Transcript Telecommunication Security

SOURCE:
ITU-T
TITLE:
ITU-T Security Standardization
AGENDA ITEM:
GTSC, agenda item 5.5
CONTACT:
Herb Bertine, [email protected]
GSC11(06)_GTSC_07
Telecommunication Security
Herbert Bertine
Chairman, ITU-T SG 17
GSC: Standardization Advancing
Global Communications
High Level Security Drivers
• ITU Plenipotentiary Conference (PP-02)
Intensify efforts on security
• World Telecommunications
Standardization Assembly (WTSA-04)
Security robustness of protocols
Combating/Countering spam
• World Summit on the Information Society
(WSIS-05)
Cyber security
GSC: Standardization Advancing Global Communications
ITU-T Study Groups
ITU-T work is divided up between Study Groups (SGs).
•
SG 2: Operational aspects of service provision, networks and performance
•
SG 4: Telecommunication management
•
SG 5: Protection against electromagnetic environment effects
•
SG 6 Outside Plant and related indoor installations
•
SG 9 Integrated broadband cable networks and television and sound
transmission
•
SG 11 Signaling requirements and protocols
•
SG 12 Performance and quality of service
•
SG 13 Next Generation Networks
•
SG 15: Optical and other transport networks
•
SG 16: Multimedia services, systems and terminals
•
SG 17: Security, languages and telecommunication software*
•
SG 19: Mobile Telecommunications Networks
*SG17 is the Lead Study Group on telecommunication security.
GSC: Standardization Advancing Global Communications
Overview of ITU-T Security
Standardization
Collaboration is key factor
GSC: Standardization Advancing Global Communications
WP 2/17 Security Questions (2005-2008)
Telecom
Systems Users
Telecom
Systems
*Multimodal Model Fwk
*System Mechanism
*Protection Procedure
*X.1081
Q8/17
Q5/17
Secure Communication Services
Q7/17
Security
Management
*ISM Guideline
for Telecom
*Incident
Management
*Risk
Assessment
Methodology
*etc…
*X.1051
Q4/17
Telebiometrics
*Mobile Secure Communications
*Home Network Security
*Security Web Services
Q9/17
*X.1121, X.1122
Cyber Security
Q6/17
*Overview of Cyber-security
*Vulnerability Information Sharing
* Incident Handling Operations
Countering spam
Q17/17
*Technical anti-spam measures
Security
Architecture
& Framework
*Architecture,
Model,
Concepts,
Frameworks,
*etc…
*X.800 series
*X.805
New
Communications System Security *Vision, Coordination, Roadmap, Compendia…
GSC: Standardization Advancing Global Communications
Highlights of what’s new
since GSC-10
 Two new ITU-T Questions:
– Q.15/13, NGN security
– Q.17/17, Countering spam by technical means
 38 security Recommendations are under development in
Study Group 17
 Other SGs are developing security Recommendations for
specific technologies – for example 5 on NGN security
 Focus Group on Security Baseline For Network Operators
 New Horizons for Security Standardization Workshop
 Security standards roadmap
 Cybersecurity web portal
GSC: Standardization Advancing Global Communications
Q.15/13 – NGN Security
Recognizing that security is one of the defining features of NGN, it is essential
to put in place a set of standards that will guarantee, to the maximum degree
possible, the security of the telecommunications infrastructure as PSTNs
evolve to NGNs.
The NGN Security studies must address and develop network architectures
that:
-
Provide for maximal network and end-user resource protection
Allow for highly-distributed intelligence end-to-end
Allow for co-existence of multiple networking technologies
Provide for end-to-end security mechanisms
Provide for security solutions that apply over multiple administrative domains
GSC: Standardization Advancing Global Communications
Q.17/17 – Combating spam
by technical means
Spam has become a widespread problem causing a complex range of problems to
users, service providers, and network operators around the globe. While spam was
originally used to send unsolicited commercial messages, increasingly spam messages
are being used to spread viruses, worms, and other malicious code that negatively
impact the security and stability of the global telecommunication network. Spam may
include the delivery of phishing and spyware. It is a global problem that requires a
multifaceted, comprehensive approach.
Study items to be considered include, but are not limited to:
- What risks does spam pose to the telecommunication network?
- What technical factors associated with the telecommunication network contribute to
the difficulty of identifying the sources of spam?
- How can new technologies lead to opportunities to counter spam and enhance the
security of the telecommunication network?
- Do advanced telecommunication network technologies (for example, SMS, instant
messaging, VoIP) offer unique opportunities for spam that require unique solutions?
- What technical work is already being undertaken within the IETF, in other fora, and
by private sector entities to address the problem of spam?
- What telecommunication network standardization work, if any, is needed to
effectively counter spam as it relates to the stability and robustness of the
telecommunication network?
GSC: Standardization Advancing Global Communications
SG 17 Security Recommendations
under development (1/3)
 Summaries of all Study Group 17 Recommendations
under development are available on the Study Group 17
web page at: www.itu.int/itu-t/studygroups/com17
Communications Systems Security Project
X.sbno, Security baseline for network operators
Security Architecture and Framework
X.805+, Division of the security features between the network and the users
X.805nsa, Network security certification based on ITU-T Recommendation X.805
X.ngn-akm, Framework for authentication and key management for link layer security of NGN
X.pak, Password-authenticated key exchange (PAK)
X.spn, Framework for creation, storage, distribution and enforcement of security policies for
networks
GSC: Standardization Advancing Global Communications
SG 17 Security Recommendations
under development (2/3)
Cyber Security
X.cso, Overview of cybersecurity
X.sds, Guidelines for Internet Service Providers and End-users for Addressing the Risk of Spyware
and Deceptive Software
X.cvlm, Guidelines on Cybersecurity Vulnerability Life-cycle Management
X.vds, A vendor-neutral framework for automatic checking of the presence of vulnerabilities
information update
Security Management
X.1051 (R), Information security management guidelines for telecommunications based on ISO/IEC
27002
X.rmg, Risk management guidelines for telecommunications
X.sim, Security incident management guidelines for telecommunications
Telebiometrics
X.bip, BioAPI interworking protocol
X.physiol, Telebiometrics related to human physiology
X.tai, Telebiometrics authentication infrastructure
X.tpp-1, A guideline of technical and managerial countermeasures for biometric data security
X.tpp-2, A guideline for secure and efficient transmission of multi-modal biometric data
X.tsm-1, General biometric authentication protocol and profile on telecommunication systems
X.tsm-2, Profile of telecomunication device for Telebiometrics System Mechanism (TSM)
GSC: Standardization Advancing Global Communications
SG 17 Security Recommendations
under development (2/3)
Secure Communication Services
X.crs, Correlative reacting system in mobile network
X.homesec-1, Framework of security technologies for home network
X.homesec-2, Certificate profile for the device in the home network
X.homesec-3, User authentication mechanisms for home network service
X.msec-3, General security value added service (policy) for mobile data communication
X.msec-4, Authentication architecture in mobile end-to-end data communication
X.p2p-1, Requirements of security for peer-to-peer and peer-to-multi peer communications
X.p2p-2, Security architecture and protocols for peer to peer network
X.sap-1, Guideline on secure password-based authentication protocol with key exchange
X.sap-2, Secure communication using TTP service
X.websec-1, Security Assertion Markup Language (SAML) – X.1141 now in AAP Last Call
X.websec-2, eXtensible Access Control Markup Language (XACML) – X.1142 now in AAP Last Call
X.websec-3, Security architecture for message security in mobile web services
Countering spam by technical means
X.csreq, Requirement on countering spam
X.fcs, Technical framework for countering email spam
X.gcs, Guideline on countering email spam
X.ocsip, Overview of countering spam for IP multimedia application
X.tcs, Technical means for countering spam
GSC: Standardization Advancing Global Communications
SG 13 Security Recommendations
under development
NGN Security
• Security Requirements for NGN Release 1*
• Guidelines for NGN Security Release 1*
• Authentication requirements for NGN Release 1
• AAA Service for Network Access to NGN
• Security considerations for Pseudowire (PWE)
technology
* Continuation of the work originated in the ITU-T Focus Group on NGN
GSC: Standardization Advancing Global Communications
Focus Group: Security Baseline
for Network Operators
• Established October 2005 by SG 17
• Objectives:
– Define a security baseline against which network operators can assess
their network and information security posture in terms of what security
standards are available, which of these standards should be used to
meet particular requirements, when they should be used, and how they
should be applied
– Describe a network operator’s readiness and ability to collaborate with
other entities (operators, users and law enforcement authorities) to
counteract information security threats
– Provide meaningful criteria that can be used by network operators
against which other network operators can be assessed, if required.
