
ITU-T Security Standardization

GSC10_gtsc3(05)04. Agenda Item: 5.6. ITU-T Security Standardization. Herb Bertine, Chairman, ITU-T Study Group 17. ITU-T World Telecommunications Standardization Assembly (WTSA). Resolution 50, Cybersecurity


Presentation Transcript


  1. GSC10_gtsc3(05)04, Agenda Item: 5.6
  ITU-T Security Standardization
  Herb Bertine, Chairman, ITU-T Study Group 17

  2. ITU-T World Telecommunications Standardization Assembly (WTSA)
  • Resolution 50, Cybersecurity
    • Evaluate existing and evolving new Recommendations with respect to their robustness of design and potential for exploitation by malicious parties
    • Raise awareness of the need to defend against the threat of cyberattack
  • Resolution 51, Combating spam
    • Report on international initiatives for countering spam
    • Member States to take steps within their national legal frameworks to ensure measures are taken to combat spam
  • Resolution 52, Countering spam by technical means
    • Study Groups, in cooperation with other relevant groups, to develop as a matter of urgency technical Recommendations on countering spam

  3. ITU-T Study Groups (www.itu.int/ITU-T/studygroups/com17)
  • Study Group 17 is the Lead Study Group for Telecommunication Security (www.itu.int/ITU-T/studygroups/com17/tel-security.html)
    • Coordination/prioritization of security efforts
    • Development of core security Recommendations
  • Study Group 2 is responsible for defining the security requirements from the user's point of view
  • Study Group 4 covers security for network management
  • Study Group 9 develops security mechanisms for cable distribution systems
  • Study Group 13 defines the security framework for NGN
  • Study Group 16 concentrates on the security issues of multimedia applications in next generation networks

  4. Awareness
  • SG 17 maintains a webpage providing an overview of the achievements of ITU-T on security standardization (www.itu.int/ITU-T/studygroups/com17/tel-security.html):
    • security manual
    • security compendium:
      • catalogue of approved ITU-T Recommendations related to telecommunication security
      • extract of ITU-T approved security definitions
      • listing of ITU-T security related Questions
  • Many ITU-T workshops have security in their agenda (New horizons for security standardization, NGN (in collaboration with IETF), Cybersecurity Symposiums I and II, Home networking and Home services, …)

  5. ITU-T Security Manual (December 2003, October 2004)
  • Basic security architecture and dimensions
  • Vulnerabilities, threats and risks
  • Security framework requirements
  • PKI and privilege management with X.509
  • Applications (VoIP, IPCablecom, Fax, Network Management, e-prescriptions)
  • Security terminology
  • Catalog of ITU-T security-related Recommendations
  • List of Study Groups and security-related Questions
  www.itu.int/itudoc/itu-t/85097.pdf
  www.itu.int/itudoc/itu-t/86435.pdf

  6. SG 17 recent achievements
  • Security Architecture (X.805), new 2003
    • For end-to-end communications
  • Security Management System (X.1051), new 2004
    • For risk assessment, identification of assets and implementation characteristics
  • Mobile Security (X.1121 and X.1122), new 2004
    • For mobile end-to-end data communications
  • Telebiometric Multimodal Model (X.1081), new 2004
    • A framework for the specification of security and safety aspects of telebiometrics
  • Public Key and Attribute Certificate Frameworks (X.509), revision 2005
    • Ongoing enhancements as a result of more complex uses and alignment with the IETF

  7. SG 16 recent achievements
  • Major restructuring of H.235v3 and annexes into stand-alone sub-series Version 4 Recommendations H.235.x
  • New H.235.0 (2005) “Security framework for H-series (H.323 and other H.245-based) multimedia systems”
    • Overview of the H.235.x sub-series, common procedures and baseline text
  • New H.235.1 (2005) “Baseline Security Profile”
    • Authentication & integrity for H.225.0 signaling using shared secrets
  • New H.235.2 (2005) “Signature Security Profile”
    • Authentication & integrity for H.225.0 signaling using X.509 digital certificates and signatures
  • New H.235.3 (2005) “Hybrid Security Profile”
    • Authentication & integrity for H.225.0 signaling using an optimized combination of X.509 digital certificates, signatures and shared-secret key management; specification of an optional proxy-based security processor

  8. SG 16 recent achievements
  • New H.235.4 (2005) “Direct and Selective Routed Call Security”
    • Key management procedures in corporate and interdomain environments to obtain key material for securing H.225.0 call signaling in GK direct-routed/selective-routed scenarios
  • New H.235.5 (2005) “Framework for secure authentication in RAS using weak shared secrets”
    • Secured password (using the EKE/SPEKE approach) in combination with Diffie-Hellman key agreement for stronger authentication during H.225.0 signaling
  • New H.235.6 (2005) “Voice encryption profile with native H.235/H.245 key management”
    • Key management and encryption mechanisms for RTP
  • New H.235.7 (2005) “Usage of the MIKEY Key Management Protocol for the Secure Real Time Transport Protocol (SRTP) within H.235”
    • Usage of MIKEY key management for SRTP

  9. SG 16 recent achievements
  • New H.235.8 (2005) “Key Exchange for SRTP using secure Signalling Channels”
    • SRTP keying parameter transport over secured signaling channels (IPsec, TLS, CMS)
  • New H.235.9 (2005) “Security Gateway Support for H.323”
    • Discovery of H.323 Security Gateways (an SG represents an H.323 NAT/FW ALG) and key management for H.225.0 signaling

  10. SG 4 recent achievements: Security of the Management Plane (M.3016-series)
  • Approved earlier this year (2005), the M.3016 series is viewed as a key aspect of NGN Management; it is included
    • in the NGN Management Roadmap to be issued by the NGNMFG
    • in M.3060 on the Principles of NGN Management
  • The M.3016 series consists of 5 parts:
    • M.3016.0: Overview
    • M.3016.1: Requirements
    • M.3016.2: Services
    • M.3016.3: Mechanisms
    • M.3016.4: Profile proforma
  • The role of M.3016.4 is unique in that it provides a template for other SDOs and forums to indicate to their membership which parts of M.3016 are mandatory or optional

  11. Study Group 17 Security Questions, 2005-2008
  Diagram (labelled Telecom Systems / Users) showing the Questions and their topics:
  • Q.4/17 Communications System Security Project: Vision, Project Roadmap, …
  • Q.5/17 Security Architecture & Frameworks: Architecture, Model, Concepts, Frameworks, etc… (X.800 series, X.805)
  • Q.6/17 Cyber Security: Vulnerability Information Sharing…, Incident Handling Operations, Security Strategy, Countering SPAM (proposed Q.17/17)
  • Q.7/17 Telecom Systems Security Management: ISMS-T, Incident Management, Risk Assessment Methodology, etc… (X.1051)
  • Q.8/17 Telebiometrics: Multimodal Model Framework, System Mechanism, Protection Procedure (X.1081)
  • Q.9/17 Secure Communication Services: Mobile Secure Communications, Home Network Security, Security Web Services (X.1121, X.1122)

  12. ITU-T Security work in development
  • Q.2/17: Directory services, Directory systems, and public-key/attribute certificates
    • The Directory: Public-key and attribute certificate frameworks (X.509)
      • The 5th edition entered the Last Call period for approval on 1 August 2005
    • Consider new work on an NGN directory protocol
  • Q.4/17: Communications systems security project
    • Security Baseline for Network Operators Project
      • Proposes a security baseline for network operators that will provide meaningful criteria against which each network operator can be assessed if required
  • Q.5/17: Security architecture and framework
    • Applications of ITU-T Rec. X.805
      • covering division of the security features between the network service provider and the user
      • specifying procedures for network security assessment based on the X.805 security architecture

  13. ITU-T Security work in development
  • Q.6/17: Cybersecurity
    • X.sno, framework for secure network operations
    • X.vds, vulnerability data schema
    • X.sds, spyware/deceptive software
    • X.silc, security incident life-cycle processes
    • X.svlc, security vulnerability life-cycle processes
  • Q.7/17: Security management
    • X.ism-1, code of practice for information security management
    • X.ism-2, ISMS requirements specification
    • X.1051, amendments/revision
  • Q.8/17: Telebiometrics
    • X.physiol, Physiological quantities, their units and letter symbols
    • X.tsm-1, General telebiometric system models, protocol and data contents
    • X.tsm-2, Profile of client verification model on TSM
    • X.tpp, Guideline on technical and managerial countermeasures for biometric data security

  14. ITU-T Security work in development
  • Telebiometric database
    • ITU is constructing a database of safe limit values pertaining to interfaces between telebiometric equipment and humans
    • This work is being done in collaboration with ISO TC 12 and IEC TC 25
    • We would appreciate the help of PSOs in populating the database
    • The telebiometric database will be publicly available on the ITU-T website: www.itu.int/BiometricDB/Home

  15. ITU-T Security work in development
  • Q.9/17: Secure communication services
    • X.homesec-1, Framework for security technologies for home network
    • X.homesec-2, Certificate profile for the device in the home network
    • X.msec-3, General security value added service (policy) for mobile data communication
    • X.msec-4, Authentication architecture in mobile end-to-end data communication
    • X.crs, Correlative reacting system in mobile network
    • X.websec-1, based on the OASIS standard SAML, Security Assertion Markup Language
    • X.websec-2, based on the OASIS standard XACML, eXtensible Access Control Markup Language
  • Proposed Q.17/17: Countering SPAM
    • X.gcs, Guideline on countering SPAM
    • X.fcs, Technical framework for countering SPAM
    • X.tcs, Technical means for countering SPAM

  16. ITU-T Security work in development
  • Q.11/4 – Protocols for management interfaces
    • Security Management System Requirements (M.xxxx)
  • Q.15/13 – NGN security
    • Ensure that the developed NGN architecture is consistent with established security principles. Will further process the security-related FGNGN deliverables

  17. ITU-T Security work in development: Security Deliverables from NGN Focus Group
  • Both draft specifications are planned to be moved to SG 13 for processing as new ITU-T Recommendations

  18. ITU-T Security work in development
  • Q.25/16 – Multimedia Security in Next-Generation Networks (NGN-MM-SEC)
    • Standardizes MM security for H.323 systems and for advanced multimedia (MM) applications including NGN
    • Anti-DDoS countermeasures for multimedia and for (H.323-based) NAT/FW proxy
    • Federated Security Architecture for Internet-based Conferencing (H.FSIC)
    • Security for MM-QoS (H.mmqos.security)
    • Negotiate security protocols (IPsec or TLS) for H.323 signaling (H.460.spn)
    • MM security aspects of Vision H.325 “Next-generation Multimedia Terminals and Systems”

  19. Concluding Observations
  • Security is everybody's business
  • Collaboration with other SDOs is necessary
  • Security needs to be designed in upfront
  • Security must be an ongoing effort
  • Systematically addressing vulnerabilities (intrinsic properties of networks/systems) is key, so that protection can be provided independent of what the threats (which are constantly changing and may be unknown) may be – X.805 is helpful here

  20. Thank you !

  21. Additional material on recently approved security Recommendations in Study Group 17

  22. Three main issues that X.805 addresses
  • The security architecture addresses three essential issues:
    • What kind of protection is needed and against what threats?
    • What are the distinct types of network equipment and facility groupings that need to be protected?
    • What are the distinct types of network activities that need to be protected?
  X.805

  23. X.805: Security Architecture for End-to-End Communications
  Diagram (recoverable labels): Security Layers – Applications Security, Services Security, Infrastructure Security; Security Planes – End User Security, Control/Signaling Security, Management Security; 8 Security Dimensions – Access Control, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability, Privacy; Threats – Destruction, Corruption, Removal, Disclosure, Interruption; Vulnerabilities; Attacks
  • Vulnerabilities can exist in each Layer, Plane and Dimension
  • 72 Security Perspectives (3 Layers x 3 Planes x 8 Dimensions)

  24. X.805: Three security layers
  Diagram (recoverable labels): Applications Security, Services Security, Infrastructure Security; Threats – Destruction, Corruption, Removal, Disclosure, Interruption; Vulnerabilities; Attacks; “Vulnerabilities Can Exist In Each Layer”
  • 3 - Applications Security Layer:
    • Network-based applications accessed by end-users
    • Examples: Web browsing; Directory assistance; Email; E-commerce
  • 2 - Services Security Layer:
    • Services provided to end-users
    • Examples: Frame Relay, ATM, IP; Cellular, Wi-Fi; VoIP, QoS, IM, Location services; Toll free call services
  • 1 - Infrastructure Security Layer:
    • Fundamental building blocks of network services and applications
    • Examples: Individual routers, switches, servers; Point-to-point WAN links; Ethernet links
  • Each Security Layer has unique vulnerabilities and threats
  • Infrastructure security enables services security, which enables applications security

  25. X.805: Three security planes
  Diagram (recoverable labels): Security Layers – Applications Security, Services Security, Infrastructure Security; Security Planes – End User Security, Control/Signaling Security, Management Security; Threats – Destruction, Corruption, Removal, Disclosure, Interruption; Vulnerabilities; Attacks; “Vulnerabilities Can Exist In Each Layer and Plane”
  • 1 - End-User Security Plane:
    • Access and use of the network by the customers for various purposes:
      • Basic connectivity/transport
      • Value-added services (VPN, VoIP, etc.)
      • Access to network-based applications (e.g., email)
  • 2 - Control/Signaling Security Plane:
    • Activities that enable efficient functioning of the network
    • Machine-to-machine communications
  • 3 - Management Security Plane:
    • The management and provisioning of network elements, services and applications
    • Support of the FCAPS functions
  • Security Planes represent the types of activities that occur on a network
  • Each Security Plane is applied to every Security Layer to yield nine security Perspectives (3 x 3)
  • Each security perspective has unique vulnerabilities and threats

  26. X.805 Approach
  Diagram (reconstructed):
                               Infrastructure Layer   Services Layer   Applications Layer
    Management Plane           Module One             Module Four      Module Seven
    Control/Signaling Plane    Module Two             Module Five      Module Eight
    User Plane                 Module Three           Module Six       Module Nine
  • Execute the top row for analysis of the management network
  • Execute the middle column for analysis of network services
  • Execute the intersection of each Layer and Plane for analysis of a Security Perspective
  • The 8 Security Dimensions (Access Control, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability, Privacy) are applied to each Security Perspective
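The slide's nine modules, with the eight dimensions applied to each, can be turned into a simple coverage check: tag every control in an inventory with the layers, planes and dimensions it addresses, then list the cells of the 72 that nothing covers. The Python below is an added example, not code from the presentation or from ITU-T; the control inventory and its tags are constructed for illustration.

```python
# Added example (not from the presentation): an X.805 coverage check.
# X.805 gives 3 Security Layers x 3 Security Planes = 9 perspectives (the
# "modules" on the slide); applying the 8 Security Dimensions to each yields 72.
from itertools import product

LAYERS = ("Infrastructure", "Services", "Applications")
PLANES = ("Management", "Control/Signaling", "End-User")
DIMENSIONS = ("Access Control", "Authentication", "Non-repudiation",
              "Data Confidentiality", "Communication Security",
              "Data Integrity", "Availability", "Privacy")

def perspectives():
    """All 72 (layer, plane, dimension) cells of the X.805 matrix."""
    return list(product(LAYERS, PLANES, DIMENSIONS))

def module_number(layer, plane):
    """Module numbering from the slide: layers are columns, planes are rows,
    counted down each column (Infrastructure/Management is Module One)."""
    return LAYERS.index(layer) * len(PLANES) + PLANES.index(plane) + 1

def cells_of(control):
    """Expand one control into the cells it covers.  Unknown names are an
    error, so a mistyped tag cannot silently count as coverage."""
    for key, valid in (("layers", LAYERS), ("planes", PLANES),
                       ("dimensions", DIMENSIONS)):
        unknown = set(control[key]) - set(valid)
        if unknown:
            raise ValueError(f"{control['name']}: unknown {key} {sorted(unknown)}")
    return set(product(control["layers"], control["planes"], control["dimensions"]))

def coverage_gaps(controls):
    """Cells of the 72 that no control covers, in matrix order."""
    covered = set().union(*(cells_of(c) for c in controls))
    return [cell for cell in perspectives() if cell not in covered]

def gaps_by_module(controls):
    """Number of uncovered dimensions in each of the nine modules."""
    counts = {module_number(l, p): 0 for l in LAYERS for p in PLANES}
    for layer, plane, _dim in coverage_gaps(controls):
        counts[module_number(layer, plane)] += 1
    return counts

# Constructed sample control inventory (hypothetical, for illustration only).
SAMPLE_CONTROLS = [
    {"name": "TLS on management interfaces",
     "layers": ["Infrastructure", "Services"], "planes": ["Management"],
     "dimensions": ["Authentication", "Data Confidentiality",
                    "Data Integrity", "Communication Security"]},
    {"name": "Role-based admin accounts with audit log",
     "layers": list(LAYERS), "planes": ["Management"],
     "dimensions": ["Access Control", "Authentication", "Non-repudiation"]},
    {"name": "Redundant signaling links", "layers": ["Infrastructure"],
     "planes": ["Control/Signaling"], "dimensions": ["Availability"]},
]

if __name__ == "__main__":
    for module, n in sorted(gaps_by_module(SAMPLE_CONTROLS).items()):
        print(f"Module {module}: {n} of {len(DIMENSIONS)} dimensions uncovered")
```

With the sample inventory, Modules One and Four are missing only Availability and Privacy, while every module outside the management row is almost entirely uncovered, which is the kind of blind spot the matrix is meant to expose.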

  27. X.805 Provides A Holistic Approach:
  • Comprehensive, End-to-End Network View of Security
  • Applies to Any Network Technology
    • Wireless, Wireline, Optical Networks
    • Voice, Data, Video, Converged Networks
  • Applies to Any Scope of Network Function
    • Service Provider Networks
    • Enterprise Networks
    • Government Networks
    • Management/Operations, Administrative Networks
    • Data Center Networks
  • Can Map to Existing Standards
  • Completes the Missing Piece of the Security Puzzle of what to do next

  28. Security Management
  • Information security management system – Requirements for telecommunications (ISMS-T)
    • specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the telecommunications organization's overall business risks
    • leverages ISO/IEC 17799:2000, Information technology – Code of practice for information security management
    • based on BS 7799-2:2002, Information Security Management Systems – Specifications with Guidance for use
  X.1051

  29. Information Security Management Domains defined in ISO/IEC 17799

  30. ISMS: Information Security Management System
  • Organizational security
  • Asset management
  • Personnel security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • System development and maintenance
  X.1051

  31. Mobile Security: multi-part standard
  • X.1121: Framework of security technologies for mobile end-to-end data communications
    • describes security threats, security requirements, and security functions for mobile end-to-end data communication
    • from the perspectives of the mobile user and the application service provider (ASP)
  • X.1122: Guideline for implementing secure mobile systems based on PKI
    • describes considerations for implementing secure mobile systems based on PKI, as a particular security technology

  32. Security framework for mobile end-to-end data communications
  Diagram (recoverable labels): General communication framework – data communication between Mobile Terminal (Mobile User) and Application Server (ASP) across the Mobile Network and the Open Network; Gateway framework – Mobile Terminal (Mobile User), Mobile Network, Mobile Security Gateway, Open Network, Application Server (ASP)
  • Security threats
  • Relationship of security threats and models
  • Security requirements
  • Relationship of security requirements and threats
  • Security functions for satisfying requirements
  X.1121

  33. Secure mobile systems based on PKI
  Diagram (recoverable labels): General Model and Gateway Model, each showing a Mobile Terminal (Mobile User) reaching an Application Server (ASP) across the Mobile Network and the Open Network, with the Mobile user's side CA, the ASP's side CA, RA, Repositories, a Mobile User VA and an ASP's VA
  Legend: ASP – Application Service Provider; CA – Certification Authority; RA – Registration Authority; VA – Validation Authority
  X.1122

  34. Telebiometrics
  • A model for security and public safety in telebiometrics that can
    • assist with the derivation of safe limits for the operation of telecommunications systems and biometric devices
    • provide a framework for developing a taxonomy of biometric devices; and
    • facilitate the development of authentication mechanisms, based on both static (for example fingerprints) and dynamic (for example gait, or signature pressure variation) attributes of a human being
  • A taxonomy is provided of the interactions that can occur where the human body meets devices capturing biometric parameters or impacting on the body
  X.1081

  35. Telebiometric Multimodal Model: A Three Layer Model
  • the scientific layer
    • 5 disciplines: physics, chemistry, biology, culturology, psychology
  • the sensory layer – 3 overlapping classifications of interactions
    • video (sight), audio (sound), chemo (smell, taste), tango (touch), radio (radiation) – each with an out (emitted) and in (received) state
    • behavioral, perceptual, conceptual
    • postural, gestural, facial, verbal, demeanoral, not-a-sign
  • the metric layer
    • 7 SI base units (m, kg, s, A, K, mol, cd)
  X.1081
