ATIS 1000024-2008 US Standard for Signaling Security C Security Roadmap.pdf

1、 TECHNICAL REPORT ATIS-1000024 US STANDARD FOR SIGNALING SECURITY SECURITY ROADMAP ATIS is the leading technical planning and standards development organization committed to the rapid development of global, market-driven standards for the information, entertainment and communications industry. More

2、than 250 companies actively formulate standards in ATIS 18 Committees, covering issues including: IPTV, Service Oriented Networks, Energy Efficiency, IP-Based and Wireless Technologies, Quality of Service, and Billing and Operational Support. In addition, numerous Incubators, Focus and Exploratory G

3、roups address emerging industry priorities including “Green”, IP Downloadable Security, Next Generation Carrier Interconnect, IPv6 and Convergence. ATIS is the North American Organizational Partner for the 3rd Generation Partnership Project (3GPP), a member and major U.S. contributor to the Internat

4、ional Telecommunication Union (ITU) Radio and Telecommunications Sectors, and a member of the Inter-American Telecommunication Commission (CITEL). For more information, please visit . Notice of Disclaimer 2) the management plane; and 3) the control plane, as illustrated in Figure 1 and as described

5、in ATIS-1000007.2006, Generic Signaling and Control Plane Security for Evolving Networks 1. AccessManagementInfrastructure SecurityApplication SecurityService SecurityEnd User PlaneControl PlaneManagement PlaneTHREATSVULNERABILITIESSecurity DimensionsATTACKSDataSecurityCommunicationSecurityIntegrity

6、AvailabilityPrivacyInterruptionFabricationInterceptionModificationAuthenticationNon-repudiationFigure 1 - Security Reference Model The standards included in this series focus on signaling and control plane security for evolving networks including the Next Generation Network (NGN). The requirements p

7、rovided in this series of standards should be treated as a minimum set of security requirements for signaling and control plane interconnection interfaces. Network providers and security administers are encouraged to take additional measures beyond those specified in these standards. Security of the

8、 user (bearer) and management planes are not within the scope of this series of standards. It is important that security measures be supported and implemented to protect all network assets including the signaling and control, user (bearer), and management planes. These signaling and control plane se

9、curity standards are intended to be used together with the other security standards and best practices specified by other ATIS committee (e.g., TMOC and PRQC) and other relevant standards development organizations (e.g., ITU-T and IETF) as applicable. It should be noted that there is the possibility

10、 of interrelationships between the various planes. Additional non-normative information on this and other security topics can be found in ATIS-0100014, Information and Communications Security for NGN Converged Services IP Networks and Infrastructure. ATIS-1000024 3 2 REFERENCES 1 ATIS-1000007.2006,

11、Generic Signaling and Control Plane Security for Evolving Networks.12 ATIS-1000019.2007, Network to Network (NNI) Standard for Signaling and Control Security for Evolving VoP Multimedia Networks.13 ATIS-1000012.2006, Signaling Systems No. 7 (SS7) - SS7 - Network and NNI Interconnection Security Requ

12、irements and Guidelines.14 ATIS-1000025.2008, US Standard for Signaling Security UNI Access and Signaling Standard.13 DEFINITIONS 3.1 Security: The process of minimizing the vulnerabilities of assets and resources, or the result of this process. 3.2 Security Administrator: An authority (a person or

13、a group of people) responsible for enforcing the security policy for a security domain. 4 ABBREVIATIONS, ACRONYMS, & SYMBOLS ATIS Alliance for Telecommunications Industry Solutions ITU-T International Telecommunications Union Telecommunications Sector IETF Internet Engineering Task Force IP Internet

14、 Protocol IPsec IP Security IKE Internet Key Exchange NRIC Network Reliability Interoperability Council NGN Next Generation Network NNI Network to Network Interface PRQC Network Performance, Reliability, and Quality of Service Committee PSTN Public Switched Telephone Network PTSC Packet Technologies

15、 and Systems Committee TMOC Telecom Management and Operations Committee TLS Transport Layer Security SIP Session Initiation Protocol SG Signaling Gateway SS7 Signaling Systems No. 7 _ 1This document is available from the Alliance for Telecommunications Industry Solutions (ATIS), 1200 G Street N.W.,

16、Suite 500, Washington, DC 20005. ATIS-1000024 4 UNI User to Network Interface VOP Voice Over Packet 5 GENERAL METHODOLOGY The general methodology is to specify requirements, conditional requirements, and objectives for security of the control and signaling network. In addition, best practices and gu

