Automated optimal firewall orchestration and configuration in virtualized networks

Emerging technologies such as Software-Defined Networking and Network Functions Virtualization are making the definition and configuration of network services more dynamic, thus making automatic approaches that can replace manual and error-prone tasks more feasible. In view of these considerations, this paper proposes a novel methodology to automatically compute the optimal allocation scheme and configuration of virtual firewalls within a user-defined network service graph, subject to a corresponding set of security requirements. The presented framework adopts a formal approach based on the solution of a weighted partial MaxSMT problem, which also provides good confidence in the correctness of the solution. A prototype implementation of the proposed approach based on the z3 solver has been used for validation, showing the feasibility of the approach for problem instances requiring tens of virtual firewalls and similar numbers of security requirements.
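To make the problem shape concrete, the following is an added illustration, not the paper's prototype or its z3 model. It encodes a small, constructed service graph (hypothetical hops r1..r3, endpoints A..E), a handful of isolation and reachability requirements, and the weighted partial MaxSMT semantics the abstract refers to: hard constraints (every requirement satisfied, rules only on allocated firewalls) must hold, and the objective is the total weight of violated soft constraints (one per allocated firewall, one per filtering rule). Instead of z3, the assignments of the Boolean variables fw[n] and deny[n, flow] are enumerated by brute force, so it runs without a solver; the weights and requirement names are assumptions chosen for the example.

```python
"""Weighted partial MaxSMT view of virtual firewall allocation (toy).

Added illustration, not the paper's prototype: the paper solves the
instance with z3; here the same semantics (hard constraints must hold,
minimise the total weight of violated soft constraints) are evaluated by
brute-force enumeration so the example runs with no solver installed.
"""
import itertools

# Constructed service graph (hypothetical): endpoints A, B, C, D, E and
# three candidate hops r1..r3 where a virtual firewall may be allocated.
EDGES = {
    "A": ["r1"],
    "r1": ["r2", "r3", "E"],
    "r2": ["B"],
    "r3": ["B"],
    "C": ["r3"],
    "D": ["r2"],
    "B": [],
    "E": [],
}
CANDIDATES = ["r1", "r2", "r3"]

# Constructed security requirements: ("isolate", src, dst) means no path
# may carry src->dst traffic; ("reach", src, dst) means at least one must.
REQUIREMENTS = [
    ("isolate", "A", "B"),
    ("isolate", "D", "B"),
    ("reach", "C", "B"),
    ("reach", "A", "E"),
]

# Soft-constraint weights (hypothetical): every allocated firewall and every
# filtering rule violates a soft "prefer not to" constraint of this weight.
W_FIREWALL = 10
W_RULE = 1


def simple_paths(src, dst, graph=EDGES):
    """Return every simple path from src to dst as a list of node names."""
    paths, stack = [], [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            paths.append(path)
            continue
        for nxt in graph.get(node, []):
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return paths


def path_carries(path, flow, deny):
    """A path carries a (src, dst) flow unless a node on it denies that flow."""
    return not any((node, flow) in deny for node in path)


def hard_constraints_hold(firewalls, deny):
    """Hard part of the instance: rules only on allocated firewalls, every
    isolation requirement fully blocked, every reachability requirement kept."""
    if any(node not in firewalls for node, _ in deny):
        return False
    for kind, src, dst in REQUIREMENTS:
        open_paths = [p for p in simple_paths(src, dst)
                      if path_carries(p, (src, dst), deny)]
        if kind == "isolate" and open_paths:
            return False
        if kind == "reach" and not open_paths:
            return False
    return True


def violated_soft_weight(firewalls, deny):
    """Objective: total weight of violated soft constraints."""
    return W_FIREWALL * len(firewalls) + W_RULE * len(deny)


def solve():
    """Enumerate all assignments of fw[n] and deny[n, flow]; keep the
    cheapest one satisfying the hard constraints.
    Returns (cost, firewalls, deny), or None if the instance is UNSAT."""
    flows = [(s, d) for kind, s, d in REQUIREMENTS if kind == "isolate"]
    rule_vars = [(n, f) for n in CANDIDATES for f in flows]
    best = None
    for fw_bits in itertools.product((False, True), repeat=len(CANDIDATES)):
        firewalls = frozenset(n for n, b in zip(CANDIDATES, fw_bits) if b)
        for rule_bits in itertools.product((False, True), repeat=len(rule_vars)):
            deny = frozenset(r for r, b in zip(rule_vars, rule_bits) if b)
            if not hard_constraints_hold(firewalls, deny):
                continue
            cost = violated_soft_weight(firewalls, deny)
            if best is None or cost < best[0]:
                best = (cost, firewalls, deny)
    return best


if __name__ == "__main__":
    cost, firewalls, deny = solve()
    print("optimal cost:", cost)
    print("allocate firewalls at:", sorted(firewalls))
    for node, (src, dst) in sorted(deny):
        print(f"  {node}: deny {src} -> {dst}")
```

On this instance the optimum allocates firewalls at r1 and r2 with one rule each: blocking A->B at r1 covers both of A's paths to B with a single rule, which is cheaper than blocking it separately at r2 and r3, while D->B can only be stopped at r2. The A->E reachability requirement also shows why rules are modelled per flow: the deny rule for A->B on r1 leaves A->E untouched. A real instance with tens of firewalls and requirements is far beyond this enumeration, which is exactly why the paper hands the same constraints to an SMT solver.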
