Telecommunication Security - PowerPoint PPT Presentation

About This Presentation
Title:

Telecommunication Security

Description:

Title: Slide 1 Author: Stephanie Montgomery Last modified by: Dave.Thompson Created Date: 2/27/2006 7:49:58 PM Document presentation format: On-screen Show – PowerPoint PPT presentation

Number of Views:673
Avg rating:3.0/5.0
Slides: 114
Provided by: StephanieM151
Learn more at: https://docbox.etsi.org
Category:

less

Transcript and Presenter's Notes

Title: Telecommunication Security


1
Telecommunication Security
SOURCE ITU-T
TITLE ITU-T Security Standardization
AGENDA ITEM GTSC, agenda item 5.5
CONTACT Herb Bertine, hbertine_at_lucent.com
GSC11(06)_GTSC_07
  • Herbert Bertine
  • Chairman, ITU-T SG 17

2
High Level Security Drivers
  • ITU Plenipotentiary Conference (PP-02)
  • Intensify efforts on security
  • World Telecommunications Standardization Assembly
    (WTSA-04)
  • Security robustness of protocols
  • Combating/Countering spam
  • World Summit on the Information Society (WSIS-05)
  • Cyber security

3
ITU-T Study Groups
  • ITU-T work is divided up between Study Groups
    (SGs).
  • SG 2 Operational aspects of service provision,
    networks and performance
  • SG 4 Telecommunication management
  • SG 5 Protection against electromagnetic
    environment effects
  • SG 6 Outside Plant and related indoor
    installations
  • SG 9 Integrated broadband cable networks and
    television and sound transmission
  • SG 11 Signaling requirements and protocols
  • SG 12 Performance and quality of service
  • SG 13 Next Generation Networks
  • SG 15 Optical and other transport networks
  • SG 16 Multimedia services, systems and terminals
  • SG 17 Security, languages and telecommunication
    software
  • SG 19 Mobile Telecommunications Networks
  • SG17 is the Lead Study Group on
    telecommunication security.

4
Overview of ITU-T Security StandardizationCollabo
ration is key factor
5
WP 2/17 Security Questions (2005-2008)
Q8/17
Telecom Systems Users
Telebiometrics Multimodal Model Fwk System
Mechanism Protection Procedure X.1081
TelecomSystems
Q5/17
Secure Communication Services Mobile Secure
Communications Home Network Security
Security Web Services X.1121, X.1122
Q7/17
SecurityManagement ISM Guideline for
Telecom Incident Management Risk
Assessment Methodology etc X.1051
SecurityArchitecture Framework Architecture,
Model, Concepts, Frameworks,etc X.800
seriesX.805
Q9/17
Cyber SecurityOverview of Cyber-securityVulner
ability Information Sharing Incident Handling
Operations
Q6/17
Countering spam Technical anti-spam measures
Q17/17
New
Q4/17
Communications System Security
Vision, Coordination, Roadmap, Compendia
6
Highlights of whats new since GSC-10
  • Two new ITU-T Questions
  • Q.15/13, NGN security
  • Q.17/17, Countering spam by technical means
  • 38 security Recommendations are under development
    in Study Group 17
  • Other SGs are developing security Recommendations
    for specific technologies for example 5 on NGN
    security
  • Focus Group on Security Baseline For Network
    Operators
  • New Horizons for Security Standardization
    Workshop
  • Security standards roadmap
  • Cybersecurity web portal

7
Q.15/13 NGN Security
  • Recognizing that security is one of the
    defining features of NGN, it is essential to put
    in place a set of standards that will guarantee,
    to the maximum degree possible, the security of
    the telecommunications infrastructure as PSTNs
    evolve to NGNs.
  • The NGN Security studies must address
    and develop network architectures that
  • - Provide for maximal network and end-user
    resource protection
  • - Allow for highly-distributed intelligence
    end-to-end
  • - Allow for co-existence of multiple
    networking technologies
  • - Provide for end-to-end security mechanisms
  • - Provide for security solutions that apply
    over multiple administrative domains

8
Q.17/17 Combating spam by technical means
  • Spam has become a widespread problem
    causing a complex range of problems to users,
    service providers, and network operators around
    the globe. While spam was originally used to send
    unsolicited commercial messages, increasingly
    spam messages are being used to spread viruses,
    worms, and other malicious code that negatively
    impact the security and stability of the global
    telecommunication network. Spam may include the
    delivery of phishing and spyware. It is a global
    problem that requires a multifaceted,
    comprehensive approach.
  • Study items to be considered include,
    but are not limited to
  • - What risks does spam pose to the
    telecommunication network?
  • - What technical factors associated with
    the telecommunication network contribute to the
    difficulty of identifying the sources of spam?
  • - How can new technologies lead to
    opportunities to counter spam and enhance the
    security of the telecommunication network?
  • - Do advanced telecommunication network
    technologies (for example, SMS, instant
    messaging, VoIP) offer unique opportunities for
    spam that require unique solutions?
  • - What technical work is already being
    undertaken within the IETF, in other fora, and by
    private sector entities to address the problem of
    spam?
  • - What telecommunication network
    standardization work, if any, is needed to
    effectively counter spam as it relates to the
    stability and robustness of the telecommunication
    network?

9
SG 17 Security Recommendations under development
(1/3)
  • Summaries of all Study Group 17 Recommendations
    under development are available on the Study
    Group 17 web page at www.itu.int/itu-t/studygroup
    s/com17
  • Communications Systems Security Project
  • X.sbno, Security baseline for network operators
  • Security Architecture and Framework
  • X.805, Division of the security features between
    the network and the users
  • X.805nsa, Network security certification based on
    ITU-T Recommendation X.805
  • X.ngn-akm, Framework for authentication and key
    management for link layer security of NGN
  • X.pak, Password-authenticated key exchange (PAK)
  • X.spn, Framework for creation, storage,
    distribution and enforcement of security policies
    for networks

