Download PPT Version

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
Document related concepts

Next-Generation Secure Computing Base wikipedia , lookup

Deep packet inspection wikipedia , lookup

Post-quantum cryptography wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Unix security wikipedia , lookup

Information security wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Security printing wikipedia , lookup

Airport security wikipedia , lookup

Distributed firewall wikipedia , lookup

Cyber-security regulation wikipedia , lookup

Wireless security wikipedia , lookup

Mobile security wikipedia , lookup

Computer security wikipedia , lookup

Security-focused operating system wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Transcript 
ITU-T Recommendation
X.805 Security Architecture for
Systems Providing End-to-End
Communications
IETF 63 meeting
Zachary Zeltsan,
Bell Laboratories,
Lucent Technologies
Rapporteur of Question 5 SG 17
Outline
 Origin of the ITU-T Recommendation X.805 - Security
Architecture for Systems Providing End-to-End
Communications






Three main issues that X.805 addresses
Security Dimensions
Security Layers
Security Planes
ITU-T X.805 Security Architecture
ITU-T Recommendation X.805 as a base for security work in
FGNGN Security Capability WG
2
Origin of the ITU-T
Recommendation X.805
• ITU-T Recommendation X.805 Security architecture for
systems providing end-to-end communications had
been developed by ITU-T SG 17 (ITU-T Lead Study
Group on Telecommunication Security) and was
published in October 2003.
• The group has developed a set of the well-recognized
Recommendations on security. Among them are X.800
Series of Recommendations on security and X.509 -
Public-key and Attribute Certificate Frameworks.
3
Three main issues that X.805
addresses
The security architecture addresses three essential
issues:
1. What kind of protection is needed and against what
threats?
2. What are the distinct types of network equipment and
facility groupings that need to be protected?
3. What are the distinct types of network activities that
need to be protected?
4
ITU-T X.800 Threat Model
(simplified)
1 - Destruction (an attack on availability):
– Destruction of information and/or network
resources
X
2 - Corruption (an attack on integrity):
– Unauthorized tampering with an asset
3 - Removal (an attack on availability):
– Theft, removal or loss of information and/or
other resources
4 - Disclosure (an attack on confidentiality):
– Unauthorized access to an asset
5 - Interruption (an attack on availability):
– Interruption of services. Network becomes
unavailable or unusable
X
5
Eight Security Dimensions Address
the Breadth of Network Vulnerabilities
• Limit & control access to
network elements, services &
applications
• Examples: password, ACL,
firewall
• Prevent ability to deny that an
activity on the network
occurred
• Examples: system logs,
digital signatures
• Ensure information only flows
from source to destination
• Examples: VPN, MPLS,
L2TP
• Ensure network elements,
services and application
available to legitimate users
• Examples: IDS/IPS, network
redundancy, BC/DR
Access Control
Authentication
Non-repudiation
• Provide Proof of Identity
• Examples: shared secret,
PKI, digital signature, digital
certificate
• Ensure confidentiality of data
• Example: encryption
Data Confidentiality
Communication Security
Data Integrity
• Ensure data is received as
sent or retrieved as stored
• Examples: MD5, digital
signature, anti-virus software
Availability
Privacy
• Ensure identification and
network use is kept private
• Examples: NAT, encryption
Eight Security Dimensions applied to each Security Perspective (layer and plane)
6
How the Security Dimensions
Map to the Security Threats
Security
Dimension
X.800 Security Threats
Destruction
Corruption
Removal
Disclosure