• Next Step
– Survey network operators by means of a questionnaire
GSC: Standardization Advancing Global Communications
New Horizons for Security
Standardization Workshop
• Workshop held in Geneva 3-4 October 2005
• Objectives
–
–
–
–
–
Provide an overview of key international security standardization activities;
Seek to identify primary security concerns and issues;
Determine which issues are amenable to a standards-based solution;
Identify which SDOs are are best equipped to do so; and
Consider how SDOs can collaborate to improve the timeliness and effectiveness of
security standards and avoid duplication of effort.
• Results reported under following topics:
–
–
–
–
–
–
–
–
–
What are the crucial problems in ICT security standardization?
Meta issues and need for a global framework;
Standards Requirements and Priorities;
Liaison and information sharing;
User issues;
Technology and threat issues;
Focus for future standardization work;
Process issues;
Follow-on issues
• Report available at www.itu.int/ITU-T/worksem/security/200510/index.html
GSC: Standardization Advancing Global Communications
ICT Security Standards Roadmap
• Four Part Roadmap
– Part 1 contains information about organizations
working on ICT security standards
– Part 2 is a database of existing security standards
• Presently includes ITU-T, ISO/IEC JTC1 and IETF standards
• Will be expanded to include other standards
– Part 3 will be a list of standards in development
– Part 4 will identify future needs and proposed new
standards
• Publicly available under Special Projects and Issues at:
– www.itu.int/ITU-T/studygroups/com17/index
• We invite you to use the Roadmap, provide feedback and
help us develop it to meet your needs
GSC: Standardization Advancing Global Communications
The ITU Global Cybersecurity Gateway
LIVE at: http://www.itu.int/cybersecurity
Provides an easy-to-use information resource on national, regional and
international cybersecurity-related activities and initiatives worldwide.
GSC: Standardization Advancing Global Communications
Structure of the Cybersecurity Gateway
 The portal is geared towards four specific audiences:
“Citizens”; “Businesses”; “Governments”,
“International Organizations”
 Database information collected within five main
themes:
1. Information sharing of national approaches, good practices and
guidelines;
2. Developing watch, warning and incident response capabilities;
3. Technical standards and industry solutions;
4. Harmonizing national legal approaches and international legal
coordination and enforcement;
5. Privacy, data and consumer protection.
 Additional information resources on the following
topics: spam, spyware, phishing, scams and frauds,
worms and viruses, denial of service attacks, etc.
GSC: Standardization Advancing Global Communications
GSC: Standardization Advancing Global Communications
Some useful web resources
•
ITU-T Home page
www.itu.int/itu-t
•
Study Group 17
www.itu.int/itu-t/studygroups/com17
•
LSG on Security
http://www.itu.int/ITU-T/studygroups/com17/tel-security.html
e-mail:
[email protected]
•
Recommendations
www.itu.int/ITU-T/publications/recs.html
•
ITU-T Lighthouse
www.itu.int/ITU-T/lighthouse
•
ITU-T Workshops
www.itu.int/ITU-T/worksem
•
Security Roadmap
http://www.itu.int/ITU-T/studygroups/com17/ict/index.html
•
Cybersecurity Portal
http://www.itu.int/cybersecurity
GSC: Standardization Advancing Global Communications
Closing Observations
 Security is everybody's business
 Collaboration with other SDOs is necessary
 Security needs to be designed in upfront
 Security must be an ongoing effort
 Systematically addressing vulnerabilities
(intrinsic properties of networks/systems) is key
so that protection can be provided independent of
what the threats (which are constantly changing
and may be unknown) may be
—X.805 is helpful here
GSC: Standardization Advancing Global Communications
Additional details on security work
in ITU-T Study Groups:
- Study Group 17
- Study Group 4
- Study Group 9
- Study Group 13
- Study Group 16
- Study Group 19
GSC: Standardization Advancing Global Communications
ITU-T SG 17 Work on Security
GSC: Standardization Advancing Global Communications
Study Group 17: Security, languages
and telecommunication software
• SG 17 is the Lead Study Group on telecommunication
security - It is responsible for coordination of security
across all Study Groups.
• Subdivided into three Working Parties (WPs)
– WP1 - Open systems technologies;
– WP2 - Telecommunications security; and
– WP3 - Languages and telecommunications software
• Most (but not all) security Questions are in WP2
• Summaries of all draft Recommendations under
development in SG 17 are available on the SG 17 web
page at www.itu.int/itu-t/studygroups/com17
GSC: Standardization Advancing Global Communications
Current SG 17 security-related Questions
Working Party 1:
•
1/17
End-to-end Multicast Communications with QoS
Managing Facility
•
2/17
Directory services, Directory systems, and publickey/attribute certificates
•
3/17
Open Systems Interconnection (OSI)
•
16/17
Internationalized Domain Names (IDN)
Working Party 2:
•
4/17
Communications Systems Security Project
•
5/17
Security Architecture and Framework
•
6/17
Cyber Security
•
7/17
Security Management
•
8/17
Telebiometrics
•
9/17
Secure Communication Services
•
17/17
Countering spam by technical means
GSC: Standardization Advancing Global Communications
ITU-T SG 17 Question 4
Communications Systems Security
Project
• Security Workshop
• ICT Security Roadmap
• Focus Group on Security Baseline For
Network Operators
GSC: Standardization Advancing Global Communications
New Horizons for Security
Standardization Workshop
•
•
•
•
Workshop held in Geneva 3-4 October 2005
Hosted by ITU-T SG17 as part of security
coordination responsibility
ISO/IEC JTC1 played an important role in planning
the program and in providing speakers/panelists.
Speakers, panelists, chairs from:
–
–
–
–
–
ITU-T
ISO/IEC
IETF
Consortia – OASIS, 3GPP
Regional SDOs – ATIS, ETSI, RAIS
GSC: Standardization Advancing Global Communications
Workshop Objectives
• Provide an overview of key international security standardization
activities;
• Seek to find out from stakeholders (e.g., network operators, system
developers, manufacturers and end-users) their primary security
concerns and issues (including possible issues of adoption or
implementation of standards);
• Try to determine which issues are amenable to a standards-based
solution and how the SDOs can most effectively play a role in helping
address these issues;
• Identify which SDOs are already working on these issues or are best
equipped to do so; and
• Consider how SDOs can collaborate to improve the timeliness and
effectiveness of security standards and avoid duplication of effort.