10
SG 17 Security Recommendations under development
(2/3)
  • Cyber Security
  • X.cso, Overview of cybersecurity
  • X.sds, Guidelines for Internet Service Providers
    and End-users for Addressing the Risk of Spyware
    and Deceptive Software
  • X.cvlm, Guidelines on Cybersecurity Vulnerability
    Life-cycle Management
  • X.vds, A vendor-neutral framework for automatic
    checking of the presence of vulnerabilities
    information update
  • Security Management
  • X.1051 (R), Information security management
    guidelines for telecommunications based on
    ISO/IEC 27002
  • X.rmg, Risk management guidelines for
    telecommunications
  • X.sim, Security incident management guidelines
    for telecommunications
  • Telebiometrics
  • X.bip, BioAPI interworking protocol
  • X.physiol, Telebiometrics related to human
    physiology
  • X.tai, Telebiometrics authentication
    infrastructure
  • X.tpp-1, A guideline of technical and managerial
    countermeasures for biometric data security
  • X.tpp-2, A guideline for secure and efficient
    transmission of multi-modal biometric data
  • X.tsm-1, General biometric authentication
    protocol and profile on telecommunication systems
  • X.tsm-2, Profile of telecomunication device for
    Telebiometrics System Mechanism (TSM)

11
SG 17 Security Recommendations under development
(2/3)
  • Secure Communication Services
  • X.crs, Correlative reacting system in mobile
    network
  • X.homesec-1, Framework of security technologies
    for home network
  • X.homesec-2, Certificate profile for the device
    in the home network
  • X.homesec-3, User authentication mechanisms for
    home network service
  • X.msec-3, General security value added service
    (policy) for mobile data communication
  • X.msec-4, Authentication architecture in mobile
    end-to-end data communication
  • X.p2p-1, Requirements of security for
    peer-to-peer and peer-to-multi peer
    communications
  • X.p2p-2, Security architecture and protocols for
    peer to peer network
  • X.sap-1, Guideline on secure password-based
    authentication protocol with key exchange
  • X.sap-2, Secure communication using TTP service
  • X.websec-1, Security Assertion Markup Language
    (SAML) X.1141 now in AAP Last Call
  • X.websec-2, eXtensible Access Control Markup
    Language (XACML) X.1142 now in AAP Last Call
  • X.websec-3, Security architecture for message
    security in mobile web services
  • Countering spam by technical means
  • X.csreq, Requirement on countering spam
  • X.fcs, Technical framework for countering email
    spam
  • X.gcs, Guideline on countering email spam
  • X.ocsip, Overview of countering spam for IP
    multimedia application

12
SG 13 Security Recommendations under development
  • NGN Security
  • Security Requirements for NGN Release 1
  • Guidelines for NGN Security Release 1
  • Authentication requirements for NGN Release 1
  • AAA Service for Network Access to NGN
  • Security considerations for Pseudowire (PWE)
    technology
  • Continuation of the work originated in the
    ITU-T Focus Group on NGN

13
Focus Group Security Baseline for Network
Operators
  • Established October 2005 by SG 17
  • Objectives
  • Define a security baseline against which network
    operators can assess their network and
    information security posture in terms of what
    security standards are available, which of these
    standards should be used to meet particular
    requirements, when they should be used, and how
    they should be applied
  • Describe a network operators readiness and
    ability to collaborate with other entities
    (operators, users and law enforcement
    authorities) to counteract information security
    threats
  • Provide meaningful criteria that can be used by
    network operators against which other network
    operators can be assessed, if required.
  • Next Step
  • Survey network operators by means of a
    questionnaire

14
New Horizons for Security Standardization Workshop
  • Workshop held in Geneva 3-4 October 2005
  • Objectives
  • Provide an overview of key international security
    standardization activities
  • Seek to identify primary security concerns and
    issues
  • Determine which issues are amenable to a
    standards-based solution
  • Identify which SDOs are are best equipped to do
    so and
  • Consider how SDOs can collaborate to improve the
    timeliness and effectiveness of security
    standards and avoid duplication of effort.
  • Results reported under following topics
  • What are the crucial problems in ICT security
    standardization?
  • Meta issues and need for a global framework
  • Standards Requirements and Priorities
  • Liaison and information sharing
  • User issues
  • Technology and threat issues
  • Focus for future standardization work
  • Process issues
  • Follow-on issues
  • Report available at www.itu.int/ITU-T/worksem/sec
    urity/200510/index.html

15
ICT Security Standards Roadmap
  • Four Part Roadmap
  • Part 1 contains information about organizations
    working on ICT security standards
  • Part 2 is a database of existing security
    standards
  • Presently includes ITU-T, ISO/IEC JTC1 and IETF
    standards
  • Will be expanded to include other standards
  • Part 3 will be a list of standards in development
  • Part 4 will identify future needs and proposed
    new standards
  • Publicly available under Special Projects and
    Issues at
  • www.itu.int/ITU-T/studygroups/com17/index
  • We invite you to use the Roadmap, provide
    feedback and help us develop it to meet your needs

16
The ITU Global Cybersecurity Gateway
LIVE at http//www.itu.int/cybersecurity Provides
an easy-to-use information resource on national,
regional and international cybersecurity-related
activities and initiatives worldwide.
17
Structure of the Cybersecurity Gateway
  • The portal is geared towards four specific
    audiences Citizens Businesses
    Governments, International Organizations
  • Database information collected within five main
    themes
  • Information sharing of national approaches, good
    practices and guidelines
  • Developing watch, warning and incident response
    capabilities
  • Technical standards and industry solutions
  • Harmonizing national legal approaches and
    international legal coordination and enforcement
  • Privacy, data and consumer protection.
  • Additional information resources on the following
    topics spam, spyware, phishing, scams and
    frauds, worms and viruses, denial of service
    attacks, etc.

