Integration of Security Service Functions Into Network-Level Access Control

Service function chaining is an approach to dynamically steer traffic through different service functions like intrusion prevention systems within a local area network. Existing approaches to determining the set of service functions through which specific traffic is steered are relatively coarse-grained. In this article, which focuses on security-related service functions, we present a more fine-grained determination process by integrating security service functions into attribute-based access control and utilizing contextual information attributes, such as access time. By mapping attributes to security service functions, we aim to achieve four key objectives: 1) Minimizing false negative access decisions, 2) minimizing false positive access decisions, 3) enhancing network performance by optimizing the application of security service functions, and 4) ensuring network visibility. The paper includes a detailed list of available security service functions and the security actions each can perform based on a comprehensive literature review. It also explains how attributes can be mapped to security service functions to determine when and which security service function needs to be applied to network traffic. The paper also includes detailed use cases to demonstrate the practical implementation of our approach. In the evaluation of these use cases we achieved an accuracy improvement of up to 16% compared to a standard Zero Trust approach that does not integrate traffic classification into access control. Additionally, we reduced false negatives by as much as 93% and false positives by up to 100%. The network performance was enhanced by decreasing service access times by up to 29% and increasing the number of accesses per second by up to 40% during high concurrency.