GSC: Standardization Advancing Global Communications
Workshop Results
• Excellent discussions, feedback and suggestions
• Documented in detail in the Workshop report
• Results are reported under following topics:
–
–
–
–
–
–
–
–
–
What are the crucial problems in ICT security standardization?
Meta issues and need for a global framework;
Standards Requirements and Priorities;
Liaison and information sharing;
User issues;
Technology and threat issues;
Focus for future standardization work;
Process issues;
Follow-on issues
• The report is available on-line at:
– www.itu.int/ITU-T/worksem/security/200510/index.html
GSC: Standardization Advancing Global Communications
ICT Security Standards Roadmap
(An SG 17 Work-in-progress)
• Part 1 contains information about organizations
working on ICT security standards
• Part 2 is database of existing security standards
• Part 3 will be a list of standards in development
• Part 4 will identify future needs and proposed new
standards
GSC: Standardization Advancing Global Communications
Roadmap access
• Part 2 includes ITU-T, ISO/IEC JTC1 and IETF
standards. It will be expanded to include other standards
(e.g. regional and consortia specifications).
• It will also be converted to a Database format to allow
searching and to allow organizations to manage their
own data
• Publicly available under Special Projects and Issues at:
– www.itu.int/ITU-T/studygroups/com17/index
• We invite you to use the Roadmap, provide feedback
and help us develop it to meet your needs
GSC: Standardization Advancing Global Communications
Other Q.4/17 projects
• Security in Telecommunications and Information
Technology – an overview of existing ITU-T
Recommendations for secure telecommunications.
www.itu.int/ITU-T/publications/index.html
• Security compendium:
• catalogue of approved ITU-T Recommendations
related to telecommunication security
• extract of ITU-T approved security definitions
• listing of ITU-T security related Questions
www.itu.int/ITU-T/studygroups/com17/tel-security.html
• We are in the process of establishing a Security
Experts Network (SEN) to maintain on-going
dialogue on key issues of security standardization.
GSC: Standardization Advancing Global Communications
Focus Group: Security Baseline
for Network Operators
• Established October 2005 by SG 17
• Objectives:
– Define a security baseline against which network operators can assess
their network and information security posture in terms of what security
standards are available, which of these standards should be used to
meet particular requirements, when they should be used, and how they
should be applied
– Describe a network operator’s readiness and ability to collaborate with
other entities (operators, users and law enforcement authorities) to
counteract information security threats
– Provide meaningful criteria that can be used by network operators
against which other network operators can be assessed, if required.
• Next Step
– Survey network operators by means of a questionnaire
GSC: Standardization Advancing Global Communications
ITU-T SG 17 Question 5
Security Architecture and Framework
• Brief description of Q.5
• Milestones
• Draft Recommendations under development
GSC: Standardization Advancing Global Communications
Brief description of Q.5/17
• Motivation
– The telecommunications and information technology industries are
seeking cost-effective comprehensive security solutions that could
be applied to various types of networks, services and applications.
To achieve such solutions in multi-vendor environment, network
security should be designed around the standard security
architectures and standard security technologies.
• Major tasks
– Development of a comprehensive set of Recommendations for
providing standard security solutions for telecommunications in
collaboration with other Standards Development Organizations and
ITU-T Study Groups.
– Maintenance and enhancements of Recommendations in the X.800
series:
X.800, X.802, X.803, X.805, X.810, X.811, X.812, X.813, X.814, X.815, X.816,
X.830, X.831, X.832, X.833, X.834, X.835, X.841, X.842 and X.843
GSC: Standardization Advancing Global Communications
Q.5/17 Milestones
• ITU-T Recommendation X.805, Security
Architecture for Systems Providing End-to-end
Communications, was published in 2003.
• ISO Standard 18028-2, Network security
architecture, was developed in collaboration
between ITU-T Q.5/17 and ISO/IEC JTC 1 SC
27 WG 1. The Standard is technically aligned
with X.805. It was published in 2006.
GSC: Standardization Advancing Global Communications
ITU-T Recommendation X.805
End-user plane
Control plane
Management plane
THREATS
Privacy
Destruction
Availability
Data integrity
Communication security
Data confidentiality
Non-repudiation
Infrastructure security
Authentication
Services security
VULNERABILITIES
Access control
Security layers
Applications security
Corruption
Removal
Disclosure
Interruption
ATTACKS
8 Security dimensions
X.805_F3
X.805 defines a network security architecture for providing
end-to-end network security. The architecture can be applied to
various kinds of networks where the end-to-end security is a
concern and independently of the network’s underlying
technology.
GSC:
Standardization Advancing Global Communications
Q.5/17 Draft Recommendations 1/2
• Applications and further development of major
concepts of ITU-T Recommendation X.805
– X.805+, Division of the security features between the
network and the users.
This Recommendation specifies division of security features
between the networks and users. It provides guidance on
applying concepts of the X.805 architecture to securing
service provider’s, application provider’s networks and the
end user’s equipment.
– X.805nsa, Network security certification based on ITU-T
Recommendation X.805.
This Recommendation describes the methodology, processes
and controls required for network security certification based
on ITU-T Recommendation X.805, Security Architecture for
Systems Providing End-to-End Communications.
GSC: Standardization Advancing Global Communications
Q.5/17 Draft Recommendations 2/2
• Standardization in support of Authentication Security
Dimension (defined in X.805)
– X.pak, Password-authenticated Key Exchange Protocol (PAK).
This Recommendation specifies a password-based protocol for
authentication and key exchange, which ensures mutual authentication
of both parties in the act of establishing a symmetric cryptographic key
via Diffie-Hellman exchange.
– X.ngn-akm, Framework for authentication and key management for link
layer security of NGN.
This Recommendation establishes a framework for authentication and
key management for securing the link layer of NGN. It also provides
guidance on selection of the EAP methods for NGN.
• Standardization of network security policies
– X.spn, Framework for creation, storage, distribution, and enforcement of
security policies for networks.
This Recommendation establishes security policies that are to drive
security controls of a system or service. It also specifies a framework for
creation, storage, distribution, and enforcement of policies for network
security that can be applied to various environmental conditions and
network devices.
GSC: Standardization Advancing Global Communications
ITU-T SG 17 Question 6
Cyber Security
•
•
•
•
•
Motivation
Objectives
Scope
Current area of focus
Draft Recommendations under development
GSC: Standardization Advancing Global Communications
Q.6/17 Motivation
• Network connectivity and ubiquitous access is central to today’s
IT systems
• Wide spread access and loose coupling of interconnected IT
systems is a primary source of widespread vulnerability
• Threats such as: denial of service, theft of financial and personal
data, network failures and disruption of voice and data
telecommunications are on the rise
• Network protocols in use today were developed in an
environment of trust.
• Most new investments and development is dedicated to building
new functionality and not on securing that functionality
• An understanding of cybersecurity is needed in order to build a
foundation of knowledge that can aid in securing the networks of
tomorrow
GSC: Standardization Advancing Global Communications
Q.6/17 Objectives
• Perform actions in accordance with Lead Study Group (LSG)
responsibility with the focus on cybersecurity
• Work with Q.1 of SG 2 on a definition of Cybersecurity
• Identify and develop standards required for addressing the
challenges in cybersecurity, within the scope of Q.6/17
• Provide assistance to other ITU-T Study Groups in applying
relevant cybersecurity Recommendations for specific security
solutions. Review project-oriented security solutions for
consistency.
