TY - GEN
T1 - A flexible architecture for orchestrating network security functions to support high-level security policies
AU - Oh, Sanghak
AU - Kim, Eunsoo
AU - Jeong, Jaehoon
AU - Ko, Hoon
AU - Kim, Hyoungshick
N1 - Publisher Copyright: © 2017 ACM.
PY - 2017/1/5
Y1 - 2017/1/5
N2 - Network Functions Virtualization (NFV) has provided a new way to design and deploy network security services, but it may fail to build a practically useful ecosystem that seamlessly integrates network security services if there is no standard interface between them. We propose a generic architecture for security management service based on Network Security Functions (NSF) using NFV. The proposed architecture allows users to define their security requirements in a user-friendly manner by providing the users with high-level security interfaces that do not require specific information about network resources and protocols. We design basic components (e.g., Security policy manager, NSF capability manager, Application logic, Policy updater and Event collector) and interfaces for the proposed architecture. We introduce three use cases: (1) blacklists of dangerous domains, (2) time-dependent access control policies and (3) detection of suspicious calls for VoIP-VoLTE services. We also explain how to implement our proposed architecture with an illustrative example. Furthermore, we discuss several technical challenges to deploy the proposed architecture in a real network environment.
AB - Network Functions Virtualization (NFV) has provided a new way to design and deploy network security services, but it may fail to build a practically useful ecosystem that seamlessly integrates network security services if there is no standard interface between them. We propose a generic architecture for security management service based on Network Security Functions (NSF) using NFV. The proposed architecture allows users to define their security requirements in a user-friendly manner by providing the users with high-level security interfaces that do not require specific information about network resources and protocols. We design basic components (e.g., Security policy manager, NSF capability manager, Application logic, Policy updater and Event collector) and interfaces for the proposed architecture. We introduce three use cases: (1) blacklists of dangerous domains, (2) time-dependent access control policies and (3) detection of suspicious calls for VoIP-VoLTE services. We also explain how to implement our proposed architecture with an illustrative example. Furthermore, we discuss several technical challenges to deploy the proposed architecture in a real network environment.
KW - NFV
KW - NSF
KW - Security management
KW - Security policy
UR - https://www.scopus.com/pages/publications/85015185522
U2 - 10.1145/3022227.3022270
DO - 10.1145/3022227.3022270
M3 - Conference contribution
AN - SCOPUS:85015185522
T3 - Proceedings of the 11th International Conference on Ubiquitous Information Management and Communication, IMCOM 2017
BT - Proceedings of the 11th International Conference on Ubiquitous Information Management and Communication, IMCOM 2017
PB - Association for Computing Machinery, Inc
T2 - 11th International Conference on Ubiquitous Information Management and Communication, IMCOM 2017
Y2 - 5 January 2017 through 7 January 2017
ER -