1、 ETSI TR 103 421 V1.1.1 (2017-04) CYBER; Network Gateway Cyber Defence TECHNICAL REPORT ETSI ETSI TR 103 421 V1.1.1 (2017-04) 2 Reference DTR/CYBER-0015 Keywords cyber security, information assurance, privacy ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00
2、 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic
3、versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document
4、 is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is
5、available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or
6、 by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all
7、media. European Telecommunications Standards Institute 2017. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizat
8、ional Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TR 103 421 V1.1.1 (2017-04) 3 Contents Intellectual Property Rights 5g3Foreword . 5g3Modal verbs terminology 5g3Executive summary 5g3Introduction 6g31 Scope 7g32 References 7g32.1 Normative re
9、ferences . 7g32.2 Informative references 7g33 Definitions and abbreviations . 9g33.1 Definitions 9g33.2 Abbreviations . 9g34 Network gateway cyber defence ecosystem: activities and use cases 11g34.1 Introduction - the gateway as a protection element 11g34.2 Network gateway cyber defence related stan
10、dards activities . 12g34.3 Network gateway cyber defence business and compliance obligation use cases . 12g34.3.1 Cyber security use cases . 12g34.3.2 Network management use cases . 13g34.3.3 Device and application management - discovery and health attestation use cases . 13g34.3.4 Industry specific
11、ations and agreement use cases 14g34.3.5 Lawful interception and retained data use cases . 14g34.3.6 Intellectual property protection use cases . 14g34.3.7 End user privacy and protection of minors . 14g34.3.8 Resilience and security of communication infrastructure, networks and services 15g35 Netwo
12、rk gateway cyber defence technical requirements . 15g35.1 Introduction 15g35.2 Secure and controlled exposure of traffic observables . 15g35.3 Sufficient observable information for acquisition and analysis for defence measures . 16g35.4 Ability to institute defence measures as part of gateway manage
13、ment 17g36 New challenges and mechanisms for gateway cyber defence 17g36.1 Introduction 17g36.2 Challenges 17g36.2.1 Virtualization implementations . 17g36.2.2 5G mobile systems 18g36.2.3 Autonomous Internet of Things (IoT) deployments . 18g36.2.4 Over The Top (OTT) services. 19g36.2.5 Widespread us
14、e of TLS as part of “Encrypt Everything“ initiatives . 19g36.3 New and modified middlebox security protocol techniques 20g36.3.1 Introduction. 20g36.3.2 Multi-Context Transport Layer Security (mcTLS) . 20g36.3.3 Other new protocol and structured expression platforms for middlebox security 22g37 Reco
15、mmendations 25g37.1 Introduction 25g37.2 Control at the gateway 25g37.3 Observable availability at the gateway . 26g37.4 Adoption of a common Middlebox Security Protocol, profiles and guidelines 27g37.5 Specification of a new out-of-band secure channel between endpoint and gateway, and protocols for
16、 a set of observables . 27g37.6 Encouraging use of gateway cyber defence capabilities 28g3ETSI ETSI TR 103 421 V1.1.1 (2017-04) 4 Annex A: Bibliography 29g3History 30g3ETSI ETSI TR 103 421 V1.1.1 (2017-04) 5 Intellectual Property Rights Essential patents IPRs essential or potentially essential to th
17、e present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI
18、 in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the exist
19、ence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Trademarks The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners. ETSI cla
20、ims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does not constitute an endorsement by ETSI of products, services or organizations a
21、ssociated with those trademarks. Foreword This Technical Report (TR) has been produced by ETSI Technical Committee Cyber Security (CYBER). Modal verbs terminology In the present document “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as descri
22、bed in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. Executive summary The present document provides an overview and recommendations concerning cyber defence capab
23、ilities at network gateways. The capabilities are implemented using what are usually referred to as “middleboxes“ that may be integrated into traffic routers that typically exist at boundaries between networks. Network gateways are critically important points for implementing cyber defence in conjun
24、ction with other essential functions. The present document notes that network gateway cyber defence related standards activities have increased significantly because of an array of use cases combined with the rapidly increasing encryption of traffic occurring between end points where network applica
25、tion servers are interacting directly with software clients on end user devices. The use cases consist of an array of business and compliance obligations. The present document then continues to derive a set of related cyber defence technical requirements that include: 1) secure and controlled exposu
26、re of traffic observables; 2) sufficient observable information for acquisition and analysis for defence measures; and 3) the ability to institute defence measures as part of gateway management. The present document then examines the emerging new challenges and mechanisms for gateway cyber defence.
27、The challenges include virtualization implementations, 5G mobile systems, Internet of Things deployments, Over The Top services, and “encrypt everything“ initiatives. On the positive side, the considerable industry and academic research and development efforts have produced a combination of existing
28、 protocol adaptations and effective new protocols and platforms that have considerable promise - especially one known as mcTLS. ETSI ETSI TR 103 421 V1.1.1 (2017-04) 6 The present document concludes with several recommendations that include a consensus view on what information and secure access capa
29、bilities are required to support gateway cyber defence, what steps the ETSI Cybersecurity Technical Committee should take for a new Technical Specification to support the requirements, and how collaboration with external bodies might encourage use of gateway cyber defence capabilities. Introduction
30、A network gateway is a device that enables or facilitates the interconnecting of networks or applications via those networks. They have existed since the origins of electronic communication. With the emergence of packet data networks, they have assumed many different roles, including cyber defence.
