ITU-T M 3410-2008 Guidelines and requirements for security management systems to support telecommunications management (Study Group 4)《支持电信管理的安全管理系统用导则和要求 研究组4》.pdf

1、 International Telecommunication Union ITU-T M.3410TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (08/2008) SERIES M: TELECOMMUNICATION MANAGEMENT, INCLUDING TMN AND NETWORK MAINTENANCE Telecommunications management network Guidelines and requirements for security management systems to support tele

2、communications management Recommendation ITU-T M.3410 ITU-T M-SERIES RECOMMENDATIONS TELECOMMUNICATION MANAGEMENT, INCLUDING TMN AND NETWORK MAINTENANCE Introduction and general principles of maintenance and maintenance organization M.10M.299 International transmission systems M.300M.559 Internation

3、al telephone circuits M.560M.759 Common channel signalling systems M.760M.799 International telegraph systems and phototelegraph transmission M.800M.899 International leased group and supergroup links M.900M.999 International leased circuits M.1000M.1099 Mobile telecommunication systems and services

4、 M.1100M.1199 International public telephone network M.1200M.1299 International data transmission systems M.1300M.1399 Designations and information exchange M.1400M.1999 International transport network M.2000M.2999 Telecommunications management network M.3000M.3599 Integrated services digital networ

5、ks M.3600M.3999 Common channel signalling systems M.4000M.4999 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T M.3410 (08/2008) i Recommendation ITU-T M.3410 Guidelines and requirements for security management systems to support telecommunications management Summar

6、y Recommendation ITU-T M.3410 describes a set of functions considered necessary for the management of security mechanisms deployed in current and next generation packet-oriented networks. A logical collection of management functionality used to perform “operations, administration, maintenance and pr

7、ovisioning“ (OAM Support servers (e.g., DNS b-IETF RFC 2181, DHCP b-IETF RFC 2131, NTP b-IETF RFC 1305, backup, and other infrastructure support services); Internetworking/transport components (e.g., multiplexers, switches, routers, transport gateways, application gateways, gateway controllers, pack

8、et-filters a.k.a. firewalls, content filters, access points, bridges, wired and wireless telephony devices and monitoring probes for QoS, and network activity, to name a few); End user host systems (e.g., laptop systems, desktop systems, workstations, printers, etc.); and Management systems (e.g., e

9、lement management, network management, service management, and business management systems). All of the above entities are referred to in this Recommendation as managed elements (MEs) from a security management perspective. The requirements specified in this Recommendation should be applicable to a

10、TSPs current infrastructure and also infrastructure evolution necessary for building their next generation networks (NGNs) (see ITU-T Y.2001 and ITU-T Y.2012). This Recommendation draws on an ATIS standard b-ATIS 0300074 as a major source of information and text. A key aspect of this Recommendation

11、is that it defines a logical architecture and set of functionality independent of physical implementation. Functionality is defined in terms of functional entities, their logical relationships as well as aggregation of functional entities (FEs) into functional groups (FGs). Deployment and implementa

12、tion of these FEs and FGs, within an infrastructure, can take many forms, such as centralized, hierarchical, distributed, or some combination of these. This Recommendation takes no stand as to the implementation of FEs and FGs in so far as implementation decisions do not have security-related ramifi

13、cations. The detailed description of the interactions between FGs is not described in this Recommendation. Annex A contains a normative proforma wherein specific SMS requirements are documented. Appendices I, II and III are informative and cover: Appendix I: The relationship between the SMS and the

14、security concepts covered in ITU-T X.800. Appendix II: The relationship between the SMS and other TSP management systems and frameworks. Appendix III: The structure and organization of NGN networks and their growing complexity. 2 Rec. ITU-T M.3410 (08/2008) 2 References The following ITU-T Recommend

15、ations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are theref

16、ore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-

17、alone document, the status of a Recommendation. ITU-T M.60 Recommendation ITU-T M.60 (1993), Maintenance terminology and definitions. ITU-T M.3010 Recommendation ITU-T M.3010 (2000), Principles for a telecommunications management network. ITU-T M.3016.0 Recommendation ITU-T M.3016.0 (2005), Security

18、 for the management plane: Overview. ITU-T M.3016.1 Recommendation ITU-T M.3016.1 (2005), Security for the management plane: Security requirements. ITU-T M.3016.2 Recommendation ITU-T M.3016.2 (2005), Security for the management plane: Security services. ITU-T M.3016.3 Recommendation ITU-T M.3016.3

19、(2005), Security for the management plane: Security mechanism. ITU-T M.3016.4 Recommendation ITU-T M.3016.4 (2005), Security for the management plane: Profile proforma. ITU-T M.3050.2 Recommendation ITU-T M.3050.2 (2004), Enhanced Telecom Operations Map (eTOM) Process decompositions and descriptions