• Maintain and update existing Recommendations within the scope
of Q.6/17.
• Coordinate security activities with other ITU-T SGs, ISO/IEC JTC 1
eg. SC6, SC27 and SC37), and consortia as appropriate.
• Provide awareness on new security technologies related to
cybersecurity
GSC: Standardization Advancing Global Communications
Q.6/17 Scope
• Definition of Cybersecurity
• Security of Telecommunications Network Infrastructure
• Security Knowledge and Awareness of Telecom
Personnel and Users
• Security Requirements for Design of New
Communications Protocol and Systems
• Communications relating to Cybersecurity
• Security Processes – Life-cycle Processes relating to
Incident and Vulnerability
• Security of Identity in Telecommunication Network
• Legal/Policy Considerations
GSC: Standardization Advancing Global Communications
Q.6/17 Current Area of Focus
• Work with SG 2 on the definition and requirements of
cybersecurity.
• Collaborate with Q5,7,9,17/17 and SG 2 in order to achieve
better understanding of various aspects of network security.
• Collaborate with IETF, OASIS, ISO/IEC JTC1, W3C, APEC-TEL
and other standardization bodies on cybersecurity.
• Work on framework for secure network operations to address
how telecommunications network providers secure their
infrastructure and maintain secure operations.
• Work on Recommendation for standardization of vulnerability
data definition.
• Study new cybersecurity issues – How should ISPs deal with
botnets, evaluating the output of appropriate bodies when
available.
• Call for contributions for the outstanding questions identified
in the revised scope.
GSC: Standardization Advancing Global Communications
Q.6/17 Draft Recommendations 1/2
1.
Overview of Cybersecurity (X.cso)
–
This Recommendation provides a definition for Cybersecurity. The
Recommendation provides a taxonomy of security threats from an
operator point of view. Cybersecurity vulnerabilities and threats are
presented and discussed at various network layers.
–
Various Cybersecurity technologies that are available to remedy the
threats include: Routers, Firewalls, Antivirus protection, Intrusion
detection systems, Intrusion protection systems, Secure computing,
Audit and Monitoring. Network protection principles such as defence in
depth, access and identity management with application to
Cybersecurity are discussed. Risk Management strategies and
techniques are discussed including the value of training and education
in protecting the network. A discussion of Cybersecurity Standards,
Cybersecurity implementation issues and certification are presented.
2.
A vendor-neutral framework for automatic checking of the presence
of vulnerabilities information update (X.vds)
–
This Recommendation provides a framework of automatic notification
on vulnerability information. The key point of the framework is that it is
a vendor-neutral framework. Once users register their software,
updates on the vulnerabilities and patches of the registered software
will automatically be made available to the users. Upon notification,
users can then apply
GSC: Standardization Advancing Global Communications
Q.6/17 Draft Recommendations 2/2
3.
Guidelines for Internet Service Providers and End-users for
Addressing the Risk of Spyware and Deceptive Software
(X.sds)
–
4.
This Recommendation provides guidelines for Internet Service
Providers (ISP) and end-users for addressing the risks of spyware
and deceptive software. The Recommendation promotes best
practices around principles of clear notices, and users’ consents and
controls for ISP web hosting services. The Recommendation also
promotes best practices to end-users on the Internet to secure their
computing devices and information against the risks of spyware and
deceptive software
Guidelines on Cybersecurity Vulnerability Life-cycle
Management(X.cvlm)
–
The Recommendation provides a framework for the provision of
monitoring, discovering, responding and post-analysis of
vulnerabilities. Service providers can use this Recommendation to
complement their existing Information Security Management System
process in the aspect of regular vulnerability assessment,
vulnerability management, incident handling and incident
management.
GSC: Standardization Advancing Global Communications
ITU-T SG 17 Question 7
Security Management Systems
•
•
•
•
Tasks
Recommendations planned
Revised X.1051
Approach for revised X.1051
GSC: Standardization Advancing Global Communications
Q.7/17 Tasks
•
Information Security Management Guidelines for telecommunications
(Existing X.1051, Information security management system –
Requirements for telecommunications (ISMS-T) )
・Maintain and revise Recommendation X.1051, “Information Security
Management Guidelines for telecommunications based on ISO/IEC27002”.
・Jointly develop a guideline of information security management with
ISO/IEC JTC 1/SC 27.
•
Risk Management Methodology
・Study and develop a methodology of risk management for
telecommunications in line with Recommendation X.1051.
・Produce and consent a new ITU-T Recommendation for risk management
methodology.
•
Incident Management
・Study and develop a handling and response procedure on security
incidents for the telecommunications in line with Recommendation X.1051.
・Produce and consent a new ITU-T Recommendation for incident
management methodology and procedures.
GSC: Standardization Advancing Global Communications
Recommendations planned in
Q.7/17 (Security Management)
X.1050: To be proposed
X.1051: In revision process
Information Security Management Guidelines for
Telecommunications based on ISO/IEC 27002
X.1052: To be proposed
X.1053: To be proposed
(Implementation Guide for Telecoms)
X.1054: To be proposed
(Measurements and metrics for Telecommunications)
X.1055 :In the first stage of development
Risk Management Guidelines for Telecommunications
X.1056: In the first stage of development
Security Incident Management Guidelines for Telecommunications
X.1057: To be proposed
(Identity Management for Telecoms)
GSC: Standardization Advancing Global Communications
Information security management guidelines
for Telecommunications (Revised X.1051)
Revised X.1051
Security policy
Organising information security
Asset management
Human resources security
Physical & environmental
security
Information Assets
for Telecom
Communications & operations
management
Access control
Information systems acquisition,
development and maintenance
Information security incident
management
Business continuity management
Compliance
GSC: Standardization
Advancing Global Communications
Q.7/17 Approach to develop
revised Recommendation X.1051
ISMS Process
CONTROL
Implementation
guidance
Other
information
ISO/IEC 17799
(2005) 27002
CONTROL
Implementation
guidance
for Telecom
CONTROL
Implementation
requirements
for Telecom
Other
information
Revised
X.1051
Existing
X.1051
GSC: Standardization Advancing Global Communications
ITU-T SG 17 Question 8
Telebiometrics
• Objectives
• Study areas on Biometric Processes
• X.1081 and draft Recommendations under
development
GSC: Standardization Advancing Global Communications
Q.8/17 Objectives
1）To define telebiometric multimodal model framework
2）To specify biometric authentication mechanism in
open network
3）To provide protection procedures and
countermeasures for telebiometric systems
GSC: Standardization Advancing Global Communications
Q.8/17 Study areas on
Biometric Processes
X.tai: Telebiometrics Authentication Infrastructure
X.bip: BioAPI Interworking Protocol
X.1081
X.physiol
Safety conformity
X.tsm: Telebiometrics System Mechanism
X.tpp: Telebiometrics Protection Procedures
Storage
Biometric
Sensors
NW
Acquisition
(Capturing)
NW
Extraction
NW
Matching
Score
NW
NW:Network
Decision
NW
Yes/No
GSC: Standardization Advancing Global Communications
Application
Q.8/17 Recommendations 1/4
-
X.1081 – The telebiometric multimodal model
framework – A framework for the specification of
security and safety aspects of telebiometrics
This Recommendation defines a telebiometric multimodal model that
can be used as a framework for identifying and specifying aspects of
telebiometrics, and for classifying biometric technologies used for
identification (security aspects).
