Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Requirements for Software Defined Networks Internet Area WG IETF 85: Atlanta November 4, 2012 Margaret Wasserman

Published byLester Fields Modified over 8 years ago

Similar presentations

Presentation on theme: "Security Requirements for Software Defined Networks Internet Area WG IETF 85: Atlanta November 4, 2012 Margaret Wasserman"— Presentation transcript:

1 Security Requirements for Software Defined Networks Internet Area WG IETF 85: Atlanta November 4, 2012 Margaret Wasserman mrw@painless-security.com

2 SDN Security Requirements Draft  Security Requirements in the SDN Model  http://tools.ietf.org/html/draft-hartman-sdnsec- requirements-00 http://tools.ietf.org/html/draft-hartman-sdnsec- requirements-00  Currently individual work, not tied to any WG  Feedback to authors, discussion on saag@ietf.org 2

3 Security Requirements for SDN  Discusses requirements for an SDN protocol running between “applications” and an SDN controller  Describes security requirements for three classes of applications  Apps may not be run by the same organization as the Managed Service Provider (MSP) 3 App SDN Controller (run by MSP) Switch

4 Three Classes of Applications (1)  Class 1: Network Sensitive Applications  Applications that require particular network characteristics  Needs access to ports in particular VLAN  Requires specific path characteristics  Traffic stays within a specific jurisdiction  Traffic travels only over certain equipment  Wants to monitor costs of traffic/flows  May want to reject or accept certain flows 4

5 Three Classes of Applications (2)  Class 2: Services for the Network  Application provides a service for the network  e.g. Firewall, content inspection or intrusion detection 5

6 Three Classes of Applications (3)  Class 3: Packaged Network Services  Combines previous two classes  e.g. Application of Class 1 that wishes for all traffic to be sent through a border firewall service  Application is requesting instantiation of another application as a virtual element in the network  Permits abstraction and re-use of network applications 6

7 Authentication & Authorization  Need for authentication and authorization across multiple organizations 7

8 Security Requirements (1)  REQ1: Authentication is REQUIRED to the controller. Authentication SHOULD support existing credentials that are likely to be used in the datacenter.  REQ2: The interface to the SDN controller MUST support authorizing specific network resources to applications and manipulating the authorizations of applications.  REQ3: The SDN controller MUST provide facilities to isolate one application from another. 8

9 Security Requirements (2)  REQ 4: The SDN controller interface MUST support a controller acting as a proxy on behalf of applications.  REQ 4a: The SDN interface SHOULD support a way of associating an audit ID or other tracking ID so that requests can be correlated with an original application when a proxy acts on behalf of an application.  REQ 5: The SDN controller interface MUST provide mechanisms for operators and applications to enforce privacy. 9

10 Security Requirements (3)  REQ 6: The SDN controller interface MUST support delegating access to a subset of resources; as part of delegation new authorization and privacy constraints MAY be supplied. This supports the security needs of the debugging use case, aspects of the nested application use case, and facilitates other inter-organization uses. 10

11 Nested Application Security (1)  REQ N1: The SDN controller interface MUST support controlling authorization for what nested applications an outer application can nest.  REQ N2: The controller MUST separate authorizations held by one instance of a nested application from authorizations help by other instances of the same nested application. 11

12 Nested Application Security (2)  REQ N3: The SDN controller interface SHOULD provide outer applications a way to learn a nested application's policy for sharing information between instances.  REQ N4: Nested applications MUST be able to authenticate on behalf of a specific outer application. This facilitates authorization, accounting and auditing. 12

13 Nested Application Security (3)  REQ N5: Nested applications MUST be able to specify privacy policy for what resources are visible to the outer application.  REQ N6: Outer applications MUST be able to specify privacy policy and authorizations with regard to what outer resources the nested application can interact with. 13

14 Questions? Feedback?  Send questions of feedback to the draft authors  Sam Hartman  Margaret Wasserman mrw@painless-security.commrw@painless-security.com  Dacheng Zhang zhangdacheng@huawei.comzhangdacheng@huawei.com  Or, discuss these drafts on saag@ietf.org 14

Download ppt "Security Requirements for Software Defined Networks Internet Area WG IETF 85: Atlanta November 4, 2012 Margaret Wasserman"

Similar presentations

SDN Abstractions. In an SDN Ideal World, we want… multiple applications (Composition): – So, need to worry about sharing. – About isolation. Network policies.

