ANSI ATIS 0300276-2008 Operations Administration Maintenance and Provisioning Security Requirements for the Public Telecommunications Network A Baseline of Security Requirements fo.pdf

Uploader: ideacase155  Document ID: 433434  Uploaded: 2018-11-11  Format: PDF  Pages: 58  Size: 346.82KB
AMERICAN NATIONAL STANDARD FOR TELECOMMUNICATIONS
ATIS-0300276.2008

OPERATIONS, ADMINISTRATION, MAINTENANCE, AND PROVISIONING SECURITY REQUIREMENTS FOR THE PUBLIC TELECOMMUNICATIONS NETWORK: A BASELINE OF SECURITY REQUIREMENTS FOR THE MANAGEMENT PLANE

ATIS is the leading technical planning and standards development organization committed to the rapid development of global, market-driven standards for the information, entertainment and communications industry. More than 200 companies actively formulate standards in ATIS Committees, covering issues including: IPTV, Cloud Services, Energy Efficiency, IP-Based and Wireless Technologies, Quality of Service, Billing and Operational Support, Emergency Services, Architectural Platforms and Emerging Networks. In addition, numerous Incubators, Focus and Exploratory Groups address evolving industry priorities including Smart Grid, Machine-to-Machine, Networked Car, IP Downloadable Security, Policy Management and Network Optimization. ATIS is the North American Organizational Partner for the 3rd Generation Partnership Project (3GPP), a member and major U.S. contributor to the International Telecommunication Union (ITU) Radio and Telecommunications Sectors, and a member of the Inter-American Telecommunication Commission (CITEL). ATIS is accredited by the American National Standards Institute (ANSI). For more information, please visit .

AMERICAN NATIONAL STANDARD

Approval of an American National Standard requires review by ANSI that the requirements for due process, consensus, and other criteria for approval have been met by the standards developer. Consensus is established when, in the judgment of the ANSI Board of Standards Review, substantial agreement has been reached by directly and materially affected interests. Substantial agreement means much more than a simple majority, but not necessarily unanimity. Consensus requires that all views and objections be considered, and that a concerted effort be made towards their resolution.

The use of American National Standards is completely voluntary; their existence does not in any respect preclude anyone, whether he has approved the standards or not, from manufacturing, marketing, purchasing, or using products, processes, or procedures not conforming to the standards.

The American National Standards Institute does not develop standards and will in no circumstances give an interpretation of any American National Standard. Moreover, no person shall have the right or authority to issue an interpretation of an American National Standard in the name of the American National Standards Institute. Requests for interpretations should be addressed to the secretariat or sponsor whose name appears on the title page of this standard.

CAUTION NOTICE: This American National Standard may be revised or withdrawn at any time. The procedures of the American National Standards Institute require that action be taken periodically to reaffirm, revise, or withdraw this standard. Purchasers of American National Standards may receive current information on all standards by calling or writing the American National Standards Institute.

Notice of Disclaimer

however, many new security challenges are introduced. Threats in the end-user plane now become threats to the management and control planes. The management plane now becomes accessible to the multitude of end-users, and many types of malicious activities become possible.

The purpose of this standard is to recommend minimum baseline security mechanisms to help mitigate security risks in the management of telecommunications networks. To provide a complete end-to-end solution, all security measures (e.g., access control, authentication) should be applied to each type of network activity (i.e., management plane activity, control plane activity, and end user plane activity) for the network infrastructure, network services, and network applications. This standard focuses specifically on the security aspect of the management plane for network elements (NE) and management systems (MS), which are part of the network infrastructure. As such, the standard addresses only one aspect of an overall end-to-end security solution, but may be used as a starting point for subsequent standards addressing the security of "control" and "end user" planes, as appropriate.

The requirements in this standard are applicable to NEs and MSs to be deployed in the future. For NEs in the network that do not meet all the mandatory security requirements, the overall security requirements at the network architecture design should be supported.

