ITU-T STIT-2012 Security in Telecommunications and Information Technology (Study Group 17)《信息技术和通讯安全(研究组17)》.pdf

1、Printed in SwitzerlandGeneva, 2012ISBN 978-92-61-14001-4Telecommunication Standardization Sector of ITUInternational Telecommunication UnionSecurity in Telecommunications and Information TechnologyAn overview of issues and the deployment of existing ITU-T Recommendations for secure telecommunication

2、sITU-TITU-T2012*37139*Security in telecommunications and information technology An overview of issues and the deployment of existing ITU-T Recommendations for secure telecommunications January 2012 ITU 2012 All rights reserved. No part of this publication may be reproduced, by any means whatsoever,

3、without the prior written permission of ITU. SECURITY IN TELECOMMUNICATIONS AND INFORMATION TECHNOLOGY Prefix i Foreword Malcolm Johnson Director ITU Telecommunication Standardization Bureau Until relatively recently, information and communication technology (ICT) security was mainly of concern to a

4、pplication areas such as banking, aerospace and defence. However, with the rapid and widespread growth in the use of data communications and, particularly the Internet, security is now a universal concern. The increased profile of ICT security may be attributed in part to widely-reported incidents s

5、uch as viruses, hackers and threats to personal privacy, but the reality is that, as computing and networking are now such an important part of daily life, the need for effective security measures to protect the ICT systems of governments, industry, commerce, critical infrastructures and individual

6、users is now imperative. Also, many countries now have data protection laws that require adherence to recognized standards of protection. To be truly effective, security must be considered at all stages of the system lifecycle, from inception and design through implementation, deployment and finally

7、, decommissioning. Failure to give adequate consideration to security at any of these stages can result in systems or data being compromised. Standards bodies have a vital role to play by promoting awareness of ICT security issues, by ensuring that security considerations are a fundamental part of s

8、pecifications, and by providing technical standards and guidance to help implementers and users to ensure communication systems and services are sufficiently robust to withstand cyber-attacks. ITU-T has long been active in ICT security work but the workload has recently grown quite dramatically in r

9、esponse to new and evolving threats and the demands of our members for standards to help counter these threats. This manual highlights some of the key elements of that work and provides an introduction to the extensive resources available from the ITU-T to help users address the ICT security challen

10、ges we face. Standardization is a key building block in constructing a global culture of cybersecurity. We can and will win the war against cyber-threats by building on the work of the thousands of dedicated individuals from public administrations, the private sector and academia, who come together,

11、 in organizations like the ITU, to develop security standards and guidelines for best practice. The work is not glamorous, or high profile, but it is nonetheless essential to safeguard our digital future. I would like to express my appreciation to the engineers of the ITU Telecommunication Standardi

12、zation Bureau who, in conjunction with experts from the ITU membership, have worked, and continue to work, so tirelessly to develop these standards and guidelines. I hope that you will find this manual helpful in gaining a better understanding of ICT security issues and the work of the ITU-T and I w

13、elcome feedback from readers for future editions. Malcolm Johnson Director Telecommunication Standardization Bureau, ITU SECURITY IN TELECOMMUNICATIONS AND INFORMATION TECHNOLOGY ii Acknowledgements Acknowledgements This manual was prepared with the contribution of numerous authors who either contri

14、buted to the generation of the relevant ITU-T Recommendations or participated in the ITU-T Study Group meetings, workshops and seminars. Credit should be given to the Rapporteurs, editors, and security coordinators of the ITU Study Groups, to Martin Euchner, SG 17 Advisor and Georges Sebek, the form

15、er SG 17 counsellor, and in particular to Herb Bertine, the former Chairman of the lead Study Group in ITU-T for work on telecommunications security and Mike Harrop, the former Rapporteur for the security project and chief editor of this manual. SECURITY IN TELECOMMUNICATIONS AND INFORMATION TECHNOL

16、OGY Executive Summary iii Executive Summary This manual provides a broad introduction to the ICT security work of the ITU-T and, more specifically, it summarizes how the ITU-T is responding to global cybersecurity challenges with Recommendations, guidance documents and outreach initiatives. It is pr