17、idelines to minimize security risks are specified. Requirements, Conditional Requirements, and Objectives are testable. Recommendations and best practices that are not testable are considered as guidelines and are not numbered. Requirements, Conditional Requirements, and Objectives are numbered in i

18、ncrements of 100. The Requirements, Conditional Requirements, and Objectives are highlighted in “tags” to facilitate requirements traceability. Each tag in the series of the security related documents has a label containing a unique number (e.g., ) where the alpha characters (e.g., REQ-SEC) identify

19、 the type of requirement (e.g., REQ) and the document (e.g., SEC), and the numeric characters (e.g., 00900) identify the specific requirement. The following terminology is used in this series of signaling and control plane security standards: Requirement: Feature or function that is necessary to mee

20、t the needs of a service provider. Failure to meet a requirement may cause application or service restrictions, result in improper functioning of the product, or hinder operations. A requirement is identified by the letters “REQ-SEC”. Conditional Requirement: Feature or function that is needed by so

21、me, but not all, service providers and, as such, is left for the individual service providers to choose. A conditional requirement is identified by the letters “CR-SEC”. Objective: Feature or function that is desirable and may be required by a service provider. An Objective represents a goal to be a

22、chieved. An Objective may be reclassified as a Requirement at some future date. An objective is identified by the letters “O-SEC” and includes the words it is desirable or it is an objective. 6 SIGNALING AND CONTROL PLANE SECURITY ROADMAP Figure 2 shows a high level organization of the signaling and

23、 control plane security standards described in this document. ATIS-1000024 5 ATIS-10000XX Signaling and Control Plane Security Roadmap ATIS-1000007: Generic Signaling and Control Plane Security for Evolving Networks ATIS-PP-1000012: Signaling Systems No. 7 (SS7) - SS7 - Network and NNI Interconnecti

24、on Security ATIS-10000XX: User to Network Interface (UNI) Standard for Signaling and Control Security Requirements for Evolving VoP/Multimedia Networks ATIS-1000019: Network to Network (NNI) Standard for Signaling and Control Security for Evolving VoP/Multimedia Networks This document Figure 2 - Sig

25、naling and Control Plane Security Road Map 6.1 ATIS-1000007.2006, Generic Signaling and Control Plane Security for Evolving Networks 6.2.1 Scope of ATIS-1000007.2006 ATIS-1000007.2006 1 addresses generic signaling and control plane security aspects of evolving telecommunications networks and is base

26、d on ITU-T Recommendation X.800, Security Architecture for Open Systems Interconnection for CCITT Applications, and Recommendation X.805, Security Architecture for Systems Providing End-to-End Communications. It provides generic signaling and control plane security requirements and a general securit

27、y framework for evolving telecommunications networks. The concepts presented in this standard are intended for use by the other related standards which deal with specific signaling and control security areas. 6.2.2 Organization of ATIS-1000007.2006 1 INTRODUCTION, SCOPE, PURPOSE, & APPLICATION 1.1 I

28、NTRODUCTION 1.2 SCOPE 1.3 PURPOSE 1.4 RELATED DOCUMENTS 2 NORMATIVE REFERENCES 3 DEFINITIONS ATIS-1000024 6 4 ABBREVIATIONS & ACRONYMS 5 SECURITY ARCHITECTURE & METHODOLOGY 5.1 GENERAL ARCHITECTURE MODEL 5.2 SECURITY PLANES 5.2.1 End-User Security Plane 5.2.2 Signaling and Control Security Plane 5.2

29、.3 Management Plane Security 5.3 SECURITY DIMENSIONS 5.3.1 Access Control Security Dimension 5.3.2 Authentication Security Dimension 5.3.3 Non-repudiation 5.3.4 Data Confidentiality Security Dimension 5.3.5 Communication Security Dimension 5.3.6 Data Integrity Security Dimension 5.3.7 Availability S

30、ecurity Dimension 5.3.8 Privacy Security Dimension 5.4 SECURITY LAYERS 5.4.1 Infrastructure Security Layer 5.4.2 The Network Services Security Layer 5.4.3 The Applications Security Layer 5.5 APPLICATION OF SECURITY DIMENSIONS TO SECURITY LAYERS 5.5.1 Applying Security Dimensions to the Signaling and

