
ITU-T X.1036-2007 Framework for creation, storage, distribution and enforcement of policies for network security (Study Group 17) [Chinese title: Framework for the creation, storage, distribution and enforcement of network security policies, Study Group 17].pdf

International Telecommunication Union
ITU-T X.1036 (11/2007)
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
Telecommunication security

Framework for creation, storage, distribution and enforcement of policies for network security

ITU-T Recommendation X.1036

ITU-T X-SERIES RECOMMENDATIONS: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY

PUBLIC DATA NETWORKS
  Services and facilities: X.1–X.19
  Interfaces: X.20–X.49
  Transmission, signalling and switching: X.50–X.89
  Network aspects: X.90–X.149
  Maintenance: X.150–X.179
  Administrative arrangements: X.180–X.199
OPEN SYSTEMS INTERCONNECTION
  Model and notation: X.200–X.209
  Service definitions: X.210–X.219
  Connection-mode protocol specifications: X.220–X.229
  Connectionless-mode protocol specifications: X.230–X.239
  PICS proformas: X.240–X.259
  Protocol Identification: X.260–X.269
  Security Protocols: X.270–X.279
  Layer Managed Objects: X.280–X.289
  Conformance testing: X.290–X.299
INTERWORKING BETWEEN NETWORKS
  General: X.300–X.349
  Satellite data transmission systems: X.350–X.369
  IP-based networks: X.370–X.379
MESSAGE HANDLING SYSTEMS: X.400–X.499
DIRECTORY: X.500–X.599
OSI NETWORKING AND SYSTEM ASPECTS
  Networking: X.600–X.629
  Efficiency: X.630–X.639
  Quality of service: X.640–X.649
  Naming, Addressing and Registration: X.650–X.679
  Abstract Syntax Notation One (ASN.1): X.680–X.699
OSI MANAGEMENT
  Systems Management framework and architecture: X.700–X.709
  Management Communication Service and Protocol: X.710–X.719
  Structure of Management Information: X.720–X.729
  Management functions and ODMA functions: X.730–X.799
SECURITY: X.800–X.849
OSI APPLICATIONS
  Commitment, Concurrency and Recovery: X.850–X.859
  Transaction processing: X.860–X.879
  Remote operations: X.880–X.889
  Generic applications of ASN.1: X.890–X.899
OPEN DISTRIBUTED PROCESSING: X.900–X.999
TELECOMMUNICATION SECURITY: X.1000–

For further details, please refer to the list of ITU-T Recommendations.

ITU-T Rec. X.1036 (11/2007)

ITU-T Recommendation X.1036
Framework for creation, storage, distribution and enforcement of policies for network security

Summary
ITU-T Recommendation X.1036 establishes a set of network security policies that drive the security controls of a system or a service. It also specifies the framework for the creation, storage, distribution and enforcement of policies for network security that can be applied to various network conditions and devices.

Source
ITU-T Recommendation X.1036 was approved on 13 November 2007 by ITU-T Study Group 17 (2005-2008) under the ITU-T Recommendation A.8 procedure.

FOREWORD
The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.
The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.
NOTE: In this Recommendation, the expression "Administration" is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.
Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some other obligatory language such as "must" and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS
ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.
As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http://www.itu.int/ITU-T/ipr/.

© ITU 2008. All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

CONTENTS
1 Scope (1)
2 References (1)
3 Terms and definitions (2)
  3.1 Terms defined elsewhere (2)
  3.2 Terms defined in this Recommendation (2)
4 Abbreviations and acronyms (2)
5 Conventions (3)
6 Network security policy (3)
  6.1 Attack detection policy (4)
  6.2 Access control policy (4)
  6.3 Alert control policy (4)
  6.4 Traffic control policy (4)
  6.5 Routing control policy (4)
7 Network security policy information model (4)
  7.1 Class definitions of NSPIM (4)
  7.2 The class hierarchy of NSPIM (28)
  7.3 Association and aggregation of NSPIM (30)
  7.4 Relation of classes (32)
8 Network security policy framework (33)
  8.1 Creation of policies (34)
  8.2 Storage of policies (35)
  8.3 Distribution of policies (36)
  8.4 Enforcement of policies (37)
  8.5 An example of policy conversion and distribution (38)
Bibliography (41)

1 Scope
Most current security research has been devoted to the development of security systems such as intrusion detection systems (IDS) and firewalls. The systems currently available are, however, not generally interoperable, because each has its own functionality and control mechanism. This is a considerable burden for operators who must control one or more networks containing several security systems, so controlling different security systems effectively, or managing them in a unified manner, has become a pressing issue.
This Recommendation defines the network security policy information model (NSPIM), an extension of the IETF policy core information model (PCIM) and its extension (PCIMe), to represent the policies used in a policy-based network security system. NSPIM is proposed as a solution for effectively controlling various network devices: it delivers a consistent, unified and understandable view of the network without the implementation details, a benefit that grows as the network becomes more complex and offers more services. To model the interaction between network elements, services and clients of the network, a flexible and extensible information model for security policy is required for the design of each component of NSPIM. The management, signalling/control and user planes defined in ITU-T X.805 can be used to determine the controls needed to support a security policy.
The scope of this Recommendation covers the establishment of a set of security policies for protecting the network and the proposal of a network security policy framework that creates, stores, distributes and executes these network security policies. The network security policy information model is also introduced to represent the security policies used for intrusion detection and response in several modules of the network security system.

