ATIS 1000024-2008 US Standard for Signaling Security - Security Roadmap.pdf

TECHNICAL REPORT ATIS-1000024
US STANDARD FOR SIGNALING SECURITY - SECURITY ROADMAP

ATIS is the leading technical planning and standards development organization committed to the rapid development of global, market-driven standards for the information, entertainment and communications industry. More than 250 companies actively formulate standards in ATIS' 18 Committees, covering issues including: IPTV, Service Oriented Networks, Energy Efficiency, IP-Based and Wireless Technologies, Quality of Service, and Billing and Operational Support. In addition, numerous Incubators, Focus and Exploratory Groups address emerging industry priorities including “Green”, IP Downloadable Security, Next Generation Carrier Interconnect, IPv6 and Convergence. ATIS is the North American Organizational Partner for the 3rd Generation Partnership Project (3GPP), a member and major U.S. contributor to the International Telecommunication Union (ITU) Radio and Telecommunications Sectors, and a member of the Inter-American Telecommunication Commission (CITEL). For more information, please visit .

Notice of Disclaimer

2) the management plane; and 3) the control plane, as illustrated in Figure 1 and as described
in ATIS-1000007.2006, Generic Signaling and Control Plane Security for Evolving Networks [1].

Figure 1 - Security Reference Model (figure: security planes End User Plane, Control Plane and Management Plane; security layers Infrastructure Security, Service Security and Application Security; security dimensions Access Management, Authentication, Non-repudiation, Data Security, Communication Security, Integrity, Availability and Privacy; threats and vulnerabilities leading to the attacks Interruption, Fabrication, Interception and Modification)

The standards included in this series focus on signaling and control plane security for evolving networks including the Next Generation Network (NGN). The requirements provided in this series of standards should be treated as a minimum set of security requirements for signaling and control plane interconnection interfaces. Network providers and security administrators are encouraged to take additional measures beyond those specified in these standards. Security of the user (bearer) and management planes is not within the scope of this series of standards. It is important that security measures be supported and implemented to protect all network assets including the signaling and control, user (bearer), and management planes. These signaling and control plane security standards are intended to be used together with the other security standards and best practices specified by other ATIS committees (e.g., TMOC and PRQC) and other relevant standards development organizations (e.g., ITU-T and IETF) as applicable. It should be noted that there is the possibility of interrelationships between the various planes. Additional non-normative information on this and other security topics can be found in ATIS-0100014, Information and Communications Security for NGN Converged Services IP Networks and Infrastructure.

2 REFERENCES

[1] ATIS-1000007.2006, Generic Signaling and Control Plane Security for Evolving Networks. (note 1)
[2] ATIS-1000019.2007, Network to Network (NNI) Standard for Signaling and Control Security for Evolving VoP Multimedia Networks. (note 1)
[3] ATIS-1000012.2006, Signaling Systems No. 7 (SS7) - SS7 Network and NNI Interconnection Security Requirements and Guidelines. (note 1)
[4] ATIS-1000025.2008, US Standard for Signaling Security UNI Access and Signaling Standard. (note 1)

3 DEFINITIONS

3.1 Security: The process of minimizing the vulnerabilities of assets and resources, or the result of this process.
3.2 Security Administrator: An authority (a person or
a group of people) responsible for enforcing the security policy for a security domain.

4 ABBREVIATIONS, ACRONYMS, & SYMBOLS

ATIS   Alliance for Telecommunications Industry Solutions
ITU-T  International Telecommunications Union Telecommunications Sector
IETF   Internet Engineering Task Force
IP     Internet Protocol
IPsec  IP Security
IKE    Internet Key Exchange
NRIC   Network Reliability Interoperability Council
NGN    Next Generation Network
NNI    Network to Network Interface
PRQC   Network Performance, Reliability, and Quality of Service Committee
PSTN   Public Switched Telephone Network
PTSC   Packet Technologies and Systems Committee
TMOC   Telecom Management and Operations Committee
TLS    Transport Layer Security
SIP    Session Initiation Protocol
SG     Signaling Gateway
SS7    Signaling Systems No. 7
UNI    User to Network Interface
VOP    Voice Over Packet

Note 1: This document is available from the Alliance for Telecommunications Industry Solutions (ATIS), 1200 G Street N.W., Suite 500, Washington, DC 20005.

5 GENERAL METHODOLOGY

The general methodology is to specify requirements, conditional requirements, and objectives for security of the control and signaling network. In addition, best practices and guidelines to minimize security risks are specified. Requirements, Conditional Requirements, and Objectives are testable. Recommendations and best practices that are not testable are considered as guidelines and are not numbered. Requirements, Conditional Requirements, and Objectives are numbered in increments of 100. The Requirements, Conditional Requirements, and Objectives are highlighted in “tags” to facilitate requirements traceability. Each tag in the series of the security related documents has a label containing a unique number (e.g., ) where the alpha characters (e.g., REQ-SEC) identify the type of requirement (e.g., REQ) and the document (e.g., SEC), and the numeric characters (e.g., 00900) identify the specific requirement.

The following terminology is used in this series of signaling and control plane security standards:

Requirement: Feature or function that is necessary to meet the needs of a service provider. Failure to meet a requirement may cause application or service restrictions, result in improper functioning of the product, or hinder operations. A requirement is identified by the letters “REQ-SEC”.

Conditional Requirement: Feature or function that is needed by some, but not all, service providers and, as such, is left for the individual service providers to choose. A conditional requirement is identified by the letters “CR-SEC”.

Objective: Feature or function that is desirable and may be required by a service provider. An Objective represents a goal to be achieved. An Objective may be reclassified as a Requirement at some future date. An objective is identified by the letters “O-SEC” and includes the words "it is desirable" or "it is an objective".

6 SIGNALING AND CONTROL PLANE SECURITY ROADMAP

Figure 2 shows a high level organization of the signaling and
control plane security standards described in this document.

Figure 2 - Signaling and Control Plane Security Road Map (figure: ATIS-10000XX Signaling and Control Plane Security Roadmap (this document); ATIS-1000007: Generic Signaling and Control Plane Security for Evolving Networks; ATIS-PP-1000012: Signaling Systems No. 7 (SS7) - SS7 Network and NNI Interconnection Security; ATIS-10000XX: User to Network Interface (UNI) Standard for Signaling and Control Security Requirements for Evolving VoP/Multimedia Networks; ATIS-1000019: Network to Network (NNI) Standard for Signaling and Control Security for Evolving VoP/Multimedia Networks)

6.1 ATIS-1000007.2006, Generic Signaling and Control Plane Security for Evolving Networks

6.2.1 Scope of ATIS-1000007.2006

ATIS-1000007.2006 [1] addresses generic signaling and control plane security aspects of evolving telecommunications networks and is based on ITU-T Recommendation X.800, Security Architecture for Open Systems Interconnection for CCITT Applications, and Recommendation X.805, Security Architecture for Systems Providing End-to-End Communications. It provides generic signaling and control plane security requirements and a general security framework for evolving telecommunications networks. The concepts presented in this standard are intended for use by the other related standards which deal with specific signaling and control security areas.

6.2.2 Organization of ATIS-1000007.2006

1 INTRODUCTION, SCOPE, PURPOSE, & APPLICATION
1.1 INTRODUCTION
1.2 SCOPE
1.3 PURPOSE
1.4 RELATED DOCUMENTS
2 NORMATIVE REFERENCES
3 DEFINITIONS
4 ABBREVIATIONS & ACRONYMS
5 SECURITY ARCHITECTURE & METHODOLOGY
5.1 GENERAL ARCHITECTURE MODEL
5.2 SECURITY PLANES
5.2.1 End-User Security Plane
5.2.2 Signaling and Control Security Plane
5.2.3 Management Plane Security
5.3 SECURITY DIMENSIONS
5.3.1 Access Control Security Dimension
5.3.2 Authentication Security Dimension
5.3.3 Non-repudiation
5.3.4 Data Confidentiality Security Dimension
5.3.5 Communication Security Dimension
5.3.6 Data Integrity Security Dimension
5.3.7 Availability Security Dimension
5.3.8 Privacy Security Dimension
5.4 SECURITY LAYERS
5.4.1 Infrastructure Security Layer
5.4.2 The Network Services Security Layer
5.4.3 The Applications Security Layer
5.5 APPLICATION OF SECURITY DIMENSIONS TO SECURITY LAYERS
5.5.1 Applying Security Dimensions to the Signaling and Control Plane Infrastructure Layer
5.5.2 Apply Security Dimensions to the Signaling and Control Plane Network Services Layer
5.5.3 Applying Security Dimensions to the Signaling and Control Plane Applications Layer
5.6 SIGNALING NETWORK INTERCONNECTION MODEL
6 DESIGN GUIDELINES
7 SIGNALING AND CONTROL PLANE
7.1 SIGNALING AND CONTROL PLANE PROTOCOLS
7.2 SIGNALING AND CONTROL PLANE VULNERABILITIES
8 GENERAL SECURITY REQUIREMENTS
8.1 SECURITY PROTOCOL OVERVIEW
8.2 CRYPTOGRAPHIC ALGORITHMS & KEYS
8.2.1 Definitions
8.2.1.1 Symmetric Encryption
8.2.1.2 Asymmetric Encryption
8.2.1.3 Message Integrity
8.2.2 Cryptographic Key Management
8.3 IPSEC AND IKE PROTOCOL REQUIREMENTS
8.3.1 IPsec Security Modes
8.3.2 IPsec Protocols
8.3.3 IPsec Encryption Algorithms
8.3.4 IPsec Implementation Authentication Algorithms
8.3.5 IPsec Implementation Selectors
8.3.6 Support for Internet Key Exchange (IKE)
8.3.7 IKE Implementation Modes
8.3.8 IKE Implementation Encryption Algorithms
8.3.9 IKE Implementation Secure Hash Algorithms
8.3.10 IKE Implementation Authentication Methods
8.3.11 IKE Implementation Oakley groups
8.3.12 IKE Support of Perfect Forward Secrecy
8.3.13 Random number generators for IPsec/IKE
8.4 TLS PROTOCOL REQUIREMENTS
8.4.1 TLS Encryption Algorithms
8.4.2 TLS Authentication Algorithms
8.4.3 Key Exchange Algorithms for TLS
8.4.4 Ciphersuites for TLS
8.4.5 Use of X.509 Certificates in TLS
8.4.6 TLS Authentication
8.4.7 Random number generators for TLS
A SIGNALING & CONTROL PLANE SECURITY BEST PRACTICES
A.1 FIREWALLS
A.2 OPERATING SYSTEM HARDENING
A.3 VULNERABILITY ASSESSMENT
A.4 INTRUSION DETECTION SYSTEMS
B REFERENCES

6.3 ATIS-1000012.2006, Signaling Systems No. 7 (SS7) - SS7 Network and NNI Interconnection Security Requirements and Guidelines

6.3.1 Scope of ATIS-1000012.2006

ATIS-1000012.2006 [3] addresses Signaling System No. 7 (SS7) network security and SS7 network interconnection security. This includes security of an SS7 network interconnection to a multimedia signaling and control network such as a SIP network or an H.323 network. Specifically, this standard
provides security requirements and guidelines to minimize security risks to the SS7 network and its interconnections.

6.3.2 Organization of ATIS-1000012.2006

0 INTRODUCTION
1 SCOPE, PURPOSE, & APPLICATION
1.1 SCOPE
1.2 PURPOSE
1.3 REQUIREMENTS, OBJECTIVES AND GUIDELINES
1.4 SECURITY THREATS
2 NORMATIVE REFERENCES
3 DEFINITIONS, ACRONYMS, & ABBREVIATIONS
3.1 DEFINITIONS
3.2 ACRONYMS & ABBREVIATIONS
4 SS7 SIGNALING NETWORK SECURITY NEEDS & SECURITY ARCHITECTURE
4.1 TRADITIONAL SS7 NETWORK
4.1.1 Overview
4.1.2 Functional Architecture
4.1.3 SS7 Protocols and Fundamental Security Needs
4.1.3.1 Traditional SS7 Protocol Stack
4.1.3.2 Fundamental Security Needs
4.2 SECURITY ARCHITECTURE AND METHODOLOGY
5 GENERAL REQUIREMENTS & GUIDELINES
5.1 NETWORK DESIGN
5.2 SECURITY PLAN, POLICY & PRACTICES
5.3 NETWORK RELIABILITY INTEROPERABILITY COUNCIL (NRIC) BEST PRACTICES
5.4 DOCUMENTS AND SPECIFICATION SAFEGUARD
5.5 MANAGEMENT PLANE SECURITY
5.6 SECURITY MANAGEMENT SYSTEM
6 INFRASTRUCTURE LAYER
6.1 ACCESS CONTROL
6.1.1 SS7 Network Element Access
6.1.2 SS7 Network Design
6.1.3 Physical Security
6.2 AVAILABILITY
6.2.1 Security Arrangements and Diversity/Redundancy
6.3 CAPACITY ENGINEERING GUIDELINES
7 NETWORK SERVICES LAYER
7.1 ACCESS AND AUTHENTICATION
7.1.1 SS7 Message Screening
7.2 DATA CONFIDENTIALITY
7.3 PRIVACY
7.4 DATA INTEGRITY
7.5 AVAILABILITY
7.5.1 Security Arrangements and Diversity/Redundancy
8 APPLICATION LAYER
8.1 DATA CONFIDENTIALITY
8.1.1 SS7 Upper Layer Security Capability
8.2 PRIVACY
9 NETWORK INTERCONNECTION
9.1 GENERAL OBJECTIVE AND MODEL FOR SIGNALING NETWORK INTERCONNECTION SECURITY
9.2 TRADITIONAL SS7 NETWORK TO TRADITIONAL SS7 NETWORK INTERCONNECTION
9.2.1 Reference Architecture
9.2.2 General Requirements and Guidelines
9.2.3 Infrastructure Layer
9.2.3.1 Access and Authentication
9.2.3.2 Availability
9.2.4 Network Services Layer
9.2.4.1 Access and Authentication
9.2.4.1.1 SS7 Message Screening
9.2.4.1.2 MTP Layer Screening
9.2.4.1.3 SCCP Layer Screening
9.2.4.1.4 ISUP Screening
9.2.4.1.5 TCAP Screening
9.2.4.2 Message Monitoring
9.2.4.3 Data Confidentiality
9.2.4.4 Privacy
9.2.4.5 Data Integrity
9.2.4.6 Availability
9.2.5 Application Layer
9.2.5.1 Data Confidentiality
9.3 TRADITIONAL SS7 NETWORK TO IP-BASED SIGNALING NETWORK INTERCONNECTION
9.3.1 SS7 and IP-based Signaling Network Interconnection Via SG Providing Transport Protocol Interworking
9.3.1.1 Reference Architecture
9.3.1.2 General Requirements and Guidelines
9.3.1.2.1 Network Design
9.3.1.2.2 Security Plan, Policy and Practices
9.3.1.2.3 Network Reliability Interoperability Council (NRIC) Best Practices
9.3.1.2.4 Documentation & Specification Safeguard
9.3.1.3 Infrastructure Layer
9.3.1.3.1 Access and Authentication Control
9.3.1.3.1.1 Network Element Access
9.3.1.3.1.2 Physical Security
9.3.1.3.2 Availability
9.3.1.3.2.1 Security Arrangements and Diversity/Redundancy
9.3.1.4 Network Services Layer
9.3.1.4.1 Access and Authentication
9.3.1.4.1.1 SS7 Message Screening
9.3.1.4.1.2 MTP Layer Screening
9.3.1.4.1.3 SCCP Layer Screening
9.3.1.4.1.4 ISUP Layer Screening
9.3.1.4.1.5 TCAP Layer Screening
9.3.1.4.1.6 Packet Screening
9.3.1.4.1.6.1 IP Layer Screening
9.3.1.4.1.6.2 Transport Layer Screening (SCTP)
9.3.1.4.1.6.3 Adaptation Layer (SUA, M3UA, M2UA and M2PA) Screening
9.3.1.4.2 Message Monitoring Capabilities
9.3.1.4.2 Data Confidentiality
9.3.1.4.3 Privacy
9.3.1.4.4 Data Integrity
9.3.1.4.5 Availability
9.3.2 SS7 Network Interconnection to IP-based Signaling Network Via SG/PSTN Gateway Node Providing Call Control Protocol Interworking
9.3.2.1 General Requirements
9.3.2.1.1 Network Design
9.3.2.1.2 Security Plan, Policy, & Practices
9.3.2.1.3 Network Reliability Interoperability Council (NRIC) Best Practices
9.3.2.1.4 Documentation and Specification Safeguard
9.3.2.2 Infrastruc
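
The requirement-tag and numbering convention from section 5 (General Methodology) of this roadmap, as an added example that is not part of ATIS-1000024 or any ATIS publication: a small Python checker that parses tagged statements, maps the REQ/CR/O prefixes to the terminology defined there, and flags numbers that are not multiples of 100, duplicate labels, and Objectives lacking the "it is desirable" / "it is an objective" wording. The TYPE-DOC-NNNNN tag layout and the sample statements are assumptions constructed for this example, since the page does not show a complete tag.

```python
import re
from collections import Counter

# Tag layout assumed for this example: TYPE-DOC-NNNNN, e.g. "REQ-SEC-00900", built from
# the pieces the roadmap names ("REQ-SEC" and "00900"); the real bracketing is not shown.
LINE_RE = re.compile(r"^(REQ|CR|O)-([A-Z]+)-(\d{5})\s+(.*)$")
# Prefix -> terminology defined in section 5 of the roadmap.
TAG_TYPES = {"REQ": "Requirement", "CR": "Conditional Requirement", "O": "Objective"}
# Section 5 says an Objective's text includes one of these phrases.
OBJECTIVE_WORDING = ("it is desirable", "it is an objective")


def parse_tags(text):
    items = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            kind, doc, num, body = m.groups()
            items.append((TAG_TYPES[kind], doc, int(num), body))
    return items


def check_traceability(text):
    # Check tagged statements against the numbering and wording rules of section 5.
    tags = parse_tags(text)
    counts = Counter((doc, num) for _, doc, num, _ in tags)
    return {
        "tags": tags,
        # Requirements, Conditional Requirements and Objectives are numbered in steps of 100.
        "not_increment_of_100": sorted({num for _, _, num, _ in tags if num % 100}),
        # Each tag label must be unique, otherwise traceability breaks.
        "duplicates": sorted(key for key, n in counts.items() if n > 1),
        # Objectives must carry the "it is desirable" / "it is an objective" wording.
        "objectives_missing_wording": sorted(
            num for kind, _, num, body in tags
            if kind == "Objective" and not any(p in body.lower() for p in OBJECTIVE_WORDING)),
    }


# Constructed sample (not text from the standard): one of each tag type, plus a
# mis-numbered tag, a duplicate label and an objective without the required wording.
SAMPLE = """\
REQ-SEC-00900 The SG shall support IPsec ESP in tunnel mode.
CR-SEC-01000 If TLS is used, the SG shall support X.509 certificates.
O-SEC-01100 It is desirable that the SG log screened SS7 messages.
REQ-SEC-01150 The SG shall reject unscreened MTP messages.
REQ-SEC-00900 The SG shall support IKE with perfect forward secrecy.
O-SEC-01200 The SG logs every screened message.
"""

if __name__ == "__main__":
    for key, value in check_traceability(SAMPLE).items():
        print(key, value)
```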
