Date post: 02-Oct-2021
ETSI TC INT AFI WG 5G PoC 2020 Demo: 8th December 2020

End-to-End Autonomic (Closed-Loop) Security Management & Control for 5G Networks

Towards Standardization of a Generic Framework for Multi-Domain Federated ETSI GANA Knowledge Planes (KPs) for End-to-End Autonomic (Closed-Loop) Security Management & Control for 5G Slices, Networks/Services


Presenters

Tayeb Ben Meriem, PhD: Orange: Senior Standardization Manager & Technical Expert: ETSI TC-INT/AFI WG Chair; ETSI PoC Steering Committee Member; France

Ranganai Chaparadza, PhD: Altran CapGemini Germany: Technical & Standardization Expert & Senior Consultant for Vodafone Consultant; IPv6 Forum; ETSI PoC Steering Committee Member; Germany

Muslim Elkotob, PhD: Vodafone: Technical Expert and Solutions Design Architect & Standardization; Germany

Benoit Radier, PhD: Orange: Standardization & Technical Expert; ETSI PoC Steering Committee Member; France

Eugen Hinz: Check Point Software Technologies GmbH, Germany

Aviv Abramovich: Check Point Software Technologies, Israel

Michael Stichel: Check Point Software Technologies GmbH, Germany

Chris Federico: Check Point Software Technologies, Israel, USA

Javier Padilla: Check Point Software Technologies, Israel, USA

Ryan Darst: Check Point Software Technologies, Israel, USA

2 © ETSI 2012. All rights reserved


Key Messages & Reflections on the Need for Autonomic (Closed-Loop) Security Management & Control in 5G, based on the White Paper No. 6: https://intwiki.etsi.org/images/ETSI_5G_PoC_White_Paper_No_6.pdf

AGENDA Outlook

Opening/Introduction: Tayeb Ben Meriem, Chris Federico/Michael Stichel

Brief Overview of the 5G PoC and ETSI TC INT AFI WG; Business views of the overall 5G PoC: Presenter: Tayeb Ben Meriem, Chris Federico

Agenda Introduction: Presenter: Ranganai Chaparadza

ETSI GANA Framework for Multi-Layer Autonomics, and the Integration of the ETSI GANA Knowledge Plane (KP) with SDN, NFV, Big-Data, OSS/BSS & Other Frameworks/Systems: Presenters: Ranganai, Tayeb, Muslim, Benoit

The Generic Framework for Multi-Domain Federated ETSI GANA Knowledge Planes (KPs) for End-to-End Autonomic (Closed-Loop) Security Management & Control for 5G Slices, Networks/Services: Presenters: Ranganai, Benoit

Summary of the Next Steps to launch Standardization of the Framework in ETSI: Presenters: Ranganai, Tayeb

Capabilities of Check Point Security Components & Functions that enable the Industry to Implement the Framework (in line with the ETSI GANA Framework): Presenters: Chris Federico, Ranganai, Benoit

How Check Point Security Management Platform R80 can be used to implement GANA KPs’ Security Management-DEs: Presenters: Chris Federico, Ranganai

DEMO on Autonomic Security Assurance for Differentiated Security SLAs for 5G Slices, while applying Security-as-a-Service (SaaS) Model for Telcos: Presenters: Muslim, Javier Padilla


Introduction to the ETSI INT AFI WG 5G GANA PoC and Consortium (Open to Join)


ETSI 5G PoC Consortium


[Figure: ETSI AFI PoC Program timeline, 2016 to 2020, with Demo#1, Demo#2, Demo#3 and Demo#4. Panel titles: Autonomic Service Assurance for the IoT (Smart Insurance); Implementing C-SON as an ETSI GANA Knowledge Plane; Programmable Traffic Monitoring Autonomic Service Monitoring; Autonomic Security Management & Control for 5G Networks]


ETSI GANA Multi-Layer Autonomics and the Integration of the ETSI GANA Knowledge Plane (KP) with other systems, e.g. with Orchestrators, SDN Controllers, NFV MANO, and OSS/BSS or Configuration Management Systems