Data Confidentiality


Communication
Security


Access Control
Authentication
Non-Repudiation

Data Integrity

Availability

Privacy

Interruption




7
Security Layers
• Concept of Security Layers represents hierarchical
approach to securing a network
• Mapping of the network equipment and facility
groupings to Security Layers could be instrumental for
determining how the network elements in upper layers
can rely on protection that the lower layers provide.
8
Three Security Layers
Applications Security
3 - Applications Security Layer:
THREATS
Destruction
Services Security
Corruption
VULNERABILITIES
Removal
Disclosure
Vulnerabilities Can Exist
In Each Layer
Interruption
Infrastructure Security
ATTACKS
• Network-based applications accessed by
end-users
• Examples:
– Web browsing
– Directory assistance
– Email
– E-commerce
1 - Infrastructure Security Layer:
2 - Services Security Layer:
• Fundamental building blocks of networks
services and applications
• Examples:
– Individual routers, switches, servers
– Point-to-point WAN links
– Ethernet links
• Services Provided to End-Users
• Examples:
– Frame Relay, ATM, IP
– Cellular, Wi-Fi,
– VoIP, QoS, IM, Location services
– Toll free call services
• Each Security Layer has unique vulnerabilities, threats
• Infrastructure security enables services security enables applications security
9
Example: Applying Security Layers to
IP Networks
Applying Security Layers to IP Networks
Infrastructure Security Layer
– Individual routers, servers
– Communication links
Services Security Layer
– Basic IP transport
– IP support services (e.g., AAA, DNS, DHCP)
– Value-added services: (e.g., VPN, VoIP, QoS)
Applications Security Layer
– Basic applications (e.g. FTP, web access)
– Fundamental applications (e.g., email)
– High-end applications (e.g., e-commerce, e-training)
10
Security Planes
• Concept of Security Planes could be instrumental for
ensuring that essential network activities are protected
independently (e.g. compromise of security at the Enduser Security Plane does not affect functions
associated with the Management Security Plane).
• Concept of Security Planes allows to identify potential
network vulnerabilities that may occur when distinct
network activities depend on the same security
measures for protection.
11
Three Security Planes
Security Layers
Applications Security
THREATS
Destruction
Services Security
VULNERABILITIES
Corruption
Removal
Disclosure
Vulnerabilities Can Exist
In Each Layer and Plane
Interruption
Infrastructure Security
ATTACKS
1 - End-User Security Plane:
• Access and use of the network by the
customers for various purposes:
– Basic connectivity/transport
– Value-added services (VPN, VoIP, etc.)
– Access to network-based applications
(e.g., email)
End User Security
Security Planes
Control/Signaling Security
Management Security
3 - Management Security Plane:
2 - Control/Signaling Security Plane:
• The management and provisioning of
network elements, services and applications
• Support of the FCAPS functions
• Activities that enable efficient functioning of
the network
• Machine-to-machine communications
• Security Planes represent the types of activities that occur on a network.
• Each Security Plane is applied to every Security Layer to yield nine security
Perspectives (3 x 3)
• Each security perspective has unique vulnerabilities and threats
12
Example: Applying Security
Planes to Network Protocols
End User Security Plane
Activities
•End-user data transfer
•End-user – application
interactions
Protocols
• HTTP, RTP, POP, IMAP
• TCP, UDP, FTP
• IPsec, TLS
Control/Signaling Security Plane
Activities
•Update of routing/switching tables
•Service initiation, control, and
teardown
•Application control
Protocols
• BGP, OSPF, IS-IS, RIP,
PIM
• SIP, RSVP, H.323, SS7.
• IKE, ICMP
• PKI, DNS, DHCP, SMTP
Management Security Plane
Activities
•Operations
•Administration
•Management
•Provisioning
Protocols
•SNMP
•Telnet
•FTP
•HTTP
13
ITU-T X.805: Security Architecture for Systems
Providing End-to-End Communications
THREATS
Privacy
Destruction
Availability
Integrity
Integrity
Data
Communication Security
Data Confidentiality
Infrastructure Security
Non-repudiation
Vulnerabilities
Can Exist
In Each
Layer,
Plane
Services Security
Authentication
VULNERABILITIES
Management
Access Control
Security Layers
Applications Security
Corruption
Removal
Disclosure
Interruption
ATTACKS
End User Security
Security Planes
Control/Signaling Security
8 Security Dimensions
Management Security
14
Modular Form of X.805
Infrastructure
Layer
Services Layer
Applications
Layer
Management
Plane
Module one
Module four
Module seven
Control/Signaling
Plane
Module two
Module five
Module eight
Module three
Module six
Module Nine
User Plane
– Management Network: top row
– Network Services: middle column
– Security Module: Layer & Plane
Intersection
Access Control
Communication Security
Authentication
Data Integrity
Non-repudiation
Availability
Data Confidentiality
Privacy
The eight Security Dimensions Are
Applied to Each Security Module
Provides a systematic, organized way for performing network security
assessments and planning
15
Module 3 – Infrastructure Layer – EndUser Plane
Security
Dimension
Access Control
Authentication
Security Objectives
Ensure that only authorised personnel or devices are allowed access to end-user data that is
transiting a network element or communications link or is resident in an offline storage device.
Verify the identity of the person or device attempting to access end-user data that is transiting a
network element of communications link or is resident in an offline storage device.
Authentication techniques may be required as part of Access Control.
Non-Repudiation
Provide a record identifying each individual or device that accessed end-user data that is transiting
a network element or communications link, or is resident in offline devices and that the action was
performed. The record is to be used as proof of access to end-user data.
Data
Confidentiality
Protect end-user data that is transiting a network element or communications link, or is resident in
an offline storage device against unauthorised access or viewing. Techniques used to address
access control may contribute to providing data confidentiality for end-user data.
www.lucent.com/security
Communication
Security
Ensure that end-user data that is transiting a network element or communications link is not
diverted or intercepted as it flows between the end points (without an authorised access)
Data Integrity
Protect end-user data that is transiting a network element or communications link or is resident in
offline storage devices against unauthorised modification, deletion, creation and replication.
Availability
Ensure that access to end-user data resident in in offline storage devices by authorised personnel
and devices cannot be denied.
Privacy
Ensure that network elements do not provide information pertaining to the end-users network
activities (eg. Users geographic location, websites visited, content etc.) to unauthorised personnel.
16
Summary: X.805 Provides a Holistic
Approach to Network Security
 Comprehensive, end-to-end network view of security
 Applies to any network technology
– Wireless, wireline, optical networks
– Voice, data, video, converged networks
 Applies to variety of networks
– Service provider networks
– Enterprise (service provider’s customer) networks
– Government networks
– Management/operations, administrative networks
– Data center networks
 Is aligned with other security ITU-T Recommendations and ISO standards
17
ITU-T Recommendation X.805 is a
Base for Security work in FGNGN
Security Capability WG
 Guidelines for NGN security and X.805
 NGN threat model (based on ITU-T X.800 and X.805
Recommendations)
 Security Dimensions and Mechanisms (based on ITU-T X.805)
Access control
Authentication
Non-repudiation
Data confidentiality

