A Survey on Interfaces to Network Security

DC2-2015 Workshop
A Survey on Interfaces to Network Security Functions in Network Virtualization
Hyunsu Jang (1), Jaehoon (Paul) Jeong (1), Hyoungshick Kim (1), and Jung-Soo Park (2)
(1) Sungkyunkwan University and (2) ETRI, Korea
Speaker: Yiwen (Chris) Shen, Cyber-Physical Systems Lab (CPS), SKKU, Suwon, Korea
Most contents of these slides are from IETF meetings.

Contents
I. Introduction: Motivation
II. I2NSF
III. Network Security Functions
V. Use Cases
VI. Discussion and Conclusion

Motivation
Legacy limitations:
- Sophisticated network attacks are increasing.
- The effectiveness of existing security services is limited.
- Newly updated security services should be provided.
Current state of network security functions:
- Various Security as a Service (SaaS) offerings in the cloud
- Proprietary
- Hosted in data centers, thus additional overhead of network traffic
- Difficult to maintain consistent updates across all the devices
- No common mechanism to verify the fulfillment of demands

I2NSF
- Attention in the Internet Engineering Task Force (IETF)
- Security services, e.g., firewall, intrusion detection system (IDS), and intrusion prevention system (IPS)
- Common network security applications and requirements
- I2NSF is an IETF effort to standardize the interface for network security functions offered on any kind of cloud, regardless of its location or operator.
Network security functions can be:
- Firewall
- DDoS/Anti-DoS (Distributed Denial-of-Service / Anti-Denial-of-Service)
- AAA (Authentication, Authorization, Accounting)
- Remote identity management
- Secure key management
- IDS/IPS (Intrusion Detection System / Intrusion Prevention System)

Use Case 1: Access Networks (1/2)
Lopez et al. suggested an open Operation, Administration, and Management (OAM) interface for residential and mobile network access.
Typical security applications:
- Traffic inspection, e.g., deep packet inspection (DPI)
- Traffic manipulation: security functions (e.g., IPS, firewall, and virtual private network) control traffic
- Traffic impersonation: monitor intruders' activities; design decoy systems (e.g., honeypots)

Use Case 1: Access Networks (2/2)
[Figure: two vNSF deployments between the user access side and the Internet side; online traffic passes through the vNSF, which emits offline alerts.]
Typical security applications:
- Traffic inspection, e.g., deep packet inspection (DPI)
- Traffic manipulation: security functions (e.g., IPS, firewall, and virtual private network) control traffic
- Traffic impersonation: monitor intruders' activities; design decoy systems (e.g., honeypots)

Use Case 2: Integrated Security with Mobile Networks (1/2)
M. Qi et al. provided a use case of vNSF in mobile networks.
[Figure: Operator Network, 3rd Party Private Network, and Internet, connected by links using one-way authentication with a pre-shared key, mutual authentication with a pre-shared key, and mutual authentication with a certificate.]
Traffic path: mobile devices -> BS, AP -> security functions (packet inspection, traffic control, etc.) -> 3rd party or Internet
All these security functions run on different hardware.

Use Case 2: Integrated Security with Mobile Networks (2/2)
A virtualized security function can provide more flexible and reliable protection.
[Figure: Operator Network, 3rd Party Private Network, and Internet; a set of security functions from which security instances are installed where needed.]

Use Case 3: Data Center
Leymann et al. proposed a data-center use case:
- Clients' computing servers are deployed across different physical servers.
- It is not technically and financially feasible to deploy the demanded physical firewalls on every server.
- What is needed is the ability to dynamically deploy virtual firewalls for each client's set of servers, based on established security policies and the underlying network topologies.
Issue: how to control and reduce the overhead of network traffic from those security services?
[Figure: third-party apps and DC clients submit intent-based policies to the I2NSF controller, which translates them into vendor-specific settings on shared physical resources; all security functions are now on the controller.]
Issue with use cases 2 and 3: both extract the security functions from the cloud, which adds network traffic overhead.

Use Case 4: Security Services based on Software-Defined Networking
Jeong et al. proposed a framework for security services based on SDN and suggested two use cases:
- Centralized firewall system
- Centralized DDoS-attack mitigation system
Issue: how to provide efficient, flexible security services?
[Figure: a DDoS-attack mitigator and a firewall sit on top of the SDN controller; the controller installs new rules (e.g., drop packets with suspicious patterns) on Switch1, Switch2, and Switch3, which process the incoming packets.]

Use Case 5: Open Platform for NFV
Downley et al. explained an open NFV platform:
- NFV Infrastructure (NFVI)
- Virtualized Infrastructure Management (VIM)
- API for other components of NFV

Research Challenges
Design and implementation of the Application Layer Interface:
- The Application Layer Interface is the API used by applications to tell security policies to the Security Service Manager.
- A candidate protocol is RESTCONF.
- The interface should consider expression capability, scalability, and efficiency.
Design and implementation of the Functional Layer Interface:
- The Functional Layer Interface is the API used by the Security Service Manager to tell configurations and operations to the virtual machines (e.g., firewall and web filter) performing security functions.
- A candidate protocol is NETCONF.
- The interface should consider scalability and efficiency.
- Secure and authenticated APIs might be needed to prevent unauthorized API requests, i.e., key management.

I2NSF Security Services (e.g., SDN Approach)
[Figure: an application sends a security policy to the Security Service Manager over (1) the Application Layer Interface (e.g., RESTCONF); the Security Service Manager sends functional policy to the firewall and web filter over (2) the Functional Layer Interface (e.g., NETCONF); through the network controller (e.g., I2RS) it (3) installs new rules (e.g., drop packets with suspicious patterns) on Switch1, Switch2, and Switch3; incoming packets are split into valid packets, which leave as outgoing packets, and invalid packets, which are dropped.]
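The two-layer flow on this slide, as an added illustration that is not code from the survey or from the I2NSF working group: a hypothetical Security Service Manager takes an application-layer policy (the kind of JSON document RESTCONF could carry), translates it into functional-layer flow rules, and a switch then applies those rules to mark incoming packets valid or invalid. The field names, policy content and sample packets are all assumptions constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed application-layer policy, as an application might submit it to the
# Security Service Manager over the Application Layer Interface (e.g., JSON via RESTCONF).
# Field names and values are assumptions for this example, not an I2NSF data model.
APP_POLICY = {
    "policy-name": "block-suspicious-sources",
    "rules": [
        {"name": "drop-ssh-from-scanner-net", "src": "203.0.113.0/24",
         "dst-port": 22, "action": "drop", "priority": 100},
        {"name": "drop-all-from-quarantine", "src": "192.0.2.0/24",
         "action": "drop", "priority": 50},
    ],
}

@dataclass(frozen=True)
class FlowRule:
    """Functional-layer rule the manager hands to the network controller for a switch."""
    priority: int
    src: Optional[ipaddress.IPv4Network]  # None means "any source"
    dst_port: Optional[int]               # None means "any destination port"
    action: str                           # "drop" or "allow"

def translate_policy(policy: dict) -> list:
    """Application-layer policy -> functional-layer flow rules, highest priority first.
    Unknown actions are rejected here so that nothing ambiguous reaches the switches."""
    rules = []
    for r in policy["rules"]:
        if r["action"] not in ("drop", "allow"):
            raise ValueError(f"rule {r['name']!r}: unsupported action {r['action']!r}")
        src = ipaddress.ip_network(r["src"]) if "src" in r else None
        rules.append(FlowRule(r["priority"], src, r.get("dst-port"), r["action"]))
    return sorted(rules, key=lambda rule: -rule.priority)

def classify(packet: dict, rules: list) -> str:
    """Switch-side match: the highest-priority rule whose fields all match decides.
    A packet matching no rule is forwarded (default allow, as in the slide's figure)."""
    src_ip = ipaddress.ip_address(packet["src"])
    for rule in rules:
        if rule.src is not None and src_ip not in rule.src:
            continue
        if rule.dst_port is not None and packet.get("dst_port") != rule.dst_port:
            continue
        return rule.action
    return "allow"

if __name__ == "__main__":
    # Constructed sample packet: SSH from the scanner network is dropped.
    print(classify({"src": "203.0.113.7", "dst_port": 22}, translate_policy(APP_POLICY)))
```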

Conclusion
- Demands for cloud-based network security functions are increasing.
- Nowadays, off-premise security services are starting to be used.
- Common interfaces for network security functions are required to accommodate multi-vendor products.
- An efficient and flexible manner is required for virtual network security function services in the cloud.
- Standardization of I2NSF is a prerequisite for such effective, flexible security services.