17、imarily directed towards those who have responsibility for, or an interest in, information and communications security and the related standards, as well as those who simply need to gain a better understanding of ICT security issues. The manual can be used in various ways according to the organizati

18、on, role and needs of the user. The introductory chapters provide an overview of the current key areas of the ITU-T security work together with a discussion of the basic requirements for the protection of ICT applications, services and information. The threats and vulnerabilities that drive security

19、 requirements are highlighted and the role of standards in meeting the requirements is examined. Some of the features that are needed to protect the various entities involved in providing, supporting and using information and communications technology and services are discussed. In addition, the imp

20、ortance of ICT security standards is explained and examples are given of how the ITU-T security work is evolving to meet security requirements. The generic security architectures for open systems and end-to-end communications are then introduced together with some examples of application-specific ar

21、chitectures. These architectures each establish a framework within which the multiple facets of security can be applied in a consistent manner. They also standardize the underlying concepts of security services and mechanisms and contribute to a standardized vocabulary for ICT security terms and bas

22、ic concepts. The general principles introduced in these architectures form the basis for many of the other standards on security services, mechanisms and protocols, some of which are discussed later in the text. Security management embraces many activities associated with controlling and protecting

23、access to system and network resources, event monitoring and reporting, policy and auditing, as well as managing the information related to these functions and activities. The topics of information security management, risk management and asset management are the focus of one section. Management act

24、ivities associated with securing the network infrastructure are discussed later in the text in a section that covers the need to secure the data used to monitor and control the telecommunications network as well as topics related to network management and common security management services. The Dir

25、ectory, and its role in supporting authentication and other security services, is explained along with some of the key areas that depend on Directory services. These include identity management, public-key infrastructures, telebiometrics (i.e. personal identification and authentication using biometr

26、ic devices in telecommunication environments) and privacy. The importance of protecting the Directory information base is also discussed. Some specific examples and approaches to network security are reviewed. These include the security requirements for Next Generation Networks and mobile communicat

27、ions networks which are in transition from a single technology (such as CDMA or GSM) to mobility across heterogeneous platforms using the Internet protocol. Also included in this section is an examination of security provisions for home networks, cable television and ubiquitous sensor networks. A ne

28、w section on cybersecurity and incident response has been added to this edition of the manual. Effective response to cyber-attacks is dependent on understanding the source and nature of the attack and on sharing information with monitoring agencies. This section discusses the development of a framew

29、ork for sharing cybersecurity-related information and requirements for detecting, protecting against, mitigating the effects of, and recovering from cyber-attacks. SECURITY IN TELECOMMUNICATIONS AND INFORMATION TECHNOLOGY iv Executive Summary The security needs of a number of application areas are e

30、xamined with particular emphasis on the security features that are defined in ITU-T Recommendations. Topics discussed include voice over internet protocol (VOIP), internet protocol television (IPTV) and web services. Also included in this section is the topic of identification tags (including RFID t

31、ags) which are widely deployed but which are also the subject of growing concern over the risk of privacy infringement. Technical measures for countering common network threats such as spam, malicious code and spyware are presented and a discussion is included on the importance of timely notificatio

32、n and dissemination of software updates and the need for organization and consistency in handling security incidents. In conclusion, there is a short section on possible future directions of ICT security standardization work. A review of sources of additional information is included at the end of th

33、e text along with Annexes on definitions and acronyms used in the manual, a summary of security-related Study Groups and a complete listing of Recommendations referenced in this manual. In the electronic version of the text, links are included throughout the text to some of the key ITU-T security re

34、sources and outreach information. SECURITY IN TELECOMMUNICATIONS AND INFORMATION TECHNOLOGY Introduction v Introduction to the 5th edition Since the first edition of the manual was published in 2003, the ITU-T has embarked on many new areas of work and great many new Recommendations have been comple

35、ted and published. In addition, the Study Groups themselves were restructured following the World Telecommunication Standardization Assembly (WTSA) 2008. Since publication of the 4thedition of the manual, the work has continued to expand and the number of security-related Recommendations has grown i

