ITU-T M 3016 3-2005 Security for the management plane Security mechanism《管理飞机安全措施 安全机制研究组4》.pdf

1、 International Telecommunication Union ITU-T M.3016.3TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (04/2005) SERIES M: TELECOMMUNICATION MANAGEMENT, INCLUDING TMN AND NETWORK MAINTENANCE Telecommunications management network Security for the management plane: Security mechanism ITU-T Recommendatio

2、n M.3016.3 ITU-T M-SERIES RECOMMENDATIONS TELECOMMUNICATION MANAGEMENT, INCLUDING TMN AND NETWORK MAINTENANCE Introduction and general principles of maintenance and maintenance organization M.10M.299 International transmission systems M.300M.559 International telephone circuits M.560M.759 Common cha

3、nnel signalling systems M.760M.799 International telegraph systems and phototelegraph transmission M.800M.899 International leased group and supergroup links M.900M.999 International leased circuits M.1000M.1099 Mobile telecommunication systems and services M.1100M.1199 International public telephon

4、e network M.1200M.1299 International data transmission systems M.1300M.1399 Designations and information exchange M.1400M.1999 International transport network M.2000M.2999 Telecommunications management network M.3000M.3599 Integrated services digital networks M.3600M.3999 Common channel signalling s

5、ystems M.4000M.4999 For further details, please refer to the list of ITU-T Recommendations. ITU-T Rec. M.3016.3 (04/2005) i ITU-T Recommendation M.3016.3 Security for the management plane: Security mechanism Summary This Recommendation identifies the security mechanisms for the management plane in t

6、he Telecommunications management network. This Recommendation focuses specifically on the security aspect of the management plane for network elements (NE) and management systems (MS), which are part of the Telecommunication infrastructure. Source ITU-T Recommendation M.3016.3 was approved on 13 Apr

7、il 2005 by ITU-T Study Group 4 (2005-2008) under the ITU-T Recommendation A.8 procedure. ii ITU-T Rec. M.3016.3 (04/2005) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications. The ITU Telecommunication Standardization Se

8、ctor (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets eve

9、ry four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purvie

10、w, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is volunt

11、ary. However, the Recommendation may contain certain mandatory provisions (to ensure e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the

12、negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve t

13、he use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommend

14、ation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementors are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database. ITU 2

15、005 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. ITU-T Rec. M.3016.3 (04/2005) iii CONTENTS Page 1 Scope 1 2 References. 1 3 Definitions 2 4 Abbreviations 2 5 Conventions 3 6 Security mechanisms 3 6.1 User a

16、uthentication. 4 6.2 Peer entity and data origin authentication 5 6.3 Access control 6 6.4 Data confidentiality 7 6.5 Data integrity 10 6.6 Audit trail 11 6.7 Key exchange . 12 6.8 Alarm reporting 12 6.9 Packet filtering 13 Appendix I IPsec, SSL/TLS and SSH security mechanisms 13 I.1 IPsec . 13 I.2

17、SSL/TLS. 14 I.3 SSH. 15 Appendix II 16 II.1 Objectives. 16 II.2 Network design considerations affecting packet filtering 16 II.3 Basic packet filtering 19 II.4 Enhanced packet filtering . 19 BIBLIOGRAPHY 20 iv ITU-T Rec. M.3016.3 (04/2005) Introduction Telecommunications is a critical infrastructure

18、 for global communication and economy. Appropriate security for the management functions controlling this infrastructure is essential. Many standards for Telecommunications network management security exist. However, compliance is low and implementations are inconsistent across the various telecommu

19、nications equipment and software components. This Recommendation identifies the security mechanisms to allow vendors, agencies, and service providers to implement a secure Telecommunications management infrastructure. Although the present set of security mechanisms represents the current understandi

20、ng of the state of the art, technologies will advance and conditions will change. To be successful, this Recommendation must evolve as conditions warrant. This Recommendation is intended as a foundation. Service providers may include additional security mechanisms to meet their specific needs over a

21、nd above those in this Recommendation. This Recommendation is part of the M.3016.x series of ITU-T Recommendations intended to provide guidance and recommendations for securing the management plane of evolving networks: ITU-T Rec. M.3016.0 Security for the management plane: Overview. ITU-T Rec. M.30

22、16.1 Security for the management plane: Security requirements. ITU-T Rec. M.3016.2 Security for the management plane: Security services. ITU-T Rec. M.3016.3 Security for the management plane: Security mechanism. ITU-T Rec. M.3016.4 Security for the management plane: Profile proforma. ITU-T Rec. M.30

23、16.3 (04/2005) 1 ITU-T Recommendation M.3016.3 Security for the management plane: Security mechanism 1 Scope ITU-T Recs M.3016.1-M.3016.3 specify a set of requirements, services and mechanisms for the appropriate security of the management functions necessary to support the telecommunications infras

24、tructure. Because different administrations and organizations require varying levels of security support, the ITU-T Recs M.3016.1-M.3016.3 do not specify whether a requirement/service/mechanism is mandatory or optional. This Recommendation identifies the security mechanisms for the management plane

25、in the Telecommunications management network. This Recommendation focuses specifically on the security aspect of the management plane for network elements (NE) and management systems (MS), which are part of the Telecommunication infrastructure. This Recommendation is generic in nature and does not i

26、dentify or address the security mechanisms for a specific Telecommunications Management Network (TMN) interface. The proforma defined in ITU-T Rec. M.3016.4 is provided to assist the organizations, administrations and other national/international organizations, in specifying the mandatory and option

