Implementation method of software-defined firewall system

An implementation method based on software-defined networking technology, applied in the field of computer networks, addresses the problems that packet filtering places a burden on the SDN controller and the OpenFlow switch and increases the complexity of packet processing at the data layer; the method reduces the amount of computation and achieves high versatility.

Active Publication Date: 2019-10-25
ZHEJIANG UNIV

AI Technical Summary

Problems solved by technology

At present, the Floodlight controller has a firewall module that implements a stateless packet-filtering firewall: it inspects the first packet of a network flow to enforce access control. However, a purely stateless firewall cannot filter packets according to their connection state, which is a serious limitation; for example, it cannot implement one-way TCP access between the internal and external networks.
Wang Juan and others added a state table to the SDN controller and the OpenFlow switch, and realized a synchronized state connection table between the




Embodiment

[0042] The present invention is further described below with reference to a specific example. As shown in Figure 3, two hosts h1 and h2 are connected through an OpenFlow switch. The IP addresses of the two hosts are 10.0.0.1/24 and 10.0.0.2/24 respectively, their MAC addresses are 00:00:00:00:00:01 and 00:00:00:00:00:02, and the OpenFlow switch is connected to the SDN controller.

[0043] 1. Implementation of stateful firewall for TCP packets

[0044] The network administrator adds the firewall rules shown in Table 1 through the firewall (the rules allow h1 to actively access h2 and deny h2 actively accessing h1).

[0045] Table 1 Firewall rules

[0046]
priority  source IP address  destination IP address  protocol type  action
2         10.0.0.1           10.0.0.2                TCP            Allow
1         10.0.0.2           10.0.0.1                TCP            Deny

[0047] When h1 initiates a TCP connection to h2, h1 first sends a SYN request packet, which matches the initial flow entry when passing t...


Abstract

The invention discloses an implementation method of a software-defined firewall system, which belongs to the technical field of computer networks. The method comprises the following steps: establishing a connection between an OpenFlow switch and an SDN controller, and receiving a table-miss flow table entry and an initial flow table entry; the OpenFlow switch sending data packets to the SDN controller; a state detection filtering module in the SDN controller performing state detection filtering on TCP packets by combining the firewall rules with the state of the packet, and maintaining a state connection table; and a packet filtering module in the SDN controller performing packet filtering on packets of stateless IP protocols according to the firewall rules, and issuing a flow table entry to the OpenFlow switch to guide the processing of subsequent packets. With this method, stateless packet filtering and stateful state detection filtering are carried out separately for packets of different protocol types, so the function of a stateful firewall is achieved; the amount of computation on the SDN controller is reduced by issuing flow table entries in the packet filtering process; and because the OpenFlow protocol does not need to be modified to achieve state detection filtering, higher universality is achieved.
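As an added illustration (not the patent's own code, whose details the page does not give), the following Python model shows the split the abstract describes: TCP packets go through a state detection filter that keeps a state connection table, while packets of other IP protocols get stateless rule matching whose result is issued as a flow entry so the switch stops sending that flow to the controller. The rule and packet representations, the `Controller` class and its methods are assumptions made for this example, one ICMP rule is added that is not in Table 1, and the replayed packets are constructed to match the embodiment's h1/h2 scenario.

```python
"""Toy model of the controller-side firewall described in the abstract (added example).

Assumed conventions: a rule is (priority, src, dst, proto, action), highest priority
wins; a packet is a dict with src/dst/proto and, for TCP, sport/dport plus a set of
flags; the "flow table" dict stands in for entries issued to the OpenFlow switch.
"""
from dataclasses import dataclass

ALLOW, DENY = "Allow", "Deny"


@dataclass
class Rule:
    priority: int
    src: str
    dst: str
    proto: str
    action: str


H1, H2 = "10.0.0.1", "10.0.0.2"

# Table 1 of the embodiment, plus one constructed ICMP rule (not in the patent)
# so that the stateless path has something to allow.
RULES = [
    Rule(2, H1, H2, "TCP", ALLOW),
    Rule(1, H2, H1, "TCP", DENY),
    Rule(1, H1, H2, "ICMP", ALLOW),  # constructed for illustration only
]


def match_rule(rules, src, dst, proto):
    """Stateless lookup: highest-priority exact match decides; default deny."""
    for r in sorted(rules, key=lambda r: r.priority, reverse=True):
        if (r.src, r.dst, r.proto) == (src, dst, proto):
            return r.action
    return DENY


def conn_key(pkt):
    """Direction-independent key so both halves of a TCP connection share one entry."""
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return ("TCP",) + tuple(ends)


class Controller:
    def __init__(self, rules):
        self.rules = rules
        self.conn_table = {}   # state connection table, keyed by conn_key
        self.flow_table = {}   # entries "issued" to the switch for stateless flows
        self.packet_ins = 0    # how often the switch had to ask the controller

    def switch_forward(self, pkt):
        """Data-plane model: a stateless flow entry answers locally; otherwise packet-in."""
        key = (pkt["src"], pkt["dst"], pkt["proto"])
        if pkt["proto"] != "TCP" and key in self.flow_table:
            return self.flow_table[key]
        self.packet_ins += 1
        return self._stateful_tcp(pkt) if pkt["proto"] == "TCP" else self._stateless(pkt)

    def _stateless(self, pkt):
        """Packet filtering for stateless protocols; the verdict becomes a flow entry."""
        key = (pkt["src"], pkt["dst"], pkt["proto"])
        action = match_rule(self.rules, *key)
        self.flow_table[key] = action  # switch handles the rest of this flow itself
        return action

    def _stateful_tcp(self, pkt):
        """State detection filtering: rules decide who may open; state admits replies."""
        key, flags = conn_key(pkt), pkt["flags"]
        sender = (pkt["src"], pkt["sport"])
        entry = self.conn_table.get(key)
        if entry is None:
            # Only a bare SYN may open a connection, and only in a rule-allowed direction.
            if flags != {"SYN"} or match_rule(self.rules, pkt["src"], pkt["dst"], "TCP") != ALLOW:
                return DENY
            self.conn_table[key] = {"state": "SYN_SENT", "initiator": sender, "fins": set()}
            return ALLOW
        if "RST" in flags:
            del self.conn_table[key]
            return ALLOW
        state = entry["state"]
        if state == "SYN_SENT" and flags == {"SYN", "ACK"} and sender != entry["initiator"]:
            entry["state"] = "SYN_RECEIVED"
        elif state == "SYN_RECEIVED" and "ACK" in flags and sender == entry["initiator"]:
            entry["state"] = "ESTABLISHED"
        elif state != "ESTABLISHED":
            return DENY  # does not fit the handshake (retransmissions are not modelled)
        if "FIN" in flags:
            entry["fins"].add(sender)
            if len(entry["fins"]) == 2:  # both sides have closed
                del self.conn_table[key]
        return ALLOW


def tcp(src, sport, dst, dport, *flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": "TCP", "flags": set(flags)}


def run_embodiment():
    """Replay the embodiment's scenario with constructed packets and collect the verdicts."""
    ctl, r = Controller(RULES), {}
    # h1 -> h2: the SYN/ACK reply is admitted by connection state, not by any h2 -> h1 rule.
    r["h1_syn"] = ctl.switch_forward(tcp(H1, 40000, H2, 80, "SYN"))
    r["h2_synack"] = ctl.switch_forward(tcp(H2, 80, H1, 40000, "SYN", "ACK"))
    r["h1_ack"] = ctl.switch_forward(tcp(H1, 40000, H2, 80, "ACK"))
    r["h2_data"] = ctl.switch_forward(tcp(H2, 80, H1, 40000, "ACK"))
    r["states"] = [e["state"] for e in ctl.conn_table.values()]
    # h2 -> h1: a fresh SYN is denied by rule; a stray ACK belongs to no known connection.
    r["h2_syn"] = ctl.switch_forward(tcp(H2, 50000, H1, 22, "SYN"))
    r["h2_stray_ack"] = ctl.switch_forward(tcp(H2, 50000, H1, 22, "ACK"))
    # ICMP takes the stateless path: first packet is a packet-in, the second hits the flow entry.
    icmp = {"src": H1, "dst": H2, "proto": "ICMP"}
    r["icmp_first"] = ctl.switch_forward(icmp)
    before = ctl.packet_ins
    r["icmp_second"] = ctl.switch_forward(icmp)
    r["icmp_second_used_flow_entry"] = ctl.packet_ins == before
    # RST tears the connection entry down.
    r["h1_rst"] = ctl.switch_forward(tcp(H1, 40000, H2, 80, "RST"))
    r["entries_after_rst"] = len(ctl.conn_table)
    r["packet_ins"] = ctl.packet_ins
    return r


if __name__ == "__main__":
    for k, v in run_embodiment().items():
        print(f"{k}: {v}")
```

The point to notice is which packets reach the controller: every TCP packet is a packet-in because the state table lives in the controller and the OpenFlow protocol is left unmodified, while the ICMP flow costs exactly one packet-in before the issued flow entry takes over.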

Description

Technical field

[0001] The invention belongs to the technical field of computer networks, and in particular relates to an implementation method of a software-defined firewall system.

Background technique

[0002] SDN (Software Defined Networking) proposes separating the control plane and the data plane of network equipment and strips away the software that originally ran on proprietary hardware, making the network device a white box that no longer runs any network protocol and is responsible only for matching and forwarding packets. The OpenFlow protocol is the standard southbound interface protocol for communication between OpenFlow switches and controllers. SDN technology makes the control plane of network equipment programmable and centrally manages and controls network equipment through controllers, which greatly simplifies network configuration management, reduces the cost of hardware equipment, and shortens the cycle of networ...


Application Information

IPC (8): H04L29/06
CPC: H04L63/02; H04L63/0227; H04L63/20
Inventors: 宋姝雨, 李荣鹏, 赵志峰, 张宏纲
Owner: ZHEJIANG UNIV