6.1 Automatic Firewall and Access Control Configuration
A first class of network security functions is represented by the functions that can decide if a traffic flow with certain characteristics is allowed to continue to its destination or if it must be blocked. In this category, the function that has been most investigated is the packet filtering firewall (i.e., a firewall that can analyze fields of the IP 5-tuple), because this kind of function is sufficient to protect an end-to-end service in most situations, and, at the same time, it requires a much simpler configuration than what is needed by other security functions. In this class, nevertheless, we will consider also traditional functions, such as filtering routers, that can be configured as access control devices. The reasons of this classification choice are that most of the methodologies share the same concepts, since firewalls themselves are exploited for access control, and these functions themselves take decisions that are mostly based on the same information.
The oldest work that we found in this category is dedicated to filtering routers [
75]. It discusses the possibility to compute a set of filters for the individual routers of a distributed networked system, so as to enforce a global network access control policy. However, being the first proposal in this area, this methodology is lacking from several points of view. First, the abstraction level at which it works is really high, so that the actual configuration of access control devices would require an additional refinement. Second, the filtering rules that are produced are not guaranteed to be optimal. Finally, an algorithm to check the consistency of the computed configurations is presented, but it is not based on formal verification techniques; consequently, it does not provide a full formal correctness assurance. Despite all these limitations, this article opened the path to other similar research works in the immediate next years in a period that is largely antecedent to the advent of network virtualization.
A framework mainly targeted to traditional small-sized networks was proposed few years later, and it became a milestone for access control automation: Firmato [
33] is a firewall management toolkit that can automatically compute a firewall configuration so as to enforce a set of global security policies into a network. The presence of a model compiler allows the framework to provide an abstract representation of the output configuration with respect to the specific setup of each firewall. Besides, with the aid of an additional module called Fang [
140], a human being can easily interact with the automated framework through a query-and-answer session, by means of which she can find out if a global policy is correctly satisfied by the enforced firewall rules. This work has become so important in this field, because it has been the first proposal of an automatic firewall configuration, based on an abstract and vendor-independent representation. Although designed for distributed firewall architectures, Firmato was validated by considering a single border firewall.
After this first work, other proposals tried to overcome its limitations, at the same time providing additional features. The next papers that appeared after Reference [
33] are References [
74,
76,
77]. In Reference [
74], concrete firewall configuration rules are derived from high-level network security policies by exploiting an
Organization Based Access Control model. The operation that is performed is actually a translation, more than a refinement, just providing abstraction from firewall implementations. The methodology proposed in Reference [
76] exploits a framework for policy-based management, called STRONGMAN [
141], to automatically establish and enforce local access control rules that are compliant with high-level global security policies: The compliance checker module can, in fact, compose the rules into a coherent enforceable set for each device. Finally, FACE [
77] is a framework that can automatically analyze and generate the rules for a distributed firewall, so as to satisfy a filtering policy expressed with a threat model where the attacks for which a protection must be enforced are defined. These works apply policy-refinement to a distributed access control architecture, even though only Reference [
76] really validates the approach in a distributed system, while Reference [
74] validates it with a single firewall and in Reference [
77] no effective validation is showed. At the same time, none of these works uses formal verification techniques.
Formal assurance of configuration correctness was introduced in References [
78,
79,
80,
81]. Specifically, Reference [
78] exploits formal logic programming methods to model real-world situations, where firewall rules are automatically generated by a reasoning engine so that they not only enforce security policies, but they are not affected by anomalies such as redundancies or contradictions. This approach, however, is limited to configurations that are compliant exclusively with the syntax of IPChains and Cisco’s PIX. The methodology illustrated in Reference [
79], instead, automatically refines a conflict-free set of access control policies into distributed rules; the consistency and correctness of the access control list implementation are then formally verified with respect to the original policy model by exploiting a Boolean satisfiability problem formulation. B-Method, an approach based on formal methods applied to abstract machine notation, is instead used in Reference [
80] for the enforcement of security policies through a simplified refinement where the information composing the abstract notation is derived from the external network environment. Finally, the technique described in Reference [
81] is based on formal argumentation and preference reasoning, exploited to both analyze and generate firewall rules from high-level policies. Even if the rule ordering is not specified in the high-level policies, the correct ordering of the firewall rules is automatically computed by means of abductive reasoning.