27、al support of the requirements as well as value ranges, values etc., to help implement their security policies. 2 References The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of

28、 publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list

29、 of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation. ITU-T Recommendation G.8080/Y.1304 (2001), Architecture for the Automatically Switched Optical Net

30、work (ASON), plus Amendment 2 (2005). ITU-T Recommendation M.3010 (2000), Principles for a telecommunications management network. ITU-T Recommendation M.3016.0 (2005), Security for the management plane: Overview. ITU-T Recommendation M.3016.2 (2005), Security for the management plane: Security servi

31、ces. ITU-T Recommendation M.3016.3 (2005), Security for the management plane: Security mechanism. ITU-T Recommendation M.3016.4 (2005), Security for the management plane: Profile proforma. ITU-T Recommendation X.509 (2000), Information technology Open Systems Interconnection: The Directory: Public-k

32、ey and attribute certificate frameworks, plus Corrigendum 1 (2001), Corrigendum 2 (2002), and Corrigendum 3 (2004). ITU-T Recommendation X.800 (1991), Security architecture for Open Systems Interconnection for CCITT Applications, plus Amendment 1 (1996). 2 ITU-T Rec. M.3016.3 (04/2005) ITU-T Recomme

33、ndation X.805 (2003), Security architecture for systems providing end-to-end communications. 3 Definitions This Recommendation does not define any new terms. 4 Abbreviations This Recommendation uses the following abbreviations: CORBA Common Object Request Broker Architecture DoS Denial of Service EM

34、S Element Management System FTP File Transfer Protocol HTTP Hypertext Transfer Protocol IETF Internet Engineering Task Force IP Internet Protocol IPSec Internet Protocol Security ISO/IEC International Organization for Standardization/International Electrotechnical Commission ITU-T International Tele

35、communication Union Telecommunication Standardization Sector MS Management System; any EMS, NMS, or OSS1NE Network Element NE/MS NE or MS NMS Network Management System NTP Network Time Protocol NTPv3 NTP version 3 OAM SER for service; MEC for mechanism. 6 Security mechanisms This clause contains the

36、 specific security mechanisms for operations, administration, maintenance, and provisioning (OAM other possible services (e.g., detection of denial of service) are left out. Table 1/M.3016.3 Mapping of security requirements and security services Security functional requirement Security service Verif

37、ication of identities user authentication peer entity authentication data origin authentication Controlled access and authorization access control Protection of confidentiality stored data access control confidentiality Protection of confidentiality transferred data confidentiality Protection of dat

38、a integrity stored data access control Protection of data integrity transferred data integrity Accountability non-repudiation Activity logging audit trail Security alarm reporting security alarm Security audit audit trail Protection of the DCN packet inspection 4 ITU-T Rec. M.3016.3 (04/2005) Table

39、2 below outlines the organization of this clause: Table 2/M.3016.3 Organization of this clause Clause Contents 6.1 Discusses authentication security mechanisms including user authentication, peer entity authentication. 6.2 Discusses data origin authentication. 6.3 Discusses access control security m

40、echanisms. 6.4 Discusses data confidentiality security mechanisms. 6.5 Discusses data integrity security mechanisms. 6.6 Discusses audit trail security mechanisms. 6.1 User authentication User authentication is the act of verifying a claimed identity of a person. User authentication may be based on

41、security mechanisms which include: User ID and password combination (with suitably complex passwords) where the password may be a one time password (e.g., SecureID). Multi-factor authentication. Single sign-on authentication. A discussion of user authentication security mechanisms is given in this c

42、lause. 6.1.1 User ID and Passwords authentication User ID and static passwords may be used for user authentication. User authentication involves proving the true identity of the legitimate system user and preventing masquerading by illegitimate imposters. With proper authentication, it is possible t

43、o track activities and apply access control to restrict users to pre-authorized activities or roles as discussed in 6.2. User ID and password authentication involves assigning a unique User ID to each user, and then assigning a suitably complex secret password which is used in combination with the U

44、ser ID to prove identity. Passwords should contain enough characters and other randomness to prevent guessing by persons or by machine automated techniques. Examples of characteristics of complex passwords may include such requirements as the following: MEC 1: Passwords may be required to be a minim

45、um number of characters long (e.g., eight characters). MEC 2: Passwords may be prevented containing certain characters. MEC 2a: Passwords may be prevented from including a repeat or the reverse of the associated user ID. MEC 2b: Passwords may be required not to contain a set of configured character

46、sequences anywhere within them (e.g., words from a dictionary or product names). MEC 3: Passwords may be required to have no more than a certain number of the same characters used consecutively. MEC 4: Passwords may be required to contain at least a certain number of lower case and/or upper case alp

47、ha characters. MEC 5: Passwords may be required to contain at least a certain number of numeric characters. ITU-T Rec. M.3016.3 (04/2005) 5 MEC 6: Passwords may be required to contain at least a certain number of special characters. Administration of passwords is also very important to ensure a secu

48、re authentication system. For example the following password system administration capabilities may be desired: MEC 7: The password administration system may require the entry of the old password to prevent another user from changing a logged-on users password without their knowledge. MEC 8: The sys

49、tem may automatically check to ensure that each new login password differs from the previous password. (Because passwords are typically stored via one-way encryption, the entry of the old password may also be required to allow the system to determine the degree of difference between the old and new passwords2). MEC 9: The system may support a password history list to prevent password reuse. MEC 10: The system may enforce the changing of passwords after certain time intervals. MEC 11: After a certain number of invalid pa