Automation for Network Security Configuration: State of the Art and Research Trends

Network Security Functions (NSFs) are the network functions used to ensure security defense against network attacks. This definition abstracts the concept of Security Controller. If a Security Controller is a middlebox that executes a security function, then an NSF is the function itself that provides security. An NSF is consequently abstract and independent from its implementation, which could be a hardware device (a traditional Security Controller) or a virtual entity. There are different kinds of NSFs. For example, filtering functionalities, such as firewalls, can block unwanted communications, Virtual Private Networks (VPNs) can ensure confidentiality and integrity of network communications, and Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs) can respectively detect unwanted network activities and mitigate their negative effects and risks.

The configuration of NSFs has been traditionally performed manually by the security manager, who is a professional figure disjoint from the network administrator in most companies. This person is in charge of collecting the security requirements formulated by network users and enforce them by placing and configuring a set of NSFs. However, configuring NSFs such as firewalls, VPN gateways, and IDSs has always been troublesome and more complex than the configuration of other service functions that provide networking features, like routers, Network Address Translator (NATs), and load balancers. In fact, for NSF configuration, it is necessary to reason about all possible attacks that may occur in the network, not just about connecting services. Besides, manually enforcing the required protection requires expertise in using all the NSF configuration languages, which often are quite different from one another.

As a result, anomalies can likely arise in manually specified security configurations. In literature, an anomaly is defined as an incorrect specification of a network function configuration that an administrator may introduce. Several studies, such as the ones discussed in References [11, 12], extensively analyzed the impact of anomalies related to firewall and VPN configurations on the actual protection these NSFs must guarantee. For example, an unfeasible communication over a VPN occurs when the security manager defines a VPN configuration based on a technology not supported by an end point or a security level too high to be enforced by its available cipher suites. This anomaly is severe, because it completely prevents data exchange due to a hard misconfiguration. Instead a sub-optimization anomaly affects a firewall configuration if all packets matched by a filtering rule are also matched by another rule with higher priority. Even if this is not a hard misconfiguration, it may decrease the efficiency of the security operations, because the firewall takes more time to analyze its rule set when deciding the action to apply to each packet.

The problem of anomalies in the configuration of NSFs is being exacerbated year after year. An analysis of the Data Breach Investigations Reports produced by Verizon from 2013 to 2022¹ leads to two interesting considerations stressing the importance of the security configuration problem. Among the causes of security incidents, both misconfiguration and the macro-category it belongs to, i.e., miscellaneous errors, have a growing trend. Inside this category, the percentage covered by misconfiguration has increased from 0% to 42%, becoming the first cause of breaches within the miscellaneous error category. A similar pattern can be seen in the growing trend of the error category itself, whose incidence growed from the 5% of the previous report to the 13% of the last one. Even if these percentages are lower than the ones associated with other incident classes, the absolute number of incidents due to errors, including misconfigurations, is significant. As Verizon reports 23,896 security incidents occurring in 2021, over 1,300 incidents are therefore due to misconfigurations. This high number of related incidents cannot be overlooked when protecting a computer network, without forgetting that many incidents are commonly not declared and consequently not analyzed in the report.

Here are the main reasons why this problem has become so relevant.

Role separation and lack of communication. Security manager and network administrator are separate roles, so lack of communication or knowledge about the other expertise area can easily lead to mistakes in security configuration [13]. For example, if the network administrator does not provide the security manager full information about the network settings, then the latter could make incorrect assumptions when starting to design the security architecture for the network service defined by the former.

Increasing network size. The number of offered network services is constantly increasing, from Voice-over-IP to video streaming and from traditional e-mails to in-app communications. The size of the new generation computer networks had to adapt to these needs by becoming bigger. However, the presence of more communication channels increases the possibility of vulnerabilities.

Increasing network complexity. According to the KISS rule, first proposed by the U.S. Navy in 1960, complexity is the worst enemy of security. Indeed, keeping NSFs simple would be fundamental to keep network security configuration easy. Nevertheless, the complexity of NSFs is growing, as reaction to the new emerging attack types: For instance, new kinds of firewalls are produced to work at different levels of the ISO/OSI stack, artificial intelligence algorithms are introduced as intrusion prevention systems, and data loss prevention modules are applied across many network devices. Security configuration correctness is consequently becoming almost impossible to achieve by manual operation: The complexity introduced to provide security becomes a double-edged sword, since it creates new vulnerabilities while trying to stop others.

Increasing network heterogeneity. Modern generation computer networks are characterized by high heterogeneity: Not only the function types are quite different from one another, but differences also arise, because different functions are produced by many different vendors. However, heterogeneous networks are intrinsically more complex than homogeneous ones [14]. For example, if firewalls produced by different companies are installed in a network, then they would require different configurations to set the same filtering policy.

Trial-and-error configuration approaches. The trial-and-error approach that commonly characterizes manual security configuration lets security managers save time in the short term, but in the long term it may lead to ever increasing configuration size and complexity, which in turn favors mistakes such as the introduction of contradictory rules.

Impact of security breaches. In the latest years, cyber attackers have been developing more powerful strategies to intrude information systems. Because of the potential errors due to a manual security configuration, the resulting security breaches have a twofold impact. On the one hand, the financial conditions of the firms affected by a breach are seriously threatened. A multi-faceted analysis carried out in Reference [15] states that also non-breached firms experience significant negative economic impact around the announcement of a breach that is indirectly related to their activity. On the other hand, a breach can also damage non-monetary factors, such as consumer confidence, social trust, and personal safety, as demonstrated in Reference [16] with a visualization technique based on artificial intelligence. Consequently, recent approaches in the literature aim at estimating security costs by taking into account also transparent indirect costs related to security management, such as the method called Cost Assessment of Personnel Activities in Information Security Management [17]. From this analysis, manual prevention and mitigation of breaches is clearly becoming impractical.

By definition, automation is a technique that “emphasizes efficiency, productivity, quality, and reliability, focusing on systems that operate autonomously, often in structured environments over extended periods, and on the explicit structuring of such environments” [18]. In an automatic system, the core principle is the minimization of human interventions: After the system receives an external input from a human being or from another system, it should be able to work without requiring other external contributions. Even though design complexity represents a potential criticality for automatic systems, nevertheless the possible benefits equalize and overcome that drawback. Both activity productivity and solution quality typically achieve a great improvement: On the one hand, the human operator is not demanded to perform the whole task but only to make the system properly start and provide assistance or maintenance during the automatic operations; on the other hand, the solution is reached faster and with a better accuracy.

In network security, the introduction of automation represents a possible solution to human errors characterizing manual configuration of security functions. A fundamental requirement for enabling automatic security configuration is agility: Whenever the current state changes, the system must be able to automatically adapt to the new conditions in the shortest possible time, so that no inconsistencies are created. The absence of agility in traditional computer networks represented one of the main reasons why automation had not already been fully introduced in the past in this engineering field. In recent years, the perspective changed thanks to the softwarization of networking, i.e., most notably SDN and NFV, and to the introduction of PBM.

SDN decouples the data plane from the control plane [19], and this decoupling allows us to centralize all the orchestration operations of the control plane in a single architectural element, named the SDN Controller. This element coordinates all the SDN switches of the data plane through protocols, such as OpenFlow [20], which provide an abstraction from the vendor-specific implementations of the forwarding devices. Thanks to these characteristics, SDN introduces several advantages with respect to traditional networking paradigms. First, as the SDN Controller can configure forwarding rules on all the switches of the data plane, it can force network traffic to pass through specific appliances. Second, the controller can dynamically update SDN switch configuration to comply with new security requirements as soon as they emerge. In fact, it can simply install new rules on the switches it manages. Third, it can configure a different security service exploiting the same hardware switches for different users.

