Telecommunication Security

1
Telecommunication Security
SOURCE ITU-T
TITLE ITU-T Security Standardization
AGENDA ITEM GTSC, agenda item 5.5
CONTACT Herb Bertine, hbertine_at_lucent.com
GSC11(06)_GTSC_07

• Herbert Bertine
• Chairman, ITU-T SG 17

2
High Level Security Drivers

• ITU Plenipotentiary Conference (PP-02)
• Intensify efforts on security
• World Telecommunications Standardization Assembly
  (WTSA-04)
• Security robustness of protocols
• Combating/Countering spam
• World Summit on the Information Society (WSIS-05)
• Cyber security

3
ITU-T Study Groups

• ITU-T work is divided up between Study Groups
  (SGs).
• SG 2 Operational aspects of service provision,
  networks and performance
• SG 4 Telecommunication management
• SG 5 Protection against electromagnetic
  environment effects
• SG 6 Outside Plant and related indoor
  installations
• SG 9 Integrated broadband cable networks and
  television and sound transmission
• SG 11 Signaling requirements and protocols
• SG 12 Performance and quality of service
• SG 13 Next Generation Networks
• SG 15 Optical and other transport networks
• SG 16 Multimedia services, systems and terminals
  
• SG 17 Security, languages and telecommunication
  software
• SG 19 Mobile Telecommunications Networks
• SG17 is the Lead Study Group on
  telecommunication security.

4
Overview of ITU-T Security StandardizationCollabo
ration is key factor
5
WP 2/17 Security Questions (2005-2008)
Q8/17
Telecom Systems Users
Telebiometrics Multimodal Model Fwk System
Mechanism Protection Procedure X.1081
TelecomSystems
Q5/17
Secure Communication Services Mobile Secure
Communications Home Network Security
Security Web Services X.1121, X.1122
Q7/17
SecurityManagement ISM Guideline for
Telecom Incident Management Risk
Assessment Methodology etc X.1051
SecurityArchitecture Framework Architecture,
Model, Concepts, Frameworks,etc X.800
seriesX.805
Q9/17
Cyber SecurityOverview of Cyber-securityVulner
ability Information Sharing Incident Handling
Operations
Q6/17
Countering spam Technical anti-spam measures
Q17/17
New
Q4/17
Communications System Security
Vision, Coordination, Roadmap, Compendia
6
Highlights of whats new since GSC-10

• Two new ITU-T Questions
• Q.15/13, NGN security
• Q.17/17, Countering spam by technical means
• 38 security Recommendations are under development
  in Study Group 17
• Other SGs are developing security Recommendations
  for specific technologies for example 5 on NGN
  security
• Focus Group on Security Baseline For Network
  Operators
• New Horizons for Security Standardization
  Workshop
• Security standards roadmap
• Cybersecurity web portal

7
Q.15/13 NGN Security

• Recognizing that security is one of the
  defining features of NGN, it is essential to put
  in place a set of standards that will guarantee,
  to the maximum degree possible, the security of
  the telecommunications infrastructure as PSTNs
  evolve to NGNs.
• The NGN Security studies must address
  and develop network architectures that
• - Provide for maximal network and end-user
  resource protection
• - Allow for highly-distributed intelligence
  end-to-end
• - Allow for co-existence of multiple
  networking technologies
• - Provide for end-to-end security mechanisms
• - Provide for security solutions that apply
  over multiple administrative domains

8
Q.17/17 Combating spam by technical means

• Spam has become a widespread problem
  causing a complex range of problems to users,
  service providers, and network operators around
  the globe. While spam was originally used to send
  unsolicited commercial messages, increasingly
  spam messages are being used to spread viruses,
  worms, and other malicious code that negatively
  impact the security and stability of the global
  telecommunication network. Spam may include the
  delivery of phishing and spyware. It is a global
  problem that requires a multifaceted,
  comprehensive approach.
• Study items to be considered include,
  but are not limited to
• - What risks does spam pose to the
  telecommunication network?
• - What technical factors associated with
  the telecommunication network contribute to the
  difficulty of identifying the sources of spam?
• - How can new technologies lead to
  opportunities to counter spam and enhance the
  security of the telecommunication network?
• - Do advanced telecommunication network
  technologies (for example, SMS, instant
  messaging, VoIP) offer unique opportunities for
  spam that require unique solutions?
• - What technical work is already being
  undertaken within the IETF, in other fora, and by
  private sector entities to address the problem of
  spam?
• - What telecommunication network
  standardization work, if any, is needed to
  effectively counter spam as it relates to the
  stability and robustness of the telecommunication
  network?

9
SG 17 Security Recommendations under development
(1/3)

• Summaries of all Study Group 17 Recommendations
  under development are available on the Study
  Group 17 web page at www.itu.int/itu-t/studygroup
  s/com17
• Communications Systems Security Project
• X.sbno, Security baseline for network operators
• Security Architecture and Framework
• X.805, Division of the security features between
  the network and the users
• X.805nsa, Network security certification based on
  ITU-T Recommendation X.805
• X.ngn-akm, Framework for authentication and key
  management for link layer security of NGN
• X.pak, Password-authenticated key exchange (PAK)
• X.spn, Framework for creation, storage,
  distribution and enforcement of security policies
  for networks

10
SG 17 Security Recommendations under development
(2/3)

• Cyber Security
• X.cso, Overview of cybersecurity
• X.sds, Guidelines for Internet Service Providers
  and End-users for Addressing the Risk of Spyware
  and Deceptive Software
• X.cvlm, Guidelines on Cybersecurity Vulnerability
  Life-cycle Management
• X.vds, A vendor-neutral framework for automatic
  checking of the presence of vulnerabilities
  information update
• Security Management
• X.1051 (R), Information security management
  guidelines for telecommunications based on
  ISO/IEC 27002
• X.rmg, Risk management guidelines for
  telecommunications
• X.sim, Security incident management guidelines
  for telecommunications
• Telebiometrics
• X.bip, BioAPI interworking protocol
• X.physiol, Telebiometrics related to human
  physiology
• X.tai, Telebiometrics authentication
  infrastructure
• X.tpp-1, A guideline of technical and managerial
  countermeasures for biometric data security
• X.tpp-2, A guideline for secure and efficient
  transmission of multi-modal biometric data
• X.tsm-1, General biometric authentication
  protocol and profile on telecommunication systems
• X.tsm-2, Profile of telecomunication device for
  Telebiometrics System Mechanism (TSM)