SDN Abstractions. In an SDN Ideal World, we want… multiple applications (Composition): – So, need to worry about sharing. – About isolation. Network policies.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
1 Firewalls. 2 References 1.Mark Stamp, Information Security: Principles and Practice, Wiley Interscience, 2006. 2.Robert Zalenski, Firewall Technologies,

1 Firewalls. 2 References 1.Mark Stamp, Information Security: Principles and Practice, Wiley Interscience, Robert Zalenski, Firewall Technologies,
SDN-based OmniRAN Use Cases Date: [2014-03-20] Authors: NameAffiliationPhone Antonio de la OlivaUC3M+34 Juan Carlos ZúñigaInterDigital+1.

SDN-based OmniRAN Use Cases Date: [ ] Authors: NameAffiliationPhone Antonio de la OlivaUC3M+34 Juan Carlos ZúñigaInterDigital+1.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Jaehoon (Paul) Jeong, Hyoungshick Kim, and Jung-Soo Park

Jaehoon (Paul) Jeong, Hyoungshick Kim, and Jung-Soo Park
(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,

(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,
Session-ID Requirements for IETF84 draft-ietf-insipid-session-id-reqts-00 1 August 2012 Paul Jones, Gonzalo Salgueiro, James Polk, Laura Liess, Hadriel.

Session-ID Requirements for IETF84 draft-ietf-insipid-session-id-reqts-00 1 August 2012 Paul Jones, Gonzalo Salgueiro, James Polk, Laura Liess, Hadriel.
Network Security (Firewall) Instructor: Professor Morteza Anvari Student: Xiuxian Chen ID: 93036 Term: Spring 2001.

Network Security (Firewall) Instructor: Professor Morteza Anvari Student: Xiuxian Chen ID: Term: Spring 2001.
Additional SugarCRM details for complete, functional, and portable deployment.

Additional SugarCRM details for complete, functional, and portable deployment.
A Brief Taxonomy of Firewalls

A Brief Taxonomy of Firewalls
Network Architecture and Protocol Concepts. Network Architectures (1) The network provides one or more communication services to applications –A service.

Network Architecture and Protocol Concepts. Network Architectures (1) The network provides one or more communication services to applications –A service.
Mobile IP Traversal Of NAT Devices By, Vivek Nemarugommula.

Mobile IP Traversal Of NAT Devices By, Vivek Nemarugommula.
Kostas Giotis, Yiannos Kryftis, Vasilis Maglaris

Kostas Giotis, Yiannos Kryftis, Vasilis Maglaris
Service Function Chaining Use Cases draft-liu-service-chaining-use-cases IETF 89 London, March 3, 2014 Will Liu, Hongyu Li, Oliver Huang, Huawei Technologies.

Service Function Chaining Use Cases draft-liu-service-chaining-use-cases IETF 89 London, March 3, 2014 Will Liu, Hongyu Li, Oliver Huang, Huawei Technologies.
Chapter 13 – Network Security

Chapter 13 – Network Security
Version 4.0. Objectives Describe how networks impact our daily lives. Describe the role of data networking in the human network. Identify the key components.

Version 4.0. Objectives Describe how networks impact our daily lives. Describe the role of data networking in the human network. Identify the key components.
1 Chapter 6: Proxy Server in Internet and Intranet Designs Designs That Include Proxy Server Essential Proxy Server Design Concepts Data Protection in.

1 Chapter 6: Proxy Server in Internet and Intranet Designs Designs That Include Proxy Server Essential Proxy Server Design Concepts Data Protection in.
SDN Abstractions Lecture 20 Aditya Akella. Going beyond defining a virtual network, configuring specific network functions Application interface – PANE:

SDN Abstractions Lecture 20 Aditya Akella. Going beyond defining a virtual network, configuring specific network functions Application interface – PANE:

Similar presentations

Ads by Google