Information model for Client-Facing Interface to Security Controller

The security controller's client-facing interfaces would be built using a set of objects, with each object capturing a unique set of information from security admin. The objects may have relationship with other objects to express complete requirement. An information model captures the managed objects and relationship among these. The information model proposed in this draft is in accordance with the client interface requirements as defined in . The explains the difference between information and data model. This draft use those guidlines to define the information model in this draft. A data model, that represents an implementation of this proposed information model in a specific data representation language, will be defined in a separate draft.

Business Support System Command Line Interface Configuration Management Database Used interchangeably with Service Provider Security Controller or management system throughout this document Create, Retrieve, Update, Delete Firewall Graphical User Interface Intrusion Detection System Intrusion Protection System Lightweight Directory Access Protocol Network Security Function, defined by Operation Support System Role Based Access Control Security Information and Event Management Universal Resource Locator Refers to NSF being instantiated on Virtual Machines

The multi-tenancy is an important aspect of any application that enables multiple administrative domains for managing the application resources. An oganization may have multiple tenants or departments such as HR, Finance, Legal, with each tenant having a need to manage its own security policies. There are multiple managed objects that constitute multi-tenancy aspects. This section lists these objects and any relationship among these objects.

This object defines an oragnization boundary for the purpose of policy management. This may vary based on how security controller is deployed and hosted. For example, if an Enterprise host a security controller in their network; the domain in this case could just be the one that reperesents that Enterprise. But if a cloud service provider host managed services, then a domain could represent a single customer of the service provider. The multi-tenancy model should be applicable in all such environments. The domain object SHALL have following infomation: Name of the organization or customer representing this domain Address of the organization or customer Contact information of the organization or customer Date this account was created or last modified Authentication method to be used for this domain. It should be reference to a 'policy-management-auth-method' object

This object defines an entity within an organization that wants to manage its own security posture. The entity could be a department or a division that manages its own security policies due to regulatory compliance or organizational structure. The tenant object SHALL have the following information: Name of the department or division within an organization Date this account was created or last modified This field identifies the domain to which this tenent belongs. This should be reference to a 'policy-domain' object

This object defines a set of permissions assigned to a user in an organization that want to manage its own security posture. It provides a convenient way to assign policy users to a job function or set of permissions within the organization. The role object SHALL have following information: This field identifies the name of the role Date this role was created or last modified This field identifies the access profile for the role. The profile grants or denies access to policy objects. Multiple access profiles can be concatenated together

This object represents a unique identity within an organization. This identity authenticates with the security controller using credentials such as a password or token in order to do policy management. A user may be an individual, system, or application requiring access to security controller. The user object SHALL have following information: Name of the user Date this user was created or last modified User password for basic authentication E-mail address of the user This field identifies whether the user has domain-wide or tenent-wide privileges This field should be reference to either a 'policy-domain' or a 'policy-tenant' object This field should be reference to a 'policy-role' object that defines the specific permissions

This object represents authentication schemes supported by security controller. This object SHALL have following information: This field identifies the name of this object Date this object was created or last modified This field identifies the authentication methods. It could be a password based, token based, certificate based or single sign-on authentication This field indicates whether mutual authentication is mandatory or not This field stores the information about server that validates the token submitted as credentials This field stores the infromation about server that validates certificates submitted as credentials This field stores the infromation about server that validates user credentials

The policy endpoint groups are very important part of building user-construct policy. The security admins could use these objects to represent a logical entity in their business enviroment, where a security policy is to be applied. There are multiple managed objects that constitute policy endpoint groups. This section lists these objects and relationship among these objects.

