Use cases and Gap Analysis Hares (editor) draft-hares-i2nsf-use-gap-analysis- 00.txt Sue Hares



Similar documents
Network Security as a Service (NSaaS) July 2014

Dynamic Service Chaining for NFV/SDN

Application Defined E2E Security for Network Slices. Linda Dunbar Diego Lopez

An Open Approach to Enhancing Networking for OpenStack

Introduction to Quality Assurance for Service Provider Network Functions Virtualization

The following normative disclaimer shall be included on the front page of a PoC report:

ETSI NFV ISG DIRECTION & PRIORITIES

SDN FOR IP/OPTICAL TRANSPORT NETWORKS

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

NFV Management and Orchestration: Enabling Rapid Service Innovation in the Era of Virtualization

CNS Implementing NetScaler 11.0 For App and Desktop Solutions

Delivering Managed Services Using Next Generation Branch Architectures

Cisco Prime Network Services Controller. Sonali Kalje Sr. Product Manager Cloud and Virtualization, Cisco Systems

Transforming Service Life Cycle Through Automation with SDN and NFV

THE RIGHT SDN IS RIGHT FOR NFV STRATEGIC WHITE PAPER NFV INSIGHTS SERIES

The Role of Virtual Routers In Carrier Networks

SDN PARTNER INTEGRATION: SANDVINE

Customer Benefits Through Automation with SDN and NFV

Various Alternatives to achieve SDN. Dhruv Dhody, Sr. System Architect, Huawei Technologies

NFV & SDN World. Practical Approaches to NFV Orchestration Deployment. Terry McCabe CTO Mobile Business Unit

Cisco IP Solution Center MPLS VPN Management 5.0

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

Quantum Hyper- V plugin

Covering my IaaS: Security and Extending the Datacenter. Brian Bourne Tadd Axon

Lecture 02b Cloud Computing II

Deployment Topologies - DPAdmin An isoagroup Product

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

Designing and Implementing a Server Infrastructure

Network Security Administrator

SDN and NFV in the WAN

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

Network Functions Virtualization (NFV) for Next Generation Networks (NGN)

MS 20413A: Designing and Implementing a Server Infrastructure

REMOTE ASSISTANCE SOLUTIONS Private Server

Designing and Implementing a Server Infrastructure MOC 20413

TECHNOLOGY WHITE PAPER. Correlating SDN overlays and the physical network with Nuage Networks Virtualized Services Assurance Platform

Description: Objective: Upon completing this course, the learner will be able to meet these overall objectives:

SMS. Cloud Computing. Systems Management Specialists. Grupo SMS option 3 for sales

Aerohive Networks Inc. Free Bonjour Gateway FAQ

Designing and Implementing a Server Infrastructure

CISCO IOS NETWORK SECURITY (IINS)

NetScaler: A comprehensive replacement for Microsoft Forefront Threat Management Gateway

managing SSO with shared credentials

CARRIER LANDSCAPE FOR SDN NEXT LEVEL OF TELCO INDUSTRILIZATION?

Cisco Advanced Services for Network Security

Data Center Infrastructure of the future. Alexei Agueev, Systems Engineer

Installation Guide Avi Networks Cloud Application Delivery Platform Integration with Cisco Application Policy Infrastructure

MOC 20413C: Designing and Implementing a Server Infrastructure

SCOPE DOCUMENT. Trade Name IT- Network Systems Administration Post- Secondary DATE OF DISTRIBUTION VIA WEBSITE

RIDE THE SDN AND CLOUD WAVE WITH CONTRAIL

Cisco Network Services Orchestrator enabled by Tail-f Multi-Vendor Service Automation & Network Programmability Stefan Vallin, Ph D

Installation and configuration guide

Using Managed Services As A Software Delivery Model In Canadian Health Care

Leveraging SDN and NFV in the WAN

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

Testing Software Defined Network (SDN) For Data Center and Cloud VERYX TECHNOLOGIES

