{"id":19873079,"url":"https://github.com/checkpointsw/sdn","last_synced_at":"2025-11-23T18:07:12.711Z","repository":{"id":43170766,"uuid":"157679992","full_name":"CheckPointSW/sdn","owner":"CheckPointSW","description":null,"archived":false,"fork":false,"pushed_at":"2023-05-13T06:43:49.000Z","size":26,"stargazers_count":1,"open_issues_count":1,"forks_count":1,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-01-11T16:49:46.414Z","etag":null,"topics":["management-api","sdn","security-gateway"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CheckPointSW.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-11-15T08:47:27.000Z","updated_at":"2023-12-13T09:23:42.000Z","dependencies_parsed_at":"2025-01-11T16:45:00.121Z","dependency_job_id":"b632de71-7802-4d8f-91df-e4d9f43bccaa","html_url":"https://github.com/CheckPointSW/sdn","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CheckPointSW%2Fsdn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CheckPointSW%2Fsdn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CheckPointSW%2Fsdn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CheckPointSW%2Fsdn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CheckPointSW","download_url":"https://codeload.github.com/CheckPointSW/
sdn/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241299953,"owners_count":19940485,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["management-api","sdn","security-gateway"],"created_at":"2024-11-12T16:17:43.312Z","updated_at":"2025-11-23T18:07:12.681Z","avatar_url":"https://github.com/CheckPointSW.png","language":"Python","readme":"# Overview\n\nSoftware Defined Networking (SDN) is a paradigm for centrally controlling the\nbehavior of network switches with a standard protocol (e.g., OpenFlow). The\nlogic for forwarding the traffic in the network is centralized in a single\nsoftware component called the _controller_.\n\nThe idea of this proof-of-concept project is to integrate a firewall gateway\ninto an SDN controlled network, such that depending on a configurable policy,\ntraffic in the network would either bypass the gateway or be forwarded to\nthe gateway to decide on what to do (depending on the gateway policy).\n\nWhenever a switch encounters an unknown packet, it forwards it to the\ncontroller.\n\n*   The controller uses a discovery module, which sends out test packets to map\n    the links between the different switch ports. \n\n\tThe controller listens to the events about discovered links and builds\n\tpaths leading from each switch to the port that is connected to the\n\tfirewall gateway. 
These paths are then used when forwarding non-bypassed IP\n\tpackets to the firewall gateway.\n\n*   Non-IP packets are forwarded - the controller notifies the switch to\n    register a flow with the specific packet parameters with the action to\n    forward matching packets to the appropriate switch port. If the destination\n    is yet unknown to the controller, it will ask the switch to flood the\n    packet to all the ports. For every packet that it sees, the controller\n    learns that the source MAC address is behind the port in the switch from\n    which the packet came.\n\n*   IP packets are inspected against a connection table. If found, the action\n    (see the next bullet) that is specified in the table is performed.\n\n*   Unknown IP packets are matched against the bypass policy rules, the action\n    that is specified in the rule (either bypass, or forward to the firewall)\n    is enforced. Bypass is normal forwarding (such as what is done to non-IP\n    packets). Forwarding to the firewall means, in every switch, forwarding to\n    the port leading to the firewall gateway. Packets that come from the port\n    that leads to the gateway are assumed to have been already inspected, and\n    so they are forwarded just like bypassed packets.\n\n\n# Environment\n\nSDN experiments are often done in a virtualized network framework called\n[Mininet](https://github.com/mininet/mininet/wiki/Introduction-to-Mininet). 
It\nallows the user to specify an arbitrary number of hosts connected by switches\nand controlled by a controller, where everything is run on a single host\n(often, the Mininet host is a VM running on a personal desktop/laptop).\n\nFor the controller (the software component, with which the switches talk to\nmake decisions about forwarding), we chose\n[POX](https://openflow.stanford.edu/display/ONL/POX+Wiki) - a Python-based,\nresearch-oriented OpenFlow controller.\n\nWe configure Mininet with a custom topology.\n\nIn our custom POX module (fw.py), we use the POX discovery module to enable\nautomatic learning of the switch topology (finding out the path from every\nswitch to the firewall gateway port). We also use the webcore and webservice\nmodules to support web services.\n\n\n# Limitations\n\n*   There is an assumption that the firewall gateway would either drop a packet\n    or accept it without modifying the connection parameters (e.g., no NAT);\n    this allows the controller to recognize the packet after it was forwarded\n    to the firewall.\n\n*   IP fragments are dropped.\n\n*   Only IPv4 is handled.\n\n*   Once a connection has expired from the controller connection table, packets\n    with reverse connection parameters (of the expired connection) might match\n    a bypass rule. 
