Page 1: Telecommunication Security

Telecommunication Security

Herbert Bertine

Chairman, ITU-T Study Group 17

SOURCE: ITU-T

TITLE: Telecommunication Security


Page 2: Telecommunication Security

Cooperation

Awareness

Standards

Page 3: Telecommunication Security

ITU-T Study Groups

SG 2* Operational aspects of service provision, networks and performance
SG 3 Tariff and accounting principles including related telecommunications economic and policy issues
SG 4* Telecommunication management
SG 5 Protection against electromagnetic environment effects
SG 6 Outside plant and related indoor installations
SG 9 Integrated broadband cable networks and television and sound transmission
SG 11* Signalling requirements and protocols
SG 12 Performance and quality of service
SG 13* Next generation networks
SG 15 Optical and other transport network infrastructures
SG 16* Multimedia terminals, systems and applications
SG 17** Security, languages and telecommunication software
SG 19 Mobile telecommunication networks

* Significant security work
** Lead Study Group on Security

Page 4: Telecommunication Security

ITU-T Security Building Blocks

Directory Services and Authentication (X.500-series)
NGN Security (Y.2700-series) [New]
Security Architecture Framework (X.800-series)
Security Techniques (X.841, X.842, X.843)
Network Management Security (M.3000-series)
Protocols (X.273, X.274)
Telecommunication Security (X.805, X.1000-series) [New]
Security in Frame Relay (X.272)
Systems Management (X.733, X.735, X.736, X.740, X.741)
Facsimile (T-series)
Multimedia Communications (H-series)
Message Handling Systems (MHS) (X.400-series)
Televisions and Cable Systems (J-series)

Page 5: Telecommunication Security

Study Group 17: Security, languages and telecommunication software

SG 17 is the Lead Study Group on telecommunication security; it is responsible for coordinating security work across all study groups.

Subdivided into three Working Parties (WPs)

• WP1 - Open systems technologies;

• WP2 - Telecommunications security; and

• WP3 - Languages and telecommunications software

Most (but not all) security Questions are in WP2

Summaries of all draft new or revised Recommendations under development in SG 17 are available on the SG 17 web page at http://www.itu.int/itu-t/studygroups/com17

Page 6: Telecommunication Security

Working Party 2/17 Work Program

Q.4/17 Communications System Security Project: Vision, Project, Roadmap, …

Q.5/17 Security Architecture and Framework: Architecture, Model, Concepts, Frameworks

Q.6/17 Cyber Security: Vulnerability information sharing, Incident handling operations, Identity management

Q.7/17 Security Management: ISMS-T, Incident management, Risk assessment methodology

Q.8/17 Telebiometrics: Multimodal model framework, System mechanism, Protection procedure

Q.9/17 Secure Communication Services: Secure mobile communications, Home network security, Web services security

Q.17/17 Countering spam by technical means: Technical anti-spam measures

Page 7: Telecommunication Security

Examples of recently approved security Recommendations

M.3016.0, 1, 2, 3, 4 Security for the management plane: Overview, Security requirements, Security services, Security mechanism, Profile proforma

X.509 Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks

X.805 Security architecture for systems providing end-to-end communications

X.893 Information technology – Generic applications of ASN.1: Fast infoset security

X.1035 Password-authenticated key exchange (PAK) protocol

X.1051 Information security management system - Requirements for telecommunications (ISMS-T)

X.1081 The telebiometric multimodal model - A framework for the specification of security and safety aspects of telebiometrics

X.1111 Framework for security technologies for home network

X.1121 Framework of security technologies for mobile end-to-end communications

X.1122 Guideline for implementing secure mobile systems based on PKI

X.1141 Security Assertion Markup Language (SAML 2.0)

X.1142 eXtensible Access Control Markup Language (XACML 2.0)

Y.2701 Security requirements for NGN release 1

Page 8: Telecommunication Security

Extract from current SG 17 security work program (~50 items total)

Q. Acronym Title or Subject

5 X.akm Framework for EAP-based authentication and key management

6 X.1205 Overview of cybersecurity

6 X.idmf Identity management framework

6 X.gopw Guideline on preventing worm spreading in a data communication network

7 X.1051 (Revised) Information security management guidelines for telecommunications based on ISO/IEC 27002

7 X.rmg Risk management guidelines for telecommunications

8 X.bip BioAPI interworking protocol

8 X.tai Telebiometrics authentication infrastructure

9 X.homesec-2, 3, 4 Certificate profile for the device in the home network, User authentication mechanisms for home network service, Authorization framework for home network

9 X.msec-3 General security value added service (policy) for mobile data communication

9 X.p2p-1 Requirements of security for peer-to-peer and peer-to-multi peer communications

9 X.websec-3 Security architecture for message security in mobile web services

17 X.csreq Requirement on countering spam

17 X.fcsip Framework of countering IP multimedia spam

Page 9: Telecommunication Security

Study Group 13 - Question 15/13 NGN Security: work in progress

Y.IdMsec NGN identity management security

Y.NGN AAA AAA application for implementation of network and service security requirements over NGN

Y.NGN Authentication NGN authentication

Y.NGN Certificate Management NGN certificate management

Y.SecMechanisms NGN Security mechanisms and procedures

Y.SecReqR2 Security requirements for NGN release 2

Page 10: Telecommunication Security

Security for specific systems, services and applications in ITU-T is developed by SG 2, 3, 4, 5, 6, 9, 11, 13, 15, 16, 19

Core technology and common security techniques in ITU-T are developed by SG 17

Security standardization: collaboration is key, with JTC 1 SC 27, SC 37, …, IETF, ATIS, ETSI, OASIS, etc.

Page 11: Telecommunication Security

Security standardization Collaboration is key

World Standards Cooperation (WSC): ISO, IEC, ITU

Global Standards Collaboration (GSC): Regional and National SDOs and ITU-T, ITU-R
• exchange information between participating standards organizations to facilitate collaboration and to support the ITU as the preeminent global telecommunication and radiocommunication standards development organization
• Resolution GSC-11/17 Cybersecurity

Security Standardization Exchange Network (SSEN)
• an informal association of individual security practitioners with direct experience of, or strong interest in, security standardization
• facilitate the informal exchange of information on security-standards-related matters to increase overall awareness of issues of common interest, with the intention of helping to advance the development of needed standards and minimizing overlap and duplication of effort in security standards development

Page 12: Telecommunication Security

Security standardization Collaboration is key

ISO/IEC/ITU-T Strategic Advisory Group on Security (SAG-S)

Terms of Reference
• To oversee standardization activities in ISO, IEC and ITU-T relevant to the field of security
• To provide advice and guidance to the ISO Technical Management Board, the IEC Standardization Management Board and the ITU-T Telecommunication Standardization Advisory Group (TSAG) relative to the coordination of work relevant to security, and in particular to identify areas where new standardization initiatives may be warranted
• To monitor implementation of the SAG-S Recommendations

International workshop on security topics planned in conjunction with each SAG-S meeting
• International Workshop on Transit Security, Washington DC, 4-5 October 2007

Security portal under development

Page 13: Telecommunication Security

Focus Group: Security Baseline for Network Operators (FG SBNO)

http://www.itu.int/ITU-T/studygroups/com17/sbno/index.html

Established October 2005 by SG 17

Objectives:

• Define a security baseline against which network operators can assess their network and information security posture in terms of what security standards are available, which of these standards should be used to meet particular requirements, when they should be used, and how they should be applied

• Describe a network operator’s readiness and ability to collaborate with other entities (operators, users and law enforcement authorities) to counteract information security threats

• Provide meaningful criteria that can be used by network operators against which other network operators can be assessed, if required

Achieved
• Surveyed network operators by means of a questionnaire

Next step:
• Develop text to be proposed to SG 17 for progressing as an ITU-T publication

Page 14: Telecommunication Security

Focus Group: Identity Management (FG IdM)

http://www.itu.int/ITU-T/studygroups/com17/fgidm/index.html

Established December 2006 by SG 17

The objectives of the FG IdM are
• to perform requirements analysis based on use case scenarios, in order
• to identify generic IdM framework components, so that
• a standards gap analysis can be completed, in order
• to identify new standards work and the bodies (ITU and other SDOs) that should perform the work

Working Group structure
• Ecosystem and Lexicon Working Group
• Use Cases Working Group
• Requirements Working Group
• Framework Working Group

Aggressive schedule
• Meetings held: February, April and May 2007; WG meeting June
• Meetings planned: July and August 2007

Page 15: Telecommunication Security

ICT Security Standards Roadmap http://www.itu.int/ITU-T/studygroups/com17/ict/index.html

Part 1 contains information about organizations working on ICT security standards

Part 2 is the database of existing security standards

Part 3 is a list of standards in development

Part 4 identifies future needs and proposed new standards

Part 5 includes security best practices

European Network and Information Security Agency (ENISA) and the Network and Information Security Steering Group (NISSG) are collaborating with ITU-T in the development of the Roadmap

Page 16: Telecommunication Security

ICT Security Standards Roadmap http://www.itu.int/ITU-T/studygroups/com17/ict/index.html

Part 2 currently includes ICT security standards from
• ITU-T
• ISO/IEC JTC 1
• IETF
• IEEE
• ATIS
• ETSI
• OASIS

Data is available in a database format to allow searching by organization and topic and to allow organizations to manage their own data

We invite you to contribute content to the Roadmap, provide feedback and help us develop it to meet your needs

Page 17: Telecommunication Security

Other projects

Security in Telecommunications and Information Technology (ITU-T Security manual)
• Overview of existing ITU-T Recommendations for secure telecommunications
• Third edition of June 2006 to be available in the six official languages of the ITU
• http://www.itu.int/ITU-T/publications/index.html

Security compendium
• Catalogue of approved ITU-T Recommendations related to telecommunication security
• Extract of ITU-T approved security definitions
• Summary of ITU-T Study Groups with security-related activities
• http://www.itu.int/ITU-T/studygroups/com17/tel-security.html

Page 18: Telecommunication Security

The ITU Global Cybersecurity Gateway

LIVE at: http://www.itu.int/cybersecurity

Provides an easy-to-use information resource on national, regional and international cybersecurity-related activities and initiatives worldwide.

Page 19: Telecommunication Security

Observations

Security is everybody's business

Collaboration with other SDOs is necessary

Security needs to be designed in upfront

Security must be an ongoing effort

Systematically addressing vulnerabilities (intrinsic properties of networks and systems) is key, so that protection can be provided independently of the threats, which are constantly changing and may be unknown

Page 20: Telecommunication Security

Some useful web resources

ITU-T Home page http://www.itu.int/ITU-T

Study Group 17 http://www.itu.int/ITU-T/studygroups/com17

• e-mail: [email protected]

Recommendations http://www.itu.int/ITU-T/publications/recs.html

ITU-T Lighthouse http://www.itu.int/ITU-T/lighthouse

ITU-T Workshops http://www.itu.int/ITU-T/worksem

Page 21: Telecommunication Security

Supplemental Information on Security Work in ITU-T

Study Group 17 - Security, languages and telecommunication software

Study Group 4 - Telecommunication management

Study Group 11 – Signalling requirements and protocols

Study Group 13 - Next generation networks

Study Group 16 - Multimedia terminals, systems and applications

Page 22: Telecommunication Security

ITU-T SG 17 work on security

Q.4/17 - Communications systems security project
Q.5/17 - Security architecture and framework
Q.6/17 - Cyber security
Q.7/17 - Security management
Q.8/17 - Telebiometrics
Q.9/17 - Secure communication services
Q.17/17 - Countering spam by technical means

Page 23: Telecommunication Security

ITU-T SG 17 Question 4: Communications Systems Security Project

Overall Security Coordination
ICT Security Standards Roadmap
Security Compendium
Focus Group on Security Baseline for Network Operators
ITU-T Security manual

Efforts of Q.4/17 are covered in the main part of the presentation

Page 24: Telecommunication Security

ITU-T SG 17 Question 5: Security Architecture and Framework

Brief description of Q.5
Milestones
Draft Recommendations under development

Page 25: Telecommunication Security

Brief description of Q.5/17

Motivation
• The telecommunications and information technology industries are seeking cost-effective, comprehensive security solutions that could be applied to various types of networks, services and applications. To achieve such solutions in a multi-vendor environment, network security should be designed around standard security architectures and standard security technologies.

Major tasks
• Development of a comprehensive set of Recommendations for providing standard security solutions for telecommunications, in collaboration with other Standards Development Organizations and ITU-T Study Groups.
• Maintenance and enhancement of Recommendations in the X.800 series: X.800, X.802, X.803, X.805, X.810, X.811, X.812, X.813, X.814, X.815, X.816, X.830, X.831, X.832, X.833, X.834, X.835, X.841, X.842 and X.843

Page 26: Telecommunication Security

Q.5/17 Milestones

ITU-T Recommendation X.805, Security Architecture for Systems Providing End-to-end Communications
• Approved in 2003

ISO/IEC Standard 18028-2, Network security architecture
• Developed in collaboration between ITU-T Q.5/17 and ISO/IEC JTC 1 SC 27 WG 1. It is technically aligned with X.805
• Published in 2006

ITU-T Recommendation X.1035, Password-authenticated key exchange (PAK) protocol
• Specifies a password-based protocol for authentication and key exchange, which ensures mutual authentication of both parties in the act of establishing a symmetric cryptographic key via Diffie-Hellman exchange
• Approved in 2006

Page 27: Telecommunication Security

ITU-T Recommendation X.805

[Figure X.805_F3: the X.805 security architecture]

Security layers: Infrastructure security, Services security, Applications security

Security planes: Management plane, Control plane, End-user plane

8 Security dimensions: Access control, Authentication, Non-repudiation, Data confidentiality, Communication security, Data integrity, Availability, Privacy

VULNERABILITIES, THREATS, ATTACKS: Destruction, Disclosure, Corruption, Removal, Interruption

X.805 defines a network security architecture for providing end-to-end network security. The architecture can be applied to various kinds of networks where the end-to-end security is a concern and independently of the network’s underlying technology.
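Because X.805 fixes the axes (3 layers, 3 planes, 8 dimensions), an assessment can be mechanised as a coverage check over the 72 cells. The following Python is an added example, not part of the presentation or of X.805 itself: it expands a constructed, hypothetical inventory of deployed controls into the cells each one addresses and reports the cells that no control covers.

```python
from itertools import product

# The security layers, planes and dimensions named in ITU-T X.805.
# Every assessment cell is one (layer, plane, dimension) triple: 3 x 3 x 8 = 72.
LAYERS = ("Infrastructure", "Services", "Applications")
PLANES = ("Management", "Control", "End-user")
DIMENSIONS = (
    "Access control", "Authentication", "Non-repudiation",
    "Data confidentiality", "Communication security", "Data integrity",
    "Availability", "Privacy",
)

# Constructed sample inventory of deployed controls (hypothetical, for this
# example only). Each axis value is one name, a tuple of names, or "*" meaning
# "applies to every value on that axis".
SAMPLE_CONTROLS = [
    {"name": "Role-based access control on management interfaces",
     "layer": "*", "plane": "Management", "dimension": "Access control"},
    {"name": "TLS on management interfaces",
     "layer": "*", "plane": "Management",
     "dimension": ("Authentication", "Data confidentiality", "Communication security")},
    {"name": "Signed and logged configuration changes",
     "layer": "*", "plane": "Management",
     "dimension": ("Non-repudiation", "Data integrity")},
    {"name": "Authenticated, integrity-protected signalling",
     "layer": "Infrastructure", "plane": "Control",
     "dimension": ("Authentication", "Data integrity")},
    {"name": "Redundant signalling paths",
     "layer": "Infrastructure", "plane": "Control", "dimension": "Availability"},
    {"name": "Subscriber authentication and traffic encryption",
     "layer": "Services", "plane": "End-user",
     "dimension": ("Authentication", "Data confidentiality")},
    {"name": "Volumetric DDoS scrubbing",
     "layer": "Infrastructure", "plane": "End-user", "dimension": "Availability"},
]


def all_cells():
    """Every cell an X.805 assessment has to consider."""
    return set(product(LAYERS, PLANES, DIMENSIONS))


def _axis_values(value, axis, label, control_name):
    """Expand one axis value of a control; reject names X.805 does not define."""
    if value == "*":
        return axis
    chosen = (value,) if isinstance(value, str) else tuple(value)
    unknown = set(chosen) - set(axis)
    if unknown:
        raise ValueError(f"{control_name}: unknown {label} {sorted(unknown)}")
    return chosen


def expand(control):
    """Return the set of cells a single control addresses."""
    name = control["name"]
    layers = _axis_values(control["layer"], LAYERS, "layer", name)
    planes = _axis_values(control["plane"], PLANES, "plane", name)
    dims = _axis_values(control["dimension"], DIMENSIONS, "dimension", name)
    return set(product(layers, planes, dims))


def coverage(controls):
    """Union of the cells addressed by all controls in the inventory."""
    covered = set()
    for control in controls:
        covered |= expand(control)
    return covered


def gaps(controls):
    """Cells with no control at all, sorted for stable reporting."""
    return sorted(all_cells() - coverage(controls))


def gaps_by_plane(controls):
    """Count uncovered cells per security plane."""
    counts = {plane: 0 for plane in PLANES}
    for _layer, plane, _dimension in gaps(controls):
        counts[plane] += 1
    return counts


def uncovered_dimensions(controls, layer, plane):
    """Dimensions left unaddressed at one layer/plane intersection."""
    covered = coverage(controls)
    return [d for d in DIMENSIONS if (layer, plane, d) not in covered]


if __name__ == "__main__":
    print(f"{len(gaps(SAMPLE_CONTROLS))} of {len(all_cells())} X.805 cells have no control")
    for plane, count in gaps_by_plane(SAMPLE_CONTROLS).items():
        print(f"  {plane} plane: {count} uncovered cells")
    for layer in LAYERS:
        for plane in PLANES:
            missing = uncovered_dimensions(SAMPLE_CONTROLS, layer, plane)
            if missing:
                print(f"  {layer} / {plane}: {', '.join(missing)}")
```

With the sample inventory, the management plane is the only one with broad coverage; the control and end-user planes on the Services and Applications layers are almost entirely unaddressed, which is the kind of gap the matrix is meant to expose.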

Page 28: Telecommunication Security

Q.5/17 Draft Recommendations 1/2

Applications and further development of major concepts of ITU-T Recommendation X.805
• X.805+, Division of the security features between the network and the users
Specifies the division of security features between the networks and users. It provides guidance on applying concepts of the X.805 architecture to securing the service provider's and application provider's networks and the end user's equipment
• X.805nsa, Network security assessment/guidelines based on ITU-T Recommendation X.805
Provides a framework for network security assessment/guidelines based on ITU-T Recommendation X.805, Security Architecture for Systems Providing End-to-End Communications

Page 29: Telecommunication Security

Q.5/17 Draft Recommendations 2/2

Standardization in support of the Authentication Security Dimension (defined in X.805)
• X.akm, Framework for authentication and key management for link layer security of NGN
Establishes a framework for authentication and key management for securing the link layer. It also provides guidance on selection of the EAP methods.

Standardization of network security policies
• X.spn, Framework for creation, storage, distribution, and enforcement of security policies for networks
Establishes security policies that are to drive security controls of a system or service. It also specifies a framework for creation, storage, distribution, and enforcement of policies for network security that can be applied to various environmental conditions and network devices.

Page 30: Telecommunication Security

ITU-T SG 17 Question 6: Cyber Security

Motivation
Objectives
Scope
Current area of focus
Draft Recommendations under development

Page 31: Telecommunication Security

Q.6/17 Motivation

Network connectivity and ubiquitous access are central to today's IT systems

Widespread access and loose coupling of interconnected IT systems is a primary source of widespread vulnerability

Threats such as denial of service, theft of financial and personal data, network failures and disruption of voice and data telecommunications are on the rise

Network protocols in use today were developed in an environment of trust

Most new investment and development is dedicated to building new functionality, not to securing that functionality

An understanding of cybersecurity is needed in order to build a foundation of knowledge that can aid in securing the networks of tomorrow

Page 32: Telecommunication Security

Q.6/17 Objectives

Perform actions in accordance with Lead Study Group (LSG) responsibility with the focus on Cybersecurity

Identify and develop standards required for addressing the challenges in Cybersecurity, within the scope of Q.6/17

Provide assistance to other ITU-T Study Groups in applying relevant cybersecurity Recommendations for specific security solutions. Review project-oriented security solutions for consistency

Maintain and update existing Recommendations within the scope of Q.6/17 (this includes E.409)

Coordinate security activities with other ITU-T SGs, ISO/IEC JTC 1 (e.g., SC 6, SC 27 and SC 37), and consortia as appropriate

Provide awareness on new security technologies related to Cybersecurity

Provide an Identity Management Framework that defines the problem space, representative use case scenarios and requirements. This includes leveraging other on-going Identity Management activities

Collaborate with Next Generation Networks activities in ITU-T in the areas of Cybersecurity and Identity Management

Page 33: Telecommunication Security

Q.6/17 Scope

Definition of Cybersecurity

Security of Telecommunications Network Infrastructure

Security Knowledge and Awareness of Telecom Personnel and Users

Security Requirements for Design of New Communications Protocol and Systems

Communications relating to Cybersecurity

Security Processes – Life-cycle Processes relating to Incident and Vulnerability

Security of Identity in Telecommunication Network

Legal/Policy Considerations

Page 34: Telecommunication Security

Q.6/17 Current Area of Focus 1/2

Work with SG 2 on the definition and requirements of Cybersecurity

Collaborate with Q5,7,9,17/17 and SG 2 in order to achieve better understanding of various aspects of network security

Collaborate with IETF, OASIS, ISO/IEC JTC1, W3C, APEC-TEL and other standardization bodies on Cybersecurity

Work with OASIS on adopting the OASIS Common Alerting Protocol V1.1 as an ITU-T Recommendation

Work on framework for secure network operations to address how telecommunications network providers secure their infrastructure and maintain secure operations

Work on Recommendation for standardization of vulnerability data definition

Work on network security management framework to address how telecommunications operators operate uniformly various kind of security functions

Study new Cybersecurity issues – How should ISPs deal with botnets, evaluating the output of appropriate bodies when available

Page 35: Telecommunication Security

Q.6/17 Current Area of Focus 2/2

Work on Recommendations on Identity Management (IdM) addressing the following areas:
• An umbrella Recommendation that determines IdM security requirements from the ITU-T perspective
• An umbrella Recommendation that defines a framework and architecture(s) for IdM after identifying the IdM security mechanisms that need to be addressed
• An umbrella Recommendation that assesses security threats and vulnerabilities associated with IdM
• Collaborate with Q.15/13 on NGN IdM issues

Develop guidelines on the protection of personal information and privacy

Call for contributions for the outstanding questions identified in the revised scope

Promote the wide adoption of IdM through the IdM Focus Group that considers the challenges and issues associated with IdM across various SDOs and consortia

Page 36: Telecommunication Security

Q.6/17 Draft Recommendations 1/5

1. Overview of Cybersecurity (X.1205, formerly X.cso)
• Provides a definition for Cybersecurity and a taxonomy of security threats from an operator point of view. Cybersecurity vulnerabilities and threats are presented and discussed at various network layers.
• Various Cybersecurity technologies that are available to remedy the threats include: routers, firewalls, antivirus protection, intrusion detection systems, intrusion protection systems, secure computing, audit and monitoring. Network protection principles such as defence in depth and access and identity management, with application to Cybersecurity, are discussed. Risk management strategies and techniques are discussed, including the value of training and education in protecting the network. A discussion of Cybersecurity standards, Cybersecurity implementation issues and certification is presented.

2. A vendor-neutral framework for automatic checking of the presence of vulnerabilities information update (X.vds)
• Provides a framework for automatic notification of vulnerability information. The key point of the framework is that it is vendor-neutral. Once users register their software, updates on the vulnerabilities and patches of the registered software are automatically made available to them. Upon notification, users can then apply them.

Page 37: Telecommunication Security

Q.6/17 Draft Recommendations 2/5

3. Guidelines for Internet Service Providers and End-users for Addressing the Risk of Spyware and Deceptive Software (X.sds)

• Provides guidelines for Internet Service Providers (ISP) and end-users for addressing the risks of spyware and deceptive software. The Recommendation promotes best practices around principles of clear notices, and users’ consents and controls for ISP web hosting services. The Recommendation also promotes best practices to end-users on the Internet to secure their computing devices and information against the risks of spyware and deceptive software.

4. Identity Management Framework (X.idmf)
• Develops an Identity Management Framework that leverages the use case scenarios as they apply to Telecommunications, and includes non-Telecom applications (i.e., the orchestration of business processes that include supply chain management, client resource management, enterprise resource management, location, presence, and other services). The framework enables service providers to provide entities with reliable, trusted and secure IdM services over distributed networks, through the appropriate use of authorization, authentication, access control mechanisms, and policy management mechanisms.

Page 38: Telecommunication Security

Q.6/17 Draft Recommendations 3/5

5. Identity Management Requirements (X.idmr)
• Develops use case scenarios and requirements for the Identity Management Framework Recommendation (X.idmf). The developed use cases cover Telecommunications and non-Telecom scenarios (i.e., the orchestration of business processes that include supply chain management, client resource management, enterprise resource management, location, presence, and other services).

6. Identity Management Security (X.idms)
• Performs security analysis on the Identity Management Framework as developed in X.idmf. The Recommendation develops guidelines and a best-practice approach for ensuring that security is maintained when the Identity Management Framework is used as the vehicle for providing Telecommunications and non-Telecom IdM solutions.

Page 39: Telecommunication Security

Q.6/17 Draft Recommendations 4/5

7. Common Alerting Protocol (CAP v1.1), (X.1303, formerly X.cap)
• Specifies the common alerting protocol (CAP), which is a simple but general format for exchanging all-hazard emergency alerts and public warnings over all kinds of networks. CAP allows a consistent warning message to be disseminated simultaneously over many different warning systems, thus increasing warning effectiveness while simplifying the warning task. CAP also facilitates the detection of emerging patterns in local warnings of various kinds, such as might indicate an undetected hazard or hostile act. And CAP provides a template for effective warning messages based on best practices identified in academic research and real-world experience. This Recommendation is technically equivalent and compatible with the OASIS Common Alerting Protocol, v.1.1 standard.

8. ASN.1 specification for the Common Alerting Protocol (CAP v1.1), (X.1303.1, formerly X.cap2)

• The common alerting protocol (CAP) is specified in ITU-T Rec. X.1303, which is technically equivalent and compatible with the OASIS Common Alerting Protocol, V1.1 standard. This Recommendation provides an equivalent ASN.1 specification that permits a compact binary encoding and the use of ASN.1 as well as XSD tools for the generation and processing of CAP messages. This Recommendation enables existing systems, such as H.323 systems, to more readily encode, transport and decode CAP messages.

Page 40: Telecommunication Security

Q.6/17 Draft Recommendations 5/5

9. Privacy guideline for RFID (X.rfpg)
• Recognizes that, as RFID greatly facilitates the access and dispersion of information pertaining specifically to the merchandise that individuals wear and/or carry, it creates an opportunity for the same information to be abused for tracking an individual's location or invading their privacy in a malfeasant manner. For this reason the Recommendation develops guidelines and best practices regarding RFID procedures that can be used by service providers to gain the benefits of RFID while attempting to protect the privacy rights of the general public within national policies.

• Network Security Management Framework (X.nsmf)
• Defines the framework for security management to address how telecom operators can uniformly operate various kinds of security functions.

• Guideline on preventing worm spreading in a data communication network (X.gopw)
• Describes worm spreading patterns and scenarios in a data communication network. In addition, it specifies countermeasures to prevent worm spreading. This Recommendation can be used as a guideline by network designers, network operators and end users for preventing worm spreading.

Page 41: Telecommunication Security

ITU-T SG 17 Question 7: Security Management

Tasks

Plan on Recommendations

Revised Recommendation X.1051

Page 42: Telecommunication Security

Q.7/17 Tasks

Information Security Management Guidelines for telecommunications
• (Existing X.1051, Information security management system – Requirements for telecommunications (ISMS-T))
• Maintain and revise Recommendation X.1051, "Information Security Management Guidelines for telecommunications based on ISO/IEC 27002".
• Jointly develop a guideline of information security management with ISO/IEC JTC 1/SC 27 (ISO/IEC 27031 = Recommendation X.1051).

Risk Management Methodology
• Study and develop a methodology of risk management for telecommunications in line with Recommendation X.1051.
• Produce and consent a new ITU-T Recommendation for risk management methodology.

Incident Management
• Study and develop a handling and response procedure for security incidents in telecommunications in line with Recommendation X.1051.
• Produce and consent a new ITU-T Recommendation for incident management methodology and procedures.

Page 43: Telecommunication Security

Q.7/17 plan on Recommendations

X.1050: To be proposed

X.1051: In revision process Information Security Management Guidelines for Telecommunications based on ISO/IEC 27002

X.1052: To be proposed

X.1053: To be proposed (Implementation Guide for Telecommunications)

X.1054: To be proposed (Measurements and metrics for Telecommunications)

X.1055: In the first stage of development Risk Management Guidelines for Telecommunications

X.1056: In the first stage of development Security Incident Management Guidelines for Telecommunications

X.1057: To be proposed (Identity Management for Telecommunications)

Page 44: Telecommunication Security

[Figure: Approach to develop the revised Recommendation X.1051]

Control areas (ISO/IEC 17799 (2005)): Security policy; Organising information security; Asset management; Human resources security; Physical & environmental security; Communications & operations management; Access control; Information systems acquisition, development and maintenance; Business continuity management; Compliance; Information security incident management

ISO/IEC 17799 (2005): Control, Implementation guidance, Other information

Existing X.1051 (2004): ISMS Process, Control, Implementation requirements for Telecom

Revised X.1051 (Information security management guidelines for Telecommunications): Information Assets for Telecom, Control, Implementation guidance for Telecom, Other information

Page 45: Telecommunication Security

ITU-T SG 17 Question 8: Telebiometrics

Objectives

Study areas on biometric processes

Recommendations

Page 46: Telecommunication Security

Q.8/17 Objectives

1) To define telebiometric multimodal model framework

2) To specify biometric authentication mechanism in open network

3) To provide protection procedures and countermeasures for telebiometric systems

Page 47: Telecommunication Security

Q.8/17 Study areas on Biometric Processes

[Figure: Q.8/17 study areas on biometric processes]

Process chain: Biometric Sensors → Acquisition (capturing) → Extraction → Matching (Score) → Decision (Yes/No) → Application, with Storage; NW (Network) links the stages

Related Recommendations: X.1081 and X.Physiol (safety conformity of sensors); X.tai: Telebiometrics Authentication Infrastructure; X.bip: BioAPI Interworking Protocol; X.tsm: Telebiometrics System Mechanism; X.tpp: Telebiometrics Protection Procedure

Page 48: Telecommunication Security

Q.8/17 Recommendations 1/3

1) X.1081, The telebiometric multimodal model framework – A framework for the specification of security and safety aspects of telebiometrics

Defines a telebiometric multimodal model that can be used as a framework for identifying and specifying aspects of telebiometrics, and for classifying biometric technologies used for identification (security aspects).

2) X.physiol, Telebiometrics related to human physiology

Gives names and symbols for quantities and units concerned with emissions from the human body that can be detected by a sensor, and with effects on the human body produced by telebiometric devices in its environment.

3) X.tsm-1, General biometric authentication protocol and profile on telecommunication system

Defines communication mechanisms and protocols for biometric authentication between unspecified end-users and service providers on an open network.

Page 49: Telecommunication Security

Q.8/17 Recommendations 2/3

4) X.tsm-2, Profile of telecommunication device for Telebiometrics System Mechanism (TSM)

Defines the requirements and security profiles of client terminals for biometric authentication over the open network.

5) X.tai, Telebiometrics authentication infrastructure

Specifies a framework to implement biometric identity authentication with certificate issuance, management, usage and revocation.

6) X.bip, BioAPI interworking protocol

Common text of ITU-T and ISO/IEC JTC 1/SC 37. It specifies the syntax, semantics, and encodings of a set of messages ("BIP messages") that enable BioAPI-conforming applications in telebiometric systems.

Page 50: Telecommunication Security

Q.8/17 Recommendations 3/3

7) X.tpp-1, A guideline of technical and managerial countermeasures for biometric data security

Defines weaknesses and threats in operating telebiometric systems and proposes a general guideline of security countermeasures from both technical and managerial perspectives.

8) X.tpp-2, A guideline for secure and efficient transmission of multi-modal biometric data

Defines the threat characteristics of a multi-modal biometric system, and provides cryptographic methods and network protocols for transmission of multi-modal biometric data.

Page 51: Telecommunication Security

ITU-T SG 17 Question 9: Secure Communication Services

Focus

Position of each topic

Mobile security

Home network security

Web services security

Secure applications services

Page 52: Telecommunication Security

Q.9/17 Focus

Develop a set of standards of secure application services, including:

• Mobile security: under study

• Home network security: under study

• Web services security: under study

• Secure application services: under study

• Privacy protection for RFID: under study

• Multicast security: under study

• Multimedia content protection: to be studied

Page 53: Telecommunication Security

Position of each topic

(Diagram) Network entities shown: Mobile Terminal, Mobile Network, Home Network, Open Network, Application Server. Topics positioned on the diagram: Mobile security; Web services security; Home network security; Secure application services; Multicast security; Privacy protection for RFID.

Page 54: Telecommunication Security

Q.9/17 - Mobile Security

X.1121, Framework of security technologies for mobile end-to-end data communications
• Approved 2004

X.1122, Guideline for implementing secure mobile systems based on PKI
• Approved 2004

X.msec-3, General security value added service (policy) for mobile data communication
• Develops a general security service as a value added service for secure mobile end-to-end data communication

X.msec-4, Authentication architecture in mobile end-to-end data communication
• Constructs a generic authentication architecture for mobile data communication between mobile users and application servers

X.crs, Correlative reacting system in mobile network
• Develops the generic architecture of a correlative reacting system to protect the mobile terminal against viruses, worms, Trojan horses or other network attacks on both the mobile network and its mobile users

Page 55: Telecommunication Security

Q.9/17 - Home network security

X.1111, Framework for security technologies for home network
• Framework of security technologies for home network
• Defines security threats and security requirements, security functions, security function requirements for each entity in the network, and the possible implementation layer
• Approved 2007

X.homesec-2, Certificate profile for the device in the home network
• Device certificate profile for the home network
• Develops a framework for home network device certificates.

X.homesec-3, User authentication mechanisms for home network service
• User authentication mechanisms for home network service.
• Provides the user authentication mechanism in the home network, which enables various authentication means such as password, certificate, biometrics and so on.

Page 56: Telecommunication Security

Q.9/17 - Web Services security

X.1141, Security Assertion Markup Language (SAML)
• Adoption of OASIS SAML v2.0 into ITU-T Recommendation X.1141
• Defines an XML-based framework for exchanging security information
• The security information is expressed in the form of assertions about subjects, where a subject is an entity (either human or computer) that has an identity in some security domain
• Approved 2006

X.1142, eXtensible Access Control Markup Language (XACML)
• Adoption of OASIS XACML v2.0 into ITU-T Recommendation X.1142
• Provides an XML vocabulary for expressing access control policies, the syntax of the language and the rules for evaluating policies
• Approved 2006

X.websec-3, Security architecture for message security in mobile Web Services
• Develops a guideline on message security architecture and service scenarios for securing messages for mobile Web Services

Page 57: Telecommunication Security

Q.9/17 - Secure applications services

X.sap-1, Guideline on strong password authentication protocols
• Guideline on secure password-based authentication protocols with key exchange
• Defines a set of requirements for password-based protocols with key exchange and a selection guideline by setting up criteria that can be used in choosing an optimum authentication protocol for each application.

X.sap-2, Secure communication using TTP service
• Secure end-to-end data communication techniques using TTP services
• Specifies secure end-to-end data communication techniques using TTP services, i.e. the services defined in X.842 or other services

X.p2p-1, Anonymous authentication architecture in community communication
• Requirements of security for peer-to-peer and peer-to-multi-peer communications
• Investigates threat analysis for P2P and P2MP communication services and describes security requirements for secure P2P and P2MP communication services

X.p2p-2, Security architecture and protocols for peer-to-peer network
• Security architecture and protocols for peer-to-peer network
• Describes the security techniques and protocols in the P2P environment

Page 58: Telecommunication Security

Q.9/17 – m-RFID security and Multicast security

X.rfidsec-1, Privacy protection framework for networked RFID services
• New work item 2006
• Privacy infringements in the networked RFID service environment
• Requirements for privacy protection and privacy protection services based on a user privacy policy profile

X.mcastsec-1, Security framework and requirements in the multicast environment
• New work item 2007
• Requirements of security for multicast communications
• Investigates threat analysis for multicast communications services and describes security requirements for multicast communications services

Page 59: Telecommunication Security

ITU-T SG 17 Question 17: Countering Spam by Technical Means

Objectives

Recommendations

Page 60: Telecommunication Security

Q.17/17 Objectives

The aim of this Question is to develop a set of Recommendations on countering spam by technical means for ITU-T, taking into account the need for collaboration with other ITU-T Study Groups and cooperation with other SDOs. The Question focuses particularly on technical requirements, frameworks and new technologies for countering spam. Guidelines on countering spam by technical means are also studied.

Page 61: Telecommunication Security

Q.17/17 Set of Recommendations

(Diagram) Planned set of Recommendations and their status:

Guideline: Guideline on countering email spam (X.gcs), Draft

Framework Recommendations: Technical framework for countering email spam (X.fcs), Draft; Overview of countering spam for IP multimedia application (X.ocsip), Draft; IP multimedia application area, TBD

Requirement: Requirement on countering spam (X.csreq), Draft

Technology Recommendations: Technical means for countering spam (X.tcs), TBD; Technical means for countering IP multimedia spam (X.tcs), TBD

Other SDOs are shown as input to the set.

Page 62: Telecommunication Security

Q.17/17 Brief Summaries of draft Recommendations 1/3

X.gcs, Guideline on countering email spam

Specifies technical issues on countering e-mail spam. It provides the current technical solutions and related activities from various SDOs and relevant organizations on countering e-mail spam. The purpose of the Recommendation is to provide useful information to users who want to find technical solutions for countering e-mail spam, and it will be used as a basis for further development of technical Recommendations on countering email spam.

X.ocsip, Overview of countering spam for IP multimedia applications

Specifies basic concepts, characteristics, and effects of spam in IP multimedia applications such as IP telephony, video on demand, IPTV, instant messaging, multimedia conference, etc. It will provide technical issues, requirements for technical solutions, and various activities on countering spam for IP multimedia applications. It will provide a basis and guideline for developing further technical solutions on countering spam.

Page 63: Telecommunication Security

Q.17/17 Brief Summaries of draft Recommendations 2/3

X.csreq, Requirement on countering spam

Requirements on countering spam are clarified in this Recommendation. There are many types of spam, such as email spam, mobile messaging spam and IP multimedia spam. Various types of spam may have both common and specific requirements for countering them. For one type of spam, the requirements on the different entities involved should also be clarified.

X.fcs, Technical framework for countering email spam

Specifies the technical framework for the network structure for countering spam. Functions inside the framework are defined. It also provides universal rules for distinguishing spam from other emails and the common methods of countering email spam.

X.tcs, Technical means for countering spam

Communication networks are evolving, more services are emerging, and the capability of spammers is growing. Moreover, no single technical means currently has perfect performance in countering spam. It may be necessary to propose new technical countermeasures.

Page 64: Telecommunication Security

Q.17/17 Brief Summaries of draft Recommendations 3/3

X.fcsip, Framework of countering IP multimedia spam

Specifies the general architecture of a countering spam system for IP multimedia applications such as IP telephony, instant messaging, multimedia conference, etc. It will provide the functional blocks of the network entities necessary to counter spam and their functionalities, and describe the interfaces among the entities. To build secure sessions against spam attacks, user terminals and edge service entities such as proxy servers or application servers will be extended with spam control functions. Shown are the interfaces between these extended peer entities, and the interfaces with other network entities which can be involved in countering spam.

X.tcs-1, Interactive countering spam gateway system

Specifies an interactive countering spam gateway system as a technical means for countering various types of spam. The gateway system enables spam notification from the receiver's gateway to the sender's gateway, preventing spam traffic from going across the network. This specification defines the architecture for the countering spam gateway system, describes basic entities, protocols and functions, and provides mechanisms for spam detection, countering-spam information sharing, and countering-spam actions of the gateway systems.

Page 65: Telecommunication Security

ITU-T SG 4 work on security

Page 66: Telecommunication Security

SG 4: Security Management Systems

To complement the M.3016 series on Security of the Management Plane which is focused on interfaces, SG 4 has initiated new work on Security Management Systems (SMS). It is viewed as a key addition to support NGN Management.

Based on equivalent work in ATIS TMOC, M.sec-mgmt-sys is expected to:
– Draw on security concepts from X.800 and X.805
– Describe the logical SMS architecture to be realized in one or more physical systems
– Describe the managed network elements supported by SMS
– Specify the SMS functional requirements

As with the M.3016 series, a proforma will be provided as a template for other SDOs and forums to indicate for their membership which parts of M.sec-mgmt-sys are mandatory or optional.

Page 67: Telecommunication Security

ITU-T SG 11 work on security

Page 68: Telecommunication Security

SG 11: Security signaling protocol draft Recommendation in progress

Draft Recommendation Q.3201 (formerly Q.NGN-nacf-sec), EAP-based security signaling protocol architecture for network attachment
• Describes the security signalling requirements and protocol architecture for supporting the access security aspect of network attachment in the NGN environment. Basic threats and security requirements for the attachment of NGN access networks are analyzed, and a model of an EAP-based security signalling protocol architecture accommodating heterogeneous multi-links in the NGN access environment is presented. Based on it, three feasible scenarios for authentication signalling in the NGN network attachment control function are developed.

Page 69: Telecommunication Security

ITU-T SG 13 work on security

Q.15/13: All SG 13 Recommendations have a section on security

Page 70: Telecommunication Security

Q.15/13 NGN Security

Y.2701, Security requirements for NGN release 1

Y.NGN Authentication

Y.NGN Security Mechanisms, NGN Security Mechanisms and Procedures

Y.NGN, Certificate Management

Y.NGN AAA, The Application of AAA Service for network access control in UNI and ANI over NGN

Y.IdMsec, NGN Identity Management Security

Page 71: Telecommunication Security

Y.2701, Security requirements for NGN release 1 (pre-published)

Provides security requirements for Next Generation Networks (NGNs) and their interfaces (e.g., UNIs, NNIs and ANIs) by applying ITU-T Recommendation X.805, Security architecture for systems providing end-to-end communications, to ITU-T Recommendation Y.2201, NGN release 1 requirements, and ITU-T Recommendation Y.2012, Functional requirements and architecture of the NGN.

Specifies a trust model that is based on network elements (physical boxes) that support the functional entities defined in ITU-T Recommendation Y.2012.

Specifies requirements, which should be treated as a minimum set of security requirements. The NGN network providers are encouraged to take additional measures beyond those specified in the Recommendations for NGN security.

Page 72: Telecommunication Security

Y.NGN Authentication 1/2

Specifies authentication and authorization requirements for Next Generation Networks (NGNs) based on the ITU-T NGN release 1 Requirements and NGN Architecture (FRA). This includes requirements for one-way and mutual authentication and authorization across the User-to-Network Interface (UNI), the Network-to-Network Interface (NNI) and the Application-to-Network Interface (ANI). The scope of this Recommendation covers:

• Authentication and authorization of users for network access (e.g., authentication and authorization of an end user device, a home network gateway, or an enterprise gateway to obtain access or attachment to the network)

• Service provider authentication and authorization of users for access to a service/application (e.g., authentication and authorization of a user, a device or a combined user/device where the authentication and authorization applies to NGN service/application access)

Page 73: Telecommunication Security

Y.NGN Authentication 2/2

• Service provider authentication and authorization of users for access to a specific service/application (e.g., ETS and TDR-specific authentication and authorization)

• User authentication and authorization of a network (e.g., user authenticating the identity of the NGN network or of the service provider)

• User peer-to-peer authentication and authorization (e.g., authentication and authorization of the called user (or terminating entity), authentication and authorization of the originating entity, or data origin authentication as network functions)

• Mutual network authentication and authorization (e.g., authentication and authorization across NNI interface at the transport level, or service/application level)

• Authentication and authorization of a 3rd party service/application Provider

• Use of a 3rd party authentication and authorization service

Page 74: Telecommunication Security

Y.NGN Security Mechanisms, NGN Security Mechanisms and Procedures

Describes specific security mechanisms that should be used to realize the requirements of Y.2701, Security Requirements for NGN release 1. It covers the following security subjects:

• Identification and authentication

• Media security

• Audit trail, trapping, and logging systems

• Transport security for signalling and OAMP (Operations, Administration, Maintenance, and Provisioning)

• CPE (Customer Premises Equipment) provisioning

Page 75: Telecommunication Security

Y.NGN, Certificate Management

Defines procedures for managing the X.509 certificates used for providing NGN security

Specifies the use of X.509 certificates for authentication of the NGN network elements based on policy and business agreements

Page 76: Telecommunication Security

Y.NGN AAA, The Application of AAA Service for network access control in UNI and ANI over NGN

Specifies the authentication and authorization procedures for the NGN. It is based on the principles established in ITU-T Recommendations Y.2701, Security requirements for NGN release 1 and Y.2012, Functional requirements and architecture of the NGN. Y.NGN AAA provides recommendations on authentication and authorization across the User-to-Network Interface (UNI) and the Application-to-Network Interface (ANI)

Page 77: Telecommunication Security

Y.IdMsec, NGN Identity Management Security

Describes the fundamental concepts associated with NGN Identity Management

Provides a framework for Identity Management that is based on the NGN Functional Requirements and Architecture (FRA) release 2. This IdM framework is applicable to all NGN entities (e.g., service providers, network providers, network elements, users and user’s equipment)

Outlines the threats and risks to Identity Management within an NGN environment

Describes trust models for Identity Management within an NGN environment

Specifies security objectives and requirements for NGN Identity Management

Page 78: Telecommunication Security

Q.15/13’s Major Contributions on Security to the Work of other Questions and Study Groups

Q.15/13 led the development of the Security Considerations and Requirements section of ITU-T Recommendation Y.2111, Resource and admission control functions in Next Generation Networks (Y.2111 was developed by Q.4/13)

Q.15/13 participated in the development of the ITU-T Recommendation EAP-Based Security Signaling Protocol Architecture for Network Attachment (the Recommendation is being developed by Q.7/11)

Page 79: Telecommunication Security

ITU-T SG 16 Work on Security

Page 80: Telecommunication Security

Q.25/16 “Multimedia Security in Next-Generation Networks” (NGN-MM-SEC)

Study Group 16 concentrates on multimedia systems. Q.25/16 focuses on the application-security issues of MM applications in next generation networks and standardizes multimedia security.

So far Q.25/16 has been standardizing MM-security for the “1st generation MM/pre-NGN-systems”:

• H.323/H.248-based systems

• H.235 sub-series Recommendations provide a framework and a set of requirements for multimedia systems

Page 81: Telecommunication Security

Evolution of H.235

(Timeline figure, 1996 to 2006) H.323 versions along the axis: H.323V1, H.323V2, H.323V4, H.323V5, H.323V6. H.235 milestones in order: initial draft; H.235V1 approved (core security framework engineering); H.235V2 with Annex D and Annex E approved, Annex F/H.530 consent (consolidation, improvement and additions, 1st deployment); H.235V3+ with Annex I, security profiles Annex D/Annex E started; 2004: H.235V3 Amd1 + Annex H, H.235 Annex G; 2005: H.235V4 as H.235.0 to H.235.9 approved (reorganization).

Page 82: Telecommunication Security

H.235 V4 sub-series Recommendations

Major restructuring of H.235v3 Amd.1 and annexes into stand-alone sub-series Recommendations

H.235.x sub-series specify scenario-specific MM-security procedures as H.235-profiles for H.323

Some new parts added

Some enhancements and extensions

Incorporated corrections

Approved in September 2005

Page 83: Telecommunication Security

H.323 Security Recommendations 1/4

H.235.0, Security framework for H-series (H.323 and other H.245-based) multimedia systems

Overview of H.235.x sub-series and common procedures with baseline text

H.235.1, Baseline Security Profile

Authentication & integrity for H.225.0 signaling using shared secrets

H.235.2, Signature Security Profile

Authentication & integrity for H.225.0 signaling using X.509 digital certificates and signatures

Page 84: Telecommunication Security

H.323 Security Recommendations 2/4

H.235.3, Hybrid Security Profile

Authentication & integrity for H.225.0 signaling using an optimized combination of X.509 digital certificates, signatures and shared secret key management; specification of an optional proxy-based security processor

H.235.4, Direct and Selective Routed Call Security

Key management procedures in corporate and in interdomain environments to obtain key material for securing H.225.0 call signaling in GK direct-routed/selective routed scenarios

Items marked on the slide: enhanced, extended

Page 85: Telecommunication Security

H.323 Security Recommendations 3/4

H.235.5, Framework for secure authentication in RAS using weak shared secrets

Secured password (using EKE/SPEKE approach) in combination with Diffie-Hellman key agreement for stronger authentication during H.225.0 signaling

H.235.6, Voice encryption profile with native H.235/H.245 key management

Key management and encryption mechanisms for RTP

Items marked on the slide: enhanced, modified

Page 86: Telecommunication Security

H.323 Security Recommendations 4/4

H.235.7, Usage of the MIKEY Key Management Protocol for the Secure Real Time Transport Protocol (SRTP) within H.235

Usage of the MIKEY key management for SRTP

H.235.8, Key Exchange for SRTP using secure Signalling Channels

SRTP keying parameter transport over secured signaling channels (IPsec, TLS, CMS)

H.235.9, Security Gateway Support for H.323

Discovery of H.323 Security Gateways (SG = H.323 NAT/FW ALG) and key management for H.225.0 signaling

Items marked on the slide: NEW, NEW

Page 87: Telecommunication Security

Other SG16 MM-SEC Results

H.350.2 (2003), Directory Services Architecture for H.235

An LDAP schema to represent H.235 elements (passwords, certificates, ID information)

H.530 (Revision 2003), Symmetric security procedures for H.323 mobility in H.510

Authentication, access control and key management in mobile H.323-based corporate networks

Draft H.460.22 (Jan. 2007), Security protocol negotiation

Negotiate security protocols (IPsec or TLS or others) for H.323 signaling

Page 88: Telecommunication Security

Q.5/16 (H.300 NAT/FW Traversal) Results 1/2

H.460.18 (Sep. 2005), Traversal of H.323 signalling across FWs and NATs

H.323 protocol enhancements and new client/server proxies to allow H.323 signalling protocols to traverse NATs & FWs; H.323 endpoints can remain unchanged

H.460.19 (Sep. 2005), NAT & FW traversal procedures for RTP in H.323 systems

Uses multiplexed RTP media mode and symmetric RTP in conjunction with H.460.18 as a short-term solution

Page 89: Telecommunication Security

More Q.5/16 Results 2/2

Technical Paper (2005), Requirements for Network Address Translator and Firewall Traversal of H.323 Multimedia Systems

Documentation of scenarios and requirements for NAT & FW traversal in H.323

Technical Paper (2005), Firewall and NAT traversal Problems in H.323 Systems

An analysis of scenarios and various problems encountered by H.323 around NAT & FW traversal

Page 90: Telecommunication Security

New Q.25/16 items under current study 1/2

Study Anti-DDoS (Denial-of-Service) countermeasures for (H.323-based) NAT/FW proxy and MM applications

Security for MM-QoS (H.mmqos.security)

MM security aspects of Vision “H.325” Advanced Multimedia Systems (AMS)

Goal: MM-security for “H.325”, MM security for Audiovisual on Demand services, Multimedia Conferencing, Distant learning, ...

Page 91: Telecommunication Security

New Q.25/16 items under current study 2/2

Study Multimedia-Security aspects of Digital Rights Management (MM-DRM)

• What does MM-DRM mean?

• Understand DRM security needs for MM content of MM applications (e.g. IPTV, ...)

• Contributions are solicited

• Which other groups are active/interested in this area?

Draft H.proxy

Goal: Specify a proxy-aided NAT/firewall traversal mechanism as a NAT traversal solution for H.323 multimedia systems

Intended for Consent in July 2007

Page 92: Telecommunication Security

SG 16: Summary

Multimedia systems and applications as being studied by SG 16 face important security challenges:

• MM-security and NAT/FW traversal

Q.25/16 and Q.5/16 are addressing these issues and have provided various Recommendations

The work continues in the scope of NGN-Multimedia Security