18
(No Transcript)
19
Some useful web resources
  • ITU-T Home page www.itu.int/itu-t
  • Study Group 17 www.itu.int/itu-t/studygroups/com
    17
  • LSG on Security http//www.itu.int/ITU-T/studygrou
    ps/com17/tel-security.html
  • e-mail tsbsg17_at_itu.int
  • Recommendations www.itu.int/ITU-T/publications/re
    cs.html
  • ITU-T Lighthouse www.itu.int/ITU-T/lighthouse
  • ITU-T Workshops www.itu.int/ITU-T/worksem
  • Security Roadmap http//www.itu.int/ITU-T/studygr
    oups/com17/ict/index.html
  • Cybersecurity Portal http//www.itu.int/cybersecu
    rity

20
Closing Observations
  • Security is everybody's business
  • Collaboration with other SDOs is necessary
  • Security needs to be designed in upfront
  • Security must be an ongoing effort
  • Systematically addressing vulnerabilities
    (intrinsic properties of networks/systems) is
    keyso that protection can be provided
    independent of what the threats (which are
    constantly changing and may be unknown) may be
  • X.805 is helpful here

21
Additional details on security work in ITU-T
Study Groups- Study Group 17- Study Group
4- Study Group 9- Study Group 13- Study
Group 16- Study Group 19
22
  • ITU-T SG 17 Work on Security

23
Study Group 17 Security, languages and
telecommunication software
  • SG 17 is the Lead Study Group on
    telecommunication security - It is responsible
    for coordination of security across all Study
    Groups.
  • Subdivided into three Working Parties (WPs)
  • WP1 - Open systems technologies
  • WP2 - Telecommunications security and
  • WP3 - Languages and telecommunications software
  • Most (but not all) security Questions are in WP2
  • Summaries of all draft Recommendations under
    development in SG 17 are available on the SG 17
    web page at www.itu.int/itu-t/studygroups/com17

24
Current SG 17 security-related Questions
  • Working Party 1
  • 1/17 End-to-end Multicast Communications with
    QoS Managing Facility
  • 2/17 Directory services, Directory systems, and
    public- key/attribute certificates
  • 3/17 Open Systems Interconnection (OSI)
  • 16/17 Internationalized Domain Names (IDN)
  • Working Party 2
  • 4/17 Communications Systems Security Project
  • 5/17 Security Architecture and Framework
  • 6/17 Cyber Security
  • 7/17 Security Management
  • 8/17 Telebiometrics
  • 9/17 Secure Communication Services
  • 17/17   Countering spam by technical means

25
  • ITU-T SG 17 Question 4Communications Systems
    Security Project
  • Security Workshop
  • ICT Security Roadmap
  • Focus Group on Security Baseline For Network
    Operators

26
New Horizons for Security Standardization Workshop
  • Workshop held in Geneva 3-4 October 2005
  • Hosted by ITU-T SG17 as part of security
    coordination responsibility
  • ISO/IEC JTC1 played an important role in planning
    the program and in providing speakers/panelists.
  • Speakers, panelists, chairs from
  • ITU-T
  • ISO/IEC
  • IETF
  • Consortia OASIS, 3GPP
  • Regional SDOs ATIS, ETSI, RAIS

27
Workshop Objectives
  • Provide an overview of key international security
    standardization activities
  • Seek to find out from stakeholders (e.g., network
    operators, system developers, manufacturers and
    end-users) their primary security concerns and
    issues (including possible issues of adoption or
    implementation of standards)
  • Try to determine which issues are amenable to a
    standards-based solution and how the SDOs can
    most effectively play a role in helping address
    these issues
  • Identify which SDOs are already working on these
    issues or are best equipped to do so and
  • Consider how SDOs can collaborate to improve the
    timeliness and effectiveness of security
    standards and avoid duplication of effort.

28
Workshop Results
  • Excellent discussions, feedback and suggestions
  • Documented in detail in the Workshop report
  • Results are reported under following topics
  • What are the crucial problems in ICT security
    standardization?
  • Meta issues and need for a global framework
  • Standards Requirements and Priorities
  • Liaison and information sharing
  • User issues
  • Technology and threat issues
  • Focus for future standardization work
  • Process issues
  • Follow-on issues
  • The report is available on-line at
  • www.itu.int/ITU-T/worksem/security/200510/index.ht
    ml

29
ICT Security Standards Roadmap(An SG 17
Work-in-progress)
  • Part 1 contains information about organizations
    working on ICT security standards
  • Part 2 is database of existing security standards
  • Part 3 will be a list of standards in development
  • Part 4 will identify future needs and proposed
    new standards

30
Roadmap access
  • Part 2 includes ITU-T, ISO/IEC JTC1 and IETF
    standards. It will be expanded to include other
    standards (e.g. regional and consortia
    specifications).
  • It will also be converted to a Database format to
    allow searching and to allow organizations to
    manage their own data
  • Publicly available under Special Projects and
    Issues at
  • www.itu.int/ITU-T/studygroups/com17/index
  • We invite you to use the Roadmap, provide
    feedback and help us develop it to meet your
    needs

31
Other Q.4/17 projects
  • Security in Telecommunications and Information
    Technology an overview of existing ITU-T
    Recommendations for secure telecommunications.
  • www.itu.int/ITU-T/publications/index.html
  • Security compendium
  • catalogue of approved ITU-T Recommendations
    related to telecommunication security
  • extract of ITU-T approved security definitions
  • listing of ITU-T security related Questions
  • www.itu.int/ITU-T/studygroups/com17/tel-security.h
    tml
  • We are in the process of establishing a Security
    Experts Network (SEN) to maintain on-going
    dialogue on key issues of security
    standardization.

32
Focus Group Security Baseline for Network
Operators
  • Established October 2005 by SG 17
  • Objectives
  • Define a security baseline against which network
    operators can assess their network and
    information security posture in terms of what
    security standards are available, which of these
    standards should be used to meet particular
    requirements, when they should be used, and how
    they should be applied
  • Describe a network operators readiness and
    ability to collaborate with other entities
    (operators, users and law enforcement
    authorities) to counteract information security
    threats
  • Provide meaningful criteria that can be used by
    network operators against which other network
    operators can be assessed, if required.
  • Next Step
  • Survey network operators by means of a
    questionnaire

33
  • ITU-T SG 17 Question 5Security Architecture and
    Framework
  • Brief description of Q.5
  • Milestones
  • Draft Recommendations under development

34
Brief description of Q.5/17
  • Motivation
  • The telecommunications and information technology
    industries are seeking cost-effective
    comprehensive security solutions that could be
    applied to various types of networks, services
    and applications. To achieve such solutions in
    multi-vendor environment, network security should
    be designed around the standard security
    architectures and standard security technologies.
  • Major tasks
  • Development of a comprehensive set of
    Recommendations for providing standard security
    solutions for telecommunications in collaboration
    with other Standards Development Organizations
    and ITU-T Study Groups.
  • Maintenance and enhancements of Recommendations
    in the X.800 series
  • X.800, X.802, X.803, X.805, X.810, X.811,
    X.812, X.813, X.814, X.815, X.816, X.830, X.831,
    X.832, X.833, X.834, X.835, X.841, X.842 and
    X.843

35
Q.5/17 Milestones
  • ITU-T Recommendation X.805, Security Architecture
    for Systems Providing End-to-end Communications,
    was published in 2003.
  • ISO Standard 18028-2, Network security
    architecture, was developed in collaboration
    between ITU-T Q.5/17 and ISO/IEC JTC 1 SC 27 WG
    1. The Standard is technically aligned with
    X.805. It was published in 2006.

