A novel approach for security function graph configuration and deployment

Network virtualization has increased the versatility of enforcing security protection by easing the development of new security function implementations. The drawback of this opportunity is that a security provider, in charge of configuring and deploying a security function graph, has to choose the best virtual security functions from a pool so large that manual decisions become unfeasible. In light of this problem, the paper proposes a novel approach for synthesizing virtual security services by introducing the functionality abstraction. This new level of abstraction allows working at the virtual level without considering the different function implementations, with the objective of postponing the function selection, jointly with the deployment, until after the configuration of the virtual graph. This makes it possible to optimize the function selection when the pool of available functions is very large. A framework supporting this approach has been implemented, and it showed adequate scalability for the requirements of modern virtual networks.
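To make the two-phase idea concrete, the following added example (not code from the paper or its framework) models a security function graph at the functionality level first, and only afterwards selects concrete implementations from a pool jointly with their placement on hosts. The functionality names, the implementation pool, the CPU and cost figures and the hosts are all constructed for illustration; the paper's actual optimization model is not shown here, and a simple exhaustive search stands in for it.

```python
"""Toy model of configuring a security function graph at the functionality
level, then choosing implementations from a pool jointly with deployment.
Constructed example; not the paper's framework or its optimization model."""
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Implementation:
    name: str
    functionalities: frozenset  # abstract functionalities this function provides
    cpu: int                    # resource demand (constructed units)
    cost: int                   # selection cost to minimise (constructed units)


@dataclass(frozen=True)
class Node:
    name: str
    required: frozenset         # functionalities the virtual node must offer


@dataclass(frozen=True)
class Host:
    name: str
    cpu_capacity: int


# Phase 1: the virtual graph is written only in terms of functionalities,
# so it does not change when implementations are added to or removed from the pool.
def build_virtual_graph():
    return [
        Node("edge", frozenset({"packet_filtering"})),
        Node("core", frozenset({"packet_filtering", "vpn_termination"})),
    ]


# Constructed pool of implementations and deployment hosts (hypothetical values).
POOL = [
    Implementation("fw_lite", frozenset({"packet_filtering"}), cpu=1, cost=2),
    Implementation("fw_full", frozenset({"packet_filtering", "vpn_termination"}), cpu=3, cost=5),
    Implementation("vpn_only", frozenset({"vpn_termination"}), cpu=2, cost=3),
]
HOSTS = [Host("h1", 3), Host("h2", 3)]


# Phase 2: pick one implementation per node and a host for it, minimising total
# cost subject to functionality coverage and host CPU capacity.
def select_and_deploy(graph, pool, hosts):
    """Return {"cost": int, "placement": {node: (impl, host)}} or None if infeasible."""
    candidates = []
    for node in graph:
        # Only implementations covering every required functionality are eligible.
        options = [impl for impl in pool if node.required <= impl.functionalities]
        if not options:
            return None
        candidates.append([(node, impl, host) for impl in options for host in hosts])

    best = None
    capacity = {h.name: h.cpu_capacity for h in hosts}
    for assignment in itertools.product(*candidates):
        load = {}
        for _, impl, host in assignment:
            load[host.name] = load.get(host.name, 0) + impl.cpu
        if any(load[h] > capacity[h] for h in load):
            continue  # placement exceeds a host's CPU budget
        cost = sum(impl.cost for _, impl, _ in assignment)
        if best is None or cost < best["cost"]:
            best = {
                "cost": cost,
                "placement": {n.name: (impl.name, host.name) for n, impl, host in assignment},
            }
    return best


if __name__ == "__main__":
    print(select_and_deploy(build_virtual_graph(), POOL, HOSTS))
```

Because the virtual graph is expressed only in functionalities, enlarging the pool (for example, adding a second packet filter implementation) touches only phase 2; the exhaustive search here grows exponentially with graph size, which is exactly why a large pool calls for a proper optimization backend rather than enumeration.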
