Author (Chinese): 黃致豪
Author (English): Huang, Chih-Hao
Title (Chinese): 以軟體定義網路來實現具有動態水平擴充與負載平衡之防火牆系統
Title (English): A SDN-Enabled Firewall System with Dynamic Scaling and Load Balancing
Advisor (Chinese): 高榮駿
Advisor (English): Kao, Jung-Chun
Committee (Chinese): 楊舜仁, 趙禧綠
Committee (English): Yang, Shun-Ren; Chao, Hsi-Lu
Degree: Master
Institution: National Tsing Hua University (國立清華大學)
Department: Department of Computer Science (資訊工程學系)
Student ID: 110062527
Publication year (ROC calendar): 112 (2023)
Graduation academic year: 112
Language: English
Pages: 55
Keywords (Chinese): 軟體定義網路, 防火牆, 入侵偵測系統
Keywords (English): SDN, firewall, IDS
Chinese abstract (translated):
With the spread of artificial intelligence and cloud computing, the packet throughput that data centers must handle keeps increasing, and as the volume of data transferred grows, network security cannot be neglected. Traditional hardware firewalls use dedicated hardware and software to analyze, filter, and block malicious packets entering a data center's internal network from the outside. Such dedicated hardware firewalls, however, cannot keep up with continually growing traffic in terms of scalability and configuration flexibility. At the same time, software-defined networking (SDN) has matured. SDN is highly scalable and flexible, and combined with open-source intrusion detection systems it lets us work toward gradually retiring traditional hardware firewalls.

Our goal is to exploit the flexibility of SDN, combined with an intrusion detection system, so that a traditional hardware firewall is no longer required.

In this thesis we propose a new firewall system architecture. It uses the multicast mechanism of the software-defined network together with open-source intrusion detection software, running on several commodity computers, to realize a distributed firewall system. The system can dynamically bring firewalls up and shut them down to reduce the energy consumed while idle, and it distributes the packet volume sent to each firewall according to that firewall's processing capability.

Experimental results show that the proposed distributed firewall architecture distributes packets effectively according to the processing capability of each firewall; that is, the system achieves load balancing among the firewalls, so that each firewall can process its packets effectively.
English abstract:
Traditional high-speed firewalls use dedicated hardware to analyze, filter, and block malicious packets before they enter an organization's internal network (a company, an institution, or a data center). These dedicated hardware firewalls, however, face challenges in cost, scalability, and configuration flexibility as network traffic continues to grow. Software-defined networking (SDN), which offers high scalability and flexibility, can address these challenges. Combined with software-based intrusion detection systems, SDN lets us replace a dedicated hardware firewall with a distributed firewall system made up of a number of firewalls, each running on a commodity machine (or on a virtual machine instance).

In this thesis, we propose a novel firewall system architecture. It consists of a software-defined network and a set of (virtual) firewalls, each running a software-based intrusion detection system on an off-the-shelf computer connected to the network. The system can dynamically scale out and scale in according to the real-time workload, and it distributes the workload according to the processing capability of each firewall.

Experimental results demonstrate that the proposed distributed firewall system can effectively scale out and in and distribute workload based on the computational capability of each firewall; that is, the system achieves load balancing among the firewalls, so that each firewall processes packets effectively.
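Both abstracts describe the same two decisions the controller has to make: which firewall a new flow goes to (weighted by each firewall's processing capability) and when to power a firewall on or off (dynamic scale-out/scale-in). The following Python model, added here as an illustration and not the thesis's own DLDS implementation, shows one way those decisions can be made. The per-firewall capacities, the 80%/30% hysteresis thresholds, the "wake the largest standby node" and "drain the smallest active node" policies, and the flow rates in the demo scenario are all assumptions of this example; the thesis's multicast-based data path and OpenFlow rule installation are not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class Firewall:
    """One IDS-running firewall node. capacity_pps is an assumed, pre-measured
    processing capability in packets per second (not a value from the thesis)."""
    name: str
    capacity_pps: float
    active: bool = True
    load_pps: float = 0.0
    flows: dict = field(default_factory=dict)  # flow_id -> rate_pps

    def utilization(self) -> float:
        return self.load_pps / self.capacity_pps


class Balancer:
    """Places each new flow on the active firewall whose projected utilization
    would be lowest, so larger machines receive proportionally more traffic,
    and scales the active set out/in using hysteresis thresholds.
    The thresholds and selection policies are assumptions of this example."""

    def __init__(self, pool, scale_out_at=0.8, scale_in_below=0.3):
        self.pool = pool
        self.scale_out_at = scale_out_at      # aggregate utilization that triggers scale-out
        self.scale_in_below = scale_in_below  # utilization the survivors must stay under
        self.events = []                      # audit trail of scaling/migration decisions

    def active(self):
        return [fw for fw in self.pool if fw.active]

    def active_names(self):
        return [fw.name for fw in self.active()]

    def _place(self, flow_id, rate_pps, candidates):
        # Capacity-weighted choice: lowest (load + new flow) / capacity wins.
        target = min(candidates,
                     key=lambda fw: (fw.load_pps + rate_pps) / fw.capacity_pps)
        target.flows[flow_id] = rate_pps
        target.load_pps += rate_pps
        return target

    def assign(self, flow_id, rate_pps):
        target = self._place(flow_id, rate_pps, self.active())
        self._scale()
        return target.name

    def release(self, flow_id):
        for fw in self.pool:
            if flow_id in fw.flows:
                fw.load_pps -= fw.flows.pop(flow_id)
                break
        self._scale()

    def _scale(self):
        active = self.active()
        total_load = sum(fw.load_pps for fw in active)
        total_cap = sum(fw.capacity_pps for fw in active)
        if total_load / total_cap > self.scale_out_at:
            # Scale out: wake the standby node with the most capacity.
            standby = [fw for fw in self.pool if not fw.active]
            if standby:
                fw = max(standby, key=lambda f: f.capacity_pps)
                fw.active = True
                self.events.append(("scale_out", fw.name))
            return
        if len(active) < 2:
            return
        # Scale in: power off the smallest active node only if the remaining
        # nodes can absorb all traffic while staying under the scale-in threshold.
        victim = min(active, key=lambda f: f.capacity_pps)
        others = [f for f in active if f is not victim]
        if total_load / sum(f.capacity_pps for f in others) < self.scale_in_below:
            for flow_id, rate in list(victim.flows.items()):
                target = self._place(flow_id, rate, others)
                self.events.append(("migrate", flow_id, victim.name, target.name))
            victim.flows.clear()
            victim.load_pps = 0.0
            victim.active = False
            self.events.append(("scale_in", victim.name))


def demo():
    """Constructed scenario: a 1000 pps node active, 2000 pps and 500 pps nodes on standby."""
    pool = [Firewall("fw1", 1000.0),
            Firewall("fw2", 2000.0, active=False),
            Firewall("fw3", 500.0, active=False)]
    lb = Balancer(pool)
    placements = [lb.assign("f1", 500), lb.assign("f2", 400), lb.assign("f3", 500)]
    lb.release("f2")   # load drops; fw1 still needed
    lb.release("f3")   # survivors can absorb everything: fw1 drained and powered off
    return lb, placements


if __name__ == "__main__":
    lb, placements = demo()
    print("placements:", placements)
    print("active:", lb.active_names())
    for e in lb.events:
        print("event:", e)
```

In the demo, the second flow pushes fw1 past the 80% threshold, so fw2 (the larger standby node) is woken; the third flow then lands on fw2 because its projected utilization (25%) is far below fw1's (140%). After two flows finish, the remaining 500 pps can be served by fw2 alone under 30% utilization, so fw1's last flow is migrated and fw1 is shut down. A production controller would additionally have to re-point the OpenFlow rules for migrated flows before taking the node down, which this model does not do.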
Table of contents:
Abstract  i
Chinese Abstract  iii
Contents  iv
List of Figures  vi
1 Introduction  1
2 Related Work  6
  2.1 OpenFlow Controller Selection  6
  2.2 SDN-based Firewall System  7
  2.3 Multi-controller System  8
  2.4 OpenFlow Control Message Transmission  9
3 System Architecture  10
  3.1 System Architecture  10
4 Proposed Method  16
  4.1 System Objective  16
  4.2 Dynamic Load-balancing Dynamic Scaling  18
5 System Components  25
  5.1 OpenFlow vSwitch  26
  5.2 Main Controller  27
    5.2.1 Initialization Phase  29
    5.2.2 Runtime Phase  31
  5.3 IDS Software  36
  5.4 Subordinate Controller  37
  5.5 Communication Module  40
6 Experimental Evaluation  42
  6.1 Experimental Environment  42
    6.1.1 Hardware Information  42
    6.1.2 Emulation Topology  43
    6.1.3 Software Information  43
  6.2 Multi-controller design evaluation  44
  6.3 DLDS evaluation  46
7 Conclusion  51
References  52