36
ITU-T Recommendation X.805
X.805 defines a network security architecture for
providing end-to-end network security. The
architecture can be applied to various kinds of
networks where the end-to-end security is a
concern and independently of the networks
underlying technology.
37
Q.5/17 Draft Recommendations 1/2
  • Applications and further development of major
    concepts of ITU-T Recommendation X.805
  • X.805, Division of the security features between
    the network and the users. This Recommendation
    specifies division of security features between
    the networks and users. It provides guidance on
    applying concepts of the X.805 architecture to
    securing service providers, application
    providers networks and the end users equipment.
  • X.805nsa, Network security certification based on
    ITU-T Recommendation X.805. This Recommendation
    describes the methodology, processes and controls
    required for network security certification based
    on ITU-T Recommendation X.805, Security
    Architecture for Systems Providing End-to-End
    Communications.

38
Q.5/17 Draft Recommendations 2/2
  • Standardization in support of Authentication
    Security Dimension (defined in X.805)
  • X.pak, Password-authenticated Key Exchange
    Protocol (PAK). This Recommendation specifies a
    password-based protocol for authentication and
    key exchange, which ensures mutual authentication
    of both parties in the act of establishing a
    symmetric cryptographic key via Diffie-Hellman
    exchange.
  • X.ngn-akm, Framework for authentication and key
    management for link layer security of NGN. This
    Recommendation establishes a framework for
    authentication and key management for securing
    the link layer of NGN. It also provides guidance
    on selection of the EAP methods for NGN.
  • Standardization of network security policies
  • X.spn, Framework for creation, storage,
    distribution, and enforcement of security
    policies for networks. This Recommendation
    establishes security policies that are to drive
    security controls of a system or service. It also
    specifies a framework for creation, storage,
    distribution, and enforcement of policies for
    network security that can be applied to various
    environmental conditions and network devices.

39
  • ITU-T SG 17 Question 6Cyber Security
  • Motivation
  • Objectives
  • Scope
  • Current area of focus
  • Draft Recommendations under development

40
Q.6/17 Motivation
  • Network connectivity and ubiquitous access is
    central to todays IT systems
  • Wide spread access and loose coupling of
    interconnected IT systems is a primary source of
    widespread vulnerability
  • Threats such as denial of service, theft of
    financial and personal data, network failures and
    disruption of voice and data telecommunications
    are on the rise
  • Network protocols in use today were developed in
    an environment of trust.
  • Most new investments and development is dedicated
    to building new functionality and not on securing
    that functionality
  • An understanding of cybersecurity is needed in
    order to build a foundation of knowledge that
    can aid in securing the networks of tomorrow

41
Q.6/17 Objectives
  • Perform actions in accordance with Lead Study
    Group (LSG) responsibility with the focus on
    cybersecurity
  • Work with Q.1 of SG 2 on a definition of
    Cybersecurity
  • Identify and develop standards required for
    addressing the challenges in cybersecurity,
    within the scope of Q.6/17
  • Provide assistance to other ITU-T Study Groups in
    applying relevant cybersecurity Recommendations
    for specific security solutions. Review
    project-oriented security solutions for
    consistency.
  • Maintain and update existing Recommendations
    within the scope of Q.6/17.
  • Coordinate security activities with other ITU-T
    SGs, ISO/IEC JTC 1 eg. SC6, SC27 and SC37), and
    consortia as appropriate.
  • Provide awareness on new security technologies
    related to cybersecurity

42
Q.6/17 Scope
  • Definition of Cybersecurity
  • Security of Telecommunications Network
    Infrastructure
  • Security Knowledge and Awareness of Telecom
    Personnel and Users
  • Security Requirements for Design of New
    Communications Protocol and Systems
  • Communications relating to Cybersecurity
  • Security Processes Life-cycle Processes
    relating to Incident and Vulnerability
  • Security of Identity in Telecommunication Network
  • Legal/Policy Considerations

43
Q.6/17 Current Area of Focus
  • Work with SG 2 on the definition and requirements
    of cybersecurity.
  • Collaborate with Q5,7,9,17/17 and SG 2 in order
    to achieve better understanding of various
    aspects of network security.
  • Collaborate with IETF, OASIS, ISO/IEC JTC1, W3C,
    APEC-TEL and other standardization bodies on
    cybersecurity.
  • Work on framework for secure network operations
    to address how telecommunications network
    providers secure their infrastructure and
    maintain secure operations.
  • Work on Recommendation for standardization of
    vulnerability data definition.
  • Study new cybersecurity issues How should ISPs
    deal with botnets, evaluating the output of
    appropriate bodies when available.
  • Call for contributions for the outstanding
    questions identified in the revised scope.