NFV virtualizes network functions as software processes named Virtual Network Functions (VNFs), whose possible implementations are traditional Virtual Machines (VMs) [21] and Dockers [22]. NFV highly contributes to automatize network security configuration. Every time the service must be reconfigured by introducing a new function or removing an existing one, it is sufficient to start a new software program or to stop a running one, instead of physically managing the appliances. The lifecycle itself of each VNF can be managed automatically, and the failure of a virtual security function can be overcome by executing some programming scripts that would restore it with the same previous configuration. At the same time, the reaction to cyber attacks becomes faster: Instead of having to access the physical appliance, the configuration of the service can be changed more easily by accessing a VM or a Docker, thus saving vital time in blocking an ongoing attack.

The agility and reactivity provided by SDN and NFV enabled the coupling of network security management with PBM, i.e., defining the network security behavior by means of policies. A policy is a definite goal or course or method of action, which can be expressed as a set of rules, to administer, manage, and control access to network resources [23]. The idea is that a network administrator only specifies what security properties the network should fulfill, without defining how, i.e., without defining the configuration of each security function, because this latter task is automatically performed by an assisting tool. An architectural model that can be used for Policy-Based Management has been described in RFC 3060 [23], and it has been later improved by extended models, such as Ponder [24], KAoS [25], or Rei [26].² This architecture reflects the whole process through which a policy, after being specified by the user, is processed and finally enforced by the network functions. This process can be structured into three main phases. First, the policies are specified by the user and then automatically analyzed so that any anomaly is found (policy analysis). Second, the user-specified policies are refined into the configuration rules: This task is needed, because the language that is typically exploited by the user is high level to be independent of the technicalities of the functions (policy refinement). Finally, a verification is often performed to check if the result is compliant with the original policies (policy verification).

Policy refinement is the stage that mostly suits network security automation. Network functions, even when belonging to the same type, are typically implemented in different ways, as they are produced by different vendors. In virtualized networks, this issue is exacerbated, because anyone can easily create a VNF by writing a software program. Policy refinement addresses this problem when coupled with the policy continuum [28]. The core idea is the existence of different levels of abstraction for the representation of policies and function configurations. According to the analyses by Basile et al. [29] and by Hermosilla et al. [30], three classes of policy languages may be exploited for a complete representation as follows: (1) High-level Policy Languages (HPLs) allow users to express policies in a user-friendly notation, thus easing readability and understandability; (2) Medium-level Policy Languages (MPLs) express policies within a structured implementation-independent representation, based on conditions (i.e., the events that must happen so that the policy is triggered) and actions (i.e., the operations that a function must execute whenever all the policy conditions are true); and (3) Low-Level Configurations express policies with the languages specifically required by the network functions that must enforce them. In this policy continuum, policy refinement represents the decision-making process that changes the abstraction level of the policy representation from higher to lower level classes.

According to this discussion, Policy-Based Management is a fundamental component of automated methodologies for the configuration of a network security service. The main reason is that automation always requires input data to perform the operations needed to compute the outcome. User-specified network security policies perfectly play this role, since they describe the behavior that the network must satisfy, thus allowing the automated methodology to establish consistent function configurations. Moreover, thanks to the intermediate abstraction level represented by MPLs, even though anyone can define their own virtual function implementation, the automated methodology that should be created for computing their configuration can be designed without caring about this aspect. Indeed, the final translation from MPLs to low-level configurations can be performed independently from the refinement from HPLs to MPLs. On the one hand, all the information required for security enforcement is already provided by the medium-level representation. On the other hand, this final translation consists in a syntax translation and simply requires the knowledge about the syntax of the languages of the low-level configurations. Therefore, when the problem of automatic configuration is investigated, it is possible to focus on the generation of the medium-level representation.

The trend of introducing automation for network security configuration is motivated by its ability to overcome most of the limitations dissected in Subsection 2.1.

First, automated orchestrators can be used to configure network security without requiring a high level of network security expertise or experience. Expert security managers are few in number and have high costs. Consequently, in many companies, most of the people working in network security have networking expertise, and they are supervised by a restricted number of security experts. If these people use automatic tools, then their lack of expertise is mitigated, thanks to the aid provided by the tools. Of course, they must monitor the tools that perform the automatic operations, but monitoring is much less complex, less error prone, and less time-consuming than the full manual design of a security service.

Second, size and heterogeneity of modern generation computer networks can be better dominated with automation than manually. On the one hand, an automated orchestrator of network security functions can have a complete overview of the whole network architecture by taking global decisions that a human being would have difficulty to manage. On the other hand, heterogeneity can be managed by an abstraction layer between the automated orchestrator and the heterogeneous security functions, so that the configuration that is automatically computed for each one is translated into the correct vendor-dependent commands to set up the specific device. This translation step, if performed manually, requires the complete knowledge of how each parameter must be set for any implementation of the function; in this case, a software process with all the required information can perform this operation faster and more reliably.

Third, differently from a manual configuration, which is based on a trial-and-error approach, an automated orchestration can directly find a correct and optimal solution. Optimization could be exploited, for example, to allocate only the middleboxes that are really needed to provide the service, so that only the required resources are actually installed. Or it could also be exploited to maximize security protection. Achieving the same result manually would be extremely difficult, since correctness itself is hard to achieve manually.

Despite all these benefits that automation could carry over to the network security field, some potential drawbacks could also be highlighted. However, most of them are only apparent and mostly depend on human prejudice. The main problem is clearly not technical but related to the psychological field. In history, automation has always been considered potentially dangerous, because the users of automated tools fail in fully understanding how such tools work and fear they could lead to bigger problems than manual operations. However, this common sense is not justified. First, automation can be exploited to provide a guarantee of correctness by leveraging automated formal verification techniques, while achieving the same guarantee manually is more difficult. Second, any automated tool is developed by a human being, who should provide the full documentation to make others understand how it works and how some potential problems should be managed. Third, the problem is not the “over-automation” but either the design of the automated tools or their supervision [31]. Both these operations rely on human beings, thus proving that, at the end, any drawback that automation can introduce is related to some activities directly or indirectly performed by humans.

Summarizing, the statistics that have been reported in this section come from research studies, which further supports the idea that automation may play a central role in future network security. The challenge that arises is rather how to answer the following questions: (i) Which technologies can be exploited as foundations for automated network security methodologies? and (ii) How can research further deploy this novel path by improving the current state of the art?

The research questions addressed by this survey are as follows:

RQ1 (Time distribution): What is the time distribution of the works about network security configuration automation? Research in network security configuration automation has recently started to trend again, thanks to the advent of virtualization in the networking field. However, it is well known that the same topic has been addressed in the past, too. A pair of pilot studies, Firmato [33] and MIRAGE [34], date back to the first decade of the 2000s. Consequently, it is interesting to understand the publication trend of papers on this topic throughout the years.

RQ2 (Enhancing features): How are automatic methodologies enhancing network security configuration with respect to manual strategies?

Automation can improve the produced output quality, as it can perform more complex and faster operations than what humans can do. It is expected that the same applies to the network security configuration field. An objective of this literature review is to identify the common enhancements and improvements that have already been achieved by the state-of-the-art automatic approaches for network security configuration with respect to the manual ones. From this analysis, researchers can understand which paths have already been investigated.