When network virtualization became dominant in research, a number of papers [
82,
83,
84,
85,
86,
87,
88] started investigating methodologies that can be applied to virtualized networks. Indeed, most of these methodologies can be applied to traditional networks, too, the only exceptions being References [
82,
87,
88], that propose, respectively, an automatic approach for computing Netfilter configurations through the user specification of unordered policies [
82], a method to automatically define the rules for iptables, to ensure access control protection in a large-scale synthetic power system [
87], and a method that applies to three UNIX firewall systems (iptables, ipfw, pf) [
88].
Coming to the approaches that can be applied to both traditional and virtualized networks, Reference [
83] addresses the lack of a formal semantic to distribute multiple security policies in the access control middleboxes of a network by designing an automated refinement process, based on algebraic requirements. This approach also supports a formal verification step. Another framework, proposed in Reference [
84], is SyNET, which is based on a correctness-by-construction approach. The synthesized rules for access control devices are computed as the output of a Datalog program, which contains all the information about both the network topology and the security policies. An alternative paradigm, proposed by the same authors in Reference [
85], is the NetComplete framework, which, like SyNet, is based on an SMT problem formulation, but it avoids to model policies as constraints of the SMT problem if they can be solved and verified in an alternative way, and it also exploits domain-specific heuristics, such as partial evaluation, to reduce the solution space, so improving the overall efficiency. Another comprehensive approach for access control policy refinement and formal verification is illustrated in Reference [
86]. The designed methodology can derive the proper access control configuration from security policies, but it can also fix an existing one if it does not correctly enforce the user-specified requirements.
Firewall and access control configuration proves to be a thriving research area at the beginning of this new decade, too, with a new range of studies [
69,
70,
71,
89,
90,
91,
92]. References [
89] and [
90] aim to improve the scalability of automatic access control configuration. The former applies machine learning on the operator-provided feedback, while the latter transforms the user-specified policies into a representation named
priority-based domain type enforcement, which considerably reduces the complexity of policy specification and therefore its impact in terms of performance. Instead, References [
69,
70,
91,
92] apply formal methods to ensure configuration correctness. Reference [
91] achieves this goal by using preference-based argumentation reasoning, so as to identify all the possible conflicts and anomalies among the user requirements before refining them into the firewall rules. Reference [
92] shows that modeling the user-specified policies with the metagraph algebra leads to reduce the problem complexity, as policies are decoupled from implementation-specific intricacies of low-level middleboxes. Finally, Reference [
69], already presented among the approaches for automatic composition of network security services in Section
5, proposes a framework that can also automatically compute the configuration of a distributed firewall architecture as the solution of a MaxSMT problem, which also provides formal correctness assurance and optimization, such as minimization of the cardinality of the firewalls’ rule sets. This approach has been recently extended in Reference [
70], where an algorithm for the computation of the traffic flows to be later modeled in the MaxSMT problem allows achieving better performance. An alternative way to model packet classes in a MaxSMT problem has been preliminarily investigated in Reference [
71]. In that study, each packet class considered for traffic flow computation is the minimal one and is disjoint from the others. Then, each class can be associated with an integer number and fewer variables are included in the problem formulation, thus increasing the overall scalability.
All the papers discussed so far exploit automation to compute firewall configurations from scratch, assuming all the access control boxes are just placed in the service but are not yet characterized by any filtering rule. However, a consistent group of papers [
94,
95,
96,
97,
98,
99,
100,
101,
102] focused on automated reconfiguration, with the purpose of fixing an existing configuration that is not compliant anymore with a new set of network security policies or which is affected by some policy anomalies. Even though at first sight this capability could seem more limited than the computation of a full configuration, it represents a crucial component of the full workflow of an automated network configuration, described in Section
4. Whenever a new security requirement is identified by the user (e.g., a server has been recently victim of an attack and the access to this host must be prohibited, thus avoiding any interaction that could make the attack propagate in the network), the reconfiguration of the security architecture should be as fast as possible. If the rules of each function must be computed from scratch each time the user adds or modifies policies, then the required time could soon become unacceptable, although shorter than that required by a manual intervention.
