SDN-based Stateful Firewall for Cloud

The firewall service (FWaaS) is one of the key components of the cloud computing environment, it requires the ability to automatically open and flexibly adjust as needed. Current firewalls in the cloud are mainly based on static security rule configuration or simple rule matching, which makes them inflexible and cannot guarantee network security. In this paper, we propose a stateful firewall based on the programmable data plan, compared with existing SDN firewalls, our method is able to extract, analyze and record the connection state information of data packets in the data plane by designing a finite state machine and a state table. We implement a prototype using P4, then, evaluate its performance and overheads. The experimental results show that the scheme can achieve fine-grained access control and reduce communication overhead.