This standard addresses security for NE, MS, and element management system (EMS) equipment, and does not specifically address security for other equipment such as customer premise equipment (e.g., voice over Internet Protocol (IP) telephones) or independent test gear. For such other equipment, all mandatory requirements in this standard should be considered objective recommendations.

This standard has been used by the International Telecommunication Union Telecommunications Sector (ITU-T) as the base to develop the M.3016.x series of Recommendations. ITU-T Recommendations M.3016.1, M.3016.2 and M.3016.3 specify the requirements, services, and mechanisms for the appropriate security of the management functions necessary to support the telecommunications infrastructure. Because different administrations and organizations require varying levels of security support, ITU-T Recs. M.3016.1, M.3016.2 and M.3016.3 do not specify whether a requirement/service/mechanism is mandatory or optional. ITU-T Rec. M.3016.4 defines a profile proforma template to assist administrations and other national/international organizations to specify the mandatory and optional support of the requirements as well as value ranges, values, etc. to help implement their security policies.

This standard requires all implementers to list the security requirements supported in their implementations in terms of the requirements as enumerated by this standard. In addition, this standard suggests that for implementers with international interests, the ITU-T M.3016.x series of Recommendations may also be used to specify the security profiles of their implementations. If an implementer chooses to provide such a dual specification of their security implementation, then a mapping between the requirements as enumerated by this standard and those enumerated by the ITU-T M.3016.x series should also be provided. Note that if this "dual specification" process becomes widely adopted, then this standard may be updated in the future to include the preferred mapping algorithm in order to reduce the possibility of different mapping algorithms being used by different implementers.

1.1 Framework and Model

In the context of this standard, to secure something means to protect it (i.e., computers, networks, data, or other resources) from unauthorized access, use, or activity. Loss of data, denial of service (DoS), theft of service, and loss of customer confidence are only some of the results of security incidents. System and network administrators need to protect systems and their component elements from users and from attackers. Although security is multifaceted (spanning operations, physical, communications, processing, and personnel), of concern here are security problems resulting from weaknesses inherent in commonly employed configurations and technology. A threat consists of, but is not limited to, disclosure, unauthorized use, change, and denial of service. Table 1 lists some security threats.

Table 1 - Threats

Threat Category*: Examples of Threats

Unauthorized Access:
  - Hacking
  - Unauthorized system access to carry out attacks
  - Theft of service
  - Masquerade
  - Session replay
  - Session hijacking
  - Man-in-the-middle attacks

Threats to System Integrity:
  - Unauthorized manipulation of system configuration files
  - Unauthorized manipulation of system data

Threats to Communication Integrity:
  - Unauthorized manipulation of data in transit

Threats to Confidentiality:
  - Eavesdropping
  - Session recording and disclosure
  - Privacy violations

Denial of Service (DoS):
  - Transmission control protocol (TCP) SYN flood
  - Malformed packet attacks
  - Distributed DoS

*Derived from T1.233-1993 (R1999), Operations, Administration, Maintenance, and Provisioning Security Framework for Telecommunications Management Network Interfaces, and International Organization for Standardization (ISO) 7498-2:1989, Information Processing Systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture.(1)

(1) A form for requesting historical ATIS documents can be found at , which should be emailed to .

These security threats may be minimized or mitigated within a network system or NE platform or application by inclusion of security services (as defined in ISO 7498-2:1989, Information Processing Systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture) to enforce the following:
  - Identification and AUTHENTICATION;
  - Authorization and ACCESS CONTROL Level;
  - Data Integrity;
  - Privacy and Confidentiality; and
  - Nonrepudiation.

This standard addresses security for the management plane - that is, security features to ensure that the network can be administered and managed in a secure manner. Some vulnerability may still exist, even after following the recommendations contained in this standard. The following risks are among those with the capability to compromise the management plane:
  - Inappropriate actions by authorized users. These actions can be either malevolent or accidental.
  - Security for the control plane (e.g., signaling, routing, naming, and discovery protocols) and the end-user plane.
  - The effects of vulnerabilities in specific protocols.
  - Malware (e.g., viruses, Trojan horses, worms, or other embedded code). Once malware successfully compromises any NE/MS, the malware may use the secure network communication links to transmit attacks to other NE/MS components. These attacks may continue until network managers detect the attack and take action to eliminate it.