31、Those additional roles are commonly denominated as “middlebox“ functions i.3. An especially common network gateway used for cyber defence purposes is referred to as a firewall - defined by 3GPP as a functional entity which blocks or permits the flow of various traffic types based on a set of policy
32、rules and definitions. All signalling to internal network resources can be directed via a network gateway dedicated to that purpose. Network gateways serve many critical needs that include management of network traffic and meeting service level agreement or regulatory requirements. One of those crit
33、ical needs is that of cyber defence - which can be met through the detection and prevention of threats at the external border point of all kinds of networks ranging from a national infrastructure to an organization or home network. Deep Packet Inspection capabilities are widely deployed to facilitat
34、e these capabilities. However, the appearance of ever more sophisticated threats and adaptive malware is proving challenging to detection and blocking efforts. A significant cyber security challenge emerging today is the combination of Over the Top services combined with “encrypt everything“ initiat
35、ives that generated potentially huge amounts of traffic between some arbitrary service portal somewhere in the world, and an end users terminal - even an application on a device. Some Internet of Things implementations also fall into this category. While these steps meet significant needs today, the
36、se practices may have adverse effects such as impeding detection of malware and other cyber security threats, as well as managing network traffic and meeting a broad array of business, organizational, and regulatory requirements. A balanced approach is needed that provides support to all the require
37、ments that exist today. The emergence of NFV-SDN implementations is engendering considerable new efforts to virtualize network gateway capabilities. These efforts include the use of on-demand Big Data Analysis to more rapidly detect and mitigate threats. Many different industry forums today are exam
38、ining network gateway requirements and solutions available - largely as insular work items and projects. The present document assembles an understanding of the related ecosystem, models, protocols, and implementation mechanisms for gateway-based cyber defence. ETSI ETSI TR 103 421 V1.1.1 (2017-04) 7
39、 1 Scope The present document provides an overview and recommendations concerning cyber defence capabilities at network gateways. It analyses the network gateway cyber defence ecosystem, technical requirements, new challenges and techniques and then draws recommendations for new standardization work
40、 in that area. 2 References 2.1 Normative references Normative references are not applicable in the present document. 2.2 Informative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only t
41、he cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity. The following referenced d
42、ocuments are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 SIGCOMM 15, Naylor et al., Multi-Context TLS (mcTLS): “Enabling Secure In-Network Functionality in TLS“, August 17 - 21, 2015, London, United Kingdom. NOTE: A
43、vailable at http:/conferences.sigcomm.org/sigcomm/2015/pdf/papers/p199.pdf. i.2 ETSI TR 103 456: “CYBER; Implementation of the Network and Information Security (NIS) Directive“. i.3 IETF RFC 3224: “Middleboxes: Taxonomy and Issues“, February 2002. i.4 IETF draft-mm-wg-effect-encrypt-04: “Effect of U
44、biquitous Encryption“, October 2016. i.5 OASIS CybOX Version 2.1.1. Part 01: “Overview“. NOTE: Available at http:/docs.oasis-open.org/cti/cybox/v2.1.1/cybox-v2.1.1-part01-overview.pdf. See also, CybOX Project/specifications, https:/ i.6 NIST SP 800-117: “Guide to Adopting and Using the Security Cont
45、ent Automation Protocol (SCAP)“. i.7 SP 800-126 Revision 2: “The Technical Specification for the Security Content Automation Protocol (SCAP)“. i.8 Recommendation ITU.T X.1500: “Overview of cybersecurity information exchange“. NOTE: See http:/www.itu.int/itu-t/recommendations/rec.aspx?rec=11060. i.9
46、IETF RFC 7632: “Endpoint Security Posture Assessment: Enterprise Use Cases“. i.10 IETF draft-ietf-sacm-requirements-15: “Security Automation and Continuous Monitoring (SACM) Requirements“. NOTE: Available at https:/datatracker.ietf.org/doc/draft-ietf-sacm-requirements/. i.11 ETSI TS 101 331 (V1.4.1)
47、: “Lawful Interception (LI); Requirements of Law Enforcement Agencies“. ETSI ETSI TR 103 421 V1.1.1 (2017-04) 8 i.12 ETSI TS 133 106 (V13.4.0): “Universal Mobile Telecommunications System (UMTS); LTE; 3G security; Lawful interception requirements (3GPP TS 33.106 version 13.4.0 Release 13)“. i.13 ETS
48、I TS 102 656 (V1.2.2): “Lawful Interception (LI); Retained Data; Requirements of Law Enforcement Agencies for handling Retained Data“. i.14 Recommendation ITU-T X.1038: “Security Requirements and reference architecture for Software-Defined Networking“ (10/2016). NOTE: Available at http:/www.itu.int/
49、itu-t/recommendations/rec.aspx?rec=13058. i.15 5G PPP Architecture Working Group, View on 5G Architecture, Version 1.0, July 2016. NOTE: Available at https:/5g-ppp.eu/wp-content/uploads/2014/02/5G-PPP-5G-Architecture-WP-July-2016.pdf. i.16 European Commission, Copyright and Neighbouring Rights. NOTE: Available at , http:/ec.europa.eu/internal_market/copyright/documents/index_en.htm. i.17 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the pro