11
SG 17 Security Recommendations under development
(2/3)

• Secure Communication Services
• X.crs, Correlative reacting system in mobile
  network
• X.homesec-1, Framework of security technologies
  for home network
• X.homesec-2, Certificate profile for the device
  in the home network
• X.homesec-3, User authentication mechanisms for
  home network service
• X.msec-3, General security value added service
  (policy) for mobile data communication
• X.msec-4, Authentication architecture in mobile
  end-to-end data communication
• X.p2p-1, Requirements of security for
  peer-to-peer and peer-to-multi peer
  communications
• X.p2p-2, Security architecture and protocols for
  peer to peer network
• X.sap-1, Guideline on secure password-based
  authentication protocol with key exchange
• X.sap-2, Secure communication using TTP service
• X.websec-1, Security Assertion Markup Language
  (SAML) X.1141 now in AAP Last Call
• X.websec-2, eXtensible Access Control Markup
  Language (XACML) X.1142 now in AAP Last Call
• X.websec-3, Security architecture for message
  security in mobile web services
• Countering spam by technical means
• X.csreq, Requirement on countering spam
• X.fcs, Technical framework for countering email
  spam
• X.gcs, Guideline on countering email spam
• X.ocsip, Overview of countering spam for IP
  multimedia application

12
SG 13 Security Recommendations under development

• NGN Security
• Security Requirements for NGN Release 1
• Guidelines for NGN Security Release 1
• Authentication requirements for NGN Release 1
• AAA Service for Network Access to NGN
• Security considerations for Pseudowire (PWE)
  technology
• Continuation of the work originated in the
  ITU-T Focus Group on NGN

13
Focus Group Security Baseline for Network
Operators

• Established October 2005 by SG 17
• Objectives
• Define a security baseline against which network
  operators can assess their network and
  information security posture in terms of what
  security standards are available, which of these
  standards should be used to meet particular
  requirements, when they should be used, and how
  they should be applied
• Describe a network operators readiness and
  ability to collaborate with other entities
  (operators, users and law enforcement
  authorities) to counteract information security
  threats
• Provide meaningful criteria that can be used by
  network operators against which other network
  operators can be assessed, if required.
• Next Step
• Survey network operators by means of a
  questionnaire

14
New Horizons for Security Standardization Workshop

• Workshop held in Geneva 3-4 October 2005
• Objectives
• Provide an overview of key international security
  standardization activities
• Seek to identify primary security concerns and
  issues
• Determine which issues are amenable to a
  standards-based solution
• Identify which SDOs are are best equipped to do
  so and
• Consider how SDOs can collaborate to improve the
  timeliness and effectiveness of security
  standards and avoid duplication of effort.
• Results reported under following topics
• What are the crucial problems in ICT security
  standardization?
• Meta issues and need for a global framework
• Standards Requirements and Priorities
• Liaison and information sharing
• User issues
• Technology and threat issues
• Focus for future standardization work
• Process issues
• Follow-on issues
• Report available at www.itu.int/ITU-T/worksem/sec
  urity/200510/index.html

15
ICT Security Standards Roadmap

• Four Part Roadmap
• Part 1 contains information about organizations
  working on ICT security standards
• Part 2 is a database of existing security
  standards
• Presently includes ITU-T, ISO/IEC JTC1 and IETF
  standards
• Will be expanded to include other standards
• Part 3 will be a list of standards in development
• Part 4 will identify future needs and proposed
  new standards
• Publicly available under Special Projects and
  Issues at
• www.itu.int/ITU-T/studygroups/com17/index
• We invite you to use the Roadmap, provide
  feedback and help us develop it to meet your needs

16
The ITU Global Cybersecurity Gateway
LIVE at http//www.itu.int/cybersecurity Provides
an easy-to-use information resource on national,
regional and international cybersecurity-related
activities and initiatives worldwide.
17
Structure of the Cybersecurity Gateway

• The portal is geared towards four specific
  audiences Citizens Businesses
  Governments, International Organizations
• Database information collected within five main
  themes
• Information sharing of national approaches, good
  practices and guidelines
• Developing watch, warning and incident response
  capabilities
• Technical standards and industry solutions
• Harmonizing national legal approaches and
  international legal coordination and enforcement
  
• Privacy, data and consumer protection.
• Additional information resources on the following
  topics spam, spyware, phishing, scams and
  frauds, worms and viruses, denial of service
  attacks, etc.

18
(No Transcript)
19
Some useful web resources

• ITU-T Home page www.itu.int/itu-t
• Study Group 17 www.itu.int/itu-t/studygroups/com
  17
• LSG on Security http//www.itu.int/ITU-T/studygrou
  ps/com17/tel-security.html
• e-mail tsbsg17_at_itu.int
• Recommendations www.itu.int/ITU-T/publications/re
  cs.html
• ITU-T Lighthouse www.itu.int/ITU-T/lighthouse
• ITU-T Workshops www.itu.int/ITU-T/worksem
• Security Roadmap http//www.itu.int/ITU-T/studygr
  oups/com17/ict/index.html
• Cybersecurity Portal http//www.itu.int/cybersecu
  rity

20
Closing Observations

• Security is everybody's business
• Collaboration with other SDOs is necessary
• Security needs to be designed in upfront
• Security must be an ongoing effort
• Systematically addressing vulnerabilities
  (intrinsic properties of networks/systems) is
  keyso that protection can be provided
  independent of what the threats (which are
  constantly changing and may be unknown) may be
• X.805 is helpful here