36、n response to continued demand for standardized solutions to counter evolving threats to ICT security. Once again, the editors have faced the challenge of presenting a representative cross-section of the work in a limited amount of space. For the 4thedition of this manual, the structure and contents

37、 were revised significantly and guiding principles were established for the text. These guiding principles have also been followed for this edition and the structure and format developed for the 4th edition are largely unchanged. The guiding principles, which were developed after consultation with I

38、TU-T members are as follows: The publication should appeal to a wide audience and should try to avoid complex terminology and terms that are likely to be understood only within specialized domains; The text should complement, not duplicate, existing material available in other forms (e.g. Recommenda

39、tions); The text should be developed to accommodate publication both as a stand-alone, printed document and as an electronic document; The text should employ web links to Recommendations and other sources of publicly-available material as much as possible. Detailed information, over and above that n

40、eeded to fulfil the basic objectives should be referenced by web links; and To the greatest extent possible, the text should focus on work that has been completed and published, rather than work that is planned or in progress. In keeping with these objectives, the manual does not attempt to cover al

41、l the ITU-T security work that has either been completed or is underway. Instead, it focuses on key selected topics and accomplishments and provides web links to additional information. The manual is published in hard copy and in electronic format. For readers using an electronic version of the text

42、, direct hyperlinks are provided to the listed Recommendations and to other on-line documentation. For readers using a hard copy of the text, all referenced Recommendations are listed in Annex D. These can be accessed on line at: www.itu.int/rec/T-REC/en. Note: This manual is purely illustrative. It

43、 has no normative character and does not supersede the ITU-T Recommendations referenced herein. SECURITY IN TELECOMMUNICATIONS AND INFORMATION TECHNOLOGY Contents vii Table of Contents Page Foreword . i Acknowledgements ii Executive Summary iii Introduction to the 5th edition v 1 How to use this Sec

44、urity Manual . 3 2 Overview of ITU-T security activities . 7 2.1 Reference and outreach documentation . 7 2.2 Overview of major security topics and Recommendations 7 3 Security requirements . 13 3.1 Threats, risks and vulnerabilities . 13 3.2 General security objectives for ICT networks . 15 3.3 Rat

45、ionale for security standards . 15 3.4 Evolution of ITU-T security standards 15 3.5 Personnel and physical security requirements . 17 4 Security architectures . 21 4.1 The open systems security architecture and related standards . 21 4.2 Security services 22 4.3 Security architecture for systems pro

46、viding end-to-end communications . 23 4.4 Implementation guidance . 25 4.5 Some application-specific architectures . 25 4.6 Architecture for external relationships . 28 4.7 Other network security architectures and models 29 5 Aspects of security management 33 5.1 Information security management . 33

47、 5.2 Information security management framework . 34 5.3 Risk management 35 5.5 Asset management . 36 6 Authentication and the role of the Directory 41 6.1 Protection of Directory information 41 6.2 Strong authentication: public-key security mechanisms . 43 6.3 Authentication guidelines 48 6.4 Identi

48、ty management . 50 6.5 Telebiometrics . 51 SECURITY IN TELECOMMUNICATIONS AND INFORMATION TECHNOLOGY vii Contents Page 7 Securing the network infrastructure . 57 7.1 The telecommunications management network (TMN) 57 7.2 Network management architecture 57 7.3 Securing the infrastructure elements of

49、a network 58 7.4 Securing monitoring and control activities 59 7.5 Securing network operation activities and management applications . 60 7.6 Common security management services . 61 8 Some specific approaches to network security 67 8.1 Next Generation Network (NGN) security 67 8.2 Mobile communications security . 68 8.3 Security for home networks . 73 8.4 IPCablecom . 76 8.5 IPCablecom2 . 78 8.6 Ubiquitous sensor networks . 80 9. Cybersecurity and incident response 87 9.1 Cybersecurity information sharing and exchange . 87 9.2 Incident handling . 90 10 Applicati