Security of software networks

In recent years, companies and organizations with increasingly distributed IT infrastructures have been consolidating the investment trend toward the cloud computing paradigm, given its many benefits: among them, the ability to develop and deliver applications and services dynamically and flexibly through the use of the container-based approach. Concurrently, such service orchestration systems, foremost among them Kubernetes, are receiving increasing interest to effectively manage these resources in the new container architecture. The value proposition of this thesis is related to the creation of a security function orchestration system in Kubernetes via a software defined approach, employing the Network Service Mesh (NSM) framework and defining a software network based on service chains within extending the Kuberentes network. By making some specific changes and configurations, chains are created that reflect the user's intent, defined through a Command Line Interface (CLI) and then managed by a Kubernetes operator. The latter has to ensure the correct configuration of what are the security functions corresponding to the user's specified intents, respecting the received specifications and providing all the necessary resources for deployment: the basic idea is to let the user configure the chain at a level that is as high as possible, while giving at the same time a broader and easier to understand view of the network. In order for there to be a match between intent and security function, a Knowledge Base is used so that among multiple types of resources, the one best suited to meet the security requirement could be inferred. In addition, the operator allows management of possible reconfiguration of the chain, adding or removing security functions, giving a way to react to possible needs that might arise during use. Unlike what is available in the most common solutions in this area, such as Istio, through this approach it is possible to go to operate at a lower level, and more specifically at the network level, since each intermediate pod in the chain makes two network interfaces available, resulting in a fundamental aspect to allow the containers assigned to security functions to monitor or simply apply filters to network traffic. As an end result, a cluster is then obtained within which the desired chain is defined in order to protect a given service. The user responsible for configuring this cluster has the option of specifying the functions desired, while also keeping in mind those that can actually be provided. To achieve an effective configuration of the chain, security functions were identified and chosen to follow a plug-and-play approach, testing them directly within a cluster, using different configurations including filtering rules. Regarding possible future developments, in addition to the extension of the KB with which the mapping is done and its additional configurations, it is possible to add and integrate other software features defined by the NSM framework so as to extend those already present.. The available security features can be extended, respecting the limitation of falling within a single container in order to avoid possible conflicts with the NSM framework and its architecture.