TY - GEN
T1 - Cost-Effective N:1 Firewall Array Via Subnet-Level Load Balancing by SDN/OpenFlow Switches
AU - Quispe, Christian I.
AU - Santivanez, Cesar A.
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2018/12/5
Y1 - 2018/12/5
N2 - Enterprise networks' firewalls are rarely set up in a shared-protection (N:1) configuration, preferring instead the more costly active-standby (1+1) configuration. This is due, in part, to the high cost associated with software-based per-flow load balancing at high traffic loads. In this work, we propose the use of SDN/OpenFlow switches as a low-cost hardware-based alternative for subnet-level load balancing, for use in an N:1 firewall array. Our design guarantees that the N:1 system exhibits the same performance as a 1+1 system but at a much lower cost. In particular, the design provides lossless firewall handover of subnets in response to traffic bursts. A prototype of the system has been implemented in Python over the base of the Floodlight OpenFlow Controller and tested in our SDN Test-Bed using the ISPDSL II traffic traces, evaluating the behavior during traffic peaks. Initial results show that the system successfully migrates subnet traffic without packet losses, call blockings, or TCAM exhaustion.
AB - Enterprise networks' firewalls are rarely set up in a shared-protection (N:1) configuration, preferring instead the more costly active-standby (1+1) configuration. This is due, in part, to the high cost associated with software-based per-flow load balancing at high traffic loads. In this work, we propose the use of SDN/OpenFlow switches as a low-cost hardware-based alternative for subnet-level load balancing, for use in an N:1 firewall array. Our design guarantees that the N:1 system exhibits the same performance as a 1+1 system but at a much lower cost. In particular, the design provides lossless firewall handover of subnets in response to traffic bursts. A prototype of the system has been implemented in Python over the base of the Floodlight OpenFlow Controller and tested in our SDN Test-Bed using the ISPDSL II traffic traces, evaluating the behavior during traffic peaks. Initial results show that the system successfully migrates subnet traffic without packet losses, call blockings, or TCAM exhaustion.
KW - Application Delivery Controller (ADC)
KW - ExoGENI TestBed
KW - Firewall Array N
KW - Firewall Load Balancer
KW - HandOff Process
UR - http://www.scopus.com/inward/record.url?scp=85060370260&partnerID=8YFLogxK
U2 - 10.1109/ANDESCON.2018.8564610
DO - 10.1109/ANDESCON.2018.8564610
M3 - Conference contribution
AN - SCOPUS:85060370260
T3 - 2018 IEEE ANDESCON, ANDESCON 2018 - Conference Proceedings
BT - 2018 IEEE ANDESCON, ANDESCON 2018 - Conference Proceedings
A2 - Callejas, Jose David Cely
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 9th IEEE ANDESCON, ANDESCON 2018
Y2 - 22 August 2018 through 24 August 2018
ER -