Interface to Network Security Functions (I2NSF) L. Xia Internet-Draft Q. Lin Intended status: Standards Track Huawei Expires: January 3, 2018 July 2, 2017 Policy Object for Interface to Network Security Functions (I2NSF) draft-xia-i2nsf-security-policy-object-01 Abstract This document describes policy object used in the Interface to Network Security Functions (I2NSF) policy rules to provide re- usability and defines essential attributes for each policy object. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 3, 2018. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Xia & Lin Expires January 3, 2018 [Page 1] Internet-Draft Policy Object for I2NSF July 2017 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 4 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. Policy Object . . . . . . . . . . . . . . . . . . . . . . . . 4 4.1. Address Object . . . . . . . . . . . . . . . . . . . . . 5 4.1.1. The addressName Attribute . . . . . . . . . . . . . . 5 4.1.2. The addressRange Attribute . . . . . . . . . . . . . 5 4.2. Address Group Object . . . . . . . . . . . . . . . . . . 6 4.2.1. The addressGroupName Attribute . . . . . . . . . . . 6 4.2.2. The addressReference Attribute . . . . . . . . . . . 6 4.2.3. The addressRange Attribute . . . . . . . . . . . . . 6 4.3. Service Object . . . . . . . . . . . . . . . . . . . . . 7 4.3.1. The serviceName Attribute . . . . . . . . . . . . . . 7 4.3.2. The serviceList Attribute . . . . . . . . . . . . . . 7 4.3.2.1. The serviceProtocol Attribute . . . . . . . . . . 7 4.3.2.2. The serviceProtocolNumber Attribute . . . . . . . 8 4.3.2.3. The serviceICMPType Attribute . . . . . . . . . . 8 4.3.2.4. The serviceICMPCode Attribute . . . . . . . . . . 8 4.3.2.5. The serviceSourcePort Attribute . . . . . . . . . 8 4.3.2.6. The serviceDestinationPort Attribute . . . . . . 8 4.4. Service Group Object . . . . . . . . . . . . . . . . . . 8 4.4.1. The serviceGroupName Attribute . . . . . . . . . . . 9 4.4.2. The serviceReference Attribute . . . . . . . . . . . 9 4.5. Application Object . . . . . . . . . . . . . . . . . . . 9 4.5.1. The applicationName Attribute . . . . . . . . . . . . 9 4.5.2. The applicationCategory Attribute . . . . . . . . . . 9 4.5.3. The applicationSubCategory Attribute . . . . . . . . 9 4.5.4. The applicationTransmissionModel Attribute . . . . . 10 4.5.5. The applicationVulnerability Attribute . . . . . . . 10 4.5.6. The applicationRiskLevel Attribute . . . . . . . . . 10 4.6. Application Group Object . . . . . . . . . . . . . . . . 10 4.6.1. The applicationGroupName Attribute . . . . . . . . . 10 4.6.2. The applicationReference Attribute . . . . . . . . . 10 4.7. Schedule Object . . . . . . . . . . . . . . . . . . . . . 10 4.7.1. The scheduleName Attribute . . . . . . . . . . . . . 11 4.7.2. The scheduleList Attribute . . . . . . . . . . . . . 11 4.7.2.1. The scheduleType Attribute . . . . . . . . . . . 11 4.7.2.2. The scheduleStartTime Attribute . . . . . . . . . 11 4.7.2.3. The scheduleEndTime Attribute . . . . . . . . . . 11 4.7.2.4. The scheduleWeekDay Attribute . . . . . . . . . . 11 4.8. User Object . . . . . . . . . . . . . . . . . . . . . . . 11 4.8.1. The userName Attribute . . . . . . . . . . . . . . . 12 4.8.2. The userParentGroup Attribute . . . . . . . . . . . . 12 4.8.3. The userSecurityGroup Attribute . . . . . . . . . . . 12 4.8.4. The userDomain Attribute . . . . . . . . . . . . . . 12 4.8.5. The userPassword Attribute . . . . . . . . . . . . . 13 Xia & Lin Expires January 3, 2018 [Page 2] Internet-Draft Policy Object for I2NSF July 2017 4.8.6. The userExpirationTime Attribute . . . . . . . . . . 13 4.9. User Group Object . . . . . . . . . . . . . . . . . . . . 13 4.9.1. The userGroupName Attribute . . . . . . . . . . . . . 13 4.9.2. The userGroupParentGroup Attribute . . . . . . . . . 13 4.9.3. The userGroupDomain Attribute . . . . . . . . . . . . 13 4.9.4. The userGroupReference Attribute . . . . . . . . . . 13 4.10. Security Group Object . . . . . . . . . . . . . . . . . . 13 4.10.1. The securityGroupName Attribute . . . . . . . . . . 14 4.10.2. The securityGroupParentGroup Attribute . . . . . . . 14 4.10.3. The securityGroupDomain Attribute . . . . . . . . . 14 4.10.4. The securityGroupType Attribute . . . . . . . . . . 14 4.10.5. The securityGroupReference Attribute . . . . . . . . 14 4.10.6. The securityGroupFilters Attribute . . . . . . . . . 14 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 7. Security Considerations . . . . . . . . . . . . . . . . . . . 14 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 8.1. Normative References . . . . . . . . . . . . . . . . . . 