RQ3 (Limitations): What are the limitations of the state of the art in the area of network security configuration automation?

A crucial objective of this study is to understand the current limitations of the proposed approaches. Even though important steps have been taken to improve the state of the art, not all the problems in this area have been solved, and the existing papers have shortcomings to be addressed. From the identification of these limitations, researchers can intuitively infer emerging challenges and research trends that should be followed in the future to fill the existing gaps.

The search process of conference proceedings and journal papers was carried out in the following databases: SCOPUS, Science@Direct, Wiley InterScience, IEEE Digital Library, ACM Digital Library, SPRINGER, and ISI Web of Knowledge. The following search string has been used in the search engine of the previously listed databases:

The tool Publish or Perish has been used to automate the search process for the supported databases.

The results have been enriched with the snowballing technique, i.e., for each study, its references and the papers citing it have been analyzed. Then, all enriched search results have been merged by fulfilling the following criteria:

(C1) Impurity and duplicates removal: Duplicate results were removed.

(C2) Inclusion criteria: Papers were considered if they respected all the following criteria: (1) papers describing methodologies that can be used for the automatic synthesis of a network security service or the automatic configuration of the network security functions; (2) papers published between 1996 and 2023; (3) papers subject to peer review (e.g., journal papers, papers published as part of conference proceedings will be considered, whereas white papers will be discarded); and (4) papers written in English and available in full text.

(C3) Exclusion criteria: Papers were excluded if they fulfilled at least one of the following criteria: (1) papers describing methodologies only for network management automation, without any reference to network security; (2) papers limited to present a formal theory for networking, without any substantial possible application to computer networks; (3) secondary studies (e.g., systematic literature reviews, surveys); and (4) studies in the form of tutorial papers, poster papers, editorials, because they do not provide enough information due to page limitation.

(C4) Combination: If there are multiple papers related to the same study, then a single record is kept for all of them. This action is necessary for ensuring completeness and traceability of results. For example, if a primary study is published in more than one paper (a conference paper, then extended to a journal version), then only one instance will be counted as a primary study. Generally, the journal version will be preferred, since more complete.

Finally, we positively verified that the combined result of the search process includes the following pilot studies (relevant papers for the investigated literature area) [29, 33, 34, 35, 36].

Here we describe how data collection and synthesis have been performed and how we provide responses to the research questions according to the results of those operations.

First, data collection has been performed independently by three authors so that the results could be compared. In merging the results according to the described method, disagreements have been resolved by consensus among the three authors. The fourth author checked how the extraction was performed. At the end of the review process, 98 papers were collected.

Second, the collected data were tabulated according to the taxonomy shown in Figure 1. This taxonomy is the result of patterns identified when analyzing the state-of-the-art literature. In particular, for the studies about security service composition, large differences exist depending on the main technology that is used to introduce automation (SDN or NFV). Instead, approaches for automatic function configuration mainly differ according to the function types for which they have been designed (firewalls, SDN switches, VPN gateways, and embedded devices), while a limited number of them can be applied to heterogeneous security services composed of multiple function types. Each data row includes the characteristics listed in Table 1.

According to such taxonomy and characteristics list, Section 5 and Section 6 summarize the papers collected about automatic service composition and automatic function configuration, respectively. This descriptive synthesis represents the key to understand how the three research questions can be answered.

Finally, the final elaboration of the literature investigation results, jointly with their quantitative analysis, is presented in Section 7. This discussion follows the descriptive synthesis of the collected papers, because, as recommended by the guidelines described in Reference [32], this allows readers to have the knowledge necessary to fully understand the answers.

In an SDN network, the main goal related to automatic service composition is to design the architecture of a network made of SDN switches. The security requirements are commonly expressed in terms of traffic steering policies, e.g., for a traffic flow the path that it should follow is specified, or the requirement that such flow does not reach some destinations or that it does not cross non-permitted switches. However, switch configurations, including the forwarding and filtering rules by means of which the policies are enforced, are not managed by the approaches presented in this subsection, whose purpose is the design of the service architecture, but by those presented in Subsection 6.2.

A milestone for automatic security service composition in SDN networks was the solution proposed in Reference [47], named FRESCO. It is a framework based on the well-known OpenFlow protocol, one of the communication protocols most commonly used by SDN controllers to access to the forwarding plane of network switches. FRESCO introduces the possibility of designing composable security architectures made of detection and mitigation modules. This framework uses code snippets, called modules, which can be combined to create security functions. These modules can inter-operate and exchange helpful information to make more grounded decisions, which represents a novelty not appearing in any other work related to the automatic creation of SDN-based services. Moreover, each module can be triggered according to an action-reaction paradigm, thus avoiding further human interventions after the initial design of the service. Even though neither formal verification nor optimization enrich this framework, FRESCO represents the peak of several works dealing with OpenFlow-based declarative query languages (e.g., Frenetic [48]) and the basis for other related automated approaches.

Subsequent papers related to this area include References [49, 50, 51, 52]. The first two (i.e., References [49, 50]) formulate the traffic steering problem as an Integer Linear Programming (ILP) problem, targeting optimality criteria to be fulfilled in the design of a security service. Reference [49] proposes a framework called Software-defined Middlebox Policy Enforcement, which exploits SDN to automatically enforce policies when planning the placement of middleboxes in a network. The purpose is to optimally balance the traffic load across the middleboxes that are laid to compose the service. Reference [50], instead, proposes a solution based on a special data structure called MultiPoint-To-Point Tree, which was originally created for Multi Protocol Label Switching networks for managing traffic steering. In both approaches the requirements that a user can specify are security related (e.g., it could be required that a specific traffic flow crosses the sequence of firewall, IDS and proxy). However, the same does not apply to the optimization goals, which are only related to networking parameters, such as the minimization of the load across the middleboxes composing the service. Reference [51] proposes a rule-based system for automatic composition of security chains including formal verification of their compliance with the requirements to be fulfilled. This approach uses logic programming for establishing the functional specification of the security chains after evaluating the different kinds of traffic in the network and classifying them. The automatically synthesized chains are then created by using the Pyretic language [73], which is part of the Frenetic framework [48], for programming the SDN controller. However, differently from the previous ones, this approach is mainly meant to protect Android applications, even though the proposed formal models for achieving the synthesis of a security service could also be theoretically applied in different environments. Instead, Reference [52] describes an architecture that performs automatic intent-based provisioning of a security service in a multilayer network. This operation is performed by using an SDN orchestrator developed on top of the Open Network Operating System controller. The intents discussed in this article are only related to encryption requirements, and they might not be sufficient to specify more complex requirements (e.g., based on mutual authentication mechanisms or key exchange protocols).

Finally, References [53, 54] focus on methodologies for refactoring an existing security service to fulfill the input requirements. Reference [53] exploits Nile, a high-level comprehensive intent definition language, for the specification of the security intents that must be achieved in the service. After they have been formulated in a human-readable representation, a refinement process establishes which NSFs should be added to the service and in which position (i.e., between which pair of already present functions) so as to fulfill the intent. Instead, Reference [54] defines a technique for designing security chains based on Markov models, i.e., learning finite automata. In particular, with the aim to minimize the total number of security functions in the service, two algorithms are presented: The first one identifies multiple functions in the same chain that could be replaced by a single one, whereas the second one searches for different chains that could be refactored into a single one. Both References [53, 54] do not apply when the full service should be created from scratch.

