[I2nsf] What kind of policy that can be dynamically sent to "Screen" feature (was RE: "draft-dunbar-i2nsf-problem-statement-02.txt" - few comments.

Linda Dunbar <linda.dunbar@huawei.com> Wed, 18 March 2015 11:26 UTC

From: Linda Dunbar <linda.dunbar@huawei.com>
To: Alexey Gorbunov <alexey.gorbunov82@gmail.com>, "i2nsf@ietf.org" <i2nsf@ietf.org>
Date: Wed, 18 Mar 2015 11:26:06 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2nsf/sZTFbxy8K8uKo7fziB86wAvcFFE>

Alexey,

You stated:
- “Screens” – Juniper calls it screens, Cisco doesn’t have a name for it. Basically it’s protection against well-known network attacks.
Is there any run time policy (based on some events) that can be sent to the “Screen” feature?

Thanks, Linda

From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Alexey Gorbunov
Sent: Tuesday, March 17, 2015 8:10 PM
To: i2nsf@ietf.org
Subject: [I2nsf] "draft-dunbar-i2nsf-problem-statement-02.txt" - few comments.

Hi Folks

Just read "draft-dunbar-i2nsf-problem-statement-02.txt" and would like to share my thoughts and concerns. From my point of view it’s better not to focus on the specific names but on the functionality of the network security function itself. Most probably the main use case for NSF is a virtual firewall with IPS/IDS and VPN capabilities. Openstack is the ideal candidate for NSF.

We already have a virtual firewall and it's good to look at its features and functionality. I summarized most of the firewall features below:

- Access-list. Defines which traffic is allowed to enter and pass the firewall.
  It's covered in https://tools.ietf.org/html/draft-ietf-netmod-acl-model-02
- Policy. Defines which traffic is allowed to pass the firewall and in which direction.
- DoS protection: multicast, broadcast rate limiting. DHCP, ARP protection and rate-limiting. Limitation of MAC-address numbers.
- “Screens” – Juniper calls it screens, Cisco doesn’t have a name for it. Basically it’s protection against well-known network attacks.
- “Intrusion prevention” – signatures of any malicious activity.
- VPN PKI – configuration of IPsec with PKI.
- Control-plane protection of the firewall itself.
- L7 filtering and proxy.
- Application detection. Some applications use TCP port 80 and most firewalls can detect it.
- Monitoring and reporting traffic. Something similar to Openflow, Jflow, etc.

What exactly is going to be covered by i2nsf? Is i2nsf going to meet in Dallas at IETF 92?

Thanks, everybody, for your attention to this email.

Alexey Gorbunov
Telco Cloud and Security Architect at Nokia
CCIE R&S 41088
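As an added illustration of the first two items in Alexey's list (access-list and direction-scoped policy) and of Linda's question about run-time updates, here is a small Python model of an ordered, first-match access-list with an implicit deny, plus a method that inserts a rule at run time in response to an event. This is example code written for this archive page, not code from the I2NSF drafts, the netmod ACL model, or any vendor product; the `Packet`, `Rule` and `Acl` types, the rule names and all addresses (from the RFC 5737 documentation ranges) are constructed here.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Hypothetical, simplified ACL model (not the netmod ACL YANG model):
# an ordered rule list, first matching rule wins, implicit deny at the end.


@dataclass
class Packet:
    src: str            # source IPv4 address
    dst: str            # destination IPv4 address
    proto: str          # "tcp", "udp" or "icmp"
    dport: Optional[int]
    direction: str      # "in" (entering the firewall) or "out"


@dataclass
class Rule:
    name: str
    action: str                               # "permit" or "deny"
    direction: str = "any"                    # "in", "out" or "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"                    # CIDR prefix
    dst: str = "0.0.0.0/0"
    dports: Optional[Tuple[int, int]] = None  # inclusive destination port range

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dports is not None:
            # A port range can only match protocols that carry ports.
            if pkt.dport is None:
                return False
            lo, hi = self.dports
            if not lo <= pkt.dport <= hi:
                return False
        return True


@dataclass
class Acl:
    rules: List[Rule] = field(default_factory=list)
    default_action: str = "deny"                 # implicit deny
    hits: Dict[str, int] = field(default_factory=dict)  # per-rule counters

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, rule name) for the first rule that matches."""
        for rule in self.rules:
            if rule.matches(pkt):
                self.hits[rule.name] = self.hits.get(rule.name, 0) + 1
                return rule.action, rule.name
        self.hits["implicit-default"] = self.hits.get("implicit-default", 0) + 1
        return self.default_action, "implicit-default"

    def insert_rule(self, rule: Rule, before: Optional[str] = None) -> int:
        """Run-time update: insert ahead of the named rule, or append.

        Returns the index at which the rule now sits. Ordering matters
        because of first-match semantics, so the caller chooses the slot.
        """
        if before is not None:
            for i, existing in enumerate(self.rules):
                if existing.name == before:
                    self.rules.insert(i, rule)
                    return i
        self.rules.append(rule)
        return len(self.rules) - 1


def build_sample_acl() -> Acl:
    """Constructed sample policy: drop inbound traffic claiming an internal
    source, allow inbound HTTPS to one host, allow everything outbound."""
    return Acl(rules=[
        Rule("spoofed-internal-in", "deny", direction="in", src="10.0.0.0/8"),
        Rule("web-in", "permit", direction="in", proto="tcp",
             dst="192.0.2.10/32", dports=(443, 443)),
        Rule("allow-out", "permit", direction="out"),
    ])


def block_source_on_event(acl: Acl, offending_src: str) -> int:
    """Event-driven policy push: put a deny for one source at the top."""
    rule = Rule(f"event-block-{offending_src}", "deny",
                direction="in", src=f"{offending_src}/32")
    return acl.insert_rule(rule, before=acl.rules[0].name if acl.rules else None)


if __name__ == "__main__":
    acl = build_sample_acl()
    print(acl.evaluate(Packet("198.51.100.7", "192.0.2.10", "tcp", 443, "in")))
    print(acl.evaluate(Packet("198.51.100.7", "192.0.2.10", "tcp", 22, "in")))
    block_source_on_event(acl, "203.0.113.9")
    print(acl.evaluate(Packet("203.0.113.9", "192.0.2.10", "tcp", 443, "in")))
    print(acl.hits)
```

The `hits` counters stand in for the "monitoring and reporting" item: a controller that pushes a rule at run time can read them back to confirm the rule is actually matching traffic, which is the feedback loop an event-driven policy interface needs.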