15 8.2. Informative References . . . . . . . . . . . . . . . . . 15 Appendix A. Application Attributes . . . . . . . . . . . . . . . 15 A.1. Category and Subcategory . . . . . . . . . . . . . . . . 15 A.2. Data Transmission Model . . . . . . . . . . . . . . . . . 16 A.3. Vulnerability . . . . . . . . . . . . . . . . . . . . . . 17 Appendix B. Example of Application Scenario for Policy Object . 17 B.1. Security Policy Control for Marketing Departments . . . . 20 B.2. Security Policy Control for R&D Departments . . . . . . . 20 B.3. Security Policy Control for Server Access of Internet Users . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 21 1. Introduction I2NSF policy consists of policy rules that are used to provision NSF instances. The I2NSF policy rule is defined by using "Event- Condition-Action" (ECA) model described in I2NSF framework draft [I-D.ietf-i2nsf-framework]. In the ECA model, a condition is used to determine whether or not the predefined actions should be executed. A condition usually consists of several attributes. Information Model of NSFs Capabilities [I-D.ietf-i2nsf-capability] describes attributes of different condition subclasses. When configuring policy rules by attributes, it is common to see that the same attribute or the same set of several attributes are configured for several times or more. And modifications of the policy rules are also very tedious and time-consuming. To facilitate the provisioning of NSF instances, this document describes a set of policy objects which are reusable and can be referenced by variable I2NSF policy rules. A policy object consists Xia & Lin Expires January 3, 2018 [Page 3] Internet-Draft Policy Object for I2NSF July 2017 of a name attribute that identifies itself and one or several attributes that are typically used together to represent a certain condition. For example, protocol type and port number are usually used together to represent a certain service. Each policy object is predefined and named in order to be used in I2NSF policy rules. By defining policy objects, the creation and maintenance of policy rules are greatly simplified. o A policy object can be referenced in different policy rules as required to provide re-usability. And a policy rule can reference several policy objects. o The modification of a policy object will be propagated to the I2NSF policy rules that reference this object. No modification should be made to the related policy rules. In this document, a set of policy objects are described, and for each policy object, several essential attributes are defined. 2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 3. Terminology This document uses the terminology described in Interface to Network Security Functions (I2NSF) Terminology [I-D.ietf-i2nsf-terminology]. 4. Policy Object IP addresses, port numbers, protocol types, services, applications, user accounts are commonly used attributes to determine whether a certain condition occurs. In real-world deployment, these attributes are often configured for many times. The definition of policy objects could help to minimize the configuration effort and provide simplicity. Figure 1 shows the policy objects defined in this document and their relationships. Xia & Lin Expires January 3, 2018 [Page 4] Internet-Draft Policy Object for I2NSF July 2017 +-----------------------------------------------------------------+ | Policy Object | +-----------------------------------------------------------------+ | | | | | | | | | | | | +-------+ +-------+ +-----------+ +-----+ +--------+ | |Address| |Service| |Application| |User | |Security| | |Group | |Group | |Group | |Group| |Group | | +-------+ +-------+ +-----------+ +-----+ +--------+ | | | | | | | | | | +---------+ | | | | | | +-------+ +-------+ +-----------+ +------+ +--------+ |Address| |Service| |Application| |User | |Schedule| |Object | |Object | |Object | |Object| |Object | +-------+ +-------+ +-----------+ +------+ +--------+ Figure 1: The Policy Objects Overview 4.1. Address Object A of IPv4/IPv6 addresses or MAC addresses can be defined as an address object, which may belongs to an address group object. An address object consists of the following attributes: 4.1.1. The addressName Attribute This attribute defines a unique name for the address object. 