Given the importance that NFV achieved in the networking field since the early 2010s, most of the approaches for automatic service composition—including some based on SDN—exploit its virtualization principles.

As discussed in Section 2, the introduction of NFV into the techniques for automatic network security configuration has enabled the introduction of several optimality criteria. Despite this statement, some authors [35, 55, 56] do not formulate the problem taking optimization objectives into account, but they focus on other features. More precisely, Reference [55] proposes an automated mechanism that, starting from requirements expressed in controlled natural language by business-level operators, automatically generates security service graphs based on them. The engine requires a repository of VNFs from which it chooses the needed ones by matching their capabilities with the fields of the requirements themselves. The approach has been further extended by the authors in Reference [35]. In this case, when the needed VNFs must be selected, the k-means clustering algorithm is invoked, so that groups of VNFs are created according to the level of security they can provide. For example, if a medium level of security in the detection of attacks is required, then an IDS from the cluster labeled with “medium security” will be selected. This action can improve performance, because the choice for the refinement of each intent is thus restricted to a smaller set of functions. Another approach [56] proposes a function composition algorithm based on a Trie tree, which finds a security service composition that meets user’s requirements. This approach shows high flexibility, because it can manage the IP addresses of the Virtual Machines automatically, so addressing the problem that, in cloud environments, IP addresses often change.

Let us now analyze, instead, the consistent number of other approaches [29, 57, 58, 59, 60, 61, 62] that aim at designing network security services by fulfilling, at the same time, some optimization criteria.

In References [57, 58, 59, 60], some heuristic strategies have been explored to minimize the total hardware and power resource usage. In virtualized environments and cloud scenarios, this purpose is evidently reached by minimizing the number of VNF instances installed in the network, since each one requires some resources. In particular, Reference [57] proposes the APPLE framework, in which each security policy is a sequence of security functions that each kind of traffic flow must traverse. APPLE achieves the aimed objective by creating a sequential ordering of functions that satisfies all the specified policies: In this way, the same instance of function could be present in more flow paths. The heuristics described in Reference [58], instead, after receiving multiple requests of generating security chains, refine these requirements by establishing a single combination of functions that consumes as few network node resources as possible. This algorithm is based on a greedy iterative approach: At each iteration it considers a possible function combination and it gives priority to security services where the composing functions have the maximum total throughput. In Reference [59], a novel heuristic based on a breadth first search is proposed to reach near-optimal solutions in polynomial time. This algorithm consists of two steps: First, the functions needed to enforce the policies are identified; then, they are composed by constructing the breadth first search tree and by minimizing the objective function, which considers parameters such as CPU, storage, bandwidth, and latency. Instead, in Reference [60] the heuristic algorithm is based on the partitioning concept: Instead of computing the full topology at the same time, the network is divided into partitions, and the problem is solved for each partition independently. This approach provides great scalability, while guaranteeing that the ordering constraints between the NSFs are still respected. The last two studies [59, 60] also introduce an ILP formulation of the problem but only to have a reference to assess the performance of the proposed heuristic.

Other approaches [29, 61, 62, 63, 64, 65], instead, propose to use ILP formulations rather than heuristics. Reference [61] describes a formulation based on the creation of an augmented graph: Considering all the security requirements related to the service design, all the possible instances are introduced in this virtual topology, the augmented graph, with all the possible interconnections. Only a subset of instances and connections will be actually present in the final service, in accordance with the objective function, which aims to minimize the number of VNF instances. Reference [62] describes an optimization engine, called Policy Manager, which exploits some policy refinement techniques to identify the NSFs that can be used to enforce the policies. The selection is typically based on a tradeoff among different criteria, such as cost, performance, reliability, or reputation of the different functions. However, additional usage profiles are provided to the users by means of which some parameters can be assigned greater importance than others when selecting the functions. The constraints about the profiles and the objective function are represented with a Mixed Integer Linear Program (MILP) problem, whose variables can be discrete (i.e., they can take a limited number of possible values). A further improvement of this methodology has been later presented in Reference [29]. In this case, the key role is covered by a Security Awareness Manager, which is in charge of the policy refinement process, but it provides also additional features with respect to the Policy Manager. For example, it supports dynamic adaptation to network changes, so that the security policies are kept enforced even when a security function fails. Considering the larger number of optimization parameters taken into account (e.g., user rating, experts trustworthiness expectations and security evaluation), the problem is formulated with a multi-objective approach. Reference [63] reaches an optimal construction of service function chains proposing an abstraction of multiple categories of security demands, so as to summarize them with a numerical value named security level of the chain. The ILP problem that is formulated aims to maximize not only parameters related to physical resources, such as CPU capacity and utilization time, but also the security level itself. Reference [64] proposes a novel abstraction of virtual network security functions, called functionality, which extracts the essential configuration parameters of each function in a vendor-independent representation. As better discussed in the extended version of this approach in Reference [65], this abstraction allows disjoining service composition from its deployment in the physical infrastructure, because functionalities can be used to compose the virtual service before establishing which VNFs are needed to enforce the security requirements and how they should be configured.

Other studies address the automatic fixing of an already-deployed security service in the NFV context, too. Reference [66] defines four operations that can be applied in the refactoring process: separating a security service into multiple ones, chaining VNFs into a single structure, merging the unnecessary VNFs to optimize system resources, reordering the VNF organization. Reference [67], instead, proposes a dynamic defense provisioning mechanism, where a single IDS can be broken down into separate light network functions, each one in charge of detecting some attacks at different levels of the ISO/OSI stack (e.g., from packet header inspectors to deep packet inspectors).

All the works analyzed so far concern either the automatic composition of the full network service from scratch, including the security functions, or its refinement, by changing a previously generated service. There are other studies, such as References [36, 68, 69, 71], that address the different scenario of a network administrator who wants to enforce security requirements on an already defined network service, which does not yet include security functions. For example, the service could be exclusively made of network functions such as NATs, web caches, and load balancers but not NSFs. In this specific situation, the administrator may want that the service topology is kept and not changed, i.e., all the service functions should be crossed by the traffic flows as forced by the original design. In this case, the security policies are enforced by just allocating some NSFs in the existing topology.

This problem is more complex than the previous one, mainly because the presence of the pre-existing middle-boxes must be considered when deciding the allocation scheme of the NSFs: Each network function can, in fact, have a behavior that could impact on the enforcement of the security policies themselves. A trivial solution such as allocating NSFs between any pair of network functions, even though potentially correct, would consume too many resources, would be inefficient, and would increase the configuration work. For this reason, solutions that try to optimize the way the network service is enriched with NSFs have been proposed.

Reference [68] solves the so-called firewall placement problem by identifying how firewalls should be placed in a network topology so that the maximum firewall rule set, which would be needed to satisfy the input security policies, can be minimized. Since this problem is NP-complete, a heuristic algorithm based on a variant of the shortest path algorithm is exploited to approximately achieve this optimization goal. Another approach [36] automates the generation of the allocation scheme for access control devices with an optimized and formal approach based on the definition of an iterative Satisfiability Modulo Theories (SMT) problem.³ The basic idea is that, at each step of the algorithm, the access control architecture is tuned until all the security policies are properly enforced by the achieved result. With respect to Reference [68], the optimization criterion is, in this case, the minimization of the access control elements allocated in the network. In both these papers the presented methodologies are general enough to be applied to both traditional and virtual networks. A more recent approach [69, 70, 71] proposes a definition of the firewall allocation problem as a Maximum Satisfiability Modulo Theories (MaxSMT) problem.⁴ In this case, formal correctness of the computed solution is achieved with a correctness-by-construction approach, thus avoiding an a posteriori formal verification and speeding up the overall process. The optimality criterion that is considered is the minimization of the number of allocated firewalls. Moreover, with respect to the other two works, in this case not only the allocation scheme but also the firewall configuration rules are computed. Hence, the algorithm can represent a complete proof-of-concept of an automatic network security service generation, albeit limited to firewalls only. Some ideas about how to extend this approach for the composition of services with multiple types of security functions have been discussed in Reference [72], where the MaxSMT formulation is again presented to design a service with the minimum size.

