Presentation is loading. Please wait.

Presentation is loading. Please wait.

Requirements for Client-facing Interface to Security controller draft-ietf-i2nsf-client-facing-interface-req-02 Rakesh Kumar Juniper networks.

Published byDenis Smith Modified over 6 years ago

Similar presentations

Presentation on theme: "Requirements for Client-facing Interface to Security controller draft-ietf-i2nsf-client-facing-interface-req-02 Rakesh Kumar Juniper networks."— Presentation transcript:

1 Requirements for Client-facing Interface to Security controller draft-ietf-i2nsf-client-facing-interface-req-02 Rakesh Kumar Juniper networks Anil Lohiya Juniper networks Dave Qi Bloomberg Nabll Bitar Nokia Senand Palislamovic Nokia Liang Xia Huawei IETF-99, Prague July 18, 2017

2 Agenda Draft overview Main updates outline Next steps and plans

3 Client-facing Interface RESTful API
Draft scope – Identify requirements to build I2NSF client-facing Interface Client-facing Interface RESTful API ( User-construct based, independent of network topology, NSF type and its location in network) Security Controller End-user/application express security policies using client-facing interface All end-user interaction through an abstraction layer in security controller End-user security policies enforced on traffic originated and destined to end-points Security policy deployed in NSF by security controller NSF-Facing Interface NSFs (Routers, Switches, Firewall) (Virtual & Physical) I2NSF Agent End-points (Applications, Servers, Laptops, Users, Locations)

4 Main Updates Outline Introduce requirements preference
MUST MAY RECOMMENDED Several new requirements based on ONUG feedback 3 new categories of security policy: Segmentation policies, Threat policies, Governance and Compliance policies More fine-grained policy building blocks: Source Policy Endpoint Group, Destination Policy Endpoint Group, Direction, Threat Group, Match Condition, Exceptions, Actions… Consistent policy enforcement: according to network/policy building blocks change, audit and log the change A lot of improved description Security controller takes care of all the mapping and conversion.

5 Draft overview – Designing Principles
User-construct based modeling: abstract + decoupling Easier for end-user to express policy which reflects business needs Not dependent on low level network information More concretely: Decoupling from low level network information: network topology, NSF type/model/location… Using Declarative/Descriptive model instead of Imperative/Prescriptive model Being not dependent on NSFs’ operation in network, such as: How to be connected in network Control plane interactions: HA, scalability, etc Data plane implementations: encap, sfc, etc Deployment Models: direct interaction, NMS proxy interaction Security controller takes care of all the mapping and conversion.

6 Draft overview – Set of requirements… (1/2)
Functional requirements for interface, to support: Multi-tenancy (isolation): Policy-Administrator of Policy-Tenant manages Policy-User Authentication and authorization RBAC Protection against: attacks (DoS/DDoS) Misconfiguration, Input data validation Dynamic control of policy enforcement Admin-Enforced Time-Enforced Event-Enforced Definition of dynamic policy end group User-Group, Device-Group, Application-Group, Location-Group Security policy building blocks 3 categories of security policy: Segmentation policies, Threat policies, Governance and Compliance policies Building blocks: Source Policy Endpoint Group, Destination Policy Endpoint Group, Direction, Threat Group, Match Condition, Exceptions, Actions…

7 Draft overview – Set of requirements… (2/2)
Comprehensive set of actions: Permit, Deny, Drop connection, Log, Authenticate connection, Quarantine/Redirect, Netflow, Count, Encrypt, Decrypt, Throttle, Mark, Instantiate-NSF Consistent policy enforcement: according to network/policy building blocks change, audit and log the change detect and correct policy conflicts, and backward compatibility Integration with external systems Threat feeds, Honeypots Security Information & Event Management (SIEM) Network and Behavior analytic engines Telemetry data collection Get data from NSF system logs, syslog, flow records, security violations Export data to external systems for monitoring and analytics Operational requirements for interface APIs API versioning for problem debugging, and backward compatibility API extensibility Data Model Transport: Yang + netconf/restconf Miscellaneous Notification to end-user based on NSF events and policy violations Test policies for conflicts before deploying Affinity to allow end-user so that a policy is enforced on a specific NSF Need to work on it some more

8 Next steps and plans for draft draft-ietf-i2nsf-client-facing-interface-req-03
Add examples for requirement Illustrate each requirement with use-case example for clarity Align to I2NSF Terminology draft Incorporate ideas from WG mailing discussions Few comments received so far Linda Dunbar Clarification about actual requirements vs high level requirements More clear clarification of the difference between “User-construct based policies” and the general “intent-based policy” Solicit inputs on requirements Get more use-cases from WG members in different segments Service providers, Enterprise, cloud operators

9 Thanks! Rakesh Kumar

Download ppt "Requirements for Client-facing Interface to Security controller draft-ietf-i2nsf-client-facing-interface-req-02 Rakesh Kumar Juniper networks."

Similar presentations

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Information Security Policies and Standards

Information Security Policies and Standards
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.
Firewall Ercan Sancar & Caner Sahin. Index History of Firewall Why Do You Need A Firewall Working Principle Of Firewalls Can a Firewall Really Protect.

Firewall Ercan Sancar & Caner Sahin. Index History of Firewall Why Do You Need A Firewall Working Principle Of Firewalls Can a Firewall Really Protect.
Chapter 5 Database Application Security Models

Chapter 5 Database Application Security Models
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
Department Of Computer Engineering

Department Of Computer Engineering
A Survey on Interfaces to Network Security

A Survey on Interfaces to Network Security
Network security policy: best practices

Network security policy: best practices
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 9 Network Policy and Access Services in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 9 Network Policy and Access Services in Windows Server 2008.
Www.skyboxsecurity.com Skybox® Security Solutions for Symantec CCS Comprehensive IT Governance Risk and Access Compliance Management Skybox Security's.

Skybox® Security Solutions for Symantec CCS Comprehensive IT Governance Risk and Access Compliance Management Skybox Security's.
Intranet, Extranet, Firewall. Intranet and Extranet.

Intranet, Extranet, Firewall. Intranet and Extranet.
1 Open Pluggable Edge Services OPES Abbie Barbir, Ph.D.

1 Open Pluggable Edge Services OPES Abbie Barbir, Ph.D.
OV 12 - 1 Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Module 9: Configuring IPsec. Module Overview Overview of IPsec Configuring Connection Security Rules Configuring IPsec NAP Enforcement.

Module 9: Configuring IPsec. Module Overview Overview of IPsec Configuring Connection Security Rules Configuring IPsec NAP Enforcement.
OV 12 - 1 Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.
Security Requirements for Software Defined Networks Internet Area WG IETF 85: Atlanta November 4, 2012 Margaret Wasserman

Security Requirements for Software Defined Networks Internet Area WG IETF 85: Atlanta November 4, 2012 Margaret Wasserman

Similar presentations

Ads by Google