20、. ITU-T M.3060 Recommendation ITU-T M.3060/Y.2401 (2006), Principles for the management of Next Generation Networks. ITU-T X.500 Recommendation ITU-T X.500 (2005) | ISO/IEC 9594-1:2005, Information technology Open Systems Interconnection The Directory: Overview of concepts, models and services. ITU-

21、T X.509 Recommendation ITU-T X.509 (2000) | ISO/IEC 9594-8:2001, Information technology Open Systems Interconnection The Directory: Public-key and attribute certificate frameworks. ITU-T X.700 Recommendation ITU-T X.700 (1992), Management framework for Open Systems Interconnection (OSI) for CCITT ap

22、plications. ITU-T X.733 Recommendation ITU-T X.733 (1992) | ISO/IEC 10164-4:1992, Information technology Open Systems Interconnection Systems Management: Alarm reporting function. ITU-T X.736 Recommendation ITU-T X.736 (1992) | ISO/IEC 10164-7:1992, Information technology Open Systems Interconnectio

23、n Systems Management; Security alarm reporting function. ITU-T X.800 Recommendation ITU-T X.800 (1991), Security architecture for Open Systems Interconnection for CCITT applications. ITU-T X.805 Recommendation ITU-T X.805 (2003), Security architecture for systems providing end-to-end communications.

24、 Rec. ITU-T M.3410 (08/2008) 3 ITU-T X.810 Recommendation ITU-T X.810 (1995) | ISO/IEC 10181-1:1996, Information technology Open Systems Interconnection Security frameworks for open systems: Overview. ITU-T X.811 Recommendation ITU-T X.811 (1995) | ISO/IEC 10181-2:1996, Information technology Open S

25、ystems Interconnection Security frameworks for open systems: Authentication framework. ITU-T X.812 Recommendation ITU-T X.812 (1995) | ISO/IEC 10181-3:1996, Information technology Open Systems Interconnection Security frameworks for open systems: Access control framework. ITU-T X.816 Recommendation

26、ITU-T X.816 (1995) | ISO/IEC 10181-7:1996, Information technology Open Systems Interconnection Security frameworks for open systems: Security audit and alarms framework. ITU-T Y.2001 Recommendation ITU-T Y.2001 (2004), General overview of NGN. ITU-T Y.2012 Recommendation ITU-T Y.2012 (2006), Functio

27、nal requirements and architecture of the NGN release 1. ISO/IEC 15408-1 ISO/IEC 15408-1:2005, Information technology Security techniques Evaluation criteria for IT security Part 1: Introduction and general model. ISO/IEC 27002 ISO/IEC 27002:2005, Information technology Security techniques Code of pr

28、actice for information security management. 3 Definitions 3.1 Terms defined elsewhere This Recommendation uses the following terms defined elsewhere: 3.1.1 access control: ITU-T X.800 3.1.2 access control list: ITU-T X.800 3.1.3 alarm: ITU-T X.733 3.1.4 active threat: ITU-T X.800 3.1.5 asymmetric au

29、thentication method: ITU-T X.811 3.1.6 audit trail, see security audit trail: ITU-T X.800 3.1.7 authenticated identity: ITU-T X.811 3.1.8 authentication: ITU-T X.800 3.1.9 authentication information: ITU-T X.800 3.1.10 authorization: ITU-T X.800 3.1.11 business management layer: ITU-T M.3010 3.1.12

30、ciphertext: ITU-T X.800 3.1.13 cleartext: ITU-T X.800 3.1.14 confidentiality: ITU-T X.800 3.1.15 control security plane: Clause 8.2 of ITU-T X.805 3.1.16 credentials: ITU-T X.800 4 Rec. ITU-T M.3410 (08/2008) 3.1.17 cryptanalysis: ITU-T X.800 3.1.18 cryptography: ITU-T X.800 3.1.19 data integrity: I

31、TU-T X.800 3.1.20 decipherment: ITU-T X.800 3.1.21 decryption: ITU-T X.800 3.1.22 denial of service: ITU-T X.800 3.1.23 digital signature: ITU-T X.800 3.1.24 element management layer: ITU-T M.3010 3.1.25 encipherment: ITU-T X.800 3.1.26 encryption: ITU-T X.800 3.1.27 end-to-end encipherment: ITU-T X

32、.800 3.1.28 end-user security plane: Clause 8.3 of ITU-T X.805 3.1.29 hash function: ITU-T X.810 3.1.30 initiator: ITU-T X.812 3.1.31 integrity: ITU-T X.800 3.1.32 key: ITU-T X.800 3.1.33 key management: ITU-T X.800 3.1.34 network element: ITU-T M.3010 3.1.35 network management layer: ITU-T M.3010 3

