DOI: 10.1145/3022227.3022270
Research article

A flexible architecture for orchestrating network security functions to support high-level security policies

Published: 05 January 2017

Abstract

Network Functions Virtualization (NFV) has provided a new way to design and deploy network security services, but it may fail to build a practically useful ecosystem that seamlessly integrates network security services if there is no standard interface between them. We propose a generic architecture for security management service based on Network Security Functions (NSF) using NFV. The proposed architecture allows users to define their security requirements in a user-friendly manner by providing the users with high-level security interfaces that do not require specific information about network resources and protocols. We design basic components (e.g., Security policy manager, NSF capability manager, Application logic, Policy updater and Event collector) and interfaces for the proposed architecture. We introduce three use cases: (1) blacklists of dangerous domains, (2) time-dependent access control policies and (3) detection of suspicious calls for VoIP-VoLTE services. We also explain how to implement our proposed architecture with an illustrative example. Furthermore, we discuss several technical challenges to deploy the proposed architecture in a real network environment.

        Published In

        IMCOM '17: Proceedings of the 11th International Conference on Ubiquitous Information Management and Communication
        January 2017
        746 pages
        ISBN:9781450348881
        DOI:10.1145/3022227
        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Author Tags

        1. NFV
        2. NSF
        3. security management
        4. security policy

        Qualifiers

        • Research-article

        Conference

        IMCOM '17
        Acceptance Rates

        IMCOM '17 Paper Acceptance Rate 113 of 366 submissions, 31%;
        Overall Acceptance Rate 213 of 621 submissions, 34%

        Article Metrics

        • Downloads (Last 12 months): 1
        • Downloads (Last 6 weeks): 0
        Reflects downloads up to 11 Dec 2024

        Cited By

        • (2020) Access Control Policies for Network Function Virtualization environments in Industrial Control Systems. 2020 4th Conference on Cloud and Internet of Things (CIoT), pages 17-24. DOI: 10.1109/CIoT50422.2020.9244205. Online publication date: 7-Oct-2020
        • (2018) A Framework for Managing User-defined Security Policies to Support Network Security Functions. Proceedings of the 12th International Conference on Ubiquitous Information Management and Communication, pages 1-8. DOI: 10.1145/3164541.3164569. Online publication date: 5-Jan-2018
        • (2018) Interface to Network Security Functions for Cloud-Based Security Services. IEEE Communications Magazine, 56:1, pages 171-178. DOI: 10.1109/MCOM.2018.1700662. Online publication date: Jan-2018
        • (2017) Security and Privacy Challenges in the Internet of Things [Security and Privacy Matters]. IEEE Consumer Electronics Magazine, 6:3, pages 134-136. DOI: 10.1109/MCE.2017.2685019. Online publication date: Jul-2017
