I2NSF Working Group R. Kumar
Internet-Draft A. Lohiya
Intended status: Informational Juniper Networks
Expires: February 4, 2017 D. Qi
Bloomberg
X. Long
August 3, 2016
Security Controller: Use Case Summary
draft-kumar-i2nsf-controller-use-cases-00
Abstract
This document provides use cases for the I2NSF security controller.
The use cases described here are from a wide variety of deployment
scenarios in multiple market segments. The use cases would help in
developing a comprehensive set of client interfaces.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current
Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 4, 2017.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction
2. Conventions Used in this Document
3. Security users
3.1. Telecommunication Service Provider
3.2. Enterprise
3.3. Cloud Service Provider
4. SP Use Cases
4.1. Managed Security Services for residential mobile and SMB users
4.2. Managed Security Services for Enterprise users
4.3. Protect SP Infrastructure
5. Enterprise Branch and Campus Use Cases
6. Data Center Use Cases
7. IANA Considerations
8. Acknowledgements
9. Normative References
Authors' Addresses
1. Introduction
In order to define and build client interfaces for the I2NSF security
controller, we must understand the security industry landscape from
the user's perspective and determine where I2NSF work could
potentially be valuable. The use cases would help I2NSF to develop
the client interface framework applicable to a wide variety of
deployment scenarios. Basically, without a set of use cases, it is
hard to know whether the client interfaces, developed by I2NSF WG,
actually meet the targeted industry requirements.
This draft attempts to categorize the security users into
various market segments and providing a list of common use cases in
each market segment. This is by no means a complete list, but an
attempt to list the most common use cases.
2. Conventions Used in this Document
EPC: (3GPP) Evolved Packet Core.
FW: Firewall.
HW: Hardware.
GLBA: Gramm-Leach-Bliley Act.
HIPAA: Health Insurance Portability and Accountability Act.
IDS: Intrusion Detection System.
IPS: Intrusion Protection System.
MEC: Mobile Edge Computing (ETSI-MEC).
NSF: Network Security Function, defined by
[I-D.ietf-i2nsf-problem-and-use-cases].
PCI DSS: Payment Card Industry Data Security Standard.
RBAC: Role Based Access Control.
SP: (Telecom) Service Provider.
SW: Software.
SMB: Small and Medium-sized Business.
WAF: Web Application Firewall.
XaaS: Everything As a Service.
3. Security users
There is a need for security solutions in almost every market
segment, but the use cases vary based on the requirements in that
segment. It would not be feasible to look at every industry and list
all the use cases. Instead, we categorize the industry into various
groups or domains with each group having similar use cases.
3.1. Telecommunication Service Provider
The service providers need a large network presence to provide
connectivity services to their clients and usually divide the large
network into multiple domains or zones. We consider two such
segments for security use cases.
Access: This part of the network usually deals with basic
connectivity, but lately this is undergoing rapid changes and
services are being deployed for various use cases. There is a new
working group ETSI MEC in this space.
Core: This is where a service provider deploys 3G, 4G and other
managed services. The SP's data center hosts various applications to
deliver these services.
3.2. Enterprise
The Enterprise network varies based on the organization's size and
needs. We consider the following segments for use cases.
Branch: An organization's remote location that hosts workers, some
applications and data for efficiency reasons.
Campus: An organization's regional or corporate headquarters where
workers and applications are hosted. A small or medium Enterprise
may have just one location where all workers and applications are
hosted.
Data Center: The large Enterprise may have multiple hosting places
for their applications and data.
3.3. Cloud Service Provider
The primary use cases for a cloud service provider are related to
managed security services and security needs for deploying
applications in the public cloud.
Data Center: The Cloud Service Provider may have one or more
locations to deliver all its services.
4. SP Use Cases
This includes residential and enterprise users with different
requirements.
4.1. Managed Security Services for residential mobile and SMB users
The SP provides these as managed security services, which may be
bundled in the subscription or sold separately.
These services can be broadly categorized as the following:
Parental Control:
o Block inappropriate web contents based on identity.
o Filter web URLs.
o Identity based usage controls on web contents.
