EURESCOM Project P710 “Security for the TMN X-interface” by Pål Kristiansen, Telenor R&D
Presentation Contents
The need for TMN security & the P710 effort
Description of the P710 Security Solution
Possible future security capabilities (STASE-ROSE)
Summary and Conclusions
Why is security important?
TMN X-interfaces may be carried over networks operated by different providers, thereby offering potential intruders a broad selection of points of attack. TMN interfaces are based on publicly known and available standards. The information carried by CMIP can easily be interpreted, and thereby also easily manipulated and misused, by an intruder. Protocol analysers and protocol stacks are commercially available to any intruder who wants to make use of them. The power of CMIP allows a single message to affect a very large number of entities. Therefore, the potential consequences of an attack could be considerable. Conclusion: Open interfaces are by nature vulnerable to various threats of attack. Security measures are therefore an absolute requirement for any operator that wants to protect its business interests related to the use and provision of management services. The availability of an appropriate set of inter-domain security services is a prerequisite for the provision of automated X-interfaces in Europe.
P710 Rationale
Commercial automated X-interfaces in Europe may become a reality in the very near future. A commercial driver for P710 is the planned ATM MoU. Today there exists no commonly accepted (i.e. standardised) off-the-shelf security solution for the protection of CMIP communications. Any proposed security solution should be validated through practical implementation and experimentation before it is accepted and applied in a real environment. Theoretical studies are not sufficient. EURESCOM is currently in a good position to provide important practical results in the area of X-interface security.
Some Important Considerations
P710 needed to select a solution that can operate in a multi-operator and multi-vendor environment. P710 wanted to select a security solution that conforms to existing security standards to ensure a certain level of market acceptance. The main security problem for CMIP environments is the lack of support for integrating security services within the OSI-stack. P710 wanted to design a security solution that is flexible enough to be able to utilise existing management platform security capabilities as much as possible. P710 has to select commercial products for the purpose of implementation and validation but has no intention to mandate one particular product for an operational phase.
Considerations regarding STASE-ROSE
STASE-ROSE, if implemented, would become an option to the P710 IPsec solution. In addition to integrity/confidentiality protection, STASE-ROSE will be able to provide a basis for non-repudiation. STASE-ROSE with GSS-API support could be an add-on capability to the P710 application level architecture. In this case the same cryptographic module (GSS-API module) could be used to provide the entire range of cryptographic services. The possibility of commercial implementation may seem promising, but it is as yet very unclear (if, who and when?). X-interface solutions may require multi-vendor support for STASE-ROSE. Since P710 needs to implement and validate solutions that are available today, STASE-ROSE is not an option.
Summary and Conclusions (1)
Today there is no complete standardised off-the-shelf security solution available for CMIP. Existing management platforms have either very little or no support at all for security. It is a goal for P710 to enable the use of platform supported capabilities (particularly access control) whenever available. It should be possible to provide a secure CMIP solution today (apart from maybe non-repudiation) using existing “standard” security technology. Dividing security functionality between the application level and the network level is, however, recommended in order to provide all the main security services. The use of GSS-API provides an easy and standard way of integrating (and easily replacing) cryptographic services at the application level.
Summary and Conclusions (2)
IP security (IPsec) should provide an investment-guaranteed solution for creating a secure VPN (requires the use of CMIP over IP). Host-integration of IPsec may be considered as a future option. STASE-ROSE, if implemented with GSS-API support, would become an add-on capability to the P710 solution. It may, however, take a while before this solution is applicable for multi-vendor environments. An “easy to use” manual public key management solution, appropriate for smaller user-groups, should be sufficient in a first phase. Full PKI functionality may be considered as a future option. The P710 security solution is designed to be flexible and is not tailored to one specific X-interface environment.
Questions?
e-mail: pal.kristiansen@fou.telenor.no