Presentation is loading. Please wait.

Presentation is loading. Please wait.

ITU-T Recommendation X

Published by Modified over 10 years ago

Similar presentations

Presentation on theme: "ITU-T Recommendation X"— Presentation transcript:

1 ITU-T Recommendation X
ITU-T Recommendation X.805 Security Architecture for Systems Providing End-to-End Communications IETF 63 meeting Zachary Zeltsan, Bell Laboratories, Lucent Technologies Rapporteur of Question 5 SG 17

2 Outline Origin of the ITU-T Recommendation X Security Architecture for Systems Providing End-to-End Communications Three main issues that X.805 addresses Security Dimensions Security Layers Security Planes ITU-T X.805 Security Architecture ITU-T Recommendation X.805 as a base for security work in FGNGN Security Capability WG

3 Origin of the ITU-T Recommendation X.805
ITU-T Recommendation X.805 Security architecture for systems providing end‑to‑end communications had been developed by ITU-T SG 17 (ITU-T Lead Study Group on Telecommunication Security) and was published in October 2003. The group has developed a set of the well-recognized Recommendations on security. Among them are X.800 Series of Recommendations on security and X Public-key and Attribute Certificate Frameworks.

4 Three main issues that X.805 addresses
The security architecture addresses three essential issues: What kind of protection is needed and against what threats? What are the distinct types of network equipment and facility groupings that need to be protected? What are the distinct types of network activities that need to be protected?

5 ITU-T X.800 Threat Model (simplified)
1 - Destruction (an attack on availability): Destruction of information and/or network resources 2 - Corruption (an attack on integrity): Unauthorized tampering with an asset 3 - Removal (an attack on availability): Theft, removal or loss of information and/or other resources 4 - Disclosure (an attack on confidentiality): Unauthorized access to an asset 5 - Interruption (an attack on availability): Interruption of services. Network becomes unavailable or unusable X X

6 Communication Security
Eight Security Dimensions Address the Breadth of Network Vulnerabilities Limit & control access to network elements, services & applications Examples: password, ACL, firewall Access Control Provide Proof of Identity Examples: shared secret, PKI, digital signature, digital certificate Authentication Prevent ability to deny that an activity on the network occurred Examples: system logs, digital signatures Non-repudiation Ensure confidentiality of data Example: encryption Data Confidentiality Ensure data is received as sent or retrieved as stored Examples: MD5, digital signature, anti-virus software Communication Security Ensure information only flows from source to destination Examples: VPN, MPLS, L2TP Data Integrity Availability Ensure network elements, services and application available to legitimate users Examples: IDS/IPS, network redundancy, BC/DR Ensure identification and network use is kept private Examples: NAT, encryption Privacy Eight Security Dimensions applied to each Security Perspective (layer and plane)

7 How the Security Dimensions Map to the Security Threats
X.800 Security Threats Destruction Corruption Removal Disclosure Interruption Access Control Authentication Non-Repudiation Data Confidentiality Communication Security Data Integrity Availability Privacy

8 Security Layers Concept of Security Layers represents hierarchical approach to securing a network Mapping of the network equipment and facility groupings to Security Layers could be instrumental for determining how the network elements in upper layers can rely on protection that the lower layers provide.

9 Vulnerabilities Can Exist
Three Security Layers Infrastructure Security Applications Security Services Security THREATS VULNERABILITIES ATTACKS Destruction Disclosure Corruption Removal Interruption Vulnerabilities Can Exist In Each Layer 3 - Applications Security Layer: Network-based applications accessed by end-users Examples: Web browsing Directory assistance E-commerce 1 - Infrastructure Security Layer: Fundamental building blocks of networks services and applications Examples: Individual routers, switches, servers Point-to-point WAN links Ethernet links 2 - Services Security Layer: Services Provided to End-Users Examples: Frame Relay, ATM, IP Cellular, Wi-Fi, VoIP, QoS, IM, Location services Toll free call services Each Security Layer has unique vulnerabilities, threats Infrastructure security enables services security enables applications security