This means that the connection would be registered as a\n    bypass connection and packets that actually belong to the original expired\n    connection would not be forwarded to the firewall anymore.\n\n*   The long timeout on TCP connection means that most TCP connections would\n    occupy resources in the controller connection table, long after they have\n    closed.\n\n\n# Setup\n\n## Ubuntu Server VM\n\n*   Install an Ubuntu server 12.04.2 32bit on VirtualBox (another VM technology\n    can be used as well):\n\n    *   Add a host only interface.\n\n    *   Choose the ssh server option when installing Ubuntu.\n\n    *   Disable the password requirement for sudo:\n\n            $ sudo sed -i 's/^\\(%sudo.*)\\) ALL/\\1 NOPASSWD: ALL/' /etc/sudoers\n\n## Code\n\n*   Install the demo code from GitHub:\n\n        $ sudo apt-get install git\n        $ cd ~\n        $ git clone https://github.com/CheckPointSW/sdn.git\n\n## Mininet\n\n*   Install Mininet/POX - you must have Internet access!\n\n        $ ~/sdn/setup.sh\n\n*   Run Mininet with custom topology and POX using our fw component:\n\n    (the POX fw module logs are at /tmp/c0-pox.log)\n\n        $ sudo mn --custom ~/sdn/custom.py --topo fw --controller pox --mac\n\n\n# Configuration\n\n## Mininet Topology\n\nConfigures the Mininet switches and hosts (it is read by custom.py):\n\n*   `switches` - a list of Mininet switch names\n\n*   `links` - a list of lists. Each sub list specifies `[NODE1, PORT1, NODE2,\n\tPORT2]`, where a `NODE` is either a switch (listed in switches before), or\n\ta host (either `hNN` or `fw1`). 
`PORT` need only be specified for switches,\n\tit should be null for hosts.\n\n*   Example (see -  ~/sdn/topo.json in the source code):\n\n\t\t{\n    \t\t\"switches\": [\"s1\", \"s2\", \"s3\"],\n    \t\t\"links\": [\n        \t\t[\"s1\", 1, \"fw1\", null],\n        \t\t[\"s1\", 2, \"s2\", 1],\n        \t\t[\"s1\", 3, \"s3\", 1],\n        \t\t[\"s2\", 2, \"h22\", null],\n        \t\t[\"s2\", 3, \"h23\", null],\n        \t\t[\"s3\", 2, \"h32\", null],\n        \t\t[\"s3\", 3, \"h33\", null]\n    \t\t]\n\t\t}\n\n## Firewall Bypass Policy\n\nConfigures the fw bypass/forwarding policy (it is read by fw.py):\n\n*   `fw1` - the port to which the firewall gateway is connected: `[SWITCH,\n    PORT]` (this must match the fw1 link in topo.json)\n\n*   `policy` - contains timeouts and rules\n\n\t*   `timeouts` - a map between IP protocol numbers and time in seconds, the\n\t    time indicates how long the controller will remember an inactive\n\t    connection with the respective IP protocol\n\n\t*   `rules` - a list of lists. 
