Presentation is loading. Please wait.

Presentation is loading. Please wait.

Nicolas BOUTHORS Qosmos

Published byAlberto Herrera Roldán Modified over 6 years ago

Similar presentations

Presentation on theme: "Nicolas BOUTHORS Qosmos"— Presentation transcript:

1 Nicolas BOUTHORS Qosmos
Information Model of Interface to Network Security Functions Capability Interface draft-xia-i2nsf-capability-interface-im-03 Liang Xia Huawei DaCheng Zhang Alibaba Edward Lopez Fortinet Nicolas BOUTHORS Qosmos July Prague

2 Vendor management system
I2NSF Architecture NSF Registration For NSF vendors to register their available security functions and set of policies (or Service Profiles) that can be dynamically set by 3rd parties. Security Service Layer For clients or App Gateway to express and monitor security policies for their specific flows, Vendor management system Capability Layer For Controller to specify and monitor the limited number of attributes (or Security Profiles) that are allowed by the respective vendors to the NSFs

3 Current Dilemma of NSF Provisioning
A lot of security vendors with its proprietary interface (i.e., management plane protocol, information model and data model); Various network security capabilities/functions provided by security vendors can not be integrated and applied as a whole. More seriously, more new network security capabilities are appearing; NSaaS market grows very fast, which requires the automatic provision of massive NSF instances with high efficiency and flexibility.

4 Answer A standard capability interface(by I2NSF)
Decouple network security controller from security devices of specific vendors, and vice versa; Only be oriented to the logic network security capabilities, independent with specific device model; Flow-based paradigm builds a concrete basis for most common security capabilities. Start from a limited set of NSFs (do not boil the ocean), and be patient for its self-evolvement!

5 Information Model for I2NSF Capability Interface
- Match values based on packet data Packet header - Can be standardized Packet payload - Provided by NSF capabilities – Match values based on context Ex.: user, State, time, geo-location, etc. Many can (and should) be standardized, but many also from NSF capabilities Key goal: Flexible and comprehensive semantics; extensible IM for containing different vendors’ security capabilities, in essence, respective difference or innovation. – Egress processing Invoke signaling Packet forwarding and/or transformation Possibility for SDN/NFV integration - Vendor Unique innovation , Vendor specific e.g. IPS:<Profile> Profile: signature, Anti-virus, URL filtering, etc. Integrated and one-pass checks on the content of packets

6 Information Model Grammar Details
<Policy> ::= <policy-name> <policy-id> (<Rule> ...) <Rule> ::= <rule-name> <rule-id> <Match> <Action> <Match> ::= [<packet-based-match>] [<context-based-match>] <packet-based-match> ::= [<packet-header-payload> ...] [<service> ...] [<application> ...] <packet-header-payload> ::= [<address-scope>] [<layer-2-header>] [<layer-3-header>] [<layer-4-header>] [<payload>] <address-scope> ::= <route-type> (<ipv4-route> | <ipv6-route> | <mpls-route> | <mac-route> | <interface-route>) <route-type> ::= <IPV4> | <IPV6> | <MPLS> | <IEEE_MAC> | <INTERFACE> <ipv4-route> ::= <ip-route-type> (<destination-ipv4-address> | <source-ipv4-address> | (<destination-ipv4-address> <source-ipv4-address>)) <destination-ipv4-address> ::= <ipv4-prefix> <source-ipv4-address> ::= <ipv4-prefix> <ipv4-prefix> ::= <IPV4_ADDRESS> <IPV4_PREFIX_LENGTH> <ipv6-route> ::= <ip-route-type> (<destination-ipv6-address> | <source-ipv6-address> | (<destination-ipv6-address> <source-ipv6-address>)) <destination-ipv6-address> ::= <ipv6-prefix> <source-ipv6-address> ::= <ipv6-prefix> <ipv6-prefix> ::= <IPV6_ADDRESS> <IPV6_PREFIX_LENGTH> <ip-route-type> ::= <SRC> | <DEST> | <DEST_SRC> <layer-3-header> ::= <ipv4-header> | <ipv6-header> <ipv4-header> ::= <SOURCE_IPv4_ADDRESS> <DESTINATION_IPv4_ADDRESS> <PROTOCOL> [<TTL>] [<DSCP>] <ipv6-header> ::= <SOURCE_IPV6_ADDRESS> <DESTINATION_IPV6_ADDRESS> <NEXT_HEADER> [<TRAFFIC_CLASS>] [<FLOW_LABEL>] [<HOP_LIMIT>] <service> ::= <name> <id> <protocol> [<protocol-num>] [<src-port>] [<dest-port>] <protocol> ::= <TCP> | <UDP> | <ICMP> | <ICMPv6> | <IP> <application> ::= <name> <id> <category> <subcategory> <data-transmission-model> <risk-level> <signature> <category> ::= <business-system> | <Entertainment> | <internet> | <network> | <general> <subcategory> ::= <Finance> | < > | <Game> | <media-sharing> | <social-network> | <web-posting> | <proxy> | ... <data-transmission-model> ::= <client-server> | <browser-based> |<networking> | <peer-to-peer> | <unassigned> <risk-level> ::= <Exploitable> | <Productivity-loss> | <Evasive> | <Data-loss> | <Malware-vehicle> |<Bandwidth-consuming> | <Tunneling> <signature> ::= <server-address> <protocol> <dest-port-num> <flow-direction> <object> <keyword> <flow-direction> ::= <request> | <response> | <bidirection> <object> ::= <packet> | <flow> <context based match> ::= [<user-group> ...] [<session-state>] [<schedule>] [<region-group>] <user-group> ::= <user>... <user> ::= (<login-name> <group-name> <parent-group> <password> <expired-date> <allow-multi-account-login> <address-binding>) | <tenant> | <VN-id> <session-state> ::= <new> | <established> | <related> | <invalid> | <untracked> <schedule> ::= <name> <type> <start-time> <end-time> <weekly-validity-time> <type> ::= <once> | <periodic> <action> ::= <basic-action> [<advanced-action>] <basic-action> ::= <pass> | <deny> | <mirror> | <call-function> | <encapsulation> <advanced-action> ::= [<profile-antivirus>] [<profile-IPS>] [<profile-url-filtering>] [<profile-file-blocking>] [<profile-data-filtering>] [<profile-application-control>]