-
X.physiol – Telebiometrics related to human
physiology
This Recommendation gives names and symbols for quantities and
units concerned with emissions from the human body that can be
detected by a sensor, and with effects on the human body produced by
the telebiometric devices in his environments.
GSC: Standardization Advancing Global Communications
Q.8/17 Recommendations 2/4
-
X.tsm-1 – General biometric authentication protocol
and profile on telecommunication system
This Recommendation defines communication mechanism and
protocols of biometric authentication for unspecified end-users and
service providers on open network.
-
X.tsm-2 – Profile of telecomunication device for
Telebiometrics System Mechanism (TSM)
This Recommendation defines the requirements, security profiles of
client terminals for biometric authentication over the open network.
GSC: Standardization Advancing Global Communications
Q.8/17 Recommendations 3/4
-
X.tai – Telebiometrics authentication infrastructure
This Recommendation specifies a framework to implement biometric
identity authentication with certificate issuance, management, usage and
revocation.
-
X.bip – BioAPI interworking protocol
This Recommendation is common text of ITU-T and ISO/IEC JTC1
SC37. It specifies the syntax, semantics, and encodings of a set of
messages ("BIP messages") that enable BioAPI-conforming application
in telebiometric systems.
GSC: Standardization Advancing Global Communications
Q.8/17 Recommendations 4/4
-
X.tpp-1 – A guideline of technical and managerial
countermeasures for biometric data security
This Recommendation defines weakness and threats in operating
telebiometric systems and proposes a general guideline of security
countermeasures from both technical and managerial perspectives.
-
X.tpp-2 – A guideline for secure and efficient
transmission of multi-modal biometric data
This Recommendation defines threat characteristics of multi-modal
biometric system, and provides cryptographic methods and network
protocols for transmission of multi-modal biometric data.
GSC: Standardization Advancing Global Communications
ITU-T SG 17 Question 9
Secure Communication Services
•
•
•
•
•
•
Focus
Position of each topic
Mobile security
Home network security
Web services security
Secure applications services
GSC: Standardization Advancing Global Communications
Q.9/17 Focus
• Develop a set of standards of secure
application services, including
– Mobile security Under study
– Home network security Under study
– Web Services security Under study
– Secure application services Under study
– Privacy protection for RFID and multimedia
content and digital Identity management To be
studied
GSC: Standardization Advancing Global Communications
Position of each topic
Web Services security
Application
Server
Mobile
Terminal
Mobile Network
Mobile security
Open Network
Home
Network
Home network
security
Secure application services
GSC: Standardization Advancing Global Communications
Q.9/17 - Mobile Security
• X.1121, Framework of security technologies for mobile end-to-end data
communications – Approved 2004
• X.1122, Guideline for implementing secure mobile systems based on PKI –
Approved 2004
• X.msec-3, General security value added service (policy) for mobile data
communication
– Develops general security service as value added service for
secure mobile end-to-end data communication.
• X.msec-4, Authentication architecture in mobile end-to-end data communication
– Constructs generic authentication architecture for mobile data
communication between mobile users and application servers.
• X.crs, Correlative reacting system in mobile network
– Develops the generic architecture of a correlative reactive system
to protect the mobile terminal against Virus, worms, TrojanHorses or other network attacks to both the mobile network and
its mobile users.
GSC: Standardization Advancing Global Communications
Q.9/17 - Home network security
• X.homesec-1, Framework for security technologies for home network
– Framework of security technologies for home network
– Define security threats and security requirements, security
functions, security function requirements for each entity in the
network, and possible implementation layer
• X.homesec-2, Certificate profile for the device in the home network
– Device certificate profile for the home network
– Develops framework of home network device certificate.
• X.homesec-3, User authentication mechanisms for home network service
– User authentication mechanisms for home network service.
– Provides the user authentication mechanism in the home network,
which enables various authentication means such as password,
certificate, biometrics and so on.
GSC: Standardization Advancing Global Communications
Q.9/17 - Web Services security
• X.websec-1, Security Assertion Markup Language (SAML)
– Security assertion markup language
– Adoption of OASIS SAML v2.0 into ITU-T Recommendation
X.1141 - Consented April 2006
– Define XML-based framework for exchanging security information.
– The security information expressed in the form of assertions about
subjects, where a subject is an entity (either human or computer)
that has an identity in some security domain.
• X.websec-2, eXtensible Access Control Markup Language (XACML)
– eXtensible Access Control Markup Language
– Adoption of OASIS XACML v2.0 into ITU-T Recommendation
X.1142 - Consented April 2006
– Provides an XML vocabulary for expressing access control
policies and the syntax of the language and the rules for
evaluating policies.
• X.websec-3, Security architecture for message security in mobile Web Services
– Develops a guideline on message security architecture and
service scenarios for securing messages for mobile Web Services.
GSC: Standardization Advancing Global Communications
Q.9/17 - Secure applications services
• X.sap-1, Guideline on strong password authentication protocols
– Guideline on secure password-based authentication protocol with key
exchange.
– Define a set of requirements for password-based protocol with key
exchange and a selection guideline by setting up criteria that can be used
in choosing an optimum authentication protocol for each application.
• X.sap-2, Secure communication using TTP service
– Secure end-to-end data communication techniques using TTP services
– Specifies secure end-to-end data communication techniques using TTP
services that are services defined in X.842 or other services.
• X.p2p-1, Anonymous authentication architecture in community communication
– Requirements of security for peer-to-peer and peer-to-multi peer
communications
– Investigates threat analysis for P2P and P2MP communication services
and describes security requirements for secure P2P and P2MP
communication services.
• X.p2p-2, Security architecture and protocols for peer to peer network
– Security architecture and protocols for peer to peer network
– Describes the security techniques and protocols in the P2P environment.
GSC: Standardization Advancing Global Communications
ITU-T SG 17 Question 17
Countering spam
by technical means
• Objectives
• Set of Recommendations
GSC: Standardization Advancing Global Communications
Q.17/17 Objectives
• The aim of this Question is to develop a set of
Recommendations on countering spam by technical
means for ITU-T, taking into account the need for
collaboration with ITU-T other Study Groups and
cooperation with other SDOs. The Question focuses
particularly on technical requirement, frameworks
and new technologies for countering spam.
Guidelines on countering spam by technical means
are also studied.
GSC: Standardization Advancing Global Communications
Q.17/17 Set of Recommendations
Requirement on countering spam
(X.csreq) Draft
Technical framework for countering
email spam (X.fcs) Draft
Framework Recommendations:
IP multimedia application area (TBD)
Technology Recommendations:
Technology Recommendations:
Technical means for countering
spam (X.tcs) TBD
Technical means for countering IP
multimedia spam (X.tcs) TBD
Overview of countering spam for IP
multimedia application (X.ocsip) Draft
Guideline on countering email
spam (X.gcs) Draft
Other SDOs
GSC: Standardization Advancing Global Communications
Q.17/17 Brief Summaries of draft
Recommendations under development 1/2
• X.csreq, Requirement on countering spam
This Recommendation provides the general characteristics of spam, elicits generic
objectives and provides an overview of the technical requirements on countering
spam. In addition, this Recommendation provides checklist to evaluate the solution
on countering spam.
• X.fcs, Technical framework for countering email spam
This Recommendation specifies the technical framework for network structure for
the countering spam. Functions inside the framework are defined. It also includes
the commonsensible characteristics of email spam, the universal rules of judgement
and the common methods of countering email spam.
