TRANSCRIPT
-1-
A Survey on Interfaces to Network Security Functions in Network Virtualization
Hyunsu Jang1, Jaehoon (Paul) Jeong1, Hyoungshick Kim1, and Jung-Soo Park2
1Sungkyunkwan University and 2ETRI, Korea
Speaker: Yiwen (Chris) Shen, Cyber-Physical Systems Lab (CPS), SKKU, Suwon, Korea
Most contents of these slides are from the IETF meeting.
DC2-2015 Workshop
-2-
Contents
I Introduction
II Motivation
III I2NSF
IV Network Security Functions
V Use Cases
VI Discussion and Conclusion
-3-
Motivation
Legacy limitations:
• Sophisticated network attacks are increasing.
• The effectiveness of existing security services is limited.
• Newly updated security services should be provided.
Current state of network security functions:
• Various Security as a Service (SaaS) offerings in the cloud
• Proprietary
• Hosted in data centers, thus additional overhead of network traffic
• Difficult to maintain consistent updates across all the devices
• No common mechanism to verify the fulfillment of demands
-4-
I2NSF
Attention in the Internet Engineering Task Force (IETF):
• Security services, e.g., firewall, intrusion detection system (IDS), and intrusion prevention system (IPS)
• Common network security applications and requirements
I2NSF is an IETF effort to standardize the interface for network security functions offered on any kind of cloud, regardless of its location or operator. Network security functions can be:
• Firewall
• DDoS/Anti-DoS (Distributed Denial-of-Service/Anti-Denial-of-Service)
• AAA (Authentication, Authorization, Accounting)
• Remote identity management
• Secure key management
• IDS/IPS (Intrusion Detection System/Intrusion Prevention System)
-5-
Use Case 1: Access Networks (1/2)
Lopez, et al. suggested an Open Operation, Administration, and Management (OAM) interface.
• For residential and mobile network access
Typical security applications:
• Traffic inspection, e.g., deep packet inspection (DPI)
• Traffic manipulation: security functions (e.g., IPS, firewall, and virtual private network) control traffic
• Traffic impersonation: monitor intruders' activities; design decoy systems (e.g., honeypots)
-6-
Use Case 1: Access Networks (2/2)
Typical security applications:
[Figure: vNSF placement in an access network; labels: User access, Online traffic, vNSF, Internet side, Offline: Alerts]
-7-
Use Case 2: Integrated Security with Mobile Networks (1/2)
M. Qi et al. provided a use case of vNSF in mobile networks.
[Figure: Operator Network, 3rd Party Private Network, and Internet; authentication options shown: one-way authentication with pre-shared key, mutual authentication with pre-shared key, mutual authentication with certificate]
-8-
Use Case 2: Integrated Security with Mobile Networks (2/2)
Virtualized security functions can provide more flexible and reliable protection.
[Figure: Operator Network, 3rd Party Private Network, and Internet]
-9-
Use Case 3: Data Center
Leymann et al. proposed a data-center use case:
• Clients' computing servers are deployed across different physical servers.
• It is not technically and financially feasible to deploy the demanded physical firewalls on every server.
What is needed is the ability to dynamically deploy virtual firewalls for each client's set of servers based on established security policies and underlying network topologies.
Issue: how to control and reduce the overhead of network traffic from those security services?
[Figure: Third party Apps and DC Clients -> I2NSF intent-based policies -> Controller (translation) -> vendor-specific setting -> physical resource]
-10-
Use Case 4: Security Services based on Software-Defined Networking
Jeong et al. proposed a framework for security services based on SDN.
Suggested two use cases:
• Centralized firewall system
• Centralized DDoS-attack mitigation system
Issue: how to provide efficient, flexible security services?
[Figure: Firewall and DDoS-Attack Mitigator applications on top of an SDN Controller, which installs new rules (e.g., drop packets with suspicious patterns) on Switch1, Switch2, and Switch3 handling incoming packets]
-11-
Use Case 5: Open Platform for NFV
Downley et al. explained an open NFV platform:
• NFV Infrastructure (NFVI)
• Virtualized Infrastructure Management (VIM)
• API for other components of NFV
-12-
Research Challenges
Design and implementation of the Application Layer Interface:
• The Application Layer Interface is the API used by applications to tell security policies to the Security Service Manager.
• A candidate protocol is RESTCONF.
• The interface should consider expression capability, scalability, and efficiency.
Design and implementation of the Functional Layer Interface:
• The Functional Layer Interface is the API used by the Security Service Manager to tell configurations and operations to virtual machines (e.g., firewall and web filter) performing security functions.
• A candidate protocol is NETCONF.
• The interface should consider scalability and efficiency.
• Secure and authenticated APIs might be needed to prevent unauthorized API requests, i.e., key management.
-13-
I2NSF Security Services (e.g., SDN Approach)
[Figure: Application -> 1. App Layer Interface (security policy), e.g., RESTCONF -> Security Service Manager -> 2. Functional Layer Interface (functional policy), e.g., NETCONF -> Firewall and Web Filter; Network Controller (e.g., I2RS) -> 3. Install new rules (e.g., drop packets with suspicious patterns) on Switch1, Switch2, and Switch3; incoming packets are separated into valid packets (forwarded as outgoing packets) and invalid packets]
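The three-step flow in this figure, as an added example that is not code from the slides or from any I2NSF implementation: an application submits a high-level security policy over the Application Layer Interface, the Security Service Manager authenticates the request (the "secure and authenticated APIs" challenge) and translates it into a functional-layer firewall rule, and the network controller installs flow rules on the switches, which then separate valid from invalid packets. The HMAC tag, the shared key, the JSON policy format and the switch names are assumptions standing in for RESTCONF/NETCONF messages, which are not modelled here.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed shared key between the Application and the Security Service Manager
# (assumption: the slides only say authenticated APIs and key management are needed).
SHARED_KEY = b"constructed-demo-key"

def sign(body: dict, key: bytes = SHARED_KEY) -> str:
    """Tag an interface request with an HMAC-SHA256 over its canonical JSON."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()

def translate_policy(policy: dict, tag: str, key: bytes = SHARED_KEY) -> list:
    """Steps 1 -> 2: the Security Service Manager checks the tag on the
    application-layer request, then turns each high-level security policy
    into a functional-layer rule for the firewall NSF."""
    if not hmac.compare_digest(sign(policy, key), tag):
        raise PermissionError("unauthenticated policy request rejected")
    return [{"nsf": "firewall",
             "src": ipaddress.ip_network(r["src"]),
             "dst_port": r["dst_port"],
             "action": r["action"]} for r in policy["rules"]]

def install_rules(rules: list, switches: list) -> dict:
    """Step 3: the network controller pushes the same flow rules to every
    switch; a trailing default rule forwards everything else."""
    default = {"src": ipaddress.ip_network("0.0.0.0/0"),
               "dst_port": None, "action": "forward"}
    return {sw: rules + [default] for sw in switches}

def classify(packet: dict, flow_table: list) -> str:
    """Data plane: the first matching rule decides whether a packet is
    valid (forwarded) or invalid (dropped)."""
    src = ipaddress.ip_address(packet["src"])
    for rule in flow_table:
        if src in rule["src"] and rule["dst_port"] in (None, packet["dst_port"]):
            return rule["action"]
    return "forward"

# Constructed sample policy: drop traffic from a suspicious prefix to port 23.
POLICY = {"rules": [{"src": "203.0.113.0/24", "dst_port": 23, "action": "drop"}]}
TABLES = install_rules(translate_policy(POLICY, sign(POLICY)),
                       ["Switch1", "Switch2", "Switch3"])
```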
-14-
Conclusion
• Demands for cloud-based network security functions are increasing.
• Nowadays, off-premise security services are starting to be used.
• Common interfaces for network security functions are required to accommodate multi-vendor products.
• An efficient and flexible manner is required for virtual network security function services in the cloud.
• Standardization of I2NSF is a prerequisite for such effective, flexible security services.