Each sub list specifies `[SRC, DST, SERVICE,\n\t    ACTION]`\n\n\t\t* `SRC`, `DST` - either a host name or a list of host names\n\n\t\t* `SERVICE`: see the comment before the matchService() function in\n\t\t  fw.py\n\n\t\t* `ACTION`: true means allow bypass, false means forward to the\n\t\t  firewall\n\n* Example (see - ~/sdn/fw.json in the source code):\n\n\t\t{\n    \t\t\"fw1\": [\"s1\", 1],\n    \t\t\"policy\": {\n        \t\t\"timeouts\": {\n            \t\t\"0\": 40,\n            \t\t\"1\": 40,\n            \t\t\"6\": 3600,\n            \t\t\"17\": 40\n        \t\t},\n        \t\t\"rules\": [\n            \t\t[\"h22\", \"h33\", null, true],\n            \t\t[\"h33\", [\"h22\", \"h23\"], null, true],\n            \t\t[\"h23\", \"h32\", [1, {\"6\": [80, 443]}, {\"17\": 53}, \"50-51\"], true],\n            \t\t[null, null, null, false]\n        \t\t]\n    \t\t}\n\t\t}\n\n\n# Firewall Integration\n\n## Simulation\n\n*   To simulate a firewall that drops all the traffic - do nothing.\n\n*   To simulate a firewall that accepts all the traffic:\n\n\tRun the \"bridge\" (when Mininet is already running) with a localhost echo\n\tserver:\n\n        $ socat tcp-listen:31173,reuseaddr exec:cat \u0026 ~/sdn/bridge.py replay localhost:31173\n\n    (press Ctrl-C to stop)\n\n\t\"bridge.py replay\" starts tcpdump on the Mininet fw1 \"host\" interface and\n\tforwards the packets on a socket to the destination network address;\n\tpackets that return from the socket are written to the fw1 \"host\" interface\n\tusing tcpreplay.\n\n## Firewall Gateway on another VM\n\n*   Assumptions:\n\n    *    The gateway can run on a VM.\n\n\t*    The gateway has a working Python environment.\n\n\t*    The gateway will filter traffic that comes in on a tap (tun/tap)\n\t\t interface. 
The interface is connected to a Linux bridge, which is\n\t\t configured to work in hairpin mode.\n\n*   Start a VM with a firewall gateway that has an interface on the same\n    host-only network as the Mininet VM.\n\n*   Run the tunneling bridge client/server on the sdn and gateway VMs (run a\n    single script from the sdn VM).\n\n        $ ~/sdn/bridge.sh GATEWAY-ADDRESS\n\n    (press Return or Ctrl-C to stop)\n\n\t\"bridge.sh\" runs a local \"bridge.py replay\" to forward the traffic to the\n\tfirewall gateway. It also runs (over ssh) a remote \"bridge.py tap\" on the\n\tfirewall gateway that creates a tap interface, listens for a connection\n\tfrom the Mininet VM, forwards the packets into the tap interface, and\n\tforwards packets from the tap interface back to the Mininet VM.\n\n\n# Web Services\n\nPOX exposes a set of extensible web services as follows:\n\n*   General:\n\n        $ curl -D - http://127.0.0.1:8000/\n\n*   OpenFlow:\n\n        $ curl -D - -d '{\"method\":\"get_switches\", \"id\": 0}' http://127.0.0.1:8000/OF/pretty\n        $ curl -D - -d '{\"method\":\"get_flow_stats\", \"params\":[\"00-00-00-00-00-01\"], \"id\": 0}' http://127.0.0.1:8000/OF/pretty\n\n*   Our POX FW extension:\n\n        $ curl -D - http://127.0.0.1:8000/FW/\n\n\n# Miscellaneous Helper Scripts\n\n*   Use ~/sdn/m to control hosts in a running Mininet.\n\n    *   Print the host address:\n\n            $ ~/sdn/m h22 addr\n\n    *   List all the hosts:\n\n            $ ~/sdn/m -l\n\n\t*   Ping another host (the arguments on the command line are automatically\n\t    resolved):\n\n            $ ~/sdn/m h22 ping h32\n\n*   Ping all the (non fw\\*) hosts in the Mininet network:\n\n        $ ~/sdn/pingall.sh\n\n*   Tunnel the firewall traffic elsewhere - see usage of ~/sdn/bridge.py and\n    ~/sdn/bridge.sh in Firewall Integration above.\n\n\n# References\n\n*   POX wiki: \u003chttps://openflow.stanford.edu/display/ONL/POX+Wiki\u003e\n\n*   Introduction to Mininet:\n    
\u003chttps://github.com/mininet/mininet/wiki/Introduction-to-Mininet\u003e\n\n*   Mininet documentation:\n    \u003chttps://github.com/mininet/mininet/wiki/Documentation\u003e\n\n*   OpenFlow tutorial: \u003chttp://www.openflow.org/wk/index.php/OpenFlow_Tutorial\u003e\n\n*   OpenFlow 1.0.0 spec:\n    \u003chttp://www.openflow.org/documents/openflow-spec-v1.0.0.pdf\u003e\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcheckpointsw%2Fsdn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcheckpointsw%2Fsdn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcheckpointsw%2Fsdn/lists"}