4.1.2. The addressRange Attribute This attribute defines a set of IPv4/IPv6 addresses or MAC addresses, or a range of contiguous IPv4/IPv6 addresses. An IPv4 address range can be defined by one of the following representations: o IPv4 address with wildcard mask, e.g., 10.10.1.2\0.0.0.255. o IPv4 address with subnet mask (subnet mask address or length of the subnet mask), e.g., 10.10.1.2/255.255.255.0 or 10.10.1.2/32. o Start address and end address of the IPv4 address range, e.g., 10.10.1.2-10.10.1.254. An IPv6 address range can be defined by one of the following representations: Xia & Lin Expires January 3, 2018 [Page 5] Internet-Draft Policy Object for I2NSF July 2017 o IPv6 address with length of the prefix, e.g., a234::120/120. o Start address and end address of the IPv6 address range, e.g., a231::a237-b231::b237. 4.2. Address Group Object An address group object is comprised of several address items that require the same policy enforcement. An address item can be an IPv4/ IPv6 address, or a MAC address, or a range of contiguous IPv4/IPv6 addresses, or existing address object, or existing address group object. An address group object consists of the following attributes: 4.2.1. The addressGroupName Attribute This attribute defines a unique name for the address group object. 4.2.2. The addressReference Attribute This attribute refers to the existing address objects or existing address group objects identified by their unique names. 4.2.3. The addressRange Attribute This attribute is the same as the addressRange attribute of address object. It can define a set of IPv4/IPv6 addresses or MAC addresses, or a range of contiguous IPv4/IPv6 addresses. An IPv4 address range can be defined by one of the following representations: o IPv4 address with wildcard mask, e.g., 10.10.1.2\0.0.0.255. o IPv4 address with subnet mask (subnet mask address or length of the subnet mask), e.g., 10.10.1.2/255.255.255.0 or 10.10.1.2/32. o Start address and end address of the IPv4 address range, e.g., 10.10.1.2-10.10.1.254. An IPv6 address range can be defined by one of the following representations: o IPv6 address with length of the prefix, e.g., a234::120/120. o Start address and end address of the IPv6 address range, e.g., a231::a237-b231::b237. Xia & Lin Expires January 3, 2018 [Page 6] Internet-Draft Policy Object for I2NSF July 2017 4.3. Service Object A service object can be a single service based on IP, or ICMP, or UDP, or TCP, or SCTP and it can also contain a set of services. To identify services based on different protocols, different attributes should be specified (see Section 4.3.2 The serviceList Attribute). o IP based service is recognized by the value of the protocol field in IP packet header. o ICMP or ICMPv6 based service is recognized by two header fields in the ICMP or ICMPv6 packets: type field and code field. o UDP, TCP, or SCTP based service is recognized by port number. The source port number and destination port number are used to identify the sending and receiving service respectively. A set of well-known services should be predefined by NSFs as service objects to support direct reference. A service object consists of the following attributes: 4.3.1. The serviceName Attribute This attribute defines a unique name for the service object. 4.3.2. The serviceList Attribute This attribute defined a set of services. Each service can be defined by a subset of the following sub-attributes, according to the protocol on which the service is based. o For IP based service, the serviceProtocolNumber attribute should be specified. o For ICMP or ICMPv6 based service, the serviceICMPType attribute and serviceICMPCode attribute should be specified. o For UDP, TCP, or SCTP based service, the serviceSourcePort attribute and serviceDestinationPort attribute should be specified. 4.3.2.1. The serviceProtocol Attribute This attribute defines the protocol type on which the service is based, IP, ICMP, ICMPv6, TCP, UDP, or SCTP. Xia & Lin Expires January 3, 2018 [Page 7] Internet-Draft Policy Object for I2NSF July 2017 4.3.2.2. The serviceProtocolNumber Attribute This attribute defines the protocol number for IP based service. The protocol number is the value of protocol field in IP packet header which identifies the corresponding upper layer protocol. For example, to define a service object for IPsec Encapsulating Security Payload, this attribute should be set to 50. 4.3.2.3. The serviceICMPType Attribute This attribute defines the ICMP/ICMPv6 type number for ICMP/ICMPv6 based service. This attribute shall be used together with serviceICMPCode attribute. For example, to define a service object for IPv4 ping request, this attribute should be set to 8 and serviceICMPCode attribute should be set to 0. 