Virtualized Security

Services
DATASHEET

Nuage Networks Virtualized Security security, visibility, and automation solution.

Services (VSS) is a software-defined
security solution for data centers and wide
area network (WAN) environments. It is
Nuage Networks based on the Nuage Networks Virtualized
VSS Highlights Services Platform (VSP) to help address
protection, detection, and operational
End-to-End security
security challenges in cloud environments
across enterprise
driven by emerging security threats and
minimizes risks
multi-tenancy. VSS is the industry’s first
- Security spanning
distributed, end-to-end (cloud, datacenter,
branch, datacenter
and branch) software-defined network
and cloud
VSS extends Nuage Networks VSP, a
software-defined networking (SDN)
platform, with value-added security
capabilities that provide contextual traffic
visibility and security monitoring, as well as
dynamic security automation for rapid
incident response. VSS delivers these
features in addition to inherent VSP
capabilities to provide secure
microsegmentation, policy automation,
and policy enforcement.

Unified policy and

visibility provides
better security and
manageability
- Security across
branch containers,
multi-hypervisor VMs
and bare-metal
Dynamic security
automation enables
faster response to
mitigate threats
- Automates policy
action in the network
based on analytics
Security needs to evolve with SD-WAN
Existing security models cannot effectively address the new security requirements driven by
move to cloud and the evolving threat landscape.
First, due to SD-WAN allowing the use of broadband internet as a transport mechanism, the
internet, which is traditionally not a guaranteed secured link, the access to it needs to be
made secure.
Second, current protection model in Enterprise branch is basic and not enough to secure
local internet breakout to cloud as all traffic is steered over MPLS to DC sites where security
is applied. Also, there is not much end to end micro-segmentation between branch and
DC/cloud applications across the enterprise.
Third, with the increasing attack sophistication and evolving threat landscape we cannot
assume that all attacks can be prevented by protective controls. Currently there is not much
visibility to branch user traffic. Visibility and security analytics are key to help detect attacks.

7850 Network Services Gateway (Virtualized Security Services) 1

 Lack of sufficient network segmentation inside
the datacenter, as well as between remote branch
sites and datacenters - Current perimeter-centric
approaches to securing datacenters are proving to be
insufficient to prevent new and emerging attacks that
move laterally between workloads within a datacenter. In
addition, a lack of sufficient end-to-end segmentation
across the WAN poses additional security risks where an
attacker can use the branch as an entry point to access
applications and data inside the datacenter.
Location-independent security policies and cloud
mobility - A key requirement for cloud architectures is
that applications and services be completely location
independent, able to migrate freely to the most efficient
resources on any server at any site in the cloud, without
introducing dependencies in the application. Traditional
security approaches cannot easily support location
independent workloads because security policies are
defined by location of security devices or rigid network
topologies. The traditional perimeter-centric network
security model cannot effectively address security and
visibility for east-west traffic inside the datacenter or
traffic from WAN networks.
7850 Network Services Gateway (Virtualized Security Services)
Lack of automation - Current network security
operations are largely manual and device-centric. It can
take weeks to provision or modify security policies,
including configuring network devices, firewalls, and
security protocols for a new application or branch
service. Incident response to suspected or identified
attacks is manual and slow. The lack of automation for
security tasks makes it difficult to deploy new
applications and services on-demand, in minutes, on
the most efficient resources as cloud architectures
strive for.
Lack of visibility of traffic inside the datacenter
and across the WAN - Organizations lack the visibility
and tools to detect advanced security threats across
the datacenter, cloud, and branch networks. Based on a
recent security survey, it takes, on average, several
months from initial compromise to when an attack is
actually detected.
2

