ETSI TS 132 371-2018 Digital cellular telecommunications system (Phase 2+) (GSM) Universal Mobile Telecommunications System (UMTS) LTE Telecommunication management Security Managem.pdf

1、 ETSI TS 132 371 V15.0.0 (2018-07) Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; Telecommunication management; Security Management concept and requirements (3GPP TS 32.371 version 15.0.0 Release 15) TECHNICAL SPECIFICATION ETSI E

2、TSI TS 132 371 V15.0.0 (2018-07)13GPP TS 32.371 version 15.0.0 Release 15Reference RTS/TSGS-0532371vf00 Keywords GSM,LTE,UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non l

3、ucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of th

4、e present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific netw

5、ork drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find error

6、s in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm excep

7、t as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. ETSI 2018. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo

8、 are trademarks of ETSI registered for the benefit of its Members. 3GPPTM and LTETMare trademarks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. oneM2M logo is protected for the benefit of its Members. GSMand the GSM logo are trademarks registered and owne

9、d by the GSM Association. ETSI ETSI TS 132 371 V15.0.0 (2018-07)23GPP TS 32.371 version 15.0.0 Release 15Intellectual Property Rights Essential patents IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The information pertaining to these essential IPRs

10、, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are avai

11、lable on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which ar

12、e, or may be, or may become, essential to the present document. Trademarks The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners. ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conve

13、ys no right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks. Foreword This Technical Specification (TS) has been produced by ETSI

14、 3rd Generation Partnership Project (3GPP). The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or GSM identities. These should be interpreted as being references to the corresponding ETSI deliverables. The cross reference between GSM, U

15、MTS, 3GPP and ETSI identities can be found under http:/webapp.etsi.org/key/queryform.asp. Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ET

16、SI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. ETSI ETSI TS 132 371 V15.0.0 (2018-07)33GPP TS 32.371 version 15.0.0 Release 15Contents Intellectual Property Rights 2g3Foreword . 2g3Mod

17、al verbs terminology 2g3Foreword . 4g3Introduction 4g31 Scope 6g32 References 6g33 Definitions and abbreviations . 7g33.1 Definitions 7g33.2 Abbreviations . 8g34 Security Management background . 9g34.1 Security domains 9g34.2 Security objectives . 10g34.3 Security threats . 10g34.4 Security Mechanis

18、ms and services . 10g34.5 TMN perspective regarding security threats. 11g35 Security Management context and architecture . 12g35.1 Context . 12g35.2 Architecture 12g36 Security threats in IRP context . 13g36.1 Security threats to IRPs 13g36.2 Mapping of Security requirements and Threats in IRP Conte

19、xt . 15g37 Security requirement of Itf-N . 16g3Annex A (informative): Protocols for IP Network Security to Support Itf-N . 18g3Annex B (informative): Firewalls for Network Security to Support Itf-N 27g3Annex C (informative): Change history . 28g3History 29g3ETSI ETSI TS 132 371 V15.0.0 (2018-07)43GP

20、P TS 32.371 version 15.0.0 Release 15Foreword This Technical Specification has been produced by the 3rdGeneration Partnership Project (3GPP). The contents of the present document are subject to continuing work within the TSG and may change following formal TSG approval. Should the TSG modify the con

21、tents of the present document, it will be re-released by the TSG with an identifying change of release date and an increase in version number as follows: Version x.y.z where: x the first digit: 1 presented to TSG for information; 2 presented to TSG for approval; 3 or greater indicates TSG approved d

22、ocument under change control. y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, updates, etc. z the third digit is incremented when editorial only changes have been incorporated in the document. Introduction The present document is part of a TS

23、-family covering the 3rdGeneration Partnership Project; Technical Specification Group Services and System Aspects; Telecommunication management; as identified below: 32.371: “Security Management concept and requirements“. 32.372: “Security services for Integration Reference Points (IRP); Information

24、 Service (IS)“. 32.376: “Security services for Integration Reference Point (IRP); Solution Set (SS) definitions“. In 3GPP SA5 context, IRPs are introduced to address process interfaces at the Itf-N interface. The Itf-N interface is built up by a number of Integration Reference Points (IRPs) and a re

25、lated Name Convention, which realize the functional capabilities over this interface. The basic structure of the IRPs is defined in 3GPP TS 32.101 1 and 3GPP TS 32.102 2. IRP consists of IRPManager and IRPAgent. Usually there are three types of transaction between IRPManager and IRPAgent, which are

26、operation invocation, notification, and file transfer. However, there are different types of intentional threats against the transaction between IRPManagers and IRPAgents. All the threats are potential risks of damage or degradation of telecommunication services, which operators should take measures

27、 to reduce or eliminate to secure the telecommunication service, network, and data. By introducing Security Management, the present document describes security requirements to relieve the threats between IRPManagers and IRPAgents. As described in 3GPP TS 32.101 1, the architecture of Security Manage

28、ment is divided into two layers: Layer A - Application Layer Layer B - OAM Principles and high level requirements“. 2 3GPP TS 32.102: “Telecommunication management; Architecture“. 3 ITU-T Recommendation M.3016 (1998): “TMN security overview“. 4 3GPP TS 33.102: “3G Security; Security architecture“. 5

