ETSI TC INT AFI WG 5G PoC 2020 Demo: 8th December 2020
End-to-End Autonomic (Closed-Loop) Security Management & Control for 5G Networks
Towards Standardization of a Generic Framework for Multi-Domain Federated ETSI GANA Knowledge Planes (KPs) for End-to-End Autonomic (Closed-Loop) Security Management &
Control for 5G Slices, Networks/Services
Presenters
Tayeb Ben Meriem, PhD: Orange: Senior Standardization Manager & Technical Expert: ETSI TC-INT/AFI WG Chair; ETSI PoC Steering Committee Member; France
Ranganai Chaparadza, PhD: Altran CapGemini Germany: Technical & Standardization Expert & Senior Consultant for Vodafone Consultant; IPv6 Forum; ETSI PoC Steering Committee Member; Germany
Muslim Elkotob, PhD: Vodafone: Technical Expert and Solutions Design Architect & Standardization; Germany
Benoit Radier, PhD: Orange: Standardization & Technical Expert; ETSI PoC Steering Committee Member; France
Eugen Hinz: Check Point Software Technologies GmbH, Germany
Aviv Abramovich: Check Point Software Technologies, Israel
Michael Stichel: Check Point Software Technologies GmbH, Germany
Chris Federico: Check Point Software Technologies, Israel, USA
Javier Padilla: Check Point Software Technologies, Israel, USA
Ryan Darst: Check Point Software Technologies, Israel, USA
2 © ETSI 2012. All rights reserved
Key Messages & Reflections on the Need for Autonomic (Closed-Loop) Security Management &
Control in 5G, based on the White Paper No.6:https://intwiki.etsi.org/images/ETSI_5G_PoC_White_Paper_No_6.pdf
AGENDA Outlook
Opening/Introduction: Tayeb Ben Meriem, Chris Federico/Michael Stichel
Brief Overview of the 5G PoC and ETSI TC INT AFI WG; Business views of the overall 5G PoC: Presenter: Tayeb Ben Meriem, Chris Federico
Agenda Introduction: Presenter: Ranganai Chaparadza
ETSI GANA Framework for Multi-Layer Autonomics, and the Integration of the ETSI GANA Knowledge Plane (KP) with SDN, NFV, Big-Data, OSS/BSS & Other Frameworks/Systems: Presenters: Ranganai, Tayeb, Muslim, Benoit
The Generic Framework for Multi-Domain Federated ETSI GANA Knowledge Planes (KPs) for End-to-End Autonomic (Closed-Loop) Security Management & Control for 5G Slices, Networks/Services: Presenters: Ranganai, Benoit
Summary of the Next Steps to launch Standardization of the Framework in ETSI: Presenters: Ranganai, Tayeb
Capabilities of Check Point Security Components & Functions that enable the Industry to Implement the Framework (in line with the ETSI GANA Framework): Presenters: Chris Federico, Ranganai, Benoit
How Checkpoint Security Management Platform R80 can be used to implement GANA KPs’ Security Management-DEs: Presenters: Chris Federico, Ranganai
DEMO on Autonomic Security Assurance for Differentiated Security SLAs for 5G Slices, while applying Security-as-a-Service (SaaS) Model for Telcos: Presenters: Muslim, Javier Padilla
Introduction to the ETSI INT AFI WG 5G GANA PoC and Consortium (Open to Join)
ETSI 5G PoC Consortium
[Figure: ETSI AFI PoC Program timeline, 2016 to 2020, showing four demos (Demo#1 to Demo#4): Autonomic Service Assurance for the IoT (Smart Insurance); Implementing C-SON as an ETSI GANA Knowledge Plane; Programmable Traffic Monitoring / Autonomic Service Monitoring; Autonomic Security Management & Control for 5G Networks.]
ETSI GANA Multi-Layer Autonomics and the Integration of the ETSI GANA Knowledge Plane (KP) with other systems, e.g. with Orchestrators, SDN Controllers, NFV MANO, and OSS/BSS or Configuration Management Systems
ETSI GANA as a Holistic & Unifying Model for AMC (Autonomic Management & Control) that fuses together the well-established models for AMC (Reference: ETSI TS 103 195-2)
[Figure: models fused in ETSI GANA: the Knowledge Plane (D. Clark, MIT); the EC-funded FP7 EFIPSANS, Self-NET, E3, SOCRATES, 4WARD and other R&D projects; instantiation onto CSPs’ networks (e.g. 5G nets).]
ETSI GANA Reference Model; Instantiations onto various Networks and Mgmt&Control Architectures
ETSI TS 103 195-2
GANA is a Model for Multi-Layer Autonomics & Multi-Layer AI Models & Algorithms
GANA Multi-Layer Autonomics & AI and ETSI GANA Knowledge Plane (KP) Integration with other Systems
The Generic Framework for Multi-Domain Federated ETSI GANA Knowledge Planes (KPs) for End-to-End Autonomic (Closed-Loop) Security Management & Control for 5G Slices, Networks/Services
Hierarchical Security Management & Control in GANA Framework and Security as a Service (SaaS) Enablers
Security Management DE Programming Standalone Security Functions or Embedded in Network Functions
Federation of GANA Knowledge Planes (KP) for E2E Autonomic (Closed-Loop) Service Assurance of 5G Slices
Federation of GANA Knowledge Planes for E2E Autonomic (Closed-Loop) Service Assurance of 5G Slices
Intra-KP Decision Elements (DEs) Communications and Coordinations
GANA ONIX – Real-Time Security Info/Knowledge Repository as part of ONIX Federated Information Servers
ONIX = Overlay Network for Information Exchange
Federation of Real-Time Security Info/Knowledge Repositories Across Operators (as Multi-Domains)
Example Approach on How to Design a GANA Decision Element (DE) Logic, e.g. based on IBM MAPE-K Model
Correlation Role of a Security-DE in Open / Closed-Loop Autonomic Security Management & Control
Capabilities of Check Point Security Components & Functions that enable the Industry to Implement the Framework (in line with the ETSI GANA Framework)
Implementation of Security Management-DE and Real-Time Repository for Threats Information using the CheckPoint Threat Cloud
Currently the Security-Management-DE is implemented in the ThreatCloud to run in Open-Loop Mode but can be made to run in Closed-Loop Mode.
Security Mgmt-DE of Specific KPs programs the Checkpoint Security Function under its responsibility
Fast Control-Loop Security Management DEs may be implemented in Infra
Check Point Programmability: Option-A: Horizontal Federation of GANA Knowledge Plane (KP) Platforms, and
Check Point Programmability: Option-B: Hierarchical Federation of GANA Knowledge Plane (KP) Platforms,
Security Mgmt-DE of Specific KPs programs its part of Checkpoint Platform
Enablers for Correlation Role of a GANA KP Security-DE in Open / Closed-Loop Autonomic Security Management & Control
Implementing “Fast Control-Loops DEs (GANA Level-3)” Embedment in Security Functions or Appliances
Attack/Threat Detection & Prediction Engine (Module) at NE/NF Level (the module may be powered by AI) and Threat-Info Sharing
The Question of “What Information is the Attack/Threat Detection Module accessing/using for its analytics and output” is to be answered by “Fast Control-Loop Innovators/Implementers”
Hyperscale Architectures and Integrations with GANA Knowledge Plane (KP) Platforms
Interworking of the GANA KP Level Security Management DE and NE/NF Level Security Management DE and ONIX
Detected Attack/Threat Info Dissemination (Federation) within the Same Operator Domain & to Other Collaboration Operator Domains
The standardization of the F-MBTS will describe in full the role that can be played by the F-MBTS.
There is a role that can be played by the ThreatCloud Repository in Federation of Knowledge and flexibility to implement Algorithms that run on the Repository to create Knowledge for use by the KPs.
Example Scenario
CheckPoint ThreatCloud Capability for Implementing the Realtime Inventory for Security Info/Knowledge can be used for Federation of the Info/Knowledge across Multiple Operators and Multi-Domains
KP Security DEs implementation in a Cloud Environment using the CloudGuard Dome9 Cloud Security Management
How Check Point Security Management Platform R80 can be used to implement GANA KPs’ Security Management-DEs
Check Point Security Management Platform R80 can be used to implement GANA KPs’ Security Management-DEs
Exploring the Features of the Checkpoint Security Management Platform R80 that can be used to implement Security Management-DEs of ETSI GANA Knowledge Planes for specific Network Segments
Real-Time Event Correlation Capabilities of the R80 Management Platform
Check Point Security Management Platform R80 can be used to implement GANA KPs’ Security Management-DEs
Considering the Diversity of the Data Sources that can be used and correlated in security policy implementations on the Checkpoint Security Management R80 Platform, which can be used to implement Security Management-DEs of ETSI GANA Knowledge Planes for specific Network Segments
The R80 Management API of the Checkpoint Security Management R80 Platform can be used in enhancing it with GANA Security Management-DEs (characterized as AI Models that customize the operations of the Checkpoint Security Management R80 Platform)
Check Point Security Management Platform R80 can be used to implement GANA KPs’ Security Management-DEs
The R80 Management API of the Checkpoint Security Management R80 Platform can be used to enhance it with GANA Security Management-DEs (characterized as AI Models that customize the operations of the Checkpoint Security Management R80 Platform)
Using the Check Point Platform R80 to implement Security Management-DEs of KPs for specific Network Segments
Demo Part: Autonomic Security Assurance for Differentiated Security SLAs for 5G Slices, while applying Security-as-a-Service (SaaS) Model for Telcos
Drivers for Differentiated Security: SaaS Model by Default for Telcos:
• 5G/Cloud/EdgeCloud scene;
• Single Operator, multiple tenants (users) and user groups (customer classes, differentiated QoS, differentiated subscribed security services)
• Subscribed security services (based on eMBB default-slice): Implying the Concept of “Security Quality of a Slice offered”
• Option (Scenario Use Case) A: Real-time Threat Protection (Security as a Service SaaS granularity and composability; microservices in the form of multimedia flows within eMBB compose/form the overall slice)
Protection Class 0: no security service subscription
Protection Class 1: low security protection: threat detection of DDoS attack on user device
Protection Class 2: medium security protection: threat detection of DDoS attack on user device and infrastructure
Protection Class 3: high security protection: threat detection as in Class 2 SaaS and additionally encryption per segment (MEC, Transport, Core) or/and E2E;
• Option (Scenario Use Case) B: Real-time Self-Protection Against Attacks/Threats (Security Services Mix through KP Federation)
Protection Class 0: no security service subscription
Protection Class 1: low security protection: scope only covering the mobile edge
Protection Class 2: medium security protection: scope covering mobile edge and metro transport/access
Protection Class 3: high security protection: scope covering E2E mobile edge, access, transport and core part of services;
Our Demo Class: Protection Class 4: Protection of Slice User (Consumer) from Infected Documents that can be downloaded or exchanged with Peers
7 December 2020
Use Case Demo Scenario for Autonomic Security Management; Drivers for Differentiated Security: SaaS by Default for 5G Telcos
[Figure: SaaS Vertical Segmentation (across all tiers MEC through Core) for SaaS Classes 1 to 3: Class 1 SaaS: DDoS protection UE; Class 2 SaaS: DDoS protection on UE and Network; Class 3 SaaS: DDoS Protection on UE and Network and Encryption of slice per Tier or/and E2E.]
[Figure: SaaS Horizontal Segmentation across SaaS Classes 1, 2 and 3.]
Demo: GANA Autonomics in SaaS SLA for “Protection Class” in a 5G Slice: Protection of Slice User/Consumer from Infected Documents that can be downloaded or exchanged with Peers
[Figure: demo architecture. Labelled elements: Threat Cache; Domain A (e.g. Orange) and Domain B (e.g. Orange/Vodafone), each with a Knowledge Plane Security DE; POST new IoC / Public Feed; Check Point Management; NE/Node Level Security DE (Fast Loop Security Enforcement); Enrichment; Phishing resources; 5G eMBB Slice User; Edgecloud; F-MBTS Translation Function may be employed.]
Threat Detection Info Dissemination (Federation) within the Same Operator Domain and to Other Collaboration Operator Domains
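As an added example that is not part of the deck or of Check Point's products, the toy model below ties together the Protection Class scheme from the demo slide, the open-loop versus closed-loop mode of a Security-Management-DE, and the federation of detected IoCs through a shared repository (the ONIX / Threat Cache role in the diagram). All class, field and event names are assumptions.

```python
"""Added illustration, not code from the ETSI PoC deck or from Check Point: a toy GANA
Knowledge Plane Security-DE (MAPE-K style) with per-slice Protection Classes (Option B
scopes plus the demo's Class 4) and a federated IoC repository standing in for ONIX /
the Threat Cache. All class, field and event names below are assumptions."""
from dataclasses import dataclass, field

# Option B: network segments covered by each Protection Class (Class 4 = demo class).
E2E = frozenset({"edge", "access", "transport", "core"})
CLASS_SCOPE = {0: frozenset(), 1: frozenset({"edge"}),
               2: frozenset({"edge", "access", "transport"}), 3: E2E, 4: E2E}

@dataclass
class ThreatRepository:
    """Federated IoC store shared across operator domains (ONIX / Threat Cache stand-in)."""
    iocs: dict = field(default_factory=dict)  # ioc -> domain that first reported it

    def post(self, ioc: str, domain: str) -> None:
        self.iocs.setdefault(ioc, domain)

@dataclass
class SecurityDE:
    domain: str
    repo: ThreatRepository
    closed_loop: bool             # False = open-loop: the DE only recommends an action
    slices: dict                  # slice_id -> subscribed Protection Class
    enforced: list = field(default_factory=list)  # rules pushed to NE-level fast-loop DEs

    def handle(self, event: dict) -> dict:
        """event = {'slice', 'segment', 'type', 'ioc'} as reported by an NE/NF-level DE."""
        cls = self.slices.get(event["slice"], 0)                       # Analyze
        covered = event["segment"] in CLASS_SCOPE[cls]
        if event["type"] == "infected_document":
            covered = covered and cls == 4                             # only Class 4 includes this
        if not covered:
            return {"action": "none", "reason": f"class {cls} does not cover this event"}
        self.repo.post(event["ioc"], self.domain)                      # Knowledge: federate IoC
        if not self.closed_loop:                                       # Plan only
            return {"action": "block", "mode": "open-loop"}
        self.enforced.append((event["slice"], event["ioc"]))           # Execute
        return {"action": "block", "mode": "closed-loop"}

    def sync_from_federation(self) -> int:
        """Closed-loop DEs pre-program IoCs first seen in other domains for subscribed slices."""
        if not self.closed_loop:
            return 0
        added = 0
        for ioc, src in self.repo.iocs.items():
            for slice_id, cls in self.slices.items():
                if src != self.domain and cls >= 1 and (slice_id, ioc) not in self.enforced:
                    self.enforced.append((slice_id, ioc))
                    added += 1
        return added
```

A Class 0 or out-of-scope slice yields no action, an open-loop DE only returns the recommended block, and a closed-loop DE both programs its fast-loop DEs and publishes the IoC so that the other domain's DE can pick it up via sync_from_federation.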
Q&A Session
Thank You
Q & A