Key VSS features
As described above, security concerns
can be a major challenge to cloud-
readiness and the adoption of cloud
architectures. The multi-tenant
nature of cloud on shared or public
cloud resources, coupled with manual
security processes hinder on-demand
deployments and scalability.
VSS supports a three-pronged
security methodology with separate
components and features to address
each step in the security lifecycle:
Prevent security incidents by
minimizing the attack surface with
software-defined
microsegmentation and policy
enforcement across the cloud,
datacenter, and WAN.
Detect security threats and
monitor compliance with
contextual network visibility and
security analytics in real-time.
Respond faster to security
incidents and breaches by
automating remediation processes,
such as quarantining suspicious
applications or engaging deeper
analysis tools.
7850 Network Services Gateway (Virtualized Security Services)
To align with each of these security phases, the three-pronged VSS
architecture comprises VSS Prevent, VSS Detect, and VSS Respond.
VSS Prevent: Segmentation, distributed security policy
enforcement and centralized security policy management
VSS Prevent capabilities enable software-defined, end-to-end network
segmentation. This minimizes the attack surface and prevents the spread of
lateral malware by enabling microsegmentation for any workload (virtual
machines, containers, and bare-metal workloads) within the datacenter, as
well as by controlling user access from branch or WAN locations.
Please note that some the features are licensable as add-ons for VNS as
part of the NSG add-on licenses. Those features have (add-on) next to
their description.
Threat Prevention with IPS/IDS policies can be defined
native IDS/IPS (add-on) - and managed centrally via the GUI
Intrusion Detection System (IDS) or APIs. The signatures are
and Intrusion Prevention System updated dynamically from cloud
(IPS) are important to detect and and applied to NSG.
prevent the known attacks by
recognizing the virus signatures. Statistics and reports are provided
Threat prevention component on intrusion event details and rule
prevents malware from hit count.
penetrating the network,
regardless of application traffic in The IDP reports provide:
which they are hiding. It is • Reports per NSG and per domain
important to note that the • Intrusion attempts over time
IDS/IPS functionality is • Top threats by signature
implemented natively on • Top source IP (attackers)
the NSG. • Top destination IP (targets)
• IDP event details
It uses signatures of known
attacks to match traffic that
passes through the NSG in order
to prevent attacks and these
signatures have been divided into
groups of relevant signatures.
3