33、.1.36 managed element (ME): ITU-T M.60 3.1.37 managed resources: ITU-T M.60 3.1.38 management security plane: Clause 8.1 of ITU-T X.805 3.1.39 management system: ITU-T M.60 3.1.40 masquerade: ITU-T X.800 3.1.41 non-repudiation: ITU-T X.800 3.1.42 object: ITU-T M.60 3.1.43 one-way hash function: ITU-

34、T X.810 3.1.44 operations system: ITU-T M.3010 3.1.45 passive threat: ITU-T X.800 3.1.46 password: ITU-T X.800 3.1.47 peer-entity authentication: ITU-T X.800 3.1.48 physical security: ITU-T X.800 3.1.49 privacy: ITU-T X.800 3.1.50 private key: ITU-T X.810 3.1.51 public key: ITU-T X.810 3.1.52 public

35、-key certificate: ITU-T X.509 3.1.53 repudiation: ITU-T X.800 Rec. ITU-T M.3410 (08/2008) 5 3.1.54 risk: ISO/IEC 27002 3.1.55 role: ISO/IEC 15408-1 3.1.56 secret key: ITU-T X.810 3.1.57 security alarm: ITU-T X.736 3.1.58 security audit: ITU-T X.800 3.1.59 security audit record: ITU-T X.816 3.1.60 se

36、curity audit trail: ITU-T X.800 3.1.61 security certificate: ITU-T X.810 3.1.62 security management information base (SMIB): ITU-T X.700 3.1.63 security policy: ITU-T X.800 3.1.64 security-related event: ITU-T X.736 3.1.65 service management layer (SML): ITU-T M.3010 3.1.66 service management layer

37、operations system function block (S-OSF): ITU-T M.3010 3.1.67 signature: ITU-T X.800 3.1.68 stratum/strata: ITU-T Y.2012 3.1.69 subject: ISO/IEC 15408-1 3.1.70 symmetric authentication method: ITU-T X.811 3.1.71 target: ITU-T X.812 3.1.72 threat: ITU-T X.800 3.1.73 trust: ITU-T X.810 3.1.74 trusted

38、third party: ITU-T X.810 3.2 Terms defined in this Recommendation This Recommendation defines the following terms: 3.2.1 application security administrator: An application security administrator is an individual who has responsibility for the administration of those attributes and capabilities of an

39、 application (sub-) system related to security of the application (e.g., application administrative and user accounts and authorizations). 3.2.2 application system administrator: An application system administrator is an individual who has responsibility for the administration of all non-security-re

40、lated attributes and capabilities of an application (sub-) system (e.g., application features, capabilities, configuration parameters and monitoring of the application). 3.2.3 business management system (BMS): A business management system is a business management layer ITU-T M.3010 operations system

41、. 3.2.4 element management system (EMS): An element management system is an element management layer ITU-T M.3010 operations system. 3.2.5 functional entity (FE): A functional entity is a cluster of functionality (sub-functions) that are viewed as a single entity from the point of view of the end-to

42、-end functional architecture. 3.2.6 functional group (FG): A functional group is a cluster of functional entities grouped (and named) solely for convenience and architectural clarity. 6 Rec. ITU-T M.3410 (08/2008) 3.2.7 managed element operator(s): A managed element operator is an individual who has

43、 responsibility to perform specified tasks/activities on a managed element that are administrative in nature (e.g., backup, patching, surveillance, etc.). 3.2.8 managed element security administrator: A managed element security administrator is an individual who has responsibility for the administra

44、tion of those attributes and capabilities of a managed element related to security of the managed element, regardless of what applications execute on the managed element (e.g., managed element administrative and user accounts and authorizations). 3.2.9 managed element system administrator: A managed

45、 element system administrator is an individual who has responsibility for the administration of all non-security-related attributes and capabilities of a managed element (e.g., managed element features, capabilities, configuration parameters and monitoring of the managed element). 3.2.10 network man

46、agement system (NMS): A network management system is a network management layer ITU-T M.3010 operations system. 3.2.11 role: The description of an individuals sphere of responsibility. NOTE It may be used for enforcing access control in accordance with the principle of least privilege (see: managed

47、element operator(s), managed element system administrator, managed element security administrator, application system administrator, application security administrator above). 3.2.12 security administrator: An authority (a person or group of people) responsible for implementing the security policy f

48、or a security domain. 3.2.13 security event: A security-related event ITU-T X.736. 3.2.14 security management system (SMS): A logical collection of management functionality used to perform “operations, administration, maintenance and provisioning“ (OAM and 2) administrator accounts for MEs. Rec. ITU

49、-T M.3410 (08/2008) 17 FEs within administrator account management FG interact with deployed transport, signalling and control, application service delivery and management MEs, as defined in ITU-T Y.2012, as well as non-NGN MEs. SEC-6: The administrator account management FG should communicate with other SMS