Title :
Detection and prevention of firewall-rule conflicts on software-defined networking
Author :
Ferney A. Maldonado-Lopez;Eusebi Calle;Yezid Donoso
Author_Institution :
Departamento de Ingenierí
Abstract :
Software-Defined Networking (SDN) is a different approach to managing a network by software. It can use well-defined software expressions and predicates to regulate network behavior. Current SDN controllers, such as Floodlight, offer a framework to develop, test and run applications that control the network operation, including the firewall function. However, they are not able to validate firewall policies or detect conflicts, nor do they prevent contradictory configurations on network devices. Some compilers only detect conflicts for a subset of the language; hence, they cannot detect conflicts related to contradicting rules with security controls. This paper presents our framework based on Alloy, called FireWell. FireWell is able to model firewall policies as formal predicates to validate, detect and prevent conflicts in firewall policies. In addition, we present the implementation of FireWell and test it using the Floodlight controller and its firewall application.
Keywords :
"Metals","Protocols","Topology","Semantics","Ports (Computers)","Network topology","Shadow mapping"
Conference_Titel :
Reliable Networks Design and Modeling (RNDM), 2015 7th International Workshop on
Print_ISBN :
978-1-4673-8050-8
DOI :
10.1109/RNDM.2015.7325238