An I2NSF Framework for Security Management Automation in Cloud-Based Security Systems
Department of Computer Science and Engineering
Sungkyunkwan University2066 Seobu-Ro, Jangan-GuSuwonGyeonggi-Do16419Republic of Korea+82 31 299 4957+82 31 290 7996pauljeong@skku.eduhttp://iotlab.skku.edu/people-jaehoon-jeong.php
Department of Electrical and Computer Engineering
Sungkyunkwan University2066 Seobu-Ro, Jangan-GuSuwonGyeonggi-Do16419Republic of Korea+82 31 299 4957patricklink@skku.edu
Standards & Open Source Research Division
Electronics and Telecommunications Research Institute218 Gajeong-Ro, Yuseong-GuDaejeon34129Republic of Korea+82 42 860 6514pjs@etri.re.kr
Telefonica I+D
Jose Manuel Lara, 9Seville41013Spain+34 682 051 091diego.r.lopez@telefonica.com
Huawei
7453 Hickory HillSalineMI48176USA+1-734-604-0332shares@ndzh.com
Security
I2NSF Working GroupInternet-Draft
This document describes a Framework for Interface to Network
Security Functions (I2NSF) in for
Security Management Automation (SMA) in Cloud-Based Security
Systems. This security management automation facilitates
Closed-Loop Security Control, Security Policy Translation, and
Security Audit. To support these three features in SMA, this
document specifies an extended architecture of the I2NSF
framework with new system components and new interfaces.
Thus, the SMA in this document can facilitate Intent-Based
Security Management with Intent-Based Networking (IBN) in
.
Interface to Network Security Functions (I2NSF) defines a framework
and interfaces for interacting with Network Security Functions (NSFs)
.
Note that an NSF is defined as software that provides a set of
security-related services, such as (i) detecting unwanted activity,
(ii) blocking or mitigating the effect of such unwanted activity
in order to fulfill service requirements, and (iii) supporting
communication stream integrity and confidentiality .
The NSF can be implemented as a Virtual Network Function (VNF) in
a Network Functions Virtualization (NFV) environment
.
This document describes Security Management Automation (SMA) of
cloud-based security services in the I2NSF framework. The security
management automation includes closed-loop security control, security
policy translation, and security audit. This document specifies an
augmented architecture of the I2NSF framework for the SMA services with
new system components and new interfaces.
For reliable management for networked security services, this document
proposes a network management and verification facility using a
secuirty audit system (e.g., remote attestation and blockchain ).
This security audit system can facilitate the non-repudiation of configuration
commands and monitoring data generated in the I2NSF framework.
Therefore, the Security Management Automation (SMA) in this document can
facilitate Intent-Based Security Management with Intent-Based Networking
(IBN) in for autonomous security services.
Note that the scope of this document is to propose an extension of the
standard I2NSF framework in such that it can
perform security management automation based on Intent-Based Networking
(IBN) in . This document augments the existing
I2NSF framework by adding the new features of security policy translation,
closed-loop security control, and security audit system to it. For this
system augmentation, a system component called I2NSF Analyzer and a new
external interface called Analytics Interface are introduced for
Closed-Loop Security Control on the basis of the analysis of NSF
monitoring data. This monitoring data is delivered from each NSF
to I2NSF Analyzer via Monitoring Interface
.
I2NSF Analyzer performs the analysis of the NSF monitoring data, and
sends the analysis results (e.g., policy reconfiguration and feedback
message) to Security Controller via Analytics Interface. For more details,
Refer to
in this document.
Also, note that Cloud or Edge-based Security Service Providers can get
benefits by automating security service management in terms of automatic
security policy enforcement and feedback-based security policy updates.
Eventually, they can save Operational Expenditure (OPEX) significantly by
this Intent-Based Security Management with Intent-Based Networking (IBN)
in .
This document uses the terminology described in , , and .
In addition, the following terms are defined below:
Security Management Automation (SMA): It means that a high-level
security policy from a user (or administrator) is well-enforced in
a target I2NSF system. The high-level security policy can be
translated into the corresponding low-level security policy by a
security policy translator and dispatched to appropriate NSFs.
Through the monitoring of the NSFs, the activity and performace of
the NSFs is monitored and analyzed. If needed, the security rules of
the low-level security policy are augmented or new security rules are
generated and configured to appropriate NSFs.
