Automated optimal firewall orchestration and configuration in virtualized networks

Bringhenti, Daniele; Marchetto, Guido; Sisto, Riccardo; Valenza, Fulvio; Yusupov, Jalolliddin

doi:10.1109/noms47738.2020.9110402

Cited by 21 publications

(21 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Later, formal verification techniques have been exploited to provide correctness assurance after the automated computation of firewall configurations ( [12], [5], [17], [22], [1]). Then, after the advent of softwarization in networking, this research path has found new relevance ( [20], [8], [9], [6]) and currently has become an important research trend in network security.…”

Section: Related Workmentioning

confidence: 99%

Short Paper

Bringhenti

Marchetto

Sisto

et al. 2020

Proceedings of the 2nd Workshop on Cyber-Security Arms Race

Self Cite

View full text Add to dashboard Cite

Data confidentiality, integrity and authentication are security properties which are often enforced with the generation of secure channels, such as Virtual Private Networks, over unreliable network infrastructures. Traditionally, the configuration of the systems responsible of encryption operations is performed manually. However, the advent of software-based paradigms, such as Software-Defined Networking and Network Functions Virtualization, has introduced new arms races. In particular, even though network management has become more flexible, the increased complexity of virtual networks is making manual operations unfeasible and leading to errors which open the path to a large number of cyber attacks. A possible solution consists in reaching a trade-off between flexibility and complexity, by automatizing the configuration of the channel protection systems through policy refinement. In view of these considerations, this paper proposes a preliminary study for an innovative methodology to automatically allocate and configure channel protection systems in virtualized networks. The proposed approach would be based on the formulation of a MaxSMT problem and it would be the first to combine automation, formal verification and optimality in a single technique. CCS CONCEPTS • Security and privacy → Formal security models; Security protocols; Privacy-preserving protocols; • Networks → Security protocols; Network management.

show abstract

Section: Related Workmentioning

confidence: 99%

Short Paper

Bringhenti

Marchetto

Sisto

et al. 2020

Proceedings of the 2nd Workshop on Cyber-Security Arms Race

Self Cite

View full text Add to dashboard Cite

show abstract

“…The most significant frameworks for automatic configuration of packets filtering firewalls based on policy refinement are FIRMATO [4], FACE [25], MI-RAGE [9], and VEREFOO [7]. Moreover, a refinement model that allows the translation of high-level security requirements into low-level configuration settings for the virtual network security functions was introduced in [5].…”

Section: Policy Refinementmentioning

confidence: 99%

“…The first step is to understand which are the paths for a certain package to go from the source to the destination. For req 3 we have 1 // p is a policy rule 2 if configuration=="max" then Algorithm 2: Firewalls' population algorithm two paths: the first uses F w 1 7 and F w 3 and the second uses F w 2 ; for req 1 we have two paths: the first uses F w 1 and F w 3 and the second uses F w 2 ; and for req 4 we have two paths: the first uses F w 1 and the second uses F w 2 and F w 3 . req 3 should be applied in all paths, as it is an "allow " action, thus, it should be placed in all firewalls.…”

Section: Distribution Modulementioning

confidence: 99%

“…Since req 5 is more specific, then it has higher priority than req 4 , (req 5 > req 4 ); -Conflict 4 -redundancy: req 6 is included in req 4 and their actions are the same. Since req 6 is more specific and allows the traffic, then it is removed; -Conflict 5 -correlation: there is an intersection between the packets of req 7 and req 8 and their actions are different. Due to the resolution strategy employed, req 8 has higher priority than req 7 , (req 8 > req 7 ); -Conflict 6 -redundancy: req 10 is included in req 9 and their actions are the same.…”

Section: Implementation and Validationmentioning

confidence: 99%

See 1 more Smart Citation

Automatic Firewalls’ Configuration Using Argumentation Reasoning

Karafili

Valenza

2020

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

“…In light of these observations, the challenge we propose to face is to effectively exploit the benefits provided by the virtual networking paradigms, minimizing the impact of their beforehand illustrated drawbacks. With this aim, we designed a framework based on the innovative methodology presented in [8], based on Maximum Satisfiability Modulo Theories (MaxSMT), and we integrated it in the context of Kubernetes. The proposed approach automatically configures virtual firewalls, where a consistent number of configuration errors are traditionally performed.…”

Section: Introductionmentioning

confidence: 99%

Introducing programmability and automation in the synthesis of virtual firewall rules

Bringhenti

Marchetto

Sisto

et al. 2020

2020 6th IEEE Conference on Network Softwarization (NetSoft)

Self Cite

View full text Add to dashboard Cite

The rise of new forms of cyber-threats is mostly due to the extensive use of virtualization paradigms and the increasing adoption of automation in the software life-cycle. To address these challenges we propose an innovative framework that leverages the intrinsic programmability of the cloud and software-defined infrastructures to improve the effectiveness and efficiency of reaction mechanisms. In this paper, we present our contributions with a demonstrative use case in the context of Kubernetes. By means of this framework, developers of cybersecurity appliances will not have any more to care about how to react to events or to struggle to define any possible security tasks at design time. In addition, automatic firewall ruleset generation provided by our framework will mostly avoid human intervention, hence decreasing the time to carry out them and the likelihood of errors. We focus our discussions on technical challenges: definition of common actions at the policy level and their translation into configurations for the heterogeneous set of security functions by means of a use case.

show abstract

Automated optimal firewall orchestration and configuration in virtualized networks

Cited by 21 publications

References 23 publications

Short Paper

Short Paper

Automatic Firewalls’ Configuration Using Argumentation Reasoning

Introducing programmability and automation in the synthesis of virtual firewall rules

Contact Info

Product

Resources

About