
Interface to Network Security Functions Nov 2014

This article discusses the challenges faced by clients in controlling the network security functions for their virtual networks, specifically related to firewall box configuration and port and link mapping. It also explores potential solutions and relevant industry initiatives.


Presentation Transcript


  1. Interface to Network Security Functions, Nov 2014
     Linda Dunbar (linda.dunbar@huawei.com)
     Myo Zarny (Myo.Zarny@gs.com)
     Christian Jacquenet (Christian.jacquenet@orange.com)
     Shaibal Chakrabarty (shaibalc@us-ignite.org)

  2. Firewall box configuration: ports & links based

  3. Challenges
     Clients need to control the network security functions for their virtual networks.
     • Key properties:
       • Clients don't know how their VMs are mapped in the network.
       • VMs get moved, and after a move they sit on different network ports.
       • Clients can't easily view or query the FW policies related to their virtual networks.
     [Figure: Internet; Resource & Policies management; two vSwitches each carrying VM1, VM2, …; Resource Pool]

  4. Common functional components of the FW interface to clients
     • RESTful API
     • Functional components:
       • User authentication, user privilege control
       • Policies, targets
       • Configuration, query, validation
       • Logging, reporting
       • Maintenance methods
       • …
     • Web portal
     [Figure: Web browser, Customer web portal and Automated provisioning system as clients of the FW interface]

  5. Goal: a common interface for clients to specify desired network security functions
     • Security policy (stated in terms of zones, not addresses):
       • Yellow ===> Yellow, Green
       • Green ===> Green
       • Prohibited: Green =X=> Yellow
     • Zones: Yellow zone, Green zone, …
     • This holds regardless of whether the policies are enforced by the FW or by other devices: the clients' policy stays the same regardless of what IP/MAC addresses are assigned or changed as VMs move around DCs.
     [Figure: Config 1 (App 1=IP1, App 2=IP2, App 3=IP3, App 4=IP4, …) yields the firewall policies IP1===>IP3, IP1===>IP4, IP2=X=>IP3, IP2===>IP4, IP3===>IP1, IP3===>IP2, IP4=X=>IP1, IP4===>IP2, …; after the VMs move to Config 2 (App 1=IP11, App 2=IP12, App 3=IP13, App 4=IP14, …) the policies change to IP11===>IP12, IP11===>IP14, IP13===>IP12, IP13===>IP14, IP12=X=>IP11, IP12=X=>IP13, IP14=X=>IP11, IP14=X=>IP13, …]
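The slide's central point is that the client states policy in terms of zones and applications, and the address-based rules a firewall box enforces are derived from that policy for whatever placement the VMs currently have. The following added example (not part of the original deck) makes that split explicit: a zone policy and an application-to-zone mapping are the client's stable input, and each "Config" (placement of applications onto addresses) is compiled into concrete rules. The zone policy follows the slide's Yellow/Green example; the application-to-zone assignment, the two placements and their addresses are constructed assumptions, since the slide does not give them. It also includes the validation step from the functional-components slide: after compilation, every application pair is checked to give the same answer at the address level as at the policy level.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Zone-level intent, taken from the slide's example:
# Yellow may reach Yellow and Green; Green may reach Green; Green must not reach Yellow.
ZONE_POLICY: Dict[Tuple[str, str], str] = {
    ("Yellow", "Yellow"): "allow",
    ("Yellow", "Green"): "allow",
    ("Green", "Green"): "allow",
    ("Green", "Yellow"): "deny",
}

# Which zone each application belongs to (constructed assumption; the slide does
# not say which applications sit in which zone).
APP_ZONE: Dict[str, str] = {"App1": "Yellow", "App2": "Yellow",
                            "App3": "Green", "App4": "Green"}

# Two placements of the same applications, in the spirit of the slide's
# Config 1 / Config 2. The addresses are constructed sample values.
CONFIG_1: Dict[str, str] = {"App1": "10.0.0.1", "App2": "10.0.0.2",
                            "App3": "10.0.0.3", "App4": "10.0.0.4"}
CONFIG_2: Dict[str, str] = {"App1": "10.0.1.11", "App2": "10.0.1.12",
                            "App3": "10.0.1.13", "App4": "10.0.1.14"}


@dataclass(frozen=True)
class Rule:
    """One address-based rule of the kind a firewall box actually enforces."""
    src: str
    dst: str
    action: str  # "allow" or "deny"


def decide(src_app: str, dst_app: str) -> str:
    """Evaluate the client's zone policy for an application pair.

    Pairs the policy does not mention fall through to deny, so a missing
    policy entry can never silently open a path.
    """
    return ZONE_POLICY.get((APP_ZONE[src_app], APP_ZONE[dst_app]), "deny")


def compile_rules(placement: Dict[str, str]) -> List[Rule]:
    """Translate the address-independent policy into address-based rules
    for one placement of the applications (one Config in the slide)."""
    rules: List[Rule] = []
    for src_app, src_ip in placement.items():
        for dst_app, dst_ip in placement.items():
            if src_app == dst_app:
                continue
            rules.append(Rule(src_ip, dst_ip, decide(src_app, dst_app)))
    return rules


def is_allowed(rules: List[Rule], src_ip: str, dst_ip: str) -> bool:
    """Match a flow against compiled rules: first match wins, implicit deny."""
    for rule in rules:
        if rule.src == src_ip and rule.dst == dst_ip:
            return rule.action == "allow"
    return False


def placement_is_consistent(placement: Dict[str, str], rules: List[Rule]) -> bool:
    """Validation: the address-level rules must answer exactly as the
    application-level policy does for every pair in the placement."""
    for src_app, src_ip in placement.items():
        for dst_app, dst_ip in placement.items():
            if src_app == dst_app:
                continue
            if is_allowed(rules, src_ip, dst_ip) != (decide(src_app, dst_app) == "allow"):
                return False
    return True


def addresses_in(rules: List[Rule]) -> Set[str]:
    """All addresses a rule set refers to; shows two placements share none."""
    return {r.src for r in rules} | {r.dst for r in rules}


if __name__ == "__main__":
    for name, placement in (("Config 1", CONFIG_1), ("Config 2", CONFIG_2)):
        rules = compile_rules(placement)
        print(name, "consistent with policy:", placement_is_consistent(placement, rules))
        for r in rules:
            print(f"  {r.src:>10} -> {r.dst:<10} {r.action}")
```

Running the block prints the twelve address-based rules for each placement. Note that the rules compiled for Config 1 match nothing once the VMs are at their Config 2 addresses, which is exactly why the client-facing interface should accept the zone policy and leave the address-level translation to the provider.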

  6. Security functions under consideration
     • The wide acceptance of security functions that are not running on customer premises. For example:
       • Security as a Service: https://cloudsecurityalliance.org/research/secaas/#_get-involved
       • Firewall as a Service: http://docs.openstack.org/admin-guide-cloud/content/fwaas.html
     • Security has the sense of "long lasting services", so we don't have to deal with "on-demand" oscillation issues.
     • Here are the network functions under consideration:
       • Firewall
       • IPS/IDS (intrusion prevention system / intrusion detection system)
       • DDoS / anti-DoS
       • Access control / authorization / authentication
       • Secure key management

  7. FW as a Service: potential attributes

  8. Security as a Service: potential attributes

  9. Relevant industry initiatives
     • Firewall as a Service by OpenStack
       • OpenStack completed the Firewall as a Service project and specified the set of APIs for firewall services: http://docs.openstack.org/admin-guide-cloud/content/fwaas_api_abstractions.html
       • OpenStack has defined the APIs for managing Security Groups: http://docs.openstack.org/admin-guide-cloud/content/securitygroup_api_abstractions.html
       • The attributes defined by OpenStack Firewall/Security as a Service will be the basis of the information model for the proposed work in the VNFOD IETF initiative.
     • Security as a Service by the Cloud Security Alliance
       • SaaS by CSA is at the very initial stage of defining its scope of work.
