I2NSF Working Group                                            R. Kumar
Internet-Draft                                                A. Lohiya
Intended status: Informational                         Juniper Networks
Expires: February 4, 2017                                         D. Qi
                                                              Bloomberg
                                                                X. Long
                                                         August 3, 2016

                 Security Controller: Use Case Summary
                draft-kumar-i2nsf-controller-use-cases-00

Abstract

   This document provides use cases for the I2NSF security controller.
   The use cases described here are drawn from a wide variety of
   deployment scenarios in multiple market segments.  They are intended
   to help in developing a comprehensive set of client interfaces.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 4, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions Used in this Document
   3.  Security users
     3.1.  Telecommunication Service Provider
     3.2.  Enterprise
     3.3.  Cloud Service Provider
   4.  SP Use Cases
     4.1.  Managed Security Services for residential mobile and SMB
           users
     4.2.  Managed Security Services for Enterprise users
     4.3.  Protect SP Infrastructure
   5.  Enterprise Branch and Campus Use Cases
   6.  Data Center Use Cases
   7.  IANA Considerations
   8.  Acknowledgements
   9.  Normative References
   Authors' Addresses

1.  Introduction

   In order to define and build client interfaces for the I2NSF security
   controller, we must understand the security industry landscape from
   the user's perspective and determine where I2NSF work could be
   valuable.  A set of use cases helps I2NSF develop a client interface
   framework that applies to a wide variety of deployment scenarios.
   Without such a set, it is hard to know whether the client interfaces
   developed by the I2NSF WG actually meet the targeted industry
   requirements.

   This draft attempts to categorize security users into market
   segments and to list the common use cases in each segment.  This is
   by no means a complete list, but an attempt to capture the most
   common use cases.

2.  Conventions Used in this Document

   EPC: (3GPP) Evolved Packet Core.

   FW: Firewall.

   HW: Hardware.

   GLBA: Gramm-Leach-Bliley Act.

   HIPAA: Health Insurance Portability and Accountability Act.

   IDP: Intrusion Detection and Prevention.

   IDS: Intrusion Detection System.

   IPS: Intrusion Prevention System.

   MEC: Mobile Edge Computing (ETSI MEC).

   NSF: Network Security Function, defined by
   [I-D.ietf-i2nsf-problem-and-use-cases].

   PCI DSS: Payment Card Industry Data Security Standard.

   RBAC: Role Based Access Control.

   SP: (Telecom) Service Provider.

   SW: Software.
   SMB: Small and Medium-sized Business.

   WAF: Web Application Firewall.

   XaaS: Everything As a Service.

3.  Security users

   There is a need for security solutions in almost every market
   segment, but the use cases vary based on the requirements of that
   segment.  It would not be feasible to look at every industry and
   list all the use cases.  Instead, we categorize the industry into
   groups or domains, with each group having similar use cases.

3.1.  Telecommunication Service Provider

   Service providers need a large network presence to provide
   connectivity services to their clients and usually divide the large
   network into multiple domains or zones.  We consider two such
   segments for security use cases.

   Access: This part of the network usually deals with basic
   connectivity, but lately it is undergoing rapid change as services
   are deployed at the edge for various use cases.  ETSI MEC is a new
   industry specification group in this space.

   Core: This is where a service provider deploys 3G, 4G and other
   managed services.  The SP's data center hosts the applications that
   deliver these services.

3.2.  Enterprise

   The Enterprise network varies with the organization's size and
   needs.  We consider the following segments for use cases.

   Branch: An organization's remote location that hosts workers and,
   for efficiency reasons, some applications and data.

   Campus: An organization's regional or corporate headquarters where
   workers and applications are hosted.  A small or medium Enterprise
   may have just one location where all workers and applications are
   hosted.

   Data Center: A large Enterprise may have multiple hosting locations
   for its applications and data.

3.3.  Cloud Service Provider

   The primary use cases for a cloud service provider are related to
   managed security services and the security needs of applications
   deployed in the public cloud.

   Data Center: The Cloud Service Provider may have one or more
   locations from which it delivers all its services.

4.  SP Use Cases

   This includes residential and enterprise users with different
   requirements.

4.1.  Managed Security Services for residential mobile and SMB users

   The SP provides these as managed security services, which may be
   bundled in the subscription or sold separately.

   These services can be broadly categorized as follows:

   Parental Control:

   o  Block inappropriate web content based on identity.

   o  Filter web URLs.

   o  Identity-based usage controls on web content.

   Content Management:

   o  Identify and block malicious activity in web content.

   o  Attack mitigation using email cleaning and file scanning.