Security Policy Translation: It means that a high-level security
from an I2NSF User (e.g., administrator) policy is translated
to a low-level security policy that can be understood and
configured by an NSF for a specific security service, such as
firewall, web filter, deep packet inspection, DDoS-attack
mitigation, and anti-virus. A Security Policy Translator (SPT)
performs this security policy translation for the sake for
the I2NSF User .
This SPT is an subcomponent of Security Controller
which is a main component to govern the I2NSF Framework.
Feedback-Based Security Management (FSM): It means that a security
service is evolved by updating a security policy (having security rules)
and adding new security rules for detected security attacks by
processing and analzing the monitoring data of NSFs.
This section describes an extended I2NSF framework for security
management automation, where the I2NSF framework is defined in
in .
As shown in ,
an I2NSF User can use security functions by delivering high-level security policies,
which specify security requirements that the I2NSF user wants to enforce, to
the Security Controller via the Consumer-Facing Interface (CFI)
.
|Developer's Mgmt System|
+-------------------+ Interface +-----------------------+
^ ^
| |
| | Analytics Interface +-----------------------+
| +------------------------>| I2NSF Analyzer |
| +-----------------------+
| NSF-Facing Interface ^ ^ ^
| | | |
| | | |
| +------------------------------+ | |
| | +-----------------------+ |
| | | Monitoring Interface |
v v v v
+----------------+ +---------------+ +-----------------------+
| NSF-1 |-| NSF-2 |...| NSF-n |
| (Firewall) | | (Web Filter) | |(DDoS-Attack Mitigator)|
+----------------+ +---------------+ +-----------------------+
]]>
The following are the system components for the SMA-based I2NSF framework.
I2NSF User: An entity that delivers a high-level security policy to
Security Controller.
Security Controller: An entity that controls and manages other system
components in the I2NSF framework. It translates a high-level security
policy into the corresponding low-level security policy and selects
appropriate NSFs to execute the security rules of the low-level security
policy. A Security Policy Translator (SPT) can perform this security
policy translation from a high-level security policy into a low-level
security policy .
Developer's Management System (DMS): An entity that provides an image of
of a virtualized NSF for a security service to the I2NSF framework, and
registers the capability and access information of an NSF with Security
Controller.
Network Security Function (NSF): An entity that is a Virtual Network
Function (VNF) or Container Network Function (CNF), which is called
Cloud-native Network Function, for a specific network security service
such as firewall, web filter, deep packet inspection, DDoS-attack
mitigation, and anti-virus.
I2NSF Analyzer: An entity that collects monitoring data from NSFs and
analyzes such data for checking the activity and performance of the NSFs
using machine learning techniques (e.g., Deep Learning ).
If there is a suspicious attack activity for the target network or NSF,
I2NSF Analyzer delivers a report of the augmentation or generation of
security rules to Security Controller.
For SMA-based security services with Feedback-Based Security Management (FSM),
I2NSF Analyzer is required as a new I2NSF component for the legacy I2NSF
framework to collect monitoring data from NSFs and
analyzing the monitoring data. The actual implementation of the analysis of
monitoring data is out of the scope of this document.
The following are the interfaces for the SMA-based I2NSF framework. Note that
the interfaces are modeled with YANG and security
policies are delivered through either RESTCONF or
NETCONF .
Consumer-Facing Interface: An interface between I2NSF User and Security
Controller for the delivery of a high-level security policy
.
NSF-Facing Interface: An interface between Security Controller and an NSF
for the delivery of a low-level security policy
.
Registration Interface: An interface between a DMS and Security Controller
for the registration of an NSF's capability and access information with the
Security Controller or the query of an NSF for a required low-level security
policy .
Monitoring Interface: An interface between an NSF and I2NSF Analyzer for
collecting monitoring data from an NSF to check the activity and performance
of an NSF for a possible malicious traffic .
Analytics Interface: An interface between I2NSF Analyzer and Security
Controller for the delivery of an analytics report of the augmentation
or generation of security rules to Security Controller.
This interface lets Security Controller get the report for security rules
to its security policy management.