21
Additional details on security work in ITU-T
Study Groups- Study Group 17- Study Group
4- Study Group 9- Study Group 13- Study
Group 16- Study Group 19
22

• ITU-T SG 17 Work on Security

23
Study Group 17 Security, languages and
telecommunication software

• SG 17 is the Lead Study Group on
  telecommunication security - It is responsible
  for coordination of security across all Study
  Groups.
• Subdivided into three Working Parties (WPs)
• WP1 - Open systems technologies
• WP2 - Telecommunications security and
• WP3 - Languages and telecommunications software
• Most (but not all) security Questions are in WP2
• Summaries of all draft Recommendations under
  development in SG 17 are available on the SG 17
  web page at www.itu.int/itu-t/studygroups/com17

24
Current SG 17 security-related Questions

• Working Party 1
• 1/17 End-to-end Multicast Communications with
  QoS Managing Facility
• 2/17 Directory services, Directory systems, and
  public- key/attribute certificates
• 3/17 Open Systems Interconnection (OSI)
• 16/17 Internationalized Domain Names (IDN)
• Working Party 2
• 4/17 Communications Systems Security Project
• 5/17 Security Architecture and Framework
• 6/17 Cyber Security
• 7/17 Security Management
• 8/17 Telebiometrics
• 9/17 Secure Communication Services
• 17/17   Countering spam by technical means

25

• ITU-T SG 17 Question 4Communications Systems
  Security Project
• Security Workshop
• ICT Security Roadmap
• Focus Group on Security Baseline For Network
  Operators

26
New Horizons for Security Standardization Workshop

• Workshop held in Geneva 3-4 October 2005
• Hosted by ITU-T SG17 as part of security
  coordination responsibility
• ISO/IEC JTC1 played an important role in planning
  the program and in providing speakers/panelists.
• Speakers, panelists, chairs from
• ITU-T
• ISO/IEC
• IETF
• Consortia OASIS, 3GPP
• Regional SDOs ATIS, ETSI, RAIS

27
Workshop Objectives

• Provide an overview of key international security
  standardization activities
• Seek to find out from stakeholders (e.g., network
  operators, system developers, manufacturers and
  end-users) their primary security concerns and
  issues (including possible issues of adoption or
  implementation of standards)
• Try to determine which issues are amenable to a
  standards-based solution and how the SDOs can
  most effectively play a role in helping address
  these issues
• Identify which SDOs are already working on these
  issues or are best equipped to do so and
• Consider how SDOs can collaborate to improve the
  timeliness and effectiveness of security
  standards and avoid duplication of effort.

28
Workshop Results

• Excellent discussions, feedback and suggestions
• Documented in detail in the Workshop report
• Results are reported under following topics
• What are the crucial problems in ICT security
  standardization?
• Meta issues and need for a global framework
• Standards Requirements and Priorities
• Liaison and information sharing
• User issues
• Technology and threat issues
• Focus for future standardization work
• Process issues
• Follow-on issues
• The report is available on-line at
• www.itu.int/ITU-T/worksem/security/200510/index.ht
  ml

29
ICT Security Standards Roadmap(An SG 17
Work-in-progress)

• Part 1 contains information about organizations
  working on ICT security standards
• Part 2 is database of existing security standards
• Part 3 will be a list of standards in development
• Part 4 will identify future needs and proposed
  new standards

30
Roadmap access

• Part 2 includes ITU-T, ISO/IEC JTC1 and IETF
  standards. It will be expanded to include other
  standards (e.g. regional and consortia
  specifications).
• It will also be converted to a Database format to
  allow searching and to allow organizations to
  manage their own data
• Publicly available under Special Projects and
  Issues at
• www.itu.int/ITU-T/studygroups/com17/index
• We invite you to use the Roadmap, provide
  feedback and help us develop it to meet your
  needs

31
Other Q.4/17 projects

• Security in Telecommunications and Information
  Technology an overview of existing ITU-T
  Recommendations for secure telecommunications.
• www.itu.int/ITU-T/publications/index.html
• Security compendium
• catalogue of approved ITU-T Recommendations
  related to telecommunication security
• extract of ITU-T approved security definitions
• listing of ITU-T security related Questions
• www.itu.int/ITU-T/studygroups/com17/tel-security.h
  tml
• We are in the process of establishing a Security
  Experts Network (SEN) to maintain on-going
  dialogue on key issues of security
  standardization.

32
Focus Group Security Baseline for Network
Operators

• Established October 2005 by SG 17
• Objectives
• Define a security baseline against which network
  operators can assess their network and
  information security posture in terms of what
  security standards are available, which of these
  standards should be used to meet particular
  requirements, when they should be used, and how
  they should be applied
• Describe a network operators readiness and
  ability to collaborate with other entities
  (operators, users and law enforcement
  authorities) to counteract information security
  threats
• Provide meaningful criteria that can be used by
  network operators against which other network
  operators can be assessed, if required.
• Next Step
• Survey network operators by means of a
  questionnaire

33

• ITU-T SG 17 Question 5Security Architecture and
  Framework
• Brief description of Q.5
• Milestones
• Draft Recommendations under development

34
Brief description of Q.5/17

• Motivation
• The telecommunications and information technology
  industries are seeking cost-effective
  comprehensive security solutions that could be
  applied to various types of networks, services
  and applications. To achieve such solutions in
  multi-vendor environment, network security should
  be designed around the standard security
  architectures and standard security technologies.
• Major tasks
• Development of a comprehensive set of
  Recommendations for providing standard security
  solutions for telecommunications in collaboration
  with other Standards Development Organizations
  and ITU-T Study Groups.
• Maintenance and enhancements of Recommendations
  in the X.800 series
• X.800, X.802, X.803, X.805, X.810, X.811,
  X.812, X.813, X.814, X.815, X.816, X.830, X.831,
  X.832, X.833, X.834, X.835, X.841, X.842 and
  X.843

35
Q.5/17 Milestones

• ITU-T Recommendation X.805, Security Architecture
  for Systems Providing End-to-end Communications,
  was published in 2003.
• ISO Standard 18028-2, Network security
  architecture, was developed in collaboration
  between ITU-T Q.5/17 and ISO/IEC JTC 1 SC 27 WG
  1. The Standard is technically aligned with
  X.805. It was published in 2006.

