1、 ETSI TR 185 008 V2.0.0 (2008-02)Technical Report Telecommunications and Internet converged Services andProtocols for Advanced Networking (TISPAN);Analysis of security mechanisms forcustomer networks connected to TISPAN NGN R2ETSI ETSI TR 185 008 V2.0.0 (2008-02) 2 Reference DTR/TISPAN-05017-NGN-R2
2、Keywords authentication, gateway, network, service, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Imp
3、ortant notice Individual copies of the present document can be downloaded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is t
4、he Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Inf
5、ormation on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No
6、part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2008. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTM, TIPHONTM, the TIPHON logo and the ETSI logo are
7、Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. ETSI ETSI TR 185 008 V2.0.0 (2008-02) 3 Contents Intellectual Property Rights4 Foreword.4 1 Scope 5 2 References 5 2.1 Norm
8、ative references .5 2.2 Informative references5 3 Definitions and abbreviations.6 3.1 Definitions6 3.2 Abbreviations .7 4 CPN Reference Architecture8 5 Main security threats and security recommendations 8 6 Security mechanisms for Customer Premises Network .9 6.1 Authentication and authorization mec
9、hanisms.9 6.1.1 Wireless security mechanisms 10 6.2 Security Management functionality .11 6.3 Firewall 11 6.4 Network Access Control (NAC) 12 6.4.1 Network Endpoint Assessment (NEA) .12 6.5 Antispoofing.12 6.6 VPN capabilities.13 6.6.1 VPN Capability Based on IPsec .13 6.6.1.1 Remote access case .13
10、 6.6.2 Tunnelling using SSL/TLS .14 6.6.3 OpenVPN14 6.6.4 VPN Quarantine14 6.7 Anti-virus .14 6.8 URL/URI filtering and prime user control .15 6.9 Unsolicited communication prevention15 6.10 Intrusion detection system16 6.11 Network Address Translation (NAT).16 7 Recommendations for security mechani
11、sms implementation 16 7.1 Authentication and authorization mechanisms.16 7.1.1 Wireless security mechanisms 16 7.2 Security Management functionality .16 7.3 Firewall 17 7.4 Network Access Control 17 7.4.1 Network Endpoint Assessment.17 7.5 Antispoofing.17 7.6 VPN capabilities.17 7.7 Anti-virus .17 7
12、.8 URL/URI filtering and prime user control .17 7.9 Unsolicited communication prevention17 7.10 Intrusion detection System .17 7.11 Network Address Translation.17 7.12 Summary 18 7.12.1 CNG18 7.12.2 CND18 History 19 ETSI ETSI TR 185 008 V2.0.0 (2008-02) 4 Intellectual Property Rights IPRs essential
13、or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Es
14、sential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/webapp.etsi.org/IPR/home.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETS
15、I. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Report (TR) has been produced by ETSI Technical Committee Telecommu
16、nications and Internet converged Services and Protocols for Advanced Networking (TISPAN). ETSI ETSI TR 185 008 V2.0.0 (2008-02) 5 1 Scope The present document present an analysis of the security mechanisms that could be supported in the customer environment (Customer Network Gateway or Customer Devi
17、ces) with reference to the overall end to end security architecture for the NGN defined by WG7. As examples, these mechanisms can be related to authentication (for connectivity and for services), firewalling and network access/parental control, virus protection, intrusion detection, Anti Spam capabi
18、lities. The activity will be performed in close relationship with WG7. The reactions to threats or the protections against threats described in the present document will involve only the CPN, not the external network. 2 References References are either specific (identified by date of publication and
19、/or edition number or version number) or non-specific. For a specific reference, subsequent revisions do not apply. Non-specific reference may be made only to a complete document or a part thereof and only in the following cases: - if it is accepted that it will be possible to use all future changes
20、 of the referenced document for the purposes of the referring document; - for informative references. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. For online referenced documents, information sufficient
