai, Nariyoshi ; Kitagawa, Naoya ; Okayama, Kiyohiko. / Design and implementation of SDN-based proactive firewall system in collaboration with domain name resolution. In: IEICE Transactions on Information and Systems. 2018 ; Vol. E101D, No. 11. pp. 2633-2643.
@article{36b4f7e5729c49c6a7c6c96fb0a76cf3,
title = "Design and implementation of SDN-based proactive firewall system in collaboration with domain name resolution",
keywords = "Client subnet option, DNS, Domain name resolution, EDNS, Firewall system, OpenFlow, SDN",
author = "Hiroya Ikarashi and Yong Jin and Nariyoshi Yamai and Naoya Kitagawa and Kiyohiko Okayama",
year = "2018",
month = "11",
day = "1",
doi = "10.1587/transinf.2017ICP0014",
language = "English",
volume = "E101D",
pages = "2633--2643",
journal = "IEICE Transactions on Information and Systems",
issn = "0916-8532",
publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",
number = "11",

}

TY - JOUR

T1 - Design and implementation of SDN-based proactive firewall system in collaboration with domain name resolution

AU - Ikarashi, Hiroya

AU - Jin, Yong

AU - Yamai, Nariyoshi

AU - Kitagawa, Naoya

AU - Okayama, Kiyohiko

PY - 2018/11/1

Y1 - 2018/11/1

KW - Client subnet option

KW - DNS

KW - Domain name resolution

KW - EDNS

KW - Firewall system

KW - OpenFlow

KW - SDN

UR - http://www.scopus.com/inward/record.url?scp=85056100920&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85056100920&partnerID=8YFLogxK

U2 - 10.1587/transinf.2017ICP0014

DO - 10.1587/transinf.2017ICP0014

M3 - Article

AN - SCOPUS:85056100920

VL - E101D

SP - 2633

EP - 2643

JO - IEICE Transactions on Information and Systems

JF - IEICE Transactions on Information and Systems

SN - 0916-8532

IS - 11

ER -