4.3.2.4. The serviceICMPCode Attribute This attribute defines the ICMP/ICMPv6 message code for ICMP/ICMPv6 based service. This attribute shall be used together with serviceICMPType attribute. For example, to define a service object for IPv6 ping request, this attribute should be set to 0 and serviceICMPCode should be set to 128. 4.3.2.5. The serviceSourcePort Attribute This attribute defines the source port number for service based on TCP, UDP or SCTP. The value could be a single port number which identifies a single service, or a range of port numbers which identify a family of services or several services in consecutive port numbers. For example, to define a service object using port number greater or equal to 1024 and enforce security policy on the traffic that this object sends out, this attribute should be set as a port range, 1024-65535. 4.3.2.6. The serviceDestinationPort Attribute This attribute defines the destination port number for service based on TCP, UDP or SCTP. The value could be a single port number or a range of port numbers. For example, to define a service object for HTTP and enforce security policy on the traffic that communicates with this service object, this attribute should be set to 80. 4.4. Service Group Object A service group object is a collection of service objects that require the same policy enforcement. It consists of the following attributes: Xia & Lin Expires January 3, 2018 [Page 8] Internet-Draft Policy Object for I2NSF July 2017 4.4.1. The serviceGroupName Attribute This attribute defines a unique name for the service group object. 4.4.2. The serviceReference Attribute This attribute refers to the existing service objects or service group objects identified by their unique names. 4.5. Application Object Due to the diversity and large amount of applications, it is not able to identify a certain application based on protocol type and port number. For example, there are many web applications with different risk levels run on ports 80 and 443 using HTTP and HTTPS, such as web gaming application and web chat application. Protocol type and port number could not distinguish applications using the same application protocol. In this document, category, subcategory, data transmission model, vulnerability, and risk level are used to describe an application. A set of well-known application objects should be predefined in NSFs to support direct reference. For a newly created application object, the rules for NSFs to identify this application in the traffic should be configured. In this document, the configuration of these rules is out of scope. An application object consists of the following attributes: 4.5.1. The applicationName Attribute This attribute defines a unique name for the application object. 4.5.2. The applicationCategory Attribute This attribute defines the category for the application. The value of this attribute is selected from a predefined set of categories, e.g., general category, network category. Values of this attribute are defined in Appendix A.1. Each category is broken down into several subcategories. 4.5.3. The applicationSubCategory Attribute This attribute defines the subcategory for the application. The value of this attribute is selected from the predefined subcategories of a category. For example, the entertainment category has seven subcategories, and Facebook application belongs to social networking subcategory. (See Appendix A.1 for details about subcategory and examples of applications belong to each subcategory.) Xia & Lin Expires January 3, 2018 [Page 9] Internet-Draft Policy Object for I2NSF July 2017 4.5.4. The applicationTransmissionModel Attribute This attribute defines the data transmission model of the application. Four types of data transmission model are defined in this document: client/server, browser-based, network protocol, peer- to-peer. (See Appendix A.2 for more details.) 4.5.5. The applicationVulnerability Attribute This attribute describes a set of possible threats for the application. The values of this attribute are selected from a predefined set of vulnerabilities, e.g., exploitable, bandwidth consuming. (See Appendix A.3 for more details.) 4.5.6. The applicationRiskLevel Attribute This attribute defines a risk level for the application. The value of this attribute is selected from a predefined number of risk levels, e.g., 5 risk levels. The risk level is determined by the vulnerabilities of this application object. 