ETSI NFV Management and Orchestration - An Overview

Remote Voting Conference

Building an Open, Adaptive & Responsive Data Center using OpenDaylight

PLUMgrid Open Networking Suite Service Insertion Architecture

Vyatta Network OS for Network Virtualization

Centrify Cloud Connector Deployment Guide

Microsoft Azure Multi-Factor authentication. (Concept Overview Part 1)

Presented by Philippe Bogaerts Senior Field Systems Engineer Securing application delivery in the cloud

Introduction to Software Defined Networking

Security in the Software Defined Data Center

NFV and What it Means to You From ETSI to MANO to YANG Making Sense of it All

Installing Intercloud Fabric Firewall

How To Extend Security Policies To Public Clouds

Definition of a White Box. Benefits of White Boxes

VMUG - vcloud Air Deep Dive VMware Inc. All rights reserved.

APIs The Next Hacker Target Or a Business and Security Opportunity?

Lesson Plans Managing a Windows 2003 Network Infrastructure

Network Services Internet VPN

Securely Architecting the Internal Cloud. Rob Randell, CISSP Senior Security and Compliance Specialist VMware, Inc.

References and Requirements for CPE Architectures for Data Access

Disaster Recovery White Paper

Virtual CPE and Software Defined Networking

REDCENTRIC MANAGED FIREWALL SERVICE DEFINITION

IDENTITY & ACCESS MANAGEMENT IN THE CLOUD

COURSE 20413C: DESIGNING AND IMPLEMENTING A SERVER INFRASTRUCTURE

DECODING SOFTWARE DEFINED NETWORKING (SDN) Nico Siebelink Technical Director Northern Europe

An Architecture for Application-Based Network Operations

Intel Network Builders

Remote Desktop Gateway. Accessing a Campus Managed Device (Windows Only) from home.

Cloud Customer Architecture for Web Application Hosting, Version 2.0

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

PLUMgrid Toolbox: Tools to Install, Operate and Monitor Your Virtual Network Infrastructure

NFV Forum Progression to Launch

Designing and Implementing a Server Infrastructure 20413C; 5 days, Instructor-led

Scenario: Remote-Access VPN Configuration

Virtual Machine in Data Center Switches Huawei Virtual System

Transcription:

Use cases and Gap Analysis Hares (editor) draft-hares-i2nsf-use-gap-analysis- 00.txt Sue Hares

Use Cases and Requirements for an Interface to Network Security Functions (draft-pastor-i2nsf-merged-use-cases-00) Antonio Pastor (antonio.pastorperales@telefonica.com0o Diego Lopez (diego.r.lopez@telefonica.com) Ke Wang (wangkeyj@chinamobile.com) Xiaojun Zhuang (zhuangxiaojun@chinamobile.com) Minpeng Qi (quiminpeng@chinamobile.com) Myo Zarny (myo.zarny@gs.com) Sumandra Majee (lal2ghar@gmail.com) Nic Leymann Deutsche Telekom (n.leymann@telekom.de) Linda Dunbar Huawei M. Georgiades PrimeTel June 26, 201 Analysis of Existing work for I2 Susan Hares (shares@ndzh.com) Dacheng Zhang (dacheng.zdc@aliabab-inc.com) Robert Moskowitz (rgm@labs.htt-consult.com) H. Rafiee (ietf@rozanak.com) Linda Dunbar (linda.dunbar@huawei.com)

Combined Use Cases

Where the Story Begins We need to close the gap between customers and security vendors or service providers Customer security services are being offloaded to network or cloud based infrastructures There is a demand for management interfaces of these delegated Draft contains use cases and requirements for a common interface to Network Security Functions (). It considers several use cases, organized in two basic scenarios: - Access Networks - Data Centers Identity & Key management Firewalls??? IDS/IPS Traffic Encryption

Terminology: A Couple of Basic Definitions Network Security Function (): A functional block within a network infrastructure to ensure integrity, confidentiality and availability of network communications, to detect unwanted activity, and to deter and block this unwanted activity or at least mitigate its effects on the network v Virtual Network Security Function: A network security function that runs as a software image on a virtualized infrastructure, and can be requested by one domain but may be owned or managed by another domain