36
ITU-T Recommendation X.805
X.805 defines a network security architecture for
providing end-to-end network security. The
architecture can be applied to various kinds of
networks where the end-to-end security is a
concern and independently of the networks
underlying technology.
37
Q.5/17 Draft Recommendations 1/2

• Applications and further development of major
  concepts of ITU-T Recommendation X.805
• X.805, Division of the security features between
  the network and the users. This Recommendation
  specifies division of security features between
  the networks and users. It provides guidance on
  applying concepts of the X.805 architecture to
  securing service providers, application
  providers networks and the end users equipment.
• X.805nsa, Network security certification based on
  ITU-T Recommendation X.805. This Recommendation
  describes the methodology, processes and controls
  required for network security certification based
  on ITU-T Recommendation X.805, Security
  Architecture for Systems Providing End-to-End
  Communications.

38
Q.5/17 Draft Recommendations 2/2

• Standardization in support of Authentication
  Security Dimension (defined in X.805)
• X.pak, Password-authenticated Key Exchange
  Protocol (PAK). This Recommendation specifies a
  password-based protocol for authentication and
  key exchange, which ensures mutual authentication
  of both parties in the act of establishing a
  symmetric cryptographic key via Diffie-Hellman
  exchange.
• X.ngn-akm, Framework for authentication and key
  management for link layer security of NGN. This
  Recommendation establishes a framework for
  authentication and key management for securing
  the link layer of NGN. It also provides guidance
  on selection of the EAP methods for NGN.
• Standardization of network security policies
• X.spn, Framework for creation, storage,
  distribution, and enforcement of security
  policies for networks. This Recommendation
  establishes security policies that are to drive
  security controls of a system or service. It also
  specifies a framework for creation, storage,
  distribution, and enforcement of policies for
  network security that can be applied to various
  environmental conditions and network devices.

39

• ITU-T SG 17 Question 6Cyber Security
• Motivation
• Objectives
• Scope
• Current area of focus
• Draft Recommendations under development

40
Q.6/17 Motivation

• Network connectivity and ubiquitous access is
  central to todays IT systems
• Wide spread access and loose coupling of
  interconnected IT systems is a primary source of
  widespread vulnerability
• Threats such as denial of service, theft of
  financial and personal data, network failures and
  disruption of voice and data telecommunications
  are on the rise
• Network protocols in use today were developed in
  an environment of trust.
• Most new investments and development is dedicated
  to building new functionality and not on securing
  that functionality
• An understanding of cybersecurity is needed in
  order to build a foundation of knowledge that
  can aid in securing the networks of tomorrow

41
Q.6/17 Objectives

• Perform actions in accordance with Lead Study
  Group (LSG) responsibility with the focus on
  cybersecurity
• Work with Q.1 of SG 2 on a definition of
  Cybersecurity
• Identify and develop standards required for
  addressing the challenges in cybersecurity,
  within the scope of Q.6/17
• Provide assistance to other ITU-T Study Groups in
  applying relevant cybersecurity Recommendations
  for specific security solutions. Review
  project-oriented security solutions for
  consistency.
• Maintain and update existing Recommendations
  within the scope of Q.6/17.
• Coordinate security activities with other ITU-T
  SGs, ISO/IEC JTC 1 eg. SC6, SC27 and SC37), and
  consortia as appropriate.
• Provide awareness on new security technologies
  related to cybersecurity

42
Q.6/17 Scope

• Definition of Cybersecurity
• Security of Telecommunications Network
  Infrastructure
• Security Knowledge and Awareness of Telecom
  Personnel and Users
• Security Requirements for Design of New
  Communications Protocol and Systems
• Communications relating to Cybersecurity
• Security Processes Life-cycle Processes
  relating to Incident and Vulnerability
• Security of Identity in Telecommunication Network
• Legal/Policy Considerations

43
Q.6/17 Current Area of Focus

• Work with SG 2 on the definition and requirements
  of cybersecurity.
• Collaborate with Q5,7,9,17/17 and SG 2 in order
  to achieve better understanding of various
  aspects of network security.
• Collaborate with IETF, OASIS, ISO/IEC JTC1, W3C,
  APEC-TEL and other standardization bodies on
  cybersecurity.
• Work on framework for secure network operations
  to address how telecommunications network
  providers secure their infrastructure and
  maintain secure operations.
• Work on Recommendation for standardization of
  vulnerability data definition.
• Study new cybersecurity issues How should ISPs
  deal with botnets, evaluating the output of
  appropriate bodies when available.
• Call for contributions for the outstanding
  questions identified in the revised scope.

44
Q.6/17 Draft Recommendations 1/2

• Overview of Cybersecurity (X.cso)
• This Recommendation provides a definition for
  Cybersecurity. The Recommendation provides a
  taxonomy of security threats from an operator
  point of view. Cybersecurity vulnerabilities and
  threats are presented and discussed at various
  network layers.
• Various Cybersecurity technologies that are
  available to remedy the threats include Routers,
  Firewalls, Antivirus protection, Intrusion
  detection systems, Intrusion protection systems,
  Secure computing, Audit and Monitoring. Network
  protection principles such as defence in depth,
  access and identity management with application
  to Cybersecurity are discussed. Risk Management
  strategies and techniques are discussed including
  the value of training and education in protecting
  the network. A discussion of Cybersecurity
  Standards, Cybersecurity implementation issues
  and certification are presented.
• A vendor-neutral framework for automatic checking
  of the presence of vulnerabilities information
  update (X.vds)
• This Recommendation provides a framework of
  automatic notification on vulnerability
  information. The key point of the framework is
  that it is a vendor-neutral framework. Once users
  register their software, updates on the
  vulnerabilities and patches of the registered
  software will automatically be made available to
  the users. Upon notification, users can then apply