21、to identify and locate the source shall be provided. Preferably, the primary source of the referenced document should be cited, in order to ensure traceability. Furthermore, the reference should, as far as possible, remain valid for the expected life of the document. The reference shall include the
22、method of access to the referenced document and the full network address, with the same punctuation and use of upper case and lower case letters. NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity. 2.1 Normative ref
23、erences None. 2.2 Informative references 1 ETSI TS 187 001: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN SECurity (SEC); Requirements“. 2 ETSI TR 121 905: “Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunica
24、tions System (UMTS); Vocabulary for 3GPP Specifications (Release 7) (3GPP TR 21.905)“. 3 ISO/IEC 7498-2: “Information Processing Systems - Interconnection Reference Model - Part 2: Security Architecture“. 4 draft-ietf-nea-requirements-04.txt, Network Endpoint Assessment (NEA): “Overview and Requirem
25、ents“, August 2007. ETSI ETSI TR 185 008 V2.0.0 (2008-02) 6 5 ETSI TS 133 234: “Universal Mobile Telecommunications System (UMTS); 3G security; Wireless Local Area Network (WLAN) interworking security“. 6 ETSI TS 133 203: “Digital cellular telecommunications system (Phase 2+); Universal Mobile Telec
26、ommunications System (UMTS); 3G security; Access security for IP-based services“. 7 ETSI TS 133 246: “Universal Mobile Telecommunications System (UMTS); 3G Security; Security of Multimedia Broadcast/Multicast Service (MBMS)“. 8 ETSI TS 133 110: “Universal Mobile Telecommunications System (UMTS); Key
27、 establishment between a UICC and a terminal“. 9 ETSI TS 185 005: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Services requirements and capabilities for customer networks connected to TISPAN NGN“. 10 ETSI TS 185 006: “Telecommunications and Int
28、ernet converged Services and Protocols for Advanced Networking (TISPAN); TISPAN Customer Devices architecture and interfaces“. 11 ETSI TR 187 008: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NAT traversal feasibility study report“. 12 IETF RFC
29、1827: “IP Encapsulating Security Payload (ESP)“. 13 IEEE 802.11a: “IEEE Standard for Telecommunications and Information Exchange Between Systems - LAN/MAN Specific Requirements - Part 11: Wireless Medium Access Control (MAC) and physical layer (PHY) specifications: High Speed Physical Layer in the 5
30、 GHz band“. 14 IEEE 802.11b: “IEEE Standard for Information Technology - Telecommunications and information exchange between systems - Local and Metropolitan networks - Specific requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications: Higher Speed Physi
31、cal Layer (PHY) Extension in the 2.4 GHz band“. 15 IEEE 802.11i: “IEEE Standard for information technology-Telecommunications and information exchange between systems-Local and metropolitan area networks- Specific requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY
32、) specifications: Amendment 6: Medium Access Control (MAC) Security Enhancements“. 16 IEEE 802.11g: “IEEE Standard for Information Technology - Telecommunications and Information Exchange Between Systems - Local and Metropolitan Area Networks Specific Requirements - Part 11: Wireless LAN Medium Acce
33、ss Control (MAC) and Physical Layer (PHY) Specifications: Further Higher Data Rate Extension in the 2.4 GHz Band“. 17 ETSI TR 187 009: “Telecommunications and Internet Converged Services and Protocols for Advanced Networking (TISPAN); NGN Security; Feasibility study of prevention of unsolicited comm
34、unication in the NGN“. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the following terms and definitions apply: authentication: property by which the correct identity of an entity or party is established with a required assurance.The party being authentica
35、ted could be a user, subscriber, home environment or serving network (see TR 121 905 2) authorization: granting of permission based on authenticated identification (see ISO/IEC 7498-2 3) NOTE: In some contexts, authorization may be granted without requiring authentication or identification e.g. emer
