Automated optimal firewall orchestration and configuration in virtualized networks.
Bringhenti, D., Marchetto, G., Sisto, R., Valenza, F., & Yusupov, J.
In Proceedings of the IEEE/IFIP Network Operations and Management Symposium (NOMS 2020), pages 1–7, 2020. IEEE.
@InProceedings{2020NOMS_VEREFOO,
author = {Daniele Bringhenti and Guido Marchetto and Riccardo Sisto and Fulvio Valenza and Jalolliddin Yusupov},
booktitle = {Proceedings of the {IEEE/IFIP} Network Operations and Management Symposium ({NOMS} 2020)},
doi = {10.1109/NOMS47738.2020.9110402},
pages = {1--7},
publisher = {{IEEE}},
title = {Automated optimal firewall orchestration and configuration in virtualized networks},
year = {2020},
url = {https://iris.polito.it/retrieve/handle/11583/2837546/426876/2020NOMS_VEREFOO_author.pdf},
abstract = {Emerging technologies such as Software-Defined Networking and Network Functions Virtualization are making the definition and configuration of network services more dynamic, thus making automatic approaches that can replace manual and error-prone tasks more feasible. In view of these considerations, this paper proposes a novel methodology to automatically compute the optimal allocation scheme and configuration of virtual firewalls within a user-defined network service graph subject to a corresponding set of security requirements. The presented framework adopts a formal approach based on the solution of a weighted partial MaxSMT problem, which also provides good confidence in the correctness of the solution. A prototype implementation of the proposed approach based on the z3 solver has been used for validation, showing the feasibility of the approach for problem instances requiring tens of virtual firewalls and similar numbers of security requirements. © 2020 IEEE.},
keywords = {Firewall, Policy Refinement, Security Automation},
}
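The abstract above describes the problem as a weighted partial MaxSMT instance: the security requirements are hard constraints that any solution must satisfy, while the number of allocated firewalls and configured rules are weighted soft constraints to be minimized. The following is an added, editor-written illustration of that formulation on a small service graph; it is not the VEREFOO prototype or any code from the authors. The graph, allocation places, requirements and weights are constructed for the example, and an exhaustive enumeration of allocations stands in for the z3 MaxSMT solve. Each allocated firewall gets a default action (allow or deny) and a set of exception rules; a separate verify() replays every flow over every path before a candidate is accepted.

```python
from itertools import product

W_FW = 10    # soft weight per instantiated virtual firewall (assumed value)
W_RULE = 1   # soft weight per configured rule (assumed value)

# Constructed service graph (undirected links); "ap*" nodes are the allocation
# places where a virtual firewall may be instantiated.
LINKS = [("client", "ap1"), ("ap1", "ap2"), ("ap2", "web"), ("ap1", "ap3"),
         ("ap3", "db"), ("admin", "ap3"), ("web", "ap3")]
ALLOCATION_PLACES = ["ap1", "ap2", "ap3"]
# Constructed security requirements: (kind, src, dst).
REQUIREMENTS = [("reach", "client", "web"), ("isolate", "client", "db"),
                ("reach", "web", "db"), ("reach", "admin", "db"),
                ("isolate", "client", "admin")]

def adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def simple_paths(adj, src, dst):
    """All loop-free paths from src to dst (iterative DFS)."""
    paths, stack = [], [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            paths.append(path)
            continue
        for nxt in sorted(adj[node]):
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return paths

def synthesize(alloc, adj, requirements):
    """Rules for an allocation {place: default action}; a rule (src, dst) is an
    exception to that default. None if an isolation flow has an unguarded path."""
    cfg = {ap: {"default": act, "rules": set()} for ap, act in alloc.items()}
    for kind, s, d in requirements:
        paths = simple_paths(adj, s, d)
        if kind == "reach":
            # keep the path crossing the fewest firewalls open: explicit allow
            # rule on every deny-by-default firewall along it
            best = min(paths, key=lambda p: sum(n in alloc for n in p))
            for n in best:
                if alloc.get(n) == "deny":
                    cfg[n]["rules"].add((s, d))
        else:
            for p in paths:
                fws = [n for n in p if n in alloc]
                if not fws:
                    return None        # unguarded path: isolation impossible
                if any(alloc[n] == "deny" for n in fws):
                    continue           # already dropped by a deny-by-default fw
                cfg[fws[0]]["rules"].add((s, d))   # deny rule on first fw
    return cfg

def forwards(fw, flow):
    """One firewall's verdict on a (src, dst) flow: a matching rule inverts the default."""
    return fw["default"] == ("deny" if flow in fw["rules"] else "allow")

def verify(cfg, adj, requirements):
    """Independent check that the hard constraints hold under the synthesized rules."""
    for kind, s, d in requirements:
        open_paths = [all(forwards(cfg[n], (s, d)) for n in p if n in cfg)
                      for p in simple_paths(adj, s, d)]
        if any(open_paths) != (kind == "reach"):
            return False
    return True

def cost(cfg):
    """Total weight of violated soft constraints: firewalls placed plus rules."""
    return W_FW * len(cfg) + W_RULE * sum(len(fw["rules"]) for fw in cfg.values())

def optimise(links, places, requirements):
    """Exhaustive stand-in for the MaxSMT solve: the cheapest allocation that
    passes verification (None if no allocation can meet the requirements)."""
    adj = adjacency(links)
    best = None
    for choice in product([None, "allow", "deny"], repeat=len(places)):
        alloc = {ap: act for ap, act in zip(places, choice) if act}
        cfg = synthesize(alloc, adj, requirements)
        if cfg is None or not verify(cfg, adj, requirements):
            continue                   # hard constraint violated: discard
        if best is None or cost(cfg) < cost(best):
            best = cfg
    return best

if __name__ == "__main__":
    best = optimise(LINKS, ALLOCATION_PLACES, REQUIREMENTS)
    for ap, fw in sorted(best.items()):
        print(ap, fw["default"], sorted(fw["rules"]))
    print("cost", cost(best))
```

On this constructed graph the optimum is a single deny-by-default firewall at ap1 with one allow rule for client to web (cost 11); the allow-by-default alternative at ap1 needs two deny rules and costs 12, and a firewall at ap2 alone is rejected because client can still reach db via ap3. The enumeration is 3^n in the number of allocation places, which is why instances with tens of firewalls, as the abstract reports, are handed to a MaxSMT solver rather than brute-forced.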
Introducing programmability and automation in the synthesis of virtual firewall rules.
Bringhenti, D., Marchetto, G., Sisto, R., Valenza, F., & Yusupov, J.
In Proceedings of the 6th IEEE Conference on Network Softwarization (NetSoft 2020), pages 473–478, 2020. IEEE.
@InProceedings{2020NetSoft,
author = {Daniele Bringhenti and Guido Marchetto and Riccardo Sisto and Fulvio Valenza and Jalolliddin Yusupov},
booktitle = {Proceedings of the 6th {IEEE} Conference on Network Softwarization (NetSoft 2020)},
doi = {10.1109/NetSoft48620.2020.9165434},
pages = {473--478},
title = {Introducing programmability and automation in the synthesis of virtual firewall rules},
year = {2020},
abstract = {The rise of new forms of cyber-threats is mostly due to the extensive use of virtualization paradigms and the increasing adoption of automation in the software life-cycle. To address these challenges we propose an innovative framework that leverages the intrinsic programmability of the cloud and software-defined infrastructures to improve the effectiveness and efficiency of reaction mechanisms. In this paper, we present our contributions with a demonstrative use case in the context of Kubernetes. By means of this framework, developers of cybersecurity appliances will no longer have to care about how to react to events or struggle to define every possible security task at design time. In addition, the automatic firewall ruleset generation provided by our framework will mostly avoid human intervention, hence decreasing the time needed to carry out these tasks and the likelihood of errors. We focus our discussion on the technical challenges: the definition of common actions at the policy level and their translation into configurations for a heterogeneous set of security functions, by means of a use case. © 2020 IEEE.},
keywords = {Firewall,Security Orchestration},
url = {https://iris.polito.it/retrieve/handle/11583/2844332/391324/main.pdf},
}
Short Paper: Automatic Configuration for an Optimal Channel Protection in Virtualized Networks.
Bringhenti, D., Marchetto, G., Sisto, R., & Valenza, F.
In Proceedings of the 2nd ACM CCS Workshop on Cyber-Security Arms Race (CYSARM 2020), pages 25–30, 2020. ACM.
@InProceedings{2020CYSARM,
author = {Daniele Bringhenti and Guido Marchetto and Riccardo Sisto and Fulvio Valenza},
booktitle = {Proceedings of the 2nd {ACM CCS} Workshop on Cyber-Security Arms Race (CYSARM 2020)},
doi = {10.1145/3411505.3418439},
pages = {25--30},
title = {Short Paper: Automatic Configuration for an Optimal Channel Protection in Virtualized Networks},
year = {2020},
abstract = {Data confidentiality, integrity and authentication are security properties which are often enforced with the generation of secure channels, such as Virtual Private Networks, over unreliable network infrastructures. Traditionally, the configuration of the systems responsible for encryption operations is performed manually. However, the advent of software-based paradigms, such as Software-Defined Networking and Network Functions Virtualization, has introduced new arms races. In particular, even though network management has become more flexible, the increased complexity of virtual networks is making manual operations unfeasible and leading to errors which open the path to a large number of cyber attacks. A possible solution consists in reaching a trade-off between flexibility and complexity, by automating the configuration of the channel protection systems through policy refinement. In view of these considerations, this paper proposes a preliminary study for an innovative methodology to automatically allocate and configure channel protection systems in virtualized networks. The proposed approach would be based on the formulation of a MaxSMT problem and it would be the first to combine automation, formal verification and optimality in a single technique. © 2020 ACM.},
keywords = {VPN, Policy Refinement},
url = {https://iris.polito.it/retrieve/handle/11583/2844334/426885/2020_CYSARM_author.pdf},
}