Automatic and Optimal Configuration of Secure Communications in Virtualized Networks
keywords CYBERSECURITY, NETWORK FUNCTIONS VIRTUALIZATION, SECURITY AUTOMATION
Reference persons RICCARDO SISTO, FULVIO VALENZA
External reference persons BRINGHENTI DANIELE
Research Groups COMPUTER NETWORKS GROUP - NETGROUP, DAUIN - GR-03 - COMPUTER NETWORKS GROUP - NETGROUP, GR-03 - COMPUTER NETWORKS GROUP - NETGROUP, NETGROUP
Thesis type THEORETICAL/EXPERIMENTAL
Description Network function virtualization (NFV) and Software-Defined Networking (SDN) are two novel networking paradigms that can be used to virtualize and manage networks and security functions. These paradigms introduce several advantages compared to classical approaches, such as the dynamic provisioning of functionality or the implementation of scalable and reliable services (e.g., by adding new instances to support higher request volumes). NFV also allows the deployment of security controls, like firewalls or VPN gateways, as virtualized network functions.
However, currently, the level of security automation and optimization is quite limited with respect to what could be potentially achieved with these new paradigms. For example, currently there is no automatic tool that can select the security functions and configure them according to a set of user's security requirements (also ensuring that some desired network properties or invariants are always guaranteed) or to dynamically reconfigure the security functions to mitigate a network attack. The Netgroup at the Turin Polytechnic is developing the VEREFOO framework (https://github.com/netgroup-polito/verifoo) which makes this automation possible: the administrator supplies the network topology and defines the security policies, while VEREFOO decides autonomously which security functions to allocate, where, and with which configuration, providing formal guarantee that the found solution correctly and optimally enforces the desired policies.
VEREFOO is an ambitious project. It is under development, but already working. At the moment, it can manage only some security controls (packet filtering firewalls and IPsec VPN gateways) and some implementations (Iptables, StrongSwan). The thesis will contribute to complete and improve VEREFOO, providing one of the following contributions:
- extension to new security controls and new security function implementations;
- definition, experimentation and tuning of heuristics to improve the performance and scalability of some of the framework components;
- VEREFOO integration within an existing orchestrator.
Each new contribution will be validated experimentally on use cases.
Required skills Reti di Calcolatori, Cybersecurity, Programmazione Java
Deadline 31/12/2023 PROPONI LA TUA CANDIDATURA