Politecnico di Torino (logo)

Evaluation of a Heuristic Algorithm for Firewall Configuration

David Di Marco

Evaluation of a Heuristic Algorithm for Firewall Configuration.

Rel. Fulvio Valenza, Riccardo Sisto, Daniele Bringhenti. Politecnico di Torino, Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering), 2024

PDF (Tesi_di_laurea) - Tesi
Licenza: Creative Commons Attribution Non-commercial No Derivatives.

Download (6MB) | Preview

In the ever-evolving landscape of network security and orchestration, the Network Functions Virtualization (NFV) paradigm is a novel innovative paradigm revolutionizing networking technology. NFV presents significant advantages over traditional networks by decoupling network functions from hardware appliances. This innovation enables the deployment of software processes as service functions on versatile general purpose servers. This approach introduces unparalleled flexibility and agility, enabling the creation of Service Graphs that generalize the Service Function Chain (SFC) concept. These graphs describe the organization and connection of network functions essential for end-to-end service delivery. However, a challenge arises in this context. While service designers are typically responsible for creating Service Graphs, security managers separately handle the allocation and configuration of Network Security Functions (NSFs) like firewalls. These manual operations are human error-prone and can result in latency when adapting to evolving security requirements. To address these challenges, this thesis contributes to the advancement of the VEREFOO (VErified REFinement and Optimized Orchestration) framework, a Java-based system designed to automatically determine the optimal placement and configuration of network security mechanisms in a virtualized network, such as firewalls and anti-spam filters given as input the network topology and a set of Network Security Requirements (NSRs). In prior studies, VEREFOO was explored through two distinct implementations. The initial approach is based on the formulation of the problem for optimization and verification and its execution using Z3, an advanced MaxSMT solving tool. The primary goal is to minimize the number of instances of NSFs for optimal resource utilization. Additionally, there is a focus on optimally configuring the rules in order to enhance the efficiency of filtering operations. However, this solution faces scalability problems. Despite the optimal allocation of firewalls and rules, it still experiences significantly prolonged resolution times, yet when dealing with networks of small to medium sizes. To tackle the scalability challenges inherent in the initial MaxSMT-based solution, an innovative heuristic algorithm has been introduced. In this context, a heuristic algorithm denotes an approach that, while not ensuring optimality, strikes a balance between achieving suboptimal results and enhancing scalability. This strategic decision allows for the handling of larger networks, although the resultant solution may not be optimal as the one proposed by the MaxSMT solver. It means that the solution given by the heuristic algorithm will result in a higher number of allocated NSFs and configured rules. Nevertheless, the advantage lies in the capability to manage vastly expanded network sizes, accompanied by reduced resolution times when compared to the MaxSMT-based approach. The main goal of this thesis is to compare these two distinct approaches to evaluate their performance in real-world scenarios. This assessment was conducted through a series of tests exploring feasibility, scalability, and optimality of both approaches. The aim is to determine the circumstances in which using one approach is more advantageous than the other, thus providing clear insights into optimal situations for the application of each method.

Relators: Fulvio Valenza, Riccardo Sisto, Daniele Bringhenti
Academic year: 2023/24
Publication type: Electronic
Number of Pages: 119
Corso di laurea: Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering)
Classe di laurea: New organization > Master science > LM-32 - COMPUTER SYSTEMS ENGINEERING
Aziende collaboratrici: UNSPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/31062
Modify record (reserved for operators) Modify record (reserved for operators)