1 / 20

ITU-T Recommendation X.805 Security Architecture for Systems Providing End-to-End Communications

ITU-T Recommendation X.805 Security Architecture for Systems Providing End-to-End Communications. IETF 63 meeting. Zachary Zeltsan, Bell Laboratories, Lucent Technologies Rapporteur of Question 5 SG 17 . Outline.

emily
Télécharger la présentation

ITU-T Recommendation X.805 Security Architecture for Systems Providing End-to-End Communications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ITU-T RecommendationX.805 Security Architecture for Systems Providing End-to-End Communications IETF 63 meeting Zachary Zeltsan, Bell Laboratories, Lucent Technologies Rapporteur of Question 5 SG 17

  2. Outline • Origin of the ITU-T Recommendation X.805 - Security Architecture for Systems Providing End-to-End Communications • Three main issues that X.805 addresses • Security Dimensions • Security Layers • Security Planes • ITU-T X.805 Security Architecture • ITU-T Recommendation X.805 as a base for security work in FGNGN Security Capability WG

  3. Origin of the ITU-T Recommendation X.805 • ITU-T Recommendation X.805 Security architecture for systems providing end‑to‑end communications had been developed by ITU-T SG 17 (ITU-T Lead Study Group on Telecommunication Security) and was published in October 2003. • The group has developed a set of the well-recognized Recommendations on security. Among them are X.800 Series of Recommendations on security and X.509 - Public-key and Attribute Certificate Frameworks.

  4. Three main issues that X.805 addresses • The security architecture addresses three essential issues: • What kind of protection is needed and against what threats? • What are the distinct types of network equipment and facility groupings that need to be protected? • What are the distinct types of network activities that need to be protected?

  5. X X ITU-T X.800 Threat Model(simplified)

  6. Eight Security Dimensions Address the Breadth of Network Vulnerabilities • Limit & control access to network elements, services & applications • Examples: password, ACL, firewall Access Control • Provide Proof of Identity • Examples: shared secret, PKI, digital signature, digital certificate Authentication • Prevent ability to deny that an activity on the network occurred • Examples: system logs, digital signatures Non-repudiation • Ensure confidentiality of data • Example: encryption Data Confidentiality • Ensure data is received as sent or retrieved as stored • Examples: MD5, digital signature, anti-virus software Communication Security • Ensure information only flows from source to destination • Examples: VPN, MPLS, L2TP Data Integrity Availability • Ensure network elements, services and application available to legitimate users • Examples: IDS/IPS, network redundancy, BC/DR • Ensure identification and network use is kept private • Examples: NAT, encryption Privacy Eight Security Dimensions applied to each Security Perspective (layer and plane)

  7. How the Security Dimensions Map to the Security Threats

  8. Security Layers • Concept of Security Layers represents hierarchical approach to securing a network • Mapping of the network equipment and facility groupings to Security Layers could be instrumental for determining how the network elements in upper layers can rely on protection that the lower layers provide.

  9. Applications Security Applications Security THREATS Destruction Services Security Services Security Corruption VULNERABILITIES VULNERABILITIES Removal Interruption Disclosure Vulnerabilities Can Exist In Each Layer Infrastructure Security Infrastructure Security ATTACKS Three Security Layers • 3 - Applications Security Layer: • Network-based applications accessed by end-users • Examples: • Web browsing • Directory assistance • Email • E-commerce • 2 - Services Security Layer: • Services Provided to End-Users • Examples: • Frame Relay, ATM, IP • Cellular, Wi-Fi, • VoIP, QoS, IM, Location services • Toll free call services • 1 - Infrastructure Security Layer: • Fundamental building blocks of networks services and applications • Examples: • Individual routers, switches, servers • Point-to-point WAN links • Ethernet links • Each Security Layer has unique vulnerabilities, threats • Infrastructure security enables services security enables applications security

  10. Example: Applying Security Layers to IP Networks • Applying Security Layers to IP Networks • Infrastructure Security Layer • Individual routers, servers • Communication links • Services Security Layer • Basic IP transport • IP support services (e.g., AAA, DNS, DHCP) • Value-added services: (e.g., VPN, VoIP, QoS) • Applications Security Layer • Basic applications (e.g. FTP, web access) • Fundamental applications (e.g., email) • High-end applications (e.g., e-commerce, e-training)

  11. Security Planes • Concept of Security Planes could be instrumental for ensuring that essential network activities are protected independently (e.g. compromise of security at the End-user Security Plane does not affect functions associated with the Management Security Plane). • Concept of Security Planes allows to identify potential network vulnerabilities that may occur when distinct network activities depend on the same security measures for protection.