This object represents information source for the meta-data or tag. The meta-data in a group must be mapped to corresponding contents to enforce a security policy. The meta data source object SHALL have following information: This field identifies the name of this object Date this object was created or last modified This field identifies the Endpoint group type. It can be either a 'User' group or 'App' group or 'Device' group, or 'Location' group based policy This field identifies the information related to the source of the tag such as IP address and UDP/TCP port information This filed identifies the protocol e.g. LDAP, Active Directory, or CMDB This field identifies the credential information needed to access the tag server

This object represents a user group based on either tag or other information. The user-group object SHALL have following information: This field identifies the name of this object Date this object was created or last modified This field identifies whether the user group is based on 'User-tag', 'User-names', or 'IP-addresses' This field should be reference to a 'meta-data-source' object This field is the 'User-tag, or 'User-names', or IP addresses based on the 'Group Type' This field represents the threat level; valid range may be 0 to 9

This object represents a device group based on either tag or other information. The device-group object SHALL have following information: This field identifies the name of this object Date this object was created or last modified This field identifies whether the device group is based on 'Device-tag' or 'Device-names', or IP addresses This field should be reference to a 'meta-data-source' object This field is the 'Device-tag, or 'Device-names', or IP addresses based on the 'Group Type' This field represents the threat level; valid range may be 0 to 9

This object represents an application group based on either tag or other information. The application-group object SHALL have following information: This field identifies the name of this object Date this object was created or last modified This field identifies whether the device group is based on 'App-tag' or 'App-names', or IP addresses This field should be reference to a 'meta-data-source' object This field is the 'Device-tag, or 'Device-names', or IP addresses and port information based on the 'Group Type' This field represents the threat level; valid range may be 0 to 9

This object represents an location group based on either tag or other information. The location-group object SHALL have following information: This field identifies the name of this object Date this object was created or last modified This field identifies whether the location group is based on 'Location-tag' or 'Location-names', or IP addresses This field should be reference to a 'meta-data-source' object This field is the 'Location-tag, or 'Location-names', or IP addresses based on the 'Group Type' This field represents the threat level; valid range may be 0 to 9

The threat prevention plays an important part in the overall security posture by reducing the attack surface. This information could come in the form of threat feeds such as Botnet, GeoIP usually from a third party or external service. There are multiple managed objects that constitute this category. This section lists these objects and relationship among these objects.

This object represents threat feed such as Botnet servers and GeoIP. The threat-feed object SHALL have following information: This field identifies the name of this object Date this object was created or last modified This field identifies whether a feed type is IP address based or URL based. This field identifies the information about the feed provider, it may be an external service or local server This field represents the feed priority level to resolve conflict if there are multiple feed sources; valid range may be 0 to 9

This object represents custom list created for the purpose of defining exception to threat feeds. An organization may want to allow certain exception to threat feeds obtained from a third party The custom-list object SHALL have following information: This field identifies the name of this object Date this object was created or last modified This field identifies whether the list type is IP address based or URL based. This field identifies the attributes of the list property e.g. Blacklist or Whitelist. This field contains the blacklist or whitelist contents such as IP addresses or URL names.

This object represents information needed to detect malware. This information could come from a local server or uploaded periodically from third party. The malware-scan-group object SHALL have following information: This field identifies the name of this object Date this object was created or last modified This field contains information about the server from where signatures can be downloaded periodically as updates become available This field contains list of file types needed to be scanned for the virus This field contains list of malware signatures or hash

This object represents an event map containing security events and threat levels used for dyanmic policy enforcement. The event-map-group object SHALL have following information: This field identifies the name of this object Date this object was created or last modified This contains a list of security events This contains a list of threat levels

Telemetry provides visibility into the network activities which can be tapped for further security analytics e.g. detecting potential vulnerabilities, malicious activities etc.

This object contains information collected for telemetry. The telemetry-data object SHALL have following information: This field identifies the name of this object Date this object was created or last modified This field identifies whether 'Logs' need to be collected This field identifies whether 'Syslogs' need to be collected This field identifies whether 'SNMP traps' and 'SNMP alarms' need to be collected This field identifies whether 'sFlow' data need to be collected This field identifies whether 'NetFlow' data need to be collected This field identifies whether 'Interface' data such as packet bytes and counts need to be collected

