Create a configurable firewall using an OpenFlow switch

Assignment Help Computer Engineering
Reference no: EM132160530

CS 6250 Project - SDN Firewall

Goal - In this project, you will use SDN to create a configurable firewall using an OpenFlow enabled switch. This is beyond what is possible with traditional L2 switches, and shows how the simplest of SDN switches are more capable than even the fanciest of L2 switches.

You are going to create an externally configurable firewall using Pyretic. That means that the firewall rules are provided in a configuration file, so they can be changed without altering the switch code.

This firewall is the type that allows all traffic that isn't expressly disallowed (a blacklist firewall). This is the type of firewall that you would find in an office environment where you wish to restrict access to certain resources from other devices. The alternative is to disallow all traffic that isn't allowed by the policy (whitelist firewall). A whitelist firewall is typically used in edge situations protecting internal resources from the outside/Internet (an example is a home internet router). The code we have provided for this project could be modified to implement this second type of firewall, and would be a worthwhile project for those who are interested in learning further.

In the Project directory, there are many files, described below:

  • firewall-policies-bad.pol - This is an example firewall configuration policy that is broken. When parsing, an error message will be thrown. Each line has an error of some type. Try removing lines to see the different possible error messages. This shows how the policy file is parsed by the parse_config function in firewall.py
  • firewall-policies-good.pol - This is an example firewall configuration policy that disallows all devices from connecting to port 1080 on all devices. You can use this as the base for the firewall-config.pol file you will generate later in the instructions. The code to implement this firewall policy is included in the Firewall_policy.py file.
  • Firewall_policy.py - This is the file where you will implement the firewall using python and pyretic code, based on the policy configuration that is passed in via the configuration files.
  • firewall.py - This is the file that sets up pyretic application and reads the firewall config policy into a data object. DO NOT MODIFY THIS FILE. A shell script is provided to help run it. This file contains the code that is used to parse your firewall-config.pol file, so please look here for the import format for your firewall-config.pol.
  • firewall-topo.py - This is a mininet program to start your topology. It consists of one switch and two groups of hosts. Modifying this file isn't necessary, but you may choose to try different topologies for testing your code (make sure that your firewall-config.pol works with the original firewall-topo.py, however).
  • pyretic_switch.py - This implements a learning switch. You do not need to modify this file.
  • run-firewall.sh - This script runs the firewall using pyretic. (It starts the firewall.py application.) The files need to be in the pyretic directory trees, and this script makes that happen. Also, it allows for different configuration files to be used by giving the filename on the command line.
  • test-tcp-client.py - This acts as a TCP client: opens a connection, sends a string, then waits to hear it echoed back. You can use this to test your firewall policies.
  • test-tcp-server.py - This acts as a TCP server: listens on a specified port, echoes back whatever it hears. You can use this together with the test-tcp-client.py program.
  • test-udp-client.py - This acts as a UDP client to test your firewall policies.
  • test-udp-server.py - This acts as a UDP server which echoes back whatever it hears. You can use this together with the test-udp-client.py program.

Instructions - RUN THIS PROJECT ON THE OLD VM, BUT PLEASE USE THE EXTRA CREDIT OPPORTUNITY BY RUNNING THIS PROJECT ON THE NEW VM. THERE WILL BE A PIAZZA THREAD ABOUT THIS PROJECT AND THE NEW VM.

Rules to be implemented:

1. One common implementation for a virtual private network solution utilizes PPTP (Point-to-Point Tunnelling Protocol). It now has many issues related to the way it authenticates users. Write firewall policy rules to block PPTP that will prohibit all systems from accessing a PPTP server running on server2. (TCP Port 1723)

2. SSH is used to provide a remote shell which can be used to forward other ports or to bypass firewalls. Write firewall policy rule(s) that will prohibit all computers/devices from connecting to a SSH server on the east hosts (e1-e3). (TCP and UDP Port 22)

3. One common way to perform a distributed denial of service (DDoS) attack is an amplification attack using the Network Time Protocol (NTP) and Domain Name Services (DNS), taking advantage of the UDP protocol to saturate the links. Write firewall policy rule(s) to protect the DNS and NTP Services on server1 and server2 from all hosts. However, the DNS and NTP services on server3 should remain accessible. (UDP Ports 123 and 53, respectively)

4. Write a series of firewall policy rules disallowing hosts w1 and w2 from pinging mobile1. This rule will be satisfied if the full ICMP response is not completed. Analyzing the interactions with Wireshark is helpful, but not required.

5. Write a series of firewall policies to disallow all traffic destined to TCP ports 9950-9952 on host e3 from host e1.

6. Write a series of firewall policies to restrict host mobile1 from communicating to any of the east hosts (e1-e3) on both TCP and UDP protocols.

Questions to Ponder -

To help you implement your firewall policy and configuration rules properly, think about the following topics. Feel free to discuss these on Piazza:

  • When creating firewall rules, should you be using BOTH source and destination ports when creating a rule? Why or why not?
  • What happens when you block one side of an ICMP request/response? What is the behavior if you block the sender vs the requester?
  • Pyretic has specific requirements when port numbers are specified. Why is this so?
  • If you do a wireshark traffic dump while testing your rules, why do you sometimes see one-sided responses?
  • Given a rule to block access to a port 80 server on host E2, should you be able to access the port 80 service FROM host E2? Why?
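As an added example, not code from the project or from Pyretic, here is a pure-Python model of the blacklist that rules 1-6 describe; it checks whole exchanges (a TCP handshake, an ICMP request/reply pair) rather than single packets, which is what the questions above turn on. Host names stand in for the addresses the real policy matches on, and the rule tuple layout is an assumption of this model rather than the firewall-config.pol format parsed by firewall.py.

```python
# Added stand-alone model of the assignment's blacklist firewall, not the
# project's Pyretic code. Host names stand in for the addresses a real policy
# matches on; the rule tuple layout is an assumption, not the .pol format.
# Rule = (src hosts, dst hosts, protocol, dst ports); None is a wildcard.
EAST = {"e1", "e2", "e3"}
RULES = [  # constructed to mirror rules 1-6 of the assignment
    (None, {"server2"}, "tcp", {1723}),                # 1: PPTP on server2
    (None, EAST, "tcp", {22}),                         # 2: SSH to east hosts
    (None, EAST, "udp", {22}),
    (None, {"server1", "server2"}, "udp", {53, 123}),  # 3: DNS/NTP; server3 open
    ({"w1", "w2"}, {"mobile1"}, "icmp", None),         # 4: w1/w2 -> mobile1 only
    ({"e1"}, {"e3"}, "tcp", set(range(9950, 9953))),   # 5: 9950-9952 inclusive
    ({"mobile1"}, EAST, "tcp", None),                  # 6: one direction suffices
    ({"mobile1"}, EAST, "udp", None),
]

def matches(rule, pkt):
    src, dst, proto, dports = rule
    return ((src is None or pkt["src"] in src)
            and (dst is None or pkt["dst"] in dst)
            and (proto is None or pkt["proto"] == proto)
            and (dports is None or pkt.get("dport") in dports))

def allowed(pkt, rules=RULES):
    """Blacklist: forward unless some rule matches (in Pyretic, the negated
    union of the match() predicates composed in front of the switch)."""
    return not any(matches(r, pkt) for r in rules)

def tcp_connects(client, server, port, rules=RULES):
    """Needs both the SYN to the server port and the SYN-ACK back to the
    client's ephemeral port. Matching only the destination port blocks the
    service on a host without blocking that host's own outbound connections."""
    syn = {"src": client, "dst": server, "proto": "tcp", "sport": 40000, "dport": port}
    synack = {"src": server, "dst": client, "proto": "tcp", "sport": port, "dport": 40000}
    return allowed(syn, rules) and allowed(synack, rules)

def ping_completes(src, dst, rules=RULES):
    """Echo request one way, reply the other; dropping either half leaves the
    one-sided traffic seen in Wireshark."""
    req = {"src": src, "dst": dst, "proto": "icmp"}
    rep = {"src": dst, "dst": src, "proto": "icmp"}
    return allowed(req, rules) and allowed(rep, rules)

if __name__ == "__main__":
    print("w1 -> server2:1723", tcp_connects("w1", "server2", 1723))  # False
    print("server2 -> w1:1723", tcp_connects("server2", "w1", 1723))  # True
    print("e1 -> mobile1:8080", tcp_connects("e1", "mobile1", 8080))  # False
    print("mobile1 pings w1", ping_completes("mobile1", "w1"))        # False
```

Note that rule 4 only names w1/w2 as sources, yet mobile1 cannot ping them either, because the echo reply is the half that gets dropped.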

Attachment:- Assignment Files.rar

Verified Expert

python-iptables provides Python bindings to iptables under Linux. Interoperability with iptables is achieved by using the iptables C libraries (libiptc and the iptables extensions), not by calling the iptables binary and parsing its output.



Reviews

len2160530

11/5/2018 4:19:39 AM

Read all the instructions carefully! Then read them again after you finish but before you submit, so you can verify that what you did matches what the assignment says exactly. Even seemingly small details in the instructions can be very important! Some of those details exist to allow our grading code to interface with your project properly. You will lose points if your project does not work with our grader because you didn't follow them.

len2160530

11/5/2018 4:19:34 AM

NOTE: A good practice is to run “sudo mn -c” and “killall python” to make sure all processes are shut down. If the error message includes the word “pox”, also consider running “killall pox”. A script has been added (“cleanup.sh”) that will check the ownership of files and will cleanup mininet, python, and pox. NOTE: DO NOT HARDCODE FIREWALL RULES IN THIS FILE! The example was hard coded to demonstrate the desired behavior. The goal of this part of the assignment is to generalize and parse the configuration file to handle any particular firewall configuration file. After completing this part, only TCP Port 1080 should be blocked using the firewall-policies-good.pol file. You will not receive credit for hard-coding the firewall rules!

len2160530

11/5/2018 4:19:25 AM

Notes - Wireshark may be helpful for this project. You can start it from any terminal with the following command: sudo wireshark & (it needs to run as root to sniff traffic) and use it to look at traffic on specific ports. You may wish to start two instances - one on either side of the switch - to see if traffic is actually being completed and received. Note that you can increase the RAM or processor usage for the VM for this project to improve performance. Please remember to set it back to the original settings for Project 8 if you do so. You are being provided a Project 6 GUI tool developed by Sam Paulissian, one of the TAs for this course. You may find it helpful for testing, but you are not required to use it if you are more comfortable using the command line interface. Download the Project6GUI zip file from Canvas and follow the instructions for use found within the folder after you unzip it using the unzip Project6GUI.zip command.

len2160530

11/5/2018 4:19:19 AM

Grading Policy and Rubric

Your firewall_policy.py will be tested with a set of known good configuration files and different topologies that are not provided. These configurations will range from simple port blocking to others that are more complex than what was defined for this project. Also, both simple and complex topologies will be used to evaluate your policy. Your firewall-config.pol file will be tested for validity and functionality by using a known good firewall_policy.py file. It will also be tested in conjunction with your firewall_policy.py file. If you have trouble coding the firewall_policy.py file, at least attempt to create the firewall-config.pol to get additional partial credit.

len2160530

11/5/2018 4:19:14 AM

30 pts - Correct Submission: turning in all the correct files with the correct names, and significant effort has been made in each file towards completing the project. This will be up to 15 points for each file. The penalty will have a variance based on the effort undertaken.

30 pts - Firewall Policy: the policy in firewall-config.pol passes a variety of tests to ensure correct blocking of traffic per the rules, and allows all other traffic. If there are significant issues with your firewall_policy.py file, your work may be verified against a known good firewall_policy.py file.

40 pts - Firewall Implementation: the firewall implementation in firewall_policy.py passes a variety of tests to ensure it works properly with several different firewall configurations (i.e., different firewall rules and topologies).



All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd