MEF 88 Draft Release 1 Application Security for SD-WAN Services

2020 Aug

Summary:

This document specifies the Policy Criteria needed to add Application Security to SD-WAN Services. As such, it is based on the framework specified in MEF 70.1.

Specifically, security functions and related actions are defined, each of which can be applied per Application Flow. These security functions include:

  • Middle-Box Function, which, when enabled, supports the decryption and re-encryption of a TLS-encrypted Application Flow (e.g., HTTPS). This breaks the end-to-end guarantee of TLS; in exchange, the following security functions can be applied to the decrypted Application Flow.
  • IP, Port and Protocol Filtering, which, when enabled, can block a list of IP addresses, protocols and/or port numbers.
  • DNS Protocol Filtering, which, when enabled, can block access to a list of prescribed DNS Servers, applied to DNS protocol traffic over 53/TCP and 53/UDP.
  • Domain Name Filtering, which when enabled, can block access to a list of domains.
  • URL Filtering, which when enabled, can block access to a list of URLs.
  • Malware Detection and Removal, which when enabled, scans objects for malware and can remove the malware.

In addition, key concepts include:

  • Allow List, a list of match criteria entries (IP addresses, domain names, URLs or other IDs) that are allowed
  • Block List, a list of match criteria entries (IP addresses, domain names, URLs or other IDs) that are blocked
  • Quarantine List, a list of match criteria entries (IP addresses, domain names, URLs or other IDs) that are blocked, but can be managed by the Subscriber to move match criteria entries to an Allow List or a Block List
  • Security Event Notification (SEN), which is used to notify the Subscriber and Service Provider personnel, e.g., Security Operations Center (SOC) personnel, of security related events
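The following Python model is an added example; it is not text or code from MEF 88, nor from any MEF member implementation. It shows how the per-Application-Flow security functions and the three list types above could combine in a single policy evaluator that also records Security Event Notifications for the SOC. Everything in it is an assumption made for illustration: the class and function names, the (kind, value) entry format, the precedence Allow List over Block List over Quarantine List (the abstract above states no precedence), and the treatment of the Middle-Box Function as simply whether the URL of an HTTPS flow is visible to URL Filtering.

```python
"""Illustrative per-Application-Flow policy evaluator (added example, not MEF 88 text).
List precedence, entry format and all names are assumptions made for this example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

ALLOW, BLOCK, QUARANTINE = "allow", "block", "quarantine"


@dataclass
class Flow:
    dst_ip: str
    proto: str                      # "tcp" or "udp"
    dst_port: int
    domain: Optional[str] = None    # from a DNS query or TLS SNI, if known
    # Only known for plaintext HTTP, or for HTTPS that the Middle-Box Function decrypted.
    url: Optional[str] = None


@dataclass
class Policy:
    allow_list: list = field(default_factory=list)        # entries: (kind, value)
    block_list: list = field(default_factory=list)
    quarantine_list: list = field(default_factory=list)
    blocked_ports: set = field(default_factory=set)       # (proto, port) pairs
    blocked_dns_servers: list = field(default_factory=list)  # DNS Protocol Filtering
    events: list = field(default_factory=list)            # Security Event Notifications


def entry_matches(entry, flow):
    """Match one (kind, value) list entry against a flow; kind is ip, domain or url."""
    kind, value = entry
    if kind == "ip":
        return ip_address(flow.dst_ip) in ip_network(value, strict=False)
    if kind == "domain":
        return flow.domain is not None and (flow.domain == value or flow.domain.endswith("." + value))
    if kind == "url":
        return flow.url is not None and flow.url.startswith(value)
    raise ValueError(f"unknown entry kind {kind}")


def _sen(policy, flow, function, reason):
    """Record a Security Event Notification (SEN) for the Subscriber and the SOC."""
    policy.events.append({"function": function, "reason": reason,
                          "dst": f"{flow.dst_ip}:{flow.dst_port}/{flow.proto}"})


def evaluate(policy, flow):
    """Return the action for one Application Flow; every non-allow outcome raises a SEN."""
    # IP, Port and Protocol Filtering
    if (flow.proto, flow.dst_port) in policy.blocked_ports:
        _sen(policy, flow, "ip_port_protocol_filtering", "port blocked")
        return BLOCK
    # DNS Protocol Filtering: DNS over 53/TCP or 53/UDP to a listed server
    if flow.dst_port == 53 and flow.proto in ("tcp", "udp"):
        if any(ip_address(flow.dst_ip) in ip_network(s, strict=False) for s in policy.blocked_dns_servers):
            _sen(policy, flow, "dns_protocol_filtering", "DNS server blocked")
            return BLOCK
    # List-based IP, Domain Name and URL Filtering; assumed precedence: allow, block, quarantine
    for action, entries in ((ALLOW, policy.allow_list), (BLOCK, policy.block_list),
                            (QUARANTINE, policy.quarantine_list)):
        hit = next((e for e in entries if entry_matches(e, flow)), None)
        if hit is not None:
            if action != ALLOW:
                _sen(policy, flow, f"{hit[0]}_filtering", f"{action} list entry {hit[1]}")
            return action
    return ALLOW


def release_from_quarantine(policy, entry, to):
    """Subscriber action: move a Quarantine List entry to the Allow List or the Block List."""
    if to not in (ALLOW, BLOCK):
        raise ValueError("quarantined entries move only to the Allow List or the Block List")
    policy.quarantine_list.remove(entry)
    (policy.allow_list if to == ALLOW else policy.block_list).append(entry)


def demo():
    """Constructed sample policy and flows (RFC 5737 documentation addresses)."""
    policy = Policy(
        allow_list=[("domain", "corp.example")],
        block_list=[("ip", "203.0.113.0/24"), ("url", "http://example.test/malware/")],
        quarantine_list=[("domain", "unknown.example")],
        blocked_ports={("tcp", 23)},
        blocked_dns_servers=["198.51.100.53"],
    )
    results = {
        "telnet": evaluate(policy, Flow("192.0.2.10", "tcp", 23)),
        "rogue_dns": evaluate(policy, Flow("198.51.100.53", "udp", 53)),
        "blocked_net": evaluate(policy, Flow("203.0.113.7", "tcp", 443)),
        "allowed": evaluate(policy, Flow("192.0.2.20", "tcp", 443, domain="mail.corp.example")),
        "bad_url": evaluate(policy, Flow("192.0.2.30", "tcp", 80, domain="example.test",
                                         url="http://example.test/malware/x.exe")),
        # Same host over HTTPS without the Middle-Box Function: URL is invisible, so URL Filtering cannot act.
        "hidden_url": evaluate(policy, Flow("192.0.2.30", "tcp", 443, domain="example.test")),
        "quarantined": evaluate(policy, Flow("192.0.2.40", "tcp", 443, domain="unknown.example")),
    }
    release_from_quarantine(policy, ("domain", "unknown.example"), ALLOW)
    results["released"] = evaluate(policy, Flow("192.0.2.40", "tcp", 443, domain="unknown.example"))
    results["events"] = len(policy.events)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "hidden_url" case is the practical consequence of the Middle-Box Function bullet: the same malicious URL that is blocked over plaintext HTTP passes over HTTPS unless the flow is decrypted, so URL Filtering and Malware Detection only cover TLS traffic where the Subscriber has accepted the loss of end-to-end TLS.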

Standards published by MEF are intended for general distribution to the public and may be downloaded from this site and reproduced without charge. Any reproduction of MEF documents shall contain the following statement: "Reproduced with permission of MEF Forum." All rights granted to MEF under applicable copyright laws are expressly reserved. No permission is granted to any recipient or user of MEF publications to modify any of the information contained therein and MEF disclaims all responsibility and liability for such modifications. Most standards are introduced by an overview presentation that gives background and explanations that are in addition to the normative definitions in the standards. Superseded standards are available to MEF members.