This object contains information related to telemetry source. The source would be a NSF element in the network. The telemetry-source object SHALL have following information: This field identifies the name of this object Date this object was created or last modified This field contains type of the NSF telemetry source: "NETWORK-NSF", "FIREWALL-NSF", "IDS-NSF", "IPS-NSF", "PROXY-NSF", "VPN-NSF", "DNS", "ACTIVE-DIRECTORY","IP Reputation Authority", "Web Reputation Authority", "Anti-Malware Sandbox", "Honey Pot", "DHCP", "Other Third Party", "ENDPOINT" This field contains information such as IP address and protocol (UDP or TCP) port number of the NSF providing telemetry data This field contains username and passwod to authenticate with the NSF This field contains time in milliseconds between data collections. For example, value of 5000 means data is streamed to collector every 5 seconds. Value of 0 means data streaming is event-based. This field contains method of collection whether it is PUSH-based or PULL-based This field contains time in seconds the source must send telemetry heartbeat This field contains DSCP value source MUST mark on its generated telemetry packets

This object contains information related to telemetry destination. The destination is usually a collector which is either a part of security controller or external system such as SIEM. The telemetry-destination object SHALL have following information: This field identifies the name of this object Date this object was created or last modified This field contains the state info regarding the collector This field contains the infromation such as IP address and protocol (UDP or TCP) port number for the collector's destination This field contains the username and passwod for the collector This field contains the telemetry data encoding, which could in the form of a schema This field contains streaming telemetry data protocols: whether it is gRPC, protocol buffer over UDP, etc.

In order to enforce a security policy, a policy instance must have complete information such as where and when a policy need to be applied. The policy instantination is done by combining the managed objects described so far and a few others listed below.

This object contains information related to scheduling a policy. The policy could be activated based on a time calendar or security event including threat level changes. The Policy Calendar object SHALL have following information: This field identifies the name of this object Date this object was created or last modified This field identifies whether the policy enforcement is 'ADMIN-ENFORCED' or 'TIME-ENFORCED', or 'EVENT-ENFORCED' This field contains time calendar such as 'BEGIN-TIME' and 'END-TIME' for one time enforcement or recurring time calendar for periodic enforcement This field contains security events and threat map when this policy need to be activated

This object represents actions that a security admin want to perform based on certain traffic class. The action object SHALL have following information: This field identifies the name of this object Date this object was created or last modified This field identifies the action when a policy rule is matched by NSF. The action could be one of 'PERMIT', 'DENY', 'RATE-LIMIT', 'TRAFFIC-CLASS', 'AUTHENTICATE-SESSION', 'IPS, 'APP-FIREWALL' The security admin can also specify additional action if a rule is matched. This could be one of 'LOG', 'SYSLOG', 'SESSION-LOG'

This object represents rules that a security admin want to define in order to express its business objectives through a security policy. The policy-rule object SHALL have following information: This field identifies the name of this object Date this object was created or last modified This field identfies the source of the traffic. This could be reference to either 'Policy Endpoint Group' or 'threat-feed' or 'custom-list' if security admin wants to specify the source otherwise the default is to match all traffic This field identfies the destination of the traffic. This could be reference to either 'Policy Endpoint Group' or 'threat-feed' or 'custom-list' if security admin wants to specify the destination otherwise the default is to match all traffic This field identifies the exception consideration when 'Source' and 'Destination' are matched for a given communication. This should be reference to 'Policy Endpoint Group' object This field identifies the action taken when 'Source' and 'Destination' are matched for a given communication This field identifies the precedence assigned to this rule by security admin. This is helpful in conflict resolution when two or more rules match a given traffic class

This object represents a security policy expressed by security admin that would be taken by security controller and enforced on NSF as per the instructions specfied in policy instance. The policy-instance object SHALL have following information: This field identifies the name of this object Date this object was created or last modified This field contains list of rules. If the rule does not have a user defined precedence, then any conflict must be manually resolved This field specifies when this policy should be scheduled. The policy could be scheduled based on time calendar or event-map This field contanins either the 'Calendar' or 'Event-map' based on 'Schedule type' This field defines the owner of this policy. Only the owner is authrozied to modify the the contents of the policy

This document requires no IANA actions. RFC Editor: Please remove this section before publication.

The authors would like to thank Kunal Modasiya, Prakash T. Sehsadri and Srinivas Nimmagadda from Juniper Networks for helpful discussions.