31、 Control Plane Infrastructure Layer 5.5.2 Apply Security Dimensions to the Signaling and Control Plane Network Services Layer 5.5.3 Applying Security Dimensions to the Signaling and Control Plane Applications Layer 5.6 SIGNALING NETWORK INTERCONNECTION MODEL 6 DESIGN GUIDELINES 7 SIGNALING AND CONTR

32、OL PLANE 7.1 SIGNALING AND CONTROL PLANE PROTOCOLS 7.2 SIGNALING AND CONTROL PLANE VULNERABILITIES 8 GENERAL SECURITY REQUIREMENTS 8.1 SECURITY PROTOCOL OVERVIEW 8.2 CRYPTOGRAPHIC ALGORITHMS & KEYS 8.2.1 Definitions 8.2.1.1 Symmetric Encryption 8.2.1.2 Asymmetric Encryption 8.2.1.3 Message Integrity

33、 8.2.2 Cryptographic Key Management 8.3 IPSEC AND IKE PROTOCOL REQUIREMENTS 8.3.1 IPsec Security Modes 8.3.2 IPsec Protocols 8.3.3 IPsec Encryption Algorithms 8.3.4 IPsec Implementation Authentication Algorithms 8.3.5 IPsec Implementation Selectors 8.3.6 Support for Internet Key Exchange (IKE) 8.3.7

34、 IKE Implementation Modes 8.3.8 IKE Implementation Encryption Algorithms 8.3.9 IKE Implementation Secure Hash Algorithms 8.3.10 IKE Implementation Authentication Methods ATIS-1000024 7 8.3.11 IKE Implementation Oakley groups 8.3.12 IKE Support of Perfect Forward Secrecy 8.3.13 Random number generato

35、rs for IPsec/IKE 8.4 TLS PROTOCOL REQUIREMENTS 8.4.1 TLS Encryption Algorithms 8.4.2 TLS Authentication Algorithms 8.4.3 Key Exchange Algorithms for TLS 8.4.4 Ciphersuites for TLS 8.4.5 Use of X.509 Certificates in TLS 8.4.6 TLS Authentication 8.4.7 Random number generators for TLS A SIGNALING & CON

36、TROL PLANE SECURITY BEST PRACTICES A.1 FIREWALLS A.2 OPERATING SYSTEM HARDENING A.3 VULNERABILITY ASSESSMENT A.4 INTRUSION DETECTION SYSTEMS B REFERENCES 6.3 ATIS-1000012.2006, Signaling Systems No. 7 (SS7) SS7 Network and NNI Interconnection Security Requirements and Guidelines 6.3.1 Scope of ATIS-

37、1000012.2006 ATIS-1000012.2006 3 addresses Signaling System No.7 (SS7) Network security, and SS7 network interconnection security. This includes security of an SS7 network interconnection to a multimedia signaling and control network such as SIP network and H.323 network. Specifically, this standard

38、 provides security requirements and guidelines to minimize security risks to the SS7 network and its interconnections. 6.3.2 Organization of ATIS-1000012.2006 0 INTRODUCTION 1 SCOPE, PURPOSE, & APPLICATION 1.1 SCOPE 1.2 PURPOSE 1.3 REQUIREMENTS, OBJECTIVES AND GUIDELINES 1.4 SECURITY THREATS 2 NORMA

39、TIVE REFERENCES 3 DEFINITIONS, ACRONYMS, & ABBREVIATIONS 3.1 DEFINITIONS 3.2 ACRONYMS & ABBREVIATIONS 4 SS7 SIGNALING NETWORK SECURITY NEEDS & SECURITY ARCHITECTURE 4.1 TRADITIONAL SS7 NETWORK 4.1.1 Overview ATIS-1000024 8 4.1.2 Functional Architecture 4.1.3 SS7 Protocols and Fundamental Security Ne

40、eds 4.1.3.1 Traditional SS7 Protocol Stack 4.1.3.2 Fundamental Security Needs 4.2 SECURITY ARCHITECTURE AND METHODOLOGY 5 GENERAL REQUIREMENTS & GUIDELINES 5.1 NETWORK DESIGN 5.2 SECURITY PLAN, POLICY & PRACTICES 5.3 NETWORK RELIABILITY INTEROPERABILITY COUNCIL (NRIC) BEST PRACTICES 5.4 DOCUMENTS AN