GSC: Standardization Advancing Global Communications
Q.17/17 Brief Summaries of draft
Recommendations under development 2/2
• X.gcs, Guideline on countering email spam (X.gcs)
This Recommendation specifies technical issues on countering email spam. It
provides the current technical solutions and related activities from various SDOs
and relevant organizations on countering email spam. It will be used as a basis for
further development of technical Recommendations on countering email spam.
• X.ocsip, Overview of countering spam for IP multimedia application
This Recommendation specifies basic concepts, characteristics, and effects of spam
in IP multimedia applications such as IP Telephony, video on demand, IP TV,
instant messaging, multimedia conference, etc. It will provide basis and guideline
for developing further technical solutions on countering spam.
GSC: Standardization Advancing Global Communications
Security Work in other ITU-T Study Groups
•
•
•
•
•
SG 4 – Security of Management plane
SG 9 – IPCablecom
SG 13 – NGN security
SG 16 – Multimedia security
SG 19 – Security in IMT-2000
GSC: Standardization Advancing Global Communications
ITU-T SG 4 Work on Security
GSC: Standardization Advancing Global Communications
SG 4: Security of the Management
Plane (M.3016 series)
• Approved last year, the M.3016 series is viewed as a key
aspect of NGN Management; it is included
– in the NGN Management Roadmap issued by the NGNMFG
– In M.3060 on the Principles of NGN Management
• The M.3016 series consists of 5 parts:
–
–
–
–
–
M.3016.0: Overview
M.3016.1: Requirements
M.3016.2: Services
M.3016.3: Mechanisms
M.3016.4: Profile proforma
• The role of M.3016.4 is unique in that it provides a template
for other SDOs and forums to indicate for their membership
what parts of M.3016 are mandatory or optional
GSC: Standardization Advancing Global Communications
ITU-T SG 9 Work on Security
GSC: Standardization Advancing Global Communications
SG 9: IPCablecom Evolution
• Enhance cable’s existing IP service environment to
accelerate the convergence of voice, video, data, and
mobility
• Define an application agnostic architecture that allows
cable operators to rapidly innovate new services
• Provide a suite of Recommendations that define the
elements and interfaces needed to facilitate multi-vendor
interoperability
• Incorporate leading communications technologies from
the IETF and 3GPP IMS
GSC: Standardization Advancing Global Communications
SG 9: IPCablecom Evolution
OSS evolves to
support new clients
and services
New capabilities
added to support
additional clients
and services
Operational
Support Systems Policy Control
Provisioning, Management,
Security, Accounting
NAT Traversal
PSTN
PSTN
PSTN
Gateway
CMS
Managed IP
Network
IPCablecom
Network
Signaling Framework,
Subscriber Data
CMTS
Applications
Voice, Video, IM
Presence, Wireless
DOCSIS®
Telephony was the
first service
GSC: Standardization Advancing Global Communications
IPCablecom
expands to support
other services
SG 9: Targeted Applications
• Enhanced Cable Voice and Video IP Telephony
– Support for new media and client types (e.g., video telephony, soft
clients)
– Call treatment based on presence, device capability, identity
– Maintain support for cable telephony features enabled by current
IPCablecom Recommendations
• Fixed-mobile Convergence over Cable
– Support for dual mode cellular/WiFi handsets over DOCSIS
– Call handover between IPCablecom VoIP networks and cellular
networks
– Integrated features and call control between cellular and VoIP platforms
• Cable Cross-Platform Features
– Cross platform notification, messaging (e.g., Caller-ID on TV)
– Third-party call control features, such as ‘Click to dial’
GSC: Standardization Advancing Global Communications
SG 9: Design Approach
• Incorporate new IP communication technologies
– Focus on the Session Initiation Protocol (SIP) and supporting
protocols
– Leverage the 3GPP IMS as a service delivery platform
• Develop a modular and extensible architecture that
allows new services to be added without impacting the
core IPCablecom infrastructure
• Ensure backward compatibility with existing IPCablecom
Recommendations
• Support a wide variety of client devices
GSC: Standardization Advancing Global Communications
SG 9: IPCablecom Security
Requirements Under Consideration
• Support a range of authentication schemes
– UICCs (similar to SIM card)
– Digital Certificates (existing IPCablecom EMTAs)
– SIP digest (software clients)
• Support a range of secure signaling options
– IPsec
– TLS
– Disabled
•
•
•
•
Support secure configuration before registration
Support TLS for intra-domain security
Minimize changes to IMS
Reuse existing standards
GSC: Standardization Advancing Global Communications
SG 9: DOCSIS
Base Line Privacy Plus
• The primary goals of DOCSIS BPI+ are to provide
privacy of customer traffic, integrity of software
downloads, and prevent theft of service.
• DOCSIS BPI+ provides a number of tools to support
these goals:
– Traffic encryption for privacy/confidentiality.
– Secure Software Download to assure a valid CM image.
– Configuration file authentication to help secure the provisioning
process.
• Focus is on the link layer between the CMTS and CM.
Security outside the DOCSIS network is provided by
applications and other networks.
GSC: Standardization Advancing Global Communications
SG 9: DOCSIS BPI+
Security Algorithms
• A Cable Modem Terminations System (CMTS) authenticates
cable modems (CM) using X.509 certificates and RSA public key
cryptography.
• Subscriber Traffic encryption
– 3DES used for key exchange
– DES used for traffic encryption. AES being considered for future
DOCSIS versions.
• SW download image validation is performed using X.509
certificates and digital signatures using RSA public key
cryptography.
• Message integrity checks (MIC) with keyed MD5 hash used for
CM configuration file security.
GSC: Standardization Advancing Global Communications
ITU-T SG 13 Work on Security
GSC: Standardization Advancing Global Communications
SG 13: NGN Security Outline
•
•
•
•
•
•
Why NGN security?
The ITU-T work on NGN Security
Relationship to other SDOs
Output of the NGN Focus Group
Recent developments—starting the SG 13
Security work
Top NGN security issues that need resolution
Security is among the key differentiators of the NGN.
It is also among its biggest challenges!..
GSC: Standardization Advancing Global Communications
SG 13: Why Security?
(Threat examples)
• Subscriber’s
perspective
– Eavesdropping, theft
of PIN codes
– Tele-spam
– Identity theft
– Infection by viruses,
worms, and spyware
– Loss of privacy (call
patterns, location, etc.)
– Flooding attacks on
the end point
• Provider’s
perspective
– Theft of service
– Denial of service
– Disclosure of network
topology
– Non-audited
configuration changes
– Additional related
risks to the
PSTN…
In NGN, known IP security vulnerabilities can make PSTN vulnerable,
too!
GSC: Standardization Advancing Global Communications
SG 13: The ITU-T work on NGN
Security
• SG 13: Lead Study Group on the NGN
standardization. (Question 15/13 is responsible for
X.805-based NGN security)
• SG 17: Lead Study Group on Telecommunication
Security—the fundamental X.800 series, PKI, etc.
• SG 4: Lead Study Group on Telecommunication
Management—Management Plane security
• SG 11: Lead Study Group on signaling and
protocols—security of the Control and Signaling
planes
• SG 16: Lead Study Group on multimedia terminals,
systems and applications—Multimedia security
has concluded;
work
has moved to
GSC:FGNGN
Standardization
Advancing its
Global
Communications
SG 13
Collaboration of ITU-T with
other bodies on NGN security
Recommendations
ISO/IEC JTC1
SC 27, …
IETF
ITU-T
SG 13, 17,
4, 11, 16 …
ATIS
3GPP
ETSI
TISPAN
Fora
(such as
OASIS)
TIA
SG 13 is the Lead Study Group for NGN
SG 17 is the Lead Study Group for Security
GSC: Standardization Advancing Global Communications
3GPP2
SG 13: Question 15, NGN
security
• Question 15 (NGN security) of SG 13 – ITU-T lead study
group for NGN and satellite matters - will continue standards
work started by FGNGN WG 5.
