
Analysis on Access Control Policy and Security Groups in Firewall Configuration

Simone Romantini

Analysis on Access Control Policy and Security Groups in Firewall Configuration.

Supervisors: Riccardo Sisto, Daniele Bringhenti, Fulvio Valenza. Politecnico di Torino, Master's degree programme in Computer Engineering (Corso di laurea magistrale in Ingegneria Informatica), 2024

PDF (Tesi_di_laurea) - Thesis, 3MB
License: Creative Commons Attribution Non-commercial No Derivatives.
Abstract:

A Service Function Chain (SFC) is an ordered sequence of network functions, such as firewalls and intrusion detection systems (IDS), that are applied to data flows in order to achieve a particular objective, such as network security. With advances in Network Functions Virtualization (NFV) and Software-Defined Networking (SDN), SFCs have become more flexible: NFV allows general-purpose servers to host multiple network functions, eliminating the need for dedicated hardware and its limitations, while SDN enables specific routing paths for different traffic types and users, enhancing the adaptability of SFCs. Still, manual configuration of SFCs remains complex and often leads to errors and delays. To overcome these issues, network automation solutions such as the VEREFOO framework have been developed to automate the setup of security functions, reducing latency and human error. This thesis explores new Network Security Functions for VEREFOO, specifically Access Control Firewalls and Security Groups, to strengthen its security capabilities. Research into existing solutions, including Nftables, Cisco/CommScope and AWS Network ACLs, and the Security Groups of AWS, IBM and Oracle, supported the development of access control techniques for VEREFOO that were not possible with the already implemented Packet Filter function. The thesis contributes research on Access Control and Security Groups, abstract and XML models for these firewalls, and a Java-based Nftables serializer that translates XML configurations into commands for Linux systems. The study concludes with potential extensions of VEREFOO, aiming to further automate and refine network security configuration for additional protections.
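The abstract describes a serializer that turns an XML firewall model into nftables commands. The following is an added example, written here in Python rather than Java and not taken from the thesis or the VEREFOO project: it serialises a constructed XML model containing one ordered ACL and one security group. The `<firewall>`, `<acl>`, `<securitygroup>`, `<rule>` and `<inbound>` elements and their attributes are an assumed schema, not VEREFOO's. It captures the two semantic differences a practitioner has to preserve in such a translation: an ACL is an ordered list of allow/deny rules with an explicit default action (first match wins, because nft evaluates a chain top-down and `accept`/`drop` are terminal verdicts), whereas a security group, as AWS defines it, is an allow-list only, with an implicit deny and stateful handling of return traffic, so a deny entry in a security group is a modelling error and is rejected rather than silently emitted.

```python
"""Serialise a small XML access-control model into nftables (nft) commands.

Added example, not VEREFOO code. The XML schema below (element and attribute
names) and the sample policy are constructed for illustration only.
"""
import xml.etree.ElementTree as ET

# Constructed sample input under the assumed schema.
SAMPLE_XML = """\
<firewall name="edge">
  <acl table="acl_edge" chain="forward" hook="forward" defaultAction="deny">
    <rule action="deny"  protocol="tcp" src="10.0.0.0/8" dst="192.168.1.10" dport="23"/>
    <rule action="allow" protocol="tcp" src="10.0.0.0/8" dst="192.168.1.10" dport="22"/>
    <rule action="allow" protocol="udp" src="*"          dst="192.168.1.53" dport="53"/>
  </acl>
  <securitygroup table="sg_web" chain="input" hook="input">
    <inbound protocol="tcp" src="0.0.0.0/0"  dport="443"/>
    <inbound protocol="tcp" src="10.0.1.0/24" dport="22"/>
  </securitygroup>
</firewall>
"""

VERDICT = {"allow": "accept", "deny": "drop"}


def _match(el):
    """Build the nft match expression for one <rule> or <inbound> element.
    '*' and 0.0.0.0/0 mean 'any' and produce no address match."""
    parts = []
    src, dst = el.get("src", "*"), el.get("dst", "*")
    proto, dport = el.get("protocol"), el.get("dport")
    if src not in ("*", "0.0.0.0/0"):
        parts.append(f"ip saddr {src}")
    if dst not in ("*", "0.0.0.0/0"):
        parts.append(f"ip daddr {dst}")
    if proto in ("tcp", "udp") and dport:
        parts.append(f"{proto} dport {dport}")
    elif proto:
        parts.append(f"meta l4proto {proto}")
    return " ".join(parts)


def _base_chain(table, chain, hook, policy):
    """Create the table and a base chain attached to the given hook; the
    chain policy is the verdict applied when no rule matches."""
    return [
        f"nft add table ip {table}",
        f"nft add chain ip {table} {chain} "
        f"'{{ type filter hook {hook} priority 0; policy {policy}; }}'",
    ]


def serialize_acl(acl):
    """Ordered ACL: rules are appended in XML order, so nft's top-down
    evaluation with terminal verdicts reproduces first-match-wins."""
    table, chain, hook = acl.get("table"), acl.get("chain"), acl.get("hook")
    cmds = _base_chain(table, chain, hook, VERDICT[acl.get("defaultAction", "deny")])
    for rule in acl.findall("rule"):
        action = rule.get("action")
        if action not in VERDICT:
            raise ValueError(f"unknown ACL action {action!r}")
        cmds.append(f"nft add rule ip {table} {chain} {_match(rule)} {VERDICT[action]}")
    return cmds


def serialize_security_group(sg):
    """Security group: allow-list with implicit deny, stateful so that reply
    traffic of an accepted connection needs no rule of its own."""
    table, chain, hook = sg.get("table"), sg.get("chain"), sg.get("hook")
    cmds = _base_chain(table, chain, hook, "drop")
    cmds.append(f"nft add rule ip {table} {chain} ct state established,related accept")
    for entry in sg.findall("inbound"):
        if entry.get("action", "allow") != "allow":
            # A security group cannot express an explicit deny; failing here
            # is safer than silently turning the entry into something else.
            raise ValueError("security groups carry allow entries only")
        cmds.append(f"nft add rule ip {table} {chain} ct state new {_match(entry)} accept")
    return cmds


def serialize(xml_text):
    """Return the list of nft commands for every firewall in the document."""
    cmds = []
    for child in ET.fromstring(xml_text):
        if child.tag == "acl":
            cmds += serialize_acl(child)
        elif child.tag == "securitygroup":
            cmds += serialize_security_group(child)
        else:
            raise ValueError(f"unsupported element <{child.tag}>")
    return cmds


if __name__ == "__main__":
    print("\n".join(serialize(SAMPLE_XML)))
```

Running the block prints ten `nft` commands; the ACL chain gets `policy drop` from `defaultAction="deny"` and keeps the telnet deny ahead of the SSH allow, while the security-group chain gets an unconditional `policy drop`, a leading `ct state established,related accept`, and one `ct state new ... accept` per inbound entry. Applying the output to a real host still needs a review of hook and priority choices against whatever else is already loaded in the ruleset.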

Supervisors: Riccardo Sisto, Daniele Bringhenti, Fulvio Valenza
Academic year: 2024/25
Publication type: Electronic
Number of pages: 61
Subjects:
Degree programme: Master's degree programme in Computer Engineering (Corso di laurea magistrale in Ingegneria Informatica)
Degree class: New system > Master's degree > LM-32 - Computer Engineering (INGEGNERIA INFORMATICA)
Collaborating companies: Politecnico di Torino
URI: http://webthesis.biblio.polito.it/id/eprint/33922