
Automated Policy Enforcement in Software Defined Networking and NFV Environment

Antonio Amoroso


Supervisors: Riccardo Sisto, Fulvio Valenza, Daniele Bringhenti. Politecnico di Torino, Master's degree programme in Ingegneria Informatica (Computer Engineering), 2021

PDF (Tesi_di_laurea) - Thesis
License: Creative Commons Attribution Non-commercial No Derivatives.


The growing volume of exchanged data and the dynamic deployment of applications and services are driving an evolution of traditional network technology. One possible solution is based on virtualization, in particular on the Network Function Virtualization (NFV) paradigm: an architectural approach that decouples network functions from hardware appliances, so that network services can be deployed on general-purpose servers and designed with greater flexibility. A problem that arises is that service design is usually performed manually, which can lead to errors, especially when the service under analysis involves security functions such as firewalls. To avoid these errors an automated approach should be used, and in this context a policy-based model that can be refined and translated is applicable. In view of this, the thesis focuses on security inside NFV, in particular analysing packet filter behaviour, and contributes to the translation from a medium-level policy language to low-level configurations, taking into account the different firewall languages used in different scenarios. Moreover, it contributes to the development of VEREFOO (VErified REFinement and Optimized Orchestration), a framework that aims to provide a Security Automation approach as a solution to the problem highlighted above. The framework already performed the refinement of policies from the high-level language to the medium-level one, generating policies expressed as IP quintuples (source address, destination address, transport-layer protocol, source port, destination port). This work implements a new model used as the basis for the translation and focuses on enforcing the generated configuration in iptables, IPFirewall, BPF-iptables, Open vSwitch and Fortinet.
The reasons behind these choices are the following: iptables is the standard packet filter on Linux and one of the most widely deployed; IPFirewall is the packet filter of the FreeBSD operating system and the core of other well-known and widely used firewall solutions; BPF-iptables, developed at this university, works in the extended Berkeley Packet Filter (eBPF) context to achieve better performance than iptables; Open vSwitch is used in Software Defined Networking (SDN) and works with the OpenFlow protocol; Fortinet firewalls are physical appliances, which makes the tool applicable in mixed environments as well and opens the way to future scenarios. The implementation is finally tested in different network scenarios, finding that most of the translations developed behave as described by the medium-level abstraction model; the best results are achieved with IPFirewall, iptables and BPF-iptables. The module provides a RESTful API that ensures connectivity with the other modules of the framework. Future work could extend it to other types of firewall by implementing new sub-modules for new packet filters. Moreover, a machine learning algorithm could be implemented to choose the right packet filter to deploy according to the hardware resources of the machine and the environment in which it is to be deployed.
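The abstract describes translating one medium-level rule, an action plus an IP quintuple, into several concrete firewall languages. The Python below is an added illustration of that step, not VEREFOO's code and not taken from the thesis: it emits iptables, FreeBSD ipfw (IPFirewall) and Open vSwitch (ovs-ofctl) configuration from the same rule list. The medium-level format (one `Rule` per quintuple, `"*"` as wildcard, first-match order plus an explicit default action), the chain and bridge names, the ipfw numbering and the OpenFlow priority scheme are all assumptions made here. Two points a translator has to get right are shown explicitly: ports can only be matched inside a transport protocol in all three targets, so a rule with ports and a protocol wildcard must be expanded into tcp and udp rules rather than have its ports dropped; and OpenFlow has priorities instead of rule order, so the first-match order of the medium level must be mapped onto descending priorities.

```python
"""Translate medium-level 5-tuple packet-filter rules into iptables, FreeBSD
ipfw (IPFirewall) and Open vSwitch (ovs-ofctl) syntax.
Added example, not VEREFOO's code: the rule format ("*" = wildcard, first-match
order, explicit default), chain/bridge names and numbering scheme are assumed."""
from dataclasses import dataclass, replace
from typing import List

WILDCARD = "*"
TRANSPORT = ("tcp", "udp")  # the only protocols for which port matches are valid


@dataclass(frozen=True)
class Rule:
    action: str            # "ALLOW" or "DENY"
    src: str = WILDCARD    # IPv4 address or CIDR prefix
    dst: str = WILDCARD
    proto: str = WILDCARD  # "tcp", "udp", "icmp" or "*"
    sport: str = WILDCARD  # port number as a string
    dport: str = WILDCARD


def normalize(rules: List[Rule]) -> List[List[Rule]]:
    """Per input rule, the concrete rules to emit. All three targets match
    ports only inside a transport protocol, so ports with a protocol wildcard
    expand to one tcp and one udp rule, while ports on e.g. icmp are rejected
    rather than silently dropped (dropping them would widen the match)."""
    out = []
    for r in rules:
        if r.action not in ("ALLOW", "DENY"):
            raise ValueError(f"unknown action {r.action!r}")
        ports = r.sport != WILDCARD or r.dport != WILDCARD
        if ports and r.proto == WILDCARD:
            out.append([replace(r, proto=p) for p in TRANSPORT])
        elif ports and r.proto not in TRANSPORT:
            raise ValueError(f"ports given for non-transport protocol {r.proto!r}")
        else:
            out.append([r])
    return out


def to_iptables(rules, default="DENY", chain="FORWARD") -> List[str]:
    """iptables: first-match chain walk; the default becomes the chain policy."""
    lines = [f"iptables -P {chain} {'ACCEPT' if default == 'ALLOW' else 'DROP'}"]
    for r in [x for g in normalize(rules) for x in g]:
        parts = ["iptables", "-A", chain]
        # -p must precede --sport/--dport: they belong to the tcp/udp match extension
        for flag, val in (("-s", r.src), ("-d", r.dst), ("-p", r.proto),
                          ("--sport", r.sport), ("--dport", r.dport)):
            if val != WILDCARD:
                parts += [flag, val]
        parts += ["-j", "ACCEPT" if r.action == "ALLOW" else "DROP"]
        lines.append(" ".join(parts))
    return lines


def to_ipfw(rules, default="DENY") -> List[str]:
    """ipfw: numbered rules, first match in ascending order wins. The default
    is written explicitly at 65000 instead of relying on the kernel's built-in
    rule 65535, whose action depends on a kernel build option."""
    lines = []
    for n, r in enumerate([x for g in normalize(rules) for x in g], start=1):
        assert 100 * n < 65000, "too many rules for the numbering scheme"
        line = (f"ipfw add {100 * n} {'allow' if r.action == 'ALLOW' else 'deny'} "
                f"{'ip' if r.proto == WILDCARD else r.proto} "
                f"from {'any' if r.src == WILDCARD else r.src} "
                f"to {'any' if r.dst == WILDCARD else r.dst}")
        if r.sport != WILDCARD:
            line += f" src-port {r.sport}"
        if r.dport != WILDCARD:
            line += f" dst-port {r.dport}"
        lines.append(line)
    lines.append(f"ipfw add 65000 {'allow' if default == 'ALLOW' else 'deny'} ip from any to any")
    return lines


def to_ovs(rules, default="DENY", bridge="br0") -> List[str]:
    """Open vSwitch: OpenFlow has no rule order, only priorities, so the i-th
    medium-level rule gets priority 1000 - i (both halves of an expanded rule
    share it; they cannot overlap). The default is a priority-0 catch-all for
    IPv4 only: the 5-tuple model says nothing about non-IP traffic such as ARP."""
    assert len(rules) < 1000, "too many rules for the priority scheme"
    lines = []
    for i, group in enumerate(normalize(rules)):
        for r in group:
            match = [f"priority={1000 - i}", "ip" if r.proto == WILDCARD else r.proto]
            for key, val in (("nw_src", r.src), ("nw_dst", r.dst),
                             ("tp_src", r.sport), ("tp_dst", r.dport)):
                if val != WILDCARD:
                    match.append(f"{key}={val}")
            match.append("actions=" + ("NORMAL" if r.action == "ALLOW" else "drop"))
            lines.append(f"ovs-ofctl add-flow {bridge} " + ",".join(match))
    lines.append(f"ovs-ofctl add-flow {bridge} priority=0,ip,actions="
                 + ("NORMAL" if default == "ALLOW" else "drop"))
    return lines


# Constructed sample policy (not taken from the thesis).
SAMPLE_POLICY = [
    Rule("ALLOW", src="10.0.0.0/24", dst="192.168.1.10", proto="tcp", dport="80"),
    Rule("DENY", src="10.0.0.5", dst="192.168.1.0/24", dport="53"),  # proto "*" plus a port
    Rule("ALLOW", proto="icmp"),
]
```

Running `to_iptables(SAMPLE_POLICY)`, `to_ipfw(SAMPLE_POLICY)` and `to_ovs(SAMPLE_POLICY)` yields five lines each: the second medium-level rule becomes two concrete rules (tcp and udp) in every target, and in the Open vSwitch output those two share priority 999 while the icmp rule drops to 998. Fortinet and BPF-iptables, also covered by the thesis, are not emitted here; the same normalisation step would precede them as well.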

Relators: Riccardo Sisto, Fulvio Valenza, Daniele Bringhenti
Academic year: 2020/21
Publication type: Electronic
Number of Pages: 92
Degree programme: Master's degree programme in Ingegneria Informatica (Computer Engineering)
Degree class: New organization > Master of Science > LM-32 - COMPUTER SYSTEMS ENGINEERING
Co-supervising institution: Kyoto Institute of Technology (JAPAN)
Collaborating companies: UNSPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/18132