Looking more closely at the methodologies belonging to this class, Reference [
94] designed a policy engine that can perform an automated reasoning on vendor-independent network function models so as to compute new configuration parameters every time the need to change them is brought over by the violation of a security policy. The followed approach has an iterative nature, because the policy engine generates a compliance test for each policy, executes all of them, and derives new configurations for a network partition; if compliance is not yet reached, then the process is then repeated for another partition. The technique presented in Reference [
95], instead, targets the firewall reconfiguration problem by applying a reduction algorithm to the result represented with a
Firewall Decision Diagram, while maintaining its consistency and completeness at the same time. Another approach [
96] derives anomaly-free rule sets by analyzing the relationships between the filtering rules of each firewall, searching for coincidence, disjunction, and inclusion phenomena in the condition attributes of the rules. Following an approach similar to References [
95,
96], Reference [
100] illustrates five algorithms that can reconfigure a faulty firewall configuration after incurring in one of the five corresponding issues (wrong rule order, missing rules, wrong condition predicates, wrong decision actions, wrong extra rules). However, Reference [
97] proposes a change management process, based on changeability analysis on a Service Graph, which recomputes the access control configuration to make it consistent with end-to-end connectivity requirements. This work was limited to a specific type of security requirements, while Reference [
98] considers additional classes of constraints, such as reliability and performance requirements. Finally, two other papers exploit formal verification to provide the administrator correctness assurance of the achieved results. Reference [
101] describes the design of the Control Plane Repair algorithm, based on a MaxSMT formulation, which also minimizes the number of configuration changes by using an abstract representation of the control plane semantics. Reference [
102] uses a dedicated calculus to formally verify if the access control configuration is compliant with the security policies and, if not, to automatically generate the optimal configuration repair.
6.2 Automatic SDN Switch Configuration
An SDN switch is an access control device that works in symbiosis with an SDN controller. The filtering rules can be lowered on a switch in a proactive way, previously established by the administrator. However, the optimal working mode is the reactive one, where an automated controller computes configurations by itself and changes the rules when needed, e.g., when a new security policy must be enforced or an attack has overcome all the barriers. The main differences with respect to traditional access control devices are that (i) a full framework for SDN switches management is not needed, because an application integrated within the controller is sufficient, and (ii) reaction time is typically lower, because most of the operations are performed by software.
A first problem addressed in literature about automation of SDN switch configuration is the need of high-level languages to specify policies in such a way that security requirements can be independent from vendor-specific switch implementations. This challenge was faced in the early years of SDN, before the advent of the first automated configuration techniques, which inherited the most useful principles of these original languages. The milestone languages are Ethane [
142], Frenetic [
48], and PolicyCop [
143]. Ethane [
142] allows administrators to write high-level access control policies with a flow-based language, while Frenetic [
48] is a programming language specifically developed for OpenFlow networks, is able to express both user-specified policies and policies for automatic reaction to events. Instead, PolicyCop [
143] is a language for the specification of service level agreements within Openflow. A more extended dissection of specification languages, which would be out of scope for this article, is provided in Reference [
144].
After this preliminary research phase, OpenFlow has been used to develop automated methodologies for configuration (and reconfiguration) of SDN-based networks [
47,
103,
105,
106]. The common ground of these techniques is the automatic enforcement of user-specified policies, expressed with a user-friendly language, in a distributed SDN switch architecture, providing abstraction between policies and filtering rules. Each of them has some significant exclusive peculiarities described below, and there is no dominant work in this group overshadowing all the others.
CloudWatcher [
103] can define the optimal (i.e., minimum) route for each traffic flow such that it crosses some nodes dedicated to intrusion detection. In fact, the main goal is that such traffic flow is inspected, thus enabling automatic reaction. However, the reaction can be performed only by means of external modules, developed by the cloud administrator, since internal reactive algorithms are not provided. Procera [
105] is a framework based on functional reactive programming, inspired by the Frenetic language. Its main peculiarity is the simplification of event reaction, by the definition of reactive policies that capture all the information needed to enforce security constraints after a specific event. However, a limitation is the complexity of the language used for policy specification, since it is similar to a programming language and less user-friendly than the others. Fresco [
47], already presented among the approaches for automatic composition of virtual network security services in Section
5, also includes a number of modules that can be exploited and combined to create and then enforce network security policies. A great advantage of this approach is that each policy is not independent of the others, but they can share the enforcing modules. As for Procera, user friendliness is not very good, because each policy is similar to a code script. OpenSec [
106] is characterized by an internal mechanism to offer event reaction and a more user-friendly policy language. Nevertheless, with respect to CloudWatcher, optimization is missing, whereas, with respect to Fresco, each policy is independent and isolated from the others.
