Summary

International Technical Conference on Circuits/Systems, Computers and Communications

2016

Session Number: M1-1

Number: M1-1-3

Design and Implementation of Proactive Firewall System in Cooperation with DNS and SDN

Tomokazu Otsuka, Nariyoshi Yamai, Kiyohiko Okayama, Yong Jin, Hiroya Ikarashi, Naoya Kitagawa

pp. 25-28

Publication Date: 2016/7/10

Online ISSN: 2188-5079

DOI: 10.34385/proc.61.M1-1-3

Summary:
Recently, unauthorized access attempts from external networks to internal hosts have been increasing sharply. Although firewall appliances are widely deployed as one countermeasure, their throughput is not high enough, especially when they perform deep packet inspection. To address this problem, we propose a proactive firewall system consisting of two or more firewall appliances and a Software Defined Network (SDN) that adaptively selects an appropriate appliance for each communication flow based on criteria such as whether the peer is trusted. To learn the peer IP address before the flow starts, the system uses the EDNS Client Subnet option of DNS. Performance evaluation on a prototype system confirmed that it could effectively separate the flows of trusted hosts from other flows.