The rise of Software Defined Networking (SDN) and Network Function Virtualization (NFV) technologies is bringing many security management benefits that can be exploited at the edge of Internet of Things (IoT) networks to deal with cyber-threats. In this sense, this paper presents and evaluates a novel policy-based and cyber-situational-awareness security framework for continuous and dynamic management of Authentication, Authorization and Accounting (AAA) as well as Channel Protection virtual security functions in IoT networks enabled with SDN/NFV. The virtual AAA components, including network authenticators, are deployed dynamically at the edge as VNFs (Virtual Network Functions), in order to enable scalable device bootstrapping and to manage the access control of IoT devices to the network. In addition, our solution dynamically distributes the crypto-keys needed for IoT Machine to Machine (M2M) communications and deploys virtual channel-protection proxies as VNFs, with the aim of establishing secure tunnels among IoT devices and services according to the contextual decisions inferred by the cognitive framework. The solution has been implemented and evaluated, demonstrating its feasibility to dynamically manage AAA and channel protection in SDN/NFV-enabled IoT scenarios.
IoT systems can be leveraged by Network Function Virtualization (NFV) and Software-Defined Networking (SDN) technologies, thereby strengthening their overall flexibility, security and resilience. In this sense, adaptive and policy-based security frameworks for SDN/NFV-aware IoT systems can provide remarkable added value for self-protection and self-healing, by dynamically orchestrating and enforcing security policies and the associated Virtual Network Functions (VNFs) or Virtual Network Security Functions (VSFs) according to the actual context. However, this security orchestration is subject to multiple possible inconsistencies between the policies to enforce, the management policies already enforced and the evolving status of the managed IoT system. In this regard, this paper presents a semantic-aware, zero-touch and policy-driven security orchestration framework for autonomic and conflict-free security orchestration in SDN/NFV-aware IoT scenarios, while ensuring optimal allocation and Service Function Chaining (SFC) of VSFs. The framework relies on Semantic technologies and considers the security policies and the evolving IoT system model to dynamically and formally detect any semantic conflict during the orchestration. In addition, our optimized SFC algorithm maximizes QoS, security aspects and resource usage during VSF allocation. The security orchestration framework has been implemented and validated, showing its feasibility and performance in detecting conflicts and optimally enforcing the VSFs.
As IoT adoption grows in several fields, cybersecurity attacks involving low-cost end-user devices are increasing accordingly, undermining the expected deployment of IoT solutions in a broad range of scenarios. To address this challenge, the emerging Network Function Virtualization (NFV) and Software Defined Networking (SDN) technologies can introduce new security enablers, thereby endowing IoT systems and networks with the higher degree of scalability and flexibility required to cope with the security of massive IoT deployments. In this sense, honeynets can be enhanced with SDN and NFV support and applied to IoT scenarios, thereby strengthening the overall security. IoT honeynets are virtualized services that simulate real IoT network deployments, so that attackers can be distracted from the real target. In this paper, we present a novel mechanism leveraging SDN and NFV aimed at autonomously deploying and enforcing IoT honeynets. The system follows a security policy-based approach that facilitates the management, enforcement and orchestration of the honeynets, and it has been successfully implemented and tested in the scope of the H2020 EU project ANASTACIA, showing its feasibility to mitigate cyber-attacks.
Despite the advantages that the Internet of Things (IoT) will bring to our daily life, the increasing interconnectivity, as well as the amount and sensitivity of data, make IoT devices an attractive target for attackers. To address this issue, the recent Manufacturer Usage Description (MUD) standard has been proposed to describe, in the manufacturing phase, the network access control policies that protect the device during its operation by restricting its communications. In this paper, we define an architecture and process to obtain and enforce the MUD restrictions during the bootstrapping of a device. Furthermore, we extend the MUD model with a flexible policy language to express additional aspects, such as data privacy, channel protection, and resource authorization. For the enforcement of such enriched behavioral profiles, we make use of Software Defined Networking (SDN) techniques, as well as an attribute-based access control approach based on authorization credentials and encryption techniques. These techniques are used to protect devices' data, which are shared through a blockchain platform. The resulting approach was implemented and evaluated in a real scenario, and is intended to reduce the attack surface of IoT deployments by restricting devices' communications before they join a certain network.
Software Defined Networking (SDN) and Network Function Virtualization (NFV) are bringing many advantages for optimizing and automating security management at the network edge, enabling the deployment of virtual network security functions (VSFs) in MEC nodes to strengthen end-to-end security in IoT environments. These benefits can also be exploited in mobile MEC nodes on-boarded in Unmanned Aerial Vehicles (UAVs), as the UAVs can carry on-demand VSFs to particular physical locations. To that aim, this paper proposes a novel NFV/SDN-based zero-touch security management framework for the automatic orchestration, configuration and deployment of lightweight VSFs in MEC-UAVs, which considers diverse contextual factors, related to both physical and virtual conditions, to optimize the security orchestration. Our solution aims to deploy on-demand VSFs, such as virtual Firewalls (vFirewalls), vProxies, vIDS (Intrusion Detection Systems) and vAAA, to assist during emerging situations in particular physical locations, protecting and optimizing the managed IoT network, as well as replacing or supporting compromised physical devices such as IoT gateways. The proposed solution has been implemented, deployed and evaluated in a real testbed with real drones, showing its feasibility and performance.
Although the softwarization of network infrastructures through the use of Software Defined Networking (SDN) and Network Function Virtualization (NFV) has set the foundations of future communication architectures, the efficient handling of high-throughput traffic while maintaining latency requirements still remains a challenge. In this work, we explore two emerging technologies that aim at reducing the latency of networking tasks while dealing with high traffic volumes, namely Programming Protocol-independent Packet Processors (P4) and the extended Berkeley Packet Filter (eBPF). We present a review of the latest advances in the use of both technologies and discuss their advantages and disadvantages. As the main contribution of the paper, we showcase an extensive performance evaluation of these technologies under different traffic conditions. To do so, we implement a fast traffic-processing network function operating in a real 5G Stand Alone (SA) network. The obtained results confirm, as expected, the high performance attained using dedicated hardware programmed with P4, in contrast to the poorer results of the eBPF-based solution when handling similar throughputs. Nevertheless, eBPF achieves packet-processing times similar to those of P4, which qualifies it as a perfectly scalable solution on commodity hardware, even as a virtual function, and paves the way for the realization of autonomous, flexible and cost-effective next-generation network infrastructures.
The Internet of Things (IoT) brings a multidisciplinary revolution in several application areas. However, security and privacy concerns are undermining a reliable and resilient broad-scale deployment of IoT-enabled critical infrastructures (IoT-CIs). To fill this gap, this paper proposes a comprehensive architectural design that captures the main security and privacy challenges related to cyber-physical systems and IoT-CIs. The architecture is devised to empower IoT systems and networks to make autonomous security decisions through the use of novel technologies such as software defined networking and network function virtualization, as well as to endow them with intelligent and dynamic security reaction capabilities by relying on monitoring methodologies and cyber-situational tools. The architecture has been successfully implemented and evaluated in the scope of the ANASTACIA H2020 EU research project.
Summary
Billions of Internet of Things (IoT) devices are expected to populate our environments and provide novel pervasive services by interconnecting the physical and digital worlds. However, the increased connectivity of everyday objects can open manifold attack vectors for cybercriminals to perform malicious attacks. These threats are further aggravated by the resource constraints and heterogeneity of low-cost IoT devices, which make current host-based and static perimeter-oriented defense mechanisms unsuitable for dynamic IoT environments. Accounting for all these considerations, we reckon that the novel softwarization capabilities of the Telco network can fully leverage its privileged position to provide the desired levels of security. To this aim, the emerging software-defined networking (SDN) and network function virtualization (NFV) paradigms can introduce new security enablers able to increase the level of protection of IoT systems. In this paper, we design a novel policy-based framework aiming to exploit SDN/NFV-based security features by efficiently coupling them with existing IoT security approaches. A proof-of-concept test bed has been developed to assess the feasibility of the proposed architecture. The presented performance evaluation illustrates the benefits of adopting SDN security mechanisms in integrated IoT environments and provides interesting insights into the policy enforcement process to drive future research.
The paper defines a novel policy‐based framework aiming to exploit SDN/NFV‐based security features, by efficiently coupling with existing IoT security approaches.
The security framework has been partially implemented and evaluated, validating the feasibility of the proposed policy translation and refinement processes, from high-level security policies to low-level configurations, deployed through the Security Orchestrator in SDN/NFV-enabled IoT networks.
The performance assessment and comparison using ONOS, ODL, and legacy solutions has highlighted the benefits of enforcing SDN‐based security countermeasures with respect to conventional approaches.
The fourth industrial revolution is being mainly driven by the integration of Internet of Things (IoT) technologies to support the development lifecycle of systems and products. Despite the well-known advantages for the industry, an increasingly pervasive industrial ecosystem could make such devices an attractive target for potential attackers. The recent Manufacturer Usage Description (MUD) standard enables manufacturers to specify the intended use of their devices, thereby restricting the attack surface of a certain system. In this direction, we propose a mechanism to securely manage the obtaining and enforcement of MUD policies through the use of a Software-Defined Network (SDN) architecture. We analyze the applicability and advantages of using MUD in industrial environments based on our proposed solution, and provide an exhaustive performance evaluation of the required processes.
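The two MUD abstracts above describe obtaining a device's MUD profile and enforcing it as SDN rules at bootstrapping. As an added illustration, not code from either paper, the following Python translates a constructed MUD file in the RFC 8520 layout into OpenFlow-style match/action entries pinned to the device's MAC address, closing with device-scoped drop rules so that anything the profile does not name is blocked. The MUD content, the device MAC, the name-to-address resolution and the flow field names are all assumptions made for this example.

```python
import json

# Constructed MUD file in the RFC 8520 layout; it is not taken from the papers above.
MUD_JSON = json.loads("""{
 "ietf-mud:mud": {
  "mud-version": 1, "mud-url": "https://vendor.example/sensor.json",
  "from-device-policy": {"access-lists": {"access-list": [{"name": "from-sensor"}]}},
  "to-device-policy": {"access-lists": {"access-list": [{"name": "to-sensor"}]}}},
 "ietf-access-control-list:acls": {"acl": [
  {"name": "from-sensor", "type": "ipv4-acl-type", "aces": {"ace": [{"name": "mqtt-out",
    "matches": {"ipv4": {"protocol": 6, "ietf-acldns:dst-dnsname": "broker.example"},
                "tcp": {"destination-port": {"operator": "eq", "port": 8883}}},
    "actions": {"forwarding": "accept"}}]}},
  {"name": "to-sensor", "type": "ipv4-acl-type", "aces": {"ace": [{"name": "mqtt-in",
    "matches": {"ipv4": {"protocol": 6, "ietf-acldns:src-dnsname": "broker.example"},
                "tcp": {"source-port": {"operator": "eq", "port": 8883}}},
    "actions": {"forwarding": "accept"}}]}}]}}""")

# Assumed resolver: a real MUD manager resolves the ACL names at enforcement time.
RESOLVE = {"broker.example": "203.0.113.10"}

# Per direction: MUD policy key, MAC field pinned to the device, MUD match key -> flow field.
DIRECTIONS = {
    "from": ("from-device-policy", "eth_src",
             {"ietf-acldns:dst-dnsname": "ipv4_dst", "destination-port": "tcp_dst"}),
    "to": ("to-device-policy", "eth_dst",
           {"ietf-acldns:src-dnsname": "ipv4_src", "source-port": "tcp_src"}),
}

def mud_to_flows(mud, device_mac, resolve=RESOLVE.get):
    """Translate a MUD file into OpenFlow-style flow dicts for one device (allow-list + drop)."""
    acls = {a["name"]: a for a in mud["ietf-access-control-list:acls"]["acl"]}
    flows = []
    for policy_key, mac_field, fields in DIRECTIONS.values():
        for ref in mud["ietf-mud:mud"][policy_key]["access-lists"]["access-list"]:
            for ace in acls[ref["name"]]["aces"]["ace"]:
                ipv4, tcp = ace["matches"].get("ipv4", {}), ace["matches"].get("tcp", {})
                flow = {"priority": 100, "eth_type": 0x0800, mac_field: device_mac,
                        "ip_proto": ipv4.get("protocol"),
                        "action": ace["actions"]["forwarding"]}
                for mud_key, flow_field in fields.items():
                    if mud_key in ipv4:
                        flow[flow_field] = resolve(ipv4[mud_key])  # DNS name -> address
                    elif mud_key in tcp and tcp[mud_key].get("operator") == "eq":
                        flow[flow_field] = tcp[mud_key]["port"]
                flows.append(flow)
    # MUD profiles are allow-lists: traffic the profile does not name is dropped.
    for mac_field in ("eth_src", "eth_dst"):
        flows.append({"priority": 1, mac_field: device_mac, "action": "drop"})
    return flows
```

Calling `mud_to_flows(MUD_JSON, "aa:bb:cc:00:00:01")` yields two accept entries (device to broker on TCP/8883 and the reverse) followed by the two low-priority drop entries that an SDN controller would install last.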