This standard is concerned with the security of management traffic, especially when it traverses networks mixed with end-user traffic. Figure 1 illustrates a reference model that is used to specify network management security solutions. This model is used to examine logical communication paths within the entire network, and quantify which protocols are used for communications on each path. Using this model, threats and vulnerabilities can be examined for each path, and appropriate security mechanisms can be applied.

Multivendor NEs are shown at the bottom of the model in Figure 1. EMSs that provide specific management functions for the particular NE are illustrated above the NE. The network management system (NMS) itself is at the top of the model. The NMS provides overall management to the NE and EMS, and contains specific service and business management applications (e.g., configuration and billing systems). Remote and local operators are also shown in the model, and communication paths are shown with all other system elements.

[Figure 1 - Network management security reference model. Elements shown: Network Management System; Element Management System (two instances); multi-vendor Network Elements; Remote Operator; Local Operator. Communication paths labelled in the figure: 1. NMS to EMS; 2. NMS to NE; 3. EMS to NE; 4. Remote Operator to NMS; 5. Remote Operator to EMS; 6. Remote Operator to NE; 7. Local Operator to NMS; 8. Local Operator to EMS; 9. Local Operator to NE; 10. NE to NE; 11. NE to Foreign NE; 12. EMS to EMS.]

The Security Reference Model (Figure 1) may also be useful in correlating telecommunications management network (TMN)-defined interfaces to the security model. The TMN is defined in International Telecommunication Union Telecommunications Sector (ITU-T) Recommendation M.3010, Principles for a telecommunications management network. It is defined as an architecture for management, including planning, provisioning, installation, maintenance, operations, and administration of telecommunications equipment, networks, and services. In the TMN standard, against which service providers have indicated they will standardize, it is identified that multiple network infrastructures and multiple TMNs may exist. In fact, the management of NEs by their associated MSs in the typical service provider environment may traverse numerous data communications networks (DCN). This management traffic may need to negotiate several access control mechanisms (e.g., firewall devices or router access lists, and/or network connections and interconnections) in order to get to the NE in question. NEs must traverse many of the same networks and interconnections for return traffic. As such, vendors should know and understand the possible latency issues and work towards delivering solutions to address those issues.

1.2 Design Guidelines

Table 2 presents design guideline objectives that attempt to satisfy the requirements in clause 5 to mitigate the threats proposed in Table 1.

Table 2 - Design Guidelines Considered

Guideline: Description

Isolation: Insulation of management traffic from customer traffic.

Effective Security Policies: Requirements and supporting architectures must allow for policies that are definable, flexible, enforceable, auditable, verifiable, reliable, and usable.

Strong AUTHENTICATION, Authorization, and Accounting (AAA): Two-factor and cryptographically secure AAA.

Highest Benefit for a Given Cost: Improve security by implementing security mechanisms that have widely available implementations and widespread deployment, so that use histories allow security mechanisms to be reviewed.

Path for Improvement: Consider next steps for enhancing and improving network management security to further satisfy given requirements with evolving technology and mechanisms, or to satisfy newly defined security requirements.

Technical Feasibility: Requirements shall be satisfied with products, solutions, and/or technologies available today.

Housekeeping: Requirements should be consistent with standard operating procedures of well-run network management operations.

Open Standards: Use ideas and concepts that are already standardized (e.g., IP security (IPsec), digital signatures). All aspects of the open standards should be addressed, including system, protocols, modes, algorithm, option, key size, and encoding.

1.3 Applicability of this standard to the TMN

This standard applies to the entirety of the TMN, covering both circuit-based NEs and packet-based NEs. Circuit-based NEs provide multiple logical interfaces between switches, transmission elements, signaling elements, and other special-purpose elements that are designed and developed to support traditional telephony services. The packet-based NE model has migrated from the centralized system where all functions were hosted on one platform to a more distributed
