An Information Model for the Monitoring of Network Security Functions (NSF)
Huawei
frank.xialiang@huawei.com
Huawei
dacheng.zhang@huawei.com
Alibaba Group
anren.wy@alibaba-inc.com
Juniper Networks
rkkumar@juniper.net
Juniper Networks
alohiya@juniper.net
Fraunhofer SIT
henk.birkholz@sit.fraunhofer.de
The NSF-Facing Interface of Network Security Functions (NSFs) exists
between the Service Provider’s management system (or Security
Controller) and the NSFs to enforce security policy provisioning and
network security status monitoring. This document focuses on the
monitoring part of that interface and proposes an information model for it.
According to , the interface
provided by a NSF (e.g., FW, IPS, Anti-DDOS, or Anti-Virus function) to
administrative entities (e.g., NMS, security controller) for configuring
security function in the NSF and monitoring the NSF is referred to as a
“I2NSF NSF-Facing Interface”. The monitoring part of it is meant to
acquire vital information about the NSF via, e.g. notifications, events,
records, counters. The
monitoring of the NSF plays a very important role in the overall
security framework if done in a timely and comprehensive way. The
monitoring information generated by a NSF can very well be an early
indication of malicious activity, or anomalous behavior, or a potential
sign of denial of service attacks.
This draft proposes a comprehensive NSF monitoring information model
that provides visibility into NSFs. This document will not go into the
design details of NSF-Facing Interfaces. Instead, this draft is focused
on specifying the information and illustrating the methods that enable an NSF to provide
the information required in order to be monitored in a scalable and
efficient way via the NSF-Facing Interface. The information
model for monitoring presented in this document is a complement to the
information model for the security policy provisioning part of the
NSF-Facing Interface specified in .
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”,
“SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this
document are to be interpreted as described in .
This document uses the terms defined in .
As mentioned earlier, monitoring plays a very critical role in the
overall security framework. The monitoring of the NSF provides very
valuable information to the security controller in maintaining the
provisioned security posture. Besides this, there are various other
reasons to monitor the NSFs as listed below:
The security administrator can configure a policy that is
triggered when a specific event happens in the NSF or the network.
The security controller would monitor for the specified event and
once it happens, it configures additional security functions as per
the policy.
The events triggered by NSFs as a result of security policy
violation can be used by SIEM to detect any suspicious
activity.
The events and activity logs from NSFs can be used to build
advanced analytics, such as behavioral and predictive analytics, to improve the
security posture.
The security controller can use events from the NSF for
achieving high availability. It can take corrective actions such
as restarting a failed NSF, horizontally scaling the NSF etc.
The events and activity logs from the NSF can aid in debugging
and root cause analysis of an operational issue.
The activity logs from the NSF can be used to build historical
data for operational and business reasons.
In order to maintain a strong security posture, it is not only
necessary to configure NSF security policies but also to continuously
monitor NSFs by consuming the observable information they make available. This enables
security admins to assess what is happening in the network in a timely manner. It is
not possible to block all the internal and external threats based on
static security posture. To achieve this goal, a very dynamic posture with
constant visibility is required. This draft defines a set of information elements
(and their scope) that can be acquired from NSF and can be used as
monitoring information. In essence, these types of monitoring information can be
leveraged to support constant visibility on multiple levels of
granularity and can be consumed by corresponding functions.
Three basic domains about the monitoring of information originating from a
system entity or a NSF are highlighted in this document.
Retention and Emission
Notifications and Events
Unsolicited Poll and Solicited Push
The Alarm Management Framework in defines an Event as “something
that happens which may be of interest. A fault, a change in status, crossing a
threshold, or an external input to the system, for example.” In the I2NSF
domain, I2NSF events are created and the scope of the
Alarm Management Framework Events is still applicable due to its broad
definition. The model presented in this document elaborates on the work-flow of
creating I2NSF events in the context of NSF monitoring and on how initial I2NSF
events are created.
As with I2NSF components, every generic system entity can include a set of
capabilities that creates information about the context,
composition, configuration, state or behavior of that system entity. This
information is intended to be provided to other consumers of information and,
in the scope of this document, to be monitored in an automated
fashion.
Typically, a system entity populates standardized interfaces, such as SNMP,
NETCONF, RESTCONF or CoMI, to provide and emit created information directly via
NSF-Facing Interfaces. Alternatively, the created
information is retained inside the system entity (or hierarchy of system
entities in a composite device) via records or counters that are not exposed
directly via NSF-Facing Interfaces.
Information emitted via standardized interfaces can be consumed by an I2NSF
Agent that includes the capability to consume information not
only via I2NSF Interfaces but also via interfaces complementary to the
standardized interfaces a generic system entity provides.
Information retained on a system entity requires a corresponding I2NSF Agent to
access aggregated records of information, typically in the form of logfiles or
databases. There are ways to aggregate records originating from different system
entities over a network, for example via Syslog or Syslog over TCP. But even
if records are conveyed, the result is the same kind of retention in the form of a
bigger aggregate of records on another system entity.
An I2NSF Agent is required to process fresh records created by
I2NSF Functions in order to provide them to other I2NSF Components via corresponding
I2NSF Interfaces in a timely manner. This process is effectively based on homogenizing functions
that can access and convert specific kinds of records into information that can
be provided and emitted via I2NSF interfaces.
Retained or emitted, the information required to support monitoring processes
has to be processed by an I2NSF Agent at some point in the work-flow. Typical
locations of these I2NSF Agents are:
a system entity that creates the information
a system entity that retains an aggregation of records
an I2NSF Component that includes the capabilities of using standardized
interfaces provided by other system entities that are not I2NSF Components
an I2NSF Component that creates the information
A specific task of I2NSF Agents is to process I2NSF Policy Rules
. Rules are composed of three clauses: Events,
Conditions, and Actions. In consequence, an I2NSF Event is required to trigger
an I2NSF Policy Rule. “An I2NSF Event is defined as any important occurrence in
time of a change in the system being managed, and/or in the environment of the
system being managed.” , which aligns well with the
generic definition of Event from .
The model illustrated in this document introduces a complementary type of
information that can be conveyed—notification.
An occurrence of a change of context, composition, configuration, state or
behavior of a system entity that can be directly or indirectly observed by an
I2NSF Agent and can be used as input for an event-clause in I2NSF Policy Rules.
A notification is similar to an I2NSF Event with the exception that it is
created by a system entity that is not an I2NSF Component and that
its importance is yet to be assessed. Semantically, a notification is not an
I2NSF Event in the context of I2NSF, although they can potentially use the exact
same information or data model. In respect to , a Notification is a
specific subset of events, because they convey information about “something
that happens which may be of interest”.
In consequence, Notifications can contain information with very low expressiveness or
relevance. Hence, additional post-processing functions, such as
aggregation, correlation or simple anomaly detection, might have to be employed
to satisfy a level of expressiveness that is required for an event-clause of an
I2NSF Policy Rule.
It is important to note that the consumer of a notification (the observer)
assesses the importance of a notification and not the producer. The producer can
include metadata in a notification that supports the observer in assessing the
importance (even metadata about severity), but the deciding entity is an I2NSF Agent.
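The post-processing described above can be sketched as follows. This is an added example, not part of the draft: an observer aggregates low-expressiveness ACCESS_DENIED notifications per login_ip_address and raises a single event once a burst is seen. The window, threshold, assigned severity, the event name ACCESS_DENIED_BURST and the sample notifications are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class AccessDeniedObserver:
    """Consumer-side assessment: the observer, not the producer, decides
    when a series of notifications is important enough to become an event."""

    def __init__(self, window=timedelta(seconds=60), threshold=5, severity=2):
        self.window = window          # assumed sliding window
        self.threshold = threshold    # assumed burst size
        self.severity = severity      # assigned by the observer (0 = highest)
        self.seen = defaultdict(deque)   # login_ip_address -> recent observations
        self.reported = set()            # sources with an event already raised

    def observe(self, n):
        """Return an event dict once a burst is detected, otherwise None."""
        if n.get("event_name") != "ACCESS_DENIED":
            return None
        src = n["login_ip_address"]
        now = datetime.fromisoformat(n["time_stamp"])
        seen = self.seen[src]
        seen.append((now, n.get("user"), n.get("severity")))
        # Forget observations that fell out of the sliding window.
        while now - seen[0][0] > self.window:
            seen.popleft()
        if len(seen) < self.threshold:
            self.reported.discard(src)   # burst is over, allow a later event
            return None
        if src in self.reported:
            return None                  # one event per burst, not per packet
        self.reported.add(src)
        return {
            "message_type": "Event",
            "event_name": "ACCESS_DENIED_BURST",   # hypothetical name
            "login_ip_address": src,
            "count": len(seen),
            "users": sorted({u for _, u, _ in seen if u}),
            # Producer metadata is kept as a hint only.
            "producer_severity_hints": sorted(
                {s for _, _, s in seen if s is not None}),
            "severity": self.severity,
        }


def notification(ts, user, ip, name="ACCESS_DENIED", severity=6):
    """Build one constructed sample notification."""
    return {"event_name": name, "time_stamp": ts, "user": user,
            "login_ip_address": ip, "severity": severity}


# Constructed sample input (documentation address ranges).
SAMPLE_NOTIFICATIONS = [
    notification("2024-05-01T10:00:00", "alice", "192.0.2.10"),
    notification("2024-05-01T10:00:05", "bob", "198.51.100.7"),
    notification("2024-05-01T10:00:08", "carol", "192.0.2.10", name="CONFIG_CHANGE"),
    notification("2024-05-01T10:00:10", "admin", "192.0.2.10"),
    notification("2024-05-01T10:00:20", "root", "192.0.2.10"),
    notification("2024-05-01T10:00:30", "alice", "192.0.2.10"),
    notification("2024-05-01T10:00:40", "admin", "192.0.2.10"),  # 5th in 60 s
    notification("2024-05-01T10:00:45", "admin", "192.0.2.10"),  # same burst
    notification("2024-05-01T10:05:00", "alice", "192.0.2.10"),  # isolated
]


def run_observer(notifications):
    """Feed notifications in order and collect the events that were raised."""
    observer = AccessDeniedObserver()
    events = []
    for n in notifications:
        event = observer.observe(n)
        if event is not None:
            events.append(event)
    return events


if __name__ == "__main__":
    for e in run_observer(SAMPLE_NOTIFICATIONS):
        print(e)
```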
The freshness of the monitored information depends on the acquisition method.
Ideally, an I2NSF Agent accesses all relevant information about the I2NSF
Component and emits I2NSF Events to a monitoring NSF in a timely manner. Publication of
events via a pubsub/broker model, peer-2-peer meshes, or statically defined channels
are only a few examples of how a solicited push of I2NSF Events can be
facilitated. The actual mechanism implemented by an I2NSF Component is out of the
scope of this document.
Often, corresponding management interfaces have to be queried in intervals or
on-demand if required by an I2NSF Policy rule. In some cases, a collection of
information has to be conducted via login mechanisms provided by a system
entity. Accessing records of information via this kind of unsolicited poll can
introduce a significant latency in regard to the freshness of the monitored
information. The actual definition of intervals implemented by an I2NSF
Component is also out of scope of this document.
Unlike information emitted via notifications and events, records
do not require immediate attention from an analyst but may be
useful for visibility and retroactive cyber forensics. Depending on the record
format, there are different qualities in regard to structure and detail. Records
are typically stored in logfiles or databases on a system entity or NSF.
Records in the form of logfiles usually include less structure but potentially
more detailed information in regard to changes of a system entity’s
characteristics. In contrast, databases often use stricter schemas or data
models, therefore enforcing a better structure, but inhibit storing information
that does not match those models (‘closed world assumption’). Records can be
continuously processed by I2NSF Agents that act as I2NSF Producer and emit
events via functions specifically tailored to a certain type of record.
Typically, records are information generated by an NSF or system entity about its operational
and informational data, or various changes in system characteristics, such as user activities,
network/traffic status, network activity, etc. They are important for
debugging, auditing and security forensics.
A specific representation of continuous value changes of information
elements that potentially occur in
high frequency. Prominent examples are network interface counters, e.g. PDU amount or
byte amount, drop counters, error counters etc. Counters are useful for debugging and
for visibility into the operational behavior of the NSF. An I2NSF Agent that observes
the progression of counters can act as an I2NSF Producer and emit events in respect
to I2NSF Policy Rules.
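An added example (not part of the draft) of an agent that observes counter progression and acts as a producer: it turns two interface counters from the interface counter list of this document into an event when the inbound drop ratio between two samples is high, and re-baselines when a counter reset is detected. The 32-bit counter width, the thresholds, the event name IF_IN_DROP_RATIO_HIGH and the samples are assumptions.

```python
def counter_delta(prev, curr, width_bits=32, max_delta=10**9):
    """Increase between two readings of a monotonically increasing counter.

    A single wrap of a width_bits counter is tolerated. None is returned
    when the counter went backwards by more than a wrap can plausibly
    explain, which indicates a reset (for example, the NSF restarted).
    """
    if curr >= prev:
        return curr - prev
    wrapped = curr + (1 << width_bits) - prev
    return wrapped if wrapped <= max_delta else None


class DropRatioWatcher:
    """Emits an event when inbound drops / inbound packets crosses a threshold."""

    def __init__(self, threshold=0.05, min_pkts=1000):
        self.threshold = threshold   # assumed ratio that triggers the event
        self.min_pkts = min_pkts     # ignore intervals with too little traffic
        self.last = {}               # interface_name -> previous sample

    def observe(self, sample):
        name = sample["interface_name"]
        prev = self.last.get(name)
        self.last[name] = sample     # the newest sample is always the baseline
        if prev is None:
            return None
        total = counter_delta(prev["in_total_traffic_pkts"],
                              sample["in_total_traffic_pkts"])
        drops = counter_delta(prev["in_drop_traffic_pkts"],
                              sample["in_drop_traffic_pkts"])
        if total is None or drops is None:
            return None              # reset detected: skip this interval
        if total < self.min_pkts:
            return None
        ratio = drops / total
        if ratio < self.threshold:
            return None
        return {
            "message_type": "Event",
            "event_name": "IF_IN_DROP_RATIO_HIGH",   # hypothetical name
            "interface_name": name,
            "drop_ratio": ratio,
            "threshold": self.threshold,
        }


def sample(total, drops, name="eth0"):
    """Build one constructed counter sample."""
    return {"interface_name": name,
            "in_total_traffic_pkts": total,
            "in_drop_traffic_pkts": drops}


# Constructed polling results, one per interval.
SAMPLE_COUNTERS = [
    sample(1000, 10),       # first reading: baseline only
    sample(11000, 110),     # 100 of 10000 dropped (1%)
    sample(21000, 3110),    # 3000 of 10000 dropped (30%)
    sample(500, 5),         # counters went backwards: reset
    sample(10500, 6),       # 1 of 10000 dropped after the reset
]


def run_watcher(samples):
    """Feed samples in order and collect the events that were emitted."""
    watcher = DropRatioWatcher()
    return [e for e in map(watcher.observe, samples) if e is not None]


if __name__ == "__main__":
    for e in run_watcher(SAMPLE_COUNTERS):
        print(e)
```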
As per the use cases of NSF monitoring data, information needs to be conveyed to
various I2NSF Consumers based on requirements imposed by I2NSF Capabilities and
work-flows. There are
multiple aspects to be considered in regard to emission of monitoring
information to
requesting parties as listed below:
Pull-Push Model: A set of data can be pushed by an NSF to the
requesting party or pulled by the requesting party from an NSF. Specific
types of information might need both models at the same time if there are
multiple I2NSF Consumers with varying requirements. In general, any I2NSF Event
including a high severity assessment is considered to be of great importance
and should be processed as soon as possible (push-model). Records, in contrast,
are typically not as critical (pull-model). The I2NSF Architecture does not
mandate a specific scheme for each type of information and is therefore out of
scope of this document.
Pub-Sub Model: In order for an I2NSF Provider to push monitoring
information to multiple appropriate I2NSF Consumers, a subscription can be
maintained by both I2NSF Components. Discovery of available monitoring
information can be supported by an I2NSF Controller that takes on the role
of a broker and therefore includes I2NSF Capabilities that support registration.
Export Frequency: Monitoring information can be emitted immediately
upon generation by a NSF to requesting I2NSF Consumers or can be pushed
periodically. The frequency of exporting the data depends upon its
size and timely usefulness. It is out of the scope of I2NSF and left
to each NSF implementation.
Authentication: There may be a need for authentication between
I2NSF Producer of monitoring information and corresponding I2NSF Consumer
to ensure that critical information remains confidential. Authentication in
the scope of I2NSF can also require a corresponding content authorization.
This may be necessary, for example, if a NSF emits monitoring information to
I2NSF Consumer
outside its administrative domain. The I2NSF Architecture does not mandate when
and how specific authentication has to be implemented.
Data-Transfer Model: Monitoring information can be pushed by an NSF using a
connection-less model that does not require a persistent connection or
streamed over a persistent connection. An appropriate model depends on the
I2NSF Consumer requirements and the semantics of the information to be conveyed.
Data Model and Interaction Model for Data in Motion: There are many
transport mechanisms, such as
IP, UDP, TCP. There are also open source implementations for
specific sets of data such as system counters, e.g. IPFIX or
NetFlow. The I2NSF does not
mandate any specific method for a given data set; it is up to each
implementation.
As explained in the above section, there is a wealth of data
available from the NSF that can be monitored. Firstly, there must be
some general information with each monitoring message sent from an NSF
that helps the consumer identify the metadata of that message, as
listed below:
message_version: Indicates the version of the data format and is a
two-digit decimal numeral starting from 01
message_type: Event, Alert, Alarm, Log, Counter, etc
time_stamp: Indicates the time when the message is generated
vendor_name: The name of the NSF vendor
NSF_name: The name (or IP) of the NSF generating the message
Module_name: The module name outputting the message
Severity: Indicates the level of the logs. There are eight
levels in total, from 0 to 7. The smaller the numeral is, the higher the
severity is.
This section covers the additional information associated with the
system messages. The extended information model is only for the
structured data such as alarm. Any unstructured data is specified with
basic information model only.
[Editors’ note]: This section remains the same as -02 version,
although the classification of the monitoring data has been changed from
-02 version. The new inconsistency will be addressed in next version.
The following information should be included in a Memory
Alarm:
event_name: ‘MEM_USAGE_ALARM’
module_name: Indicates the NSF module responsible for
generating this alarm
usage: specifies the amount of memory used
threshold: The threshold triggering the alarm
severity: The severity of the alarm such as critical, high,
medium, low
message: ‘The memory usage exceeded the threshold’
The following information should be included in a CPU Alarm:
event_name: ‘CPU_USAGE_ALARM’
usage: Specifies the amount of CPU used
threshold: The threshold triggering the event
severity: The severity of the alarm such as critical, high,
medium, low
message: ‘The CPU usage exceeded the threshold’
The following information should be included in a Disk Alarm:
event_name: ‘DISK_USAGE_ALARM’
usage: Specifies the amount of disk space used
threshold: The threshold triggering the event
severity: The severity of the alarm such as critical, high,
medium, low
message: ‘The disk usage exceeded the threshold’
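An added example (not part of the draft) of a consumer-side check that a received message carries the basic information model fields and, for the Memory, CPU and Disk alarms above, the extended fields. It assumes messages arrive as flat dictionaries keyed by the field names of this document and that usage and threshold are numbers in the same unit; the draft defines neither an encoding nor units. The sample messages are constructed.

```python
import re

BASIC_FIELDS = ("message_version", "message_type", "time_stamp",
                "vendor_name", "NSF_name", "Module_name", "Severity")

# Extended fields per alarm, as listed in this document.
USAGE_ALARMS = {
    "MEM_USAGE_ALARM": ("module_name", "usage", "threshold", "severity", "message"),
    "CPU_USAGE_ALARM": ("usage", "threshold", "severity", "message"),
    "DISK_USAGE_ALARM": ("usage", "threshold", "severity", "message"),
}
ALARM_SEVERITIES = {"critical", "high", "medium", "low"}

# "Two-digit decimal numeral starting from 01": 01..99, so "00" and "1" fail.
VERSION_RE = re.compile(r"0[1-9]|[1-9][0-9]")


def is_absent(value):
    """True for a missing or empty field; 0 is a legitimate value."""
    return value is None or value == ""


def is_number(value):
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def validate(msg):
    """Return a list of problems; an empty list means the message is usable."""
    problems = [f"missing basic field: {f}"
                for f in BASIC_FIELDS if is_absent(msg.get(f))]

    version = msg.get("message_version")
    if not is_absent(version) and not (
            isinstance(version, str) and VERSION_RE.fullmatch(version)):
        problems.append("message_version must be two decimal digits starting from 01")

    # Basic-model Severity is numeric, 0 (highest) to 7 (lowest).
    sev = msg.get("Severity")
    if not is_absent(sev) and not (
            isinstance(sev, int) and not isinstance(sev, bool) and 0 <= sev <= 7):
        problems.append("Severity must be an integer from 0 to 7")

    name = msg.get("event_name")
    if name in USAGE_ALARMS:
        for f in USAGE_ALARMS[name]:
            if is_absent(msg.get(f)):
                problems.append(f"{name} missing field: {f}")
        # Extended-model severity is a word, not the numeric Severity above.
        alarm_sev = msg.get("severity")
        if not is_absent(alarm_sev) and alarm_sev not in ALARM_SEVERITIES:
            problems.append(f"{name} severity must be one of critical, high, medium, low")
        usage, threshold = msg.get("usage"), msg.get("threshold")
        if is_number(usage) and is_number(threshold) and usage <= threshold:
            # The alarm claims the threshold was exceeded; reject contradictions.
            problems.append(f"usage {usage} does not exceed threshold {threshold}")
    return problems


# Constructed sample messages.
GOOD = {
    "message_version": "01", "message_type": "Alarm",
    "time_stamp": "2024-05-01T10:00:00", "vendor_name": "ExampleVendor",
    "NSF_name": "fw-1", "Module_name": "sysmon", "Severity": 1,
    "event_name": "MEM_USAGE_ALARM", "module_name": "sysmon",
    "usage": 91, "threshold": 80, "severity": "critical",
    "message": "The memory usage exceeded the threshold",
}
BAD = {k: v for k, v in GOOD.items() if k != "module_name"}
BAD.update({"message_version": "1", "Severity": 9, "usage": 40})

if __name__ == "__main__":
    print(validate(GOOD))
    for problem in validate(BAD):
        print(problem)
```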
The following information should be included in a Hardware
Alarm:
event_name: ‘HW_FAILURE_ALARM’
component_name: Indicates the HW component responsible for
generating this alarm
threshold: The threshold triggering the alarm
severity: The severity of the alarm such as critical, high,
medium, low
message: ‘The HW component has failed or degraded’
The following information should be included in an Interface
Alarm:
event_name: ‘IFNET_STATE_ALARM’
interface_Name: The name of interface
interface_state: ‘UP’, ‘DOWN’, ‘CONGESTED’
threshold: The threshold triggering the event
severity: The severity of the alarm such as critical, high,
medium, low
message: ‘Current interface state’
The following information should be included in this event:
event_name: ‘ACCESS_DENIED’
user: Name of a user
group: Group to which a user belongs
login_ip_address: Login IP address of a user
authentication_mode: User authentication mode. e.g., Local
Authentication, Third-Party Server Authentication,
Authentication Exemption, SSO Authentication
message: ‘access denied’
The following information should be included in this event:
event_name: ‘CONFIG_CHANGE’
user: Name of a user
group: Group to which a user belongs
login_ip_address: Login IP address of a user
authentication_mode: User authentication mode. e.g., Local
Authentication, Third-Party Server Authentication,
Authentication Exemption, SSO Authentication
message: ‘Configuration modified’
Access logs record administrators’ login, logout, and operations
on the device. By analyzing them, security vulnerabilities can be
identified. The following information should be included in an
operation report:
Administrator: Administrator that operates on the device
login_ip_address: IP address used by an administrator to log
in
login_mode: Specifies the mode in which the administrator logs in, e.g.,
root, user
operation_type: The operation type that the administrator
executes, e.g., login, logout, configuration, etc
result: Command execution result
content: Operation performed by an administrator after
login.
Running reports record the device system’s running status, which
is useful for device monitoring. The following information should be
included in a running report:
system_status: The current system’s running status
CPU_usage: Specifies the CPU usage
memory_usage: Specifies the memory usage
disk_usage: Specifies the disk usage
disk_left: Specifies the available disk space left
session_number: Specifies total concurrent sessions
process_number: Specifies total number of system
processes
in_traffic_rate: The total inbound traffic rate in pps
out_traffic_rate: The total outbound traffic rate in pps
in_traffic_speed: The total inbound traffic speed in bps
out_traffic_speed: The total outbound traffic speed in
bps
User activity logs provide visibility into users’ online records
(such as login time, online/lockout duration, and login IP
addresses) and the actions users perform. User activity reports are
helpful to identify exceptions during user login and network access
activities.
user: Name of a user
group: Group to which a user belongs
login_ip_address: Login IP address of a user
authentication_mode: User authentication mode. e.g., Local
Authentication, Third-Party Server Authentication,
Authentication Exemption, SSO Authentication
access_mode: User access mode. e.g., PPP, SVN, LOCAL
online_duration: Online duration
lockout_duration: Lockout duration
type: User activities. e.g., Successful User Login, Failed
Login attempts, User Logout, Successful User Password Change,
Failed User Password Change, User Lockout, User Unlocking,
Unknown
cause: Cause of a failed user activity
Interface counters provide visibility into traffic into and out
of the NSF and into bandwidth usage.
interface_name: Network interface name configured in NSF
in_total_traffic_pkts: Total inbound packets
out_total_traffic_pkts: Total outbound packets
in_total_traffic_bytes: Total inbound bytes
out_total_traffic_bytes: Total outbound bytes
in_drop_traffic_pkts: Total inbound drop packets
out_drop_traffic_pkts: Total outbound drop packets
in_drop_traffic_bytes: Total inbound drop bytes
out_drop_traffic_bytes: Total outbound drop bytes
in_traffic_ave_rate: Inbound traffic average rate in pps
in_traffic_peak_rate: Inbound traffic peak rate in pps
in_traffic_ave_speed: Inbound traffic average speed in
bps
in_traffic_peak_speed: Inbound traffic peak speed in bps
out_traffic_ave_rate: Outbound traffic average rate in
pps
out_traffic_peak_rate: Outbound traffic peak rate in pps
out_traffic_ave_speed: Outbound traffic average speed in
bps
out_traffic_peak_speed: Outbound traffic peak speed in
bps.
The following information should be included in a DDoS Event:
event_name: ‘SEC_EVENT_DDoS’
sub_attack_type: Any one of SYN flood, ACK flood, SYN-ACK
flood, FIN/RST flood, TCP Connection flood, UDP flood, ICMP
flood, HTTPS flood, HTTP flood, DNS query flood, DNS reply
flood, SIP flood, etc.
dst_ip: The IP address of a victim under attack
dst_port: The port numbers that the attack traffic aims
at.
start_time: The time stamp indicating when the attack
started
end_time: The time stamp indicating when the attack ended. If
the attack is still ongoing when sending out the alarm, this
field can be empty.
attack_rate: The PPS of attack traffic
attack_speed: The bps of attack traffic
rule_id: The ID of the rule being triggered
rule_name: The name of the rule being triggered
profile: Security profile that traffic matches.
The following information should be included in a Session Table
Event:
event_name: ‘SESSION_USAGE_HIGH’
current: The number of concurrent sessions
max: The maximum number of sessions that the session table
can support
threshold: The threshold triggering the event
message: ‘The number of session table exceeded the
threshold’
The following information should be included in a Virus
Event:
event_Name: ‘SEC_EVENT_VIRUS’
virus_type: Type of the virus, e.g., trojan, worm, macro
virus
virus_name
dst_ip: The destination IP address of the packet where the
virus is found
src_ip: The source IP address of the packet where the virus
is found
src_port: The source port of the packet where the virus is
found
dst_port: The destination port of the packet where the virus
is found
src_zone: The source security zone of the packet where the
virus is found
dst_zone: The destination security zone of the packet where
the virus is found
file_type: The type of the file in which the virus is
hidden
file_name: The name of the file in which the virus is
hidden
virus_info: The brief introduction of virus
raw_info: The information describing the packet triggering
the event.
rule_id: The ID of the rule being triggered
rule_name: The name of the rule being triggered
profile: Security profile that traffic matches.
The following information should be included in an Intrusion
Event:
event_name: The name of event: ‘SEC_EVENT_Intrusion’
sub_attack_type: Attack type, e.g., brute force, buffer
overflow
src_ip: The source IP address of the packet
dst_ip: The destination IP address of the packet
src_port: The source port number of the packet
dst_port: The destination port number of the packet
src_zone: The source security zone of the packet
dst_zone: The destination security zone of the packet
protocol: The employed transport layer protocol, e.g., TCP,
UDP
app: The employed application layer protocol, e.g., HTTP,
FTP
rule_id: The ID of the rule being triggered
rule_name: The name of the rule being triggered
profile: Security profile that traffic matches
intrusion_info: Simple description of intrusion
raw_info: The information describing the packet triggering
the event.
The following information should be included in a Botnet
Event:
event_name: the name of event: ‘SEC_EVENT_Botnet’
botnet_name: The name of the detected botnet
src_ip: The source IP address of the packet
dst_ip: The destination IP address of the packet
src_port: The source port number of the packet
dst_port: The destination port number of the packet
src_zone: The source security zone of the packet
dst_zone: The destination security zone of the packet
protocol: The employed transport layer protocol, e.g., TCP,
UDP
app: The employed application layer protocol, e.g., HTTP,
FTP
role: The role of the communicating parties within the
botnet:
The packet from the zombie host to the attacker
The packet from the attacker to the zombie host
The packet from the IRC/WEB server to the zombie host
The packet from the zombie host to the IRC/WEB server
The packet from the attacker to the IRC/WEB server
The packet from the IRC/WEB server to the attacker
The packet from the zombie host to the victim
botnet_info: Simple description of Botnet
rule_id: The ID of the rule being triggered
rule_name: The name of the rule being triggered
profile: Security profile that traffic matches
raw_info: The information describing the packet triggering
the event.
The following information should be included in a Web Attack
Alarm:
event_name: the name of event: ‘SEC_EVENT_WebAttack’
sub_attack_type: Concrete web attack type, e.g., SQL
injection, command injection, XSS, CSRF
src_ip: The source IP address of the packet
dst_ip: The destination IP address of the packet
src_port: The source port number of the packet
dst_port: The destination port number of the packet
src_zone: The source security zone of the packet
dst_zone: The destination security zone of the packet
req_method: The request method. For instance, ‘PUT’ or
‘GET’ in HTTP
req_url: Requested URL
url_category: Matched URL category
filtering_type: URL filtering type, e.g., Blacklist,
Whitelist, User-Defined, Predefined, Malicious Category,
Unknown
rule_id: The ID of the rule being triggered
rule_name: The name of the rule being triggered
profile: Security profile that traffic matches.
Besides the fields in a DDoS Alarm, the following information
should be included in DDoS Logs:
attack_type: DDoS
attack_ave_rate: The average pps of the attack traffic within
the recorded time
attack_ave_speed: The average bps of the attack traffic
within the recorded time
attack_pkt_num: The number of attack packets within the recorded
time
attack_src_ip: The source IP addresses of the attack traffic. If
there is a large number of IP addresses, then pick a certain
number of resources according to different rules.
action: Actions against DDoS attacks, e.g., Allow, Alert,
Block, Discard, Declare, Block-ip, Block-service.
Besides the fields in a Virus Alarm, the following information
should be included in Virus Logs:
attack_type: Virus
protocol: The transport layer protocol
app: The name of the application layer protocol
times: The time of detecting the virus
action: The actions dealing with the virus, e.g., alert,
block
os: The OS that the virus will affect, e.g., all, android,
ios, unix, windows
Besides the fields in an Intrusion Alarm, the following
information should be included in Intrusion Logs:
attack_type: Intrusion
times: The number of times intrusions happened in the recorded
time
os: The OS that the intrusion will affect, e.g., all,
android, ios, unix, windows
action: The actions dealing with the intrusions, e.g.,
Allow, Alert, Block, Discard, Declare, Block-ip,
Block-service
attack_rate: The pps of attack traffic
attack_speed: The bps of attack traffic
Besides the fields in a Botnet Alarm, the following information
should be included in Botnet Logs:
attack_type: Botnet
botnet_pkt_num: The number of the packets sent to or from the
detected botnet
action: The actions dealing with the detected packets, e.g.,
Allow, Alert, Block, Discard, Declare, Block-ip, Block-service,
etc
os: The OS that the attack is aiming at, e.g., all, android,
ios, unix, windows, etc.
DPI Logs provide statistics on uploaded and downloaded files and
data, sent and received emails, and alert and block records on
websites. It’s helpful to learn risky user behaviors and why access
to some URLs is blocked or allowed with an alert record.
type: DPI action types. e.g., File Blocking, Data Filtering,
Application Behavior Control
file_name: The file name
file_type: The file type
src_zone: Source security zone of traffic
dst_zone: Destination security zone of traffic
src_region: Source region of the traffic
dst_region: Destination region of the traffic
src_ip: Source IP address of traffic
src_user: User who generates traffic
dst_ip: Destination IP address of traffic
src_port: Source port of traffic
dst_port: Destination port of traffic
protocol: Protocol type of traffic
app: Application type of traffic
policy_id: Security policy id that traffic matches
policy_name: Security policy name that traffic matches
action: Action defined in the file blocking rule, data
filtering rule, or application behavior control rule that
traffic matches.
Vulnerability scanning logs record the victim host and its
related vulnerability information that should be fixed. The
following information should be included in the report:
victim_ip: IP address of the victim host which has
vulnerabilities
vulnerability_id: The vulnerability id
vulnerability_level: The vulnerability level. e.g., high,
middle, low
OS: The operating system of the victim host
service: The service which has the vulnerability in the victim
host
protocol: The protocol type. e.g., TCP, UDP
port: The port number
vulnerability_info: The information about the
vulnerability
fix_suggestion: The fix suggestion to the vulnerability.
Besides the fields in a Web Attack Alarm, the following
information should be included in a Web Attack Report:
attack_type: Web Attack
rsp_code: Response code
req_clientapp: The client application
req_cookies: Cookies
req_host: The domain name of the requested host
raw_info: The information describing the packet triggering
the event.
Firewall counters provide visibility into traffic signatures,
bandwidth usage, and how the configured security and bandwidth
policies have been applied.
src_zone: Source security zone of traffic
dst_zone: Destination security zone of traffic
src_region: Source region of the traffic
dst_region: Destination region of the traffic
src_ip: Source IP address of traffic
src_user: User who generates traffic
dst_ip: Destination IP address of traffic
src_port: Source port of traffic
dst_port: Destination port of traffic
protocol: Protocol type of traffic
app: Application type of traffic
policy_id: Security policy id that traffic matches
policy_name: Security policy name that traffic matches
in_interface: Inbound interface of traffic
out_interface: Outbound interface of traffic
total_traffic: Total traffic volume
in_traffic_ave_rate: Inbound traffic average rate in pps
in_traffic_peak_rate: Inbound traffic peak rate in pps
in_traffic_ave_speed: Inbound traffic average speed in
bps
in_traffic_peak_speed: Inbound traffic peak speed in bps
out_traffic_ave_rate: Outbound traffic average rate in
pps
out_traffic_peak_rate: Outbound traffic peak rate in pps
out_traffic_ave_speed: Outbound traffic average speed in
bps
out_traffic_peak_speed: Outbound traffic peak speed in
bps.
Policy Hit Counters record the security policy that traffic
matches and its hit count. They can be used to check whether policy
configurations are correct.
src_zone: Source security zone of traffic
dst_zone: Destination security zone of traffic
src_region: Source region of the traffic
dst_region: Destination region of the traffic
src_ip: Source IP address of traffic
src_user: User who generates traffic
dst_ip: Destination IP address of traffic
src_port: Source port of traffic
dst_port: Destination port of traffic
protocol: Protocol type of traffic
app: Application type of traffic
policy_id: Security policy id that traffic matches
policy_name: Security policy name that traffic matches
hit_times: The number of times the security policy has matched the
specified traffic.
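The following added example (not part of the draft) shows one way a security controller could use Policy Hit Counter records to check policy configurations. The `configured` mapping, the dict encoding of records, and all sample values are assumptions constructed for illustration.

```python
from collections import Counter

def audit_policy_hits(configured, records):
    """Compare Policy Hit Counter records against the provisioned policy set.

    configured: {policy_id: policy_name} as pushed by the controller (assumed input).
    records: dicts keyed by the field names listed above.
    """
    hits, name_mismatch, malformed = Counter(), set(), 0
    for rec in records:
        pid, n = rec.get("policy_id"), rec.get("hit_times")
        # A counter must be a non-negative integer; reject anything else
        # instead of letting it skew the totals.
        if pid is None or isinstance(n, bool) or not isinstance(n, int) or n < 0:
            malformed += 1
            continue
        hits[pid] += n
        if pid in configured and rec.get("policy_name") != configured[pid]:
            name_mismatch.add(pid)
    return {
        "hits": dict(hits),
        # Provisioned but never matched: shadowed, mis-scoped or obsolete rule.
        "never_hit": sorted(p for p in configured if hits[p] == 0),
        # Reported by the NSF but not provisioned: configuration drift.
        "unknown": sorted(p for p in hits if p not in configured),
        "name_mismatch": sorted(name_mismatch),
        "malformed": malformed,
    }

# Constructed sample data (not from the draft).
CONFIGURED = {10: "allow-web", 20: "allow-dns", 30: "deny-legacy-ftp"}
RECORDS = [
    {"src_zone": "trust", "dst_zone": "dmz", "src_ip": "192.0.2.10",
     "dst_ip": "198.51.100.5", "dst_port": 443, "protocol": "TCP",
     "policy_id": 10, "policy_name": "allow-web", "hit_times": 1520},
    {"src_zone": "trust", "dst_zone": "dmz", "src_ip": "192.0.2.11",
     "dst_ip": "198.51.100.5", "dst_port": 443, "protocol": "TCP",
     "policy_id": 10, "policy_name": "allow-web", "hit_times": 80},
    {"src_zone": "trust", "dst_zone": "untrust", "dst_port": 53,
     "protocol": "UDP", "policy_id": 20, "policy_name": "allow-dns-old",
     "hit_times": 12},
    {"src_zone": "untrust", "dst_zone": "trust", "protocol": "TCP",
     "policy_id": 99, "policy_name": "temp-any-any", "hit_times": 4},
    {"policy_id": 30, "policy_name": "deny-legacy-ftp", "hit_times": -1},
]

if __name__ == "__main__":
    print(audit_policy_hits(CONFIGURED, RECORDS))
```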
This document makes no request of IANA.
Note to RFC Editor: this section may be removed on publication as an
RFC.
The monitoring information of an NSF should be protected by a secure
communication channel to ensure its confidentiality and integrity. On
the other hand, both the NSF and the security controller can be faked, which
leads to undesirable results, i.e., leakage of an NSF’s important
operational information, or a faked NSF sending false information to mislead
the security controller. Mutual authentication is essential to protect
against this kind of attack. The current mainstream security
technologies (i.e., TLS, DTLS, IPsec, X.509 PKI) can be employed
appropriately to provide the above security functions.
In addition, to defend against a DDoS attack caused by a large number of
NSFs sending massive amounts of monitoring information to the security controller,
rate limiting or similar mechanisms should be considered in both the NSF and the
security controller, whether in advance or during the DDoS
attack.
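The following added example (not part of the draft) sketches the controller-side rate limiting mentioned above as a two-level token bucket: one bucket per NSF plus one shared bucket for the aggregate. It assumes `nsf_id` is the identity established by mutual authentication, so the bucket table is bounded by the number of enrolled NSFs; class names, rates and sample events are constructed for illustration.

```python
class TokenBucket:
    def __init__(self, rate, burst, now=0.0):
        self.rate, self.burst = rate, burst
        self.tokens, self.stamp = float(burst), now

    def allow(self, now):
        # Refill for the elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.stamp) * self.rate)
        self.stamp = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

class MonitoringIngress:
    """Admission control for monitoring records arriving at the controller."""
    def __init__(self, per_nsf_rate, per_nsf_burst, total_rate, total_burst):
        self.per = (per_nsf_rate, per_nsf_burst)
        self.total = TokenBucket(total_rate, total_burst)
        self.buckets = {}   # keyed by authenticated NSF identity (assumption)
        self.dropped = {}   # per-NSF drop counts, useful as an alarm input

    def admit(self, nsf_id, now):
        bucket = self.buckets.setdefault(nsf_id, TokenBucket(*self.per, now=now))
        # Per-NSF check first: a flooding NSF is rejected before it can
        # spend tokens from the shared bucket that other NSFs rely on.
        if bucket.allow(now) and self.total.allow(now):
            return True
        self.dropped[nsf_id] = self.dropped.get(nsf_id, 0) + 1
        return False

def replay(ingress, events):
    """events: (time, nsf_id) pairs in time order; returns admitted count per NSF."""
    admitted = {}
    for now, nsf_id in events:
        if ingress.admit(nsf_id, now):
            admitted[nsf_id] = admitted.get(nsf_id, 0) + 1
    return admitted

# Constructed traffic: fw-1 floods at t=0, ips-1 sends a normal trickle.
EVENTS = [(0.0, "fw-1")] * 20 + [(0.0, "ips-1")] * 3 + [(1.0, "fw-1")] * 2

if __name__ == "__main__":
    ingress = MonitoringIngress(10, 5, 100, 50)
    print(replay(ingress, EVENTS), ingress.dropped)
```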