ITU-T M 3016 0-2005 Security for the management plane Overview (Study Group 4)《安全管理飞机 电信管理网概述研究组4》.pdf

1、 International Telecommunication Union ITU-T M.3016.0TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (05/2005) SERIES M: TELECOMMUNICATION MANAGEMENT, INCLUDING TMN AND NETWORK MAINTENANCE Telecommunications management network Security for the management plane: Overview ITU-T Recommendation M.3016.0

2、 ITU-T M-SERIES RECOMMENDATIONS TELECOMMUNICATION MANAGEMENT, INCLUDING TMN AND NETWORK MAINTENANCE Introduction and general principles of maintenance and maintenance organization M.10M.299 International transmission systems M.300M.559 International telephone circuits M.560M.759 Common channel signa

3、lling systems M.760M.799 International telegraph systems and phototelegraph transmission M.800M.899 International leased group and supergroup links M.900M.999 International leased circuits M.1000M.1099 Mobile telecommunication systems and services M.1100M.1199 International public telephone network

4、M.1200M.1299 International data transmission systems M.1300M.1399 Designations and information exchange M.1400M.1999 International transport network M.2000M.2999 Telecommunications management network M.3000M.3599 Integrated services digital networks M.3600M.3999 Common channel signalling systems M.4

5、000M.4999 For further details, please refer to the list of ITU-T Recommendations. ITU-T Rec. M.3016.0 (05/2005) i ITU-T Recommendation M.3016.0 Security for the management plane: Overview Summary This Recommendation provides an overview and framework that identifies security threats to a TMN and out

6、lines how available security services can be applied within the context of the TMN functional architecture. Source ITU-T Recommendation M.3016.0 was approved on 22 May 2005 by ITU-T Study Group 4 (2005-2008) under the ITU-T Recommendation A.8 procedure. ii ITU-T Rec. M.3016.0 (05/2005) FOREWORD The

7、International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recom

8、mendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The

9、approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Adminis

10、tration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure e.g. interoperability or applicability) and compli

11、ance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is

12、 required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Int

13、ellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendatio

14、n. However, implementors are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database. ITU 2005 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of

15、 ITU. ITU-T Rec. M.3016.0 (05/2005) iii CONTENTS Page 1 Scope 1 2 References. 1 3 Definitions 2 4 Abbreviations and acronyms 2 5 Rationale. 3 6 System description 3 6.1 Actors and roles 4 6.2 Security domains 5 7 Generic security objectives for TMN . 5 8 Legislation issues 6 9 Threats and risks. 6 1

16、0 Security requirements and services 7 10.1 Security requirements and corresponding services 8 10.2 Requirements on the management of security 12 10.3 Architectural requirements . 13 10.4 Security services and OSI layers 13 10.5 Security management . 15 Appendix I Functional classes and security sub

17、profiles . 16 I.1 Grouping of security measures. 16 I.2 Functional classes. 16 I.3 Security profiles 18 ITU-T Rec. M.3016.0 (05/2005) 1 ITU-T Recommendation M.3016.0 Security for the management plane: Overview 1 Scope This Recommendation provides an overview and framework that identifies security th

18、reats to a TMN and outlines how available security services can be applied within the context of the TMN functional architecture, as described in ITU-T Rec. M.3010. This Recommendation is generic in nature and does not identify or address the requirements for a specific TMN interface. This Recommend

19、ation does not seek to define new security services but uses existing security services defined in other ITU-T Recommendations and ISO Standards. This Recommendation is part of the M.3016.x series of ITU-T Recommendations intended to provide guidance and recommendations for securing the management p

20、lane of evolving networks: ITU-T Rec. M.3016.0 Security for the management plane: Overview. ITU-T Rec. M.3016.1 Security for the management plane: Security requirements. ITU-T Rec. M.3016.2 Security for the management plane: Security services. ITU-T Rec. M.3016.3 Security for the management plane: S

21、ecurity mechanism. ITU-T Rec. M.3016.4 Security for the management plane: Profile proforma. ITU-T Recs M.3016.1, M.3016.2 and M.3016.3 specify a set of requirements, services and mechanisms for the appropriate security of the management functions necessary to support the telecommunications infrastru

22、cture. Because different administrations and organizations require varying levels of security support, ITU-T Recs M.3016.1, M.3016.2 and M.3016.3 do not specify whether a requirement/service/mechanism is mandatory or optional. The proforma defined in ITU-T Rec. M.3016.4 is provided to assist organiz

23、ations, administrations and other national/international organizations, to specify the mandatory and optional support of the requirements as well as value ranges, values, etc. to help implement their security policies. 2 References The following ITU-T Recommendations and other references contain pro

24、visions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possi

25、bility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recomme

26、ndation. ITU-T Recommendation E.408 (2004), Telecommunication networks security requirements. ITU-T Recommendation M.3010 (2000), Principles for a telecommunications management network. ITU-T Recommendation M.3400 (2000), TMN management functions. ITU-T Recommendation X.509 (2000), Information techn

27、ology Open Systems Interconnection The Directory: Public-key and attribute certificate frameworks. 2 ITU-T Rec. M.3016.0 (05/2005) ITU-T Recommendation X.741 (1995), Information technology Open Systems Interconnection Systems management: Objects and attributes for access control. ITU-T Recommendatio

28、n X.800 (1991), Security architecture for Open Systems Interconnection for CCITT applications. ITU-T Recommendation X.802 (1995), Information technology Lower layers security model. ITU-T Recommendation X.803 (1994), Information technology Open Systems Interconnection Upper layers security model. IT

