GSC Global Standards Collaboration GSC#10
28 August – 2 September 2005, Sophia Antipolis, France
ITU-T Security Standardization
Herb Bertine
Chairman ITU-T Study Group 17
Agenda Item: 5.6
GSC10_gtsc3(05)04
2
ITU-T World Telecommunications Standardization Assembly (WTSA)
Resolution 50, Cybersecurity
• Evaluate existing and evolving new Recommendations with respect to their robustness of design and potential for exploitation by malicious parties
• Raise awareness of the need to defend against the threat of cyber attack
Resolution 51, Combating spam
• Report on international initiatives for countering spam
• Member States to take steps within their national legal frameworks to ensure measures are taken to combat spam
Resolution 52, Countering spam by technical means
• Study Groups, in cooperation with other relevant groups, to develop as a matter of urgency technical Recommendations on countering spam
3
ITU-T Study Groups
www.itu.int/ITU-T/studygroups/com17
Study Group 17 is the Lead Study Group for Telecommunication Security (www.itu.int/ITU-T/studygroups/com17/tel-security.html)
• Coordination/prioritization of security efforts
• Development of core security Recommendations
Study Group 2 is responsible for defining the security requirements from the user's point of view
Study Group 4 covers security for network management
Study Group 9 develops security mechanisms for cable distribution systems
Study Group 13 defines the security framework for NGN
Study Group 16 concentrates on the security issues of multimedia applications in next generation networks
4
Awareness
SG 17 maintains a webpage providing an overview of the achievements of ITU-T on security standardization: the security manual and the security compendium:
• catalogue of approved ITU-T Recommendations related to telecommunication security
• extract of ITU-T approved security definitions
• listing of ITU-T security related Questions
www.itu.int/ITU-T/studygroups/com17/tel-security.html
Many ITU-T workshops have security on their agenda (New horizons for security standardization, NGN (in collaboration with IETF), Cybersecurity Symposiums I and II, Home networking and Home services, …)
5
ITU-T Security Manual
December 2003, October 2004
• Basic security architecture and dimensions
• Vulnerabilities, threats and risks
• Security framework requirements
• PKI and privilege management with X.509
• Applications (VoIP, IPCablecom, Fax, Network Management, e-prescriptions)
• Security terminology
• Catalog of ITU-T security-related Recommendations
• List of Study Groups and security-related Questions
www.itu.int/itudoc/itu-t/85097.pdf
www.itu.int/itudoc/itu-t/86435.pdf
7
SG 17 recent achievements
• Security Architecture (X.805), New 2003: for end-to-end communications
• Security Management System (X.1051), New 2004: for risk assessment, identification of assets and implementation characteristics
• Mobile Security (X.1121 and X.1122), New 2004: for mobile end-to-end data communications
• Telebiometric Multimodal Model (X.1081), New 2004: a framework for the specification of security and safety aspects of telebiometrics
• Public Key and Attribute Certificate Frameworks (X.509), Revision 2005: ongoing enhancements as a result of more complex uses and alignment with the IETF
8
SG 16 recent achievements
• Major restructuring of H.235v3 and its annexes into the stand-alone sub-series of Version 4 Recommendations H.235.x
• New H.235.0 (2005) “Security framework for H-series (H.323 and other H.245-based) multimedia systems”: overview of the H.235.x sub-series, common procedures and baseline text
• New H.235.1 (2005) “Baseline Security Profile”: authentication & integrity for H.225.0 signaling using shared secrets
• New H.235.2 (2005) “Signature Security Profile”: authentication & integrity for H.225.0 signaling using X.509 digital certificates and signatures
• New H.235.3 (2005) “Hybrid Security Profile”: authentication & integrity for H.225.0 signaling using an optimized combination of X.509 digital certificates, signatures and shared-secret key management; specification of an optional proxy-based security processor
9
SG 16 recent achievements
• New H.235.4 (2005) “Direct and Selective Routed Call Security”: key management procedures in corporate and interdomain environments to obtain key material for securing H.225.0 call signaling in GK direct-routed/selective-routed scenarios
• New H.235.5 (2005) “Framework for secure authentication in RAS using weak shared secrets”: secured password (using the EKE/SPEKE approach) in combination with Diffie-Hellman key agreement for stronger authentication during H.225.0 signaling
• New H.235.6 (2005) “Voice encryption profile with native H.235/H.245 key management”: key management and encryption mechanisms for RTP
• New H.235.7 (2005) “Usage of the MIKEY Key Management Protocol for the Secure Real Time Transport Protocol (SRTP) within H.235”: usage of MIKEY key management for SRTP
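To make the H.235.5 idea concrete, the following is an added example written for this transcript, not code from H.235.5 or from ITU-T. It shows a SPEKE-style exchange: the weak shared secret (password) is hashed and squared into the Diffie-Hellman generator, the two sides exchange public values, validate them against small-subgroup and degenerate inputs, and confirm the derived key with HMAC, so a wrong password on either side fails key confirmation while an eavesdropper sees only group elements. It assumes a 128-bit safe prime generated at import purely for speed (a deployment would use a standardized safe-prime group), and the names safe_prime, password_generator, Party and run_exchange are this example's own; none of H.235.5's token encodings are reproduced.

```python
"""SPEKE-style password-authenticated Diffie-Hellman, in the spirit of H.235.5.

Added illustration only: message contents are abstracted to Python values and
the modulus is a constructed demo-size safe prime, not a standardized group.
"""
import hashlib
import hmac
import secrets

_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                 53, 59, 61, 67, 71, 73, 79, 83, 89, 97]


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int) -> int:
    """Random safe prime p = 2q + 1 with q prime (demo size; use a standard group in practice)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def password_generator(password: bytes, p: int) -> int:
    """SPEKE: g = H(password)^2 mod p, an element of the prime-order subgroup of squares."""
    g = pow(int.from_bytes(hashlib.sha256(password).digest(), "big") % p, 2, p)
    if g in (0, 1):
        raise ValueError("degenerate generator for this password")  # hash hit 0 or +/-1 mod p
    return g


class Party:
    """One endpoint (e.g. an H.323 endpoint or gatekeeper) holding the password."""

    def __init__(self, name: str, password: bytes, p: int) -> None:
        self.name, self.p, self.q = name, p, (p - 1) // 2
        self.g = password_generator(password, p)
        self.x = 2 + secrets.randbelow(self.q - 2)   # private exponent in [2, q-1]
        self.public = pow(self.g, self.x, p)          # sent to the peer in the clear
        self.key = None

    def receive(self, peer_public: int) -> None:
        """Reject degenerate / small-subgroup values an active attacker could inject, then derive the key."""
        if not 1 < peer_public < self.p - 1:
            raise ValueError("peer value outside (1, p-1)")
        if pow(peer_public, self.q, self.p) != 1:
            raise ValueError("peer value not in the prime-order subgroup")
        shared = pow(peer_public, self.x, self.p)
        self.key = hashlib.sha256(shared.to_bytes((self.p.bit_length() + 7) // 8, "big")).digest()

    def confirm(self, transcript: bytes) -> bytes:
        """Key-confirmation MAC over both public values, bound to this party's name."""
        return hmac.new(self.key, self.name.encode() + transcript, hashlib.sha256).digest()

    def verify(self, peer_name: str, transcript: bytes, tag: bytes) -> bool:
        expected = hmac.new(self.key, peer_name.encode() + transcript, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def run_exchange(pw_a: bytes, pw_b: bytes, p: int) -> bool:
    """Full exchange between two parties; True only if both confirm the same key."""
    alice, bob = Party("alice", pw_a, p), Party("bob", pw_b, p)
    alice.receive(bob.public)
    bob.receive(alice.public)
    n = (p.bit_length() + 7) // 8
    transcript = alice.public.to_bytes(n, "big") + bob.public.to_bytes(n, "big")
    return (bob.verify("alice", transcript, alice.confirm(transcript))
            and alice.verify("bob", transcript, bob.confirm(transcript)))


P = safe_prime(128)   # constructed demo modulus, regenerated on each import

if __name__ == "__main__":
    print("same password:", run_exchange(b"ep1-secret", b"ep1-secret", P))
    print("wrong password:", run_exchange(b"ep1-secret", b"ep1-Secret", P))
```

The point of squaring the hashed password is that every generator lands in the prime-order subgroup, so the subgroup check in receive() also defends against a peer that sends an element of order 2; a mismatched password produces a different generator on one side and therefore a different shared secret, which key confirmation detects instead of silently using.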
10
SG 16 recent achievements
• New H.235.8 (2005) “Key Exchange for SRTP using secure Signalling Channels”: SRTP keying parameter transport over secured signaling channels (IPsec, TLS, CMS)
• New H.235.9 (2005) “Security Gateway Support for H.323”: discovery of H.323 Security Gateways (an SG represents an H.323 NAT/FW ALG) and key management for H.225.0 signaling
11
SG 4 recent achievements: Security of the Management Plane (M.3016-series)
Approved earlier this year (2005), the M.3016 series is viewed as a key aspect of NGN Management; it is included in the NGN Management Roadmap to be issued by the NGNMFG in M.3060 on the Principles of NGN Management
The M.3016 series consists of 5 parts:
• M.3016.0: Overview
• M.3016.1: Requirements
• M.3016.2: Services
• M.3016.3: Mechanisms
• M.3016.4: Profile proforma
The role of M.3016.4 is unique in that it provides a template for other SDOs and forums to indicate for their membership what parts of M.3016 are mandatory or optional
12
Study Group 17 Security Questions, 2005-2008
[Figure: map of the SG 17 security Questions, spanning Telecom Systems and Telecom Systems Users]
Q.4/17 Communications System Security Project: Vision, Project Roadmap, …
Q.5/17 Security Architecture & Frameworks: Architecture, Model, Concepts, Frameworks, etc… (X.800 series, X.805)
Q.6/17 Cyber Security: Vulnerability Information Sharing…, Incident Handling Operations, Security Strategy, Countering SPAM (proposed Q.17/17)
Q.7/17 Security Management: ISMS-T, Incident Management, Risk Assessment Methodology, etc… (X.1051)
Q.8/17 Telebiometrics: Multimodal Model Framework, System Mechanism, Protection Procedure (X.1081)
Q.9/17 Secure Communication Services: Mobile Secure Communications, Home Network Security, Security Web Services (X.1121, X.1122)
13
ITU-T Security work in development
Q.2/17: Directory services, Directory systems, and public-key/attribute certificates
• The Directory: Public-key and attribute certificate frameworks (X.509): the 5th edition entered the Last Call period for approval on 1 August 2005
• Consider new work on an NGN directory protocol
Q.4/17: Communications systems security project
• Security Baseline for Network Operators Project: proposes a security baseline for network operators that will provide meaningful criteria against which each network operator can be assessed if required
Q.5/17: Security architecture and framework
• Applications of ITU-T Rec. X.805, covering the division of the security features between the network/service provider and the user
• Specifying procedures for network security assessment based on the X.805 security architecture
14
ITU-T Security work in development
Q.6/17: Cybersecurity
• X.sno, framework for secure network operations
• X.vds, vulnerability data schema
• X.sds, spyware/deceptive software
• X.silc, security incident life-cycle processes
• X.svlc, security vulnerability life-cycle processes
Q.7/17: Security management
• X.ism-1, code of practice for information security management
• X.ism-2, ISMS requirements specification
• X.1051, amendments/revision
Q.8/17: Telebiometrics
• X.physiol, physiological quantities, their units and letter symbols
• X.tsm-1, general telebiometric system models, protocol and data contents
• X.tsm-2, profile of client verification model on TSM
• X.tpp, guideline on technical and managerial countermeasures for biometric data security
15
ITU-T Security work in development
Telebiometric database
• ITU is constructing a database of safe limit values pertaining to interfaces between telebiometric equipment and humans
• This work is being done in collaboration with ISO TC 12 and IEC TC 25
• We would appreciate the help of PSOs in populating the database
• The telebiometric database will be publicly available on the ITU-T website: www.itu.int/BiometricDB/Home
16
ITU-T Security work in development
Q.9/17: Secure communication services
• X.homesec-1, framework for security technologies for home network
• X.homesec-2, certificate profile for the device in the home network
• X.msec-3, general security value added service (policy) for mobile data communication
• X.msec-4, authentication architecture in mobile end-to-end data communication
• X.crs, correlative reacting system in mobile network
• X.websec-1, based on the OASIS standard SAML, Security Assertion Markup Language
• X.websec-2, based on the OASIS standard XACML, eXtensible Access Control Markup Language
Proposed Q.17/17: Countering SPAM
• X.gcs, guideline on countering SPAM
• X.fcs, technical framework for countering SPAM
• X.tcs, technical means for countering SPAM
17
ITU-T Security work in development
Q.11/4 – Protocols for management interfaces
• Security Management System Requirements (M.xxxx)
Q.15/13 – NGN security
• Ensure that the developed NGN architecture is consistent with established security principles
• Will further process the security-related FGNGN deliverables
18
ITU-T Security work in development
Security Deliverables from NGN Focus Group
Deliverable Title                         Current Draft     Target Date
Security Requirements for NGN Release 1   FGNGN-OD-00132    November 2005
Guidelines for NGN Security               FGNGN-OD-00173    November 2005
Both draft specifications are planned to be moved to SG 13 for processing as new ITU-T Recommendations
19
ITU-T Security work in development
Q.25/16 – Multimedia Security in Next-Generation Networks (NGN-MM-SEC)
Standardizes MM security for H.323 systems and for advanced multimedia (MM) applications including NGN:
• Anti-DDoS countermeasures for multimedia and for the (H.323-based) NAT/FW proxy
• Federated Security Architecture for Internet-based Conferencing (H.FSIC)
• Security for MM-QoS (H.mmqos.security)
• Negotiate security protocols (IPsec or TLS) for H.323 signaling (H.460.spn)
• MM security aspects of Vision H.325 “Next-generation Multimedia Terminals and Systems”
20
Concluding Observations
• Security is everybody's business
• Collaboration with other SDOs is necessary
• Security needs to be designed in upfront
• Security must be an ongoing effort
• Systematically addressing vulnerabilities (intrinsic properties of networks/systems) is key, so that protection can be provided independent of what the threats (which are constantly changing and may be unknown) may be; X.805 is helpful here
Thank you!
22
Additional material on recently approved security Recommendations in Study Group 17
23
Three main issues that X.805 addresses
The security architecture addresses three essential issues:
• What kind of protection is needed and against what threats?
• What are the distinct types of network equipment and facility groupings that need to be protected?
• What are the distinct types of network activities that need to be protected?
X.805
24
X.805: Security Architecture for End-to-End Communications
Vulnerabilities can exist in each Layer, Plane and Dimension: 72 security perspectives (3 Layers × 3 Planes × 8 Dimensions)
[Figure: the X.805 grid; THREATS acting on VULNERABILITIES produce ATTACKS]
Security Layers: Infrastructure Security, Services Security, Applications Security
Security Planes: Management Security, Control/Signaling Security, End User Security
8 Security Dimensions: Access Control, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability, Privacy
Threats: Destruction, Corruption, Removal, Disclosure, Interruption
X.805
25
X.805: Three security layers
• Each Security Layer has unique vulnerabilities and threats
• Infrastructure security enables services security, which enables applications security
[Figure: the three Security Layers; threats (Destruction, Disclosure, Corruption, Removal, Interruption) acting on vulnerabilities produce attacks; vulnerabilities can exist in each layer]
1 - Infrastructure Security Layer:
• Fundamental building blocks of networks, services and applications
• Examples:
– Individual routers, switches, servers
– Point-to-point WAN links
– Ethernet links
2 - Services Security Layer:
• Services provided to end-users
• Examples:
– Frame Relay, ATM, IP
– Cellular, Wi-Fi
– VoIP, QoS, IM, Location services
– Toll free call services
3 - Applications Security Layer:
• Network-based applications accessed by end-users
• Examples:
– Web browsing
– Directory assistance
– Email
– E-commerce
X.805
26
X.805: Three security planes
• Security Planes represent the types of activities that occur on a network
• Each Security Plane is applied to every Security Layer to yield nine security perspectives (3 x 3)
• Each security perspective has unique vulnerabilities and threats
[Figure: Security Layers (Infrastructure, Services, Applications) crossed with Security Planes (Management, Control/Signaling, End User); threats (Destruction, Disclosure, Corruption, Removal, Interruption) acting on vulnerabilities produce attacks; vulnerabilities can exist in each layer and plane]
1 - End-User Security Plane:
• Access and use of the network by the customers for various purposes:
– Basic connectivity/transport
– Value-added services (VPN, VoIP, etc.)
– Access to network-based applications (e.g., email)
2 - Control/Signaling Security Plane:
• Activities that enable efficient functioning of the network
• Machine-to-machine communications
3 - Management Security Plane:
• The management and provisioning of network elements, services and applications
• Support of the FCAPS functions
X.805
27
X.805 Approach
(figure originally from Lucent Technologies, Advanced Technologies)
The nine Security Perspectives (modules), one per Layer/Plane intersection:
                          Infrastructure Layer   Services Layer   Applications Layer
Management Plane          Module One             Module Four      Module Seven
Control/Signaling Plane   Module Two             Module Five      Module Eight
User Plane                Module Three           Module Six       Module Nine
The 8 Security Dimensions (Access Control, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability, Privacy) are applied to each Security Perspective
Execute:
– Top row for analysis of the management network
– Middle column for analysis of network services
– Intersection of each layer and plane for analysis of security
X.805
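As an added worked example (not from the presentation, from Lucent or from X.805 itself), the following Python builds the nine modules with the slide's numbering, enumerates the 72 layer/plane/dimension cells, and, for a constructed control inventory, reports per module which dimensions have no control and which of the threats listed on the earlier slides (Destruction, Corruption, Removal, Disclosure, Interruption) are therefore left unmitigated. The dimension-to-threat table (COUNTERS) and the sample inventory (SAMPLE_CONTROLS) are assumptions made for this illustration, not a transcription of the standard's own mapping.

```python
"""X.805 gap analysis over the 3 layers x 3 planes x 8 dimensions matrix.

Added example written for this transcript.  Module numbering follows the
slide (Management/Infrastructure = Module One ... End User/Applications =
Module Nine).  COUNTERS is an illustrative ASSUMPTION, not X.805's own table.
"""

LAYERS = ("Infrastructure", "Services", "Applications")
PLANES = ("Management", "Control/Signaling", "End User")
DIMENSIONS = (
    "Access Control", "Authentication", "Non-repudiation", "Data Confidentiality",
    "Communication Security", "Data Integrity", "Availability", "Privacy",
)
THREATS = ("Destruction", "Corruption", "Removal", "Disclosure", "Interruption")

# ASSUMPTION (illustrative): threats that a dimension, when implemented, helps counter.
COUNTERS = {
    "Access Control": {"Destruction", "Corruption", "Removal", "Disclosure"},
    "Authentication": {"Destruction", "Corruption", "Removal", "Disclosure"},
    "Non-repudiation": {"Destruction", "Corruption", "Removal", "Disclosure", "Interruption"},
    "Data Confidentiality": {"Disclosure"},
    "Communication Security": {"Removal", "Disclosure"},
    "Data Integrity": {"Destruction", "Corruption"},
    "Availability": {"Destruction", "Interruption"},
    "Privacy": {"Disclosure"},
}


def module_number(plane: str, layer: str) -> int:
    """Slide's numbering: count down each layer column, Infrastructure first (1,2,3), then Services (4,5,6)."""
    return LAYERS.index(layer) * 3 + PLANES.index(plane) + 1


def all_cells():
    """The 72 (plane, layer, dimension) cells a full X.805 assessment walks."""
    return [(pl, la, d) for pl in PLANES for la in LAYERS for d in DIMENSIONS]


def gap_analysis(controls: dict) -> dict:
    """controls maps (plane, layer) -> {dimension: description of the control in place}.

    Returns, for every module that is not fully covered, its number, the
    dimensions with no control, and the threats no present dimension counters.
    """
    report = {}
    for plane in PLANES:
        for layer in LAYERS:
            present = set(controls.get((plane, layer), {}))
            unknown = present - set(DIMENSIONS)
            if unknown:
                raise ValueError(f"not an X.805 dimension: {sorted(unknown)}")
            missing = [d for d in DIMENSIONS if d not in present]
            countered = set().union(*(COUNTERS[d] for d in present))
            if missing:
                report[(plane, layer)] = {
                    "module": module_number(plane, layer),
                    "missing": missing,
                    "unmitigated": [t for t in THREATS if t not in countered],
                }
    return report


def worst_modules(controls: dict, limit: int = 3):
    """Modules ranked by unmitigated threats, then missing dimensions, then module number."""
    ranked = sorted(gap_analysis(controls).items(),
                    key=lambda kv: (-len(kv[1]["unmitigated"]), -len(kv[1]["missing"]), kv[1]["module"]))
    return [(gap["module"], cell) for cell, gap in ranked[:limit]]


# Constructed sample: a VoIP operator's partial control inventory (assumption).
SAMPLE_CONTROLS = {
    ("Management", "Infrastructure"): {
        "Access Control": "role-based CLI authorization on routers/switches",
        "Authentication": "per-administrator accounts via TACACS+",
        "Data Confidentiality": "SSH and SNMPv3 for all management sessions",
        "Data Integrity": "SSH/SNMPv3 message integrity",
    },
    ("Control/Signaling", "Services"): {
        "Authentication": "H.235 shared-secret tokens on H.225.0 signaling",
        "Data Integrity": "H.235 HMAC over H.225.0 signaling",
    },
    ("End User", "Applications"): {d: "covered (placeholder)" for d in DIMENSIONS},
}

if __name__ == "__main__":
    for (plane, layer), gap in sorted(gap_analysis(SAMPLE_CONTROLS).items(), key=lambda kv: kv[1]["module"]):
        print(f"Module {gap['module']} ({plane} plane / {layer} layer): "
              f"{len(gap['missing'])} dimensions missing, unmitigated: {gap['unmitigated']}")
```

Walking the matrix this way is the "execute" step of the slide: filling the top row assesses the management network, the middle column assesses network services, and a module with no entry at all (here, six of the nine) is the kind of blind spot the holistic view is meant to surface before a threat does.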
28
X.805
Provides a holistic approach: comprehensive, end-to-end network view of security
Applies to any network technology:
• Wireless, wireline, optical networks
• Voice, data, video, converged networks
Applies to any scope of network function:
• Service provider networks
• Enterprise networks
• Government networks
• Management/operations, administrative networks
• Data center networks
Can map to existing standards
Completes the missing piece of the security puzzle of what to do next
X.805
29
Security Management
Information security management system – Requirements for telecommunications (ISMS-T)
• specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the telecommunications organization's overall business risks
• leverages ISO/IEC 17799:2000, Information technology – Code of practice for information security management
• based on BS 7799-2:2002, Information Security Management Systems – Specification with guidance for use
X.1051
30
Information Security Management Domains defined in ISO/IEC 17799 (applied to Information Assets for Telecom):
1. Security policy
2. Organizational security
3. Asset classification & control
4. Personnel security
5. Physical & environmental security
6. Communications & operations management
7. Access control
8. Systems development & maintenance
9. Business continuity management
10. Compliance
31
[Figure: ISMS (Information Security Management System) control areas: Organizational security, Asset management, Personnel security, Physical and environmental security, Communications and operations management, Access control, System development and maintenance]
X.1051
32
Mobile Security
Multi-part standard:
• X.1121, Framework of security technologies for mobile end-to-end data communications: describes security threats, security requirements, and security functions for mobile end-to-end data communication from the perspectives of the mobile user and application service provider (ASP)
• X.1122, Guideline for implementing secure mobile systems based on PKI: describes considerations of implementing secure mobile systems based on PKI, as a particular security technology
33
X.1121: Security framework for mobile end-to-end data communications
[Figure: General communication framework: Mobile Terminal (Mobile User) on the Mobile Network, data communication across the Open Network to the Application Server (ASP). Gateway framework: the same path with a Mobile Security Gateway between the Mobile Network and the Open Network.]
Contents:
• General communication framework
• Gateway framework
• Security threats
• Relationship of security threats and models
• Security requirements
• Relationship of security requirements and threats
• Security functions for satisfying requirements
X.1121
34
X.1122: Secure mobile systems based on PKI
[Figure: General Model and Gateway Model. In both, a Mobile Terminal (Mobile User) on the Mobile Network communicates with an Application Server (ASP) on the Open Network. PKI entities shown: Mobile user's side CA, ASP's side CA, CA, RA, Repository (on each side), Mobile User VA, ASP's VA.]
ASP: Application Service Provider; CA: Certification Authority; RA: Registration Authority; VA: Validation Authority
35
Telebiometrics
A model for security and public safety in telebiometrics that can:
• assist with the derivation of safe limits for the operation of telecommunications systems and biometric devices
• provide a framework for developing a taxonomy of biometric devices; and
• facilitate the development of authentication mechanisms, based on both static (for example finger-prints) and dynamic (for example gait, or signature pressure variation) attributes of a human being
A taxonomy is provided of the interactions that can occur where the human body meets devices capturing biometric parameters or impacting on the body
X.1081
36
Telebiometric Multimodal Model: A Three Layer Model
• the scientific layer: 5 disciplines: physics, chemistry, biology, culturology, psychology
• the sensory layer: 3 overlapping classifications of interactions:
– video (sight), audio (sound), chemo (smell, taste), tango (touch), radio (radiation), each with an out (emitted) and in (received) state
– behavioral, perceptual, conceptual
– postural, gestural, facial, verbal, demeanoral, not-a-sign
• the metric layer: 7 SI base units (m, kg, s, A, K, mol, cd)
X.1081