4.6. Application Group Object An application group object is a collection of application objects that will be processed according to the same security policy. It consists of the following attributes: 4.6.1. The applicationGroupName Attribute This attribute defines a unique name for the application group object. 4.6.2. The applicationReference Attribute This attribute refers to the existing application objects or application group objects identified by their unique names. 4.7. Schedule Object A schedule object is a set of time ranges. There are two kinds of time ranges: periodic time range and absolute time range. A periodic time range occurs every week. An absolute time range occurs only once. A schedule object consists of the following attributes: Xia & Lin Expires January 3, 2018 [Page 10] Internet-Draft Policy Object for I2NSF July 2017 4.7.1. The scheduleName Attribute This attribute defines a unique name for the schedule object. 4.7.2. The scheduleList Attribute This attribute defines a set of time ranges. A time range can be defined by the following sub-attributes. o For a periodic time range, the start and end time in a day, and the days in a week that it takes effect, should be specified. o For an absolute time range, the start time and date, and the end time and date, should be specified. 4.7.2.1. The scheduleType Attribute This attribute defines the type of a time range, periodic, absolute. 4.7.2.2. The scheduleStartTime Attribute For a periodic time range, this attribute defines the start time in a week day, such as 9:00 am. For an absolute time range, this attribute defines the start time and start date, such as 00:00 am 2017-07-03. 4.7.2.3. The scheduleEndTime Attribute For a periodic time range, this attribute defines the end time in a week day, such as 18:00 pm. For an absolute time range, this attribute defines the end time and end date, such as 23:59 pm 2017-07-03. 4.7.2.4. The scheduleWeekDay Attribute This attribute defines the days in a week that the periodic time range takes effect. For example, to define working hours in a week, the scheduleStartTime can be set to 9:00 am, the scheduleEndTime can be set to 18:00 pm, and this attribute should contain fives days, from Monday to Friday. 4.8. User Object A user object identifies a person who may access network resources. It is the basis of implementing user-based policy control. The user objects may be created locally on the NSFs, or be imported from third parties, such as authentication servers. User objects that require the same policy enforcement are grouped as user group objects or Xia & Lin Expires January 3, 2018 [Page 11] Internet-Draft Policy Object for I2NSF July 2017 security group objects. The user group objects are organized as a hierarchical structure, See Figure 2. A security group object consists of user objects from different user group objects that require the same policy enforcement. +---------------------------+ | UserGroup_3 | +---------------------------+ | | | | +--------------+ +--------------+ | UserGroup_1 | | UserGroup_2 | +--------------+ +--------------+ | | | | | | | | +--------+ +--------+ +--------+ +--------+ | User_1 | | User_2 | | User_a | | User_b | +--------+ +--------+ +--------+ +--------+ Figure 2: Hierarchical Structure of User Group A user object consists of the following attributes: 4.8.1. The userName Attribute This attribute refers to the user name that used for user authentication. 4.8.2. The userParentGroup Attribute This attribute refers to the existing parent user group object to which this user object belongs. The parent user group object is identified by its unique name. A user object can only belong to one user group object. 4.8.3. The userSecurityGroup Attribute This attribute refers to the existing security group object to which this user object belongs. The security user group object is identified by its unique name. A user object can belong to several security group objects. 4.8.4. The userDomain Attribute This attribute refers to the authentication domain to which this user object belongs. Xia & Lin Expires January 3, 2018 [Page 12] Internet-Draft Policy Object for I2NSF July 2017 4.8.5. The userPassword Attribute If user is authenticated locally on the NSF, this attribute is mandatory. It defines the password corresponding to the user name. 4.8.6. The userExpirationTime Attribute This attribute defines when will this user object expire. 4.9. User Group Object A user object group is a collection of user objects that require the same policy enforcement and it usually corresponds to a physical entity such as a department. The user group objects are organized as a hierarchical structure. A user group object may belong to another user group object. The user group objects may be created locally on the NSFs, or be imported from third parties, such as authentication servers. It consists of the following attributes: 4.9.1. The userGroupName Attribute This attribute defines a unique name for the user group object. 