I2NSF Working Group                                             R. Kumar
Internet-Draft                                                 A. Lohiya
Intended status: Informational                          Juniper Networks
Expires: February 4, 2017                                          D. Qi
                                                               Bloomberg
                                                                 X. Long
                                                          August 3, 2016

                 Security Controller: Use Case Summary
                 draft-kumar-i2nsf-controller-use-cases-00

Abstract

   This document provides use cases for the I2NSF security controller.
   The use cases described here are from a wide variety of deployment
   scenarios in multiple market segments.  The use cases would help in
   developing a comprehensive set of client interfaces.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 4, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Kumar, et al.           Expires February 4, 2017                [Page 1]

Internet-Draft     Security Controller: Use Case Summary     August 2016

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions Used in this Document . . . . . . . . . . . . . .   2
   3.  Security users  . . . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Telecommunication Service Provider  . . . . . . . . . . .   3
     3.2.  Enterprise  . . . . . . . . . . . . . . . . . . . . . . .   4
     3.3.  Cloud Service Provider  . . . . . . . . . . . . . . . . .   4
   4.  SP Use Cases  . . . . . . . . . . . . . . . . . . . . . . . .   4
     4.1.  Managed Security Services for residential mobile and SMB
           users . . . . . . . . . . . . . . . . . . . . . . . . . .   4
     4.2.  Managed Security Services for Enterprise users  . . . . .   5
     4.3.  Protect SP Infrastructure . . . . . . . . . . . . . . . .   6
   5.  Enterprise Branch and Campus Use Cases  . . . . . . . . . . .   7
   6.  Data Center Use Cases . . . . . . . . . . . . . . . . . . . .   7
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   8
   9.  Normative References  . . . . . . . . . . . . . . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   In order to define and build client interfaces for the I2NSF security
   controller, we must understand the security industry landscape from
   the user's perspective and determine where I2NSF work could
   potentially be valuable.  The use cases would help I2NSF to develop
   the client interface framework applicable to a wide variety of
   deployment scenarios.  Basically, without a set of use cases, it is
   hard to know whether the client interfaces, developed by the I2NSF WG,
   actually meet the targeted industry requirements.

   This draft makes an attempt at categorizing the security users into
   various market segments and providing a list of common use cases in
   each market segment.  This is by no means a complete list, but an
   attempt to list the most common use cases.

2.  Conventions Used in this Document

   EPC:  (3GPP) Evolved Packet Core.

   FW:  Firewall.

   HW:  Hardware.

   GLBA:  Gramm-Leach-Bliley Act.

   HIPAA:  Health Insurance Portability and Accountability Act.

   IDS:  Intrusion Detection System.

   IPS:  Intrusion Protection System.

   MEC:  Mobile Edge Computing (ETSI-MEC).

   NSF:  Network Security Function, defined by
      [I-D.ietf-i2nsf-problem-and-use-cases].

   PCI DSS:  Payment Card Industry Data Security Standard.

   RBAC:  Role Based Access Control.

   SP:  (Telecom) Service Provider.

   SW:  Software.

   SMB:  Small and Medium-sized Business.

   WAF:  Web Application Firewall.

   XaaS:  Everything As a Service.

3.  Security users

   There is a need for security solutions in almost every market
   segment, but the use cases vary based on the requirements in that
   segment.  It would not be feasible to look at every industry and list
   all the use cases.  Instead, we categorize the industry into various
   groups or domains, with each group having similar use cases.

3.1.  Telecommunication Service Provider

   The service providers need a large network presence to provide
   connectivity services to their clients and usually divide the large
   network into multiple domains or zones.  We consider two such
   segments for security use cases.

   Access:  This part of the network usually deals with basic
      connectivity, but lately this is undergoing rapid changes and
      services are being deployed for various use cases.  There is a new
      working group, ETSI MEC, in this space.

   Core:  This is where a service provider deploys 3G, 4G and other
      managed services.  The SP's data center hosts various applications
      to deliver these services.

3.2.  Enterprise

   The Enterprise network varies based on the organization's size and
   needs.  We consider the following segments for use cases.

   Branch:  An organization's remote location that hosts workers, some
      applications and data for efficiency reasons.
   Campus:  An organization's regional or corporate headquarters where
      workers and applications are hosted.  A small or medium Enterprise
      may have just one location where all workers and applications are
      hosted.

   Data Center:  The large Enterprise may have multiple hosting places
      for their applications and data.

3.3.  Cloud Service Provider

   The primary use cases for a cloud service provider are related to
   managed security services and security needs for deploying
   applications in the public cloud.

   Data Center:  The Cloud Service Provider may have one or more
      locations to deliver all its services.

4.  SP Use Cases

   This includes residential and enterprise users with different
   requirements.

