Probabilistic QoS-aware Placement of VNF chains at the Edge
Deploying IoT-enabled Virtual Network Function (VNF) chains to Cloud-Edge infrastructures requires determining a placement for each VNF that satisfies all set deployment requirements, as well as a software-defined routing of traffic flows between consecutive functions that meets all set communication requirements. In this article, we present a declarative solution, EdgeUsher, to the problem of how to best place VNF chains on Cloud-Edge infrastructures. EdgeUsher can determine all eligible placements for a set of VNF chains on a Cloud-Edge infrastructure so as to satisfy all of their hardware, IoT, security, bandwidth, and latency requirements. It exploits probability distributions to model the dynamic variations in the available Cloud-Edge infrastructure, and to assess the output eligible placements against those variations.
Automation for network security configuration: state of the art and research trends
The size and complexity of modern computer networks are progressively increasing, as a consequence of novel architectural paradigms such as the Internet of Things and network virtualization. Consequently, manual orchestration and configuration of network security functions is no longer feasible, in an environment where cyber attacks can dramatically exploit breaches related to even the smallest configuration error. A new frontier is then the introduction of automation in network security configuration, i.e., automatically designing the architecture of security services and the configurations of network security functions, such as firewalls, VPN gateways, etc. This opportunity has been enabled by modern computer network technologies, such as virtualization. In view of these considerations, the motivations for the introduction of automation in network security configuration are first introduced, alongside the key automation enablers. Then, the current state of the art in this context is surveyed, focusing on both the achieved improvements and the current limitations. Finally, possible future trends in the field are illustrated.
Network Security Automation
The abstract is in the attachment.
A pattern-based framework for the design of secure and dependable SDN/NFV-enabled networks
As the world becomes an interconnected network where objects and humans interact, cyber and physical networks appear to play an important role in smart ecosystems due to their increasing use in critical infrastructure and smart cities. Software Defined Networking (SDN) and Network Function Virtualisation (NFV) are a promising combination for programmable connectivity, rapid service provisioning and service chaining, as they offer the necessary end-to-end optimisations. However, with the current exponential growth of connected devices, future networks, such as SDN and NFV, require open architectures, facilitated by standards and a strong ecosystem. In this thesis, a model-based approach is proposed to support the design and verification of secure and dependable SDN/NFV-enabled networks. The model is based on the development of a pattern-based approach to design executable patterns as solutions for reusable designs and interactions of objects, encoded in a rule-based reasoning system, able to guarantee security and dependability (S&D) properties in SDN/NFV-enabled networks. To execute S&D patterns, a pattern-based framework is implemented for the insertion of patterns at design time and at runtime. The developed pattern framework also highlights the benefit of leveraging the flexibility of SDN/NFV-enabled networks to deploy enhanced reactive security mechanisms for the protection of the industrial network via the use of service function chaining (SFC). To prove the importance of this approach and the functionality of the pattern framework, different pattern instances are implemented to guarantee S&D in network infrastructures. The developed design patterns are able to design network topologies, guarantee network properties and offer security service provisioning and chaining. Finally, in order to evaluate the developed patterns in the pattern framework, three different use cases are described, where a number of usage scenarios are deployed and evaluated experimentally.
Hybrid SDN Evolution: A Comprehensive Survey of the State-of-the-Art
Software-Defined Networking (SDN) is an evolutionary networking paradigm which has been adopted by large network and cloud providers, among which are Tech Giants. However, embracing a new and futuristic paradigm as an alternative to a well-established and mature legacy networking paradigm requires a lot of time along with considerable financial resources and technical expertise. Consequently, many enterprises cannot afford it. A compromise solution then is a hybrid networking environment (a.k.a. Hybrid SDN (hSDN)) in which SDN functionalities are leveraged while existing traditional network infrastructures are acknowledged. Recently, hSDN has been seen as a viable networking solution for a diverse range of businesses and organizations. Accordingly, the body of literature on hSDN research has grown remarkably. On this account, we present this paper as a comprehensive state-of-the-art survey which expands upon hSDN from many different perspectives.