45
Q.6/17 Draft Recommendations 2/2

• Guidelines for Internet Service Providers and
  End-users for Addressing the Risk of Spyware and
  Deceptive Software (X.sds)
• This Recommendation provides guidelines for
  Internet Service Providers (ISP) and end-users
  for addressing the risks of spyware and deceptive
  software. The Recommendation promotes best
  practices around principles of clear notices, and
  users consents and controls for ISP web hosting
  services. The Recommendation also promotes best
  practices to end-users on the Internet to secure
  their computing devices and information against
  the risks of spyware and deceptive software
• Guidelines on Cybersecurity Vulnerability
  Life-cycle Management(X.cvlm)
• The Recommendation provides a framework for the
  provision of monitoring, discovering, responding
  and post-analysis of vulnerabilities. Service
  providers can use this Recommendation to
  complement their existing Information Security
  Management System process in the aspect of
  regular vulnerability assessment, vulnerability
  management, incident handling and incident
  management.

46

• ITU-T SG 17 Question 7Security Management
  Systems
• Tasks
• Recommendations planned
• Revised X.1051
• Approach for revised X.1051

47
Q.7/17 Tasks

• Information Security Management Guidelines for
  telecommunications (Existing X.1051,
  Information security management system
  Requirements for telecommunications (ISMS-T) )
  Maintain and revise Recommendation X.1051,
  Information Security Management Guidelines for
  telecommunications based on ISO/IEC27002.Jointl
  y develop a guideline of information security
  management with ISO/IEC JTC 1/SC 27.
• Risk Management MethodologyStudy and develop a
  methodology of risk management for
  telecommunications in line with Recommendation
  X.1051.Produce and consent a new ITU-T
  Recommendation for risk management methodology.
• Incident ManagementStudy and develop a handling
  and response procedure on security incidents for
  the telecommunications in line with
  Recommendation X.1051.Produce and consent a new
  ITU-T Recommendation for incident management
  methodology and procedures.

48
Recommendations planned in Q.7/17 (Security
Management)

• X.1050 To be proposed
• X.1051 In revision process Information Security
  Management Guidelines for Telecommunications
  based on ISO/IEC 27002
• X.1052 To be proposed
• X.1053 To be proposed (Implementation Guide for
  Telecoms)
• X.1054 To be proposed (Measurements and metrics
  for Telecommunications)
• X.1055 In the first stage of development Risk
  Management Guidelines for Telecommunications
• X.1056 In the first stage of development
  Security Incident Management Guidelines for
  Telecommunications
• X.1057 To be proposed (Identity Management for
  Telecoms)

49
Information security management guidelines for
Telecommunications (Revised X.1051)
Revised X.1051
Security policy
Organising information security
Asset management
Human resources security
Physical environmental security
Communications operations management
Access control
Information systems acquisition, development and
maintenance
Information security incident management
Business continuity management
Compliance
50
Q.7/17 Approach to develop revised
Recommendation X.1051
27002
51

• ITU-T SG 17 Question 8Telebiometrics
• Objectives
• Study areas on Biometric Processes
• X.1081 and draft Recommendations under development

52
Q.8/17 Objectives

• 1)To define telebiometric multimodal model
  framework
• 2)To specify biometric authentication mechanism
  in open network
• 3)To provide protection procedures and
  countermeasures for telebiometric systems

53
Q.8/17 Study areas on Biometric Processes
54
Q.8/17 Recommendations 1/4

• X.1081 The telebiometric multimodal model
  framework A framework for the specification of
  security and safety aspects of telebiometrics
• This Recommendation defines a telebiometric
  multimodal model that can be used as a framework
  for identifying and specifying aspects of
  telebiometrics, and for classifying biometric
  technologies used for identification (security
  aspects).
• X.physiol Telebiometrics related to human
  physiology
• This Recommendation gives names and symbols for
  quantities and units concerned with emissions
  from the human body that can be detected by a
  sensor, and with effects on the human body
  produced by the telebiometric devices in his
  environments.

55
Q.8/17 Recommendations 2/4

• X.tsm-1 General biometric authentication
  protocol and profile on telecommunication system
• This Recommendation defines communication
  mechanism and protocols of biometric
  authentication for unspecified end-users and
  service providers on open network.
• X.tsm-2 Profile of telecomunication device for
  Telebiometrics System Mechanism (TSM)
• This Recommendation defines the requirements,
  security profiles of client terminals for
  biometric authentication over the open network.

56
Q.8/17 Recommendations 3/4

• X.tai Telebiometrics authentication
  infrastructure
• This Recommendation specifies a framework to
  implement biometric identity authentication with
  certificate issuance, management, usage and
  revocation.
• X.bip BioAPI interworking protocol
• This Recommendation is common text of ITU-T and
  ISO/IEC JTC1 SC37. It specifies the syntax,
  semantics, and encodings of a set of messages
  ("BIP messages") that enable BioAPI-conforming
  application in telebiometric systems.

57
Q.8/17 Recommendations 4/4

• X.tpp-1 A guideline of technical and managerial
  countermeasures for biometric data security
• This Recommendation defines weakness and
  threats in operating telebiometric systems and
  proposes a general guideline of security
  countermeasures from both technical and
  managerial perspectives.
• X.tpp-2 A guideline for secure and efficient
  transmission of multi-modal biometric data
• This Recommendation defines threat
  characteristics of multi-modal biometric system,
  and provides cryptographic methods and network
  protocols for transmission of multi-modal
  biometric data.

