11 research outputs found

    ETSI ZSM driven security management in future networks

    This paper presents a security management framework driven by the Zero-Touch Network and Service Management (ZSM) paradigm and embedded in the High-Level Architecture (HLA) developed in the INSPIRE-5Gplus project. The project work also included the design and implementation of several smart 5G security methods and techniques that are essential for achieving security management in future networks. Moreover, the paper provides a summary of the lessons learned and guidelines gathered during the practical validation activities for bringing closed-loop and smart security management into Beyond 5G systems. Finally, we discuss the key challenges and future work needed to integrate closed-loop security management in future networks.

    Policy-driven security management for next-generation SDN/NFV-based IoT infrastructures

    Objectives. At the beginning of this thesis (2017), different sources estimated about 23 billion IoT devices connected to the network, and statisticians predicted that these numbers could reach up to 50 billion devices within a few years. While managing this staggering number of devices and connections is an enormous challenge in itself, the nature of IoT devices also brings specific challenges for security management, such as their scalability, dynamism, heterogeneity and limited resources. To contribute to this line of research, this thesis focuses on the research, design and development of a framework capable of managing security policies at a high level of abstraction, independent of the underlying infrastructure, thus decoupling the security requirements from specific implementations in order to mitigate problems such as heterogeneity. The combination of policy-based security, a modular design, appropriate integration with dynamic and flexible technologies such as SDN and NFV, different monitoring technologies and new security components specifically designed for IoT provides the framework with novel features, such as the automation of security management over these environments through reactive self-healing and self-repair capabilities to deal with new threats.

    Methodology. To achieve the proposed objective, it was divided into different blocks, and an incremental iterative methodology was applied to each block and also between blocks. For each block, a requirements analysis, a state-of-the-art review, solution design, proof-of-concept implementation, configuration, deployment, evaluation and analysis of the results were carried out. The results provided new knowledge to refine the following iterations in the same block, as well as its possible interactions with the others. In this way, each block was refined throughout the thesis, contributing to its final solution.

    Results. During the period of this thesis, the iterative methodology applied to the objectives produced different results, such as a book chapter, a conference article and nine JCR-indexed publications, five of which make up the compendium of the thesis. Since the results of the thesis were also validated during the European H2020 project ANASTACIA, multiple technical reports (more than 20 European project deliverables) were also produced. In this sense, design, implementation and validation results have been provided for the isolation of compromised IoT devices through the application of high-level traffic filtering policies. Dynamic and on-demand AAA and channel protection capabilities, which did not exist until now, have been developed for IoT environments. The components and interactions of the framework have also been validated in the European ANASTACIA project, where they have been integrated with the monitoring and reaction elements, providing reaction capabilities specific to IoT devices. The first results to date on the transparent dynamic instantiation of virtual IoT networks that replicate real IoT environments have also been provided as a new security countermeasure, by integrating SDN, NFV and IoT-specific emulators. Finally, orchestration policies have been designed to significantly improve the mitigation capability of the system; these hold multiple security policies, together with their order of application, their priorities, and even dependencies between them or between the policies and system events. It is important to highlight that the results of this thesis, as well as the implementation of its different components, have been and are being exploited and reused in European H2020 projects such as ANASTACIA and INSPIRE 5G+.

    Semantic-aware security orchestration in SDN/NFV-enabled IoT systems

    Funding: EC/H2020/731558/EU (ANASTACIA); EC/H2020/871808/EU (INSPIRE-5Gplus)
    IoT systems can be leveraged by Network Function Virtualization (NFV) and Software-Defined Networking (SDN) technologies, thereby strengthening their overall flexibility, security and resilience. In this sense, adaptive and policy-based security frameworks for SDN/NFV-aware IoT systems can provide remarkable added value for self-protection and self-healing, by dynamically orchestrating and enforcing security policies and the associated Virtual Network Functions (VNF) or Virtual network Security Functions (VSF) according to the actual context. However, this security orchestration is subject to multiple possible inconsistencies between the policies to enforce, the already enforced management policies and the evolving status of the managed IoT system. In this regard, this paper presents a semantic-aware, zero-touch and policy-driven security orchestration framework for autonomic and conflict-free security orchestration in SDN/NFV-aware IoT scenarios, while ensuring optimal allocation and Service Function Chaining (SFC) of VSFs. The framework relies on semantic technologies and considers the security policies and the evolving IoT system model to dynamically and formally detect any semantic conflict during the orchestration. In addition, our optimized SFC algorithm maximizes QoS, security aspects and resource usage during VSF allocation. The security orchestration framework has been implemented and validated, showing its feasibility and performance in detecting conflicts and optimally enforcing the VSFs.
    Peer reviewed