  12. Security Layers Security Layers Applications Security Applications Security THREATS Services Security Services Security VULNERABILITIES VULNERABILITIES Vulnerabilities Can Exist In Each Layer and Plane Interruption Infrastructure Security Infrastructure Security ATTACKS End User Security End User Security Control/Signaling Security Control/Signaling Security Security Planes Security Planes Management Security Management Security Destruction Corruption Removal Disclosure Three Security Planes • 1 - End-User Security Plane: • Access and use of the network by the customers for various purposes: • Basic connectivity/transport • Value-added services (VPN, VoIP, etc.) • Access to network-based applications (e.g., email) • 3 - Management Security Plane: • The management and provisioning of network elements, services and applications • Support of the FCAPS functions • 2 - Control/Signaling Security Plane: • Activities that enable efficient functioning of the network • Machine-to-machine communications • Security Planes represent the types of activities that occur on a network. • Each Security Plane is applied to every Security Layer to yield nine security Perspectives (3 x 3) • Each security perspective has unique vulnerabilities and threats

  13. Management Security Plane Activities Protocols • Operations • Administration • Management • Provisioning • SNMP • Telnet • FTP • HTTP Control/Signaling Security Plane Activities Protocols • Update of routing/switching tables • Service initiation, control, and teardown • Application control • BGP, OSPF, IS-IS, RIP, PIM • SIP, RSVP, H.323, SS7. • IKE, ICMP • PKI, DNS, DHCP, SMTP End User Security Plane Activities Protocols • End-user data transfer • End-user – application interactions • HTTP, RTP, POP, IMAP • TCP, UDP, FTP • IPsec, TLS Example: Applying Security Planes to Network Protocols

  14. THREATS Destruction Corruption Removal Disclosure Interruption ATTACKS ITU-T X.805: Security Architecture for Systems Providing End-to-End Communications Security Layers Security Layers Applications Security Applications Security Data Integrity repudiation repudiation VULNERABILITIES Services Security Services Security Communication Security Communication Security Access Management Data Confidentiality Data Confidentiality Authentication Authentication Availability Availability Privacy Privacy Integrity Access Control Vulnerabilities Can Exist In Each Layer, Plane - - Non Non Infrastructure Security Infrastructure Security End User Security End User Security 8 Security Dimensions 8 Security Dimensions Control/Signaling Security Control/Signaling Security Security Planes Security Planes Management Security Management Security

  15. Modular Form of X.805 Access Control Communication Security • Management Network: top row • Network Services: middle column • Security Module: Layer & Plane Intersection Authentication Data Integrity Non-repudiation Availability Data Confidentiality Privacy The eight Security Dimensions Are Applied to Each Security Module Provides a systematic, organized way for performing network security assessments and planning

  16. Module 3 – Infrastructure Layer – End-User Plane www.lucent.com/security

  17. Summary: X.805 Provides a Holistic Approach to Network Security • Comprehensive, end-to-end network view of security • Applies to any network technology • Wireless, wireline, optical networks • Voice, data, video, converged networks • Applies to variety of networks • Service provider networks • Enterprise (service provider’s customer) networks • Government networks • Management/operations, administrative networks • Data center networks • Is aligned with other security ITU-T Recommendations and ISO standards

  18. ITU-T Recommendation X.805 is a Base for Security work in FGNGN Security Capability WG • Guidelines for NGN security and X.805 • NGN threat model (based on ITU-T X.800 and X.805 Recommendations) • Security Dimensions and Mechanisms (based on ITU-T X.805) • Access control • Authentication • Non-repudiation • Data confidentiality • Communication security • Data integrity • Availability • Privacy • NGN security requirements for Release 1 and X.805 • General considerations based on the concepts of X.805

  19. AAA Authentication, Authorization, Accounting ACL Access Control List ATM Asynchronous Transfer Mod BC Business Continuity BGP Border Gateway Protocol DHCP Dynamic Host Configuration Protocol DNS Domain Name Service DR Disaster Recovery FCAPS Fault-management, Configuration, Accounting, Performance, and Security FTP File Transfer Protocol HTTP Hyper Text Transfer Protocol ICMP Internet Control Message Protocol IDS Intrusion Detection System IKE Internet Key Exchange protocol IM Instant Messaging IMAP Internet Message Access Protocol IPS Intrusion Prevention System IPsec IP security (set of protocols) IS-IS Intermediate System-to-Intermediate System (routing protocol) L2TP Layer Two Tunneling Protocol MPLS Multi-Protocol Label Switching NAT Network Address Translation OSPF Open Shortest Path First PIM Protocol-Independent Multicast PKI Public Key Infrastructure POP Post Office Protocol QoS Quality of Service RIP Routing Information Protocol RSVP Resource Reservation Setup Protocol RTP Real-time Transport Protocol SIP Session Initiation Protocol SMTP Simple Mail Transfer Protocol SNMP Simple Network Management Protocol SS7 Signaling System 7 TCP Transmission Control Protocol TLS Transport Layer Security protocol UDP User Datagram Protocol VoIP Voice over IP VPN Virtual Private Network Acronyms

  20. Thank you!

More Related