58

• ITU-T SG 17 Question 9
• Secure Communication Services
• Focus
• Position of each topic
• Mobile security
• Home network security
• Web services security
• Secure applications services

59
Q.9/17 Focus

• Develop a set of standards of secure application
  services, including
• Mobile security Under study
• Home network security Under study
• Web Services security Under study
• Secure application services Under study
• Privacy protection for RFID and multimedia
  content and digital Identity management To be
  studied

60
Position of each topic
Web Services security
Application Server
Home Network
Mobile Terminal
Open Network
Mobile Network
Home network security
Mobile security
Secure application services
61
Q.9/17 - Mobile Security

• X.1121, Framework of security technologies for
  mobile end-to-end data communications Approved
  2004
• X.1122, Guideline for implementing secure mobile
  systems based on PKI Approved 2004
• X.msec-3, General security value added service
  (policy) for mobile data communication
• Develops general security service as value added
  service for secure mobile end-to-end data
  communication.
• X.msec-4, Authentication architecture in mobile
  end-to-end data communication
• Constructs generic authentication architecture
  for mobile data communication between mobile
  users and application servers.
• X.crs, Correlative reacting system in mobile
  network
• Develops the generic architecture of a
  correlative reactive system to protect the mobile
  terminal against Virus, worms, Trojan-Horses or
  other network attacks to both the mobile network
  and its mobile users.

62
Q.9/17 - Home network security

• X.homesec-1, Framework for security technologies
  for home network
• Framework of security technologies for home
  network
• Define security threats and security
  requirements, security functions, security
  function requirements for each entity in the
  network, and possible implementation layer
• X.homesec-2, Certificate profile for the device
  in the home network
• Device certificate profile for the home network
• Develops framework of home network device
  certificate.
• X.homesec-3, User authentication mechanisms for
  home network service
• User authentication mechanisms for home network
  service.
• Provides the user authentication mechanism in the
  home network, which enables various
  authentication means such as password,
  certificate, biometrics and so on.

63
Q.9/17 - Web Services security

• X.websec-1, Security Assertion Markup Language
  (SAML)
• Security assertion markup language
• Adoption of OASIS SAML v2.0 into ITU-T
  Recommendation X.1141 - Consented April 2006
• Define XML-based framework for exchanging
  security information.
• The security information expressed in the form of
  assertions about subjects, where a subject is an
  entity (either human or computer) that has an
  identity in some security domain.
• X.websec-2, eXtensible Access Control Markup
  Language (XACML)
• eXtensible Access Control Markup Language
• Adoption of OASIS XACML v2.0 into ITU-T
  Recommendation X.1142 - Consented April 2006
• Provides an XML vocabulary for expressing access
  control policies and the syntax of the language
  and the rules for evaluating policies.
• X.websec-3, Security architecture for message
  security in mobile Web Services
• Develops a guideline on message security
  architecture and service scenarios for securing
  messages for mobile Web Services.

64
Q.9/17 - Secure applications services

• X.sap-1, Guideline on strong password
  authentication protocols
• Guideline on secure password-based authentication
  protocol with key exchange.
• Define a set of requirements for password-based
  protocol with key exchange and a selection
  guideline by setting up criteria that can be used
  in choosing an optimum authentication protocol
  for each application.
• X.sap-2, Secure communication using TTP service
• Secure end-to-end data communication techniques
  using TTP services
• Specifies secure end-to-end data communication
  techniques using TTP services that are services
  defined in X.842 or other services.
• X.p2p-1, Anonymous authentication architecture in
  community communication
• Requirements of security for peer-to-peer and
  peer-to-multi peer communications
• Investigates threat analysis for P2P and P2MP
  communication services and describes security
  requirements for secure P2P and P2MP
  communication services.
• X.p2p-2, Security architecture and protocols for
  peer to peer network
• Security architecture and protocols for peer to
  peer network
• Describes the security techniques and protocols
  in the P2P environment.

65

• ITU-T SG 17 Question 17
• Countering spam by technical means
• Objectives
• Set of Recommendations

66
Q.17/17 Objectives

• The aim of this Question is to develop a set of
  Recommendations on countering spam by technical
  means for ITU-T, taking into account the need for
  collaboration with ITU-T other Study Groups and
  cooperation with other SDOs. The Question focuses
  particularly on technical requirement, frameworks
  and new technologies for countering spam.
  Guidelines on countering spam by technical means
  are also studied.

67
Q.17/17 Set of Recommendations
68
Q.17/17 Brief Summaries of draft Recommendations
under development 1/2

• X.csreq, Requirement on countering spamThis
  Recommendation provides the general
  characteristics of spam, elicits generic
  objectives and provides an overview of the
  technical requirements on countering spam. In
  addition, this Recommendation provides checklist
  to evaluate the solution on countering spam.
• X.fcs, Technical framework for countering email
  spam
• This Recommendation specifies the technical
  framework for network structure for the
  countering spam. Functions inside the framework
  are defined. It also includes the commonsensible
  characteristics of email spam, the universal
  rules of judgement and the common methods of
  countering email spam.

69
Q.17/17 Brief Summaries of draft Recommendations
under development 2/2

• X.gcs, Guideline on countering email spam
  (X.gcs)
• This Recommendation specifies technical
  issues on countering email spam. It provides the
  current technical solutions and related
  activities from various SDOs and relevant
  organizations on countering email spam. It will
  be used as a basis for further development of
  technical Recommendations on countering email
  spam.
• X.ocsip, Overview of countering spam for IP
  multimedia applicationThis Recommendation
  specifies basic concepts, characteristics, and
  effects of spam in IP multimedia applications
  such as IP Telephony, video on demand, IP TV,
  instant messaging, multimedia conference, etc. It
  will provide basis and guideline for developing
  further technical solutions on countering spam.