Context-based security function orchestration for the network edge
Over the last few years the number of interconnected devices has increased dramatically, generating zettabytes of traffic each year. In order to cater to the requirements of end-users, operators have deployed network services to enhance their infrastructure. Nowadays, telecommunications service providers are making use of virtualised, flexible, and cost-effective network-wide services, under what is known as Network Function Virtualisation (NFV). Future network and application requirements necessitate services to be delivered at the edge of the network, in close proximity to end-users, which has the potential to reduce end-to-end latency and minimise the utilisation of the core infrastructure while providing flexible allocation of resources. One class of functionality that NFV facilitates is the rapid deployment of network security services. However, the urgency for assuring connectivity to an ever increasing number of devices as well as their resource-constrained nature, has led to neglecting security principles and best practices. These low-cost devices are often exploited for malicious purposes in targeting the network infrastructure, with recent volumetric Distributed Denial of Service (DDoS) attacks often surpassing 1 terabyte per second of network traffic.
The work presented in this thesis aims to identify the unique requirements of security modules implemented as Virtual Network Functions (VNFs), and the associated challenges in providing management and orchestration of complex chains consisting of multiple VNFs. The work presented here focuses on deployment, placement, and lifecycle management of microservice-based security VNFs in resource-constrained environments using contextual information on device behaviour. Furthermore, the thesis presents a formulation of the latency-optimal placement of service chains at the network edge, provides an optimal solution using Integer Linear Programming, and an associated near-optimal heuristic solution that is able to solve larger-size problems in reduced time, which can be used in conjunction with context-based security paradigms.
The results of this work demonstrate that lightweight security VNFs can be tailored for, and hosted on, a variety of devices, including commodity resource-constrained systems found in edge networks. Furthermore, using a context-based implementation of the management and orchestration of lightweight services enables the deployment of real-world complex security service chains tailored towards the user's performance demands from the network. Finally, the results of this work show that on-path placement of service chains reduces the end-to-end latency and minimises the number of service-level agreement violations, therefore enabling secure use of latency-critical networks.
Gestion de la Sécurité pour le Cyber-Espace - Du Monitorage Intelligent à la Configuration Automatique (Security Management for Cyberspace - From Intelligent Monitoring to Automatic Configuration)
The Internet has become a great integration platform capable of efficiently interconnecting billions of entities, from simple sensors to large data centers. This platform provides access to multiple hardware and virtualized resources (servers, networking, storage, applications, connected objects) ranging from cloud computing to Internet-of-Things infrastructures. From these resources, which may be hosted and distributed amongst different providers and tenants, the building and operation of complex and value-added networked systems is enabled. These systems are however exposed to a large variety of security attacks, which are also gaining in sophistication and coordination. In that context, the objective of my research work is to support security management for the cyberspace, with the elaboration of new monitoring and configuration solutions for these systems. A first axis of this work has focused on the investigation of smart monitoring methods capable of coping with low-resource networks. In particular, we have proposed a lightweight monitoring architecture for detecting security attacks in low-power and lossy networks, by exploiting different features provided by a routing protocol specifically developed for them. A second axis has concerned the assessment and remediation of vulnerabilities that may occur when changes are operated on system configurations. Using standardized vulnerability descriptions, we have designed and implemented dedicated strategies for improving the coverage and efficiency of vulnerability assessment activities based on versioning and probabilistic techniques, and for preventing the occurrence of new configuration vulnerabilities during remediation operations. A third axis has been dedicated to the automated configuration of virtualized resources to support security management.
In particular, we have introduced a software-defined security approach for configuring cloud infrastructures, and have analyzed to what extent programmability facilities can contribute to their protection at the earliest stage, through the dynamic generation of specialized system images that are characterized by low attack surfaces. Complementarily, we have worked on building and verification techniques for supporting the orchestration of security chains, which are composed of virtualized network functions such as firewalls or intrusion detection systems. Finally, several research perspectives on security automation are pointed out with respect to ensemble methods, composite services and verified artificial intelligence.