Communication security
Data integrity
Availability
Privacy
NGN security requirements for Release 1 and X.805
 General considerations based on the concepts of X.805
18
Acronyms
AAA
Authentication, Authorization, Accounting
L2TP
Layer Two Tunneling Protocol
ACL
Access Control List
MPLS Multi-Protocol Label Switching
ATM Asynchronous Transfer Mod
NAT
BC
OSPF Open Shortest Path First
Business Continuity
Network Address Translation
BGP Border Gateway Protocol
PIM
Protocol-Independent Multicast
DHCP Dynamic Host Configuration Protocol
PKI
Public Key Infrastructure
DNS
Domain Name Service
POP
Post Office Protocol
DR
Disaster Recovery
QoS
Quality of Service
RIP
Routing Information Protocol
FCAPS Fault-management, Configuration,
Accounting, Performance, and Security
FTP
File Transfer Protocol
HTTP Hyper Text Transfer Protocol
ICMP Internet Control Message Protocol
IDS
Intrusion Detection System
IKE
Internet Key Exchange protocol
IM
Instant Messaging
IMAP Internet Message Access Protocol
IPS
Intrusion Prevention System
IPsec IP security (set of protocols)
IS-IS Intermediate System-to-Intermediate System
(routing protocol)
RSVP Resource Reservation Setup Protocol
RTP
Real-time Transport Protocol
SIP
Session Initiation Protocol
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
SS7
Signaling System 7
TCP
Transmission Control Protocol
TLS
Transport Layer Security protocol
UDP
User Datagram Protocol
VoIP
Voice over IP
VPN
Virtual Private Network
19
Thank you!
20
Related documents
Body Orientation Project
Body Orientation Project
Points, Lines, and Planes Notes
Points, Lines, and Planes Notes
Jan 5: An axiom system includes: ‚ undefined terms, and ‚ axioms
Jan 5: An axiom system includes: ‚ undefined terms, and ‚ axioms
Lesson 1-2: Points, Lines, & Planes
Lesson 1-2: Points, Lines, & Planes
Add and Subtract Integers
Add and Subtract Integers
Practice B 3.1
Practice B 3.1
Security Guidance for ITU
Security Guidance for ITU
How to solve inequalities and apply the distance formula
How to solve inequalities and apply the distance formula
Anatomical terms - Sonoma Valley High School
Anatomical terms - Sonoma Valley High School
Bellringer: All directional terms are relative to proper anatomical
Bellringer: All directional terms are relative to proper anatomical
0002_hsm11gmtr_0301.indd
0002_hsm11gmtr_0301.indd
No Slide Title
No Slide Title
Anatomical Planes - MizzBedenareaROP
Anatomical Planes - MizzBedenareaROP
BIO ITU-T/ ATIS Workshop “Next Generation Technology and
BIO ITU-T/ ATIS Workshop “Next Generation Technology and
الشريحة 1
الشريحة 1
anatomical reference systems
anatomical reference systems