The four papers just discussed [
47,
103,
105,
106] represent the core of automation for SDN switch configuration. However, another group [
104,
107,
108,
109,
110] is worth being discussed, since they present innovations that go beyond the principles on which CloudWatcher, Procera, FRESCO, and OpenSec are based. Reference [
107] describes the architecture of a framework to enforce security policies on SDN communications that introduces the innovation of a Policy Manager that can be both intra- and inter-domain, thus showing the feasibility of this approach for big multi-domain scenarios. An extension of this work [
109] introduces the presence of Switch Security Components, i.e., enforcement mechanisms directly residing in the switches rather than in the SDN controller, where only the orchestrating software, called Security Management Application, runs; this novelty is particularly suitable for a proactive prevention of the attacks from malicious end points connected to the network. Instead, Reference [
108] proposes a methodology, based on a MILP formulation, to optimally update the configuration of an SDN-based network whenever the waypoint traversal of traffic flows must be enforced. The optimality criterion is the minimization of the number of rounds through which the traffic can reach the specific waypoint. Reference [
104] defines the MTDSynth framework, which exploits moving target defense techniques to automatically enforce agility specifications, i.e., the definition of which security actions must be applied in reaction to specific mutation events. Finally, Reference [
110] formalizes security policies with multi-attributed graphs to easily remove the conflicting flow rule from the switches and automatically install the new ones requested by the user.
6.3 Automatic VPN Gateway Configuration
Another category of network security functions is represented by communication protection devices that can be used to enforce policies about how traffic should be protected when crossing the network. The two main security properties that are dealt with are data integrity (i.e., the guarantee that the correctly received data have not been modified by the middle-boxes with respect to the ones originally sent by the source) and source authentication (i.e., the guarantee for the destination that the source of communication is the expected one). The most frequently used technology is IPsec, often adopted for creating VPNs, i.e., networks that, although crossing public or non-trusted nodes, are protected and made private by security mechanisms. When using this mechanism, VPN gateways are the security functions used to enforce the required communication protection by creating secure IP tunnels.
As for firewalls, also for VPN gateways a milestone paper can be identified in the research area of automatic configuration: Reference [
111] was the first paper that proposed a clear classification of the user-specified requirements for secure communication. These requirements are divided into four categories: (1) access control requirements for restricting access only to trusted traffic; (2) security coverage requirements to define which security algorithms should be applied to a specific type of traffic; (3) content access requirements to establish which network nodes can have visibility of the decrypted traffic; and (4) security association requirements, related to the set of Security Associations, i.e., sets of shared security attributes between two network nodes. Given these four requirement types, the authors propose three different algorithms for computing the configuration of VPN gateways. These algorithms have been the base of all the other ones developed later. In a nutshell, the first strategy, called direct approach, simply creates a VPN tunnel for each security coverage requirement. It is very efficient, because it is a mapping between requirements and function rules. However, it can lead to incomplete solutions, because it may fail in enforcing a security requirement if a one-to-one relationship with a VPN tunnel is not enough. A second possibility is the bundle approach, which consists of grouping traffic flows into disjoint sets, for which the VPN rules are created: The solution that is reached is always complete and correct, but the strategy is less efficient and scalable. Finally, a combined approach is proposed as a tradeoff to overcome the weak efficiency of the bundle approach and the lack of completeness of the direct approach.
One issue with this proposal is that, with any algorithm proposed in Reference [
111], the number of automatically generated VPN rules is often greater than necessary. With the aim to overcome this limitation, the author proposed a fourth algorithm in Reference [
112], called ordered-split approach. With respect to the other three ones, this strategy is optimized, because it builds the minimum number of VPN tunnels to satisfy the user-specified requirements. This objective is achieved with a solution based on the traditional “task scheduling” algorithm.