41、D SPECIFICATION SAFEGUARD 5.5 MANAGEMENT PLANE SECURITY 5.6 SECURITY MANAGEMENT SYSTEM 6 INFRASTRUCTURE LAYER6.1 ACCESS CONTROL 6.1.1 SS7 Network Element Access 6.1.2 SS7 Network Design 6.1.3 Physical Security 6.2 AVAILABILITY 6.2.1 Security Arrangements and Diversity/Redundancy 6.3 CAPACITY ENGINEE

42、RING GUIDELINES 7 NETWORK SERVICES LAYER7.1 ACCESS AND AUTHENTICATION 7.1.1 SS7 Message Screening 7.2 DATA CONFIDENTIALITY 7.3 PRIVACY 7.4 DATA INTEGRITY 7.5 AVAILABILITY 7.5.1 Security Arrangements and Diversity/Redundancy 8 APPLICATION LAYER 8.1 DATA CONFIDENTIALITY 8.1.1 SS7 Upper Layer Security

43、Capability 8.2 PRIVACY 9 NETWORK INTERCONNECTION 9.1 GENERAL OBJECTIVE AND MODEL FOR SIGNALING NETWORK INTERCONNECTION SECURITY 9.2 TRADITIONAL SS7 NETWORK TO TRADITIONAL SS7 NETWORK INTERCONNECTION 9.2.1 Reference Architecture 9.2.2 General Requirements and Guidelines. 9.2.3 Infrastructure Layer 9.

44、2.3.1 Access and Authentication 9.2.3.2 Availability 9.2.4 Network Services Layer 9.2.4.1 Access and Authentication 9.2.4.1.1 SS7 Message Screening 9.2.4.1.2 MTP Layer Screening 9.2.4.1.3 SCCP Layer Screening 9.2.4.1.4 ISUP Screening 9.2.4.1.5 TCAP Screening 9.2.4.2 Message Monitoring ATIS-1000024 9

45、 9.2.4.3 Data Confidentiality 9.2.4.4 Privacy 9.2.4.5 Data Integrity 9.2.4.6 Availability 9.2.5 Application Layer 9.2.5.1 Data Confidentiality 9.3 TRADITIONAL SS7 NETWORK TO IP-BASED SIGNALING NETWORK INTERCONNECTION 9.3.1 SS7 and IP-based Signaling Network Interconnection Via SG Providing Transport

46、 Protocol Interworking 9.3.1.1 Reference Architecture 9.3.1.2 General Requirements and Guidelines 9.3.1.2.1 Network Design 9.3.1.2.2 Security Plan, Policy and Practices 9.3.1.2.3 Network Reliability Interoperability Council (NRIC) Best Practices 9.3.1.2.4 Documentation & Specification Safeguard 9.3.

47、1.3 Infrastructure Layer 9.3.1.3.1 Access and Authentication Control 9.3.1.3.1.1 Network Element Access 9.3.1.3.1.2 Physical Security 9.3.1.3.2 Availability 9.3.1.3.2.1 Security Arrangements and Diversity/Redundancy 9.3.1.4 Network Services Layer 9.3.1.4.1 Access and Authentication 9.3.1.4.1.1 SS7 M

48、essage Screening 9.3.1.4.1.2 MTP Layer Screening 9.3.1.4.1.3 SCCP Layer Screening 9.3.1.4.1.4 ISUP Layer Screening 9.3.1.4.1.5 TCAP Layer Screening 9.3.1.4.1.6 Packet Screening 9.3.1.4.1.6.1 IP Layer Screening 9.3.1.4.1.6.2 Transport Layer Screening (SCTP) 9.3.1.4.1.6.3 Adaptation Layer (SUA, M3UA,

49、M2UA and M2PA) Screening 9.3.1.4.2 Message Monitoring Capabilities 9.3.1.4.2 Data Confidentiality 9.3.1.4.3 Privacy 9.3.1.4.4 Data Integrity 9.3.1.4.5 Availability 9.3.2 SS7 Network Interconnection to IP-based Signaling Network Via SG/PSTN Gateway Node Providing Call Control Protocol Interworking. 9.3.2.1 General Requirements 9.3.2.1.1 Network Design 9.3.2.1.2 Security Plan, Policy, & Practices 9.3.2.1.3 Network Reliability Interoperability Council (NRIC) Best Practices 9.3.2.1.4 Documentation and Specification Safeguard 9.3.2.2 Infrastruc