29、U-T Recommendation X.810 (1995), Information technology Open Systems Interconnection Security frameworks for open systems: Overview. ITU-T Recommendation X.812 (1995), Information technology Open Systems Interconnection Security frameworks for open systems: Access control framework. ITU-T Recommenda

30、tion X.813 (1996), Information technology Open Systems Interconnection Security frameworks for open systems: Non-repudiation framework. ITU-T Recommendation X.814 (1995), Information technology Open Systems Interconnection Security frameworks for open systems: Confidentiality framework. ITU-T Recomm

31、endation X.815 (1995), Information technology Open Systems Interconnection Security frameworks for open systems: Integrity framework. ITU-T Recommendation X.816 (1995), Information technology Open Systems Interconnection Security frameworks for open systems: Security audit and alarms framework. ISO/

32、IEC 9979:1999, Information technology Security techniques Procedures for the registration of cryptographic algorithms. 3 Definitions This Recommendation does not define any new terms. 4 Abbreviations and acronyms This Recommendation uses the following abbreviations: CCITT International Telegraph and

33、 Telephone Consultative Committee DCN Data Communication Network FC Functional classes ISO International Organization for Standardization ITU-T International Telecommunication Union Telecommunication Standardization Sector LLA Logical Layered Architecture MF Mediation Function NEF Network Element Fu

34、nction OSF Operation System Function OSI Open System Interconnection PIN Personal Identification Number TF Transformation Function ITU-T Rec. M.3016.0 (05/2005) 3 TMN Telecommunications Management Network TTP Trusted Third Party WSF WorkStation Function 5 Rationale The requirement for security in TM

35、N has originated from different sources: Customers/subscribers need confidence in the network and the services offered, including correct billing. The Public Community/Authorities demand security by Directives and Legislation, in order to ensure availability of services and privacy protection. Netwo

36、rk Operators/Service Providers themselves need security to safeguard their operation and business interests, and to meet their obligations to the customers and the public. A TMN is intended to manage the underlying telecommunications network; therefore, the security of the TMN is essential to the pr

37、oper functioning of the telecommunications network. Furthermore, the telecommunications network may incorporate security features that need to be managed by the TMN. ITU-T Rec. M.3400 enumerates those security management functions. TMN Security Standards should preferably be based upon international

38、ly agreed security standards as it is beneficial to reuse rather than create new ones. The provisioning and usage of security services and mechanisms can be quite expensive relative to the value of the transactions being protected. It is, therefore, important to be able to customize the security pro

39、vided to the TMN transactions being protected. The security services and mechanisms that are used for securing TMN transactions should be provided in a way that allows such customization. Due to the large number of possible combinations of security features, it is desirable to have security profiles

40、 (see Appendix I) that cover a broad range of TMN security applications. Standardization will facilitate reuse of solutions and products, meaning that security can be introduced faster and at lower cost. Important benefits of standardized solutions for vendors and users of the systems alike are the

41、economy of scale in product development and component interoperation within a TMN system with regard to security. It is necessary to provide security services and mechanisms to protect TMN transactions among TMN entities (as defined in ITU-T Rec. M.3010) against malicious attacks such as eavesdroppi

42、ng, spoofing, tampering with messages (modification, delay, deletion, insertion, replay, re-routing, misrouting, or re-ordering of messages), repudiation or forgery. Protection includes prevention, detection and recovery from attacks, as well as management of security-related information. Standards

43、should cover both intra-domain (Q and F) and inter-domain (X) interfaces. 6 System description The objective of this Recommendation is an abstraction which makes it possible to avoid the many implementation details and to agree upon results that may be useful when later mapped on to specific impleme

44、ntations. The TMN is described in terms of a functional architecture, an information architecture and a physical architecture (ITU-T Rec. M.3010). It is recognized in ITU-T Rec. M.3010 that TMN building blocks may support other interfaces in addition to those of Q, X and F. Similarly, the physical e

45、quipment may have other functionality in addition to that associated with information received via Q, X and F. These additional interfaces 4 ITU-T Rec. M.3016.0 (05/2005) and related functionality are outside the scope of the TMN and, therefore, outside the scope of TMN security standardization. M.3

46、016.0_F6.1OSFNEFWSFqfqgTFOSFNEFWSFqqfqmgTMN TMNxFigure 1/M.3016.0 TMN functional architecture 6.1 Actors and roles For the purpose of TMN security standardization, only technical security will be considered, which means that the relevant actors to consider are TMN users. A TMN user is a person or pr

47、ocess applying TMN Management Services for the purpose of fulfilling management operations. TMN users can further be categorized dependent on whether they belong to the organization running the TMN (internal users) or whether they access the TMN as external users. Each time a TMN user accesses a Man

48、agement Service, the TMN user will take on a role. In some cases there will be a one-to-one relationship between a TMN user and a role, i.e., the TMN user will always stay in the same role. In other cases, there will be a one-to-many relationship between a specific TMN user and the possible roles th

49、e TMN user can play. The following gives a high-level classification of some common roles: Network Operators (private or public); Service Providers (Bearer Service Providers or Value Added Service Providers); Service Subscribers/Service Customers; Service End Users; Equipment/Software Vendors; Trusted Third Party (that is, a third party who is trusted by both parties and operates in accordance with relevant national laws and regulations to provide certification, authentic