L7 Application and SaaS
Control - One of the prime
benefits of SD-WAN is its ability
to allow a direct access for a
branch user to the cloud and
SaaS applications. A good secure
SD-WAN must have the ability to
restrict user access to a specific
application, be able to set
application-based policies and
monitor and log application
usage. For this, it needs to have a
layer-7 DPI engine to recognize
thousands of application types.
Nuage SD-WAN security supports
a powerful Layer-7 DPI that
recognizes thousands of
applications. It also supports
pre-defined SaaS services –
Office365, WebEx, Salesforce,
GitHub, JIRA, Azure, AWS, Google
among others for easy access as
well as monitoring.
7850 Network Services Gateway (Virtualized Security Services)
Threat Prevention (IDP) Reports
Enterprises can define access
rules and policies to allow or deny
traffic to/from the application –
for example the administrator can
define a policy to deny access to
cloud storage app that is not in
the corporate IT’s management
domain. There could be a policy
allowing access to an application
like say, Office365.
Web/URL Filtering (add-on) -
URL filtering restricts branch
user access to inappropriate or
malicious internet content. It
restricts local internet access to
cloud services/whitelisted
websites.
URL filtering also helps mitigate
malware and phishing attacks by
blocking malicious webpages.
URL filtering bases its filtering
policies on a database that
classifies URLs by topic and by
"blocked" or "allowed" status.
URL filtering can block individual
URLs or categories of URLs. By
blacklisting individual URLs, users
can block specific webpages that
are known to be dangerous or
inappropriate. Meanwhile
blocking URL categories allows to
more efficiently restrict the type
of content accessed over their
networks by blocking large
groups of URLs at once instead
of having to list hundreds of
individual URLs.
Within Nuage URL/Web filtering
function, we support 1800+ web
categories and millions of
websites. Each attempt of the
blocked website access is logged
for reporting which can be used
4
 for auditing and compliance.
DPI engine to recognize
thousands of application types.
Nuage SD-WAN security supports
a powerful Layer-7 DPI that
recognizes thousands of
applications. It also supports
pre-defined SaaS services –
Office365, WebEx, Salesforce,
GitHub, JIRA, Azure, AWS, Google
among others for easy access as
well as monitoring.
Software-defined
segmentation & distributed
security policy enforcement
- Within the datacenter, VSS
provides enforcement of
fine-grained, applicationspecific
security policies, also known as
microsegmentation, for any
workload. Microsegmentation
effectively provides a “whitelist”
approach to all traffic within
the cloud network, blocking all
connections between all
applications except those that
are explicitly allowed. This much
more thorough approach to
security policy management has
been called a “Zero Trust” policy
by Forrester Research, and is a
rapidly emerging requirement for
multi-tenant cloud networks
VSS includes a Layer 4
distributed firewall and enforces
Layer 4 stateful Access Control
Lists (ACL), as well as forwarding
and service chaining policies for
re-directing traffic to
advanced security appliances,
such as next generation firewalls
(NGFWs) and intrusion
prevention systems (IPS). Layer 4
ingress/egress ACLs can be
centrally defined based
on flexible groupings of
end-points based on policy
groups in Nuage Networks VSP.
7850 Network Services Gateway (Virtualized Security Services)
Beyond the datacenter, VSS also
provides software defined
end-to-end segmentation and
policy enforcement based on a
common policy model across the
enterprise WAN and datacenters.
Layer 4 stateful ACLs can be
used for better security at the
branch perimeter to restrict user
access to cloud applications. For
example, access to the corporate
network can be restricted to guest
users.
The Nuage Networks Layer 4
distributed firewall, using Layer 4
statefulACLs, has also been
validated by independent PCI
auditors for network
segmentation in a PCI-compliant
environment across datacenter
and branch locations.
Organizations can trust that VSS
can be an effective tool to help
meet compliance requirements in
a payment card environment.
Simplified security
management based on
templates - VSS enables
network security administrators
to simplify security policy
management across multiple
virtual networks and automate
compliance enforcement based
on ACL templates. Security
administrators can centrally
define and manage network-wide
security policies based on a
template defined for specific
applications or tenants.
For example, the network
security team can block the
spread of a new worm or virus
across enterprise networks. This
can be done by making a
template-level ACL change to
block network communication
based on a specific port or
protocol used by the worm or
virus. The resulting policy change
quickly and automatically
propagates to all relevant
application or overlay networks,
as needed.compliance
enforcement based on ACL
templates. Security
administrators can centrally
define and manage network-wide
security policies based on a
template defined for specific
applications or tenants.
Multi-layer security policy
management - The multi-layer
security policy management
capability enables multiple
teams, (such as the network
security and application teams)
to manage different aspects of
the overall security policy.
To ensure compliance, the
network security team can
control network-wide security
policies, while providing
application teams the ability to
specify application-specific
whitelist policies for micro-
segmentation between
application tiers as dictated by
the application design.
This is achieved using an ACL
sandwich, which is composed of
the top, middle,and bottom
layers of ACL entries. Network
security teams can define the top
and bottom layers as a part of
the ACL template to specify all
traffic that shouldnever reach any
of the end-points or deny traffic
that isn’t explicitly allowed by a
matching ACL.
Top and bottom layer ACLs from
the template are combined with
applicationspecific whitelist
policies. ACLs, defined per
domain instance in the middle
layer to form an ACL sandwich,
provide fine-grained policy for
microsegmentation while
ensuring compliance with overall
network security policies.
5
 VSS Detect: Visibility, security monitoring and
analytics (requires VSS license for full functionality
in addition to the Nuage Networks VSP)
VSS Detect provides security operations and auditors with
contextual visibility of traffic flows, near real-time security
alerts, and a dashboard of their virtual network across the
datacenter and WAN.

Contextual flow visualization - For compliance

validation, network security administrators and
auditors can visualize traffic flows with context
(e.g., policy group, and domain), both within the
datacenter as well as between datacenters and
branch networks. In addition, application flow
mapping based on contextual flow visualization
(e.g., Layer 4 protocol/ports information used by
flows between application components or policy
groups) enables auditing and definition of whitelist
security policies for microsegmentation.

