Posted on 23-Dec-2015

215 views

Category:

Documents


0 download

TRANSCRIPT

Page 1

Hyunsu Jang (1), Jaehoon (Paul) Jeong (1), Hyoungshick Kim (1), and Jung-Soo Park (2)

(1) Sungkyunkwan University and (2) ETRI, Korea

A Survey on Interfaces to Network Security Functions in Network Virtualization

Speaker: Yiwen (Chris) Shen, Cyber-Physical Systems Lab (CPS), SKKU, Suwon, Korea

Most contents of these slides are from the IETF meeting DC2-2015 Workshop.

Page 2

Contents

I. Introduction
II. Motivation
III. I2NSF
IV. Network Security Functions
V. Use Cases
VI. Discussion and Conclusion

Page 3

Motivation

Legacy limitations:
- Sophisticated network attacks are increasing.
- The effectiveness of existing security services is limited.
- Newly updated security services should be provided.

Current state of network security functions:
- Various Security as a Service (SaaS) offerings in the cloud
- Proprietary
- Hosted in data centers, thus additional overhead of network traffic
- Difficult to maintain consistent updates across all the devices
- No common mechanism to verify the fulfillment of demands

Page 4

I2NSF

Attention in the Internet Engineering Task Force (IETF):
- Security services, e.g., firewall, intrusion detection system (IDS), and intrusion prevention system (IPS)
- Common network security applications and requirements

I2NSF is an IETF effort to standardize the interface for network security functions offered on any kind of cloud, regardless of its location or operator. Network security functions can be:
- Firewall
- DDoS/Anti-DoS (Distributed Denial-of-Service/Anti-Denial-of-Service)
- AAA (Authentication, Authorization, Accounting)
- Remote identity management
- Secure key management
- IDS/IPS (Intrusion Detection System/Intrusion Prevention System)

Page 5

Use Case 1: Access Networks (1/2)

Lopez et al. suggested an Open Operation, Administration, and Management (OAM) interface.
- For residential and mobile network access
- Typical security applications:
  - Traffic inspection, e.g., deep packet inspection (DPI)
  - Traffic manipulation: security functions (e.g., IPS, firewall, and virtual private network) control traffic
  - Traffic impersonation: monitor intruders' activities; design decoy systems (e.g., honeypots)

Page 6

Use Case 1: Access Networks (2/2)

Typical security applications:

[Figure: two deployment diagrams of a vNSF placed between the user-access side and the Internet side; online traffic passes through the vNSF, while alerts are delivered offline.]

Page 7

Use Case 2: Integrated Security with Mobile Networks (1/2)

M. Qi et al. provided a use case of vNSF in mobile networks.

[Figure: operator network, 3rd-party private network, and the Internet, with links labelled "One-way authentication with pre-shared key", "Mutual authentication with pre-shared key", and "Mutual authentication with certificate".]

Page 8

Use Case 2: Integrated Security with Mobile Networks (2/2)

Virtualized security functions can provide more flexible and reliable protection.

[Figure: operator network, 3rd-party private network, and the Internet.]

Page 9

Use Case 3: Data Center

Leymann et al. proposed a data-center use case:
- Clients' computing servers are deployed across different physical servers.
- It is not technically and financially feasible to deploy the demanded physical firewalls on every server.
- What is needed is the ability to dynamically deploy virtual firewalls for each client's set of servers based on established security policies and underlying network topologies.

Issue: how to control and reduce the overhead of network traffic from those security services?

[Figure: third-party apps and DC clients submit I2NSF intent-based policies to a controller, which translates them into vendor-specific settings on physical resources.]

Page 10

Use Case 4: Security Services based on Software-Defined Networking

Jeong et al. proposed a framework for security services based on SDN.
- Suggested two use cases: a centralized firewall system and a centralized DDoS-attack mitigation system

Issue: how to provide efficient, flexible security services?

[Figure: a firewall and a DDoS-attack mitigator sit above an SDN controller, which installs new rules (e.g., drop packets with suspicious patterns) on Switch1, Switch2, and Switch3 handling incoming packets.]

Page 11

Use Case 5: Open Platform for NFV

Downley et al. explained an open NFV platform:
- NFV Infrastructure (NFVI)
- Virtualized Infrastructure Management (VIM)
- API for other components of NFV

Page 12

Research Challenges

Design and implementation of the Application Layer Interface:
- The Application Layer Interface is the API used by applications to tell security policies to the Security Service Manager.
- A candidate protocol is RESTCONF.
- The interface should consider expression capability, scalability, and efficiency.

Design and implementation of the Functional Layer Interface:
- The Functional Layer Interface is the API used by the Security Service Manager to tell configurations and operations to the virtual machines (e.g., firewall and web filter) performing security functions.
- A candidate protocol is NETCONF.
- The interface should consider scalability and efficiency.
- Secure and authenticated APIs might be needed to prevent unauthorized API requests, i.e., key management.

Page 13

I2NSF Security Services (e.g., SDN Approach)

[Figure: (1) an application sends a security policy over the App Layer Interface (e.g., RESTCONF) to the Security Service Manager; (2) the manager sends functional policy over the Functional Layer Interface (e.g., NETCONF) to the firewall and web filter; (3) the network controller (e.g., via I2RS) installs new rules (e.g., drop packets with suspicious patterns) on Switch1, Switch2, and Switch3, which separate incoming packets into valid packets (forwarded as outgoing packets) and invalid packets.]
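The two-layer flow described on pages 12 and 13, as an added illustration that is not code from the slides or from the I2NSF work: a toy Security Service Manager that authenticates an application-layer policy request with an HMAC (the "secure and authenticated APIs" point) and translates the intent into functional-layer rules for a firewall and a web filter. The policy format, rule types, NSF names, and shared key are all assumptions.

```python
"""Toy I2NSF Security Service Manager (added example, not from the slides).

Assumed model: an application submits a high-level policy over the App Layer
Interface (RESTCONF-style JSON); the manager authenticates it, then maps it to
per-NSF functional configuration that the Functional Layer Interface (e.g.,
NETCONF) would push to a firewall or web filter. All names are assumptions.
"""
import hashlib
import hmac
import json

# Constructed shared key for the application -> manager interface.
APP_API_KEY = b"constructed-demo-key"


def sign_policy(policy: dict, key: bytes = APP_API_KEY) -> str:
    """HMAC-SHA256 over canonical JSON so the manager can reject forged requests."""
    body = json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def translate(policy: dict, signature: str, key: bytes = APP_API_KEY) -> dict:
    """Verify the request, then map app-level intent to functional-layer configs."""
    if not hmac.compare_digest(sign_policy(policy, key), signature):
        raise PermissionError("rejected unauthenticated App Layer request")
    configs = {"firewall": [], "web-filter": []}
    for rule in policy["rules"]:
        if rule["type"] == "block-ip":      # -> firewall NSF drop rule
            configs["firewall"].append(
                {"match": {"src": rule["target"]}, "action": "drop"})
        elif rule["type"] == "block-url":   # -> web-filter NSF deny rule
            configs["web-filter"].append(
                {"url-pattern": rule["target"], "action": "deny"})
        else:                               # unknown intent is an error, not ignored
            raise ValueError(f"unsupported rule type: {rule['type']}")
    return configs


# Constructed sample policy from a tenant application.
SAMPLE_POLICY = {
    "client": "tenant-a",
    "rules": [
        {"type": "block-ip", "target": "192.0.2.10"},
        {"type": "block-url", "target": "*.example.test"},
    ],
}

if __name__ == "__main__":
    sig = sign_policy(SAMPLE_POLICY)
    print(json.dumps(translate(SAMPLE_POLICY, sig), indent=2))
```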

Page 14

Conclusion
- Demands for cloud-based network security functions are increasing.
- Nowadays, off-premise security services are starting to be used.
- Common interfaces for network security functions are required to accommodate multi-vendor products.
- An efficient and flexible manner is required for virtual network security function services in the cloud.
- Standardization of I2NSF is a prerequisite for such effective, flexible security services.