Abstract

Recent years have witnessed a growth in the number of users connected to computer networks, driven mainly by megatrends such as the Internet of Things (IoT), Industry 4.0, and Smart Grids. Simultaneously, service providers have started offering vertical services tied to a specific business case (e.g., automotive, banking, and e-health), which require ever more scalability and flexibility from the infrastructures and their management. NFV and SDN technologies are a clear way forward to address these challenges, even though they are still in their early stages. Security plays a central role in this scenario, mainly because it must keep pace with the rapid evolution of computer networks and the growing number of devices. The main issue is to protect the end-user from increasing threats, and for this reason we propose in this paper a security framework compliant with the Security-as-a-Service paradigm. To implement this framework, we leverage NFV and SDN technologies with a user-centered approach, which allows the security service to be customized starting from user preferences. Another goal of our work is to highlight the main challenges encountered in the design and implementation of our solution. In particular, we demonstrate how significant it is to choose an efficient way to configure the Virtual Network Security Functions in terms of performance. Furthermore, we also address the nontrivial problem of Service Function Chaining in an NFV MANO platform and show the main challenges it raises.

Highlights

  • Cybercrime has grown rapidly in recent years, attacks are evolving quickly, and organizations are forced to continuously update their cybersecurity and cyberdefence techniques

  • A complete framework design is shown, in which a Network Function Virtualisation (NFV) Infrastructure is used to provide security services for the end-user terminals. The Virtual Network Security Functions (vNSFs), which in that case were called Personal Security Applications (PSAs), were driven by a policy-based management system. That system was in charge of gathering user policies (expressed in a high-level language: the High-level Security Policy Language (HSPL)) and the admin policies (expressed in a medium-level language: the Medium-level Security Policy Language (MSPL)); translating those policies into a service graph, which describes the needed PSAs and the links between them, and a set of low-level configurations for the PSAs used; and enforcing those low-level configurations on the PSAs deployed starting from the service graph provided

  • Starting a Network Security Service implies launching all the required vNSF instances and configuring them properly. We perform this operation in two different steps: (i) Day-0 configuration: during this step, we provide all the software and configurations needed by the vNSF via cloud-init technology, starting from an Ubuntu cloud image; at the end of the process, we deliver a Security Service Controller


Summary

Introduction

Cybercrime has grown rapidly in recent years, attacks are evolving quickly, and organizations are forced to continuously update their cybersecurity and cyberdefence techniques. Network Function Virtualisation (NFV) and Software-Defined Networking (SDN) are technologies that grant ISPs a reliable and scalable solution to the end-user security problem. The focus of this paper is centered on the new NFV Management and Orchestration technologies and the use of the SECaaS paradigm in order to grant security to the end-user. In an NFV environment, it is possible to define a particular VNF [8] offering security functionalities (e.g., vFW, vIDS, and vDPI), called a vNSF. SECaaS is a new approach based on NFV Orchestration which deploys security protections by means of vNSFs. The derived security services could offer a dynamic response to a specific set of threats addressable with the available vNSFs; scalability based on the enterprise capabilities; and targeted security data monitoring and gathering at a specific point in the network for analysis and remediation. A complete framework design is shown, in which an NFV Infrastructure is used to provide security services for the end-user terminals. The vNSFs, which in that case were called Personal Security Applications (PSAs), were driven by a policy-based management system. That system was in charge of gathering user policies (expressed in a high-level language: the High-level Security Policy Language (HSPL)) and the admin policies (expressed in a medium-level language: the Medium-level Security Policy Language (MSPL)); translating those policies into a service graph, which describes the needed PSAs and the links between them, and a set of low-level configurations for the PSAs used; and enforcing those low-level configurations on the PSAs deployed starting from the service graph provided.
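The policy translation step described in the highlights and in the introduction above (user HSPL policies plus admin MSPL policies turned into a service graph of PSAs with links, and low-level configurations per PSA) can be sketched as follows. This is an added illustration, not code from the paper or its framework; the policy syntax, the PSA catalogue, the admin ordering rule and the low-level rule formats are all assumptions made here.

```python
# Added sketch of a policy-to-service-graph translator. HSPL/MSPL are modelled
# as plain dicts; the catalogue, ordering rule and rule formats are assumptions.

# Assumed catalogue: which PSA (vNSF type from the text) implements a capability
PSA_CATALOGUE = {
    "block_websites": "vFW",
    "detect_intrusions": "vIDS",
    "inspect_traffic": "vDPI",
}

# Assumed admin (MSPL) policy: PSAs every chain must contain, the order traffic
# traverses them (the SFC constraint), and a baseline config for mandatory ones.
ADMIN_POLICY = {
    "mandatory": ["vIDS"],
    "order": ["vFW", "vIDS", "vDPI"],
    "defaults": {"vIDS": ["alert profile=admin-baseline"]},
}


def low_level_rules(psa, pol):
    """Translate one user (HSPL) policy into rules for the PSA that serves it."""
    user = pol["user"]
    if psa == "vFW":
        return ["DROP user=%s dst=%s" % (user, t) for t in pol.get("targets", [])]
    if psa == "vIDS":
        return ["alert profile=%s user=%s" % (pol.get("profile", "default"), user)]
    if psa == "vDPI":
        protos = ",".join(pol.get("protocols", ["http"]))
        return ["inspect protocols=%s user=%s" % (protos, user)]
    return []


def build_service_graph(hspl_policies, admin_policy=ADMIN_POLICY):
    """Return (chain, links, configs): ordered PSAs, edges between consecutive
    PSAs, and the low-level configuration list for every PSA in the chain."""
    needed = set(admin_policy["mandatory"])
    configs = {}
    for pol in hspl_policies:
        psa = PSA_CATALOGUE.get(pol["capability"])
        if psa is None:  # refuse policies no available vNSF can enforce
            raise ValueError("capability not offered: %s" % pol["capability"])
        needed.add(psa)
        configs.setdefault(psa, []).extend(low_level_rules(psa, pol))
    # Chain order comes from the admin policy, never from the order users wrote
    chain = [p for p in admin_policy["order"] if p in needed]
    links = list(zip(chain, chain[1:]))
    for psa in chain:  # mandatory PSAs with no user rules get the admin baseline
        configs.setdefault(psa, list(admin_policy["defaults"].get(psa, [])))
    return chain, links, configs
```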