10 Example: Applying Security Layers to IP Networks
Infrastructure Security Layer Individual routers, servers Communication links Services Security Layer Basic IP transport IP support services (e.g., AAA, DNS, DHCP) Value-added services: (e.g., VPN, VoIP, QoS) Applications Security Layer Basic applications (e.g. FTP, web access) Fundamental applications (e.g., ) High-end applications (e.g., e-commerce, e-training)

11 Security Planes Concept of Security Planes could be instrumental for ensuring that essential network activities are protected independently (e.g. compromise of security at the End-user Security Plane does not affect functions associated with the Management Security Plane). Concept of Security Planes allows to identify potential network vulnerabilities that may occur when distinct network activities depend on the same security measures for protection.

12 Three Security Planes 1 - End-User Security Plane:
Infrastructure Security Applications Security Services Security End User Security Control/Signaling Security Management Security VULNERABILITIES Security Layers Security Planes Vulnerabilities Can Exist In Each Layer and Plane THREATS ATTACKS Destruction Disclosure Corruption Removal Interruption 1 - End-User Security Plane: Access and use of the network by the customers for various purposes: Basic connectivity/transport Value-added services (VPN, VoIP, etc.) Access to network-based applications (e.g., ) 3 - Management Security Plane: The management and provisioning of network elements, services and applications Support of the FCAPS functions 2 - Control/Signaling Security Plane: Activities that enable efficient functioning of the network Machine-to-machine communications Security Planes represent the types of activities that occur on a network. Each Security Plane is applied to every Security Layer to yield nine security Perspectives (3 x 3) Each security perspective has unique vulnerabilities and threats

13 Example: Applying Security Planes to Network Protocols
End User Security Plane Activities End-user data transfer End-user – application interactions Protocols HTTP, RTP, POP, IMAP TCP, UDP, FTP IPsec, TLS Control/Signaling Security Plane Activities Update of routing/switching tables Service initiation, control, and teardown Application control Protocols BGP, OSPF, IS-IS, RIP, PIM SIP, RSVP, H.323, SS7. IKE, ICMP PKI, DNS, DHCP, SMTP Management Security Plane Operations Administration Management Provisioning Activities Protocols SNMP Telnet FTP HTTP

14 ITU-T X.805: Security Architecture for Systems Providing End-to-End Communications
Security Layers Security Layers THREATS Applications Security Applications Security Destruction Disclosure Corruption Removal Interruption VULNERABILITIES Services Security Services Security repudiation repudiation Data Integrity Access Management Authentication Authentication Data Confidentiality Data Confidentiality Communication Security Communication Security Integrity Availability Availability Privacy Privacy Access Control Vulnerabilities Can Exist In Each Layer, Plane - - Non Non ATTACKS Infrastructure Security Infrastructure Security End User Security End User Security Security Planes Security Planes Control/Signaling Security Control/Signaling Security 8 Security Dimensions 8 Security Dimensions Management Security Management Security

15 The eight Security Dimensions Are Applied to Each Security Module
Modular Form of X.805 Infrastructure Layer Services Layer Applications Layer Management Plane Module one Module four Module seven Control/Signaling Plane Module two Module five Module eight User Plane Module three Module six Module Nine Access Control Communication Security Management Network: top row Network Services: middle column Security Module: Layer & Plane Intersection Authentication Data Integrity Non-repudiation Availability Data Confidentiality Privacy The eight Security Dimensions Are Applied to Each Security Module Provides a systematic, organized way for performing network security assessments and planning

