I2NSF Working Group                                             R. Kumar
Internet-Draft                                                 A. Lohiya
Intended status: Informational                          Juniper Networks
Expires: February 4, 2017                                          D. Qi
                                                               Bloomberg
                                                                 X. Long
                                                          August 3, 2016


                 Security Controller: Use Case Summary
               draft-kumar-i2nsf-controller-use-cases-00

Abstract

   This document provides use cases for the I2NSF security controller.
   The use cases described here are from a wide variety of deployment
   scenarios in multiple market segments.  The use cases would help in
   developing a comprehensive set of client interfaces.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 4, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of



Kumar, et al.           Expires February 4, 2017                [Page 1]


Internet-Draft    Security Controller: Use Case Summary      August 2016


   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions Used in this Document . . . . . . . . . . . . . .   2
   3.  Security users  . . . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Telecommunication Service Provider  . . . . . . . . . . .   3
     3.2.  Enterprise  . . . . . . . . . . . . . . . . . . . . . . .   4
     3.3.  Cloud Service Provider  . . . . . . . . . . . . . . . . .   4
   4.  SP Use Cases  . . . . . . . . . . . . . . . . . . . . . . . .   4
     4.1.  Managed Security Services for residential mobile and SMB
           users . . . . . . . . . . . . . . . . . . . . . . . . . .   4
     4.2.  Managed Security Services for Enterprise users  . . . . .   5
     4.3.  Protect SP Infrastructure . . . . . . . . . . . . . . . .   6
   5.  Enterprise Branch and Campus Use Cases  . . . . . . . . . . .   7
   6.  Data Center Use Cases . . . . . . . . . . . . . . . . . . . .   7
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   8
   9.  Normative References  . . . . . . . . . . . . . . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   In order to define and build client interfaces for the I2NSF security
   controller, we must understand the security industry landscape from
   the user's perspective and determine where I2NSF work could
   potentially be valuable.  The use cases would help I2NSF to develop
   the client interface framework applicable to a wide variety of
   deployment scenarios.  Basically, without a set of use cases, it is
   hard to know whether the client interfaces, developed by I2NSF WG,
   actually meet the targeted industry requirements.

   This draft attempts to categorize the security users into various
   market segments and to provide a list of common use cases in each
   market segment.  This is by no means a complete list, but an attempt
   to list the most common use cases.

2.  Conventions Used in this Document

   EPC:  (3GPP) Evolved Packet Core.

   FW:  Firewall.

   HW:  Hardware.

   GLBA:  Gramm-Leach-Bliley Act.

   HIPAA:  Health Insurance Portability and Accountability Act.

   IDS:  Intrusion Detection System.

   IPS:  Intrusion Protection System.

   MEC:  Mobile Edge Computing (ETSI-MEC).

   NSF:  Network Security Function, defined by
      [I-D.ietf-i2nsf-problem-and-use-cases].

   PCI DSS:  Payment Card Industry Data Security Standard.

   RBAC:  Role Based Access Control.

   SP:  (Telecom) Service Provider.

   SW:  Software.

   SMB:  Small and Medium-sized Business.

   WAF:  Web Application Firewall.

   XaaS:  Everything As a Service.

3.  Security users

   There is a need for security solutions in almost every market
   segment, but the use cases vary based on the requirements in that
   segment.  It would not be feasible to look at every industry and list
   all the use cases.  Instead, we categorize the industry into various
   groups or domains with each group having similar use cases.

3.1.  Telecommunication Service Provider

   The service providers need a large network presence to provide
   connectivity services to their clients and usually divide the large
   network into multiple domains or zones.  We consider two such
   segments for security use cases.

   Access: This part of the network usually deals with basic
   connectivity, but lately this is undergoing rapid changes and
   services are being deployed for various use cases.  There is a new
   working group ETSI MEC in this space.

   Core: This is where a service provider deploys 3G, 4G and other
   managed services.  The SP's data center hosts various applications to
   deliver these services.

3.2.  Enterprise

   The Enterprise network varies based on the organization's size and
   needs.  We consider the following segments for use cases.

   Branch: An organization's remote location that hosts workers, some
   applications and data for efficiency reasons.

   Campus: An organization's regional or corporate headquarters where
   workers and applications are hosted.  A small or medium Enterprise
   may have just one location where all workers and applications are
   hosted.

   Data Center: The large Enterprise may have multiple hosting places
   for their applications and data.

3.3.  Cloud Service Provider

   The primary use cases for a cloud service provider are related to
   managed security services and security needs for deploying
   applications in the public cloud.

   Data Center: The Cloud Service Provider may have one or more
   locations to deliver all its services.

4.  SP Use Cases

   This includes residential and enterprise users with different
   requirements.

4.1.  Managed Security Services for residential mobile and SMB users

   The SP provides these as managed security services which may be
   bundled in the subscription or separately sold.

