A Survey on Interfaces to Network Security

Presentation transcript:

1 A Survey on Interfaces to Network Security
DC Workshop
A Survey on Interfaces to Network Security Functions in Network Virtualization
Hyunsu Jang (1), Jaehoon (Paul) Jeong (1), Hyoungshick Kim (1), and Jung-Soo Park (2)
(1) Sungkyunkwan University and (2) ETRI, Korea
Speaker: Yiwen (Chris) Shen, Cyber-Physical Systems Lab (CPS), SKKU, Suwon, Korea
Most of the contents of these slides are from the IETF meeting.

2 Contents
I. Introduction / Motivation
II. I2NSF
III. Network Security Functions
V. Use Cases
VI. Discussion and Conclusion

3 Motivation
Legacy limitations:
- Sophisticated network attacks are increasing.
- The effectiveness of existing security services is limited.
- Newly updated security services should be provided.
Current state of network security functions:
- Various Security as a Service (SaaS) offerings in the cloud
- Proprietary
- Hosted in data centers, thus additional network traffic overhead
- Difficult to maintain consistent updates across all the devices
- No common mechanism to verify the fulfillment of demands

4 I2NSF
Attention in the Internet Engineering Task Force (IETF):
- Security services, e.g., firewall, intrusion detection system (IDS), and intrusion prevention system (IPS)
- Common network security applications and requirements
I2NSF is an IETF effort to standardize the interface for network security functions offered on any kind of cloud, regardless of its location or operator.
Network security functions can be:
- Firewall
- DDoS/Anti-DoS (Distributed Denial-of-Service/Anti-Denial-of-Service)
- AAA (Authentication, Authorization, Accounting)
- Remote identity management
- Secure key management
- IDS/IPS (Intrusion Detection System/Intrusion Prevention System)

5 Use Case 1: Access Networks (1/2)
Lopez et al. suggested an Open Operation, Administration, and Management (OAM) interface for residential and mobile network access.
Typical security applications:
- Traffic inspection, e.g., deep packet inspection (DPI)
- Traffic manipulation: security functions (e.g., IPS, firewall, and virtual private network) control traffic
- Traffic impersonation: monitor intruders' activities; design decoy systems (e.g., honeypots)

6 Use Case 1: Access Networks (2/2)
[Diagram: a vNSF placed between user access and the Internet side; labels: online traffic, offline alerts]
Typical security applications:
- Traffic inspection, e.g., deep packet inspection (DPI)
- Traffic manipulation: security functions (e.g., IPS, firewall, and virtual private network) control traffic
- Traffic impersonation: monitor intruders' activities; design decoy systems (e.g., honeypots)

7 Use Case 2: Integrated Security with Mobile Networks (1/2)
M. Qi et al. provided a use case of vNSF in mobile networks.
[Diagram: Operator Network, 3rd Party Private Network, Internet; authentication modes: one-way authentication with pre-shared key, mutual authentication with pre-shared key, mutual authentication with certificate]
Path: mobile devices -> BS, AP -> security functions (packet inspection, traffic control, etc.) -> 3rd party or Internet
All these security functions are on different hardware.

8 Use Case 2: Integrated Security with Mobile Networks (2/2)
A virtualized security function can provide more flexible and reliable protection.
[Diagram: Operator Network, 3rd Party Private Network, Internet; a security function set from which security instances are installed]

9 Use Case 3: Data Center
Leymann et al. proposed a data-center use case:
- Clients' computing servers are deployed across different physical servers.
- It is not technically or financially feasible to deploy the demanded physical firewalls on every server.
- What is needed is the ability to dynamically deploy virtual firewalls for each client's set of servers based on established security policies and underlying network topologies.
Issue: how to control and reduce the network traffic overhead from those security services?
[Diagram: third-party apps and DC clients -> I2NSF intent-based policies -> controller (translation) -> vendor-specific settings on shared physical resources]
Speaker notes: Now, all SFs are on the controller. Issue for use cases 2 and 3: they both extract the security functions from the cloud, which causes network traffic overhead.

10 Use Case 4: Security Services based on Software-Defined Networking
Jeong et al. proposed a framework for security services based on SDN and suggested two use cases:
- Centralized firewall system
- Centralized DDoS-attack mitigation system
Issue: how to provide efficient, flexible security services?
[Diagram: DDoS-attack mitigator and firewall on top of an SDN controller, which installs new rules (e.g., drop packets with suspicious patterns) on Switch1, Switch2, and Switch3 handling incoming packets]

11 Use Case 5: Open Platform for NFV
Downley et al. explained an open NFV platform:
- NFV Infrastructure (NFVI)
- Virtualized Infrastructure Management (VIM)
- API for other components of NFV

12 Research Challenges
Design and implementation of the Application Layer Interface:
- The Application Layer Interface is the API used by applications to tell security policies to the Security Service Manager.
- A candidate protocol is RESTCONF.
- The interface should consider expression capability, scalability, and efficiency.
Design and implementation of the Functional Layer Interface:
- The Functional Layer Interface is the API used by the Security Service Manager to tell configurations and operations to virtual machines (e.g., firewall and web filter) performing security functions.
- A candidate protocol is NETCONF.
- The interface should consider scalability and efficiency.
- Secure and authenticated APIs might be needed to prevent unauthorized API requests, i.e., key management.

13 I2NSF Security Services (e.g., SDN Approach)
[Diagram:]
1. Application -> Security Service Manager over the App Layer Interface (security policy), e.g., RESTCONF
2. Security Service Manager -> Firewall and Web Filter over the Functional Layer Interface (functional policy), e.g., NETCONF
3. Network Controller (e.g., I2RS) installs new rules (e.g., drop packets with suspicious patterns) on Switch1, Switch2, and Switch3; incoming packets are separated into valid packets, which leave as outgoing packets, and invalid packets
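The two-level translation on slides 12 and 13 (security policy in over the Application Layer Interface, functional policy out over the Functional Layer Interface, rules installed on every switch by the network controller, as in the centralized firewall of use case 4) is easier to reason about as running code. The following Python model is an added example written for this transcript; it is not code from the presenters, from I2NSF, or from any I2NSF implementation. `SecurityPolicy`, `FlowRule`, `SecurityServiceManager`, `NetworkController`, `Switch`, the sample policies and the sample packets are all constructed stand-ins, not the I2NSF YANG data models or RESTCONF/NETCONF payloads. The example goes slightly beyond the slide by showing how a more specific "allow" policy overrides a broader "block" policy through prefix-length priority, and what happens to traffic no policy covers.

```python
"""Toy model of the I2NSF two-interface flow from slides 12 and 13.

Constructed example: every class, field name, policy and packet below is a
hypothetical stand-in, not an I2NSF data model, RESTCONF/NETCONF payload or
vendor API.
"""
from dataclasses import dataclass, field
import ipaddress
from typing import Optional


@dataclass(frozen=True)
class SecurityPolicy:
    """Application Layer Interface payload: intent only, no device detail."""
    name: str
    action: str                      # "block" or "allow"
    src_cidr: str                    # source prefix the policy applies to
    protocol: str = "tcp"
    dst_port: Optional[int] = None   # None means any destination port


@dataclass(frozen=True)
class FlowRule:
    """Functional Layer Interface payload: something an NSF instance can enforce."""
    priority: int
    src_net: ipaddress.IPv4Network
    protocol: str
    dst_port: Optional[int]
    action: str                      # "drop" or "forward"


class SecurityServiceManager:
    """Slide 13, steps 1-2: accept a security policy, emit a functional policy."""

    ACTION_MAP = {"block": "drop", "allow": "forward"}

    def translate(self, policy: SecurityPolicy) -> FlowRule:
        if policy.action not in self.ACTION_MAP:
            raise ValueError(f"unknown action {policy.action!r}")
        net = ipaddress.ip_network(policy.src_cidr, strict=True)
        if not isinstance(net, ipaddress.IPv4Network):
            raise ValueError("this toy models IPv4 only")
        # Longer prefixes win, so a /32 exception outranks the /24 containing it.
        return FlowRule(priority=net.prefixlen, src_net=net,
                        protocol=policy.protocol.lower(),
                        dst_port=policy.dst_port,
                        action=self.ACTION_MAP[policy.action])


@dataclass
class Switch:
    """Forwarding element with a priority-ordered rule table."""
    name: str
    rules: list = field(default_factory=list)

    def handle(self, src_ip: str, protocol: str, dst_port: int) -> str:
        ip = ipaddress.ip_address(src_ip)
        for rule in self.rules:      # highest priority first (kept sorted on install)
            if (ip in rule.src_net and rule.protocol == protocol
                    and rule.dst_port in (None, dst_port)):
                return rule.action
        return "forward"             # default: traffic no policy covers passes


class NetworkController:
    """Slide 13, step 3: install each rule on every switch it manages."""

    def __init__(self, switches):
        self.switches = list(switches)

    def install(self, rule: FlowRule) -> None:
        for sw in self.switches:
            sw.rules.append(rule)
            sw.rules.sort(key=lambda r: r.priority, reverse=True)


def run_demo() -> dict:
    """Push two constructed policies through the pipeline and classify packets."""
    switches = [Switch("Switch1"), Switch("Switch2"), Switch("Switch3")]
    manager, controller = SecurityServiceManager(), NetworkController(switches)

    # Constructed policies; 203.0.113.0/24 is the TEST-NET-3 documentation range.
    for pol in (
        SecurityPolicy("block-ssh-from-testnet", "block", "203.0.113.0/24", "tcp", 22),
        SecurityPolicy("allow-jump-host", "allow", "203.0.113.10/32", "tcp", 22),
    ):
        controller.install(manager.translate(pol))

    # Constructed packets as (src_ip, protocol, dst_port).
    packets = {
        "ssh-from-blocked-host": ("203.0.113.7", "tcp", 22),
        "ssh-from-jump-host": ("203.0.113.10", "tcp", 22),
        "https-from-blocked-host": ("203.0.113.7", "tcp", 443),
        "ssh-from-elsewhere": ("198.51.100.4", "tcp", 22),
    }
    # Every switch received the same table, so Switch3 decides like the others.
    return {label: switches[2].handle(*pkt) for label, pkt in packets.items()}


if __name__ == "__main__":
    for label, decision in run_demo().items():
        print(f"{label:25s} -> {decision}")
```

The manager never sees switches and the controller never sees intent, which is the separation the two interfaces are meant to give: an application author writes `SecurityPolicy` objects, a vendor implements `Switch.handle`, and only the translation step has to know both. The default-forward fallthrough is the weak point to watch in any real deployment of this shape; a policy that fails translation (the `ValueError` paths) must be surfaced to the application rather than silently leaving the default in place.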

14 Conclusion
- Demands for cloud-based network security functions are increasing.
- Nowadays, off-premise security services are starting to be used.
- Common interfaces for network security functions are required to accommodate multi-vendor products.
- An efficient and flexible manner is required for virtual network security function services in the cloud.
- Standardization of I2NSF is a prerequisite for such effective, flexible security services.