ETSI GANA as a Holistic & Unifying Model for AMC (Autonomic Management & Control) that fuses together the well-established models for AMC: (Reference : ETSI TS 103 195-2)

[Figure labels: Knowledge Plane (D. Clark, MIT); EC-Funded FP7 EFIPSANS, Self-NET, E3, SOCRATES, 4WARD, and other R&D Projects]

Instantiation onto CSPs’ Networks (e.g. 5G Nets)

ETSI GANA Reference Model; Instantiations onto various Networks and Mgmt&Control Architectures


ETSI TS 103 195-2

GANA is a Model for Multi-Layer Autonomics & Multi-Layer AI Models & Algorithms


GANA Multi-Layer Autonomics & AI and ETSI GANA Knowledge Plane (KP) Integration with other Systems


The Generic Framework for Multi-Domain Federated ETSI GANA Knowledge Planes (KPs) for End-to-End Autonomic (Closed-Loop) Security Management & Control for 5G Slices, Networks/Services


Hierarchical Security Management & Control in GANA Framework and Security as a Service (SaaS) Enablers


Security Management DE Programming Standalone Security Functions or Embedded in Network Functions


Federation of GANA Knowledge Planes (KP) for E2E Autonomic (Closed-Loop) Service Assurance of 5G Slices


Federation of GANA Knowledge Planes for E2E Autonomic (Closed-Loop) Service Assurance of 5G Slices


Intra-KP Decision Elements (DEs) Communications and Coordinations


GANA ONIX – Real-Time Security Info/Knowledge Repository as part of ONIX Federated Information Servers

ONIX = Overlay Network for Information Exchange


Federation of Real-Time Security Info/Knowledge Repositories Across Operators (as Multi-Domains)



Example Approach on How to Design a GANA Decision Element (DE) Logic, e.g. based on IBM MAPE-K Model


Correlation Role of a Security-DE in Open / Closed-Loop Autonomic Security Management & Control


Capabilities of Check Point Security Components & Functions that enable the Industry to Implement the Framework (in line with the ETSI GANA Framework)


Implementation of Security Management-DE and Real-Time Repository for Threats Information using the CheckPoint Threat Cloud

Currently the Security-Management-DE is implemented in the ThreatCloud to run in Open-Loop Mode but can be made to run in Closed-Loop Mode.


Security Mgnt-DE of Specific KPs programs the Checkpoint Security Function under its responsibility

Fast Control-Loop Security Management DEs may be implemented in Infra

Check Point Programmability: Option-A: Horizontal Federation of GANA Knowledge Plane (KP) Platforms, and


Check Point Programmability: Option-B: Hierarchical Federation of GANA Knowledge Plane (KP) Platforms,

Security Mgnt-DE of Specific KPs programs its part of Checkpoint Platform


Enablers for Correlation Role of a GANA KP Security-DE in Open / Closed-Loop Autonomic Security Management & Control


Implementing “Fast Control-Loops DEs (GANA Level-3)” Embedment in Security Functions or Appliances


Attack/Threat Detection & Prediction Engine (Module) at NE/NF Level (the module may be powered by AI) and Threat-Info Sharing

The Question of “What Information is the Attack/Threat Detection Module accessing/using for its analytics and output” is to be answered by “Fast Control-Loop Innovators/Implementers”

Hyperscale Architectures and Integrations with GANA Knowledge Plane (KP) Platforms


Interworking of the GANA KP Level Security Management DE and NE/NF Level Security Management DE and ONIX


Detected Attack/Threat Info Dissemination (Federation) within the Same Operator Domain & to Other Collaboration Operator Domains

The standardization of the F-MBTS will describe in full the role that can be played by the F-MBTS

There is a role that can be played by the ThreatCloud Repository in Federation of Knowledge and flexibility to implement Algorithms that run on the Repository to create Knowledge for use by the KPs

Example Scenario

CheckPoint ThreatCloud Capability for Implementing the Realtime Inventory for Security Info/Knowledge can be used for Federation of the Info/Knowledge across Multiple Operators and Multi-Domains


KP Security DEs implementation in a Cloud Environment using the CloudGuard Dome9 Cloud Security Management


