Nokia Nuage Networks Virtualized Security Services Data Sheet EN
DATASHEET
Location-independent security policies and cloud mobility - A key requirement for cloud architectures is that applications and services be completely location-independent, able to migrate freely to the most efficient resources on any server at any site in the cloud, without introducing dependencies in the application. Traditional security approaches cannot easily support location-independent workloads because security policies are tied to the location of security devices or to rigid network topologies. The traditional perimeter-centric network security model cannot effectively address security and visibility for east-west traffic inside the datacenter or for traffic arriving from WAN networks.

Lack of visibility of traffic inside the datacenter and across the WAN - Organizations lack the visibility and tools to detect advanced security threats across the datacenter, cloud and branch networks. According to a recent security survey, it takes on average several months from initial compromise to the point where an attack is actually detected.
VSS supports a three-pronged security methodology with separate components and features to address each step in the security lifecycle:

Please note that some of the features are licensable as add-ons for VNS as part of the NSG add-on licenses. Those features are marked (add-on) next to their description.
• Prevent security incidents by minimizing the attack surface with software-defined microsegmentation and policy enforcement across the cloud, datacenter and WAN.
• Detect security threats and monitor compliance with contextual network visibility and security analytics in real time.
• Respond faster to security incidents and breaches by automating remediation processes, such as quarantining suspicious applications or engaging deeper analysis tools.

Threat Prevention with native IDS/IPS (add-on) - An Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) detect and prevent known attacks by matching traffic against signatures of those attacks. The threat prevention component stops malware from penetrating the network regardless of the application traffic in which it is hiding. The IDS/IPS functionality is implemented natively on the NSG: it matches the traffic passing through the NSG against signatures of known attacks, and the signatures are divided into groups of related signatures so that the groups relevant to a use case can be applied.

IPS/IDS policies are defined and managed centrally via the GUI or APIs. Signatures are updated dynamically from the cloud and applied to the NSG. Statistics and reports are provided on intrusion event details and rule hit counts. The IDP reports provide:
• Reports per NSG and per domain
• Intrusion attempts over time
• Top threats by signature
• Top source IPs (attackers)
• Top destination IPs (targets)
• IDP event details
L7 Application and SaaS Control - One of the prime benefits of SD-WAN is that it gives branch users direct access to cloud and SaaS applications. A secure SD-WAN must therefore be able to restrict user access to specific applications, set application-based policies, and monitor and log application usage. For this it needs a Layer-7 DPI engine that recognizes thousands of application types. Nuage SD-WAN security includes such a Layer-7 DPI engine and also supports pre-defined SaaS services (Office365, WebEx, Salesforce, GitHub, JIRA, Azure, AWS, Google, among others) for easy access as well as monitoring.

Enterprises can define access rules and policies to allow or deny traffic to and from an application. For example, an administrator can define a policy that denies access to a cloud storage application that is not under corporate IT's management, while a separate policy allows access to an application such as Office365.

Web/URL Filtering (add-on) - URL filtering restricts branch user access to inappropriate or malicious internet content and limits local internet access to cloud services and whitelisted websites. It also helps mitigate malware and phishing attacks by blocking malicious webpages. Filtering policies are based on a database that classifies URLs by topic and by "blocked" or "allowed" status.

URL filtering can block individual URLs or categories of URLs. Blacklisting individual URLs blocks specific webpages known to be dangerous or inappropriate; blocking URL categories restricts the type of content accessed over the network more efficiently, since large groups of URLs are blocked at once instead of having to list hundreds of individual URLs. The Nuage URL/Web filtering function supports 1800+ web categories and millions of websites. Each attempt to access a blocked website is logged for reporting, which can be used for auditing and compliance.
VSS Prevent - Layer 4 stateful, distributed firewall
Capabilities:
• Layer 4 ingress/egress ACLs can be centrally defined based on flexible grouping of end points at the Policy Group, Zone and Subnet levels.
• Layer 4 forwarding ACLs can be defined to selectively steer traffic to redirection targets such as an NGFW or IPS.
• Layer 4 security policies can be enforced using the Nuage VRS as host for VMs, containers and bare-metal workloads, and at the branch with the Nuage NSG.
• The Layer 4 distributed firewall was validated by independent PCI auditors for network segmentation in a PCI-compliant environment.
Benefits:
• Minimizes the attack surface with microsegmentation and policy enforcement for east-west traffic inside the datacenter, as well as perimeter security in WAN environments.
• Service chaining for insertion of external security appliances (e.g., NGFW, IPS) inside the datacenter, as well as at branch locations.
• Protects bare-metal, virtual machine and container workloads seamlessly.
VSS Prevent - Threat Prevention with native IDS/IPS (add-on)
Capabilities:
• Embedded security capability in the NSG.
• Uses signatures of known attacks to match traffic that passes through the NSG in order to prevent attacks.
• Signatures are divided into groups of related signatures based on use case; the corresponding groups can be applied.
• IDS/IPS policies are defined and managed centrally.
• Statistics and reports on intrusion event details and rule hit count.
• Support targeted for NSG E-20* and above.
• Signatures are updated dynamically from the cloud and applied to the NSG.
Benefits:
• IDS/IPS detect and prevent known attacks by recognizing their signatures, and prevent malware from penetrating the network regardless of the application traffic in which it is hiding.
• Reputation-managed protection: the IPS subscribes to a reputation-based list of known malicious sites and domains that is used to protect users.
• Fewer security incidents: the IPS ensures less disruption.
• Since IDS/IPS is implemented natively on the NSG, there is no need to install an external IDS/IPS appliance.
VSS Prevent - L7 Application and SaaS Control
Capabilities:
• Restricts branch user access to specific applications using L7 DPI.
• Supports thousands of application signatures.
• Visibility and logging of L7 application information.
• Supports pre-defined SaaS services: Office365, Webex, Salesforce, Github, JIRA, Azure, AWS, Google.
Benefits:
• Enterprises can define access rules and policies to allow or deny traffic to/from an application.
• Define application-based security policies.
VSS Prevent - Web/URL Filtering (add-on)
Capabilities:
• URL filtering restricts branch user access to inappropriate or malicious internet content.
• Can block individual URLs or categories of URLs.
• The Nuage URL/Web filtering function supports 1800+ web categories and thousands of websites.
• Each attempt to access a blocked website is logged for reporting, which can be used for auditing and compliance.
Benefits:
• Helps mitigate malware and phishing attacks by blocking malicious webpages.
VSS Prevent - Simplified security management based on ACL templates
Capabilities:
• Layer 4 stateful security policies (ingress/egress/forwarding ACLs) can be defined as part of a template and are automatically inherited by any domain instantiated from that template.
Benefits:
• Enables the network security admin to automate compliance enforcement.
• Admins can centrally define and automate enforcement of Layer 4 security policies enterprise- or tenant-wide across multiple virtual networks.
VSS Prevent - Multi-layer security policy management using ACL sandwich
Capabilities:
• Top and bottom ACLs can be defined as part of the template to specify traffic that must never reach any of the end points, and to deny traffic that isn't explicitly allowed by a matching instance ACL.
• Top and bottom ACLs are combined with application-specific whitelist policies/ACLs defined per domain instance in the middle layer, forming an ACL sandwich that provides fine-grained policy for microsegmentation while remaining compliant with the overall network security policy.
Benefits:
• Enables multiple teams (network security and application teams) to manage different aspects of security policy.
• The network security team controls network-wide security policies to ensure compliance, while application teams specify application-specific whitelist policies for microsegmentation.
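The evaluation order that makes the ACL sandwich work is easy to get wrong when reasoning about it in prose, so here is a small model of it. This is an added illustration, not Nuage code: the policy-group names, ports, domain name and the rule structure are made up, and the point is only that a first-match walk of top, then instance, then bottom lets the network security team's template rules override anything the application team whitelists, while the bottom layer denies whatever the whitelist never claimed.

```python
"""ACL sandwich evaluation: top (template) -> instance (per-domain whitelist) -> bottom (template).

Added illustration; not Nuage code. Policy-group names, ports and the domain name are made up.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_pg: str      # policy group of the source end point
    dst_pg: str      # policy group of the destination end point
    proto: str       # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "allow" or "deny"
    src_pg: Optional[str] = None     # None = match any value
    dst_pg: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    note: str = ""

    def matches(self, f: Flow) -> bool:
        return all(
            want is None or want == have
            for want, have in (
                (self.src_pg, f.src_pg),
                (self.dst_pg, f.dst_pg),
                (self.proto, f.proto),
                (self.dst_port, f.dst_port),
            )
        )


# Top layer, owned by the network security team in the domain template:
# traffic that must never reach an end point, whatever the application team allows.
TOP_ACL: List[AclEntry] = [
    AclEntry("deny", dst_pg="PCI-DB", proto="tcp", dst_port=23, note="no telnet to cardholder-data hosts"),
    AclEntry("deny", src_pg="Guest", dst_pg="PCI-DB", note="guest segment never reaches cardholder data"),
]

# Middle layer, owned by the application team for one domain instance: a whitelist.
INSTANCE_ACLS = {
    "shop-prod": [
        AclEntry("allow", src_pg="Web", dst_pg="App", proto="tcp", dst_port=8443),
        AclEntry("allow", src_pg="App", dst_pg="PCI-DB", proto="tcp", dst_port=5432),
        # An application-team allow that conflicts with the top layer never takes effect.
        AclEntry("allow", src_pg="App", dst_pg="PCI-DB", proto="tcp", dst_port=23),
    ],
}

# Bottom layer, also in the template: anything the whitelist did not claim is denied.
BOTTOM_ACL: List[AclEntry] = [AclEntry("deny", note="default deny")]


def evaluate(domain: str, flow: Flow) -> Tuple[str, str]:
    """First match in top -> instance -> bottom order decides.

    Returns (action, layer) so the caller can see which team's policy fired.
    """
    layers = (
        ("top", TOP_ACL),
        ("instance", INSTANCE_ACLS.get(domain, [])),
        ("bottom", BOTTOM_ACL),
    )
    for layer, acl in layers:
        for entry in acl:
            if entry.matches(flow):
                return entry.action, layer
    raise RuntimeError("bottom ACL must contain a catch-all entry")


if __name__ == "__main__":
    for f in (
        Flow("Web", "App", "tcp", 8443),      # whitelisted by the app team
        Flow("App", "PCI-DB", "tcp", 5432),   # whitelisted by the app team
        Flow("App", "PCI-DB", "tcp", 23),     # app team allowed it, top layer wins
        Flow("Web", "PCI-DB", "tcp", 5432),   # nobody allowed it, bottom layer denies
        Flow("Guest", "PCI-DB", "udp", 53),   # top layer denies regardless of port
    ):
        print(f, "->", evaluate("shop-prod", f))
```

Returning the layer that matched, not just the verdict, is what makes the model useful for compliance review: a deny from "top" is a template rule doing its job, while a deny from "bottom" means the application team has not yet whitelisted a flow that is being attempted.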
VSS Detect - Contextual flow visualization
Capabilities:
• Visualize traffic flows between groups of end points (policy groups) within a domain.
• Select a flow between policy groups and get its details (src IP, dst IP, src port, dst port, protocol, bytes, packets) for each collection time interval.
Benefits:
• Provides contextual visibility into east-west traffic between VMs, containers and bare-metal workloads inside the datacenter, as well as traffic crossing the branch perimeter, to validate compliance with policy.
VSS Detect - Threat intelligence based on IP reputation
Capabilities:
• Reports on branch access to high-risk and medium-risk IP addresses.
• Uses IP reputation data for high/medium risk IPs, updated daily from the cloud.
• Top branch IPs communicating with risky IPs on the Internet.
• IP reputation, security category (e.g., botnet/phishing) and geolocation for each flow are added by the stats collector and stored in the flow index.
• Security events (event index) are generated for risky IP access.
Benefits:
• Near-real-time detection of malicious communication between botnet/phishing/malware sites and branch/DC endpoints.
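The enrichment step described above, as an added illustration rather than Nuage code: Layer 4 flow records are joined against a reputation feed to produce flow-index records, the risky ones become event-index records, and a "top branch IPs talking to risky IPs" report is derived from the same data. The reputation feed, the flow records and all field names are constructed sample data and assumptions, not the product's schema.

```python
"""Enriching Layer 4 flow records with IP reputation and deriving security events.

Added illustration; not Nuage code. The reputation feed and flow records below are constructed
sample data, and the field names are assumptions rather than the product's schema.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed stand-in for a daily-refreshed reputation feed: ip -> (risk, category, country).
REPUTATION: Dict[str, Tuple[str, str, str]] = {
    "198.51.100.7": ("high", "botnet", "NL"),
    "203.0.113.44": ("medium", "phishing", "US"),
    "192.0.2.80": ("low", "cdn", "US"),
}

RISKY = {"high", "medium"}   # risk levels that produce a security event

# Constructed Layer 4 flow records, as a stats collector might receive them from a branch NSG.
FLOWS: List[dict] = [
    {"src": "10.1.1.10", "dst": "198.51.100.7", "dport": 6667, "proto": "tcp", "bytes": 4200},
    {"src": "10.1.1.10", "dst": "203.0.113.44", "dport": 443, "proto": "tcp", "bytes": 900},
    {"src": "10.1.1.22", "dst": "192.0.2.80", "dport": 443, "proto": "tcp", "bytes": 120000},
    {"src": "10.1.1.22", "dst": "198.51.100.7", "dport": 6667, "proto": "tcp", "bytes": 380},
    {"src": "10.1.1.31", "dst": "10.1.2.5", "dport": 445, "proto": "tcp", "bytes": 2048},
]


def enrich(flow: dict) -> dict:
    """Return the flow-index record: the flow plus destination reputation, category and geo.

    Destinations absent from the feed (internal hosts, unlisted Internet IPs) get risk "unknown",
    which is deliberately distinct from "low": no evidence is not the same as clean.
    """
    risk, category, geo = REPUTATION.get(flow["dst"], ("unknown", None, None))
    return {**flow, "dst_risk": risk, "dst_category": category, "dst_geo": geo}


def security_events(flows: List[dict]) -> List[dict]:
    """Event-index records: one event per flow whose destination is high or medium risk."""
    return [
        {"type": "risky_ip_access", "src": f["src"], "dst": f["dst"],
         "risk": f["dst_risk"], "category": f["dst_category"], "geo": f["dst_geo"]}
        for f in map(enrich, flows)
        if f["dst_risk"] in RISKY
    ]


def top_branch_ips(flows: List[dict], n: int = 5) -> List[Tuple[str, int]]:
    """Branch end points ranked by the number of distinct risky Internet IPs they contacted."""
    peers: Dict[str, set] = defaultdict(set)
    for f in map(enrich, flows):
        if f["dst_risk"] in RISKY:
            peers[f["src"]].add(f["dst"])
    ranked = sorted(((src, len(d)) for src, d in peers.items()), key=lambda x: (-x[1], x[0]))
    return ranked[:n]


if __name__ == "__main__":
    for e in security_events(FLOWS):
        print("EVENT", e)
    print("top talkers to risky IPs:", top_branch_ips(FLOWS))
```

Ranking by distinct risky peers rather than by bytes matters for the botnet case in the sample data: the beaconing host sends only a few hundred bytes per flow, so a bytes-based "top talker" view would bury it under ordinary CDN traffic.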
VSS Detect - Threshold Crossing Alerts (TCA)
Capabilities:
• Generate real-time alerts based on traffic metrics. The metrics include packets in/out, bytes in/out, dropped packets in/out, anti-spoof packet count, port scan port count and port sweep IP count, ACL deny event count, and anti-spoof event count.
Benefits:
• Detect and alert on policy violations, port scans, port sweeps and DoS attacks.
VSS Detect - ACL analytics and alerts
Capabilities:
• Reports on ACL allow/deny hits vs. time, ACL allow/deny hits by destination policy group, top ACLs by number of hits, and flows matching an ACL entry.
Benefits:
• Monitor and alert on ACL policy violations for compliance and early threat detection.
VSS Detect - Security event analytics
Capabilities:
• Reports on security events by event type (ACL deny, TCA alert event) and on security event details (source, time, type, context).
Benefits:
• Provides a dashboard view of the security events occurring in the SDN/SD-WAN environment for compliance monitoring.
VSS Detect - Policy-based mirroring (VCS only)
Capabilities:
• Mirrors selected allowed traffic matching an ACL entry.
Benefits:
• Enables detection of advanced attacks by selectively mirroring traffic that requires full packet inspection to a security analyzer.
VSS Respond - Alerts with automated action
Capabilities:
• Threshold crossing alerts can be defined based on a metric (average or absolute) exceeding a specific threshold value over a time period.
• An automated action can be associated with a TCA event to move or add the end point/vPort to a new policy group.
Benefits:
• Speeds up response by automating remediation, such as quarantining a suspicious end point by moving it into a restricted policy group as soon as a TCA fires.
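The two TCA rows above (real-time alerts on traffic metrics, and an automated policy-group move when an alert fires) describe one mechanism, so a single added illustration covers both. This is not Nuage code: the metric names, the sample counters and the move_to_pg callback are assumptions standing in for the product's metrics and controller API. It shows the "absolute" versus "average over a window" evaluation, the guard against alerting on a window that has too few samples, and the quarantine move happening only when an alert carries an action.

```python
"""Threshold crossing alerts with an automated policy-group action.

Added illustration; not Nuage code. Metric names, the sample values and the move_to_pg callback
are assumptions standing in for the product's metrics and controller API.
"""
from dataclasses import dataclass, field
from statistics import mean
from typing import Callable, Dict, List, Optional


@dataclass
class Tca:
    metric: str                  # which per-interval counter to watch
    threshold: float
    mode: str                    # "absolute": any sample in the window > threshold
                                 # "average": mean over the window > threshold
    window: int                  # number of collection intervals examined
    action_pg: Optional[str] = None   # policy group the vPort is moved into when the alert fires


@dataclass
class VPort:
    name: str
    policy_group: str
    samples: Dict[str, List[float]] = field(default_factory=dict)   # metric -> one value per interval


def crossed(tca: Tca, values: List[float]) -> bool:
    """Evaluate the most recent `window` samples. Fewer samples than the window: no alert,
    so a freshly attached vPort cannot fire on a single noisy interval."""
    recent = values[-tca.window:]
    if len(recent) < tca.window:
        return False
    if tca.mode == "absolute":
        return max(recent) > tca.threshold
    if tca.mode == "average":
        return mean(recent) > tca.threshold
    raise ValueError(f"unknown TCA mode {tca.mode!r}")


def evaluate(vport: VPort, tcas: List[Tca], move_to_pg: Callable[[VPort, str], None]) -> List[str]:
    """Return the metrics whose TCA fired and run each alert's automated action.

    `move_to_pg` is whatever reassigns the vPort on the controller; here it is injected so the
    logic can be exercised without one."""
    fired: List[str] = []
    for tca in tcas:
        if crossed(tca, vport.samples.get(tca.metric, [])):
            fired.append(tca.metric)
            if tca.action_pg and vport.policy_group != tca.action_pg:
                move_to_pg(vport, tca.action_pg)
    return fired


def local_move(vport: VPort, pg: str) -> None:
    """Hypothetical stand-in for the controller call: just update the in-memory model."""
    vport.policy_group = pg


# Constructed samples for one branch host over five collection intervals.
HOST = VPort("branch-pc-17", "Users", {
    "portscan_port_count": [2, 3, 180, 240, 10],      # burst of distinct destination ports
    "acl_deny_event_count": [4, 5, 6, 5, 4],           # steady low background
    "bytes_out": [1.0e6, 1.2e6, 0.9e6, 1.1e6, 1.0e6],
})

POLICY = [
    Tca("portscan_port_count", threshold=100, mode="absolute", window=3, action_pg="Quarantine"),
    Tca("acl_deny_event_count", threshold=50, mode="average", window=5, action_pg="Quarantine"),
    Tca("bytes_out", threshold=5.0e6, mode="average", window=5),   # alert only, no action
]

if __name__ == "__main__":
    print("fired:", evaluate(HOST, POLICY, local_move))
    print(HOST.name, "now in policy group", HOST.policy_group)
```

Choosing "absolute" for the port-scan counter and "average" for the deny counter reflects the shape of each signal: a scan is a short spike that averaging would smooth away, while a sustained rise in ACL denies is better judged over the whole window so that a single misconfigured retry does not quarantine a host.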
VSS Respond - APIs to automate incident response
Capabilities:
• Incident response systems can automate quarantine of an infected end point by using the VSP APIs.
Benefits:
• Shortens the remediation process.
VSS licensing
VSS capabilities are enabled with a feature license on existing VSD, VRS and NSG components for software-defined security across datacenter and branch deployments.
• A VSS license per VRS and NSG enables the VRS and NSG to function as a security event and flow data source, providing near-real-time information on Layer 4 flows as well as security events.
• A VSS license per VSD Analytics/Stats node enables Layer 4 flow collection, security analytics, and alerts with automated policy action.
www.nuagenetworks.net

Nuage Networks and the Nuage Networks logo are trademarks of the Nokia group of companies. Nokia is a registered trademark of Nokia Corporation. Other product and company names mentioned herein may be trademarks or trade names of their respective owners. © 2020 Nokia.