Policy-based security management for SDN/NFV-aware next-generation IoT infrastructures

  1. Molina Zarca, Alejandro
Supervised by:
  1. Jorge Bernal Bernabé Supervisor
  2. Antonio Skarmeta Gómez Supervisor

University of defence: Universidad de Murcia

Date of defence: 16 December 2020

Examination board:
  1. Diego Rafael López García Chair
  2. Gabriel López Millán Secretary
  3. Fernando Pereñiguez García Member
Department:
  1. Ingeniería de la Información y las Comunicaciones

Type: Thesis

Abstract

Objectives

At the beginning of this thesis (2017), different sources estimated that about 23 billion IoT devices were connected to the network, and statisticians predicted that this number could reach 50 billion devices within a few years. While managing this staggering number of devices and connections is an enormous challenge in itself, the nature of IoT devices also brings specific challenges for security management, such as their scalability, dynamism, heterogeneity and limited resources. To contribute to this line of research, this thesis focuses on the research, design and development of a framework capable of managing security policies at a high level of abstraction, independent of the underlying infrastructure. Decoupling the security requirements from specific implementations mitigates problems such as heterogeneity. The combination of policy-based security, the modularity of the design and its integration with dynamic and flexible technologies such as SDN and NFV, together with different monitoring technologies and new security components designed specifically for IoT, gives the framework new features such as the automation of security management in these environments, through reactive self-healing and self-repairing capabilities that respond to new threats.

Methodology

To achieve the proposed objectives, they were divided into different blocks, and an incremental iterative methodology was applied to each block as well as between blocks. For each block, an analysis of requirements, a review of the state of the art, solution design, proof-of-concept implementation, configuration, deployment, evaluation and analysis of the results were carried out. The analysis of results provided new knowledge that refined the following iterations of the same block, as well as its possible interactions with the rest. In this way, each block was refined throughout the thesis, contributing to the final solution.

Results

During the period of this thesis, the iterative methodology applied to the objectives produced different results, including a book chapter, a conference article and nine publications indexed in JCR, five of which compose the compendium of the thesis. Since the results of the thesis were also validated during the European ANASTACIA H2020 project, multiple technical reports (more than 20 European project deliverables) were also produced. In this sense, results of the design, implementation and validation have been provided for the isolation of compromised IoT devices through the application of high-level traffic filtering policies. Dynamic and on-demand AAA and channel protection capabilities, which did not previously exist, have been developed for IoT environments. The components and interactions of the framework have also been validated in the European ANASTACIA project, where they have been integrated with the monitoring and reaction elements, providing specific reaction capabilities on IoT devices. The first results so far on the transparent, dynamic instantiation of virtual IoT networks that replicate real IoT environments have also been provided as a new security countermeasure, integrating SDN, NFV and specific IoT emulators. Finally, orchestration policies have been designed to significantly improve the mitigation capabilities of the system; these contain multiple security policies, together with their order of application, priorities and even dependencies between them, or between the policies and system events. It is important to highlight that the results of this thesis, as well as the implementation of its different components, have been and are being exploited and reused in European H2020 projects such as ANASTACIA and INSPIRE 5G+.