All these concepts were then exploited in Reference [
113] for the description of a distributed and automated architecture, called BANDS. The main purpose is to apply the algorithms proposed in Reference [
111] or Reference [
112] to an inter-domain environment, where VPN tunnels cross multiple Autonomous Systems. The increased complexity is managed by discovering which path of Autonomous Systems each traffic flow must cross in the tunnel and by the activation of a negotiation protocol, through which each Autonomous System can negotiate the VPN policies with the others. This negotiation is performed automatically, for each Autonomous Systems, by a server specifically in charge of this task.
In the subsequent years, other authors studied the automatic configuration of VPN gateways by proposing alternative methodologies for the computation of rules or improving the features of the existing ones. Reference[
114] proposes an algorithm to automatically generate conflict-free VPN rules, with the aim of solving all the possible conflicts that could arise from an incorrect specification of the requirements. Their strategy is based on an iterative approach: After each requirement is mapped to a specific VPN rule, at each step the policies are ordered by decreasing length and possible overlapping or redundancy anomalies are managed starting from longest tunnels. Instead, the algorithm described in Reference [
115] aims at automatically generating the policies by exploiting recursive binary trees. These data structures allow previously created rules to be reused to satisfy new requirements by only adjusting their selectors, thus avoiding the creation of new rules and improving efficiency. Reference [
116] describes the design of a framework, based on a fully automated strategy to perform a distributed configuration of IPSec domains, including scenarios such as nested networks or mobile environments. With respect to the previous approaches, this algorithm reaches good robustness against potential failures, high scalability in terms of VPN gateways, and the agility needed by mobile IPsec devices. Instead, Reference [
117] proposes an efficient approach to solve conflicts in VPN policies by creating new rules that are free from any identified issue. The main limitation of this work is that, with respect to the previous ones, it cannot create the configuration of a VPN gateway from scratch, but it works on previously established rules.
All the approaches discussed so far for VPN configuration can be applied only to physical networks. Two studies that went beyond this limitation are Reference [
118,
119]. The former designs a hybrid SDN architecture that allows network devices from different providers to be connected through VPN tunnels configured automatically. The latter uses a MaxSMT formulation to ensure that the automatically computed VPN configuration is compliant with the user demands. Independently of the technical methods, both these approaches show that automating VPN configuration is a relevant state-of-the-art problem in modern networks, too, also because of the large variety of available VPN technologies, which may make manual decisions slower and more error-prone.
6.4 Automatic Configuration of Embedded Devices
New security issues arise in managing the configuration of embedded devices, such as those in cyber-physical systems. The heterogeneity, pervasiveness, and distributed nature of embedded devices make their manual configuration much more error prone than what it is for traditional networked systems. This peculiarity can be observed especially with IoT devices, due to new security challenges that arise in protecting communications between constrained devices [
145]. For example, privacy and data protection requirements add to access control constraints, and they should be treated with a high degree of flexibility in compliance with the adaptation and self-healing feature of IoT infrastructures. Therefore, expressing and refining security policies to govern distributed embedded systems (such as IoT) is a difficult task, because, in distributed architectures, complex processes are carried out by several interacting entities. This complexity is shown in the proposal of a policy language for distributed systems, called
Hierarchical Policy Language for Distributed Systems [
146]. This language enables expressing the relationship between an abstract policy, related to the whole network, and its distributed implementations at different locations through reference monitors that control the flow of information among distributed devices.
Following the proposal of this policy language, early attempts have been made for automatically refining security policies related to embedded devices, especially in IoT environments [
120,
121,
122,
123]. The enforcement solution proposed in Reference [
120] is a security toolkit, named SecKit, which cooperates with distributed systems via the MQTT protocol, a widely adopted technology to enable lightweight communications among constrained devices. The MQTT broker is extended with the capability of enforcing policies, concerning authorizations and obligations, in compliance with internal meta-models. As this was the first proposal for IoT devices, it has some drawbacks: All the enforcement operations are executed at the broker level, so this may hinder the safety and efficiency of the whole system. Instead, the idea behind the work illustrated in Reference [
121] consists in the integration of an existing flexible and distributed IoT middleware, named
NetwOrked Smart objects (NOS) [
147], with a security-aware policy enforcement framework. This extension of NOS is in charge of handling access control and service provisioning under security and quality requirements, e.g., to protect data resources and user sensitive information. A similar approach was pursued in Reference [
122], where the security policy refinement mechanism thought for generic IoT environments is cast into networked systems for smart health. There, security policies concern the provision of authentication and authorization (e.g., nurses cannot access to sensitive data related to the doctors), or the anonymity of personal information. Instead, Reference [
123] designs an automated framework, named ARCADIAN-IoT, for the holistic management of security policies related to multiple relevant properties for IoT-based networks, such as trust and transparent, user-controllable, and decentralized privacy.