2 References
The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation.
[ITU-T X.800] ITU-T Recommendation X.800 (1991), Security architecture for Open Systems Interconnection for CCITT applications.
[ITU-T X.805] ITU-T Recommendation X.805 (2003), Security architecture for systems providing end-to-end communications.
[ITU-T X.810] ITU-T Recommendation X.810 (1995) | ISO/IEC 10181-1:1996, Information technology – Open Systems Interconnection – Security frameworks for open systems: Overview.
[ITU-T X.812] ITU-T Recommendation X.812 (1995) | ISO/IEC 10181-3:1996, Information technology – Open Systems Interconnection – Security frameworks for open systems: Access control framework.
[IETF RFC 3060] IETF RFC 3060 (2001), Policy Core Information Model – Version 1 Specification.
[IETF RFC 3460] IETF RFC 3460 (2003), Policy Core Information Model (PCIM) Extensions.

3 Terms and definitions
3.1 Terms defined elsewhere
This Recommendation uses the following terms defined elsewhere:
3.1.1 associations: [IETF RFC 3060]
3.1.2 aggregations: [IETF RFC 3060]
3.2 Terms defined in this Recommendation
This Recommendation defines the following terms:
3.2.1 action: An operation governed by a policy rule. An action is triggered when the condition of its rule evaluates to TRUE.
3.2.2 attack: An attack may be either a known attack or an unknown attack. For a known attack the attack pattern or packet is publicly known. For an unknown attack the pattern or packet is not known, and the term refers to behaviour that worsens the network situation.
3.2.3 condition: An expression of a condition type whose values are used to specify a constraint within a policy rule. A given condition can be negated using the NOT operator.
3.2.4 information model: An abstraction and representation of the entities in a managed environment, together with their properties, attributes and operations and the way they relate to each other. It is independent of any specific repository, application, protocol or platform.
3.2.5 policy: A policy defines one or more rules. Each rule binds one or more actions to sets of conditions describing by whom (users), for what (systems, applications) and under what circumstances (time, day of the week, date) the actions may be triggered.
3.2.6 policy conflict: A situation in which the actions of two rules contradict each other, so that the entity implementing the policy cannot determine which action to perform. To prevent this situation, the implementers of policy systems must provide conflict detection and avoidance or resolution mechanisms.
3.2.7 role: A string characterizing a particular function of a network element or an interface, which can be used to identify particular behaviours associated with the element. It is a selector for policy rules that determines whether a rule applies to a particular network element. Roles abstract the capabilities and/or use of network devices and resources.
3.2.8 rule: A policy component that binds an action to the conditions governing whether or not the action is performed. When controlling network resources, the action is usually intended to provide a service. A simplified expression for a rule is: IF condition, THEN action.

4 Abbreviations and acronyms
This Recommendation uses the following abbreviations and acronyms:
CIM Common Information Model
COPS Common Open Policy Service
DMTF Distributed Management Task Force
ICMP Internet Control Message Protocol
IDS Intrusion Detection System
LDAP Lightweight Directory Access Protocol
NSPIM Network Security Policy Information Model
PBNM Policy-Based Network Management
PCIM Policy Core Information Model
PCIMe PCIM extension
PDU Policy Decision Unit
PEP Policy Enforcement Point
PES Policy Enforcement System
PIB Policy Information Base
PMU Policy Management Unit
PR Policy Repository

5 Conventions
None.

6 Network security policy
The network service and system can be protected by monitoring for known attacks, blocking harmful packets and limiting traffic congestion. Security policies play an important role in enabling intrusion detection and automated responses. Depending on its role, the network security policy is divided into five sub-policies, each of which is expressed as condition/action pairs. These can be generated by administrators or security managers and enforced by the security agents. The condition attributes and actions for each type of policy are shown in Table 1.

Table 1 – Network security policies

Name                      Condition attributes                                                                              Actions
Attack detection policy   Packet header fields, packet payload fields                                                       Alert, Drop
Access control policy     Source IP address, destination IP address, source port, destination port, protocol, direction,   Permit, Deny
                          TCP flags, ICMP type, ICMP code
Alert control policy      Source IP address, destination IP address, source port, destination port, protocol, attack ID    Filtering, Sampling
Traffic control policy    Source IP address, destination IP address, source port, destination port, protocol, direction    Forward, Rate limit
Routing control policy    Destination IP address                                                                            Drop

The attack detection policy can be used to detect and mitigate known attacks. The access control policy, traffic control policy and routing control policy can be used to detect and mitigate unknown attacks.

6.1 Attack detection policy
In detecting known attacks, the attack detection policy can refer to the attack detection rules of intrusion detection systems. The monitoring device compares each packet with the pattern defined in the attack detection rule and, on a match, drops the packet and/or sends an alert to the policy server.

6.2 Access control policy
The access control policy decides whether incoming packets to a firewall or a router are permitted or denied, according to the values of the packet header fields.

6.3 Alert control policy
The alert control policy controls the transmission of alerts from the IDS. This policy allows a policy enforcement system to send a sample of the alerts or to filter them.

6.4 Traffic control policy
The traffic control policy prescribes the control of excessive traffic in a router or a traffic control device. This policy limits network traffic and helps increase network perform