16 Module 3 – Infrastructure Layer – End-User Plane
Security Dimension Security Objectives Access Control Ensure that only authorised personnel or devices are allowed access to end-user data that is transiting a network element or communications link or is resident in an offline storage device. Authentication Verify the identity of the person or device attempting to access end-user data that is transiting a network element of communications link or is resident in an offline storage device. Authentication techniques may be required as part of Access Control. Non-Repudiation Provide a record identifying each individual or device that accessed end-user data that is transiting a network element or communications link, or is resident in offline devices and that the action was performed. The record is to be used as proof of access to end-user data. Data Confidentiality Protect end-user data that is transiting a network element or communications link, or is resident in an offline storage device against unauthorised access or viewing. Techniques used to address access control may contribute to providing data confidentiality for end-user data. Communication Security Ensure that end-user data that is transiting a network element or communications link is not diverted or intercepted as it flows between the end points (without an authorised access) Data Integrity Protect end-user data that is transiting a network element or communications link or is resident in offline storage devices against unauthorised modification, deletion, creation and replication. Availability Ensure that access to end-user data resident in in offline storage devices by authorised personnel and devices cannot be denied. Privacy Ensure that network elements do not provide information pertaining to the end-users network activities (eg. Users geographic location, websites visited, content etc.) to unauthorised personnel.

17 Summary: X.805 Provides a Holistic Approach to Network Security
Comprehensive, end-to-end network view of security Applies to any network technology Wireless, wireline, optical networks Voice, data, video, converged networks Applies to variety of networks Service provider networks Enterprise (service provider’s customer) networks Government networks Management/operations, administrative networks Data center networks Is aligned with other security ITU-T Recommendations and ISO standards

18 NGN security requirements for Release 1 and X.805
ITU-T Recommendation X.805 is a Base for Security work in FGNGN Security Capability WG Guidelines for NGN security and X.805 NGN threat model (based on ITU-T X.800 and X.805 Recommendations) Security Dimensions and Mechanisms (based on ITU-T X.805) Access control Authentication Non-repudiation Data confidentiality Communication security Data integrity Availability Privacy NGN security requirements for Release 1 and X.805 General considerations based on the concepts of X.805

19 Acronyms AAA Authentication, Authorization, Accounting
ACL Access Control List ATM Asynchronous Transfer Mod BC Business Continuity BGP Border Gateway Protocol DHCP Dynamic Host Configuration Protocol DNS Domain Name Service DR Disaster Recovery FCAPS Fault-management, Configuration, Accounting, Performance, and Security FTP File Transfer Protocol HTTP Hyper Text Transfer Protocol ICMP Internet Control Message Protocol IDS Intrusion Detection System IKE Internet Key Exchange protocol IM Instant Messaging IMAP Internet Message Access Protocol IPS Intrusion Prevention System IPsec IP security (set of protocols) IS-IS Intermediate System-to-Intermediate System (routing protocol) L2TP Layer Two Tunneling Protocol MPLS Multi-Protocol Label Switching NAT Network Address Translation OSPF Open Shortest Path First PIM Protocol-Independent Multicast PKI Public Key Infrastructure POP Post Office Protocol QoS Quality of Service RIP Routing Information Protocol RSVP Resource Reservation Setup Protocol RTP Real-time Transport Protocol SIP Session Initiation Protocol SMTP Simple Mail Transfer Protocol SNMP Simple Network Management Protocol SS7 Signaling System 7 TCP Transmission Control Protocol TLS Transport Layer Security protocol UDP User Datagram Protocol VoIP Voice over IP VPN Virtual Private Network

20 Thank you!

Download ppt "ITU-T Recommendation X"

Similar presentations

The leader in session border control for trusted, first class interactive communications.

The leader in session border control for trusted, first class interactive communications.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.

1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Bell Labs Network Security Model

Bell Labs Network Security Model
Chapter 1 – Introduction

Chapter 1 – Introduction
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.

Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 1 v3.0 Module 11 TCP/IP Transport and Application Layers.

1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 1 v3.0 Module 11 TCP/IP Transport and Application Layers.
Applied Cryptography for Network Security

Applied Cryptography for Network Security
Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,

Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,
Data Networking Fundamentals Unit 7 7/2/2015 1 Modified by: Brierley.

Data Networking Fundamentals Unit 7 7/2/ Modified by: Brierley.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.

Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
Network Services Lesson 6. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Setting up common networking services Understanding.

Network Services Lesson 6. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Setting up common networking services Understanding.

Similar presentations

Ads by Google