44
Q.6/17 Draft Recommendations 1/2
  • Overview of Cybersecurity (X.cso)
  • This Recommendation provides a definition for
    Cybersecurity. The Recommendation provides a
    taxonomy of security threats from an operator
    point of view. Cybersecurity vulnerabilities and
    threats are presented and discussed at various
    network layers.
  • Various Cybersecurity technologies that are
    available to remedy the threats include Routers,
    Firewalls, Antivirus protection, Intrusion
    detection systems, Intrusion protection systems,
    Secure computing, Audit and Monitoring. Network
    protection principles such as defence in depth,
    access and identity management with application
    to Cybersecurity are discussed. Risk Management
    strategies and techniques are discussed including
    the value of training and education in protecting
    the network. A discussion of Cybersecurity
    Standards, Cybersecurity implementation issues
    and certification are presented.
  • A vendor-neutral framework for automatic checking
    of the presence of vulnerabilities information
    update (X.vds)
  • This Recommendation provides a framework of
    automatic notification on vulnerability
    information. The key point of the framework is
    that it is a vendor-neutral framework. Once users
    register their software, updates on the
    vulnerabilities and patches of the registered
    software will automatically be made available to
    the users. Upon notification, users can then apply

45
Q.6/17 Draft Recommendations 2/2
  • Guidelines for Internet Service Providers and
    End-users for Addressing the Risk of Spyware and
    Deceptive Software (X.sds)
  • This Recommendation provides guidelines for
    Internet Service Providers (ISP) and end-users
    for addressing the risks of spyware and deceptive
    software. The Recommendation promotes best
    practices around principles of clear notices, and
    users consents and controls for ISP web hosting
    services. The Recommendation also promotes best
    practices to end-users on the Internet to secure
    their computing devices and information against
    the risks of spyware and deceptive software
  • Guidelines on Cybersecurity Vulnerability
    Life-cycle Management(X.cvlm)
  • The Recommendation provides a framework for the
    provision of monitoring, discovering, responding
    and post-analysis of vulnerabilities. Service
    providers can use this Recommendation to
    complement their existing Information Security
    Management System process in the aspect of
    regular vulnerability assessment, vulnerability
    management, incident handling and incident
    management.

46
  • ITU-T SG 17 Question 7Security Management
    Systems
  • Tasks
  • Recommendations planned
  • Revised X.1051
  • Approach for revised X.1051

47
Q.7/17 Tasks
  • Information Security Management Guidelines for
    telecommunications (Existing X.1051,
    Information security management system
    Requirements for telecommunications (ISMS-T) )
    Maintain and revise Recommendation X.1051,
    Information Security Management Guidelines for
    telecommunications based on ISO/IEC27002.Jointl
    y develop a guideline of information security
    management with ISO/IEC JTC 1/SC 27.
  • Risk Management MethodologyStudy and develop a
    methodology of risk management for
    telecommunications in line with Recommendation
    X.1051.Produce and consent a new ITU-T
    Recommendation for risk management methodology.
  • Incident ManagementStudy and develop a handling
    and response procedure on security incidents for
    the telecommunications in line with
    Recommendation X.1051.Produce and consent a new
    ITU-T Recommendation for incident management
    methodology and procedures.

48
Recommendations planned in Q.7/17 (Security
Management)
  • X.1050 To be proposed
  • X.1051 In revision process Information Security
    Management Guidelines for Telecommunications
    based on ISO/IEC 27002
  • X.1052 To be proposed
  • X.1053 To be proposed (Implementation Guide for
    Telecoms)
  • X.1054 To be proposed (Measurements and metrics
    for Telecommunications)
  • X.1055 In the first stage of development Risk
    Management Guidelines for Telecommunications
  • X.1056 In the first stage of development
    Security Incident Management Guidelines for
    Telecommunications
  • X.1057 To be proposed (Identity Management for
    Telecoms)

49
Information security management guidelines for
Telecommunications (Revised X.1051)
Revised X.1051
Security policy
Organising information security
Asset management
Human resources security
Physical environmental security
Communications operations management
Access control
Information systems acquisition, development and
maintenance
Information security incident management
Business continuity management
Compliance
50
Q.7/17 Approach to develop revised
Recommendation X.1051
27002
51
  • ITU-T SG 17 Question 8Telebiometrics
  • Objectives
  • Study areas on Biometric Processes
  • X.1081 and draft Recommendations under development

52
Q.8/17 Objectives
  • 1)To define telebiometric multimodal model
    framework
  • 2)To specify biometric authentication mechanism
    in open network
  • 3)To provide protection procedures and
    countermeasures for telebiometric systems

53
Q.8/17 Study areas on Biometric Processes
54
Q.8/17 Recommendations 1/4
  • X.1081 The telebiometric multimodal model
    framework A framework for the specification of
    security and safety aspects of telebiometrics
  • This Recommendation defines a telebiometric
    multimodal model that can be used as a framework
    for identifying and specifying aspects of
    telebiometrics, and for classifying biometric
    technologies used for identification (security
    aspects).
  • X.physiol Telebiometrics related to human
    physiology
  • This Recommendation gives names and symbols for
    quantities and units concerned with emissions
    from the human body that can be detected by a
    sensor, and with effects on the human body
    produced by the telebiometric devices in his
    environments.

55
Q.8/17 Recommendations 2/4
  • X.tsm-1 General biometric authentication
    protocol and profile on telecommunication system
  • This Recommendation defines communication
    mechanism and protocols of biometric
    authentication for unspecified end-users and
    service providers on open network.
  • X.tsm-2 Profile of telecomunication device for
    Telebiometrics System Mechanism (TSM)
  • This Recommendation defines the requirements,
    security profiles of client terminals for
    biometric authentication over the open network.

56
Q.8/17 Recommendations 3/4
  • X.tai Telebiometrics authentication
    infrastructure
  • This Recommendation specifies a framework to
    implement biometric identity authentication with
    certificate issuance, management, usage and
    revocation.
  • X.bip BioAPI interworking protocol
  • This Recommendation is common text of ITU-T and
    ISO/IEC JTC1 SC37. It specifies the syntax,
    semantics, and encodings of a set of messages
    ("BIP messages") that enable BioAPI-conforming
    application in telebiometric systems.

57
Q.8/17 Recommendations 4/4
  • X.tpp-1 A guideline of technical and managerial
    countermeasures for biometric data security
  • This Recommendation defines weakness and
    threats in operating telebiometric systems and
    proposes a general guideline of security
    countermeasures from both technical and
    managerial perspectives.
  • X.tpp-2 A guideline for secure and efficient
    transmission of multi-modal biometric data
  • This Recommendation defines threat
    characteristics of multi-modal biometric system,
    and provides cryptographic methods and network
    protocols for transmission of multi-modal
    biometric data.