For SMA-based security services with FSM, Analytics Interface is required
as a new I2NSF interface for the legacy I2NSF framework
to deliver an analytics report of the augmentation or generation of security rules to Security
Controller through the analysis of the monitoring data from NSFs.
The I2NSF framework is weak to both an insider attack and a supply chain attack
since it trusts in NSFs provided by Developer's Management System (DMS) and
assumes that NSFs work for their security services appropriately
.
To detect the malicious activity of either an insider attack by a malicious
DMS or a supply chain attack by a compromised DMS, a security audit
system is required by the I2NSF framework. This security audit system can
facilitate the non-repudiation of configuration commands and monitoring data
generated in the I2NSF framework.
A security audit system has the following four main objectives:
To check the existence of a security policy, a management system, and
its procedures; To identify and understand the existing vulnerabilities and risks of
either an insider attack or a supply chain attack; To review existing security controls on operational and administrative
issues; To provide recommendations and corrective actions to Security Controller
for further security improvement. | Audit |
| | ^ | System |
+--------------+--------------+ | +---------+--------+
| NSF-Facing Interface | ^
| | Remote |
Low-level Security Policy | Attestation |
| | Interface |
V | |
+--------------+--------------+ | +--------+-------+
| NSF(s) +------------+ | I2NSF Analyzer |
| +------------------>| |
+-----------------------------+ Monitoring +----------------+
Interface
]]>
shows activity auditing with a security audit system in the I2NSF
framework. All the components in the I2NSF framwork report its
activities (such as configuration commands and monitoring data)
to Security Audit System as transactions through Remote Attestation
Interface .
The security audit system can analyze the reported activities from the
I2NSF components to detect malicious activities such as an insider attack
and a supply chain attack.
Note that such a security audit system can be implemented by remote
attestation
or Blockchain . The details of the implementation
of the security audit system are out of the scope of this document.
In order to determine a minimum set of controls required to reduce the
risks from either an insider attack or a supply chain attack, the security
audit system should analyze the activities of all the components in the
I2NSF framework periodically, evaluate possible risks, and take an action
to such risks since vulnerabilities and threats may change in
different environments over time.
This document does not require any IANA actions.
The same security considerations for the I2NSF framework
are applicable to this document.
The development and introduction of I2NSF Analyzer and Security Audit
System in the I2NSF Framework may create new security concerns that
have to be anticipated at the design and specification time. The usage
of machine learning to analyze monitoring data of malicious NSFs may add a
risk to its model to be attacked (e.g., adversarial attack) and can result
in a bad security policy that is deployed into the I2NSF system.
Deep LearningIEEE Transactions on Dependable Secure ComputingNetwork Functions Virtualisation (NFV); Architectural FrameworkBitcoin: A Peer-to-Peer Electronic Cash SystemDeep LearningThe MIT Press
The following changes are made from draft-jeong-i2nsf-security-management-automation-07:
This version updates the Abstract and Introduction for the explanation
of the purpose and usefulness of this document.
The section for Security Policy Translation in version 07 is removed
so that this document can have the shape of a standard document
without the design and implementation of a Security Policy Translator.
Instead, This version cites a Journal Paper rather
than an Internet Draft for the Security Policy Translator.
This document benefited from discussions in the I2NSF Working Group,
especially from Linda Dunbar and Yoav Nir. This document took
advantage of the review and comments from the following
experts: Qin Wu and Adrian Farrel. The authors sincerely
appreciate their sincere efforts and kind help.
This work was supported by Institute of Information &
Communications Technology Planning & Evaluation (IITP) grant
funded by the Korea Ministry of Science and ICT (MSIT)(RS-2024-00398199).
This work was supported in part by Institute of Information &
Communications Technology Planning & Evaluation (IITP) grant
funded by the Korea Ministry of Science and ICT (MSIT)(No. 2022-0-01015,
Development of Candidate Element Technology for Intelligent 6G Mobile Core Network).
The following are coauthors of this document: Standards & Open Source Research DivisionElectronics and Telecommunications Research Institute218 Gajeong-ro, Yuseong-gu,Daejeon34129Republic of Koreacyc79@etri.re.krSchool of Electronic EngineeringSoongsil University369, Sangdo-ro, Dongjak-guSeoul06978Republic of Koreayounghak@ssu.ac.kr