Automated firewall configuration in virtual networks. Bringhenti, D., Marchetto, G., Sisto, R., Valenza, F., & Yusupov, J. IEEE Transactions on Dependable and Secure Computing, 2022. in press
The configuration of security functions in computer networks is still typically performed manually, which likely leads to security breaches and long re-configuration times. This problem is exacerbated for modern networks based on network virtualization, because their complexity and dynamics make a correct manual configuration practically unfeasible. This article focuses on packet filters, i.e., the most common firewall technology used in computer networks, and it proposes a new methodology to automatically define the allocation scheme and configuration of packet filters in the logical topology of a virtual network. The proposed method is based on solving a carefully designed partial weighted Maximum Satisfiability Modulo Theories problem by means of a state of the art solver. This approach formally guarantees the correctness of the solution, i.e., that all security requirements are satisfied, and it minimizes the number of needed firewalls and firewall rules. This methodology is extensively evaluated using different metrics and tests on both synthetic and real use cases, and compared to the state-of-the-art solutions, showing its superiority. © 2022 IEEE.
@article{2022ACC,
author = {Daniele Bringhenti and Guido Marchetto and Riccardo Sisto and
Fulvio Valenza and Jalolliddin Yusupov},
title = {Automated firewall configuration in virtual networks},
journal = {{IEEE} Transactions on Dependable and Secure Computing},
year = {2022},
url = {https://iris.polito.it/retrieve/handle/11583/2958744/571845/TDSC2022.pdf},
doi = {10.1109/TDSC.2022.3160293},
abstract = {The configuration of security functions in computer
networks is still typically performed manually, which likely
leads to security breaches and long re-configuration times.
This problem is exacerbated for modern networks based on
network virtualization, because their complexity and dynamics
make a correct manual configuration practically unfeasible. This
article focuses on packet filters, i.e., the most common firewall
technology used in computer networks, and it proposes a new
methodology to automatically define the allocation scheme and
configuration of packet filters in the logical topology of a virtual
network. The proposed method is based on solving a carefully
designed partial weighted Maximum Satisfiability Modulo Theories problem
by means of a state of the art solver. This approach
formally guarantees the correctness of the solution, i.e., that
all security requirements are satisfied, and it minimizes the
number of needed firewalls and firewall rules. This methodology
is extensively evaluated using different metrics and tests on both
synthetic and real use cases, and compared to the state-of-the-art
solutions, showing its superiority. © 2022 IEEE.},
note = {in press}}
Downloads: 19