ETSI TR 187 002-2011 Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN) TISPAN NGN Security (NGN SEC) Threat Vulnerability and Risk A_1.pdf

1、 ETSI TR 187 002 V3.1.1 (2011-04)Technical Report Telecommunications and Internet converged Services andProtocols for Advanced Networking (TISPAN);TISPAN NGN Security (NGN_SEC);Threat, Vulnerability and Risk AnalysisETSI ETSI TR 187 002 V3.1.1 (2011-04) 2Reference RTR/TISPAN-07037-NGN-R3 Keywords an

2、alysis, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the prese

3、nt document can be downloaded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case o

4、f dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and o

5、ther ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized

6、by written permission. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2011. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTM, TIPHONTM, the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered for the benef

7、it of its Members. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. LTE is a Trade Mark of ETSI currently being registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks reg

8、istered and owned by the GSM Association. ETSI ETSI TR 187 002 V3.1.1 (2011-04) 3Contents Intellectual Property Rights 9g3Foreword . 9g31 Scope 10g32 References 10g32.1 Normative references . 10g32.2 Informative references 10g33 Definitions and abbreviations . 15g33.1 Definitions 15g33.2 Abbreviatio

9、ns . 15g34 NGN-relevant Security Interfaces and Scenarios . 17g34.1 Security-relevant NGN Scenarios 17g34.1.1 Basic NGN scenario (ECN Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available o

10、n the ETSI Web server (http:/webapp.etsi.org/IPR/home.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) w

11、hich are, or may be, or may become, essential to the present document. Foreword This Technical Report (TR) has been produced by ETSI Technical Committee Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN). ETSI ETSI TR 187 002 V3.1.1 (2011-04) 10 1 Scope

12、 The present document presents the results of the Threat Vulnerability Risk Analysis (TVRA) for the NGN. The present document follows the method and proforma for carrying out a TVRA defined in TS 102 165-1 i.4 and incorporates material of the NGN threat and risk analysis herein. The present document

13、 identifies security-relevant interfaces in the NGN, identifies security-relevant scenarios for use in the NGN, analyses NGN in terms of security threats and risks by performing a security threat and risk analysis, and classifies the identified vulnerabilities and the associated risk presented to th

14、e NGN. This threat and risk analysis makes a number of assumptions that are believed to hold for typical deployment scenarios of the NGN. NOTE 1: Depending on the actual instantiation of the NGN some of the assumptions declared in the present document may not fully hold and this may alter the associ

15、ated risks. NOTE 2: Whilst the present document is a technical report it identifies requirements for future work. In all cases these requirements are considered indicative pending their ratification in formal ETSI Technical Specifications within the TISPAN Work Programme. 2 References References are

16、 either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies. Referenced documents wh

17、ich are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity. 2.1 Normative references The following refer

18、enced documents are necessary for the application of the present document. Not applicable. 2.2 Informative references The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 ETSI EG 202 38

19、7: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Security Design Guide; Method for application of Common Criteria to ETSI deliverables“. i.2 ETSI TS 181 005: “Telecommunications and Internet Converged Services and Protocols for Advanced Networkin

20、g (TISPAN); Service and Capability Requirements“. i.3 ISO/IEC 13335: “Information technology - Guidelines for the management of IT security“. i.4 ETSI TS 102 165-1 (V4.2.1): “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Methods and protocols; Par

21、t 1: Method and proforma for Threat, Risk, Vulnerability Analysis“. ETSI ETSI TR 187 002 V3.1.1 (2011-04) 11 i.5 ETSI ES 282 004: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Functional Architecture; Network Attachment Sub-System (NASS)“. i.

22、6 ETSI TS 187 001: “Telecommunications and Internet Converged Services and Protocols for Advanced Networking (TISPAN); NGN SECurity (SEC); Requirements“. i.7 ETSI TS 187 003: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Security; Security Ar

23、chitecture“. i.8 ETSI TR 180 001: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Release 1; Release definition“. i.9 ETSI ES 282 002: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); PSTN/ISDN

24、 Emulation Sub-system (PES); Functional architecture“. i.10 ETSI ES 282 003: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Resource and Admission Control Sub-System (RACS): Functional Architecture“. i.11 ETSI ES 283 002: “Telecommunications and I

25、nternet converged Services and Protocols for Advanced Networking (TISPAN); H.248 Profile for controlling Access and Residential Gateways“. i.12 ETSI EN 383 001: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Interworking between Session Initiation

26、 Protocol (SIP) and Bearer Independent Call Control (BICC) Protocol or ISDN User Part (ISUP) ITU-T Recommendation Q.1912.5, modified“. i.13 ETSI TS 133 210: “ Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); LTE; 3G security; Network Domain Se

27、curity (NDS); IP network layer security (3GPP TS 33.210 Release 10)“. i.14 AS/NZS 4360: “Risk Management“. i.15 Directive 2002/21/EC of the European Parliament and of the council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive

28、). i.16 Directive 2002/58/EC of the European Parliament and of the council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). i.17 ETSI ES 282 001: “Telecommunications

29、and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Functional Architecture“. i.18 IETF RFC 3261: “SIP: Session Initiation Protocol“. i.19 ETSI TS 133 203: “Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); 3G se

