ITU-T Security Standardization - PowerPoint PPT Presentation

Title: ITU-T Security Work Update Subject: GSC10 meeting Author: SG17, SG16 Last modified by: Herb Created Date: 3/14/2001 11:23:27 AM Document presentation format – PowerPoint PPT presentation

Slides: 37, provided by SG17

Transcript and Presenter's Notes


1
ITU-T Security Standardization
GSC10_gtsc3(05)04
Agenda Item 5.6
  • Herb Bertine
  • Chairman ITU-T Study Group 17

2
ITU-T World Telecommunications Standardization
Assembly (WTSA)
  • Resolution 50, Cybersecurity
  • Evaluate existing and evolving new
    Recommendations with respect to their robustness
    of design and potential for exploitation by
    malicious parties
  • Raise awareness of the need to defend against the
    threat of cyber attack
  • Resolution 51, Combating spam
  • Report on international initiatives for
    countering spam; Member States to take steps
    within their national legal frameworks to ensure
    measures are taken to combat spam
  • Resolution 52, Countering spam by technical means
  • Study Groups, in cooperation with other relevant
    groups, to develop as a matter of urgency
    technical Recommendations on countering spam

3
ITU-T Study Groups (www.itu.int/ITU-T/studygroups/com17)
  • Study Group 17 is the Lead Study Group for
    Telecommunication Security
    (www.itu.int/ITU-T/studygroups/com17/tel-security.html)
  • Coordination/prioritization of security efforts
  • Development of core security Recommendations
  • Study Group 2 is responsible for defining the
    security requirements on the user point-of-view
  • Study Group 4 covers security for the network
    management
  • Study Group 9 develops security mechanisms for
    cable distribution systems
  • Study Group 13 defines the security framework for
    NGN
  • Study Group 16 concentrates on the security
    issues of Multimedia applications in next
    generation networks.

4
Awareness
  • SG 17 maintains a webpage providing an overview
    of ITU-T achievements in security standardization
  • security manual
  • security compendium
  • catalogue of approved ITU-T Recommendations
    related to telecommunication security
  • extract of ITU-T approved security definitions
  • listing of ITU-T security related Questions
  • www.itu.int/ITU-T/studygroups/com17/tel-security.html
  • Many ITU-T workshops have security in their
    agenda (New horizons for security
    standardization, NGN (in collaboration with
    IETF), Cybersecurity Symposiums I and II, Home
    networking and Home services,)

5
ITU-T Security Manual December 2003, October 2004
  • Basic security architecture and dimensions
  • Vulnerabilities, threats and risks
  • Security framework requirements
  • PKI and privilege management with X.509
  • Applications (VoIP, IPCablecom, Fax, Network
    Management, e-prescriptions)
  • Security terminology
  • Catalog of ITU-T security-related Recommendations
  • List of Study Groups and security-related
    Questions

www.itu.int/itudoc/itu-t/85097.pdf
www.itu.int/itudoc/itu-t/86435.pdf
6
(No Transcript)
7
SG 17 recent achievements
  • Security Architecture (X.805) New 2003
  • For end-to-end communications
  • Security Management System (X.1051) New 2004
  • For risk assessment, identification of assets and
    implementation characteristics
  • Mobile Security (X.1121 and X.1122) New 2004
  • For mobile end-to-end data communications
  • Telebiometric Multimodal Model (X.1081) New 2004
  • A framework for the specification of security and
    safety aspects of telebiometrics
  • Public Key and Attribute Certificate Frameworks
    (X.509) Revision 2005
  • Ongoing enhancements as a result of more complex
    uses and alignment with the IETF

8
SG 16 recent achievements
  • Major restructuring of H.235v3 and annexes in
    stand-alone sub-series Version 4 Recommendations
    of H.235.x
  • New H.235.0 (2005) Security framework for
    H-series (H.323 and other H.245-based) multimedia
    systems
  • Overview of H.235.x sub-series and common
    procedures and baseline text
  • New H.235.1 (2005) Baseline Security Profile
  • Authentication and integrity for H.225.0 signaling
    using shared secrets
  • New H.235.2 (2005) Signature Security Profile
  • Authentication and integrity for H.225.0 signaling
    using X.509 digital certificates and signatures
  • New H.235.3 (2005) Hybrid Security Profile
  • Authentication and integrity for H.225.0 signaling
    using an optimized combination of X.509 digital
    certificates, signatures and shared secrets; key
    management; specification of an optional
    proxy-based security processor

9
SG 16 recent achievements
  • New H.235.4 (2005) Direct and Selective Routed
    Call Security
  • Key management procedures in corporate and
    interdomain environments to obtain key material
    for securing H.225.0 call signaling in GK
    direct-routed/selective routed scenarios
  • New H.235.5 (2005) Framework for secure
    authentication in RAS using weak shared secrets
  • Secured password (using EKE/SPEKE approach) in
    combination with Diffie-Hellman key agreement for
    stronger authentication during H.225.0 signaling
  • New H.235.6 (2005) Voice encryption profile with
    native H.235/H.245 key management
  • Key management and encryption mechanisms for RTP
  • New H.235.7 (2005) Usage of the MIKEY Key
    Management Protocol for the Secure Real Time
    Transport Protocol (SRTP) within H.235
  • Usage of the MIKEY key management for SRTP
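
The H.235.5 bullet above only names the technique (a SPEKE/EKE-style password-authenticated Diffie-Hellman). The following is an added example, not text or code from H.235.5 or ITU-T, showing in Python why a weak shared secret can still bootstrap a strong session key: the password is folded into the DH generator, so a sniffer who records both public values cannot test password guesses without solving a discrete logarithm. Assumptions that are mine, not the Recommendation's: SHA-256 as the hash, HMAC-SHA-256 key-confirmation tags with "endpoint"/"gatekeeper" role labels, and a 256-bit safe prime generated at runtime instead of the much larger standard MODP group a real deployment would use. The `naive_tag` function is the weak design the slide's "weak shared secrets" wording warns about: MAC the DH values directly under the password, and an offline dictionary attack on a captured tag succeeds.

```python
import hashlib
import hmac
import secrets

# Added example (not from H.235.5): SPEKE-style password-authenticated DH.
# Assumed parameters: SHA-256, HMAC-SHA-256, runtime 256-bit safe prime.

SMALL_PRIMES = [n for n in range(3, 1000)
                if all(n % d for d in range(2, int(n ** 0.5) + 1))]


def is_probable_prime(n, rounds=32):
    """Miller-Rabin after a trial-division sieve (stdlib only)."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits):
    """p = 2q + 1 with q prime, so squares mod p form a subgroup of prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def speke_generator(password, p):
    """SPEKE generator g = H(password)^2 mod p: a square, hence of order q."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")
    g = pow(h % p, 2, p)
    if g == 1:  # only if h == +-1 mod p; negligible, but never use it
        raise ValueError("degenerate generator")
    return g


def keypair(g, p):
    """Ephemeral exponent in [1, q-1], so the public value is never 1."""
    q = (p - 1) // 2
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def shared_key(peer_public, private, p):
    """K = H(peer^x); rejects values outside the prime-order subgroup."""
    q = (p - 1) // 2
    if not 1 < peer_public < p - 1 or pow(peer_public, q, p) != 1:
        raise ValueError("peer public value not in the order-q subgroup")
    size = (p.bit_length() + 7) // 8
    return hashlib.sha256(pow(peer_public, private, p).to_bytes(size, "big")).digest()


def confirm(key, role, transcript):
    """Key-confirmation tag (stand-in for H.235's HMAC-based integrity tokens)."""
    return hmac.new(key, role + transcript, hashlib.sha256).digest()


def run_exchange(p, endpoint_pw, gatekeeper_pw):
    """One SPEKE round; returns (both sides confirmed, transcript, endpoint tag)."""
    a, A = keypair(speke_generator(endpoint_pw, p), p)
    b, B = keypair(speke_generator(gatekeeper_pw, p), p)
    size = (p.bit_length() + 7) // 8
    transcript = A.to_bytes(size, "big") + B.to_bytes(size, "big")  # what a sniffer sees
    k_ep = shared_key(B, a, p)
    k_gk = shared_key(A, b, p)
    tag_ep = confirm(k_ep, b"endpoint", transcript)
    tag_gk = confirm(k_gk, b"gatekeeper", transcript)
    # Each side recomputes the other's tag under its own key; a password
    # mismatch gives different generators, different keys, and failed tags.
    ok = (hmac.compare_digest(tag_ep, confirm(k_gk, b"endpoint", transcript))
          and hmac.compare_digest(tag_gk, confirm(k_ep, b"gatekeeper", transcript)))
    return ok, transcript, tag_ep


def naive_tag(password, transcript):
    """The weak design: MAC the DH values directly under the password."""
    return hmac.new(password.encode(), transcript, hashlib.sha256).digest()


def offline_guess(tag, transcript, wordlist, tag_fn):
    """Passive attacker: test each candidate password against a captured tag.
    Works against naive_tag; against SPEKE there is no tag_fn to plug in,
    because the tag key is H(g_pw^ab) and recovering ab from A, B is the DLP."""
    for guess in wordlist:
        if hmac.compare_digest(tag_fn(guess, transcript), tag):
            return guess
    return None


if __name__ == "__main__":
    P = generate_safe_prime(256)
    print("same password confirms:", run_exchange(P, "gk-secret-7", "gk-secret-7")[0])
    print("wrong password confirms:", run_exchange(P, "gk-secret-7", "gk-secret-8")[0])
```

The subgroup check in `shared_key` matters in practice: without it a peer can send a value of small order and force the session key into a guessable set, which is the same class of problem X.805's "design robustness" review is meant to catch.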

10
SG 16 recent achievements
  • New H.235.8 (2005) Key Exchange for SRTP using
    secure Signalling Channels
  • SRTP keying parameter transport over secured
    signaling channels (IPsec, TLS, CMS)
  • New H.235.9 (2005) Security Gateway Support for
    H.323
  • Discovery of H.323 Security Gateways (SG
    represents an H.323 NAT/FW ALG) and key
    management for H.225.0 signaling

11
SG 4 recent achievements: Security of the
Management Plane (M.3016-series)
  • Approved earlier this year (2005), the M.3016
    series is viewed as a key aspect of NGN
    Management; it is included
  • in the NGN Management Roadmap to be issued by the
    NGNMFG
  • in M.3060 on the Principles of NGN Management
  • The M.3016 series consists of 5 parts
  • M.3016.0 Overview
  • M.3016.1 Requirements
  • M.3016.2 Services
  • M.3016.3 Mechanisms
  • M.3016.4 Profile proforma
  • The role of M.3016.4 is unique in that it
    provides a template for other SDOs and forums to
    indicate for their membership what parts of
    M.3016 are mandatory or optional

12
Study Group 17 Security Questions, 2005-2008
(diagram: the Questions below arranged around
"Telecom Systems" and "Telecom Systems Users")
  • Q.4/17 Communications System Security: project
    vision, project roadmap
  • Q.5/17 Security Architecture and Frameworks:
    architecture, model, concepts, frameworks, etc.
    (X.800 series, X.805)
  • Q.6/17 Cyber Security: vulnerability information
    sharing, incident handling operations, security
    strategy, countering SPAM (proposed Q.17/17)
  • Q.7/17 Security Management: ISMS-T, incident
    management, risk assessment methodology, etc.
    (X.1051)
  • Q.8/17 Telebiometrics: multimodal model framework,
    system mechanism, protection procedure (X.1081)
  • Q.9/17 Secure Communication Services: mobile
    secure communications, home network security,
    security for web services (X.1121, X.1122)
13
ITU-T Security work in development
  • Q.2/17 Directory services, Directory systems,
    and public-key/attribute certificates
  • The Directory Public-key and attribute
    certificate frameworks (X.509)
  • The 5th edition entered Last Call period for
    approval on 1 August 2005
  • Consider new work on NGN directory protocol
  • Q.4/17 Communications systems security project
  • Security Baseline for Network Operators Project
  • Proposes a security baseline for network
    operators that will provide meaningful criteria
    against which each network operator can be
    assessed if required
  • Q.5/17 Security architecture and framework
  • Applications of ITU-T Rec. X.805
  • covering division of the security features
    between the network/service provider and the user
  • specifying procedures for network security
    assessment based on X.805 security architecture

14
ITU-T Security work in development
  • Q.6/17 Cybersecurity
  • X.sno, framework for secure network operations
  • X.vds, vulnerability data schema
  • X.sds, spyware/deceptive software
  • X.silc, security incident life-cycle processes
  • X.svlc, security vulnerability life-cycle
    processes
  • Q.7/17 Security management
  • X.ism-1, code of practice for information
    security management
  • X.ism-2, ISMS requirements specification
  • X.1051, amendments/revision
  • Q.8/17 Telebiometrics
  • X.physiol, Physiological quantities, their units
    and letter symbols
  • X.tsm-1, General telebiometric system models,
    protocol and data contents
  • X.tsm-2, Profile of client verification model on
    TSM
  • X.tpp, Guideline on technical and managerial
    countermeasures for biometric data security

15
ITU-T Security work in development
  • Telebiometric database
  • ITU is constructing a database of safe limit
    value pertaining to interfaces between
    telebiometric equipment and humans
  • This work is being done in collaboration with ISO
    TC 12 and IEC TC 25
  • We would appreciate the help of PSOs in
    populating the database.
  • The telebiometric database will be publicly
    available on the ITU-T website
    (www.itu.int/BiometricDB/Home)

16
ITU-T Security work in development
  • Q.9/17 Secure communication services
  • X.homesec-1, Framework for security technologies
    for home network
  • X.homesec-2, Certificate profile for the device
    in the home network
  • X.msec-3, General security value added service
    (policy) for mobile data communication
  • X.msec-4, Authentication architecture in mobile
    end-to-end data communication
  • X.crs, Correlative reacting system in mobile
    network
  • X.websec-1, based on OASIS standard SAML,
    Security Assertion Markup Language
  • X.websec-2, based on OASIS standard XACML,
    eXtensible Access Control Markup Language
  • Proposed Q.17/17 Countering SPAM
  • X.gcs, Guideline on countering SPAM
  • X.fcs, Technical framework for countering SPAM
  • X.tcs, Technical means for countering SPAM

17
ITU-T Security work in development
  • Q.11/4 Protocols for management interfaces
  • Security Management System Requirements (M.xxxx)
  • Q.15/13 NGN security
  • Ensure that the developed NGN architecture is
    consistent with established security principles.
    Will further process the security-related FGNGN
    deliverables

18
ITU-T Security work in development
  • Security Deliverables from NGN Focus Group

Deliverable Title                         Current Draft    Target Date
Security Requirements for NGN Release 1   FGNGN-OD-00132   November 2005
Guidelines for NGN Security               FGNGN-OD-00173   November 2005

Both draft specifications are planned to be moved
to SG 13 for processing as new ITU-T
Recommendations
19
ITU-T Security work in development
  • Q.25/16 - Multimedia Security in Next-Generation
    Networks (NGN-MM-SEC)
  • Standardizes MM Security for H.323 systems and
    for Advanced multimedia (MM) applications
    including NGN
  • Anti-DDOS countermeasures for Multimedia and for
    (H.323-based) NAT/FW proxy
  • Federated Security Architecture for
    Internet-based Conferencing (H.FSIC)
  • Security for MM-QoS (H.mmqos.security)
  • Negotiate security protocols (IPsec or TLS) for
    H.323 signaling (H.460.spn)
  • MM security aspects of Vision H.325, Next-generation
    Multimedia Terminals and Systems

20
Concluding Observations
  • Security is everybody's business
  • Collaboration with other SDOs is necessary
  • Security needs to be designed in upfront
  • Security must be an ongoing effort
  • Systematically addressing vulnerabilities
    (intrinsic properties of networks/systems) is key,
    so that protection can be provided independent of
    what the threats (which are constantly changing
    and may be unknown) may be; X.805 is helpful here

21
Thank you !
22
Additional material on recently approved security
Recommendations in Study Group 17
23
Three main issues that X.805 addresses
  • The security architecture addresses three
    essential issues
  • What kind of protection is needed and against
    what threats?
  • What are the distinct types of network equipment
    and facility groupings that need to be protected?
  • What are the distinct types of network activities
    that need to be protected?

X.805
24
X.805 Security Architecture for End-to-End
Communications
  • Vulnerabilities can exist in each Layer, Plane
    and Dimension
  • 72 Security Perspectives (3 Layers × 3 Planes ×
    8 Dimensions)

X.805
25
X.805 Three security layers
  • 1 - Infrastructure Security Layer
  • Fundamental building blocks of network services
    and applications
  • Examples
  • Individual routers, switches, servers
  • Point-to-point WAN links
  • Ethernet links
  • 2 - Services Security Layer
  • Services provided to end-users
  • Examples
  • Frame Relay, ATM, IP
  • Cellular, Wi-Fi
  • VoIP, QoS, IM, Location services
  • Toll free call services
  • 3 - Applications Security Layer
  • Network-based applications accessed by end-users
  • Examples
  • Web browsing
  • Directory assistance
  • Email
  • E-commerce
  • Each Security Layer has unique vulnerabilities and
    threats
  • Infrastructure security enables services security,
    which enables applications security

X.805
26
X.805 Three security planes
  • 1 - End-User Security Plane
  • Access and use of the network by the customers
    for various purposes
  • Basic connectivity/transport
  • Value-added services (VPN, VoIP, etc.)
  • Access to network-based applications (e.g., email)
  • 2 - Control/Signaling Security Plane
  • Activities that enable efficient functioning of
    the network
  • Machine-to-machine communications
  • 3 - Management Security Plane
  • The management and provisioning of network
    elements, services and applications
  • Support of the FCAPS functions

X.805
  • Security Planes represent the types of activities
    that occur on a network.
  • Each Security Plane is applied to every Security
    Layer to yield nine security Perspectives (3 x 3)
  • Each security perspective has unique
    vulnerabilities and threats
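
The slides above define the X.805 grid (three layers, three planes, eight dimensions, 72 cells) and later mention procedures for network security assessment based on it. The following is an added example, not part of the deck or of X.805 itself, that turns the grid into a coverage check: documented controls are mapped onto the cells they protect, and every cell no control claims is reported as a gap, independent of any current threat list, which is the point of the concluding observations. The layer and plane names are the slides' own; the eight dimension names are those of X.805, which the deck counts but does not list. `SAMPLE_CONTROLS` is constructed sample data for a small VoIP operator, and the control-to-cell mapping is my judgment, not a mapping X.805 prescribes.

```python
from itertools import product

# Added example, not from the deck. Dimension names are X.805's;
# SAMPLE_CONTROLS and its cell mapping are constructed for illustration.

LAYERS = ("Infrastructure", "Services", "Applications")
PLANES = ("Management", "Control/Signaling", "End-User")
DIMENSIONS = ("Access control", "Authentication", "Non-repudiation",
              "Data confidentiality", "Communication security",
              "Data integrity", "Availability", "Privacy")


def all_cells():
    """Every (layer, plane, dimension) cell: 3 x 3 x 8 = 72."""
    return list(product(LAYERS, PLANES, DIMENSIONS))


def validate(cell):
    """Reject cells that are not part of the X.805 grid (typos, invented axes)."""
    layer, plane, dim = cell
    if layer not in LAYERS or plane not in PLANES or dim not in DIMENSIONS:
        raise ValueError(f"not an X.805 cell: {cell!r}")
    return cell


def coverage(controls):
    """Map each documented control onto the cells it protects.

    Returns (covered cells, uncovered cells). A cell claimed by no control
    is a gap to investigate regardless of the threats currently known.
    """
    covered = {validate(cell) for ctl in controls for cell in ctl["cells"]}
    gaps = [cell for cell in all_cells() if cell not in covered]
    return covered, gaps


def gaps_by_module(gaps):
    """Group uncovered dimensions under their (layer, plane) module,
    i.e. under the nine 3 x 3 perspectives of the previous slide."""
    report = {}
    for layer, plane, dim in gaps:
        report.setdefault((layer, plane), []).append(dim)
    return report


def module(layer, plane, *dims):
    """Helper: the cells of one (layer, plane) module for the given dimensions."""
    return [(layer, plane, d) for d in dims]


# Constructed sample inventory (not real assessment data).
SAMPLE_CONTROLS = [
    {"name": "SSH/TLS on element management interfaces",
     "cells": module("Infrastructure", "Management",
                     "Authentication", "Data confidentiality", "Data integrity")},
    {"name": "TACACS+ role-based administrator accounts",
     "cells": module("Infrastructure", "Management", "Access control")
              + module("Services", "Management", "Access control")},
    {"name": "Shared-secret authentication of H.225.0 signaling (H.235.1)",
     "cells": module("Services", "Control/Signaling",
                     "Authentication", "Data integrity")},
    {"name": "SRTP for media streams",
     "cells": module("Services", "End-User",
                     "Data confidentiality", "Data integrity")},
]


def print_report(controls):
    covered, gaps = coverage(controls)
    print(f"{len(covered)} of {len(all_cells())} cells covered, {len(gaps)} gaps")
    for (layer, plane), dims in sorted(gaps_by_module(gaps).items()):
        print(f"  {layer:15} / {plane:18}: missing {', '.join(dims)}")


if __name__ == "__main__":
    print_report(SAMPLE_CONTROLS)
```

With the sample inventory, only 9 of 72 cells are claimed; the whole Applications layer and every Availability and Privacy cell are unaddressed, which is the kind of "what to do next" list the X.805 slides say the architecture is meant to produce.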

27
X.805 Approach
X.805
28
X.805
  • Provides A Holistic Approach
  • Comprehensive, End-to-End Network View of
    Security
  • Applies to Any Network Technology
  • Wireless, Wireline, Optical Networks
  • Voice, Data, Video, Converged Networks
  • Applies to Any Scope of Network Function
  • Service Provider Networks
  • Enterprise Networks
  • Government Networks
  • Management/Operations, Administrative Networks
  • Data Center Networks
  • Can Map to Existing Standards
  • Completes the Missing Piece of the Security
    Puzzle of what to do next

X.805
29
Security Management
  • Information security management system
    requirements for telecommunications (ISMS-T)
  • specifies the requirements for establishing,
    implementing, operating, monitoring, reviewing,
    maintaining and improving a documented ISMS
    within the context of the telecommunications
    organization's overall business risks
  • leverages ISO/IEC 17799:2000, Information
    technology, Code of practice for information
    security management
  • based on BS 7799-2:2002, Information Security
    Management Systems, Specification with Guidance
    for use

X.1051
30
Information Security Management Domains defined
in ISO/IEC 17799
31
ISMS: Information Security Management System
  • Organizational security
  • Asset management
  • Personnel security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • System development and maintenance

X.1051
32
Mobile Security
  • Multi-part standard
  • Framework of security technologies for mobile
    end-to-end data communications
  • describes security threats, security
    requirements, and security functions for mobile
    end-to-end data communication
  • from the perspectives of the mobile user and
    application service provider (ASP)
  • Guideline for implementing secure mobile systems
    based on PKI
  • describes considerations of implementing secure
    mobile systems based on PKI, as a particular
    security technology

X.1121
X.1122
33
Security framework for mobile end-to-end data
communications
(diagram: General communication framework and
Gateway framework, with a Mobile Security Gateway)
  • Security threats
  • Relationship of security threats and models
  • Security requirements
  • Relationship of security requirements and
    threats
  • Security functions for satisfying requirements

X.1121
34
Secure mobile systems based on PKI
(diagram: General Model and Gateway Model)
Legend: ASP = Application Service Provider; CA =
Certification Authority; RA = Registration
Authority; VA = Validation Authority
X.1122
35
Telebiometrics
  • A model for security and public safety in
    telebiometrics that can
  • assist with the derivation of safe limits for the
    operation of telecommunications systems and
    biometric devices
  • provide a framework for developing a taxonomy of
    biometric devices and
  • facilitate the development of authentication
    mechanisms, based on both static (for example
    finger-prints) and dynamic (for example gait, or
    signature pressure variation) attributes of a
    human being
  • A taxonomy is provided of the interactions that
    can occur where the human body meets devices
    capturing biometric parameters or impacting on
    the body

X.1081
36
Telebiometric Multimodal Model: A Three Layer
Model
  • the scientific layer
  • 5 disciplines: physics, chemistry, biology,
    culturology, psychology
  • the sensory layer: 3 overlapping classifications
    of interactions
  • video (sight), audio (sound), chemo (smell,
    taste), tango (touch), radio (radiation), each
    with an out (emitted) and in (received) state
  • behavioral, perceptual, conceptual
  • postural, gestural, facial, verbal, demeanoral,
    not-a-sign
  • the metric layer
  • 7 SI base units (m, kg, s, A, K, mol, cd)

X.1081