Dissecting Faucet Security
Some of Faucet’s little-advertised features can have quite a large positive impact for your network security. In this tutorial, Inside-Openflow presents Faucet’s security features with a large emphasis on ACLs and how they can be used to better protect your network.
ACLs as the front line of cybersecurity
Faucet ACLs provide a way to perform checks and specify actions on packets before they reach the L2 switching and L3 routing stages of the Faucet pipeline. The article demonstrates this in a very practical way by offloading firewall rules to the switch, since those are fairly easy to convert and highlight several of the features of Faucet ACLs.
Think of these ACLs as a first line of defense when used for firewall offloading. Also, as Faucet and OpenFlow evolve, more and more security tasks can be offloaded completely to the switch, removing the need for host firewalls and reducing the load on existing dedicated firewall appliances.
Using Faucet ACLs can provide a lot more protection in a data center where east-west traffic is not otherwise restricted. You can add as many ACL entries as you want without a performance hit on any of your hosts or the network, so long as your switch supports the number of flow entries required. Since modern OpenFlow switches such as NoviFlow’s NoviSwitches support millions of exact matches and hundreds of thousands of masked matches, that’s a lot of ACL entries!
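As an added illustration of the firewall offloading described above (this is not configuration from the Inside-Openflow article or from the Faucet project), the following faucet.yaml fragment moves a typical host-firewall rule, "SSH to this server only from the management subnet", into a port ACL that is enforced by the switch before the packet ever reaches L2 switching. The datapath id, VLAN id, port numbers, management subnet 192.168.10.0/24 and server address 10.0.0.10 are all assumed values.

```yaml
# Added example, not from the article or the Faucet project.
# Assumed values: dp_id 0x1, VLAN 100, management subnet 192.168.10.0/24,
# server 10.0.0.10 on port 2, all other traffic arriving on port 1.
acls:
  mgmt-ssh-only:
    # Rules are evaluated top to bottom; the first match decides.
    - rule:
        dl_type: 0x800            # IPv4 (required before matching on IP fields)
        nw_proto: 6               # TCP
        ipv4_src: 192.168.10.0/24 # management subnet
        ipv4_dst: 10.0.0.10
        tcp_dst: 22
        actions:
          allow: 1                # management hosts may reach SSH
    - rule:
        dl_type: 0x800
        nw_proto: 6
        ipv4_dst: 10.0.0.10
        tcp_dst: 22
        actions:
          allow: 0                # SSH from any other source is dropped at the switch
    - rule:
        actions:
          allow: 1                # explicit default, so the policy does not rely on implicit behaviour
vlans:
  servers:
    vid: 100
dps:
  sw1:
    dp_id: 0x1
    hardware: "Open vSwitch"
    interfaces:
      1:
        description: "uplink carrying traffic towards the servers"
        native_vlan: servers
        acls_in: [mgmt-ssh-only]  # ACL applied to packets entering on this port
      2:
        description: "server 10.0.0.10"
        native_vlan: servers
```

Each rule is compiled into OpenFlow flow entries in Faucet's port ACL table, so when adding many rules check that the switch's flow table capacity covers the resulting entry count, as the article notes.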