   These services can be broadly categorized as the following:

   Parental Control:

   o  Block inappropriate web contents based on identity.

   o  Filter web URLs.

   o  Identity based usage controls on web contents.

   Content Management:

   o  Identify and block malicious activities from web contents

   o  Attack mitigation using email cleaning and file scanning

   External Threat Management:

   o  Identify and block threats such as malware and botnets

4.2.  Managed Security Services for Enterprise users

   Enterprises are rapidly moving to the cloud.  This comes with more
   services consumed from the cloud instead of being deployed on their
   premises.  The reason for this is to cut costs and avoid constant
   HW/SW upgrades.

   The managed security services for Enterprise can be broken into two
   broad categories:

   External Threat Management:

   An Enterprise might subscribe to one of the following services.

   o  Clean pipe, which means the SP will filter known malware, botnets
      and attack vectors

   o  DDoS attack mitigation.

   o  Application and phishing attack mitigation

   o  Managed FW service as per Enterprise's requirements

   o  WAF for regulatory or compliance reasons such as PCI

   Lateral Threat Management:

   An Enterprise might subscribe to one of the following services in
   addition to connectivity services such as VPN.

   o  Detect threats moving from one location to another within the
      organization using IPS, IDP and malware analysis

   o  Encryption services

   o  Endpoint security compliance management

4.3.  Protect SP Infrastructure

   The SPs selling the security services must also protect their own
   infrastructure to ensure that there is no disruption to their
   customers.

   Threat Management:

   o  Manage DDoS attacks on networking and server infrastructure.

   o  Identify and block botnets and malware

   Robust Service Delivery:

   o  Deliver services such as VoIP, LTE, VPN in a secure manner

   o  Security for multi-tenant service delivery

   Gi FW: The set of security features needed to protect the SP's mobile
   infrastructure and mobile user handset.

   o  Encryption services to secure mobile user's identity

   o  Protocol attack mitigation using IPS, IDP and Application controls

   o  Block DoS/DDoS attack on mobile user end-point

   o  Block DoS/DDoS attack on EPC core elements

   o  Web content filtering

   GiLAN Services: The set of security services configured for mobile
   users.

   o  FW Services

   o  Clean pipe service

   MEC Service Delivery: The set of security features needed to deliver
   MEC services

   o  MEC server protection from DDoS and malware attacks

   o  Encryption services

5.  Enterprise Branch and Campus Use Cases

   The Enterprise Branch and Campus security use cases are simple and
   usually related to threat management from the Web.  These are
   categorized as follows:

   Threat Management:

   o  Manage DDoS attacks on networking and server infrastructure

   o  Identify and block application attacks using IPS and IDP

   o  Identify and block attacks from the Web using WAF

   o  Identify and block botnets and malware

   Access and Data Management:

   o  Isolation across various Enterprise functional groups

   o  Encryption service from Branch to Campus

   o  Block certain social media applications

   o  Data loss prevention by filtering social media contents

6.  Data Center Use Cases

   The Enterprise landscape is evolving rapidly due to virtualization
   and the move towards cloud based XaaS consumption models.  The data
   centers are now built with multi-vendor devices, in physical and
   virtual form factors.  This creates a problem for data center
   operators as the attack vectors multiply.

   The cloud data centers have more dimensions such as a large presence
   and multi-tenant environment, but must still deliver services in a
   secure manner.  The use cases in this category are fairly large and
   diverse, so we are listing the most common ones below:

   Threat Management: Same as above

   Regulatory and Compliance:

   o  Payment industry's PCI DSS

   o  Finance industry's GLBA

   o  Health industry's HIPAA

   o  Organization's resource (Data and Application) access policy based
      on location or device

7.  IANA Considerations

   This document requires no IANA actions.  RFC Editor: Please remove
   this section before publication.

8.  Acknowledgements

9.  Normative References

   [I-D.ietf-i2nsf-problem-and-use-cases]
              Hares, S., Dunbar, L., Lopez, D., Zarny, M., and C.
              Jacquenet, "I2NSF Problem Statement and Use cases",
              draft-ietf-i2nsf-problem-and-use-cases-01 (work in
              progress), July 2016.

Authors' Addresses

   Rakesh Kumar
   Juniper Networks
   1133 Innovation Way
   Sunnyvale, CA  94089
   US

   Email: rkkumar@juniper.net


   Anil Lohiya
   Juniper Networks
   1133 Innovation Way
   Sunnyvale, CA  94089
   US

   Email: alohiya@juniper.net


   Dave Qi
   Bloomberg
   731 Lexington Avenue
   New York, NY  10022
   US

   Email: DQI@bloomberg.net


   Xiaobo Long
   4 Cottonwood Lane
   Warren, NJ  07059
   US

   Email: long.xiaobo@gmail.com