• Q.15/13 major tasks are:
– Lead the NGN-specific security project-level issues within SG 13
and with other Study Groups. Recognizing SG 17’s overall role as
the Lead Study Group for Telecommunication Security, advise and
assist SG 17 on NGN security coordination issues.
– Apply the X.805 Security architecture for systems providing end-toend communication within the context of an NGN environment
– Ensure that
• the developed NGN architecture is consistent with accepted
security principles
• Ensure that AAA principles are integrated as required
throughout the NGN
GSC: Standardization Advancing Global Communications
SG 13: FGNGN output:
Security Requirements for NGN
Release 1 (highlights)
• Security requirements for
the Service Stratum
– IMS security
– Transport domain to NGN
core network interface
– Open service platforms and
applications security
– VoIP
– Emergency
Telecommunication Services
and Telecommunications for
Disaster Relief
• Security requirements for
the Transport Stratum
– NGN customer network
domain
– Customer network to IPConnectivity Access Network
(IP-CAN) interface
– Core network functions
– NGN customer network to
NGN customer network
interface
GSC: Standardization Advancing Global Communications
SG 13: FGNGN output:
Guidelines for NGN Security
Release 1 (highlights)
• General
– General principles and
guidelines for building
secure Next Generation
Networks
– Detailed examination of
IMS access security and
NAT and firewall traversal
– NGN Security Models
– Security Associations
model for NGN
• Security of the NGN
subsystems
– IP-Connectivity Access Network
– IMS Network domain and IMSto-non-IMS network security
– IMS access
– Framework for open platform for
services and applications in NGN
– Emergency Telecommunications
Service (ETS) and
Telecommunications for Disaster
Relief (TDR) Security
– Overview of the existing standard
solutions related to NAT and
firewall traversal
GSC: Standardization Advancing Global Communications
SG 13: Focus of the current
work of Question 15,
NGN security
•
•
•
•
•
Security Requirements for NGN Release 1
Authentication requirements for NGN Release 1
AAA Service for Network Access to NGN
Guidelines for NGN Security Release 1
Security considerations for Pseudowire (PWE)
technology
At the heart of securing network protocols, the biggest
challenge is authentication.
GSC: Standardization Advancing Global Communications
SG 13: Major Issues for NGN
Security Standardization
• Key distribution (for end-users and network elements) and
Public Key Infrastructure
• “Network privacy”—topology hiding and NAT/Firewall traversal
for real-time applications
• Convergence with IT security
• Management of security functions (e.g., policy)
• Guidelines on the implementation of the IETF protocols (e.g.,
IPsec options)
• Security for supporting access: DSL, WLAN, and cable
access scenarios
• Guidelines for handling 3GPP vs. 3GPP2 differences in IMS
Security
Both—network assets and network traffic—must be protected.
Proper management procedures will help prevent attacks from within.
GSC: Standardization Advancing Global Communications
SG 13: NGN Architecture
Third Party Applications
Service Stratum
Application/Service
Functions
ApplicationSupport
Functions
S. User
Profile
Functions
Other Multimedia Service
Components …
Service
Control
Functions
Streaming Service
Component
IP Multimedia
Component
IP Multimedia
&PSTN/ISDN
Simulation
Service Component
Legacy
Terminals
Legacy
Terminals
GW
GW
T.User
User
Profile
Profile
Functions
Functions
Customer
Networks
Access
Network
Access Transport
Functions
Functions
NGN
Terminals
End-User
Functions
Network
Attachment
Network
Access
Control Functions
Attachment
Functions
(NACF)
NAAF
Edge
Functions
Resource and Admission
Control Functions
(RACF)
Core
Core Transport
transport
Functions
Functions
Transport Stratum
*
Note: Gateway (GW) may exist in either Transport Stratum
or End-User Functions.
GSC: Standardization Advancing Global Communications
Other Networks
PSTN / ISDN Emulation
Service Component
ITU-T SG 16 Work on Security
GSC: Standardization Advancing Global Communications
Question 25/16
“Multimedia Security in
Next-Generation Networks”
(NGN-MM-SEC)
•
•
•
•
Study Group 16 concentrates on Multimedia
systems.
Q.25/16 focuses on the application-security issues
of MM applications in next generation networks
Standardizes Multimedia Security
So far Q.25 has been standardizing MM-security for
the “1st generation MM/pre-NGN?-systems”:
–
H.323/H.248-based systems.
GSC: Standardization Advancing Global Communications
Evolution of H.235
Core Security
Framework
Engineering
1st Deployment
Improvement and Additions
Consolidation
H.235V3
+ Annex I
H.235V3
Amd1
H.235V3
Amd1
+ Annex H
H.235 Annex G
H.235V2
Security
Profiles
Annex D
Initial
Draft
H.235V1
Annex E
approved
started
1997
1998
Annex F
Annex E
H.530
approved
consent
H.323V5
H.323V4
H.323V2
1996
Annex D
1999
2000
2001
2002
2003
2004
=> 2005
GSC: Standardization Advancing Global Communications
H.235 V4 Subseries
Recommendations
•
•
Major restructuring of H.235v3 Amd1 and
annexes in stand-alone subseries
Recommendations
H.235.x subseries specify scenario-specific MMsecurity procedures as H.235-profiles for H.323
•
Some new parts added
•
•
Some enhancements and extensions
Incorporated corrections
•
Approved in Sept. 2005
GSC: Standardization Advancing Global Communications
H.323 Security
Recommendations (1)
•
H.235.0 “Security framework for H-series (H.323
and other H.245-based) multimedia systems”
 Overview of H.235.x subseries and common
procedures with baseline text
•
H.235.1 "Baseline Security Profile”
 Authentication & integrity for H.225.0 signaling using
shared secrets
•
H.235.2 "Signature Security Profile”
 Authentication & integrity for H.225.0 signaling using
X.509 digital certificates and signatures
GSC: Standardization Advancing Global Communications
H.323 Security
Recommendations (2)
•
 Authentication & integrity for H.225.0 signaling
using an optimized combination of X.509 digital
certificates, signatures and shared secret key
management;
specification of an optional proxy-based security
processor
enhanced
•
extended
H.235.3 "Hybrid Security Profile"
H.235.4 "Direct and Selective Routed Call
Security"
 Key management procedures in corporate and in
interdomain environments to obtain key material
for securing H.225.0 call signaling in GK directrouted/selective routed scenarios
GSC: Standardization Advancing Global Communications
H.323 Security
Recommendations (3)
•
enhanced
H.235.5 "Framework for secure
authentication in RAS using weak shared
secrets"
 Secured password (using EKE/SPEKE approach)
in combination with Diffie-Hellman key agreement
for stronger authentication during H.225.0
signaling
•
modified
H.235.6 "Voice encryption profile with native
H.235/H.245 key management"
 Key management and encryption mechanisms for
RTP
GSC: Standardization Advancing Global Communications
H.323 Security
Recommendations (4)
•
H.235.7 "Usage of the MIKEY Key Management
Protocol for the Secure Real Time Transport
Protocol (SRTP) within H.235"
 Usage of the MIKEY key management for SRTP
•
H.235.8 "Key Exchange for SRTP using secure
Signalling Channels"
 SRTP keying parameter transport over secured
signaling channels (IPsec, TLS, CMS)
•
H.235.9 "Security Gateway Support for H.323"
 Discovery of H.323 Security Gateways
(SG = H.323 NAT/FW ALG) and key management for
H.225.0 signaling
GSC: Standardization Advancing Global Communications
Other SG16 MM-SEC Results
•
H.350.2 (2003) “H.350.2 Directory
Services Architecture for H.235”
 An LDAP schema to represent H.235 elements (PWs,
certificates, ID information)
•
H.530 (Revision 2003) “Symmetric security
procedures for H.323 mobility in H.510”
 Authentication, access control and key management
in mobile H.323-based corporate networks
GSC: Standardization Advancing Global Communications
Q.5/16 (H.300 NAT/FW
Traversal) Results (1)
•
H.460.18 “Traversal of H.323 signalling across
FWs and NATs”
 H.323 protocol enhancements and new client/server
proxies to allow H.323 signalling protocols traverse
NATs & FWs;
H.323 endpoints can remain unchanged
•
H.460.19 “NAT & FW traversal procedures for
RTP in H.323 systems”
 uses multiplexed RTP media mode and symmetric
RTP in conjunction with H.460.18 as a short-term
solution
GSC: Standardization Advancing Global Communications
More Q.5/16 Results (2)
•
Technical Paper “Requirements for Network
Address Translator and Firewall Traversal of
H.323 Multimedia Systems”
 Documentation of scenarios and requirements for
NAT & FW traversal in H.323
•
Technical Paper “Firewall and NAT traversal
Problems in H.323 Systems”
 An analysis of scenarios and various problems
encountered by H.323 around NAT & FW traversal
GSC: Standardization Advancing Global Communications
New Q.25/16 items
under current study (1)
•
Draft H.460.spn “Security protocol negotiation”
°
•
Goal: Negotiate security protocols
(IPsec or TLS) for H.323 signaling)
(Draft) H.FSIC “Federated Architecture for
Secure Internet Conferencing”
°
Goal: Define a generic protocol independent
security profile for globally scalable security
conferencing using trust federations.
