A model for the analysis of security policies in service function chains

Two emerging architectural paradigms, i.e., Software Defined Networking (SDN) and Network Function Virtualization (NFV), enable the deployment and management of Service Function Chains (SFCs). A SFC is an ordered sequence of abstract Service Functions (SFs), e.g., firewalls, VPN-gateways,traffic monitors, that packets have to traverse in the route from source to destination. While this appealing solution offers significant advantages in terms of flexibility, it also introduces new challenges such as the correct configuration and ordering of SFs in the chain to satisfy overall security requirements. This paper presents a formal model conceived to enable the verification of correct policy enforcements in SFCs. Software tools based on the model can then be designed to cope with unwanted network behaviors (e.g., security flaws) deriving from incorrect interactions of SFs in the same SFC

Secure communication using dynamic VPN provisioning in an Inter-Cloud environment

Most of the current cloud computing platforms offer Infrastructure as a Service (IaaS) model, which aims to provision basic virtualised computing resources as on-demand and dynamic services. Nevertheless, a single cloud does not have limitless resources to offer to its users, hence the notion of an Inter-Cloud enviroment where a cloud can use the infrastructure resources of other clouds. However, there is no common framework in existence that allows the srevice owners to seamlessly provision even some basic services across multiple cloud service providers, albeit not due to any inherent incompatibility or proprietary nature of the foundation technologies on which these cloud platforms are built. In this paper we present a novel solution which aims to cover a gap in a subsection of this problem domain. Our solution offer a security architecture that enables service owners to provision a dynamic and service-oriented secure virtual private network on top of multiple cloud IaaS providers. It does this by leveraging the scalability, robustness and flexibility of peer- to-peer overlay techniques to eliminate the manual configuration, key management and peer churn problems encountered in setting up the secure communication channels dynamically, between different components of a typical service that is deployed on multiple clouds. We present the implementation details of our solution as well as experimental results carried out on two commercial clouds

An Analisys of Business VPN Case Studies

A VPN (Virtual Private Network) simulates a secure private network through a shared public insecure infrastructure like the Internet. The VPN protocol provides a secure and reliable access from home/office on any networking technology transporting IP packets. In this article we study the standards for VPN implementation and analyze two case studies regarding a VPN between two routers and two firewalls.VPN; Network; Protocol.

On the security of software-defined next-generation cellular networks

In the recent years, mobile cellular networks are ndergoing fundamental changes and many established concepts are being revisited. Future 5G network architectures will be designed to employ a wide range of new and emerging technologies such as Software Defined Networking (SDN) and Network Functions Virtualization (NFV). These create new virtual network elements each affecting the logic of the network management and operation, enabling the creation of new generation services with substantially higher data rates and lower delays. However, new security challenges and threats are also introduced. Current Long-Term Evolution (LTE) networks are not able to accommodate these new trends in a secure and reliable way. At the same time, novel 5G systems have proffered invaluable opportunities of developing novel solutions for attack prevention, management, and recovery. In this paper, first we discuss the main security threats and possible attack vectors in cellular networks. Second, driven by the emerging next-generation cellular networks, we discuss the architectural and functional requirements to enable appropriate levels of security

Automatic Intent-Based Secure Service Creation Through a Multilayer SDN Network Orchestration

Growing traffic demands and increasing security awareness are driving the need for secure services. Current solutions require manual configuration and deployment based on the customer's requirements. In this work, we present an architecture for an automatic intent-based provisioning of a secure service in a multilayer - IP, Ethernet, and optical - network while choosing the appropriate encryption layer using an open-source software-defined networking (SDN) orchestrator. The approach is experimentally evaluated in a testbed with commercial equipment. Results indicate that the processing impact of secure channel creation on a controller is negligible. As the time for setting up services over WDM varies between technologies, it needs to be taken into account in the decision-making process.Comment: Parts of the presented work has received funding from the European Commission within the H2020 Research and Innovation Programme, under grant agreeement n.645127, project ACIN

Global Verification and Analysis of Network Access Control Configuration

Network devices such as routers, firewalls, IPSec gateways, and NAT are configured using access control lists. However, recent studies and ISP surveys show that the management of access control configurations is a highly complex and error prone task. Without automated global configuration management tools, unreachablility and insecurity problems due to the misconfiguration of network devices become an ever more likely. In this report, we present a novel approach that models the global end-to-end behavior of access control devices in the network including routers, firewalls, NAT, IPSec gateways for unicast and multicast packets. Our model represents the network as a state machine where the packet header and location determine the state. The transitions in this model are determined by packet header information, packet location, and policy semantics for the devices being modeled. We encode the semantics of access control policies with Boolean functions using binary decision diagrams (BDDs). We extended computation tree logic (CTL) to provide more useful operators and then we use CTL and symbolic model checking to investigate all future and past states of this packet in the network and verify network reachability and security requirements. The model is implemented in a tool called ConfigChecker. We gave special consideration to ensure an efficient and scalable implementation. Our extensive evaluation study with various network and policy sizes shows that ConfigChecker has acceptable computation and space requirements with large number of nodes and configuration rules

Description and Experience of the Clinical Testbeds

This deliverable describes the up-to-date technical environment at three clinical testbed demonstrator sites of the 6WINIT Project, including the adapted clinical applications, project components and network transition technologies in use at these sites after 18 months of the Project. It also provides an interim description of early experiences with deployment and usage of these applications, components and technologies, and their clinical service impact