A first class of network security functions is represented by the functions that can decide if a traffic flow with certain characteristics is allowed to continue to its destination or if it must be blocked. In this category, the function that has been most investigated is the packet filtering firewall (i.e., a firewall that can analyze fields of the IP 5-tuple), because this kind of function is sufficient to protect an end-to-end service in most situations, and, at the same time, it requires a much simpler configuration than what is needed by other security functions. In this class, nevertheless, we will consider also traditional functions, such as filtering routers, that can be configured as access control devices. The reasons of this classification choice are that most of the methodologies share the same concepts, since firewalls themselves are exploited for access control, and these functions themselves take decisions that are mostly based on the same information.

The oldest work that we found in this category is dedicated to filtering routers [75]. It discusses the possibility to compute a set of filters for the individual routers of a distributed networked system, so as to enforce a global network access control policy. However, being the first proposal in this area, this methodology is lacking from several points of view. First, the abstraction level at which it works is really high, so that the actual configuration of access control devices would require an additional refinement. Second, the filtering rules that are produced are not guaranteed to be optimal. Finally, an algorithm to check the consistency of the computed configurations is presented, but it is not based on formal verification techniques; consequently, it does not provide a full formal correctness assurance. Despite all these limitations, this article opened the path to other similar research works in the immediate next years in a period that is largely antecedent to the advent of network virtualization.

A framework mainly targeted to traditional small-sized networks was proposed few years later, and it became a milestone for access control automation: Firmato [33] is a firewall management toolkit that can automatically compute a firewall configuration so as to enforce a set of global security policies into a network. The presence of a model compiler allows the framework to provide an abstract representation of the output configuration with respect to the specific setup of each firewall. Besides, with the aid of an additional module called Fang [140], a human being can easily interact with the automated framework through a query-and-answer session, by means of which she can find out if a global policy is correctly satisfied by the enforced firewall rules. This work has become so important in this field, because it has been the first proposal of an automatic firewall configuration, based on an abstract and vendor-independent representation. Although designed for distributed firewall architectures, Firmato was validated by considering a single border firewall.

After this first work, other proposals tried to overcome its limitations, at the same time providing additional features. The next papers that appeared after Reference [33] are References [74, 76, 77]. In Reference [74], concrete firewall configuration rules are derived from high-level network security policies by exploiting an Organization Based Access Control model. The operation that is performed is actually a translation, more than a refinement, just providing abstraction from firewall implementations. The methodology proposed in Reference [76] exploits a framework for policy-based management, called STRONGMAN [141], to automatically establish and enforce local access control rules that are compliant with high-level global security policies: The compliance checker module can, in fact, compose the rules into a coherent enforceable set for each device. Finally, FACE [77] is a framework that can automatically analyze and generate the rules for a distributed firewall, so as to satisfy a filtering policy expressed with a threat model where the attacks for which a protection must be enforced are defined. These works apply policy-refinement to a distributed access control architecture, even though only Reference [76] really validates the approach in a distributed system, while Reference [74] validates it with a single firewall and in Reference [77] no effective validation is showed. At the same time, none of these works uses formal verification techniques.

Formal assurance of configuration correctness was introduced in References [78, 79, 80, 81]. Specifically, Reference [78] exploits formal logic programming methods to model real-world situations, where firewall rules are automatically generated by a reasoning engine so that they not only enforce security policies, but they are not affected by anomalies such as redundancies or contradictions. This approach, however, is limited to configurations that are compliant exclusively with the syntax of IPChains and Cisco’s PIX. The methodology illustrated in Reference [79], instead, automatically refines a conflict-free set of access control policies into distributed rules; the consistency and correctness of the access control list implementation are then formally verified with respect to the original policy model by exploiting a Boolean satisfiability problem formulation. B-Method, an approach based on formal methods applied to abstract machine notation, is instead used in Reference [80] for the enforcement of security policies through a simplified refinement where the information composing the abstract notation is derived from the external network environment. Finally, the technique described in Reference [81] is based on formal argumentation and preference reasoning, exploited to both analyze and generate firewall rules from high-level policies. Even if the rule ordering is not specified in the high-level policies, the correct ordering of the firewall rules is automatically computed by means of abductive reasoning.

When network virtualization became dominant in research, a number of papers [82, 83, 84, 85, 86, 87, 88] started investigating methodologies that can be applied to virtualized networks. Indeed, most of these methodologies can be applied to traditional networks, too, the only exceptions being References [82, 87, 88], that propose, respectively, an automatic approach for computing Netfilter configurations through the user specification of unordered policies [82], a method to automatically define the rules for iptables, to ensure access control protection in a large-scale synthetic power system [87], and a method that applies to three UNIX firewall systems (iptables, ipfw, pf) [88].

Coming to the approaches that can be applied to both traditional and virtualized networks, Reference [83] addresses the lack of a formal semantic to distribute multiple security policies in the access control middleboxes of a network by designing an automated refinement process, based on algebraic requirements. This approach also supports a formal verification step. Another framework, proposed in Reference [84], is SyNET, which is based on a correctness-by-construction approach. The synthesized rules for access control devices are computed as the output of a Datalog program, which contains all the information about both the network topology and the security policies. An alternative paradigm, proposed by the same authors in Reference [85], is the NetComplete framework, which, like SyNet, is based on an SMT problem formulation, but it avoids to model policies as constraints of the SMT problem if they can be solved and verified in an alternative way, and it also exploits domain-specific heuristics, such as partial evaluation, to reduce the solution space, so improving the overall efficiency. Another comprehensive approach for access control policy refinement and formal verification is illustrated in Reference [86]. The designed methodology can derive the proper access control configuration from security policies, but it can also fix an existing one if it does not correctly enforce the user-specified requirements.

Firewall and access control configuration proves to be a thriving research area at the beginning of this new decade, too, with a new range of studies [69, 70, 71, 89, 90, 91, 92]. References [89] and [90] aim to improve the scalability of automatic access control configuration. The former applies machine learning on the operator-provided feedback, while the latter transforms the user-specified policies into a representation named priority-based domain type enforcement, which considerably reduces the complexity of policy specification and therefore its impact in terms of performance. Instead, References [69, 70, 91, 92] apply formal methods to ensure configuration correctness. Reference [91] achieves this goal by using preference-based argumentation reasoning, so as to identify all the possible conflicts and anomalies among the user requirements before refining them into the firewall rules. Reference [92] shows that modeling the user-specified policies with the metagraph algebra leads to reduce the problem complexity, as policies are decoupled from implementation-specific intricacies of low-level middleboxes. Finally, Reference [69], already presented among the approaches for automatic composition of network security services in Section 5, proposes a framework that can also automatically compute the configuration of a distributed firewall architecture as the solution of a MaxSMT problem, which also provides formal correctness assurance and optimization, such as minimization of the cardinality of the firewalls’ rule sets. This approach has been recently extended in Reference [70], where an algorithm for the computation of the traffic flows to be later modeled in the MaxSMT problem allows achieving better performance. An alternative way to model packet classes in a MaxSMT problem has been preliminarily investigated in Reference [71]. In that study, each packet class considered for traffic flow computation is the minimal one and is disjoint from the others. Then, each class can be associated with an integer number and fewer variables are included in the problem formulation, thus increasing the overall scalability.