Content Management:
o Identify and block malicious activities from web contents
o Attack mitigation using email cleaning and file scanning
External Threat Management:
o Identify and block threats such as malware and botnets
4.2. Managed Security Services for Enterprise users
The Enterprises are rapidly moving to the cloud. This comes with
more services consumed from the cloud instead of being deployed at
their premises. The reason for this is to cut costs and avoid
constant HW/SW upgrades.
The managed security services for Enterprise can be broken into two
broad categories:
External Threat Management:
An Enterprise might subscribe to one of the following services.
o Clean pipe, which means the SP will filter known malware, botnets and
attack vectors
o DDoS attack mitigation.
o Application and phishing attack mitigation
o Managed FW service as per the Enterprise's requirements
o WAF for regulatory or compliance reasons such as PCI
Lateral Threat Management:
An Enterprise might subscribe to one of the following services in
addition to connectivity services such as VPN.
o Detect threats moving from one location to another within the
organization using IPS, IDP and malware analysis
o Encryption services
o Endpoint security compliance management
4.3. Protect SP Infrastructure
The SPs selling the security services must also protect their own
infrastructure to ensure that there is no disruption to their
customers.
Threat Management:
o Manage DDoS attacks on networking and server infrastructure.
o Identify and block botnets and malware
Robust Service Delivery:
o Deliver services such as VoIP, LTE, VPN in a secure manner
o Security for multi-tenant service delivery
Gi FW: The set of security features needed to protect the SP's mobile
infrastructure and mobile user handset.
o Encryption services to secure mobile user's identity
o Protocol attack mitigation using IPS, IDP and Application controls
o Block DoS/DDoS attack on mobile user end-point
o Block DoS/DDoS attack on EPC core elements
o Web content filtering
GiLAN Services: The set of security services configured for mobile
users.
o FW Services
o Clean pipe service
MEC Service Delivery: The set of security features needed to deliver
MEC services
o MEC server protection from DDoS and malware attacks
o Encryption services
5. Enterprise Branch and Campus Use Cases
The Enterprise Branch and Campus security use cases are simple and
usually related to threat management from the Web. These are categorized
as follows:
Threat Management:
o Manage DDoS attacks on networking and server infrastructure
o Identify and block application attacks using IPS and IDP
o Identify and block attacks from the Web using WAF
o Identify and block botnets and malware
Access and Data Management:
o Isolation across various Enterprise functional groups
o Encryption service from Branch to Campus
o Block certain social media applications
o Data loss prevention by filtering social media contents
6. Data Center Use Cases
The Enterprise landscape is evolving rapidly due to virtualization
and the move towards cloud based XaaS consumption models. The data
centers are now built with multi-vendor devices, in physical and
virtual form factors. This creates a problem for data center
operators as the attack vectors multiply.
The cloud data centers have more dimensions such as a large presence
and multi-tenant environment, but must still deliver services in a
secure manner. The use cases in this category are fairly large and
diverse, so we are listing the most common ones below:
Threat Management: Same as above
Regulatory and Compliance:
o Payment industry's PCI DSS
o Finance industry's GLBA
o Health industry's HIPAA
o Organization's resource (Data and Application) access policy based
on location or device
7. IANA Considerations
This document requires no IANA actions. RFC Editor: Please remove
this section before publication.
8. Acknowledgements
9. Normative References
[I-D.ietf-i2nsf-problem-and-use-cases]
Hares, S., Dunbar, L., Lopez, D., Zarny, M., and C.
Jacquenet, "I2NSF Problem Statement and Use cases",
draft-ietf-i2nsf-problem-and-use-cases-01 (work in progress),
July 2016.
Authors' Addresses
Rakesh Kumar
Juniper Networks
1133 Innovation Way
Sunnyvale, CA 94089
US
Email: rkkumar@juniper.net
Anil Lohiya
Juniper Networks
1133 Innovation Way
Sunnyvale, CA 94089
US
Email: alohiya@juniper.net
Dave Qi
Bloomberg
731 Lexington Avenue
New York, NY 10022
US
Email: DQI@bloomberg.net
Xiaobo Long
4 Cottonwood Lane
Warren, NJ 07059
US
Email: long.xiaobo@gmail.com