   External Threat Management:

   o  Identify and block threats such as malware and botnets.

4.2.  Managed Security Services for Enterprise users

   Enterprises are rapidly moving to the cloud, consuming more services
   from the cloud instead of deploying them on premise.  The reasons
   are to cut costs and avoid constant HW/SW upgrades.

   The managed security services for Enterprise can be broken into two
   broad categories:

   External Threat Management:

   An Enterprise might subscribe to one of the following services.

   o  Clean pipe, which means the SP filters known malware, botnets and
      attack vectors.

   o  DDoS attack mitigation.

   o  Application and phishing attack mitigation.

   o  Managed FW service as per the Enterprise's requirements.

   o  WAF for regulatory or compliance reasons such as PCI DSS.

   Lateral Threat Management:

   An Enterprise might subscribe to one of the following services in
   addition to connectivity services such as VPN.
   o  Detect threats moving from one location to another within the
      organization using IPS, IDP and malware analysis.

   o  Encryption services.

   o  Endpoint security compliance management.

4.3.  Protect SP Infrastructure

   SPs selling security services must also protect their own
   infrastructure to ensure that there is no disruption to their
   customers.

   Threat Management:

   o  Manage DDoS attacks on networking and server infrastructure.

   o  Identify and block botnets and malware.

   Robust Service Delivery:

   o  Deliver services such as VoIP, LTE and VPN in a secure manner.

   o  Security for multi-tenant service delivery.

   Gi FW: The set of security features needed to protect the SP's mobile
   infrastructure and the mobile user's handset.

   o  Encryption services to secure the mobile user's identity.

   o  Protocol attack mitigation using IPS, IDP and application
      controls.

   o  Block DoS/DDoS attacks on mobile user end-points.

   o  Block DoS/DDoS attacks on EPC core elements.

   o  Web content filtering.

   GiLAN Services: The set of security services configured for mobile
   users.

   o  FW services.

   o  Clean pipe service.

   MEC Service Delivery: The set of security features needed to deliver
   MEC services.

   o  MEC server protection from DDoS and malware attacks.

   o  Encryption services.

5.  Enterprise Branch and Campus Use Cases

   The Enterprise Branch and Campus security use cases are simple and
   usually related to threat management from the Web.  These are
   categorized as follows:

   Threat Management:

   o  Manage DDoS attacks on networking and server infrastructure.

   o  Identify and block application attacks using IPS and IDP.

   o  Identify and block attacks from the Web using WAF.

   o  Identify and block botnets and malware.

   Access and Data Management:

   o  Isolation across Enterprise functional groups.

   o  Encryption service from Branch to Campus.

   o  Block certain social media applications.

   o  Data loss prevention by filtering social media content.

6.  Data Center Use Cases

   The Enterprise landscape is evolving rapidly due to virtualization
   and the move towards cloud-based XaaS consumption models.  Data
   centers are now built with multi-vendor devices, in physical and
   virtual form factors.  This creates a problem for data center
   operators as the attack vectors multiply.

   Cloud data centers have more dimensions, such as a large presence and
   a multi-tenant environment, but must still deliver services in a
   secure manner.  The use cases in this category are fairly large and
   diverse, so we list the most common ones below:

   Threat Management: Same as in Section 5.

   Regulatory and Compliance:

   o  Payment industry's PCI DSS.

   o  Finance industry's GLBA.

   o  Health industry's HIPAA.

   o  Organization's resource (data and application) access policy
      based on location or device.

7.  IANA Considerations

   This document requires no IANA actions.  RFC Editor: Please remove
   this section before publication.

8.  Acknowledgements

9.  Normative References

   [I-D.ietf-i2nsf-problem-and-use-cases]
              Hares, S., Dunbar, L., Lopez, D., Zarny, M., and C.
              Jacquenet, "I2NSF Problem Statement and Use cases",
              draft-ietf-i2nsf-problem-and-use-cases-01 (work in
              progress), July 2016.
Authors' Addresses

   Rakesh Kumar
   Juniper Networks
   1133 Innovation Way
   Sunnyvale, CA 94089
   US

   Email: rkkumar@juniper.net


   Anil Lohiya
   Juniper Networks
   1133 Innovation Way
   Sunnyvale, CA 94089
   US

   Email: alohiya@juniper.net


   Dave Qi
   Bloomberg
   731 Lexington Avenue
   New York, NY 10022
   US

   Email: DQI@bloomberg.net


   Xiaobo Long
   4 Cottonwood Lane
   Warren, NJ 07059
   US

   Email: long.xiaobo@gmail.com