All the papers discussed so far exploit automation to compute firewall configurations from scratch, assuming all the access control boxes are just placed in the service but are not yet characterized by any filtering rule. However, a consistent group of papers [94, 95, 96, 97, 98, 99, 100, 101, 102] focused on automated reconfiguration, with the purpose of fixing an existing configuration that is not compliant anymore with a new set of network security policies or which is affected by some policy anomalies. Even though at first sight this capability could seem more limited than the computation of a full configuration, it represents a crucial component of the full workflow of an automated network configuration, described in Section 4. Whenever a new security requirement is identified by the user (e.g., a server has been recently victim of an attack and the access to this host must be prohibited, thus avoiding any interaction that could make the attack propagate in the network), the reconfiguration of the security architecture should be as fast as possible. If the rules of each function must be computed from scratch each time the user adds or modifies policies, then the required time could soon become unacceptable, although shorter than that required by a manual intervention.

Looking more closely at the methodologies belonging to this class, Reference [94] designed a policy engine that can perform an automated reasoning on vendor-independent network function models so as to compute new configuration parameters every time the need to change them is brought over by the violation of a security policy. The followed approach has an iterative nature, because the policy engine generates a compliance test for each policy, executes all of them, and derives new configurations for a network partition; if compliance is not yet reached, then the process is then repeated for another partition. The technique presented in Reference [95], instead, targets the firewall reconfiguration problem by applying a reduction algorithm to the result represented with a Firewall Decision Diagram, while maintaining its consistency and completeness at the same time. Another approach [96] derives anomaly-free rule sets by analyzing the relationships between the filtering rules of each firewall, searching for coincidence, disjunction, and inclusion phenomena in the condition attributes of the rules. Following an approach similar to References [95, 96], Reference [100] illustrates five algorithms that can reconfigure a faulty firewall configuration after incurring in one of the five corresponding issues (wrong rule order, missing rules, wrong condition predicates, wrong decision actions, wrong extra rules). However, Reference [97] proposes a change management process, based on changeability analysis on a Service Graph, which recomputes the access control configuration to make it consistent with end-to-end connectivity requirements. This work was limited to a specific type of security requirements, while Reference [98] considers additional classes of constraints, such as reliability and performance requirements. Finally, two other papers exploit formal verification to provide the administrator correctness assurance of the achieved results. Reference [101] describes the design of the Control Plane Repair algorithm, based on a MaxSMT formulation, which also minimizes the number of configuration changes by using an abstract representation of the control plane semantics. Reference [102] uses a dedicated calculus to formally verify if the access control configuration is compliant with the security policies and, if not, to automatically generate the optimal configuration repair.

An SDN switch is an access control device that works in symbiosis with an SDN controller. The filtering rules can be lowered on a switch in a proactive way, previously established by the administrator. However, the optimal working mode is the reactive one, where an automated controller computes configurations by itself and changes the rules when needed, e.g., when a new security policy must be enforced or an attack has overcome all the barriers. The main differences with respect to traditional access control devices are that (i) a full framework for SDN switches management is not needed, because an application integrated within the controller is sufficient, and (ii) reaction time is typically lower, because most of the operations are performed by software.

A first problem addressed in literature about automation of SDN switch configuration is the need of high-level languages to specify policies in such a way that security requirements can be independent from vendor-specific switch implementations. This challenge was faced in the early years of SDN, before the advent of the first automated configuration techniques, which inherited the most useful principles of these original languages. The milestone languages are Ethane [142], Frenetic [48], and PolicyCop [143]. Ethane [142] allows administrators to write high-level access control policies with a flow-based language, while Frenetic [48] is a programming language specifically developed for OpenFlow networks, is able to express both user-specified policies and policies for automatic reaction to events. Instead, PolicyCop [143] is a language for the specification of service level agreements within Openflow. A more extended dissection of specification languages, which would be out of scope for this article, is provided in Reference [144].

After this preliminary research phase, OpenFlow has been used to develop automated methodologies for configuration (and reconfiguration) of SDN-based networks [47, 103, 105, 106]. The common ground of these techniques is the automatic enforcement of user-specified policies, expressed with a user-friendly language, in a distributed SDN switch architecture, providing abstraction between policies and filtering rules. Each of them has some significant exclusive peculiarities described below, and there is no dominant work in this group overshadowing all the others.

CloudWatcher [103] can define the optimal (i.e., minimum) route for each traffic flow such that it crosses some nodes dedicated to intrusion detection. In fact, the main goal is that such traffic flow is inspected, thus enabling automatic reaction. However, the reaction can be performed only by means of external modules, developed by the cloud administrator, since internal reactive algorithms are not provided. Procera [105] is a framework based on functional reactive programming, inspired by the Frenetic language. Its main peculiarity is the simplification of event reaction, by the definition of reactive policies that capture all the information needed to enforce security constraints after a specific event. However, a limitation is the complexity of the language used for policy specification, since it is similar to a programming language and less user-friendly than the others. Fresco [47], already presented among the approaches for automatic composition of virtual network security services in Section 5, also includes a number of modules that can be exploited and combined to create and then enforce network security policies. A great advantage of this approach is that each policy is not independent of the others, but they can share the enforcing modules. As for Procera, user friendliness is not very good, because each policy is similar to a code script. OpenSec [106] is characterized by an internal mechanism to offer event reaction and a more user-friendly policy language. Nevertheless, with respect to CloudWatcher, optimization is missing, whereas, with respect to Fresco, each policy is independent and isolated from the others.

The four papers just discussed [47, 103, 105, 106] represent the core of automation for SDN switch configuration. However, another group [104, 107, 108, 109, 110] is worth being discussed, since they present innovations that go beyond the principles on which CloudWatcher, Procera, FRESCO, and OpenSec are based. Reference [107] describes the architecture of a framework to enforce security policies on SDN communications that introduces the innovation of a Policy Manager that can be both intra- and inter-domain, thus showing the feasibility of this approach for big multi-domain scenarios. An extension of this work [109] introduces the presence of Switch Security Components, i.e., enforcement mechanisms directly residing in the switches rather than in the SDN controller, where only the orchestrating software, called Security Management Application, runs; this novelty is particularly suitable for a proactive prevention of the attacks from malicious end points connected to the network. Instead, Reference [108] proposes a methodology, based on a MILP formulation, to optimally update the configuration of an SDN-based network whenever the waypoint traversal of traffic flows must be enforced. The optimality criterion is the minimization of the number of rounds through which the traffic can reach the specific waypoint. Reference [104] defines the MTDSynth framework, which exploits moving target defense techniques to automatically enforce agility specifications, i.e., the definition of which security actions must be applied in reaction to specific mutation events. Finally, Reference [110] formalizes security policies with multi-attributed graphs to easily remove the conflicting flow rule from the switches and automatically install the new ones requested by the user.

