
Research On SDN Firewall Rule Conflict Detection Method

Posted on: 2022-10-11
Degree: Master
Type: Thesis
Country: China
Candidate: J Li
Full Text: PDF
GTID: 2518306497497514
Subject: Information and Communication Engineering
Abstract/Summary:
As a new type of network architecture, Software Defined Networking (SDN) decouples the data plane from the control plane of the traditional network, bringing greater flexibility and programmability. However, this new architecture also introduces security risks. In an SDN network the controller centrally controls the data plane by issuing flow table rules, and the firewall, a common function for protecting a user's internal network, faces risks that do not exist in traditional networks. First, an SDN firewall usually receives configuration from several user applications whose firewall rules may not agree, which leads to conflicts within the firewall; this phenomenon is called an internal rule conflict. Second, users can use the modification actions provided by SDN to rewrite packet headers in order to implement their network functions. A sequence of such header-modification operations can let an application bypass firewall rule inspection, so that the firewall rules fail and security problems arise; these are called rule bypass conflicts. This thesis therefore focuses on these two kinds of firewall rule conflict under SDN. The main research contents are as follows:

(1) For the problem of internal rule conflicts in SDN firewalls, this thesis analyzes the process and causes of such conflicts and defines and formalizes the related conflict types. On this basis, a detection method based on an HPT tree is proposed. The method stores SDN firewall rules in a structure combining a hash table and a Patricia tree to speed up rule lookup during subsequent conflict detection. The method accurately detects the conflicting rules inside the firewall and reduces the time cost of detection compared with traditional algorithms.

(2) For the problem of rule bypass conflicts across the whole SDN network, this thesis describes the principle in detail, analyzes the alias set algorithm of the classic solution to this problem and explains its shortcomings, and on this basis proposes an improved method based on a forwarding graph. The method collects the flow table entries that modify packets in the network and builds a forwarding graph, from which the actual forwarding path of a packet is determined. This makes up for the alias set algorithm's failure to check the actual forwarding path of the packet and improves the accuracy of bypass conflict detection.

(3) A firewall rule conflict detection system for SDN is designed and implemented on the ONOS controller. Performance tests and function tests of the internal rule conflict detection algorithm and the rule bypass conflict detection algorithm were carried out respectively. The experimental results show that the HPT-tree-based internal rule conflict detection algorithm proposed in this thesis effectively reduces detection time and speeds up the detection process, and that the forwarding-graph-based rule bypass conflict detection method is feasible and effective.
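As an added illustration (not the thesis's own code or its ONOS implementation), the following Python sketch shows both conflict classes from the abstract on constructed rule sets. Part 1 stores rules in a hash table keyed by protocol and destination port whose buckets are binary prefix tries over the source address (an uncompressed stand-in for the Patricia tree) and reports overlapping rules with differing actions. Part 2 builds a forwarding graph from header-rewriting flow entries and walks a packet along its actual path, which is what distinguishes the forwarding-graph approach from a pure alias-set check: an alias that no path from the ingress actually reaches is not reported. All class names, rule fields, switch names and sample data are assumptions.

```python
"""Added example, not the thesis's code: the two SDN firewall conflict checks.

Part 1 (internal rule conflicts): HPT-style store = hash table keyed by
(protocol, dst port) whose buckets are binary prefix tries over the source
prefix (uncompressed stand-in for a Patricia tree). Two rules conflict when
their match spaces overlap and their actions differ.

Part 2 (rule bypass conflicts): header-rewriting flow entries form a
forwarding graph; a packet is walked along its real path, and if a rewritten
copy reaches the protected host carrying the denied destination, the firewall
rule is reported as bypassed. All names and sample data are assumptions.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str        # "tcp" or "udp"
    src: str          # CIDR prefix of the source address
    dst_port: int
    action: str       # "allow" or "deny"


class PrefixTrie:
    """Binary trie over address prefixes; a node is a dict with '0', '1', 'rules'."""

    def __init__(self):
        self.root = {}

    @staticmethod
    def _bits(cidr):
        net = ipaddress.ip_network(cidr, strict=False)
        return format(int(net.network_address), f"0{net.max_prefixlen}b")[:net.prefixlen]

    def insert(self, rule):
        node = self.root
        for b in self._bits(rule.src):
            node = node.setdefault(b, {})
        node.setdefault("rules", []).append(rule)

    def overlapping(self, rule):
        """Rules whose prefix contains, equals or is contained in rule.src."""
        found, node = [], self.root
        for b in self._bits(rule.src):
            found.extend(node.get("rules", []))   # shorter prefixes on the path
            node = node.get(b)
            if node is None:
                return found
        stack = [node]                            # equal and longer prefixes
        while stack:
            n = stack.pop()
            found.extend(n.get("rules", []))
            stack.extend(n[c] for c in ("0", "1") if c in n)
        return found


def detect_internal_conflicts(rules):
    """Insert rules in order; return (earlier, later) name pairs that overlap with different actions."""
    buckets = defaultdict(PrefixTrie)             # the hash-table level of the store
    conflicts = []
    for rule in rules:
        trie = buckets[(rule.proto, rule.dst_port)]
        conflicts += [(old.name, rule.name) for old in trie.overlapping(rule)
                      if old.action != rule.action]
        trie.insert(rule)
    return conflicts


@dataclass(frozen=True)
class FlowEntry:
    switch: str
    match_dst: str                  # exact destination address the entry matches
    out: str                        # next switch or host
    set_dst: Optional[str] = None   # header rewrite applied before forwarding


def bypass_paths(entries, firewall, deny_dst, ingress, host, max_hops=16):
    """Paths on which a packet reaches `host` with destination `deny_dst` even
    though the firewall at switch `firewall` drops packets arriving with it."""
    graph = defaultdict(list)
    for e in entries:
        graph[e.switch].append(e)
    paths = []
    stack = [(ingress, d, [f"{ingress}:{d}"]) for d in sorted({e.match_dst for e in entries})]
    while stack:
        node, dst, path = stack.pop()
        if node == host:
            if dst == deny_dst:
                paths.append(path)
            continue
        if (node == firewall and dst == deny_dst) or len(path) > max_hops:
            continue                              # dropped by the rule / loop guard
        for e in graph[node]:
            if e.match_dst == dst:
                new_dst = e.set_dst or dst
                stack.append((e.out, new_dst, path + [f"{e.out}:{new_dst}"]))
    return paths


# Constructed sample data (not from the thesis).
SAMPLE_RULES = [
    Rule("r1", "tcp", "10.0.0.0/24", 80, "allow"),
    Rule("r2", "tcp", "10.0.0.128/25", 80, "deny"),    # inside r1, opposite action
    Rule("r3", "tcp", "10.0.0.0/24", 443, "deny"),     # other bucket: no conflict
    Rule("r4", "udp", "10.0.0.0/24", 80, "allow"),     # other bucket: no conflict
    Rule("r5", "tcp", "10.0.0.0/16", 80, "allow"),     # covers r1 and r2
]
SAMPLE_FLOWS = [
    FlowEntry("s1", "10.0.0.9", "s2", set_dst="10.0.0.5"),  # rewrite after the fw check
    FlowEntry("s1", "10.0.0.5", "s2"),
    FlowEntry("s2", "10.0.0.5", "h5"),
    FlowEntry("s3", "10.0.0.7", "h5", set_dst="10.0.0.5"),  # alias, but unreachable from s1
]

if __name__ == "__main__":
    print(detect_internal_conflicts(SAMPLE_RULES))
    print(bypass_paths(SAMPLE_FLOWS, "s1", "10.0.0.5", "s1", "h5"))
```

On the sample data the store reports r1/r2 and r2/r5 as internal conflicts (r3 and r4 land in other hash buckets and are never compared), and the graph walk reports the single path s1 → s2 → h5 on which a packet entering with destination 10.0.0.9 is rewritten to 10.0.0.5 after passing the firewall check; the rewrite on s3 is an alias of the denied address but lies on no path from the ingress, so it is not flagged.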
Keywords/Search Tags: Firewall, Software-defined network, Inter-conflict detection, Bypass conflict detection