I2NSF Working Group | R. Kumar |
Internet-Draft | A. Lohiya |
Intended status: Informational | Juniper Networks |
Expires: January 7, 2017 | D. Qi |
Bloomberg | |
X. Long | |
July 6, 2016 |
Northbound Interfaces for Security Policy Controllers : A Framework and Information Model
draft-kumar-i2nsf-controller-northbound-framework-00
This document provides a framework and information model for the definition of northbound interfaces for a security policy controller. The interfaces are based on user-intent instead of vendor-specific or device-centric approaches that would require deep knowledge of vendor products and their security features. The document identifies the common interfaces needed to enforce the user-intent-based policies onto network security functions (NSFs) irrespective of how those functions are realized. The function may be physical or virtual in nature and may be implemented in networking or dedicated appliances.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 7, 2017.
Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Programming security policies in a network is a fairly complex task and requires very deep knowledge of the vendors' devices in order to implement a security policy. This has been the biggest challenge for both Service Providers and Enterprise, henceforth known as end-customers, to keep up-to-date with the security of their networks and assets. The challenge is amplified due to virtualization because security appliances come in both physical and virtual forms and are supplied by a variety of vendors who have their own proprietary interfaces to manage and implement the security policies on their devices.
Even if an end-customer deploys a single vendor solution across its entire network, it is difficult to manage security policies due to the complexity of network security features available in the devices. The end-customer may use a vendor-provided management system that gives some abstraction in the form of GUI and helps in provisioning and managing security policies. The single vendor approach is highly restrictive in today's network as explained below:
In order to provide the end-customer with a solution where they can deploy security policies across different vendors and devices whether physical or virtual, the Interface to Network Security Functions (I2NSF) working group in the IETF is defining a set of northbound interfaces.
This document discusses the requirements for these northbound interfaces and describes a framework and information model so that these interfaces can be easily used by end-customer security administrators without knowledge of specific security devices or features. We refer to this as "user-intent-based interfaces".
The IETF I2NSF working group has defined a framework for Interfaces to Network Security Functions that defines following terminology:
The "Client Facing Interface" ensures that an end-customer can deploy any device from any vendor and still be able to use same consistent interface. In essence, these interfaces give a framework to manage end-customer's security policies. Henceforth in this document, we "security policy management interface" interchangeably when we refer to these northbound interfaces.
This document describes a framework for security policy management interfaces. This document does not describe a framework for southbound interface: those may be defined in another draft.
Traditionally, medium and larger end-customers deploy management systems to manage their security policies. This approach may not be suitable for modern datacenters that are virtualized and manage their resources using controllers.
RESTful API SUPA or I2NSF Policy Management ^ Northbound | Security Policy Interface | (Independent of individual | NSFs, devices, and vendors) | | ------------------------------ | | | Security Policy Controller | | | ------------------------------ | ^ Southbound Security | I2NSF | Capability Interface | NSF-facing | (Specific to NSFs) | Interface | .............................. | | v | ------------- ------------- | I2NSF Agent | | I2NSF Agent | |-------------| |-------------| | |---| | | NSF | | NSF | NSFs | | | | (virtual -------------\ /------------- and | \ / | physical) | X | | / \ | -------------/ \------------- | I2NSF Agent | | I2NSF Agent | |-------------| |-------------| | |---| | | NSF | | NSF | | | | | ------------- -------------
Figure 1: Deployment without Management System
RESTful API SUPA or I2NSF Policy Management ^ Northbound | Security Policy Interface | (Independent of individual | NSFs, devices, and vendors) | | ------------------------------ | | | Security Policy Controller | | | ------------------------------ | ^ Southbound Security | I2NSF | Capability Interface | NSF-facing | (Specific to NSFs) | Interface | .............................. | | v | ------------------------------ | | | I2NSF Proxy Agent / | | Management System | | | ------------------------------ | ^ | Proprietary | | Functional | | Interface | .............................. | | v | ------------- ------------- | |---| | | NSF | | NSF | NSFs | | | | (virtual -------------\ /------------- and | \ / | physical) | X | | / \ | -------------/ \------------- | |---| | | NSF | | NSF | | | | | ------------- -------------
Figure 2: Deployment with Management System or I2NSF Proxy Agent
There are two different deployment models:
Although the deployment models discussed here don't necessarily affect the northbound security policy interface, they do give an overall context for defining a security policy interface based on abstraction.
In order to provide I2NSF northbound interface for security policies to client that are not specific to any vendor, device or feature implementation, it is important that security policies shall be configured and managed from a client's perspective. We refer to this as the user-intent based model since it is primarily driven by how security administrators view security policies from the deployment perspective.
The client perspective ensures that policy management is not only easy to understand for them (the actual users), but is also independent of vendor, device, and specific implementation which is the foremost goal for a northbound interface.
As mentioned earlier, it is important that the northbound interface be primarily driven by user-intent which is what a client understands well. In order to define this interface, we must understand the requirements and framework used by the security administrator.
A security policy that is based on user-intent is completely agnostic of how this policy is enforced in the end-customer's network. The security controller may choose to implement such a policy on any device (router, switch, firewall) in a physical or virtual form factor. The security policy controller's implementation is outside the scope of this document and the I2NSF working group.
