ZTSFC: A Service Function Chaining-Enabled Zero Trust Architecture
Recently, zero trust security has received notable attention in the security community. However, while many networks use monitoring and security functions like firewalls, their integration in the design of zero trust architectures remains largely unaddressed. In this article, we contribute with resp...
Published in: | IEEE access 2023, Vol.11, p.125307-125327 |
---|---|
Main Authors: | Bradatsch, Leonard; Miroshkin, Oleksandr; Kargl, Frank |
Format: | Article |
Language: | English |
Subjects: | |
Citations: | Items that this one cites Items that cite this one |
Online Access: | Get full text |
cited_by | cdi_FETCH-LOGICAL-c409t-b4389e28c6404a1da93bf22975e62286cb2868eb73dc8b2a4a31dc0174cb881c3 |
---|---|
cites | cdi_FETCH-LOGICAL-c409t-b4389e28c6404a1da93bf22975e62286cb2868eb73dc8b2a4a31dc0174cb881c3 |
container_end_page | 125327 |
container_issue | |
container_start_page | 125307 |
container_title | IEEE access |
container_volume | 11 |
creator | Bradatsch, Leonard ; Miroshkin, Oleksandr ; Kargl, Frank |
description | Recently, zero trust security has received notable attention in the security community. However, while many networks use monitoring and security functions like firewalls, their integration in the design of zero trust architectures remains largely unaddressed. In this article, we contribute with respect to this aspect a novel network security architecture called Zero Trust Service Function Chaining (ZTSFC). With ZTSFC, we achieve three main improvements over zero trust architectures: (1) the zero trust components can directly integrate other monitoring and security functions into their access decisions, (2) an efficient flow of information between zero trust components, monitoring, and security functions is achieved, and (3) ZTSFC improves the performance with respect to hardware load and user experience. As proof of concept, we implemented a publicly available ZTSFC prototype based on HTTPS and the policy language ALFA. Using this prototype, we demonstrate the achievement of all three improvements in representative use cases. In addition, our performance evaluation compares ZTSFC with a regular zero trust network without ZTSFC. The results indicate that ZTSFC can reduce CPU usage by 25% for specific monitoring and security functions in certain scenarios. Overall, we also observed a 30% decrease in the time it takes to access services with ZTSFC. |
doi_str_mv | 10.1109/ACCESS.2023.3330706 |
format | article |
fulltext | fulltext |
identifier | ISSN: 2169-3536 |
ispartof | IEEE access, 2023, Vol.11, p.125307-125327 |
issn | 2169-3536 2169-3536 |
language | eng |
recordid | cdi_proquest_journals_2890104024 |
source | IEEE Xplore Open Access Journals |
subjects | access control ; Authentication ; Chaining ; Computer architecture ; Cybersecurity ; Information flow ; Inspection ; IP networks ; Monitoring ; Network performance ; Network security ; Performance enhancement ; Performance evaluation ; Prototypes ; Security ; Service function chaining ; User experience ; Zero Trust |
title | ZTSFC: A Service Function Chaining-Enabled Zero Trust Architecture |
url | http://sfxeu10.hosted.exlibrisgroup.com/loughborough?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-04T19%3A05%3A50IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_ieee_&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=ZTSFC:%20A%20Service%20Function%20Chaining-Enabled%20Zero%20Trust%20Architecture&rft.jtitle=IEEE%20access&rft.au=Bradatsch,%20Leonard&rft.date=2023&rft.volume=11&rft.spage=125307&rft.epage=125327&rft.pages=125307-125327&rft.issn=2169-3536&rft.eissn=2169-3536&rft.coden=IAECCG&rft_id=info:doi/10.1109/ACCESS.2023.3330706&rft_dat=%3Cproquest_ieee_%3E2890104024%3C/proquest_ieee_%3E%3Cgrp_id%3Ecdi_FETCH-LOGICAL-c409t-b4389e28c6404a1da93bf22975e62286cb2868eb73dc8b2a4a31dc0174cb881c3%3C/grp_id%3E%3Coa%3E%3C/oa%3E%3Curl%3E%3C/url%3E&rft_id=info:oai/&rft_pqid=2890104024&rft_id=info:pmid/&rft_ieee_id=10310190&rfr_iscdi=true |