Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Survey on Interfaces to Network Security

Published byOpal Green Modified over 8 years ago

Similar presentations

Presentation on theme: "A Survey on Interfaces to Network Security"— Presentation transcript:

1 A Survey on Interfaces to Network Security
DC Workshop A Survey on Interfaces to Network Security Functions in Network Virtualization Hyunsu Jang1, Jaehoon (Paul) Jeong1, Hyoungshick Kim1, and Jung-Soo Park2 1Sungkyunkwan University and 2ETRI, Korea Speaker: Yiwen (Chris) Shen Cyber-Physical Systems Lab (CPS), SKKU, Suwon, Korea Most contents of these slides are from IETF meeting

2 Contents I Introduction Motivation II I2NSF III
Network Security Functions V Use Cases VI Discussion and Conclusion

3 Motivation Legacy Limitations:
Sophisticated network attacks are increasing. The effectiveness of existing security services is limited. Newly updated security services should be provided. Current State of Network Security Functions: Various Security as a Service (SaaS) in cloud Proprietary Hosted in data centers, thus additional overhead of network traffic Difficult to maintain consistent updates across all the devices No common mechanism to verify the fulfillment of demands

4 I2NSF Attention in Internet Engineering Task Force (IETF)
Security services, e.g., firewall, intrusion detection system (IDS), and intrusion prevention systems (IPS) Common network security applications and requirements I2NSF is an IETF effort to standardize the interface for network security functions offered on any kinds of cloud regardless of its location or operator. Network security functions can be: Firewall DDOS/Anti-DOS (Distributed Denial-of-Service/Anti-Denial-of Service) AAA (Authentication, Authorization, Accounting) Remote identity management Secure key management IDS/IPS (Intrusion Detection System/Intrusion Prevention System)

5 Use Case 1: Access Networks (1/2)
Lopez, et al. suggested an Open operation, Administration, and Management (OAM) interface. For residential and mobile network access Typical security applications: Traffic inspection E.g., Deep packet inspection (DPI) Traffic manipulation Security functions (e.g., IPS, firewall, and virtual private network) control traffic Traffic impersonation Monitor intruders’ activities Design decoy systems (e.g., honeypots)

6 Use Case 1: Access Networks (2/2)
Typical security applications: vNSF Online traffic User access Internet side Offline: Alerts vNSF Online traffic User access vNSF Offline: Alerts Online traffic Internet side Traffic inspection E.g., Deep packet inspection (DPI) Traffic manipulation Security functions (e.g., IPS, firewall, and virtual private network) control traffic Traffic impersonation Monitor intruders’ activities Design decoy systems (e.g., honeypots)

7 Use Case 2: Integrated Security with Mobile Networks (1/2)
M. Qi et al. provided a use case of vNSF in mobile networks Operator Network 3rd Party Private Network Internet One-way authentication with pre-shared key Mutual authentication with pre-shared key Mutual authentication with certificate Mobile devices -> BS, AP -> security functions (packet inspection, traffic control etc.,) - > 3rd party or internet All these security functions are on different hardwares

8 Use Case 2: Integrated Security with Mobile Networks (2/2)
Virtualized Security Function can provide more flexible and reliable protection Operator Network 3rd Party Private Network Internet Security functions set Install security instances

9 I2NSF Intent based Policies Controller (Translation)
Use Case 3: Data Center Leymann et al. proposed a data-center use case: Clients’ computing servers deployed across different physical servers Not technically and financially feasible to deploy demanded physical firewalls on every servers What is needed is the ability to dynamically deploy virtual firewalls for each client’s set of servers based on established security policies and underlying network topologies. Issue: how to control and reduce the overhead of network traffic from those security services? Third party Apps DC Clients I2NSF Intent based Policies Controller (Translation) Physical Resource Vendor Specific Setting Share physical resources Now, all SFs are on controller Issue: Use case 2 and 3 They both extract the Security Functions from cloud, network traffic overhead