7 Yang Data Model Specification

8 Next Step Solicit Comments Maybe remove the Yang data model part
Keep on improvement, including: more content about security profiles, improving information model structure and grammar, examples, etc

9 Thanks! Dacheng Zhang Liang Xia (Frank)

Download ppt "Nicolas BOUTHORS Qosmos"

Similar presentations

Microsoft Internet Security and Acceleration (ISA) Server 2004 Technical Overview

Microsoft Internet Security and Acceleration (ISA) Server 2004 Technical Overview
Introduction to ISA 2004 Dana Epp Microsoft Security MVP.

Introduction to ISA 2004 Dana Epp Microsoft Security MVP.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
OSI Model.

OSI Model.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
COE 342: Data & Computer Communications (T042) Dr. Marwan Abu-Amara Chapter 2: Protocols and Architecture.

COE 342: Data & Computer Communications (T042) Dr. Marwan Abu-Amara Chapter 2: Protocols and Architecture.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
A Brief Taxonomy of Firewalls

A Brief Taxonomy of Firewalls
OSI Model Routing Connection-oriented/Connectionless Network Services.

OSI Model Routing Connection-oriented/Connectionless Network Services.
Analysis of Existing Work for I2NSF draft-zhang-gap-analysis-00 H.Rafiee Dacheng Zhang Huawei IETF 91 I2NSF BoF.

Analysis of Existing Work for I2NSF draft-zhang-gap-analysis-00 H.Rafiee Dacheng Zhang Huawei IETF 91 I2NSF BoF.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Midterm Review - Network Layers. Computer 1Computer 2 2.

Midterm Review - Network Layers. Computer 1Computer 2 2.
1 Computer Networks DA2402. 2 Chapter 1-3 Introduction.

1 Computer Networks DA Chapter 1-3 Introduction.
OV 12 - 1 Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
OV 12 - 1 Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.

Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.
Security fundamentals Topic 10 Securing the network perimeter.

Security fundamentals Topic 10 Securing the network perimeter.
Individual Project 1 Sarah Pritchard. Fran, a customer of your company, would like to visit your company’s website from her home computer… How does your.

Individual Project 1 Sarah Pritchard. Fran, a customer of your company, would like to visit your company’s website from her home computer… How does your.
1 Internet Protocols To support the Internet and all its services, many protocols are necessary Some of the protocols that we will look at: –Internet Protocol.

1 Internet Protocols To support the Internet and all its services, many protocols are necessary Some of the protocols that we will look at: –Internet Protocol.

Similar presentations

Ads by Google