Threat Intelligence based on IP Reputation

(add-on) - Threat Intelligence feature enables near
real-time detection of security threats based on
reputation of source or destination public IP
address in the flow records collected by VSS to
known risky public IP addresses based on IP
reputation data. When the Threat Intelligence
feature is enabled, VSS uses a periodically updated
IP reputation database of high risk IP addresses to
detect communications with the risky IP address
and enriches the flow record information with IP
reputation and additional meta-data (for example,
high risk IP, botnet security category, IP
geo-location data) to provide additional context for
security analytics and threat hunting In addition,
new security events of type “Risky IP Access” are
generated near real-time and stored by VSS in
Elasticsearch security event index.

Threshold Crossing Alerts (TCA) - Generate real

time alerts based on traffic metrics. The metrics
include - Packets in/out, Bytes in/out, Dropped
packets in/out, Anti-spoof packets count, Portscan
port count and port sweep IP count, ACL deny event
count, and Anti-spoof event count.

7850 Network Services Gateway (Virtualized Security Services) 6

 Virtualized network monitoring and security Figure 2. VSS Enterprise ACL Deny vs Time
analytics - Network security and operations teams
can get insight into network security events with 1,000,000

near real-time security alerts, security dashboards, 1,000,000

1,000,000
and reports based on ACL allow/deny hits and 1,000,000

security events, as well as traffic analytics. 1,000,000

1,000,000
Examples of security reports include: 1,000,000
- ACL deny/allow count vs. time within a domain or 1,000,000

the entire enterprise 1,000,000

1,000,000
-View security events (e.g, ACL deny event, port
09 AM 12 PM 03 PM 06 PM 05 PM Wed 28 03AM 06 AM
scan, port sweep, risky IP access, spoofing, IDP
events, TCA alerts) and associated details per
Enterprise and L3/L2 domain

Policy-based mirroring - Policy-based mirroring

enables select traffic that matches an ACL entry to
be mirrored to security analytics/traffic analyzers
for more advanced threat analytics, business
intelligence, or troubleshooting.

Only traffic that matches a defined policy will be

mirrored, so users can be selective about what they
choose to analyze and not overwhelm the system.
For example, users can choose to mirror suspicious
traffic based on anomalous behavior that matches
unusual ingress/egress ACL policies.

Please note that Policy-based mirroring is only

available for VCS and not for VNS.

7850 Network Services Gateway (Virtualized Security Services) 7

VSS Respond: Dynamic Security
Automation (requires VSS license
for full functionality, in addition
to relevant VSP licenses)
VSS Respond enables rapid response to a
security event or an incident by
dynamically automating security policies
and remediation steps to mitigate the
attack in near real-time.
Alarm filtering with deeper
analytics - For example, a
threshold crossing alert can be
defined based on a metric, such
as ACL deny count (at the zone,
policy group, vPort or subnet level).
If the ACL deny count exceeds a
threshold, the end point can be put
into a suspect category and be
more closely monitored by:
- Inserting advanced security
services for traffic from suspicious
end points (e.g., sending traffic to
an NGFW or IPS)
- Mirroring select traffic from such as a SIEM (security incident event
suspicious end points manager) as a part of the incident
response workflow.
Alerts with automated actions can
be defined based on various
metrics at particular vPort/policy VSS solution components
group/zone /subnet levels,
VSS requires the Nuage Networks
including Packets in/out, Bytes
VSP solution, (including the VSD
in/out, Dropped packets in/out,
and VSC SDN controller
Anti-spoof packet count, ACL deny
components). In addition, the
event count, and Anti-spoof
VSS solution requires VRS for
event count.
policy enforcement and flow
visibility in the datacenter or
private clouds, as well as NSG for
Automated quarantine of
branch environment.
affected end points - Another
use case is to quarantine an
infected end-point by dynamically
reassigning the infected end-point
to a quarantine policy group to
enforce a more stringent security
policy and restrict communication
from the quarantined endpoint.
This can be triggered by a security
analysis from an external system

