SPT: Security Policy Translator for Network Security Functions in Cloud-Based Security Services

IEEE Transactions on Dependable and Secure Computing (2024)

Abstract
The Interface to Network Security Functions (I2NSF) Working Group within the Internet Engineering Task Force (IETF) has developed a framework and its interfaces with YANG data models for configuring Network Security Functions (NSF). These models include a high-level security policy (i.e., an overview of configuration) and a low-level security policy (i.e., a detailed and specific configuration) to facilitate the configuration of NSFs. In this paper, a Security Policy Translator (SPT) is proposed to translate high-level security policies created by users into the corresponding low-level security policies. It leverages the design of the I2NSF YANG data models to accurately translate security policies. The SPT performs a translation by extracting the high-level security principles using Deterministic Finite Automaton (DFA) construction from the high-level YANG data model. It converts the extracted information to a low-level form by utilizing a mapping model created by comparing the two YANG data models, such as the Consumer-Facing Interface (CFI) and NSF-Facing Interface (NFI) YANG data models. It selects the optimal NSFs based on the security policies to provide maximum security performance. It generates low-level security policies for the NSFs to deploy the security services. The proposed approach allows security policy translation for the I2NSF framework with high accuracy and speed.
Keywords
Network management, network security, network automation, I2NSF, policy translator