The Scenarios. A Global View Residential xdsl/fttx/ vcpe NSP Management System(s) Mobile 3G/4G/5G/ vepc Cloud vpe L2VPN/L3VPN/

The Scenarios. Common Use User request security services through Cases the appropriate NSP network entity (Security Client Gateway) will invoke Requirements the (v)s according Security to Controller the user service Configurations request. Policies Capabilities Interface 1 Interface 2 Instantiation and Configuration Updating Collecting Status Validation Client sends security requirements through interface 1 to the security controller, which instantiates and configure the through Interface 2 The client requires the update of security service functions, including adding or deleting a security function, and updating configurations When users want to get the executing status of security functions they can request statistics information Users may require to validate availability, provenance, and/or its correct execution

The Two Scenarios at Play Cloud Datacenter The on demand, dynamic nature of datacenter deployment essentially requires that the network security "devices" be in software or virtual form factors On demand vfirewall A service provider needs the ability to dynamically deploy virtual firewalls for each client's set of servers based on established security policies and underlying network topologies. Simplify the highly complex process, by the automation of firewall policy deployment Access Network Customers (enterprise user, network administrator, residential user...) that request and manage security services hosted in the network service provider (NSP) infrastructure v deployment Instantiate a security service as one or the combination of several v(s) Make it available for provisioning v customer provisioning Customer enrollment and cancellation to a v Configuration of the v, based on specific configurations, or derived from common security policies Retrieve and list of the v functionalities, extracted from a manifest or a descriptor

And a Few Essential Requirements Key Requirements The I2 framework should provide a set of standard interfaces that facilitate: Dynamic creation, enablement, disablement, and removal of network security functions; Policy driven placement of new function instances in the right administrative domain; Attachment of appropriate security and traffic policies to the function instances Management of deployed instances in terms of fault monitoring, event logging, inventory, etc. Single and multi tenant environments and traffic policies. Premise agnostic Translation of security policies into functional tasks and into vendor specific configurations Security Considerations Relationship between different actors must be associated with administrative domains Closed environments with one administrative domain Open environments where some s can be hosted in different administrative domains More restrictive security controls Control on policy disclosure across domains Attestation of the v by the clients

Gap analysis

Interfaces for Virtual Security Functions Manager Interface: A For Service Function Vendors to register their available service functions & instances, and a set of policies (or policy profiles) that can be dynamically set by 3rd party security controller or management system (e.g. Operator s OSS or management system). - common mechanism to inform the Network Operator Mgmt Sys what they offer and what attributes can be dynamically configurable or Interface: monitoredb & C For Clients dynamically set the policies (or profiles) to the VNFs that are supported, monitor & verify the execution & performance. custome r Residenti al Enterpris e Mobile BNG CPE EPC Security Function Ctrl/mgnt B C App Layer Security Policy Functional Security Policy & Monitor NS NS F NS F NS F F NS NS F NS F NS F F A interface reference to other work done (I2RS, PCP, TRAM, etc ) and define requirement

Filters NETCONF / RESTCONF Device Filters: ACL I2RS FB RIB NMS Device Filters: ACL I2RS FB RIB application - wide Intent (ODL: Network-wide NIC/Nemo) L3SM VPN service, SUPA ECA/Intent policy Device level: P.I. I2RS RIB, FB-FIB Device level: protocol Isis, ospf, bgp, L3 Device level: IP, system, tunnels

Security Working Groups NMS System I2 Client DOTS Client SAC consumer Miles client SACM Repository I2 Agent I2 Agent DOTS agent Miles Agent SACM Information Provider Data Flow

Other Areas ETSI-NFV - EMS to VNF interface Defines interface between EMS (element management system) and VNF This matches I2 work OPNFV Moon project An interface between EMS-VNF Problems: NO dynamic control, only 1 definition, no room for existing vendor, no fine grain authentication, no allowance for central control CSA 1 definition, 10 implementation agreements All are concerned about the NMS- interface

Call for Help Security experts to help review and guide these documents

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information