Wikis > Software-Defined Security Services > January 5, 2016 – Meeting Notes

Use Cases: [virtual and physical] / [control and data plane; policy, orchestration, enforcement]

  1. Dynamically capture packets from ToR bare metal switches (vSwitches)
  2. Networks are becoming app aware; at what point do they become data aware?  Need to tag data (ADAPT?) [tags can be applied at any point in ILC] – avoid data aggregation/inference
  3. Encryption – is good but blinds defenders [how to protect confidentiality]
  4. How do we assess/measure the ability of elements on the network to protect CIA of the services they are delivering
  5. Automate security response
  6. Predictive
  7. Common language to define declaratives and policy that can be consumed up and down the stack, physically and virtually
  8. Would like to be able to instantiate an “Internet-facing workload” in my software-defined data center.  Today I operate a physically separate area of the network – separate switches, dedicated top and bottom firewalls, separate racks, servers/ADCs, data telemetry systems, etc.  Much of that is security concerns about accidentally bypassing controls if things are placed too close together, or if physical things are shared by logically separated environments.  I would like the security fabric to deliver the comfort that a virtually isolated environment is just as secure as a physically isolated one.  In my mind that means the ability to validate that connectivity and “service chaining” is constructed as intended and has not been altered/bypassed, and the ability to attest to that in a manner that would satisfy regulators who are used to requesting physical isolation.
  9. Look at it from the perspective of a regulator/auditor
  10. Messaging bus implementation
  11. Don’t look at SDN, look at SD“X” — everything should be software defined
  12. Policy should be bound to the workload — VM, Container, App, Service, micro service
  13. {aspiration} Write security policy in one place [declarative language] and deploy everywhere [see #7]
  14. {reasonable} Provide capabilities for #12 and apply not only on virtual (like Nuage) but also on the physical network
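A sketch of the validation and attestation step asked for in use case #8, added here as an illustration (not code from the meeting or from any product): the intended service chain for an Internet-facing workload is compared against the next-hop state actually observed in the fabric, any skipped control is reported as a bypass, and a canonical digest of the evidence is produced for an auditor. Hop names and the forwarding tables are constructed placeholders.

```python
import hashlib
import json

# Constructed example: the chain an Internet-facing workload is supposed to traverse.
# Hop names are hypothetical placeholders, not taken from any real fabric.
INTENDED_CHAIN = ["edge-fw", "waf", "lb", "web-tier"]

# Constructed observed forwarding state: hop -> next hop the fabric actually uses.
OBSERVED_GOOD = {"ingress": "edge-fw", "edge-fw": "waf", "waf": "lb", "lb": "web-tier"}
# Same fabric after a misconfiguration: edge-fw now forwards straight to lb, skipping the WAF.
OBSERVED_BYPASS = {"ingress": "edge-fw", "edge-fw": "lb", "waf": "lb", "lb": "web-tier"}


def walk_chain(observed, start="ingress", limit=32):
    """Follow next-hop entries from the ingress until the path ends, loops, or hits the limit."""
    path, hop, seen = [], start, set()
    while hop in observed and hop not in seen and len(path) < limit:
        seen.add(hop)
        hop = observed[hop]
        path.append(hop)
    return path


def validate_chain(intended, observed):
    """Return (ok, finding). ok is True only if traffic crosses every intended hop, in order."""
    actual = walk_chain(observed)
    if actual == intended:
        return True, "chain intact"
    missing = [h for h in intended if h not in actual]
    if missing:
        return False, "bypassed: " + ", ".join(missing)
    return False, "reordered or extended: " + " -> ".join(actual)


def attestation_record(intended, observed):
    """Canonical, hashable evidence record: what was expected, what was seen, and the verdict."""
    ok, finding = validate_chain(intended, observed)
    payload = {"intended": intended, "observed": observed, "ok": ok, "finding": finding}
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return {"ok": ok, "finding": finding, "sha256": hashlib.sha256(canonical.encode()).hexdigest()}


if __name__ == "__main__":
    for label, state in (("good", OBSERVED_GOOD), ("bypass", OBSERVED_BYPASS)):
        print(label, attestation_record(INTENDED_CHAIN, state))
```

Re-running the check on every policy or topology change and retaining the records gives the continuous evidence trail that a regulator used to physical isolation would expect.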