Another category of network security functions is represented by communication protection devices that can be used to enforce policies about how traffic should be protected when crossing the network. The two main security properties that are dealt with are data integrity (i.e., the guarantee that the correctly received data have not been modified by the middle-boxes with respect to the ones originally sent by the source) and source authentication (i.e., the guarantee for the destination that the source of communication is the expected one). The most frequently used technology is IPsec, often adopted for creating VPNs, i.e., networks that, although crossing public or non-trusted nodes, are protected and made private by security mechanisms. When using this mechanism, VPN gateways are the security functions used to enforce the required communication protection by creating secure IP tunnels.

As for firewalls, also for VPN gateways a milestone paper can be identified in the research area of automatic configuration: Reference [111] was the first paper that proposed a clear classification of the user-specified requirements for secure communication. These requirements are divided into four categories: (1) access control requirements for restricting access only to trusted traffic; (2) security coverage requirements to define which security algorithms should be applied to a specific type of traffic; (3) content access requirements to establish which network nodes can have visibility of the decrypted traffic; and (4) security association requirements, related to the set of Security Associations, i.e., sets of shared security attributes between two network nodes. Given these four requirement types, the authors propose three different algorithms for computing the configuration of VPN gateways. These algorithms have been the base of all the other ones developed later. In a nutshell, the first strategy, called direct approach, simply creates a VPN tunnel for each security coverage requirement. It is very efficient, because it is a mapping between requirements and function rules. However, it can lead to incomplete solutions, because it may fail in enforcing a security requirement if a one-to-one relationship with a VPN tunnel is not enough. A second possibility is the bundle approach, which consists of grouping traffic flows into disjoint sets, for which the VPN rules are created: The solution that is reached is always complete and correct, but the strategy is less efficient and scalable. Finally, a combined approach is proposed as a tradeoff to overcome the weak efficiency of the bundle approach and the lack of completeness of the direct approach.

One issue with this proposal is that, with any algorithm proposed in Reference [111], the number of automatically generated VPN rules is often greater than necessary. With the aim to overcome this limitation, the author proposed a fourth algorithm in Reference [112], called ordered-split approach. With respect to the other three ones, this strategy is optimized, because it builds the minimum number of VPN tunnels to satisfy the user-specified requirements. This objective is achieved with a solution based on the traditional “task scheduling” algorithm.

All these concepts were then exploited in Reference [113] for the description of a distributed and automated architecture, called BANDS. The main purpose is to apply the algorithms proposed in Reference [111] or Reference [112] to an inter-domain environment, where VPN tunnels cross multiple Autonomous Systems. The increased complexity is managed by discovering which path of Autonomous Systems each traffic flow must cross in the tunnel and by the activation of a negotiation protocol, through which each Autonomous System can negotiate the VPN policies with the others. This negotiation is performed automatically, for each Autonomous Systems, by a server specifically in charge of this task.

In the subsequent years, other authors studied the automatic configuration of VPN gateways by proposing alternative methodologies for the computation of rules or improving the features of the existing ones. Reference[114] proposes an algorithm to automatically generate conflict-free VPN rules, with the aim of solving all the possible conflicts that could arise from an incorrect specification of the requirements. Their strategy is based on an iterative approach: After each requirement is mapped to a specific VPN rule, at each step the policies are ordered by decreasing length and possible overlapping or redundancy anomalies are managed starting from longest tunnels. Instead, the algorithm described in Reference [115] aims at automatically generating the policies by exploiting recursive binary trees. These data structures allow previously created rules to be reused to satisfy new requirements by only adjusting their selectors, thus avoiding the creation of new rules and improving efficiency. Reference [116] describes the design of a framework, based on a fully automated strategy to perform a distributed configuration of IPSec domains, including scenarios such as nested networks or mobile environments. With respect to the previous approaches, this algorithm reaches good robustness against potential failures, high scalability in terms of VPN gateways, and the agility needed by mobile IPsec devices. Instead, Reference [117] proposes an efficient approach to solve conflicts in VPN policies by creating new rules that are free from any identified issue. The main limitation of this work is that, with respect to the previous ones, it cannot create the configuration of a VPN gateway from scratch, but it works on previously established rules.

All the approaches discussed so far for VPN configuration can be applied only to physical networks. Two studies that went beyond this limitation are Reference [118, 119]. The former designs a hybrid SDN architecture that allows network devices from different providers to be connected through VPN tunnels configured automatically. The latter uses a MaxSMT formulation to ensure that the automatically computed VPN configuration is compliant with the user demands. Independently of the technical methods, both these approaches show that automating VPN configuration is a relevant state-of-the-art problem in modern networks, too, also because of the large variety of available VPN technologies, which may make manual decisions slower and more error-prone.

New security issues arise in managing the configuration of embedded devices, such as those in cyber-physical systems. The heterogeneity, pervasiveness, and distributed nature of embedded devices make their manual configuration much more error prone than what it is for traditional networked systems. This peculiarity can be observed especially with IoT devices, due to new security challenges that arise in protecting communications between constrained devices [145]. For example, privacy and data protection requirements add to access control constraints, and they should be treated with a high degree of flexibility in compliance with the adaptation and self-healing feature of IoT infrastructures. Therefore, expressing and refining security policies to govern distributed embedded systems (such as IoT) is a difficult task, because, in distributed architectures, complex processes are carried out by several interacting entities. This complexity is shown in the proposal of a policy language for distributed systems, called Hierarchical Policy Language for Distributed Systems [146]. This language enables expressing the relationship between an abstract policy, related to the whole network, and its distributed implementations at different locations through reference monitors that control the flow of information among distributed devices.

Following the proposal of this policy language, early attempts have been made for automatically refining security policies related to embedded devices, especially in IoT environments [120, 121, 122, 123]. The enforcement solution proposed in Reference [120] is a security toolkit, named SecKit, which cooperates with distributed systems via the MQTT protocol, a widely adopted technology to enable lightweight communications among constrained devices. The MQTT broker is extended with the capability of enforcing policies, concerning authorizations and obligations, in compliance with internal meta-models. As this was the first proposal for IoT devices, it has some drawbacks: All the enforcement operations are executed at the broker level, so this may hinder the safety and efficiency of the whole system. Instead, the idea behind the work illustrated in Reference [121] consists in the integration of an existing flexible and distributed IoT middleware, namedNetwOrked Smart objects (NOS) [147], with a security-aware policy enforcement framework. This extension of NOS is in charge of handling access control and service provisioning under security and quality requirements, e.g., to protect data resources and user sensitive information. A similar approach was pursued in Reference [122], where the security policy refinement mechanism thought for generic IoT environments is cast into networked systems for smart health. There, security policies concern the provision of authentication and authorization (e.g., nurses cannot access to sensitive data related to the doctors), or the anonymity of personal information. Instead, Reference [123] designs an automated framework, named ARCADIAN-IoT, for the holistic management of security policies related to multiple relevant properties for IoT-based networks, such as trust and transparent, user-controllable, and decentralized privacy.