58
  • ITU-T SG 17 Question 9
  • Secure Communication Services
  • Focus
  • Position of each topic
  • Mobile security
  • Home network security
  • Web services security
  • Secure applications services

59
Q.9/17 Focus
  • Develop a set of standards of secure application
    services, including
  • Mobile security Under study
  • Home network security Under study
  • Web Services security Under study
  • Secure application services Under study
  • Privacy protection for RFID and multimedia
    content and digital Identity management To be
    studied

60
Position of each topic
Web Services security
Application Server
Home Network
Mobile Terminal
Open Network
Mobile Network
Home network security
Mobile security
Secure application services
61
Q.9/17 - Mobile Security
  • X.1121, Framework of security technologies for
    mobile end-to-end data communications Approved
    2004
  • X.1122, Guideline for implementing secure mobile
    systems based on PKI Approved 2004
  • X.msec-3, General security value added service
    (policy) for mobile data communication
  • Develops general security service as value added
    service for secure mobile end-to-end data
    communication.
  • X.msec-4, Authentication architecture in mobile
    end-to-end data communication
  • Constructs generic authentication architecture
    for mobile data communication between mobile
    users and application servers.
  • X.crs, Correlative reacting system in mobile
    network
  • Develops the generic architecture of a
    correlative reactive system to protect the mobile
    terminal against Virus, worms, Trojan-Horses or
    other network attacks to both the mobile network
    and its mobile users.

62
Q.9/17 - Home network security
  • X.homesec-1, Framework for security technologies
    for home network
  • Framework of security technologies for home
    network
  • Define security threats and security
    requirements, security functions, security
    function requirements for each entity in the
    network, and possible implementation layer
  • X.homesec-2, Certificate profile for the device
    in the home network
  • Device certificate profile for the home network
  • Develops framework of home network device
    certificate.
  • X.homesec-3, User authentication mechanisms for
    home network service
  • User authentication mechanisms for home network
    service.
  • Provides the user authentication mechanism in the
    home network, which enables various
    authentication means such as password,
    certificate, biometrics and so on.

63
Q.9/17 - Web Services security
  • X.websec-1, Security Assertion Markup Language
    (SAML)
  • Security assertion markup language
  • Adoption of OASIS SAML v2.0 into ITU-T
    Recommendation X.1141 - Consented April 2006
  • Define XML-based framework for exchanging
    security information.
  • The security information expressed in the form of
    assertions about subjects, where a subject is an
    entity (either human or computer) that has an
    identity in some security domain.
  • X.websec-2, eXtensible Access Control Markup
    Language (XACML)
  • eXtensible Access Control Markup Language
  • Adoption of OASIS XACML v2.0 into ITU-T
    Recommendation X.1142 - Consented April 2006
  • Provides an XML vocabulary for expressing access
    control policies and the syntax of the language
    and the rules for evaluating policies.
  • X.websec-3, Security architecture for message
    security in mobile Web Services
  • Develops a guideline on message security
    architecture and service scenarios for securing
    messages for mobile Web Services.

64
Q.9/17 - Secure applications services
  • X.sap-1, Guideline on strong password
    authentication protocols
  • Guideline on secure password-based authentication
    protocol with key exchange.
  • Define a set of requirements for password-based
    protocol with key exchange and a selection
    guideline by setting up criteria that can be used
    in choosing an optimum authentication protocol
    for each application.
  • X.sap-2, Secure communication using TTP service
  • Secure end-to-end data communication techniques
    using TTP services
  • Specifies secure end-to-end data communication
    techniques using TTP services that are services
    defined in X.842 or other services.
  • X.p2p-1, Anonymous authentication architecture in
    community communication
  • Requirements of security for peer-to-peer and
    peer-to-multi peer communications
  • Investigates threat analysis for P2P and P2MP
    communication services and describes security
    requirements for secure P2P and P2MP
    communication services.
  • X.p2p-2, Security architecture and protocols for
    peer to peer network
  • Security architecture and protocols for peer to
    peer network
  • Describes the security techniques and protocols
    in the P2P environment.

65
  • ITU-T SG 17 Question 17
  • Countering spam by technical means
  • Objectives
  • Set of Recommendations

66
Q.17/17 Objectives
  • The aim of this Question is to develop a set of
    Recommendations on countering spam by technical
    means for ITU-T, taking into account the need for
    collaboration with ITU-T other Study Groups and
    cooperation with other SDOs. The Question focuses
    particularly on technical requirement, frameworks
    and new technologies for countering spam.
    Guidelines on countering spam by technical means
    are also studied.

67
Q.17/17 Set of Recommendations
68
Q.17/17 Brief Summaries of draft Recommendations
under development 1/2
  • X.csreq, Requirement on countering spamThis
    Recommendation provides the general
    characteristics of spam, elicits generic
    objectives and provides an overview of the
    technical requirements on countering spam. In
    addition, this Recommendation provides checklist
    to evaluate the solution on countering spam.
  • X.fcs, Technical framework for countering email
    spam
  • This Recommendation specifies the technical
    framework for network structure for the
    countering spam. Functions inside the framework
    are defined. It also includes the commonsensible
    characteristics of email spam, the universal
    rules of judgement and the common methods of
    countering email spam.

69
Q.17/17 Brief Summaries of draft Recommendations
under development 2/2
  • X.gcs, Guideline on countering email spam
    (X.gcs)
  • This Recommendation specifies technical
    issues on countering email spam. It provides the
    current technical solutions and related
    activities from various SDOs and relevant
    organizations on countering email spam. It will
    be used as a basis for further development of
    technical Recommendations on countering email
    spam.
  • X.ocsip, Overview of countering spam for IP
    multimedia applicationThis Recommendation
    specifies basic concepts, characteristics, and
    effects of spam in IP multimedia applications
    such as IP Telephony, video on demand, IP TV,
    instant messaging, multimedia conference, etc. It
    will provide basis and guideline for developing
    further technical solutions on countering spam.

