User-friendly Security Automation for Domotic Networks

The Network Functions Virtualization (NFV) paradigm revolutionizes networking technology by enabling the installation of software processes as service functions on general-purpose servers. Through NFV, a Service Graph is created, offering improved flexibility and performance by enabling multiple paths between endpoints. However, the manual creation and configuration of Service Graphs, especially when it involves security functions, present challenges. Security functions, such as firewalls and parental controls, play a crucial role in ensuring network safety. Misconfigurations and delays in updating security defenses to meet evolving security requirements are common risks associated with manual operations. To overcome these challenges, this thesis contributes to the development of VEREFOO (VErified REFinement and Optimized Orchestration). VEREFOO aims to automate Network and Security Management by automatically allocating and configuring Network Security Functions on a Service Graph. It achieves this by addressing a set of network security requirements expressed by the security administrator using a high-level security language and a refinement process. The proposed approach involves the formulation of a MaxSMT problem, with the objective of maximizing the sum of weights assigned to satisfied soft clauses while adhering to hard constraints, that always require to be satisfied. This formulation provides a formal verification of the solution’s correctness. The significant contribution of this thesis work lies in extending the functionality of VEREFOO’s ADP module to enable automatic allocation and/or configuration of Parental Control Systems. These systems can be implemented either within a device with full internet capabilities or within an Allocation Place along the path between the source and destination of the requirement. This thesis has introduced two types of Parental Control Systems. The first type is a simpler system that allows traffic customization for each user based on predefined filter levels. The second type is a more advanced system that enables device-level constraints, such as setting a daily time limit for device usage. Extensive testing of the implementation has been conducted in various network scenarios, demonstrating that the proposed approach provides a viable alternative to manual allocation and configuration of Parental Control Systems. Furthermore, the approach has been designed to be extensible, allowing for future enhancements such as defining requirements for specific categories of websites and incorporating other features commonly found in current Parental Control solutions.