After these initial studies, other ones [127, 128, 129, 130, 131] have introduced formal verification to improve the automation of embedded devices configuration. In greater detail, Reference [127] aims to reach a conflict-free enforcement in multi-administrative IoT environments, throughout a vendor-independent graph-based policy specification mechanism. Reference [128] challenges the auto-configuration problem for a peculiar class of embedded devices, smart meters, which forms an Advanced Metering Infrastructure, interconnected along with heterogeneous cyber-physical components transmitting usage reports or control commands between meters and the utility. An SMT problem is formulated to synthesize resiliency configurations for the smart meters, so as to enforce, in a provable way, security requirements, operational integrity invariants, and robustness constraints. Reference [129] uses a MaxSMT formulation for modeling the auto-configuration problem in IoT-aware networks. The proposed mechanism is tailored to solve specific problems of IoT environments, such as the simultaneous presence of numerous interconnected devices and strict latency requirements. Reference [130] defines a tree search-based algorithm that looks for potential alternatives of embedded devices configuration through a deterministic search process, and it proposes a verification mechanism to validate that all the threats described in the security requirements are successfully mitigated in the generated configuration. As discussed in Reference [131], this approach has been later improved with the inclusion of the full MITRE ATT&CK taxonomy [148], so that the proposed algorithm can also use its extensive knowledge to formally verify system design security characteristics.

Some other approaches propose to adapt a particular class of policies, named sticky policies, to the needs of IoT systems [124, 125, 126]. According to the original definition in Reference [149], the main idea behind the concept of sticky policies is to attach security and privacy policies to owners’ data to drive access control decisions and policy enforcement. In the extension of NOS proposed in Reference [124], each user can establish their policies on data, respecting the constraints defined by a trust authority, and attach them to the data themselves. After receiving the data, NOS can regulate access control by means of the attacked sticky policies. Similarly, in Reference [125], IoT users are enabled to personally enforce their privacy preferences. Thus, the policy enforcement mechanism relies on privacy metadata (e.g., privacy preferences, data categories, and data history), generated by smart objects owned by the users themselves. This idea is further improved in Reference [126], where a permissioned blockchain mechanism in introduced in NOS, with the aim to protect the sticky policies, which regulate the access to IoT resources, against tampering and violation. In all three studies, embedding the enforcement mechanism into the devices leads to some overhead, but it is compensated by the absence of a single point of failure.

Automating IoT security configuration has been also a central research topic in a recent EU H2020 research project, ANASTACIA [132]. The project created a framework, composed of distributed security components and enablers, that can dynamically refine user security preferences into the configuration of cyber-physical systems and IoT architectures. To this end, it also encompasses online monitoring to allow more automated adaptation of the system, with the aim to mitigate unexpected security vulnerabilities. In the frame of this project, multiple works have been carried out [42, 133, 134]. In Reference [42], different levels of abstractions for the IOT security policies are investigated, so as to enable a technology-agnostic refinement process. Security policies are refined in two steps: First sentences expressed in natural language are translated into technology-independent representations, and then those representations are refined into the effective configuration of each IoT device. This study has been enriched in Reference [133] with a logic formalism based on rule reasoning and the Semantic Web technology. The former envisions the usage of reasoners to infer new knowledge, not explicitly defined by human users, whereas the latter enables formal verification of the entire automated configuration process. Thus, their combined usage allows detecting conflicts that may appear in the IoT security policies or in the refined configurations. Finally, these ideas are applied to the automatic configuration of highly interactive honeypots in Reference [134]. Pro-active security policies are defined by the users to configure monitoring agents, which feeds the reaction part of the framework, and the monitored data are processed to generate and provide a set of countermeasures as new security policies, so that the configuration process for the IoT network can be repeated.

Finally, a pair of studies [43, 135] investigate how the problem of automatic security configuration can be addressed for IoT systems located in smart homes. Both pursue user-centered design, so as to include usability goals and user characteristics in the design of their solutions. On the one hand, Reference [43] discusses a policy harmonization technique employed in the policy refinement process, so as to reconcile policies specified by different people living in the same home and solve inconsistencies transparently. On the other hand, Reference [135] focuses on the refinement of attribute-based access control policies, allowing automatic decision-making processes based on environmental attributes like time of day, and on the location from which the attempt to access an IoT device originates.

All the works surveyed so far in this section deal with a single kind of NSF (packet filter, SDN switch, VPN gateway, embedded device). Consequently, they can be applied under the assumption that either the security service is composed of that single function type or all the other security functions have already been configured. Few researchers addressed the case when this assumption is false, i.e., an automatic configuration of heterogeneous services is necessary, including different function types configured all together or iteratively, according to the adopted strategy.

The first work in this area is Reference [136], which defines formal models of a large range of security functions and exploits them to check whether a set of security goals is achieved in a given network description. Indeed, this approach cannot automatically compute the configuration of the security devices from scratch, but it can identify possible violations of the security policies and recommend which devices should be reconfigured to eliminate the identified issues. Hence, this strategy requires that the functions are already configured before applying it. Despite this limitation, it can be considered as a first step toward fully automated configuration of an heterogeneous service.

After this initial verification-oriented attempt, Reference [137] provides the first joint automatic generation of configuration rules for two different types of security functions: firewalls and IDSs. Correctness assurance of the computed results was also achieved, by defining the problem through a constraint logic programming language. Additionally, the computed configurations are optimal with respect to a specific cost function, according to which the rule configured for enforcing a specific policy should be placed so as to minimize bandwidth and packet drop rate. Even though this work shows that a heterogeneous security service can be configured from scratch, firewalls and IDSs are configured at different stages of the algorithm, and only locally optimal solutions are reached.

MIRAGE [34] overcomes the limitations of the previous work by reaching a simultaneous top-down refinement of global security policies into configurations of three different kinds of functions: firewalls, IDSs, and VPN gateways. It can also perform a bottom-up analysis of already deployed network security configurations to guarantee correctness and consistency: This analysis works both at intra-function and at inter-function level. However, if any anomaly is detected, then no recovery mechanism is provided. Nonetheless, the optimality of this approach is achieved through the formulation of a linear programming problem, whose objective function is to minimize the number of used functionalities for the deployment of the rules.

Other approaches that can configure full network security services are References [29, 51, 62, 72, 139]. In Reference [62], the developed framework, called Policy Manager, automatically generates configurations for the virtual functions that have been selected in the previous step. This configuration process is made of two refinement phases: First, the function rules are expressed with an abstract and vendor-independent language; then, a final translator adapts the rules to the syntax required by the deployed VNF. The functions that can be managed are packet filters, stateful firewalls, L7 filters, and basic content inspectors, whereas VPN gateways, proxies, and IDSs are not dealt with. This initial work has been further extended by the authors in Reference [29]. An important innovation is the proposed capability model, according to which each network security function is characterized by functionalities that are shared by other functions; for example, the packet filtering capability can be performed both by a traditional packet filter or by a web-application firewall. Consequently, the automatic configuration is targeted to the capabilities instead of the functions by introducing a further abstraction level. All the concepts presented in Reference [29] have been validated with the implementation of Security Awareness Manager, the first framework that can automatically manage both composition and configuration of a security service. An extension of this meta-model was later presented in Reference [138] introducing the possibility to configure a larger number of capability features. Another study [139] proposes an automatic data model mapper to automate the refinement of high-level user-specified policies. Instead, the methodology illustrated in Reference [51] pursues an approach similar to the one described in Reference [29], as it refines user-specified policies into NSF configurations after synthesizing the chain in which they must be combined. Finally, Reference [72] proposes an alternative methodology, where the configuration problem is stated as a MaxSMT problem, where a correctness-by-construction approach is exploited to provide formal correctness assurance without requiring an a posteriori verification. Furthermore, the MaxSMT approach is also exploited to achieve optimality criteria, such as minimization of the number of configured rules. However, with this approach, a reconfiguration would not be possible, since the methodology can only work on user-specified requirements from scratch.