
Interface to Network Security Functions Nov 2014 Linda Dunbar Myo Zarny


1 Interface to Network Security Functions, Nov 2014. Linda Dunbar (linda.dunbar@huawei.com), Myo Zarny (Myo.Zarny@gs.com), Christian Jacquenet (Christian.jacquenet@orange.com), Shaibal Chakrabarty (shaibalc@us-ignite.org)

2 Firewall box configuration: ports- and links-based

3 Challenges
[Figure: Internet, two vSwitches each hosting VM1/VM2, a Resource Pool and a Resource & Policies management block]
Clients need to control the network security functions for their virtual networks. Key properties:
– Clients don't know how their VMs are mapped in the network.
– VMs that are moved will end up on different network ports.
– Clients can't easily view/query the FW policies related to their virtual networks.

4 Common functional components of a FW
Functional components:
– User authentication, user privilege control
– Policies, targets
– Configuration, query, validation
– Logging, reporting
– Maintenance methods
– …
Interface to clients: RESTful API; web portal (web browser, customer web portal, automated provisioning system)

5 Goal: a common interface for clients to specify desired network security functions, regardless of whether the policies are enforced by a FW or by other devices. Clients' policies stay the same regardless of which IP/MAC addresses are assigned or changed as VMs move around DCs.
Config 1: App 1=IP1, App 2=IP2, App 3=IP3, App 4=IP4, …
Config 2: App 1=IP11, App 2=IP12, App 3=IP13, App 4=IP14, …
Policies for firewall (Config 1): IP1===>IP3, IP1===>IP4, IP2=X=>IP3, IP2===>IP4, IP3===>IP1, IP3===>IP2, IP4=X=>IP1, IP4===>IP2
Change of the policies (Config 2): IP11===>IP12, IP11===>IP14, IP13===>IP12, IP13===>IP14, …, IP12=X=>IP11, IP12=X=>IP13, IP14=X=>IP11, IP14=X=>IP13, …
Zones: Yellow zone, Green zone, …
Security policy: Yellow===>Yellow, Green; Green===>Green; Prohibited: Green=X=>Yellow
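An added example (not from the slides) of the point on this slide: the client's policy is written against zones, and the firewall's IP rule table is re-resolved from it whenever the app-to-IP mapping changes. The zone membership (App1/App3 in Yellow, App2/App4 in Green) is an assumption; the slide does not state it, but it is the only assignment that reproduces the slide's Config 1 rule table.

```python
"""Zone-based policy evaluation: the same client policy is re-resolved
to IP pairs whenever the app-to-IP mapping changes (VM moves)."""
from itertools import permutations

# Zone policy as written on the slide: allowed (src_zone, dst_zone) pairs.
# Anything not listed is prohibited (Green -> Yellow).
ZONE_POLICY = {("Yellow", "Yellow"), ("Yellow", "Green"), ("Green", "Green")}

# Assumed zone membership (not stated on the slide; chosen so that the
# expansion below reproduces the slide's Config 1 rule table).
ZONES = {"App1": "Yellow", "App2": "Green", "App3": "Yellow", "App4": "Green"}

# The two address configurations from the slide (before/after VM moves).
CONFIG1 = {"App1": "IP1", "App2": "IP2", "App3": "IP3", "App4": "IP4"}
CONFIG2 = {"App1": "IP11", "App2": "IP12", "App3": "IP13", "App4": "IP14"}


def allowed_by_zone(src_app, dst_app, zones=ZONES, policy=ZONE_POLICY):
    """Decide at the application/zone level; IP addresses never enter here."""
    return (zones[src_app], zones[dst_app]) in policy


def expand_to_ip_rules(addrs, zones=ZONES, policy=ZONE_POLICY):
    """Resolve the zone policy into the per-IP rule table a firewall needs.

    Returns {(src_ip, dst_ip): True/False} for every ordered app pair."""
    return {(addrs[s], addrs[d]): allowed_by_zone(s, d, zones, policy)
            for s, d in permutations(addrs, 2)}


def ip_decision(ip_rules, src_ip, dst_ip):
    """A firewall working from a static IP table: unknown pairs are denied."""
    return ip_rules.get((src_ip, dst_ip), False)


def app_decision(addrs, ip_rules, src_app, dst_app):
    """Look up an app-to-app flow in an IP rule table under a given config."""
    return ip_decision(ip_rules, addrs[src_app], addrs[dst_app])


if __name__ == "__main__":
    rules1 = expand_to_ip_rules(CONFIG1)
    rules2 = expand_to_ip_rules(CONFIG2)
    for s, d in permutations(CONFIG1, 2):
        # The zone policy yields the same verdict under both configs.
        assert app_decision(CONFIG1, rules1, s, d) == app_decision(CONFIG2, rules2, s, d)
    # A stale IP table from Config 1 denies everything after renumbering.
    print(app_decision(CONFIG2, rules1, "App1", "App3"))  # False: stale table
    print(app_decision(CONFIG2, rules2, "App1", "App3"))  # True: re-resolved
```

The stale-table case is the failure mode slide 5 motivates: an IP-based rule set written for Config 1 silently denies (or, with permissive defaults, permits) the wrong flows once VMs are renumbered, while the zone policy needs no change.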

6 Security functions under consideration
The wide acceptance of security functions that are not running on customer premises. For example:
– Security as a Service: https://cloudsecurityalliance.org/research/secaas/#_get-involved
– Firewall as a Service: http://docs.openstack.org/admin-guide-cloud/content/fwaas.html
– Security has the sense of "long-lasting services", so we don't have to deal with "on-demand" oscillation issues.
Here are the network functions under consideration:
– Firewall
– IPS/IDS (intrusion prevention system / intrusion detection system)
– DDoS/anti-DoS
– Access control / authorization / authentication
– Secure key management

7 FW as a Service: potential attributes

8 Security as a Service: Potential attributes

9 Relevant industry initiatives
Firewall as a Service by OpenStack
– OpenStack completed the Firewall as a Service project and specified the set of APIs for firewall services: http://docs.openstack.org/admin-guide-cloud/content/fwaas_api_abstractions.html
– OpenStack has defined the APIs for managing Security Groups: http://docs.openstack.org/admin-guide-cloud/content/securitygroup_api_abstractions.html
– Attributes defined by OpenStack Firewall/Security as a Service will be the basis of the information model for the proposed work in the VNFOD IETF initiative.
Security as a Service by Cloud Security Alliance
– SaaS by CSA is at the very initial stage of defining the scope of work.
