An efficient architecture for dynamic middlebox policy enforcement in SDN networks

Middleboxes are widely deployed devices that play crucial roles in today's networks. Their behavior is commonly determined by policies that are manually set by network administrators, what may be a burden for networks whose connectivity dynamically changes. Recently, with the advent of Software-Defined Networking (SDN), a number of possibilities for handling middlebox policy enforcement have emerged. Even though there have been some contributions in this area, none of them eliminate the necessity of manual configuration of middleboxes for policy enforcement. In this paper, we propose an SDN-based architecture for dynamic middlebox policy enforcement that is able to respond to network events without any manual intervention from the network administrator. The architecture is also based on an interface proposed in this paper that enables the communication between an SDN controller and any middlebox. To evaluate the policy enforcement architecture, a prototype with two types of middleboxes, a firewall and an Intrusion Prevention System (IPS), was implemented in a virtual machine. Hypothesis tests were performed in order to validate the experimental results obtained with the prototype. Results show that the architecture is able to dynamically enforce middlebox policies, allowing network applications to run appropriately with no impact on network performance.