A framework for automatic Network Security Functions selection and placement in NFV/Cloud context

Nowadays, electronic devices, such as computers and mobile phones, are used at any time of the day. They allow us to satisfy our desire to know, who has never done a search on the Web? They give us the opportunity to work remotely and, moreover, we use them for online shopping and to follow our team of the heart. But the most important thing is that they allow us to stay in contact with our loved ones that very often are miles from us. All these things are made possible by the fact that all devices are connected in the world through a large network: the Internet. Each of us uses the network without worrying about how it works. But setting up the network to allow this is not easy at all. Network administrators have a lot to do every day. This is because the network consists of countless devices that need to be added and configured according to user requests. The configuration and management of these devices is not simple and this is because the applications can be innumerable and very different from each other. There are also distinct types of devices and each requires specific knowledge to be configured correctly. The network is, therefore, difficult to manage, monitor and slow to react to failures and security attacks. These motivations have led, in recent years, the development of two new paradigms: Network Function Virtualization (NFV) and Software-Defined Networking (SDN). The aim of this thesis is to propose a framework that can meet the work of network administrators, helping them to define policies and choose the functions to be used. Proposing an innovative way to address customer needs and to automatically configure the Service Chain. In other word, to offer the Verifuse (VERInet FUnction SElection and placement) framework that can automatically choose how many and which security functions are needed, after having defined a set of policies written by one or more administrators for all users of the same network, and to allocate them among the physical servers available. Therefore, this thesis also proposes the following models made using the XML language: the Policy Repository, to allow administrators to express policies using the HPL language; the Catalog of NSFs, containing the list of all available network functions; Capabilities, key concept of the approach developed. They are a set of features that share network functions and that enable certain policies to be met. Each network function supports one or more capabilities and each policy rule requires one. For example, Internet traffic control requires the capability Packet Filter; Hosts, the physical servers available.???? The framework provides everything you need to define and analyze policies, allowing you to create your own catalog of functions and your physical host infrastructure. After choosing the optimization criterion (e.g., minimize the use of ram), Verifuse automatically selects which network functions are needed to meet the policies thanks to the ILP solver Gurobi. Therefore, it chooses functions, starting with policy analysis, and allocate them among the available hosts. The choice is optimized, it is the user who defines the parameters and the priorities. The modules scale very well and have been designed in such a way as to be independent and to be easily expandable in the future. In the future, in fact, we could improve the model of the hosts in such a way as to allow a better selection in the phase of optimization.