70
  • Security Work in other ITU-T Study Groups
  • SG 4 Security of Management plane
  • SG 9 IPCablecom
  • SG 13 NGN security
  • SG 16 Multimedia security
  • SG 19 Security in IMT-2000

71
  • ITU-T SG 4 Work on Security

72
SG 4 Security of the Management Plane (M.3016
series)
  • Approved last year, the M.3016 series is viewed
    as a key aspect of NGN Management it is included
  • in the NGN Management Roadmap issued by the
    NGNMFG
  • In M.3060 on the Principles of NGN Management
  • The M.3016 series consists of 5 parts
  • M.3016.0 Overview
  • M.3016.1 Requirements
  • M.3016.2 Services
  • M.3016.3 Mechanisms
  • M.3016.4 Profile proforma
  • The role of M.3016.4 is unique in that it
    provides a template for other SDOs and forums to
    indicate for their membership what parts of
    M.3016 are mandatory or optional

73
  • ITU-T SG 9 Work on Security

74
SG 9 IPCablecom Evolution
  • Enhance cables existing IP service environment
    to accelerate the convergence of voice, video,
    data, and mobility
  • Define an application agnostic architecture that
    allows cable operators to rapidly innovate new
    services
  • Provide a suite of Recommendations that define
    the elements and interfaces needed to facilitate
    multi-vendor interoperability
  • Incorporate leading communications technologies
    from the IETF and 3GPP IMS

75
SG 9 IPCablecom Evolution
76
SG 9 Targeted Applications
  • Enhanced Cable Voice and Video IP Telephony
  • Support for new media and client types (e.g.,
    video telephony, soft clients)
  • Call treatment based on presence, device
    capability, identity
  • Maintain support for cable telephony features
    enabled by current IPCablecom Recommendations
  • Fixed-mobile Convergence over Cable
  • Support for dual mode cellular/WiFi handsets over
    DOCSIS
  • Call handover between IPCablecom VoIP networks
    and cellular networks
  • Integrated features and call control between
    cellular and VoIP platforms
  • Cable Cross-Platform Features
  • Cross platform notification, messaging (e.g.,
    Caller-ID on TV)
  • Third-party call control features, such as Click
    to dial

77
SG 9 Design Approach
  • Incorporate new IP communication technologies
  • Focus on the Session Initiation Protocol (SIP)
    and supporting protocols
  • Leverage the 3GPP IMS as a service delivery
    platform
  • Develop a modular and extensible architecture
    that allows new services to be added without
    impacting the core IPCablecom infrastructure
  • Ensure backward compatibility with existing
    IPCablecom Recommendations
  • Support a wide variety of client devices

78
SG 9 IPCablecom Security Requirements Under
Consideration
  • Support a range of authentication schemes
  • UICCs (similar to SIM card)
  • Digital Certificates (existing IPCablecom EMTAs)
  • SIP digest (software clients)
  • Support a range of secure signaling options
  • IPsec
  • TLS
  • Disabled
  • Support secure configuration before registration
  • Support TLS for intra-domain security
  • Minimize changes to IMS
  • Reuse existing standards

79
SG 9 DOCSIS Base Line Privacy Plus
  • The primary goals of DOCSIS BPI are to provide
    privacy of customer traffic, integrity of
    software downloads, and prevent theft of service.
  • DOCSIS BPI provides a number of tools to support
    these goals
  • Traffic encryption for privacy/confidentiality.
  • Secure Software Download to assure a valid CM
    image.
  • Configuration file authentication to help secure
    the provisioning process.
  • Focus is on the link layer between the CMTS and
    CM. Security outside the DOCSIS network is
    provided by applications and other networks.

80
SG 9 DOCSIS BPI Security Algorithms
  • A Cable Modem Terminations System (CMTS)
    authenticates cable modems (CM) using X.509
    certificates and RSA public key cryptography.
  • Subscriber Traffic encryption
  • 3DES used for key exchange
  • DES used for traffic encryption. AES being
    considered for future DOCSIS versions.
  • SW download image validation is performed using
    X.509 certificates and digital signatures using
    RSA public key cryptography.
  • Message integrity checks (MIC) with keyed MD5
    hash used for CM configuration file security.

81
  • ITU-T SG 13 Work on Security

82
SG 13 NGN Security Outline
  • Why NGN security?
  • The ITU-T work on NGN Security
  • Relationship to other SDOs
  • Output of the NGN Focus Group
  • Recent developmentsstarting the SG 13 Security
    work
  • Top NGN security issues that need resolution

Security is among the key differentiators of the
NGN. It is also among its biggest challenges!..
83
SG 13 Why Security?(Threat examples)
  • Providers perspective
  • Theft of service
  • Denial of service
  • Disclosure of network topology
  • Non-audited configuration changes
  • Additional related risks to the PSTN
  • Subscribers perspective
  • Eavesdropping, theft of PIN codes
  • Tele-spam
  • Identity theft
  • Infection by viruses, worms, and spyware
  • Loss of privacy (call patterns, location, etc.)
  • Flooding attacks on the end point

In NGN, known IP security vulnerabilities can
make PSTN vulnerable, too!
84
SG 13 The ITU-T work on NGN Security
  • SG 13 Lead Study Group on the NGN
    standardization. (Question 15/13 is responsible
    for X.805-based NGN security)
  • SG 17 Lead Study Group on Telecommunication
    Securitythe fundamental X.800 series, PKI, etc.
  • SG 4 Lead Study Group on Telecommunication
    ManagementManagement Plane security
  • SG 11 Lead Study Group on signaling and
    protocolssecurity of the Control and Signaling
    planes
  • SG 16 Lead Study Group on multimedia terminals,
    systems and applicationsMultimedia security

FGNGN has concluded its work has moved to SG 13
85
Collaboration of ITU-T with other bodies on NGN
security Recommendations
ATIS
ISO/IEC JTC1 SC 27,
ITU-T SG 13, 17, 4, 11, 16
IETF
3GPP
3GPP2
Fora (such as OASIS)
ETSI TISPAN
TIA
SG 13 is the Lead Study Group for NGN SG 17 is
the Lead Study Group for Security
86
SG 13 Question 15, NGN security
  • Question 15 (NGN security) of SG 13 ITU-T lead
    study group for NGN and satellite matters - will
    continue standards work started by FGNGN WG 5.
  • Q.15/13 major tasks are
  • Lead the NGN-specific security project-level
    issues within SG 13 and with other Study Groups.
    Recognizing SG 17s overall role as the Lead
    Study Group for Telecommunication Security,
    advise and assist SG 17 on NGN security
    coordination issues.
  • Apply the X.805 Security architecture for systems
    providing end-to-end communication within the
    context of an NGN environment
  • Ensure that
  • the developed NGN architecture is consistent with
    accepted security principles
  • Ensure that AAA principles are integrated as
    required throughout the NGN