70

• Security Work in other ITU-T Study Groups
• SG 4 Security of Management plane
• SG 9 IPCablecom
• SG 13 NGN security
• SG 16 Multimedia security
• SG 19 Security in IMT-2000

71

• ITU-T SG 4 Work on Security

72
SG 4 Security of the Management Plane (M.3016
series)

• Approved last year, the M.3016 series is viewed
  as a key aspect of NGN Management it is included
• in the NGN Management Roadmap issued by the
  NGNMFG
• In M.3060 on the Principles of NGN Management
• The M.3016 series consists of 5 parts
• M.3016.0 Overview
• M.3016.1 Requirements
• M.3016.2 Services
• M.3016.3 Mechanisms
• M.3016.4 Profile proforma
• The role of M.3016.4 is unique in that it
  provides a template for other SDOs and forums to
  indicate for their membership what parts of
  M.3016 are mandatory or optional

73

• ITU-T SG 9 Work on Security

74
SG 9 IPCablecom Evolution

• Enhance cables existing IP service environment
  to accelerate the convergence of voice, video,
  data, and mobility
• Define an application agnostic architecture that
  allows cable operators to rapidly innovate new
  services
• Provide a suite of Recommendations that define
  the elements and interfaces needed to facilitate
  multi-vendor interoperability
• Incorporate leading communications technologies
  from the IETF and 3GPP IMS

75
SG 9 IPCablecom Evolution
76
SG 9 Targeted Applications

• Enhanced Cable Voice and Video IP Telephony
• Support for new media and client types (e.g.,
  video telephony, soft clients)
• Call treatment based on presence, device
  capability, identity
• Maintain support for cable telephony features
  enabled by current IPCablecom Recommendations
• Fixed-mobile Convergence over Cable
• Support for dual mode cellular/WiFi handsets over
  DOCSIS
• Call handover between IPCablecom VoIP networks
  and cellular networks
• Integrated features and call control between
  cellular and VoIP platforms
• Cable Cross-Platform Features
• Cross platform notification, messaging (e.g.,
  Caller-ID on TV)
• Third-party call control features, such as Click
  to dial

77
SG 9 Design Approach

• Incorporate new IP communication technologies
• Focus on the Session Initiation Protocol (SIP)
  and supporting protocols
• Leverage the 3GPP IMS as a service delivery
  platform
• Develop a modular and extensible architecture
  that allows new services to be added without
  impacting the core IPCablecom infrastructure
• Ensure backward compatibility with existing
  IPCablecom Recommendations
• Support a wide variety of client devices

78
SG 9 IPCablecom Security Requirements Under
Consideration

• Support a range of authentication schemes
• UICCs (similar to SIM card)
• Digital Certificates (existing IPCablecom EMTAs)
• SIP digest (software clients)
• Support a range of secure signaling options
• IPsec
• TLS
• Disabled
• Support secure configuration before registration
• Support TLS for intra-domain security
• Minimize changes to IMS
• Reuse existing standards

79
SG 9 DOCSIS Base Line Privacy Plus

• The primary goals of DOCSIS BPI are to provide
  privacy of customer traffic, integrity of
  software downloads, and prevent theft of service.
• DOCSIS BPI provides a number of tools to support
  these goals
• Traffic encryption for privacy/confidentiality.
• Secure Software Download to assure a valid CM
  image.
• Configuration file authentication to help secure
  the provisioning process.
• Focus is on the link layer between the CMTS and
  CM. Security outside the DOCSIS network is
  provided by applications and other networks.

80
SG 9 DOCSIS BPI Security Algorithms

• A Cable Modem Terminations System (CMTS)
  authenticates cable modems (CM) using X.509
  certificates and RSA public key cryptography.
• Subscriber Traffic encryption
• 3DES used for key exchange
• DES used for traffic encryption. AES being
  considered for future DOCSIS versions.
• SW download image validation is performed using
  X.509 certificates and digital signatures using
  RSA public key cryptography.
• Message integrity checks (MIC) with keyed MD5
  hash used for CM configuration file security.

81

• ITU-T SG 13 Work on Security

82
SG 13 NGN Security Outline

• Why NGN security?
• The ITU-T work on NGN Security
• Relationship to other SDOs
• Output of the NGN Focus Group
• Recent developmentsstarting the SG 13 Security
  work
• Top NGN security issues that need resolution

Security is among the key differentiators of the
NGN. It is also among its biggest challenges!..
83
SG 13 Why Security?(Threat examples)

• Providers perspective
• Theft of service
• Denial of service
• Disclosure of network topology
• Non-audited configuration changes
• Additional related risks to the PSTN

• Subscribers perspective
• Eavesdropping, theft of PIN codes
• Tele-spam
• Identity theft
• Infection by viruses, worms, and spyware
• Loss of privacy (call patterns, location, etc.)
• Flooding attacks on the end point

In NGN, known IP security vulnerabilities can
make PSTN vulnerable, too!
84
SG 13 The ITU-T work on NGN Security

• SG 13 Lead Study Group on the NGN
  standardization. (Question 15/13 is responsible
  for X.805-based NGN security)
• SG 17 Lead Study Group on Telecommunication
  Securitythe fundamental X.800 series, PKI, etc.
• SG 4 Lead Study Group on Telecommunication
  ManagementManagement Plane security
• SG 11 Lead Study Group on signaling and
  protocolssecurity of the Control and Signaling
  planes
• SG 16 Lead Study Group on multimedia terminals,
  systems and applicationsMultimedia security

FGNGN has concluded its work has moved to SG 13
85
Collaboration of ITU-T with other bodies on NGN
security Recommendations
ATIS
ISO/IEC JTC1 SC 27,
ITU-T SG 13, 17, 4, 11, 16
IETF
3GPP
3GPP2
Fora (such as OASIS)
ETSI TISPAN
TIA
SG 13 is the Lead Study Group for NGN SG 17 is
the Lead Study Group for Security
86
SG 13 Question 15, NGN security

• Question 15 (NGN security) of SG 13 ITU-T lead
  study group for NGN and satellite matters - will
  continue standards work started by FGNGN WG 5.
• Q.15/13 major tasks are
• Lead the NGN-specific security project-level
  issues within SG 13 and with other Study Groups.
  Recognizing SG 17s overall role as the Lead
  Study Group for Telecommunication Security,
  advise and assist SG 17 on NGN security
  coordination issues.
• Apply the X.805 Security architecture for systems
  providing end-to-end communication within the
  context of an NGN environment
• Ensure that
• the developed NGN architecture is consistent with
  accepted security principles
• Ensure that AAA principles are integrated as
  required throughout the NGN