4.9.2. The userGroupParentGroup Attribute This attribute refers to the existing parent user group object to which this user group object belongs. The parent user group object is identified by its unique name. A user group object can only belong to one parent user group object. 4.9.3. The userGroupDomain Attribute This attribute refers to the authentication domain to which this user group object belongs. 4.9.4. The userGroupReference Attribute This attribute refers to the existing user objects or user group objects which belong to this user group object. 4.10. Security Group Object A security group object consists of user objects from different user group objects that require the same policy enforcement. The security group objects may be created locally on the NSFs, or be imported from third parties, such as authentication servers. This attribute consists of the following attributes: Xia & Lin Expires January 3, 2018 [Page 13] Internet-Draft Policy Object for I2NSF July 2017 4.10.1. The securityGroupName Attribute This attribute defines a unique name for the security group object. 4.10.2. The securityGroupParentGroup Attribute This attribute refers to the existing parent security group objects to which this security group object belongs. The parent security group objects are identified by their unique names. 4.10.3. The securityGroupDomain Attribute This attribute refers to the authentication domain to which this security group object belongs. 4.10.4. The securityGroupType Attribute This attribute defines the type of the security group object. There are two types: static and dynamic. For static security group, the member objects are fixed and added as required. For dynamic security group, the member objects are dynamically generated by setting filtering rules. 4.10.5. The securityGroupReference Attribute This attribute defines the member objects for static security group object. It refers to the existing user objects or security group objects which belong to this security group object. 4.10.6. The securityGroupFilters Attribute This attribute defines the filtering rules for dynamic security group object. 5. Acknowledgements 6. IANA Considerations This document requires no IANA actions. 7. Security Considerations When the policy objects are transmitted, the integrity of these policy objects should be guaranteed. NSFs should verify that the modifications of policy objects come from the authenticated security controller. And NSF should protect the stored policy objects from being tampered. Xia & Lin Expires January 3, 2018 [Page 14] Internet-Draft Policy Object for I2NSF July 2017 8. References 8.1. Normative References [I-D.ietf-i2nsf-capability] Xia, L., Strassner, J., Basile, C., and D. Lopez, "Information Model of NSFs Capabilities", 2017, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . 8.2. Informative References [I-D.ietf-i2nsf-framework] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. Kumar, "Framework for Interface to Network Security Functions", 2017, . [I-D.ietf-i2nsf-terminology] Hares, S., Strassner, J., Lopez, D., Xia, L., and H. Birkholz, "Interface to Network Security Functions (I2NSF) Terminology", 2017, . Appendix A. Application Attributes An application object is described by five items, category, subcategory, data transmission model, vulnerability and risk level. This appendix illustrates the possible values of applicationCategory attribute, applicationSubCategory attribute, applicationTransmissionModel attribute and applicationVulnerability attribute. A.1. Category and Subcategory This section lists the possible values for applicationCategory attribute and applicationSubCategory attribute. Xia & Lin Expires January 3, 2018 [Page 15] Internet-Draft Policy Object for I2NSF July 2017 +-------------------+------------------------+------------------------+ | Category | Subcategory | Example | +-------------------+------------------------+------------------------+ | General | General_TCP | TCP-based applications | | | General_UDP | UDP-based applications | | | Other | Error_Packets | +-------------------+------------------------+------------------------+ | Network | IP_Protocol | ICMP, IGMP, OSPF | | | Encrypted_Tunnel | GRE, L2TP, IKEv2 | | | Infrastructure | FTP, HTTP, DNS | | | Proxy | HTTP_Proxy | | | Network_Admin | Syslog | +-------------------+------------------------+------------------------+ | General_Internet | Search_Engine | www.google.com | | | Web_Content_Aggregate | FeedReader | | | Utility | Google Earth | | | Web_Desktop | Zimbra Desktop | | | Browser_Plugin | Adobe | | | File_Sharing | XDCC | | | FileShare_P2P | BT, Thunder | | | Network_Storage | DBank | | | App_Download | AndroidMarket | | | Software_Update | WindowsUpdate | | | Web_Browsing | OperaMobile | +-------------------+------------------------+------------------------+ | Entertainment | Social_Networking | Facebook, Twitter | | | Instant_Messaging | QQ, MSN | | | Media_Sharing | RayV | | | Peer_Casting | QQLive | | | Web_Video | YouKu, YouTube | | | Game | QQGame | | | VoIP | Skype | +-------------------+------------------------+------------------------+ | Business_Systems | Electronic_Business | Taobao | | | Remote_Access | Radmin | | | Database | Oracle | | | Finance | DaZhiHui, Fix | | | Enterprise_Application | LotusNotes | | | Internet_Conferencing | NetMeeting | | | Data_Backup | Rsync | | | Email | GMail | +-------------------+------------------------+------------------------+ A.2. Data Transmission Model This section lists four types of models for applicationTransmissionModel attribute. Xia & Lin Expires January 3, 2018 [Page 16] Internet-Draft Policy Object for I2NSF July 2017 +------------------+----------------------------------------------------+ | Model | Description | +------------------+----------------------------------------------------+ | Client/Server | One or more client applications communicate with a | | | communicate with a sever | +------------------+----------------------------------------------------+ | Browser-Based | Applications run on web browser | +------------------+----------------------------------------------------+ | Network Protocol | Applications that is used for system-to-system | | | communication | +------------------+----------------------------------------------------+ | Peer-to-Peer | Applications directly communicate with each other | +------------------+----------------------------------------------------+ A.3. Vulnerability This section lists five types of possible risks for applicationVulnerabiltiy attribute. +---------------------+-------------------------------------------------+ | Vulnerability | Description | +---------------------+-------------------------------------------------+ | Exploitable | Has known vulnerabilities | +---------------------+-------------------------------------------------+ | Evasive | Used to evade the original purpose and traverse | | | the firewall, for example, a proxy software | +---------------------+-------------------------------------------------+ | Data Loss | Used for transferring files or uploading texts, | | | may cause information leaks | +---------------------+-------------------------------------------------+ | Used by Malware | Used by malware for propagation, attack, or | | | data theft, or distributed with malware | +---------------------+-------------------------------------------------+ | Bandwidth Consuming | Consume large bandwidths | +---------------------+-------------------------------------------------+ Appendix B. Example of Application Scenario for Policy Object This appendix describes the utilization of policy objects in policy rules for enterprise scenario. NSFs are key components to protect security in enterprise network. For the typical architecture of an enterprise network, NSFs are deployed on-premise at network perimeter. The inbound and outbound traffic of the enterprise network are processed according to the predefined security policies rules. Xia & Lin Expires January 3, 2018 [Page 17] Internet-Draft Policy Object for I2NSF July 2017 Figure 3 demonstrates an example of enterprise network topology. Firewall is a typical NSF that used at the network perimeter to protect enterprise intranet. Assuming that the firewall should be provisioned to provide different network access controls for marketing departments and R&D departments. o Marketing departments are allowed to access the Internet website but could not use entertainment applications such as online games, instant messaging software, in work day. o R&D departments are not allowed to access the Internet. But managers of R&D departments have Internet access. For Internet users who want to access the public website of this enterprise, they are only allowed to access the servers deployed in DMZ. Xia & Lin Expires January 3, 2018 [Page 18] Internet-Draft