
Optimized Configuration of Network Security Policies

Luigi La Mattina


Supervisors: Riccardo Sisto, Guido Marchetto, Fulvio Valenza, Daniele Bringhenti. Politecnico di Torino, Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering), 2021

PDF (Tesi_di_laurea) - Thesis
Licence: Creative Commons Attribution Non-commercial No Derivatives.


In recent years, the emergence of new networking technologies, Network Functions Virtualization (NFV) and Software Defined Networking (SDN), has brought significant improvements and greater flexibility in building the functions that make up a Service Function Chain. Thanks to these improvements, a specific function such as a NAT or a proxy server is no longer provided by a dedicated hardware appliance, but is implemented on a standard server that can host multiple network functions at the same time. This makes better use of the resources of the system and of the server itself: adding a new device no longer requires buying a new physical box, since the function is deployed directly on the server and shares its resources with the other functions installed there.

With these technologies in place, a non-negligible problem in building a Service Function Chain is the manual configuration of the network devices, and especially of the network security devices, since an incorrect configuration can lead to serious errors such as a violated security policy or the acceptance of unwanted traffic. Besides these problems, manual configuration can also introduce significant latency, because of the time required to update or maintain the security system. Network Automation offers a solution to these problems: automating the configuration of network security devices drastically reduces human errors and the latency of any configuration change.

Starting from these innovations, the main objective of this thesis work is the automation of the allocation and configuration of network security functions, achieved through a tool that can allocate and configure Firewalls and Channel Protection Systems (CPSs) at the same time, managing any conflicts and respecting optimality criteria so as to satisfy a set of communication requirements.

In particular, the main goal was the extension and improvement of VEREFOO, a framework already able to satisfy network security requirements by managing the allocation and configuration of the two security functions separately, but not able to allocate them simultaneously in the same iteration. Thanks to this improvement, the administrator can manage the allocation of both network security functions in a single iteration. In addition to this new functionality, the constraints in the CPS allocation and configuration tool have been modified and rewritten: initially expressed with integer variables, they have been rewritten with Boolean variables so as to improve the computation time of z3. This modification significantly improved the scalability of the framework, since removing the integer variables greatly simplified the MaxSMT problem. Finally, in the last part of the thesis work, a translator was written that produces, starting from the configuration of the VPNGateways in the framework's output, a configuration file for the StrongSwan platform, a platform used to build IPsec channels.

Supervisors: Riccardo Sisto, Guido Marchetto, Fulvio Valenza, Daniele Bringhenti
Academic year: 2021/22
Publication type: Electronic
Number of Pages: 106
Degree programme: Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering)
Degree class: New organization > Master science > LM-32 - COMPUTER SYSTEMS ENGINEERING
Collaborating companies: UNSPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/20416