29、 ITU-T Recommendation X.800: “Security architecture for Open Systems Interconnection for CCITT applications“. 6 3GPP TS 32.150: “Telecommunication management; Integration Reference Point (IRP) Concept and definitions“. ETSI ETSI TS 132 371 V15.0.0 (2018-07)73GPP TS 32.371 version 15.0.0 Release 153

30、Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the terms and definitions given in ITU-T Recommendation X.800 5, ITU-T Recommendation M.3016 3 and the following apply: access control: prevention of unauthorized use of a resource, including the prevention of us

31、e of a resource in an unauthorized manner, see ITU-T Recommendation X.800 5. accountability: property that ensures that the actions of an entity may be traced uniquely to the entity, see ITU-T Recommendation X.800 5. audit: See Security Audit. authentication: See data origin authentication and peer

32、element authentication, see ITU-T Recommendation X.800 5. authorization: granting of rights, which includes the granting of access based on access rights, see ITU-T. Recommendation X.800 5 availability: property of being accessible and useable upon demand by an authorized entity, see ITU-T. Recommen

33、dation X.800 5 confidentiality: property that information is not made available or disclosed to unauthorized individuals, entities, or processes, see ITU-T Recommendation X.800 5. credentials: data that is transferred to establish the claimed identity of an entity, see ITU-T Recommendation X.800 5.

34、cryptography: discipline which embodies principles, means, and methods for the transformation of data in order to hide its information content, prevent its undetected modification and/or prevent its unauthorized us, see ITU-T Recommendation X.800 5. data integrity: property that data has not been al

35、tered or destroyed in an unauthorized manner, see ITU-T Recommendation X.800 5. data origin authentication: corroboration that the source of data received is as claimed, see ITU-T Recommendation X.800 5. denial of service: prevention of authorized access to resources or the delaying of time-critical

36、 operations, see ITU-T Recommendation X.800 5. digital signature: data appended to, or a cryptographic transformation (see cryptography) of a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery e.g. by the recipient, see I

37、TU-T Recommendation X.800 5. eavesdropping: breach of confidentiality by monitoring communication, see ITU-T Recommendation M.3016 3. forgery: entity fabricates information and claims that such information was received from another entity or sent to another entity, see ITU-T Recommendation M.3016 3.

38、 Integration Reference Point (IRP): See 3GPP TS 32.150 6. IRPAgent: See 3GPP TS 32.150 6. IRPManager: See 3GPP TS 32.150 6. loss or corruption of information: integrity of data transferred is compromised by unauthorized deletion, insertion, modification, re-ordering, replay or delay, see ITU-T Recom

39、mendation M.3016 3. Operations System (OS): indicates a generic management system, independent of its location level within the management hierarchy. masquerade: pretence by an entity to be a different entity, see ITU-T Recommendation X.800 5. ETSI ETSI TS 132 371 V15.0.0 (2018-07)83GPP TS 32.371 ve

40、rsion 15.0.0 Release 15password: confidential authentication information, usually composed of a string of characters, see ITU-T Recommendation X.800 5. Peer Entity Authentication: The corroboration that a peer entity in an association is the one claimed, see ITU-T Recommendation X.800 5. repudiation

41、: denial by one of the entities involved in a communication of having participated in all or part of the communication, see ITU-T Recommendation X.800 5. security audit: independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure co

42、mpliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in control, policy and procedures, see ITU-T Recommendation X.800 5. threat: potential violation of security, see ITU-T Recommendation X.800 5. unauthorized access: ent

43、ity attempts to access data in violation of the security policy in force, see ITU-T Recommendation M.3016 3. 3.2 Abbreviations For the purposes of the present document, the following abbreviations apply: CM Configuration Management CS Communication SurveillanceDCN Data Communication Network EM Eleme

44、nt Manager EP Entry Point FT File TransferIRP Integration Reference Point IS Information Service (see 3GPP TS 32.101 1) ITU-T International Telecommunication Union - Telecommunication standardization sector NE Network Element NL Notification LogNM Network Manager NRM Network Resource Model OAM - The

45、 set of security features that secure access to mobile stations; - The set of security features that enable applications in the user and in the provider domain to securely exchange messages. The Network domain provides the set of security features that enable nodes in the provider domain to securely

46、 exchange signalling data, and protect against attacks on the wireline network. This domain covers protection of the network, network elements and all internal (control and signalling) traffic against security threats. The network elements can belong to a single operator (intra-operator) or to diffe

47、rent operators (inter-operator). The OAM - Installation of security mechanisms; - Key management (management part); - Establishment of identities, keys, access control information, etc.; - Management of security audit trail and security alarms. Using the above partitioned view, the scope of the pres

48、ent document is focused on security requirements of the OAM - Data integrity; - Accountability; - Availability; 4.3 Security threats A security threat is defined by ITU-T Recommendation M.3016 3 as a potential violation of security that can be directed at one of the four basic security objectives (s

49、ee subclause 4.2). ITU-T Recommendation X.800 5 defines the following security threats: - Masquerade. - Eavesdropping. - Unauthorized access. - Loss or corruption of information. - Repudiation. - Forgery. - Denial of service. NOTE: In contemporary network security jargon, “denial of service“ is most often used to describe a class of attacks that are intended to subvert the delivery of service. In this context the “denial of service“ threat can be best described as “denial of service delivery“. 4.4 Secu