Politecnico di Torino (logo)

Enhanced Deployment of Channel Protection Functions in Virtual Networks

Angelo Floridia

Enhanced Deployment of Channel Protection Functions in Virtual Networks.

Rel. Fulvio Valenza, Riccardo Sisto, Daniele Bringhenti. Politecnico di Torino, Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering), 2023

PDF (Tesi_di_laurea) - Tesi
Licenza: Creative Commons Attribution Non-commercial No Derivatives.

Download (3MB) | Preview

In today's world, automating Cybersecurity has become a crucial aspect of companies strategy defense to ensure security and reliability against constantly evolving network security threats. Through the exploitation of Network Function Virtualization (NFV) and Software defined Networks (SDN) it is possible to express a series of Network Security Requirements (NSRs) for any given network with the aim to use the paradigm of network virtualization to automate and optimize the allocation and the configuration of Network Security Functions (NSFs), such as channel protection systems. Since a pure manual configuration is prone to human errors, it’s been addressed an approach which allow network administrators to specify NSRs in a high-level language with a software capable of automatically translate them, establishing a graph of the network without policy conflicts and with NSFs allocated and configured automatically. These solutions are called Refinement Tools and are provided with correctness-by-construction verification approach. When it comes to configure communication protected channels, it is mandatory to take into consideration not only the risks connected to a manual configuration, but also all the various variables present in the configuration of them. This is advised in order not to occur in low security configuration and/or data losses. To define these problems there have been studied taxonomies which classify these inconsistencies (i.e., Insecure communications, Unfeasible communication, Suboptimal walks, etc.). The objective of this work is to create a middleware, capable of taking in input a correct and optimal VPN configuration and translate it to a real configuration for a IPSEC-based VPN software solution: Strongswan. This Translator is itself part of a bigger framework, VEREFOO, capable of translating NSR given in a high-level language by human to an automatic allocation and configuration of NSF in an optimized, verified and correct manner. In VEREFOO, to model how traffic flows is forwarded and/or translated crossing the different nodes (Firewalls, NAT, VPN gateways) in the network have been proposed two approaches. The first takes into consideration the use of Atomic Predicates, each one identified by the IP quintuple, through which it is possible to calculate the set of minimal and totally disjunct set of predicates (atomic). The second one is dependent on the splitting of the traffic in the opposite way, which means creating fewer flows but combining them having just one of them representative for all. There is no winner in these two approaches, but a series of pros and cons are discussed in the thesis. In this thesis the focus was on the recognition of VPN tunnels in the virtualized network and the automatic generation of the respecting configuration files in the low-level language of Strongswan. To accomplish this goal some tools have been used, like the OpenSSH project, the SCP protocol exploited through the Library com.jcraft.jsch. The network topology was analyzed and its configuration has been sanitized and translated to be compatible with Strongswan and the new configuration files were sent to Virtual Machines, used as test environment. Due to the unpreparednes of the network configuration coming in output from VEREFOO for a real configuration implementation, some assumptions has been necessary and some limitations were pointed out, but overall the tests have showed promising results, easily improvable in the future, confirming this way is respectable to follow.

Relators: Fulvio Valenza, Riccardo Sisto, Daniele Bringhenti
Academic year: 2022/23
Publication type: Electronic
Number of Pages: 84
Corso di laurea: Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering)
Classe di laurea: New organization > Master science > LM-32 - COMPUTER SYSTEMS ENGINEERING
Aziende collaboratrici: UNSPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/27658
Modify record (reserved for operators) Modify record (reserved for operators)