Policy Object for I2NSF July 2017 +----------+ | Internet | +----------+ | +--------+ | Router | +--------+ | +-----------------------------------+ | Firewall | +-----------------------------------+ | +-----------------------------------+ +--------+ +-----+ | Core Layer Switch |---| Switch |---| DMZ | +-----------------------------------+ +--------+ +-----+ / \ +-----------------+ +-----------------+ | Aggregation | | Aggregation | | Layer Switch | | Layer Switch | +-----------------+ +-----------------+ / \ / \ +--------------+ +--------------+ +--------------+ +--------------+ | Access Layer | | Access Layer | | Access Layer | | Access Layer | | Switch | | Switch | | Switch | | Switch | +--------------+ +--------------+ +--------------+ +--------------+ | | | | +--------------+ +--------------+ +--------------+ +--------------+ | Marketing | | Marketing | | R&D | | R&D | | Department A | | Department B | | Department A | | Department B | +--------------+ +--------------+ +--------------+ +--------------+ Figure 3: A Typical Architecture of Enterprise Network To set security policy rules for this scenario, the following policy objects should be created. Xia & Lin Expires January 3, 2018 [Page 19] Internet-Draft Policy Object for I2NSF July 2017 +--------------------+----------------------------------------------+ | Policy Object Name | Description | +--------------------+----------------------------------------------+ | Marketing_A | User group object for Marketing Department A | +--------------------+----------------------------------------------+ | Marketing_B | User group object for Marketing Department B | +--------------------+----------------------------------------------+ | R&D_A | User group object for R&D Department A | +--------------------+----------------------------------------------+ | R&D_B | User group object for R&D Department B | +--------------------+----------------------------------------------+ | R&D_Manager | Security group object for managers of R&D | | | Department A and R&D Department B | +--------------------+----------------------------------------------+ | Entertainment_App | Application group object for all recognized | | | entertainment applications | +--------------------+----------------------------------------------+ | Server_Address | Address object for servers in DMZ | +--------------------+----------------------------------------------+ | Web_Service | Service object for HTTP, HTTPS protocols | +--------------------+----------------------------------------------+ | Work_Day | Schedule object for five week days | +--------------------+----------------------------------------------+ B.1. Security Policy Control for Marketing Departments For traffic from marketing departments to Internet, the following policy objects can be used as conditions to filter traffic. +--------------------------------------+--------+ | Policy Objects used in Condition | Action | +--------------------------------------+--------+ | User Group: Marketing_A, Marketing_B | Deny | | Application Group: Entertainment_App | | | Schedule: Work_Day | | +--------------------------------------+--------+ | User Group: Marketing_A, Marketing_B | Permit | | Service: Web_Service | | +--------------------------------------+--------+ B.2. Security Policy Control for R&D Departments For traffic from R&D departments to Internet, the following policy objects can be used as conditions to filter traffic. Xia & Lin Expires January 3, 2018 [Page 20] Internet-Draft Policy Object for I2NSF July 2017 +--------------------------------------+--------+ | Policy Objects used in Condition | Action | +--------------------------------------+--------+ | Security Group: R&D_Manager | Permit | +--------------------------------------+--------+ | User Group: R&D_A, R&D_B | Deny | +--------------------------------------+--------+ B.3. Security Policy Control for Server Access of Internet Users For traffic from Internet to web servers deployed in DMZ, the following policy objects can be used as conditions to filter traffic. +--------------------------------------+--------+ | Policy Objects used in Condition | Action | +--------------------------------------+--------+ | Address: Server_Address | Permit | +--------------------------------------+--------+ Authors' Addresses Liang Xia Huawei 101 Software Avenue, Yuhuatai District Nanjing, Jiangsu 210012 China Email: Frank.xialiang@huawei.com Qiushi Lin Huawei Huawei Industrial Base Shenzhen, Guangdong 518129 China Email: linqiushi@huawei.com Xia & Lin Expires January 3, 2018 [Page 21]