How Check Point Security Management Platform R80 can be used to implement GANA KPs’ Security Management-DEs


Check Point Security Management Platform R80 can be used to implement GANA KPs’ Security Management-DEs

Exploring the Features of the Checkpoint Security Management Platform R80 that can be used to implement Security Management-DEs of ETSI GANA Knowledge Planes for specific Network Segments

Real-Time Event Correlation Capabilities of the R80 Management Platform


Considering the diversity of the data sources that can be used and correlated in security policy implementations using the Check Point Security Management R80 Platform, which can be used to implement Security Management-DEs of ETSI GANA Knowledge Planes for specific Network Segments

The R80 Management API of the Check Point Security Management R80 Platform can be used in enhancing it with GANA Security Management-DEs (characterized as AI Models that customize the operations of the Check Point Security Management R80 Platform)


The R80 Management API of the Check Point Security Management R80 Platform that can be used in enhancing it with GANA Security Management-DEs (characterized as AI Models that customize the operations of the Check Point Security Management R80 Platform)


Using the Check Point Platform R80 to implement Security Management-DEs of KPs for specific Network Segments


Demo Part: Autonomic Security Assurance for Differentiated Security SLAs for 5G Slices, while applying Security-as-a-Service (SaaS) Model for Telcos


Drivers for Differentiated Security: SaaS Model by Default for Telcos:

• 5G/Cloud/EdgeCloud scene;

• Single Operator, multiple tenants (users) and user groups (customer classes, differentiated QoS, differentiated subscribed security services)

• Subscribed security services (based on eMBB default-slice): Implying the Concept of "Security Quality of a Slice offered"

• Option (Scenario Use Case) A: Real-time Threat Protection (Security as a Service SaaS granularity and composability; microservices in the form of multimedia flows within eMBB compose/form the overall slice)

Protection Class 0: no security service subscription

Protection Class 1: low security protection: threat detection of DDoS attack on user device

Protection Class 2: medium security protection: threat detection of DDoS attack on user device and infrastructure

Protection Class 3: high security protection: threat detection as in Class 2 SaaS and additionally encryption per segment (MEC, Transport, Core) or/and E2E;

• Option (Scenario Use Case) B: Real-time Self-Protection Against Attacks/Threats (Security Services Mix through KP Federation)

Protection Class 0: no security service subscription

Protection Class 1: low security protection: scope only covering the mobile edge

Protection Class 2: medium security protection: scope covering mobile edge and metro transport/access

Protection Class 3: high security protection: scope covering E2E mobile edge, access, transport and core part of services;

Our Demo Class: Protection Class 4: Protection of Slice User (Consumer) from Infected Documents that can be downloaded or exchanged with Peers


7 December 2020

Use Case Demo Scenario for Autonomic Security Management; Drivers for Differentiated Security: SaaS by Default for 5G Telcos


[Figure: SaaS Vertical Segmentation, showing SaaS Class 1, SaaS Class 2 and SaaS Class 3]

Vertical SaaS Segmentation (across all tiers, MEC through Core):

Class 1 SaaS: DDoS protection on UE

Class 2 SaaS: DDoS protection on UE and Network

Class 3 SaaS: DDoS protection on UE and Network, and Encryption of slice per Tier or/and E2E


[Figure: SaaS Horizontal Segmentation, showing SaaS Class 1, SaaS Class 2 and SaaS Class 3]


Demo: GANA Autonomics in SaaS SLA for “Protection Class” in a 5G Slice: Protection of Slice User/Consumer from Infected Documents that can be downloaded or exchanged with Peers


[Figure: Threat Detection Info Dissemination (Federation) within the Same Operator Domain and to Other Collaboration Operator Domains. Labels: Threat Cache; Domain A (e.g. Orange); Domain B (e.g. Orange/Vodafone); POST new IoC Public Feed; Check Point Management; Enrichment; Phishing resources; 5G eMBB Slice User; Edge cloud; NE/Node Level Security DE (Fast Loop Security Enforcement); Knowledge Plane Security DE; F-MBTS (an F-MBTS Translation Function may be employed)]


Q&A Session

Thank You

Q & A

