Professional Documents
Culture Documents
IETF 63 meeting
Outline
Origin of the ITU-T Recommendation X.805 - Security Architecture for Systems Providing End-to-End Communications Three main issues that X.805 addresses Security Dimensions Security Layers Security Planes ITU-T X.805 Security Architecture ITU-T Recommendation X.805 as a base for security work in FGNGN Security Capability WG
3. What are the distinct types of network activities that need to be protected?
X
5
Hn ch v iu khin vic truy nhp vo cc phn t mng, dch v v ng dng. V d: Mt khu, danh sch iu khin truy cp ACL, firewall Ngn chn kh nng ngi s dng no t chi hnh ng m h thc hin vo mng. V d: c ch ghi li s kin h thng, s dng ch k s.
Nhn thc ngi dng Chng minh trnh ph nhn Bo mt d liu m bo an ton Khi truyn d liu m bo tnh ton vn d liu
Nhn dng ngi s dng kim tra tnh ng n ca ngi s dng. V d: kho chia s, s dng h tng kho cng cng, ch k s, chng ch s.
m bo dng thng tin ch i t ngun n ch mong mun, cc im trung gian khng th truy nhp vo dng thng tin. V d: VPN, MPLS, L2TP
m bo cho ngi s dng hp l lun c th s dng cc phn t mng, cc dch v v cc ng dng V d: h thng pht hin / ngn nga truy nhp tri php (IDS / IPS)
m bo tnh kh dng
m bo rng d liu nhn c v c phc hi l ging vi d liu c gi i t ngun. V d: thut ton MD5, ch k s, phn mm chng Virus m bo tnh ring t cho nhn dng v vic s dng mng ca ngi s dng V d: NAT, s dng mt m
6
m bo tnh ring t
Authentication
Non-Repudiation
Availability
Privacy
Security Layers
Concept of Security Layers represents hierarchical approach to securing a network Mapping of the network equipment and facility groupings to Security Layers could be instrumental for determining how the network elements in upper layers can rely on protection that the lower layers provide.
Services Security
VULNERABILITIES
Infrastructure Security
Interruption
ATTACKS
Network-based applications accessed by end-users Examples: Web browsing Directory assistance Email E-commerce
Each Security Layer has unique vulnerabilities, threats Infrastructure security enables services security enables applications security
10
Security Planes
Concept of Security Planes could be instrumental for ensuring that essential network activities are protected independently (e.g. compromise of security at the Enduser Security Plane does not affect functions associated with the Management Security Plane). Concept of Security Planes allows to identify potential network vulnerabilities that may occur when distinct network activities depend on the same security measures for protection.
11
THREATS
Destruction
Services Security
VULNERABILITIES
Corruption
Removal
Disclosure
Interruption
Infrastructure Security
ATTACKS
End User Security
Security Planes
Security Planes represent the types of activities that occur on a network. Each Security Plane is applied to every Security Layer to yield nine security Perspectives (3 x 3) Each security perspective has unique vulnerabilities and threats 12
Protocols
BGP, OSPF, IS-IS, RIP, PIM SIP, RSVP, H.323, SS7. IKE, ICMP PKI, DNS, DHCP, SMTP
Mi e da
Ph hy
Cc l hng
C th tn ti mi lp, mi mt phng an ninh
Lm sai lch
Xa Lm l Lm gin on
Tn cng
Mt User Security End phng an ninh ngi dng Mt phngPlanes Security an ninh Mt phng an ninh iu khin Control/Signaling Security Mt phng an ninh qun l Management Security
14
Lp dch v
Module 4
Lp ng dng
Module 7
Module 2
Module 5
Module 8
Module 3
Module 6
Module 9
iu khin truy cp
Qun l mng: top row Dch v mng: middle column Module an ninh: Giao im lp vi mt phng
Bo mt d liu
Tnh rieng t
Provides a systematic, organized way for performing network security assessments and planning
15
Security Objectives
Ensure that only authorised personnel or devices are allowed access to end-user data that is transiting a network element or communications link or is resident in an offline storage device. Verify the identity of the person or device attempting to access end-user data that is transiting a network element of communications link or is resident in an offline storage device. Authentication techniques may be required as part of Access Control.
Authentication
Provide a record identifying each individual or device that accessed end-user data that is transiting a network element or communications link, or is resident in offline devices and that the action was performed. The record is to be used as proof of access to end-user data. Protect end-user data that is transiting a network element or communications link, or is resident in an offline storage device against unauthorised access or viewing. Techniques used to address access control may contribute to providing data confidentiality for end-user data. Ensure that end-user data that is transiting a network element or communications link is not diverted or intercepted as it flows between the end points (without an authorised access) Protect end-user data that is transiting a network element or communications link or is resident in offline storage devices against unauthorised modification, deletion, creation and replication. Ensure that access to end-user data resident in in offline storage devices by authorised personnel and devices cannot be denied. Ensure that network elements do not provide information pertaining to the end-users network activities (eg. Users geographic location, websites visited, content etc.) to unauthorised personnel.
16
17
ITU-T Recommendation X.805 is a Base for Security work in FGNGN Security Capability WG
Guidelines for NGN security and X.805
NGN threat model (based on ITU-T X.800 and X.805 Recommendations) Security Dimensions and Mechanisms (based on ITU-T X.805)
Access control Authentication Non-repudiation Data confidentiality Communication security Data integrity Availability Privacy
18
Acronyms
AAA ACL BC Authentication, Authorization, Accounting Access Control List Business Continuity L2TP NAT PIM PKI POP QoS RIP RTP SIP Layer Two Tunneling Protocol Network Address Translation Protocol-Independent Multicast Public Key Infrastructure Post Office Protocol Quality of Service Routing Information Protocol Real-time Transport Protocol Session Initiation Protocol MPLS Multi-Protocol Label Switching OSPF Open Shortest Path First ATM Asynchronous Transfer Mod BGP Border Gateway Protocol DHCP Dynamic Host Configuration Protocol DNS DR Domain Name Service Disaster Recovery
FCAPS Fault-management, Configuration, Accounting, Performance, and Security FTP File Transfer Protocol HTTP Hyper Text Transfer Protocol ICMP Internet Control Message Protocol IDS IKE IM IPS Intrusion Detection System Internet Key Exchange protocol Instant Messaging Intrusion Prevention System
SMTP Simple Mail Transfer Protocol SNMP Simple Network Management Protocol SS7 TCP Signaling System 7 Transmission Control Protocol
IMAP Internet Message Access Protocol IPsec IP security (set of protocols) IS-IS Intermediate System-to-Intermediate System (routing protocol)
TLS
UDP VoIP VPN
19
Thank you!
20