After these initial studies, other ones [
127,
128,
129,
130,
131] have introduced formal verification to improve the automation of embedded devices configuration. In greater detail, Reference [
127] aims to reach a conflict-free enforcement in multi-administrative IoT environments, throughout a vendor-independent graph-based policy specification mechanism. Reference [
128] challenges the auto-configuration problem for a peculiar class of embedded devices, smart meters, which forms an Advanced Metering Infrastructure, interconnected along with heterogeneous cyber-physical components transmitting usage reports or control commands between meters and the utility. An SMT problem is formulated to synthesize resiliency configurations for the smart meters, so as to enforce, in a provable way, security requirements, operational integrity invariants, and robustness constraints. Reference [
129] uses a MaxSMT formulation for modeling the auto-configuration problem in IoT-aware networks. The proposed mechanism is tailored to solve specific problems of IoT environments, such as the simultaneous presence of numerous interconnected devices and strict latency requirements. Reference [
130] defines a tree search-based algorithm that looks for potential alternatives of embedded devices configuration through a deterministic search process, and it proposes a verification mechanism to validate that all the threats described in the security requirements are successfully mitigated in the generated configuration. As discussed in Reference [
131], this approach has been later improved with the inclusion of the full MITRE ATT&CK taxonomy [
148], so that the proposed algorithm can also use its extensive knowledge to formally verify system design security characteristics.
Some other approaches propose to adapt a particular class of policies, named sticky policies, to the needs of IoT systems [
124,
125,
126]. According to the original definition in Reference [
149], the main idea behind the concept of sticky policies is to attach security and privacy policies to owners’ data to drive access control decisions and policy enforcement. In the extension of NOS proposed in Reference [
124], each user can establish their policies on data, respecting the constraints defined by a trust authority, and attach them to the data themselves. After receiving the data, NOS can regulate access control by means of the attacked sticky policies. Similarly, in Reference [
125], IoT users are enabled to personally enforce their privacy preferences. Thus, the policy enforcement mechanism relies on privacy metadata (e.g., privacy preferences, data categories, and data history), generated by smart objects owned by the users themselves. This idea is further improved in Reference [
126], where a permissioned blockchain mechanism in introduced in NOS, with the aim to protect the sticky policies, which regulate the access to IoT resources, against tampering and violation. In all three studies, embedding the enforcement mechanism into the devices leads to some overhead, but it is compensated by the absence of a single point of failure.
Automating IoT security configuration has been also a central research topic in a recent EU H2020 research project, ANASTACIA [
132]. The project created a framework, composed of distributed security components and enablers, that can dynamically refine user security preferences into the configuration of cyber-physical systems and IoT architectures. To this end, it also encompasses online monitoring to allow more automated adaptation of the system, with the aim to mitigate unexpected security vulnerabilities. In the frame of this project, multiple works have been carried out [
42,
133,
134]. In Reference [
42], different levels of abstractions for the IOT security policies are investigated, so as to enable a technology-agnostic refinement process. Security policies are refined in two steps: First sentences expressed in natural language are translated into technology-independent representations, and then those representations are refined into the effective configuration of each IoT device. This study has been enriched in Reference [
133] with a logic formalism based on rule reasoning and the Semantic Web technology. The former envisions the usage of reasoners to infer new knowledge, not explicitly defined by human users, whereas the latter enables formal verification of the entire automated configuration process. Thus, their combined usage allows detecting conflicts that may appear in the IoT security policies or in the refined configurations. Finally, these ideas are applied to the automatic configuration of highly interactive honeypots in Reference [
134]. Pro-active security policies are defined by the users to configure monitoring agents, which feeds the reaction part of the framework, and the monitored data are processed to generate and provide a set of countermeasures as new security policies, so that the configuration process for the IoT network can be repeated.
