Federico Cagnazzo
Towards Energy-Aware Network Security Automation in Edge-to-Cloud Environments.
Supervisors: Daniele Bringhenti, Fulvio Valenza, Riccardo Sisto. Politecnico di Torino, NOT SPECIFIED, 2025
PDF (Tesi_di_laurea) - Thesis (7MB)
License: Creative Commons Attribution Non-commercial No Derivatives.
| Abstract: | The rapid evolution of digital infrastructures, accelerated by the proliferation of the Internet of Things (IoT) and virtualization, has increased the complexity of securing distributed environments while raising concerns about energy efficiency. Traditional manual configuration of security controls is no longer feasible in dynamic networks, where even small errors can compromise protection. Automation addresses this challenge by ensuring correctness and adaptability, but current approaches often overlook the energy consumption of security operations. This thesis focuses on the integration of network security automation with energy-aware strategies in Edge-to-Cloud (E2C) environments, where resources are dynamically distributed between endpoints, edge devices, and cloud infrastructures. The work builds upon GreenShield, an energy-aware framework for automated firewall configuration, designed to enforce security policies with strict correctness while reducing energy consumption. The thesis extends GreenShield to support the hierarchical nature of E2C systems, introducing novel constraints to guide the placement and activation of security functions with explicit consideration for power efficiency. A key contribution is the analysis of the power consumption of virtualization technologies, i.e., virtual machines (VMs) and containers, that are at the basis of E2C platforms. Finally, new constraints are proposed to integrate GreenShield in the E2C context. In the second part, to evaluate scalability and practical feasibility, the thesis develops a dedicated test generator integrated into Verefoo, the security automation framework that serves as the foundation for GreenShield. The generator is adapted to the CESNET3 research and education network, based on real encrypted TLS traffic traces taken from the CESNET-TLS-Year22 dataset. It systematically produces realistic test cases by statistically modeling traffic distributions and generating reachability and isolation policies. In the final part, the thesis presents a comprehensive validation of the tests generated for the CESNET3 network. The results are evaluated under different configurations, including various solver versions, both with a MaxSMT and a heuristic approach, and varying policy complexity. The findings demonstrate the effectiveness of the proposed extensions in maintaining security guarantees, while also providing a means to study the scalability of the test generator and of Verefoo on a real network such as CESNET3. As future work, the thesis suggests further extension of the test generator to GreenShield, enabling the evaluation of energy-aware security automation in contexts that closely resemble real-world scenarios like the CESNET3 network. |
|---|---|
| Supervisors: | Daniele Bringhenti, Fulvio Valenza, Riccardo Sisto |
| Academic year: | 2025/26 |
| Publication type: | Electronic |
| Number of pages: | 81 |
| Subjects: | |
| Degree programme: | NOT SPECIFIED |
| Degree class: | New system > Master's degree > LM-32 - COMPUTER ENGINEERING |
| Collaborating companies: | NOT SPECIFIED |
| URI: | http://webthesis.biblio.polito.it/id/eprint/37911 |



Creative Commons License - Attribution 3.0 Italy