    Enabling Virtual AAA Management in SDN-Based IoT Networks †

    The growth of Software Defined Networking (SDN) and Network Function Virtualization (NFV) technologies is bringing many security management benefits that can be exploited at the edge of Internet of Things (IoT) networks to deal with cyber-threats. In this sense, this paper presents and evaluates a novel policy-based and cyber-situational-awareness security framework for continuous and dynamic management of Authentication, Authorization, Accounting (AAA) and Channel Protection virtual security functions in SDN/NFV-enabled IoT networks. The virtual AAA components, including network authenticators, are deployed dynamically as VNFs (Virtual Network Functions) at the edge, in order to enable scalable device bootstrapping and to manage the access control of IoT devices to the network. In addition, our solution dynamically distributes the crypto-keys needed for IoT Machine to Machine (M2M) communications and deploys virtual channel-protection proxies as VNFs, with the aim of establishing secure tunnels among IoT devices and services according to the contextual decisions inferred by the cognitive framework. The solution has been implemented and evaluated, demonstrating its feasibility for dynamically managing AAA and channel protection in SDN/NFV-enabled IoT scenarios.

    Enforcing Behavioral Profiles through Software-Defined Networks in the Industrial Internet of Things

    The fourth industrial revolution is being driven mainly by the integration of Internet of Things (IoT) technologies to support the development lifecycle of systems and products. Despite the well-known advantages for industry, an increasingly pervasive industrial ecosystem could make such devices an attractive target for potential attackers. The recent Manufacturer Usage Description (MUD) standard enables manufacturers to specify the intended use of their devices, thereby restricting the attack surface of a given system. In this direction, we propose a mechanism to securely manage the retrieval and enforcement of MUD policies through a Software-Defined Network (SDN) architecture. We analyze the applicability and advantages of using MUD in industrial environments based on our proposed solution, and provide an exhaustive performance evaluation of the required processes.

    ETSI ZSM Driven Security Management in Future Networks (FNWF 2022)

    This paper presents a security management framework driven by the Zero-Touch Network and Service Management (ZSM) paradigm and embedded in the High-Level Architecture (HLA) developed in the INSPIRE-5Gplus project. The project work also included the design and implementation of several smart 5G security methods and techniques that are essential for achieving security management in future networks. Moreover, we provide a summary of some lessons learned and guidelines gathered during the practical validation activities for bringing closed-loop and smart security management into Beyond 5G systems. Finally, we discuss the key challenges and future work needed to enable the integration of closed-loop security management in future networks.

    Semantic-aware security orchestration in SDN/NFV-enabled IoT systems

    IoT systems can be leveraged by Network Function Virtualization (NFV) and Software-Defined Networking (SDN) technologies, thereby strengthening their overall flexibility, security and resilience. In this sense, adaptive and policy-based security frameworks for SDN/NFV-aware IoT systems can provide remarkable added value for self-protection and self-healing, by dynamically orchestrating and enforcing security policies and the associated Virtual Network Functions (VNF) or Virtual network Security Functions (VSF) according to the actual context. However, this security orchestration is subject to multiple possible inconsistencies between the policies to enforce, the already enforced management policies and the evolving status of the managed IoT system. In this regard, this paper presents a semantic-aware, zero-touch and policy-driven security orchestration framework for autonomic and conflict-free security orchestration in SDN/NFV-aware IoT scenarios, while ensuring optimal allocation and Service Function Chaining (SFC) of VSFs. The framework relies on semantic technologies and considers the security policies and the evolving IoT system model to dynamically and formally detect any semantic conflict during the orchestration. In addition, our optimized SFC algorithm maximizes QoS, security aspects and resource usage during VSF allocation. The security orchestration framework has been implemented and validated, showing its feasibility and performance in detecting conflicts and optimally enforcing the VSFs.

    Security Architecture for defining and enforcing security profiles in DLT/SDN-based IoT systems

    Despite the advantages that the Internet of Things (IoT) will bring to our daily lives, the increasing interconnectivity, as well as the amount and sensitivity of data, make IoT devices an attractive target for attackers. To address this issue, the recent Manufacturer Usage Description (MUD) standard has been proposed to describe, in the manufacturing phase, the network access control policies that protect the device during its operation by restricting its communications. In this paper, we define an architecture and process to obtain and enforce the MUD restrictions during the bootstrapping of a device. Furthermore, we extend the MUD model with a flexible policy language to express additional aspects, such as data privacy, channel protection and resource authorization. For the enforcement of such enriched behavioral profiles, we make use of Software Defined Networking (SDN) techniques, as well as an attribute-based access control approach based on authorization credentials and encryption techniques. These techniques are used to protect the devices' data, which are shared through a blockchain platform. The resulting approach has been implemented and evaluated in a real scenario, and is intended to reduce the attack surface of IoT deployments by restricting devices' communications before they join a given network.
    JRC.E.3 - Cyber and Digital Citizens' Security