Presentation is loading. Please wait.

Presentation is loading. Please wait.

Nicolas BOUTHORS Qosmos

Published byAngela MargaretMargaret Bryan Modified over 6 years ago

Similar presentations

Presentation on theme: "Nicolas BOUTHORS Qosmos"— Presentation transcript:

1 Nicolas BOUTHORS Qosmos
Information Model of Interface to Network Security Functions Capability Interface draft-xia-i2nsf-capability-interface-im-04 Liang Xia Huawei DaCheng Zhang Alibaba Edward Lopez Fortinet Nicolas BOUTHORS Qosmos November Yokohama

2 Introduction of I2NSF Architecture
NSF Registration For NSF vendors to register their available security functions and set of policies (or Service Profiles) that can be dynamically set by 3rd parties. Security Service Layer For clients or App Gateway to express and monitor security policies for their specific flows, Vendor management system Capability Layer For Controller to control and monitor the limited number of attributes (or Security capabilities) that are allowed by the respective vendors to the NSFs

3 Current Situations of NSF (or Security Capability) Provisioning
Security vendors use proprietary interfaces for NSF provisioning (i.e., SNMP, MIB, Restful, xml, syslog, etc); Various network security capabilities/functions provided by security vendors can not be integrated and applied as a whole. Furthermore, new network security capabilities are appearing quickly; NSaaS market grows very fast, which requires the automatic provisioning of massive NSF instances with high efficiency and flexibility.

4 Solution to Address the Problems Related with NSF Provisioning
A standard capability interface(by I2NSF) Decouple network security controller from security devices of specific vendors, and vice versa; Only be oriented to the logic network security capabilities, independent with specific device implementation; Flow-based paradigm builds a concrete basis for a large number of security capabilities.

5 Overview of Security Capabilities
Network security control: inspecting and processing the network packet/flow; differ in the depths of packet headers and/or payloads they can inspect, the various flow and context states they can maintain, and the actions they can apply; use a "Subject-Object-Action-Function" paradigm; Content security control: one category of security capabilities applied to application layer that requires: Flexibility, Generality, Scalability, Automation; detecting the malicious contents: file, url, data block, etc; Security profiles with standardized and configurable input/output parameters to control its specific functions and output results; Standardized interface for updating its intelligence: signature, and algorithm. Attack mitigation control: one category of security capabilities specially used to detect and mitigate various types of network attacks: DDoS attacks, Single-packet attacks; A standard interface is essential through which the security controller can choose and customize the given security capabilities to fight against various kinds of network attacks.

6 Overall Structure for Information Model for security capability management

7 Information Model for Network Security Control Block
- Match values based on packet data L2/L3/L4 Packet header Packet payload – Match values based on context Ex.: user, Schedule, Region, Target, State, Direction, etc. Many can (and should) be standardized, but many also from NSF capabilities Key goal: Flexible and comprehensive semantics; extensible IM for containing different vendors’ security capabilities, in essence, respective difference or innovation. – Egress processing Invoke signaling Packet forwarding and/or transformation Possibility for SDN/NFV integration - Vendor Unique innovation , Vendor specific e.g. IPS:<Profile> Profile: signature, Anti-virus, URL filtering, etc. Integrated and one-pass checks on the content of packets