4.1.  Managed Security Services for residential mobile and SMB users

   The SP provides these as managed security services, which may be
   bundled in the subscription or sold separately.  These services can
   be broadly categorized as the following:

   Parental Control:

   o  Block inappropriate web contents based on identity.

   o  Filter web URLs.

   o  Identity based usage controls on web contents.

   Content Management:

   o  Identify and block malicious activities from web contents.

   o  Attack mitigation using email cleaning and file scanning.

   External Threat Management:

   o  Identify and block threats such as malware and botnets.

4.2.  Managed Security Services for Enterprise users

   The Enterprises are rapidly moving to the cloud.  This comes with
   more services consumed from the cloud instead of being deployed at
   their premises.  The reason for this is to cut costs and avoid
   constant HW/SW upgrades.  The managed security services for
   Enterprise can be broken into two broad categories:

   External Threat Management:  An Enterprise might subscribe to one of
      the following services.
   o  Clean pipe, which means the SP will filter known malware, botnets
      and attack vectors.

   o  DDoS attack mitigation.

   o  Application and phishing attack mitigation.

   o  Managed FW service as per the Enterprise's requirements.

   o  WAF for regulatory or compliance reasons such as PCI.

   Lateral Threat Management:  An Enterprise might subscribe to one of
      the following services in addition to connectivity services such
      as VPN.

   o  Detect threats moving from one location to another within the
      organization using IPS, IDP and malware analysis.

   o  Encryption services.

   o  Endpoint security compliance management.

4.3.  Protect SP Infrastructure

   The SPs selling the security services must also protect their own
   infrastructure to ensure that there is no disruption to their
   customers.

   Threat Management:

   o  Manage DDoS attacks on networking and server infrastructure.

   o  Identify and block botnets and malware.

   Robust Service Delivery:

   o  Deliver services such as VoIP, LTE and VPN in a secure manner.

   o  Security for multi-tenant service delivery.

   Gi FW:  The set of security features needed to protect the SP's
      mobile infrastructure and mobile user handset.

   o  Encryption services to secure the mobile user's identity.

   o  Protocol attack mitigation using IPS, IDP and Application
      controls.

   o  Block DoS/DDoS attacks on the mobile user end-point.

   o  Block DoS/DDoS attacks on EPC core elements.

   o  Web content filtering.

   GiLAN Services:  The set of security services configured for mobile
      users.

   o  FW Services.

   o  Clean pipe service.

   MEC Service Delivery:  The set of security features needed to deliver
      MEC services.

   o  MEC server protection from DDoS and malware attacks.

   o  Encryption services.

5.  Enterprise Branch and Campus Use Cases

   The Enterprise Branch and Campus security use cases are simple and
   usually related to threat management from the Web.  These are
   categorized as follows:

   Threat Management:

   o  Manage DDoS attacks on networking and server infrastructure.

   o  Identify and block application attacks using IPS and IDP.

   o  Identify and block attacks from the Web using WAF.

   o  Identify and block botnets and malware.

   Access and Data Management:

   o  Isolation across various Enterprise functional groups.

   o  Encryption service from Branch to Campus.

   o  Block certain social media applications.

   o  Data loss prevention by filtering social media contents.

6.  Data Center Use Cases

   The Enterprise landscape is evolving rapidly due to virtualization
   and the move towards cloud based XaaS consumption models.  The data
   centers are now built with multi-vendor devices, in physical and
   virtual form factors.  This creates a problem for data center
   operators as the attack vectors multiply.  The cloud data centers
   have more dimensions, such as a large presence and a multi-tenant
   environment, but must still deliver services in a secure manner.
   The use cases in this category are fairly large and diverse, so we
   are listing the most common ones below:

   Threat Management:  Same as above.

   Regulatory and Compliance:

   o  Payment industry's PCI DSS.

   o  Finance industry's GLBA.

   o  Health industry's HIPAA.

   o  Organization's resource (Data and Application) access policy based
      on location or device.

7.  IANA Considerations

   This document requires no IANA actions.  RFC Editor: Please remove
   this section before publication.

8.  Acknowledgements

9.  Normative References

   [I-D.ietf-i2nsf-problem-and-use-cases]
              Hares, S., Dunbar, L., Lopez, D., Zarny, M., and C.
              Jacquenet, "I2NSF Problem Statement and Use cases", draft-
              ietf-i2nsf-problem-and-use-cases-01 (work in progress),
              July 2016.
Authors' Addresses

   Rakesh Kumar
   Juniper Networks
   1133 Innovation Way
   Sunnyvale, CA 94089
   US

   Email: rkkumar@juniper.net


   Anil Lohiya
   Juniper Networks
   1133 Innovation Way
   Sunnyvale, CA 94089
   US

   Email: alohiya@juniper.net


   Dave Qi
   Bloomberg
   731 Lexington Avenue
   New York, NY 10022
   US

   Email: DQI@bloomberg.net


   Xiaobo Long
   4 Cottonwood Lane
   Warren, NJ 07059
   US

   Email: long.xiaobo@gmail.com