Requirements for Client-facing Interface to Security controller draft-ietf-i2nsf-client-facing-interface-req-00 Rakesh Kumar Juniper networks.


1 Requirements for Client-facing Interface to Security controller
draft-ietf-i2nsf-client-facing-interface-req-00
- Rakesh Kumar, Juniper Networks
- Anil Lohiya, Juniper Networks
- Dave Qi, Bloomberg
- Nabil Bitar, Nokia
- Senand Palislamovic, Nokia
- Liang Xia, Huawei
IETF-97, Seoul, November 14, 2016

2 Agenda
- Draft history
- Draft overview
- WG discussions
- Next steps and plans

3 Draft history
I2NSF client-facing interface requirements
- First proposed as individual draft
  - Presented in IETF-96
  - draft-kumar-i2nsf-controller-northbound-framework-00
- Changed the name as per WG chair suggestion
  - draft-kumar-i2nsf-client-facing-interface-req
- Adopted as WG draft post IETF-96
  - WG decided to use this draft after some discussion
  - Adopted draft-kumar-i2nsf-client-facing-interface-req-02

4 Client-facing Interface RESTful API
Draft scope – Identify requirements to build I2NSF client-facing Interface
- End-user expresses security policies using client-facing interface
- All end-user interaction goes through an abstraction layer in security controller
- End-user security policies are enforced on traffic originated from and destined to end-points
- Security policy is deployed in NSF by security controller
Diagram labels:
- Client-facing Interface RESTful API (User-construct based, independent of network topology, NSF type and its location in network)
- Security Controller
- NSF-Facing Interface
- NSFs (Routers, Switches, Firewall) (Virtual & Physical)
- I2NSF Agent
- End-points (Applications, Servers, Laptops, Users, Locations)

5 Draft overview – Set of requirements… (1/2)
Interface modeling requirements
- Based on user-construct
  - Easier for end-user to express policy
  - Not dependent on network topology, NSF
Functional requirements for interface
- Multi-tenancy
- RBAC
- Authentication and authorization
Security policy building blocks
- Use ECA model (need to reword existing text in the draft)
  - Admin-event (manual, threat-level), Calendar-event (time-based), NSF-event (violation)
- Policy End-point groups
  - Defined using meta-data
  - User-group, device-group, application-group, location-group
- Policy Rules
  - Generic set of match criteria using built-in construct and user-defined end-point groups
  - Rich set of actions when a rule is matched
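The policy building blocks on this slide, as an added example that is not part of the presentation or the draft: end-point groups resolved from metadata only, and rules evaluated as event, condition, action. The inventory, rule names, first-match ordering and default-deny fallback are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed inventory: end-points carry metadata only, no addresses or topology.
ENDPOINTS = {
    "alice-laptop": {"user-group": "finance", "device-group": "laptop"},
    "guest-phone": {"user-group": "guest", "device-group": "mobile"},
    "build-server": {"application-group": "ci", "location-group": "dc1"},
}

@dataclass(frozen=True)
class Rule:
    name: str
    event: tuple   # (kind, value) with kind in admin / calendar / nsf
    src: dict      # metadata selector for the source end-point group
    dst: dict      # metadata selector for the destination end-point group
    action: str

# Constructed rule set; names, actions and ordering are assumptions.
RULES = [
    Rule("quarantine-on-violation", ("nsf", "malware-detected"),
         {"device-group": "laptop"}, {}, "deny"),
    Rule("guest-lockdown", ("admin", "high"), {"user-group": "guest"}, {}, "deny"),
    Rule("finance-to-ci", ("calendar", (9, 17)),
         {"user-group": "finance"}, {"application-group": "ci"}, "permit"),
]

def in_group(endpoint, selector):
    # Unknown end-points never match, even against an empty (match-any) selector.
    meta = ENDPOINTS.get(endpoint)
    return meta is not None and all(meta.get(k) == v for k, v in selector.items())

def event_active(event, state):
    kind, value = event
    if kind == "admin":      # threat level set manually by an administrator
        return state["threat_level"] == value
    if kind == "calendar":   # time window as (start_hour, end_hour)
        return value[0] <= state["hour"] < value[1]
    if kind == "nsf":        # violation reported by an NSF
        return value in state["violations"]
    raise ValueError(f"unknown event kind: {kind}")

def decide(src, dst, state, rules=RULES, default="deny"):
    """Return (rule name, action); first match wins, default deny (assumptions)."""
    for r in rules:
        if event_active(r.event, state) and in_group(src, r.src) and in_group(dst, r.dst):
            return r.name, r.action
    return None, default
```

The same flow between the same two end-points gets a different decision as the active event changes, without any rule referring to an address or to a particular NSF.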

6 Draft overview – Set of requirements… (2/2)
Integration with external systems
- Threat feeds, Honeypots
- Security Information & Event Management (SIEM)
- Network and Behavior analytic engines
Telemetry data collection
- Get data from NSF such as system logs, syslog, NSF logs, security violations
- Export data to external systems for monitoring and analytics
Miscellaneous
- Notification to end-user based on NSF events and policy violations
- Test policies for conflicts before deploying
- Affinity to allow end-user so that a policy is enforced on a specific NSF
  - Need to work on it some more
Operational requirements for interface
- Security
  - Protection from attacks (DoS/DDoS)
  - Misconfiguration, Input data validation
- APIs
  - API versioning for backward compatibility
  - API extensibility

7 Next steps and plans for draft
draft-ietf-i2nsf-client-facing-interface-req-01
- Add examples for requirement
  - Illustrate each requirement with use-case example for clarity
- Expand on requirements based on WG contributions
  - Look at diverse set of problem and use-cases
  - Drafts for input: draft-ietf-i2nsf-problem-and-use-cases-02
- Incorporate ideas from WG mailing discussions
  - Few comments received so far
  - Diego R Lopez: Work on listing the requirement more clearly in the draft
  - Ed Lopez: Work on the requirement contents
  - Linda Dunbar: Make policy lifecycle management using ECA model
  - WG chair suggestion: Think about security for the client-facing interface
- Solicit inputs on requirements
  - Get more use-cases from WG members in different segments
  - Service providers, Enterprise, cloud operators

8 Thanks! Rakesh Kumar