10 Use Case 4: Security Services based on Software-Defined Networking
Jeong et al. proposed a framework for security services based on SDN. Suggested two use cases Centralized firewall system Centralized DDoS-attack mitigation system Issue: how to provide efficient, flexible security services? DDoS-Attack Mitigator Firewall SDN Controller Switch2 Switch3 Switch1 Install new rules (e.g., drop packets with suspicious patterns) Incoming packets

11 Use Case 5: Open Platform for NFV
Downley et al. explained an open NFV platform NFV Infrastructure (NFVI) Virtualized Infrastructure Management (VIM) API for other components of NFV

12 Research Challenges Design and Implementation of Application Layer Interface Application Layer Interface is API used for Applications to tell security policies to Security Service Manager. A candidate protocol is RESTCONF. The interface should consider expression capability, scalability, and efficiency.  Design and Implementation of Functional Layer Interface Functional Layer Interface is API used for Security Service Manager to tell configurations and operations to Virtual Machines (e.g., firewall and web filter), performing security functions. A candidate protocol is NETCONF. The interface should consider scalability and efficiency. Secure and authenticated APIs might be needed to prevent unauthorized API requests, i.e., key management.

13 I2NSF Security Services (e.g., SDN Approach)
Security Service Manager Application 1. App Layer Interface (Security Policy) e.g., RESTCONF 2. Functional Layer Interface (Functional Policy) e.g., NETCONF Firewall Web Filter e.g., I2RS Network Controller 3. Install new rules (e.g., drop packets with suspicious patterns) Incoming packets Switch1 Switch2 Valid packets Invalid packets Outgoing packets Switch3

14 Conclusion Demands for cloud-based network security functions are increasing. Nowadays, off-premise security services start to be used. Common interfaces for network security functions are required to accommodate multi-vendor products. An efficient and flexible manner is required for virtual network security function services in cloud. Standardization of I2NSF is a prerequisite for such effective, flexible security services.

Download ppt "A Survey on Interfaces to Network Security"

Similar presentations

I2NSF Use Cases in Access Networks Diego Lopez Telefónica I+D IETF91, Honolulu, 9-14 Nov.

I2NSF Use Cases in Access Networks Diego Lopez Telefónica I+D IETF91, Honolulu, 9-14 Nov.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, 2009 05/30/2009.

WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, /30/2009.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
What is Cloud Computing? o Cloud computing:- is a style of computing in which dynamically scalable and often virtualized resources are provided as a service.

What is Cloud Computing? o Cloud computing:- is a style of computing in which dynamically scalable and often virtualized resources are provided as a service.
Asper School of Business University of Manitoba Systems Analysis & Design Instructor: Bob Travica System architectures Updated: November 2014.

Asper School of Business University of Manitoba Systems Analysis & Design Instructor: Bob Travica System architectures Updated: November 2014.
Data Security in Local Networks using Distributed Firewalls

Data Security in Local Networks using Distributed Firewalls
Jaehoon (Paul) Jeong, Hyoungshick Kim, and Jung-Soo Park

Jaehoon (Paul) Jeong, Hyoungshick Kim, and Jung-Soo Park
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
SPRING 2011 CLOUD COMPUTING Cloud Computing San José State University Computer Architecture (CS 147) Professor Sin-Min Lee Presentation by Vladimir Serdyukov.

SPRING 2011 CLOUD COMPUTING Cloud Computing San José State University Computer Architecture (CS 147) Professor Sin-Min Lee Presentation by Vladimir Serdyukov.
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?

Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 10 – Implementing the Cisco Adaptive Security.

© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 10 – Implementing the Cisco Adaptive Security.
JVM Tehnologic Company profile & core business Founded: February 1992; –Core business: design and implementation of large software applications mainly.

JVM Tehnologic Company profile & core business Founded: February 1992; –Core business: design and implementation of large software applications mainly.
Customer Sales Presentation Stoneware webNetwork Powered by ThinkServer.

Customer Sales Presentation Stoneware webNetwork Powered by ThinkServer.

Similar presentations

Ads by Google