36、gency call services. ETSI ETSI TR 185 008 V2.0.0 (2008-02) 7 3.2 Abbreviations For the purposes of the present document, the following abbreviations apply: AES Advanced Encryption Standard AV Anti-Virus CND Customer Network Device CNG Customer Network Gateway CPN Customer Premises Network EAP Extens
37、ible Authentication Protocol FMCA Fixed-Mobile Convergence Alliance IDS Intrusion Detection System IMS IP Multimedia subsystem IPSEC Internet Protocol SECurity IPv4 Internet Protocol version 4 IPv6 Internet Protocol version 6 MMS Multimedia Messaging Service MPLS Multiple Protocol Label Switching NA
38、C Network Access Control NAT Network Address Translation NEA Network Endpoint AssessmentP-CSCF Proxy-Call Session Control Function PDA Personal digital assistant RTP Real-time Transport Protocol SMS Short Message Service SSL Secure socket Layer TCP Transmission Control Protocol TLS Transport Layer S
39、ecurity UC Unsolicited CommunicationUE User Equipment UICC Universal Integrated Circuit Card URI Uniform Resource Identifier URL Uniform Resource Locator UTM Unified Threat Management VPN Virtual Private Network WFA Wi-Fi Alliance Wi-Fi Wireless Fidelity WPA2 Wi-Fi Protected Access 2 ETSI ETSI TR 18
40、5 008 V2.0.0 (2008-02) 8 4 CPN Reference Architecture A typical example of architecture could be the following one, where several types of devices are connected to the CNG. Of course, there could be several of each type. Network TV Set top box PC CNG PDA Phone Figure 1: Example of CNP architecture 5
41、 Main security threats and security recommendations Considering the CPN, security problems can have two origins. They can be originated from inside the CPN, or from outside the CPN. The external origin itself can be sub-divided into two parts, the legitimate network to which the CPN is connected, or
42、 a non legitimate network to which the CPN can be accidentally connected (e.g. WLAN). Threats on security can be categorized with the following: System/device integrity: case of the virus attack, malware. Unsolicited information: it can be either spam problems (can lead to device integrity problem i
43、n case of virus transmission) or display of text, pictures, video, not initially requested by the customer. Unauthorized access: this could either be an external third party accessing the CPN (and using it to access services through the CNG), or someone authorized to access an use the CPN but access
44、ing unauthorized data in the network (e.g. children accessing adult content). Confidentiality: private data can be protected from interception during communication, or from being stolen (due to spyware or unauthorized access). Service availability: contains all the actions that would lead to a DoS.
45、Masquerade: this term covers all the possibilities for a spoofing attack as already known on the Internet. This is mainly man-in-the-middle attack and internet protocol spoofing, URL spoofing and phishing, referer spoofing, poisoning of file-sharing networks, caller ID spoofing, e-mail address spoof
46、ing, login spoofing. The starting point for security recommendations is the following already existing security requirements found in TS 185 005 9: The CNG shall support mechanisms to authenticate itself to the NGN for connectivity purposes. The CNG shall support mechanisms to authenticate itself to
47、 the NGN for service usage purposes. ETSI ETSI TR 185 008 V2.0.0 (2008-02) 9 The CNG shall support mechanisms to authenticate CNDs to the NGN for service usage purposes if they are not able to fully support the related procedures in an autonomous way. The CNG shall support mechanisms for authenticat
48、ion of wireless CNDs for local connectivity. Similar mechanisms may be also implemented for non-wireless devices. The CNG and CPN shall support mechanisms that prevent access to the network by unauthorized users. The capacity of the authorized entities should depend on the security policies defined
49、by the service providers, managing the CNG. The CNG and the CPN shall implement mechanisms to limit the visibility of the WAN side network and resources to authorized entities. The diagnostic operations on the CPN by an operator shall be performed in accordance with rules protecting the users privacy. CPN environment shall be protected with a stateful firewall function, which may be implemented in the CNG. The CNG and the CPN shall be able to support parental control related functionalities limiting t