Key features and benefits summary

Category Feature Feature Description Benefits

VSS Layer 4 stateful, Layer 4 ingress/egress ACLs can be
Prevent distributed firewall centrally defined based on flexible
grouping of end points at the Policy
Group, Zone, Subnet levels.
Layer 4 forwarding ACLs can be defined
to selectively steer traffic to re-
direction targets such as NGFW or IPS.
Layer 4 security policies can be
enforced using Nuage VRS as host for
VM, containers as well as bare-metal,
and at branch with the Nuage NSG.
Layer 4 distributed firewall was
validated by independent PCI auditors
for network segmentation in a PCI
compliant environment.
Minimizes attack surface with
microsegmentation and policy
enforcement for east-west traffic
inside the datacenter, as well as
perimeter security in WAN
environments.
Service chaining for advanced
insertion of external security
appliances (e.g., NGFW, IPS) inside
the datacenter, as well as at branch
locations.
Protects bare-metal, virtual
machine, and container workloads
seamlessly.

7850 Network Services Gateway (Virtualized Security Services) 8

Key features and benefits summary (cont.)
Category Feature Feature Description
VSS Threat Prevention Embedded security capability in NSG
Prevent with native IDS/IPS
Uses signatures of known attacks to
match traffic that passes through the
NSG in order to prevent attacks
Signatures have been divided into
different groups that contain relevant
signatures - based on use case -
corresponding groups can be applied.
IDS/IPS policies defined and managed
centrally
Stats/Reports on intrusion event details
and rule hit count
Support targeted for NSG E-20* and
above
Signatures updated dynamically from
cloud and applied to NSG
VSS L7 Application and Restricts branch user access to specific
Prevent SaaS Control applications using L7 DPI
Supports thousands of application
signatures
Visibility and logging of L7 application
information
Supports pre-defined SaaS services –
Office365, Webex, Salesforce, Github,
JIRA, Azure, AWS, Google
VSS Web/URL Filtering URL filtering restricts branch user
Prevent access to inappropriate or malicious
internet content.
URL filtering can block individual URLs
or categories of URLs.
Within Nuage URL/Web filtering
function, we support 1800+ web
categories and thousands of websites.
Each attempt of the blocked website
access is logged for reporting which can
be used for auditing and compliance.
VSS Simplified security Layer 4 stateful security policies
Prevent management (ingress/egress/ forwarding ACLs) can be
based on ACL defined as a part of the template and
templates automatically inherited for any domain
that is instantiated based on
the template.
7850 Network Services Gateway (Virtualized Security Services)
Benefits
IDS/IPS are important to detect and
prevent the known attacks by
recognizing the virus signatures.
Prevents malware from penetrating
the network, regardless of
application traffic in which they are
hiding.
Reputation-managed protection -
IPS subscribes to reputation-based
list of known malicious sites and
domains, that is used to protect the
users.
Fewer Security Incidents – IPS
ensures less disruption
Since IDS/IPS is implemented
natively on NSG, there is no need to
install any external IDS/IPS
appliance.
Enterprises can define access rules
and policies to allow or deny traffic
to/from the application
Define application based security
policies
URL filtering helps mitigate
malware and phishing attacks by
blocking malicious webpages.
Enables network security admin to
automate compliance enforcement.
Admins can centrally define and
automate enforcement of Layer 4
security policies enterprise/tenant-
wide across multiple virtual networks.
9
Key features and benefits summary (cont.)

Category Feature Feature Description Benefits

VSS Multi-layer security Top and bottom ACLs can be defined as Multi-layer security policy
Prevent policy management a part of the template to specify all management capability using ACL
using ACL sandwich traffic that should never reach any of sandwich feature enables multiple
the end points or deny traffic that isn’t teams (network security and
explicitly allowed by a matching application team) to manage different
instance ACL. aspects of security policies.

Top and bottom ACLs are combined
with application-specific whitelist
policies/ACLs defined per domain
instance in the middle layer to form an
ACL sandwich that is both fine-grained
policy for microsegmentation and
compliant with overall network
security policy.
It enables network security team to
control network-wide security policies
to ensure compliance while providing
application teams the ability to specify
application-specific whitelist policies
for microsegmentation.