30、curity; Access security for IP-based services (3GPP TS 33.203 Release 7)“. i.20 ETSI TS 133 234: “Universal Mobile Telecommunications System (UMTS); 3G security; Wireless Local Area Network (WLAN) interworking security (3GPP TS 33.234 Release 6)“. i.21 ITU-T Recommendation H.248: “Gateway control pr

31、otocol“. i.22 ETSI TR 102 055: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); ENUM scenarios for user and infrastructure ENUM“. i.23 ETSI TR 102 420: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN

32、); Review of activity on security“. i.24 IETF RFC 2535: “Domain Name System Security Extensions“. ETSI ETSI TR 187 002 V3.1.1 (2011-04) 12 i.25 IETF RFC 3761: “The E.164 to Uniform Resource Identifiers (URI) Dynamic Delegation Discovery System (DDDS) Application (ENUM)“. i.26 IETF RFC 3403: “Dynamic

33、 Delegation Discovery System (DDDS) Part Three: The Domain Name System (DNS) Database“. i.27 IETF RFC 2915: “The Naming Authority Pointer (NAPTR) DNS Resource Record“. i.28 Draft-ietf-dnsext-dnssec-protocol-06 (2004): “Protocol Modifications for the DNS Security Extensions“. i.29 Draft-ietf-dnsext-d

34、nssec-records-08 (2004): “Resource Records for DNS Security Extensions“. i.30 Draft-ietf-dnsext-dnssec-intro-11 (2004): “DNS Security Introduction and Requirements“. i.31 ISO/IEC 15408-2: “Information technology - Security techniques - Evaluation criteria for IT security - Part 2: Security functiona

35、l requirements“. i.32 ISO/IEC 15408: “Information technology - Security techniques - Evaluation criteria for IT security“. NOTE: When referring to all parts of ISO/IEC 15408 the reference above is used. i.33 3GPP TR 33.803: “3rd Generation Partnership Project; Technical Specification Group Services

36、and System Aspects; Coexistence between TISPAN and 3GPP authentication schemes (Release 7)“. i.34 ETSI TR 187 011: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Security; Application of ISO-15408-2 requirements to ETSI standards - guide, meth

37、od and application with examples“. i.35 ETSI TS 183 017: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Resource and Admission Control: DIAMETER protocol for session based policy set-up information exchange between the Application Function (AF) an

38、d the Service Policy Decision Function (SPDF); Protocol Specification“. i.36 IETF RFC 1631: “The IP Network Address Translator (NAT)“. i.37 IETF RFC 1918: “Address Allocation for Private Internets“. i.38 IETF RFC 3489: “STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address

39、Translators (NATs)“. i.39 IETF draft, draft-ietf-behave-rfc3489bis-13 (November 2007): “STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)“. i.40 IETF draft, draft-ietf-mmusic-ice-19 (October 2007): “Interactive Connectivity Establishment (ICE): A Meth

40、odology for Network Address Translator (NAT) Traversal for Offer/Answer Protocols“. i.41 IETF draft, draft-behave-turn-02 (February 2006): “Obtaining Relay Addresses from Simple Traversal of UDP Through NAT (STUN)“. i.42 ETSI TR 187 009: “Telecommunications and Internet Converged Services and Protoc

41、ols for Advanced Networking (TISPAN); Feasibility study of prevention of unsolicited communication in the NGN“. i.43 ETSI SR 002 211: “Electronic communications networks and services; Candidate list of standards and/or specifications in accordance with Article 17 of Directive 2002/21/EC“. i.44 ETSI

42、TS 181 016: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Service Layer Requirements to integrate NGN services and IPTV“. ETSI ETSI TR 187 002 V3.1.1 (2011-04) 13 i.45 Directive 95/46/EC Of The European Parliament And Of The Council of 24 October

43、 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. i.46 ETSI TS 185 006 (V2.3.1): “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Customer Devices architecture and Reference

44、Points“. i.47 ETSI TS 185 010: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Customer Premises Networks: Protocol Specification (Stage 3)“. i.48 ETSI TS 184 002: “Telecommunications and Internet converged Services and Protocols for Advanced Netwo

45、rking (TISPAN); Identifiers (IDs) for NGN“. i.49 ETSI ES 283 003: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); IP Multimedia Call Control Protocol based on Session Initiation Protocol (SIP) and Session Description Protocol (SDP) Stage 3 3GPP TS

46、24.229 Release 7, modified“. i.50 Void. i.51 UK Home Office; R.V.Clark, “Hot Products: understanding, anticipating and reducing demand for stolen goods“, ISBN 1-84082-278-3. i.52 ETSI TR 187 002 (V1.2.2): “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISP

47、AN);TISPAN NGN Security (NGN-SEC);Threat, Vulnerability and Risk Analysis“. i.53 IEEE 802.11 (2007): “Standard for Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements: Part 11: Wireless LAN Medium Access

48、Control (MAC) and Physical Layer (PHY) specifications“. i.54 Void. i.55 ETSI TS 187 016: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Security; Identity Protection (Protection Profile)“. i.56 ETSI EN 300 392-7: “Terrestrial Trunked Radio (TE

49、TRA); Voice plus Data (V+D); Part 7: Security“. i.57 ISO/IEC 15408-2: “ Information technology - Security techniques - Evaluation criteria for IT security - Part 2: Security functional requirements“. i.58 ETSI TR 121 905: “Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); LTE; Vocabulary for 3GPP Specifications (3GPP TR 21.905)“. i.59 ISO/IEC 7498-2: “ Information processing systems - Open Sys