Finally, a pair of studies [
43,
135] investigate how the problem of automatic security configuration can be addressed for IoT systems located in smart homes. Both pursue user-centered design, so as to include usability goals and user characteristics in the design of their solutions. On the one hand, Reference [
43] discusses a policy harmonization technique employed in the policy refinement process, so as to reconcile policies specified by different people living in the same home and solve inconsistencies transparently. On the other hand, Reference [
135] focuses on the refinement of attribute-based access control policies, allowing automatic decision-making processes based on environmental attributes like time of day, and on the location from which the attempt to access an IoT device originates.
6.5 Automatic Configuration of Heterogeneous Security Services
All the works surveyed so far in this section deal with a single kind of NSF (packet filter, SDN switch, VPN gateway, embedded device). Consequently, they can be applied under the assumption that either the security service is composed of that single function type or all the other security functions have already been configured. Few researchers addressed the case when this assumption is false, i.e., an automatic configuration of heterogeneous services is necessary, including different function types configured all together or iteratively, according to the adopted strategy.
The first work in this area is Reference [
136], which defines formal models of a large range of security functions and exploits them to check whether a set of security goals is achieved in a given network description. Indeed, this approach cannot automatically compute the configuration of the security devices from scratch, but it can identify possible violations of the security policies and recommend which devices should be reconfigured to eliminate the identified issues. Hence, this strategy requires that the functions are already configured before applying it. Despite this limitation, it can be considered as a first step toward fully automated configuration of an heterogeneous service.
After this initial verification-oriented attempt, Reference [
137] provides the first joint automatic generation of configuration rules for two different types of security functions: firewalls and IDSs. Correctness assurance of the computed results was also achieved, by defining the problem through a constraint logic programming language. Additionally, the computed configurations are optimal with respect to a specific cost function, according to which the rule configured for enforcing a specific policy should be placed so as to minimize bandwidth and packet drop rate. Even though this work shows that a heterogeneous security service can be configured from scratch, firewalls and IDSs are configured at different stages of the algorithm, and only locally optimal solutions are reached.
MIRAGE [
34] overcomes the limitations of the previous work by reaching a simultaneous top-down refinement of global security policies into configurations of three different kinds of functions: firewalls, IDSs, and VPN gateways. It can also perform a bottom-up analysis of already deployed network security configurations to guarantee correctness and consistency: This analysis works both at intra-function and at inter-function level. However, if any anomaly is detected, then no recovery mechanism is provided. Nonetheless, the optimality of this approach is achieved through the formulation of a linear programming problem, whose objective function is to minimize the number of used functionalities for the deployment of the rules.
Other approaches that can configure full network security services are References [
29,
51,
62,
72,
139]. In Reference [
62], the developed framework, called Policy Manager, automatically generates configurations for the virtual functions that have been selected in the previous step. This configuration process is made of two refinement phases: First, the function rules are expressed with an abstract and vendor-independent language; then, a final translator adapts the rules to the syntax required by the deployed VNF. The functions that can be managed are packet filters, stateful firewalls, L7 filters, and basic content inspectors, whereas VPN gateways, proxies, and IDSs are not dealt with. This initial work has been further extended by the authors in Reference [
29]. An important innovation is the proposed capability model, according to which each network security function is characterized by functionalities that are shared by other functions; for example, the packet filtering capability can be performed both by a traditional packet filter or by a web-application firewall. Consequently, the automatic configuration is targeted to the capabilities instead of the functions by introducing a further abstraction level. All the concepts presented in Reference [
29] have been validated with the implementation of Security Awareness Manager, the first framework that can automatically manage both composition and configuration of a security service. An extension of this meta-model was later presented in Reference [
138] introducing the possibility to configure a larger number of capability features. Another study [
139] proposes an automatic data model mapper to automate the refinement of high-level user-specified policies. Instead, the methodology illustrated in Reference [
51] pursues an approach similar to the one described in Reference [
29], as it refines user-specified policies into NSF configurations after synthesizing the chain in which they must be combined. Finally, Reference [
72] proposes an alternative methodology, where the configuration problem is stated as a MaxSMT problem, where a correctness-by-construction approach is exploited to provide formal correctness assurance without requiring an
a posteriori verification. Furthermore, the MaxSMT approach is also exploited to achieve optimality criteria, such as minimization of the number of configured rules. However, with this approach, a reconfiguration would not be possible, since the methodology can only work on user-specified requirements from scratch.