At a high level, the objects that are required in order to express and build the security policies fall into the following categories:
The above categories are by no means a complete list and may not be sufficient for all use-cases and all end-customers, but should be a good start for a wide variety of use-cases in both Service Provider networks and Enterprise networks.
The following sections provide further details on the above mentioned security policies categories.
An end-customer that uses security policies may have internal tenants and would like to have a framework wherein each tenant manages its own security policies to provide isolation across different tenants.
An end-customer may be a cloud service provider with multi-tenant deployments where each tenant is a different organization and must allow complete isolation across different tenants.
The RBAC objects and method needed to build such a framework is defined below.
In order to provide more sophisticated security framework, there should be a mechanism to express that a policy becomes dynamically active/enforced or inactive based on either security administrator intervention or an event.
One example of dynamic policy management is when the security administrator pre-configures all the security policies, but the policies get activated/enforced or deactivated based on dynamic threats faced by the end-customer. Basically, a threat event may activate certain inactive policies, and once a new event indicates that the threat has gone away, the policies become inactive again.
The northbound interface should support the following mechanisms for policy enforcement:
Typically, when the security administrator configures a security policy, the intention is to apply this policy to certain subsets of the network. The subsets may be identified based on criteria such as users, devices, and applications. We refer to such a subset of the network as a "Policy Endpoint Group".
One of the biggest challenges for a security administrator is how to make sure that security policies remain effective while constant changes are happening to the "Policy Endpoint Group" for various reasons (e.g., organizational changes). If the policy is created based on static information such as user names, application, or network subnets, then every time that this static information changes policies would need to be updated. For example, if a policy is created that allows access to an application only from the group of Human Resource users (the HR-users group), then each time the HR-users group changes, the policy needs to be updated.
Changes to policy could be highly taxing to the end-customer for various operational reasons. The policy management framework must allow "Policy Endpoint Group" to be dynamic in nature so that changes to the group (HR-users in our example) automatically result in updates to its content.
We call these dynamic Policy Endpoint Groups "Meta-data Driven Groups". The meta-data is a tag associated with endpoint information such as users, applications, and devices. The mapping from meta-data to dynamic content could come either from standards-based or proprietary tools. The security controller could use any available mechanisms to derive this mapping and to make automatic updates to the policy content if the mapping information changes.
The northbound policy interface must support endpoint groups for user-intent based policy management. The following meta-data driven groups are typically used for configuring security polices:
The security policy rules can be as simple as specifying a match for the user or application specified through "Policy Endpoint Group" and take one of the "Policy Actions" or more complicated rules that specify how two different "Policy Endpoint Groups" interact with each other. The northbound interface must support mechanisms to allow the following rule matches.
Policy Endpoint Groups: The rule must allow a way to match either a single or a member of a list of "Policy Endpoint Groups".
There must also be a way to express whether a group is a source or a destination so that the security administrator can apply the rule in only one direction of a communication.
There must also be a way to express a match between two "Policy Endpoint Groups" so that a policy can be effective for communication between two groups.
The threat could be from malware and this requires a way to match for virus signatures or file hashes.
The security administrator must be able to configure a variety of actions within a security policy. Typically, security policy specifies a simple action of "deny" or "permit" if a particular rule is matched. Although this may be enough for most of the simple policies, the I2NSF northbound interface must also provide a more comprehensive set of actions so that the interface can be used effectively across various security functions.
The security policies in the end-customer's network may require the use of specialty devices such as honeypots, behavioral analytics, or SIEM in the network, and may also involve threat feeds, virus signatures, and malicious file hashes as part of comprehensive security policies.
The northbound interface must allow the security administrator to configure these threat sources and any other information to provide integration and fold this into policy management.
One of the most important aspect of security is to have visibility into the networks. As threats become more sophisticated, the security administrator must be able to gather different types of telemetry data from various devices in the network. The collected data could simply be logged or sent to security analysis engines for behavioral analysis and for threat detection.
The northbound interface must allow the security administrator to collect various kinds of data from NSFs. The data source could be syslog, flow records, policy violation records, and other available data.
The northbound interface must support a version number for each RESTful API. This is very important because the client application and the controller application will most likely come from different vendors. Even if the vendor is same, it is hard to imagine that two different applications would be released in lock step.
Without API versioning, it hard to debug and figure out issues if application breaks. Although API versioning does not guarantee that applications will always work, it helps in debugging if the problem is caused by an API mismatch.
Abstraction and standardization of the northbound interface is of tremendous value to end-customers as it gives them the flexibility of deploying any vendors' NSF. However this might also look like as an obstacle to innovation.
If an NSF vendor comes up with new feature or functionality that can't be expressed through the currently defined northbound interface, there must be a way to extend existing APIs or to create a new API that is relevant for that NSF vendor only.
This document requires no IANA actions. RFC Editor: Please remove this section before publication.
The editors would like to thank Adrian Farrel for helpful discussions and advice.
[I-D.ietf-i2nsf-problem-and-use-cases] | Hares, S., Dunbar, L., Lopez, D., Zarny, M. and C. Jacquenet, "I2NSF Problem Statement and Use cases", Internet-Draft draft-ietf-i2nsf-problem-and-use-cases-00, February 2016. |