Can An Sdn Switch Behave Like A Firewall?

By Author: IP Fabrics
Total Articles: 4
Comment this article

SDN switch can drop packets of flow that are not permitted by the controller. SDN basically evolved from the concept of decoupling the lower frame/packet forwarding from the control function that brilliantly determines how application traffic should be transported. The separation of the forwarding plane from the control plane allows the networks to make easier packet processing in new ways and also created a paradigm for network virtualization.

Software Defined Networking has opened up a new world of network design and enabled creative approach to networking. SDN has caused us to reconsider the security policies that are enforced within the network.In an OpenFlow SDN model, the flows within a network switch are placed there by an OpenFlow controller. If a flow is not there then the switch travel to the controller to ask for help that how the packets should be forwarded. Openflow technical specifications states that if the table flow entry is not present in switch and if there is no rule to send the packets to the controller then the packet is dropped by the switch.

If the switch travels the packet ...
... to the controller then controller processes the packet-in message and decides the destiny of the packet. By this behavior of SDN switch, it seems like it is behaving like a firewall and enforcing the rule which is not included in the flow table and dropped. All this sounds like a new form of security and makes it seem like each and every port of an SDN switch can behave like a firewall.

Mostly SDN switches behave like a standard Ethernet switch and flood traffic out of all ports for Ethernet frames. Many Modern SDN switches flood normal ARP traffic like a hardware based Ethernet switch. In some situations, the default behavior for an SDN switch is to act like an Ethernet bridge or learning bridge. It is possible to put an SDN switch into a clear forwarding mode whereby only flows allowed or pushed/configured by controller are allowed.

So how can a modern SDN product implement security and could they really behave like a traditional firewall?

In IP Fabrics Application Centric Infrastructure, the Nexus 9000 switches operate in a stateless manner. Application Network Profiles configured in the Application policy infrastructure controller are moved to the switches in the application centric infrastructure fabric in a stateless manner. Therefore, an ACI system would not be able to operate within the same level of security as a standard stateful firewall. There are many specialized groups who are working to create SDN system that will provide robust security policy enforcement.

By this analysis, we can conclude that an SDN switch device that obtains the forwarding policies from a controller is not necessarily state-ful. However these SDN switches are unable to provide the same level of protection as a stateful firewall. It is very important to ask about the details of the statefulness of the firewall capabilities in the SDN switches from the vendors and also understand how they operate. Mostly these SDN devices operates in a stateless manner, but if your organization requires stateful firewall protection then you must go for SDN policies to direct the traffic with service chaining towards a stateful packet examination Network Functions Virtualization firewall.