8 Match Condition Details

9 Information Model for Content Security Control

10 Information Model for Attack Mitigation Control

11 Information Model Grammar Details
<Policy> ::= <policy-name> <policy-id> (<Rule> ...) <Rule> ::= <rule-name> <rule-id> <Match> <Action> <Match> ::= [<subject-based-match>] [<object-based-match>] <subject-based-match> ::= [<L234-packet-header> ...] [<packet-payload> ...] <L234-packet-header> ::= [<address-scope>] [<layer-2-header>] [<layer-3-header>] [<layer-4-header>] <address-scope> ::= <route-type> (<ipv4-route> | <ipv6-route> | <mpls-route> | <mac-route> | <interface-route>) <route-type> ::= <IPV4> | <IPV6> | <MPLS> | <IEEE_MAC> | <INTERFACE> <ipv4-route> ::= <ip-route-type> (<destination-ipv4-address> | <source-ipv4-address> | (<destination-ipv4-address> <source-ipv4-address>)) <destination-ipv4-address> ::= <ipv4-prefix> <source-ipv4-address> ::= <ipv4-prefix> <ipv4-prefix> ::= <IPV4_ADDRESS> <IPV4_PREFIX_LENGTH> <ipv6-route> ::= <ip-route-type> (<destination-ipv6-address> | <source-ipv6-address> | (<destination-ipv6-address> <source-ipv6-address>)) <destination-ipv6-address> ::= <ipv6-prefix> <source-ipv6-address> ::= <ipv6-prefix> <ipv6-prefix> ::= <IPV6_ADDRESS> <IPV6_PREFIX_LENGTH> <ip-route-type> ::= <SRC> | <DEST> | <DEST_SRC> <layer-3-header> ::= <ipv4-header> | <ipv6-header> <ipv4-header> ::= <SOURCE_IPv4_ADDRESS> <DESTINATION_IPv4_ADDRESS> <PROTOCOL> [<TTL>] [<DSCP>] <ipv6-header> ::= <SOURCE_IPV6_ADDRESS> <DESTINATION_IPV6_ADDRESS> <NEXT_HEADER> [<TRAFFIC_CLASS>] [<FLOW_LABEL>] [<HOP_LIMIT>] <object-based-match> ::= [<user> ...] [<schedule>] [<region>] [<target>] [<state>] <user> ::= (<login-name> <group-name> <parent-group> <password> <expired-date> <allow-multi-account-login> <address-binding>) | <tenant> | <VN-id> <schedule> ::= <name> <type> <start-time> <end-time> <weekly-validity-time> <type> ::= <once> | <periodic> <target> ::= [<service>] [<application>] [<device>] <service> ::= <name> <id> <protocol> [<protocol-num>] [<src-port>] [<dest-port>] <protocol> ::= <TCP> | <UDP> | <ICMP> | <ICMPv6> | <IP> <application> ::= <name> <id> <category> <subcategory> <data-transmission-model> <risk-level> <signature> <category> ::= <business-system> | <Entertainment> | <internet> | <network> | <general> <subcategory> ::= <Finance> | < > | <Game> | <media-sharing> | <social-network> | <web-posting> | <proxy> | ... <data-transmission-model> ::= <client-server> | <browser-based> |<networking> | <peer-to-peer> | <unassigned> <risk-level> ::= <Exploitable> | <Productivity-loss> | <Evasive> | <Data-loss> | <Malware-vehicle> |<Bandwidth-consuming> | <Tunneling> <signature> ::= <server-address> <protocol> <dest-port-num> <flow-direction> <object> <keyword> <flow-direction> ::= <request> | <response> | <bidirection> <object> ::= <packet> | <flow> <context based match> ::= [<user-group> ...] [<session-state>] [<schedule>] [<region-group>] <user-group> ::= <user>... <user> ::= (<login-name> <group-name> <parent-group> <password> <expired-date> <allow-multi-account-login> <address-binding>) | <tenant> | <VN-id> <session-state> ::= <new> | <established> | <related> | <invalid> | <untracked> <schedule> ::= <name> <type> <start-time> <end-time> <weekly-validity-time> <type> ::= <once> | <periodic> <action> ::= <basic-action> [<advanced-action>] <basic-action> ::= <pass> | <deny> | <mirror> | <call-function> | <encapsulation> <advanced-action> ::= [<profile-antivirus>] [<profile-IPS>] [<profile-url-filtering>] [<profile-file-blocking>] [<profile-data-filtering>] [<profile-application-control>]

12 Next Step Solicit Comments Keep on improvement, including:
control security control IM; attack mitigation control IM; improving information model structure and grammar.

13 Thanks! Liang Xia (Frank)

Download ppt "Nicolas BOUTHORS Qosmos"

Similar presentations

Microsoft Internet Security and Acceleration (ISA) Server 2004 Technical Overview

Microsoft Internet Security and Acceleration (ISA) Server 2004 Technical Overview
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
IPv4 and IPv6 Mobility Support Using MPLS and MP-BGP draft-berzin-malis-mpls-mobility-00 Oleg Berzin, Andy Malis {oleg.berzin,

IPv4 and IPv6 Mobility Support Using MPLS and MP-BGP draft-berzin-malis-mpls-mobility-00 Oleg Berzin, Andy Malis {oleg.berzin,
Introduction to ISA 2004 Dana Epp Microsoft Security MVP.

Introduction to ISA 2004 Dana Epp Microsoft Security MVP.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
MIGRATION FROM SCREENOS TO JUNOS based firewall

MIGRATION FROM SCREENOS TO JUNOS based firewall
Department Of Computer Engineering

Department Of Computer Engineering
A Survey on Interfaces to Network Security

A Survey on Interfaces to Network Security
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Securing Legacy Software SoBeNet User group meeting 25/06/2004.

Securing Legacy Software SoBeNet User group meeting 25/06/2004.
BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.

BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.
OSI Model Routing Connection-oriented/Connectionless Network Services.

OSI Model Routing Connection-oriented/Connectionless Network Services.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Midterm Review - Network Layers. Computer 1Computer 2 2.

Midterm Review - Network Layers. Computer 1Computer 2 2.

Similar presentations

Ads by Google