VSS Contextual Visualize traffic flows between groups
Detect flow of end points (policy groups) within a
visualization domain.
Select a flow between policy groups and
get details on flow (src ip/dst ip/src
port/dst port/ proto, bytes/packets) for
each collection time-interval.
Provides contextual visibility to
east-west traffic between VMs,
containers and bare-metal workloads
inside the datacenter, as well as traffic
crossing the branch perimeter to
validate compliance with policy.

Threat Intelligence Reports on access the branch to high Near real time detection of malicious
based on IP risk and medium risk IP address communication between botnet/
Reputation Uses IP reputation data for high / phishing /malware sites and
medium risk IPs that are updated daily branch/DC endpoints.
from cloud
Top branch IPs communicating with
risky IPs in the Internet
IP reputation, security category (e.g.,
botnet/phishing) and geo location for
each flow is enriched by stats collector
and stored in flow index
Security events (event index) generated
for risky IP access

Threshold Crossing Generate real time alerts based on traffic Detect and alert policy violation, port
Alerts (TCA) metrics. The metrics include - Packets scan, port sweep and DoS attacks.
in/out, Bytes in/out, Dropped packets
in/out, Anti-spoof packets count, Portscan
port count and port sweep IP count, ACL
deny event count, and Anti-spoof
event count.

7850 Network Services Gateway (Virtualized Security Services) 10

Key features and benefits summary (cont.)

Category Feature Feature Description Benefits

ACL analytics Reports based on:
and alerts ACL allow/deny hits vs. time
ACL allow/deny hits by destination PG
Top ACLs by # of hits and information
on Flows matching an ACL entry
Monitor and alert on ACL policy
violations for compliance and early
threat detection.

Traffic analytics Reports based on: Enables detection of security attacks

and alerts TCP conn vs. time based on abnormal spike in network
UDP traffic vs. time traffic (e.g., during DDoS attack).
ICMP vs. time
Ability to define alerts based on traffic
metrics (bytes) at G/zone/subnet
/vPort level

Security event Reports based on: Provides a dashboard view into various
analytics Security events by event type (ACL security events happening in the
Deny, TCA alert event) SDN/SD-WAN environment for
Security events details (source, time, compliance monitoring.
type, context).

Policy based Policy based mirroring provides mirroring Enables detection of advanced
mirroring of select allowed traffic matching an security attacks by selectively
(VCS only) ACL entry. mirroring traffic to security analyzer
for traffic that requires full
packet inspection.

7850 Network Services Gateway (Virtualized Security Services) 11

Key features and benefits summary (cont.)

Category Feature Feature Description Benefits

VSS Alerts with Threshold crossing alerts can be
Respond automated defined based on metric (average or
action absolute) exceeding a specific
threshold value over a time period.
An automated action can be associated
on a TCA event to moveor add the end
point/vPort to a new policy group.
Provides contextual visibility to
east-west traffic between VMs,
containers and bare-metal workloads
inside the datacenter, as well as traffic
crossing the branch perimeter to
validate compliance with policy.

Metrics include: Packets in/out, Bytes

in/out, Dropped packets in/out,
Anti-spoof packets count, ACL deny
event count, Port Scan port count, Port
Sweep IP countand Anti-spoof
event count.

APIs to automate Incident response systems can automate Shortens remediation process
incident response quarantine of an infected end point by
using VSP APIs.

VSS licensing
VSS capabilities are enabled with a
feature license on existing VSD, VRS,
and NSG components for software-
defined security across datacenter
and branch deployments.
VSS license per VRS and NSG
enables VRS and NSG to function
as a securityevent and flow data
source, providing near real-time
information on Layer-4 flows, as
well as security events.
VSS license per VSD Analytics
/Stats node enables Layer 4 flow
collection, security analytics, as
well as alerts with automated
policy action.

www.nuagenetworks.net Nuage Networks and the Nuage Networks logo are trademarks of the Nokia group of companies. Nokia is
a registered trademark of Nokia Corporation. Other product and company names mentioned herein may be trademarks or trade
names of their respective owners. © 2020 Nokia.

Document Code: SR2006044711EN (June) CID200839