87
SG 13 FGNGN output Security Requirements for
NGN Release 1 (highlights)
  • Security requirements for the Transport Stratum
  • NGN customer network domain
  • Customer network to IP-Connectivity Access
    Network (IP-CAN) interface
  • Core network functions
  • NGN customer network to NGN customer network
    interface
  • Security requirements for the Service Stratum
  • IMS security
  • Transport domain to NGN core network interface
  • Open service platforms and applications security
  • VoIP
  • Emergency Telecommunication Services and
    Telecommunications for Disaster Relief

88
SG 13 FGNGN output Guidelines for NGN Security
Release 1 (highlights)
  • General
  • General principles and guidelines for building
    secure Next Generation Networks
  • Detailed examination of IMS access security and
    NAT and firewall traversal
  • NGN Security Models
  • Security Associations model for NGN
  • Security of the NGN subsystems
  • IP-Connectivity Access Network
  • IMS Network domain and IMS-to-non-IMS network
    security
  • IMS access
  • Framework for open platform for services and
    applications in NGN
  • Emergency Telecommunications Service (ETS) and
    Telecommunications for Disaster Relief (TDR)
    Security
  • Overview of the existing standard solutions
    related to NAT and firewall traversal

89
SG 13 Focus of the current work of Question 15,
NGN security
  • Security Requirements for NGN Release 1
  • Authentication requirements for NGN Release 1
  • AAA Service for Network Access to NGN
  • Guidelines for NGN Security Release 1
  • Security considerations for Pseudowire (PWE)
    technology

At the heart of securing network protocols, the
biggest challenge is authentication.
90
SG 13 Major Issues for NGN Security
Standardization
  • Key distribution (for end-users and network
    elements) and Public Key Infrastructure
  • Network privacytopology hiding and
    NAT/Firewall traversal for real-time applications
  • Convergence with IT security
  • Management of security functions (e.g., policy)
  • Guidelines on the implementation of the IETF
    protocols (e.g., IPsec options)
  • Security for supporting access DSL, WLAN, and
    cable access scenarios
  • Guidelines for handling 3GPP vs. 3GPP2
    differences in IMS Security

Bothnetwork assets and network trafficmust be
protected. Proper management procedures will help
prevent attacks from within.
91
SG 13 NGN Architecture
92
  • ITU-T SG 16 Work on Security

93
Question 25/16 Multimedia Security
inNext-Generation Networks (NGN-MM-SEC)
  • Study Group 16 concentrates on Multimedia
    systems.
  • Q.25/16 focuses on the application-security
    issues of MM applications in next generation
    networks
  • Standardizes Multimedia Security
  • So far Q.25 has been standardizing MM-security
    for the 1st generation MM/pre-NGN?-systems
  • H.323/H.248-based systems.

94
Evolution of H.235
Improvement and Additions
Consolidation
1st Deployment
Core SecurityFrameworkEngineering
H.235V3 Amd1 Annex H
H.235V3 Amd1
H.235V3 Annex I
H.235 Annex G
H.235V2 Annex D Annex E approved
Security Profiles Annex D Annex E started
Annex F H.530 consent
H.235V1 approved
Initial Draft
H.323V5
H.323V2
H.323V4
1997
1998
1999
2000
2001
2002
2003
2004
1996
gt 2005
95
H.235 V4 Subseries Recommendations
  • Major restructuring of H.235v3 Amd1 and annexes
    in stand-alone subseries Recommendations
  • H.235.x subseries specify scenario-specific
    MM-security procedures as H.235-profiles for
    H.323
  • Some new parts added
  • Some enhancements and extensions
  • Incorporated corrections
  • Approved in Sept. 2005

96
H.323 Security Recommendations (1)
  • H.235.0 Security framework for H-series (H.323
    and other H.245-based) multimedia systems
  • Overview of H.235.x subseries and common
    procedures with baseline text
  • H.235.1 "Baseline Security Profile
  • Authentication integrity for H.225.0 signaling
    using shared secrets
  • H.235.2 "Signature Security Profile
  • Authentication integrity for H.225.0 signaling
    using X.509 digital certificates and signatures

97
H.323 Security Recommendations (2)
  • H.235.3 "Hybrid Security Profile"
  • Authentication integrity for H.225.0 signaling
    using an optimized combination of X.509 digital
    certificates, signatures and shared secret key
    managementspecification of an optional
    proxy-based security processor
  • H.235.4 "Direct and Selective Routed Call
    Security"
  • Key management procedures in corporate and in
    interdomain environments to obtain key material
    for securing H.225.0 call signaling in GK
    direct-routed/selective routed scenarios

enhanced
extended
98
H.323 Security Recommendations (3)
  • H.235.5 "Framework for secure authentication in
    RAS using weak shared secrets"
  • Secured password (using EKE/SPEKE approach) in
    combination with Diffie-Hellman key agreement for
    stronger authentication during H.225.0 signaling
  • H.235.6 "Voice encryption profile with native
    H.235/H.245 key management"
  • Key management and encryption mechanisms for RTP

enhanced
modified
99
H.323 Security Recommendations (4)
  • H.235.7 "Usage of the MIKEY Key Management
    Protocol for the Secure Real Time Transport
    Protocol (SRTP) within H.235"
  • Usage of the MIKEY key management for SRTP
  • H.235.8 "Key Exchange for SRTP using secure
    Signalling Channels"
  • SRTP keying parameter transport over secured
    signaling channels (IPsec, TLS, CMS)
  • H.235.9 "Security Gateway Support for H.323"
  • Discovery of H.323 Security Gateways(SG H.323
    NAT/FW ALG) and key management for H.225.0
    signaling

100
Other SG16 MM-SEC Results
  • H.350.2 (2003) H.350.2 Directory Services
    Architecture for H.235
  • An LDAP schema to represent H.235 elements (PWs,
    certificates, ID infor
Write a Comment
User Comments (0)
About PowerShow.com