Inspired by Software-Defined Networking (SDN), Software-Defined Security (SDS), which separates the security data plane from the security control plane, enables a more flexible network security system. A firewall is an important network security protection technology that filters and blocks packets on the network. However, traditional firewalls based on hardware devices are physically constrained and must be installed at multiple locations in a network, and firewall devices are difficult to coordinate with other security entities. Taking advantage of SDN technology in network security applications, this paper proposes a software-defined firewall system. The system is characterized by network-wide access control, real-time traffic monitoring, and dynamic updating of security policies. It provides two different types of firewall security service, namely a packet-filtering firewall service and a stateful-inspection firewall service. The control layer of the firewall service is developed on the OpenDaylight open-source controller, and security policies are issued flexibly using the OpenFlow protocol. In addition, as part of a collaborative defense system, the system provides northbound RESTful interfaces that enable the intrusion detection system to transmit security policies over the network, and implements real-time monitoring of network traffic based on sFlow. This paper uses Mininet to build a virtual topology to verify the system's firewall security services and traffic monitoring functions. The results show that the firewall security services provide access control over the network according to the security policy, and that the traffic monitoring center is able to analyze and classify the traffic. Finally, our network security team set up the collaborative defense system on physical devices. The software-defined firewall system designed in this paper is responsible for receiving security policies and defending against malicious traffic in real time. We ran attack and defense experiments multiple times. The results show that the collaborative defense system can detect and defend against network attacks in a relatively short period of time.
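The abstract describes packet-filtering policies that the controller turns into OpenFlow entries and that an IDS can push through a northbound REST interface. The following is an added illustration of that translation step and is not code from the paper or from the OpenDaylight project: the rule format, the controller address, the node id `openflow:1`, and the priority values are assumptions, and the flow JSON shape follows the OpenDaylight `flow-node-inventory` RESTCONF model as published in the OpenDaylight documentation, so check it against your controller release.

```python
import ipaddress
import json

PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}

def policy_to_flow(rule, flow_id, table_id=0):
    """Translate one rule (src/dst CIDR, proto, dport, action, priority) to an ODL flow."""
    match = {"ethernet-match": {"ethernet-type": {"type": 0x0800}}}  # IPv4 only
    for key, field in (("src", "ipv4-source"), ("dst", "ipv4-destination")):
        if rule.get(key):
            match[field] = str(ipaddress.ip_network(rule[key], strict=False))
    proto = rule.get("proto")
    if proto:
        match["ip-match"] = {"ip-protocol": PROTO_NUM[proto]}
    if rule.get("dport") is not None:
        if proto not in ("tcp", "udp"):
            raise ValueError("dport requires proto tcp or udp")
        match[f"{proto}-destination-port"] = int(rule["dport"])
    if rule["action"] == "drop":
        actions = [{"order": 0, "drop-action": {}}]
    else:  # hand allowed traffic to the switch's NORMAL (L2 learning) pipeline
        actions = [{"order": 0, "output-action": {"output-node-connector": "NORMAL"}}]
    return {"id": str(flow_id), "table_id": table_id, "priority": int(rule["priority"]),
            "match": match, "instructions": {"instruction": [
                {"order": 0, "apply-actions": {"action": actions}}]}}

def restconf_put(controller, node, flow):
    """URL and JSON body of the PUT that installs the flow through the controller (assumed path)."""
    url = (f"http://{controller}:8181/restconf/config/opendaylight-inventory:nodes/"
           f"node/{node}/table/{flow['table_id']}/flow/{flow['id']}")
    return url, json.dumps({"flow-node-inventory:flow": [flow]})

def select_flow(flows, src, dst, proto, dport=None):
    """Mimic the switch lookup: highest-priority entry whose match covers the packet."""
    def covers(m):
        for field, addr in (("ipv4-source", src), ("ipv4-destination", dst)):
            if field in m and ipaddress.ip_address(addr) not in ipaddress.ip_network(m[field]):
                return False
        if "ip-match" in m and m["ip-match"]["ip-protocol"] != PROTO_NUM[proto]:
            return False
        port_key = f"{proto}-destination-port"
        return port_key not in m or m[port_key] == dport
    hits = [f for f in flows if covers(f["match"])]
    return max(hits, key=lambda f: f["priority"]) if hits else None

# Constructed sample policy: default allow for the subnet plus a drop rule for a
# host the IDS reported, installed at higher priority so that it wins the lookup.
POLICY = [{"src": "10.0.0.0/24", "action": "allow", "priority": 10},
          {"src": "10.0.0.7/32", "proto": "tcp", "dport": 80, "action": "drop", "priority": 200}]
FLOWS = [policy_to_flow(rule, i) for i, rule in enumerate(POLICY, start=1)]
```

The `select_flow` check shows the point a practitioner has to get right when an IDS pushes a blocking rule at runtime: the new entry only takes effect if its priority is above the standing allow entries it overlaps.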