87
SG 13 FGNGN output Security Requirements for
NGN Release 1 (highlights)

• Security requirements for the Transport Stratum
• NGN customer network domain
• Customer network to IP-Connectivity Access
  Network (IP-CAN) interface
• Core network functions
• NGN customer network to NGN customer network
  interface

• Security requirements for the Service Stratum
• IMS security
• Transport domain to NGN core network interface
• Open service platforms and applications security
• VoIP
• Emergency Telecommunication Services and
  Telecommunications for Disaster Relief

88
SG 13 FGNGN output Guidelines for NGN Security
Release 1 (highlights)

• General
• General principles and guidelines for building
  secure Next Generation Networks
• Detailed examination of IMS access security and
  NAT and firewall traversal
• NGN Security Models
• Security Associations model for NGN

• Security of the NGN subsystems
• IP-Connectivity Access Network
• IMS Network domain and IMS-to-non-IMS network
  security
• IMS access
• Framework for open platform for services and
  applications in NGN
• Emergency Telecommunications Service (ETS) and
  Telecommunications for Disaster Relief (TDR)
  Security
• Overview of the existing standard solutions
  related to NAT and firewall traversal

89
SG 13 Focus of the current work of Question 15,
NGN security

• Security Requirements for NGN Release 1
• Authentication requirements for NGN Release 1
• AAA Service for Network Access to NGN
• Guidelines for NGN Security Release 1
• Security considerations for Pseudowire (PWE)
  technology

At the heart of securing network protocols, the
biggest challenge is authentication.
90
SG 13 Major Issues for NGN Security
Standardization

• Key distribution (for end-users and network
  elements) and Public Key Infrastructure
• Network privacytopology hiding and
  NAT/Firewall traversal for real-time applications
• Convergence with IT security
• Management of security functions (e.g., policy)
• Guidelines on the implementation of the IETF
  protocols (e.g., IPsec options)
• Security for supporting access DSL, WLAN, and
  cable access scenarios
• Guidelines for handling 3GPP vs. 3GPP2
  differences in IMS Security

Bothnetwork assets and network trafficmust be
protected. Proper management procedures will help
prevent attacks from within.
91
SG 13 NGN Architecture
92

• ITU-T SG 16 Work on Security

93
Question 25/16 Multimedia Security
inNext-Generation Networks (NGN-MM-SEC)

• Study Group 16 concentrates on Multimedia
  systems.
• Q.25/16 focuses on the application-security
  issues of MM applications in next generation
  networks
• Standardizes Multimedia Security
• So far Q.25 has been standardizing MM-security
  for the 1st generation MM/pre-NGN?-systems
• H.323/H.248-based systems.

94
Evolution of H.235
Improvement and Additions
Consolidation
1st Deployment
Core SecurityFrameworkEngineering
H.235V3 Amd1 Annex H
H.235V3 Amd1
H.235V3 Annex I
H.235 Annex G
H.235V2 Annex D Annex E approved
Security Profiles Annex D Annex E started
Annex F H.530 consent
H.235V1 approved
Initial Draft
H.323V5
H.323V2
H.323V4
1997
1998
1999
2000
2001
2002
2003
2004
1996
gt 2005
95
H.235 V4 Subseries Recommendations

• Major restructuring of H.235v3 Amd1 and annexes
  in stand-alone subseries Recommendations
• H.235.x subseries specify scenario-specific
  MM-security procedures as H.235-profiles for
  H.323
• Some new parts added
• Some enhancements and extensions
• Incorporated corrections
• Approved in Sept. 2005

96
H.323 Security Recommendations (1)

• H.235.0 Security framework for H-series (H.323
  and other H.245-based) multimedia systems
• Overview of H.235.x subseries and common
  procedures with baseline text
• H.235.1 "Baseline Security Profile
• Authentication integrity for H.225.0 signaling
  using shared secrets
• H.235.2 "Signature Security Profile
• Authentication integrity for H.225.0 signaling
  using X.509 digital certificates and signatures

97
H.323 Security Recommendations (2)

• H.235.3 "Hybrid Security Profile"
• Authentication integrity for H.225.0 signaling
  using an optimized combination of X.509 digital
  certificates, signatures and shared secret key
  managementspecification of an optional
  proxy-based security processor
• H.235.4 "Direct and Selective Routed Call
  Security"
• Key management procedures in corporate and in
  interdomain environments to obtain key material
  for securing H.225.0 call signaling in GK
  direct-routed/selective routed scenarios

enhanced
extended
98
H.323 Security Recommendations (3)

• H.235.5 "Framework for secure authentication in
  RAS using weak shared secrets"
• Secured password (using EKE/SPEKE approach) in
  combination with Diffie-Hellman key agreement for
  stronger authentication during H.225.0 signaling
• H.235.6 "Voice encryption profile with native
  H.235/H.245 key management"
• Key management and encryption mechanisms for RTP

enhanced
modified
99
H.323 Security Recommendations (4)

• H.235.7 "Usage of the MIKEY Key Management
  Protocol for the Secure Real Time Transport
  Protocol (SRTP) within H.235"
• Usage of the MIKEY key management for SRTP
• H.235.8 "Key Exchange for SRTP using secure
  Signalling Channels"
• SRTP keying parameter transport over secured
  signaling channels (IPsec, TLS, CMS)
• H.235.9 "Security Gateway Support for H.323"
• Discovery of H.323 Security Gateways(SG H.323
  NAT/FW ALG) and key management for H.225.0
  signaling

100
Other SG16 MM-SEC Results

• H.350.2 (2003) H.350.2 Directory Services
  Architecture for H.235
• An LDAP schema to represent H.235 elements (PWs,
  certificates, ID infor