GSC: Standardization Advancing Global Communications
New Q.25/16 items
under current study (2)
•
Study Anti-DDoS (Denial-of-Service)
countermeasures for (H.323-based) NAT/FW
proxy and MM applications
•
Security for MM-QoS (H.mmqos.security)
•
MM security aspects of Vision H.325
“Next-generation Multimedia Terminals and
Systems”
°
Goal: MM-security for H.325,
MM security for Audiovisual on Demand services,
Multimedia Conferencing, Distant learning,...
GSC: Standardization Advancing Global Communications
New Q.25/16 items
under current study (3)
•
Study Multimedia-Security aspects of
Digital Rights Management (MM-DRM)
– What does MM-DRM mean?
– Understand DRM security needs for MM
content of MM applications (e.g. IPTV,…)
– Contributions are solicited.
– Which other groups are active/interested in
this area?
GSC: Standardization Advancing Global Communications
Ongoing Q.5/16 work items
•
Draft H.proxy
°
Goal: Specify signaling & media client/server
proxies connected with a (UDP) tunneling
protocol for H.323 NAT & FW traversal
GSC: Standardization Advancing Global Communications
SG 16: Summary
•
Multimedia systems and applications as
being studied by SG16 face important
security challenges:
–
MM-security and NAT/FW traversal
•
Q.25/16 and Q.5/16 are addressing these
issues and have provided various
Recommendations
•
The work continues in the scope of
NGN-Multimedia Security.
GSC: Standardization Advancing Global Communications
ITU-T SG 19 Work on Security
GSC: Standardization Advancing Global Communications
Security Work in SG 19 (1/3)
• Q.1/19 Service and network capability requirements
and network architecture
– PDNR Q.FNAB “Functional Network Architecture for Systems
Beyond IMT-2000” has included security requirements from the
beginning, building on existing material in related domains
• Q.2/19 Mobility management
– Security is included as a fundamental component of the analysis
mobility management mechanisms in Q-series Supplement 47
“Technical Report on NNI Mobility Management Requirements”
– Currently progressing, on the same basis and jointly with Q.6/13:
•
•
•
•
Rec.MMR Mobility Management Requirements (Stage 1)
Rec.MMF Mobility Management Framework (Stage 2)
Rec.LMF Location Mobility Management Framework (Stage 2)
Rec.HMF Handover Management Framework (Stage 2)
GSC: Standardization Advancing Global Communications
Security Work in SG 19 (2/3)
• Q.3/19 Identification of existing and evolving IMT2000 systems
– Q.1741 and Q.1742 series of Recommendations include
security as a key aspect of its referencing
Recommendations for IMT-2000 (3G) Family Members
identified in its Q.1741.x (3GPP) and Q.1742.x (3GPP2)
series Recommendations, including:
•
•
•
•
an evaluation of perceived threats
a list of security requirements to address the threats
security objectives and principles
a defined security architecture (i.e., security features and
mechanisms)
• cryptographic algorithm requirements
• lawful interception requirements
• lawful interception architecture and functions
– Additional information in backup charts
GSC: Standardization Advancing Global Communications
Security in SG 19 Work (3/3)
• Q.4/19 Preparation of a handbook on IMT2000
– Next edition of “Handbook of evolving IMT2000 Systems (Core Network Aspects)” in
progress includes a new chapter “Safety and
security issues for IMT-2000”
• Q.5/19 Convergence of evolving IMT-2000
networks with evolving fixed networks
– Includes security consideration for such areas
as user identification and authentication,
including IMS security (see Q.3/19)
GSC: Standardization Advancing Global Communications
ITU-T SSG & SG 19
Rec. Q.1741-series
• Q.1741.1 IMT-2000 references to release 1999 of
GSM evolved UMTS core network with UTRAN
access network
• Q.1741.2 IMT-2000 references to release 4 ...
• Q.1741.3 IMT-2000 references to release 5 ...
• Q.1741.4 IMT-2000 references to release 6 ...
– Includes references to the 3GPP security specifications as TS
22.101: Service aspects; Service principles, TS 33.102: Security
Architecture, TS 33.106: Lawful interception requirements, TS
33.107: Lawful interception Architecture and Functions, TS 33.108:
Handover interface for Lawful Interception (LI), TS 33.200: Network
Domain Security – MAP, TS 33.203: Access security for IP-based
services, TS 33.210: Security; Network Domain Security (NDS); IP
network layer security, TS 35.205, .206, .207, .208 and .909:
Specification of the MILENAGE Algorithm Set
GSC: Standardization Advancing Global Communications
ITU-T SSG & SG 19
Rec. Q.1742-series
• Q.1742.1 IMT-2000 references to ANSI-41 evolved
core network with cdma2000 access network
• Q.1742.2 IMT-2000 references (...as of 11 July 2002)
to ...
• Q.1742.3 IMT-2000 references (...as of 30 June
2003) to ...
• Q.1742.4 IMT-2000 references (...as of 30 June
2004) to ...
– “The 3GPP2 Steering Committee found that the Packet Data
Surveillance Feature (also known as Packet Data Intercept, Legal
Surveillance, Lawful Surveillance, or Electronic Surveillance) was
regional in nature and should be left to the appropriate SDOs to
develop, with 3GPP2 consulting as requested.”
GSC: Standardization Advancing Global Communications