90 likes | 112 Views
This article discusses the challenges faced by clients in controlling the network security functions for their virtual networks, specifically related to firewall box configuration and port and link mapping. It also explores potential solutions and relevant industry initiatives.
E N D
Interface to Network Security FunctionsNov 2014 Linda Dunbar (linda.dunbar@huawei.com) Myo Zarny (Myo.Zarny@gs.com ) Christian Jacquenet (Christian.jacquenet@orange.com) Shaibal Chakrabarty (shaibalc@us-ignite.org)
Challenges Clients needs to control its network security functions for their virtual networks. • Key properties: • Clients don’t know how their VMs are mapped in the network. • VMs being moved, which will have different network ports. • Clients can’t easily view/query the FW policies related to their virtual networks. Internet Resource & Policies management vSwitch VM1 VM2 VM VM vSwitch VM1 VM2 Resource Pool
Common Functional components of FW Interface to Clients: Restful API: • Functional components: • User authentication, user privilege control • Policies, targets, • Configuration, query, validation • Logging, Reporting • Maintenance methods • … Web browser Customer WebPortal Automated Prov Sys • Web Portal
Goal: a common interface for client to specify desired network security functions • Security Policy: • Yellow===>Yellow, Green • Green ===>Green • Prohibited • Green=X=>Yellow Zones: Yellow zone Green zone … Change of the policies: IP11===>IP12 IP11===>IP14 IP13===>IP12 IP13===>IP14 … IP3 ===>IP1 IP3 ===>IP2 IP4=X=>IP1 IP4 ===>IP2 Policies for Firewall IP1===>IP3 IP1===>IP4 IP2=X=>IP3 IP2===>IP4 IP12=X=>IP11 IP12=X=>IP13 IP14=X=>I1P1 IP14 =X=>IP13 … • Regardless if the policies are enforced by FW or other devices. Clients' policy stay the same regardless what IP/MAC address are assigned/changed as VMs move around DCs. Config 1: App 4 App 3 App 2 App 3 App 4 App 2 App 1=IP1 App 2=IP2 App 3=IP3 App 4=IP4 … App 1 App 1 Config 2: App 1=IP11 App 2=IP12 App 3=IP13 App 4=IP14 …
Security Functions under consideration: • The wide acceptance of security functions that are not running on customer premises. For example: • Security as a Service: https://cloudsecurityalliance.org/research/secaas/#_get-involved • Firewall as a Service : http://docs.openstack.org/admin-guide-cloud/content/fwaas.html • Security has the sense of “long lasting services”. So we don’t have to deal with “On-Demand” oscillation issues. • Here are the network functions under consideration: • Firewall • IPS/IDS (Intrusion detection system/ Intrusion prevention system) • DDOS/AntiDoS • Access control/Authorization/Authentication • Secure Key management
Relevant Industry initiatives: • Firewall as a Service by OpenStack • OpenStack completed the Firewall as a Service project and specified the set of APIs for Firewall services: http://docs.openstack.org/admin-guide-cloud/content/fwaas_api_abstractions.html • OpenStack has defined the APIs for managing Security Groups: http://docs.openstack.org/admin-guide-cloud/content/securitygroup_api_abstractions.html • Attributes defined by OpenStack Firewall/Security as a Service will be the basis of the information model for the proposed work at VNFOD IETF initiative. • Security as a Service by Cloud Security Alliance • SaaS by CSA is at the very initiate stage of defining the scope of work.