Politecnico di Torino (logo)

An abstract model of NSF capabilities for the automated security management in Software Networks

Aurelio Cirella

An abstract model of NSF capabilities for the automated security management in Software Networks.

Rel. Cataldo Basile, Antonio Lioy. Politecnico di Torino, Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering), 2022

PDF (Tesi_di_laurea) - Tesi
Licenza: Creative Commons Attribution Non-commercial No Derivatives.

Download (3MB) | Preview

Virtualisation mechanisms allow to dynamically start an instance of any kind of software without worrying about the setup and configuration of a dedicated physical machine for each of them. These mechanisms are a huge step forward in terms of service provisioning and network management: an example could be the Network Function Virtualisation approach that proposes network function instances that can be executed as processes on virtual environments hosted on the network node where these functions are needed. However, security issues are still not addressed properly. Security policy enforcement is a sensitive area that can leverage virtualisation tools. In particular, one of the most discussed problems is the development of automated frameworks that help the user to easily configure and implement the desired security level within its network topology. Usually, in order to properly embody the desired security requirements, the user should choose and configure in the proper way the Network Security Functions (NSFs). NSFs are defined as a set of Security Capabilities. Security Capability represents what the NSF can do in terms of security enforcement. Some examples are packet filtering or traffic encryption. In this scenario, the user has to know how NSF from each vendor has to be set up and this can cause errors when switching from one vendor to another. The thesis aim is to develop an abstract model through which it is possible to formally describe NSFs and how to use them. Since NSFs from different vendors expose different interfaces, a standard is required to reduce complexity when it comes to managing NSFs from several providers. The proposed abstract model offers a common interface with which different NSFs can be operated. Automated tools can leverage this common interface by programmatically querying available functionalities and configuring them according to the user's needs. The outcome is an automated framework that can perform the same reasonings that human security experts would do. The proposed model takes advantage of software development and model definition methods such as Model-Driven Engineering and Information and Data Models. The developed framework offers a formal description of NSFs through the Decorator Design Pattern. This facilitates the definition of further NSF instances and their abstract language. One of the most important abstraction layer functionalities is the introduction of a general way to specify Security Capability values in abstract policy definition, decoupling the NSF low-level syntax from the abstract policy syntax. Also, the model facilitates the provisioning of details that are specific to the selected NSF, such as low-level policy string format. Moreover, it introduces the support to NSF Default Actions when no abstract policy has to be performed and NSF Resolution Strategy when multiple abstract policies are in conflict. In conclusion, the proposed framework can receive a security policy stated in abstract language and translate it into an equivalent policy stated using low-level language for the selected Network Security Function. The developed solution can cover the above usage scenario. It has been validated in real-world use cases and it has been proven that including new NSF is simple and clear if the proposed workflow is followed. Finally, it has been tested that the proposed solution can produce valid low-level policies and that it can be embedded in the above-mentioned wider refinement framework.

Relators: Cataldo Basile, Antonio Lioy
Academic year: 2021/22
Publication type: Electronic
Number of Pages: 107
Corso di laurea: Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering)
Classe di laurea: New organization > Master science > LM-32 - COMPUTER SYSTEMS ENGINEERING
Aziende collaboratrici: UNSPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/22805
Modify record (reserved for operators) Modify record (reserved for operators)