1、 ETSI TS 1Digital cellular telecoUniversal Mobile TelTelecommSecurity Managem(3GPP TS 32.3TECHNICAL SPECIFICATION132 371 V13.0.0 (2016communications system (Phaelecommunications System (LTE; munication management; ement concept and requireme.371 version 13.0.0 Release 1316-02) hase 2+); (UMTS); ment
2、s 13) ETSI ETSI TS 132 371 V13.0.0 (2016-02)13GPP TS 32.371 version 13.0.0 Release 13Reference RTS/TSGS-0532371vd00 Keywords GSM,LTE,UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Associati
3、on but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print ve
4、rsions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a s
5、pecific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find err
6、ors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm exc
7、ept as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2016. All rights reserved.
8、 DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the
9、GSM Association. ETSI ETSI TS 132 371 V13.0.0 (2016-02)23GPP TS 32.371 version 13.0.0 Release 13Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly availab
10、le for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server
11、(https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become,
12、essential to the present document. Foreword This Technical Specification (TS) has been produced by ETSI 3rd Generation Partnership Project (3GPP). The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or GSM identities. These should be int
13、erpreted as being references to the corresponding ETSI deliverables. The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under http:/webapp.etsi.org/key/queryform.asp. Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need
14、not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. ETSI ETSI TS 132 371 V13.0.0 (2016
15、-02)33GPP TS 32.371 version 13.0.0 Release 13Contents Intellectual Property Rights 2g3Foreword . 2g3Modal verbs terminology 2g3Foreword . 4g3Introduction 4g31 Scope 6g32 References 6g33 Definitions and abbreviations . 7g33.1 Definitions 7g33.2 Abbreviations . 8g34 Security Management background . 9g
16、34.1 Security domains 9g34.2 Security objectives . 10g34.3 Security threats . 10g34.4 Security Mechanisms and services . 11g34.5 TMN perspective regarding security threats. 11g35 Security Management context and architecture . 12g35.1 Context . 12g35.2 Architecture 13g36 Security threats in IRP conte
17、xt . 13g36.1 Security threats to IRPs 13g36.2 Mapping of Security requirements and Threats in IRP Context . 15g37 Security requirement of Itf-N . 16g3Annex A (informative): Protocols for IP Network Security to Support Itf-N . 18g3Annex B (informative): Firewalls for Network Security to Support Itf-N
18、 26g3Annex C (informative): Change history . 27g3History 28g3ETSI ETSI TS 132 371 V13.0.0 (2016-02)43GPP TS 32.371 version 13.0.0 Release 13Foreword This Technical Specification has been produced by the 3rdGeneration Partnership Project (3GPP). The contents of the present document are subject to con
19、tinuing work within the TSG and may change following formal TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an identifying change of release date and an increase in version number as follows: Version x.y.z where: x the first digit: 1 p
20、resented to TSG for information; 2 presented to TSG for approval; 3 or greater indicates TSG approved document under change control. y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, updates, etc. z the third digit is incremented when editorial
21、 only changes have been incorporated in the document. Introduction The present document is part of a TS-family covering the 3rdGeneration Partnership Project; Technical Specification Group Services and System Aspects; Telecommunication management; as identified below: 32.371: “Security Management co
22、ncept and requirements“. 32.372: “Security services for Integration Reference Points (IRP); Information Service (IS)“. 32.376: “Security services for Integration Reference Point (IRP); Solution Set (SS) definitions“. In 3GPP SA5 context, IRPs are introduced to address process interfaces at the Itf-N
23、 interface. The Itf-N interface is built up by a number of Integration Reference Points (IRPs) and a related Name Convention, which realize the functional capabilities over this interface. The basic structure of the IRPs is defined in 3GPP TS 32.101 1 and 3GPP TS 32.102 2. IRP consists of IRPManager
24、 and IRPAgent. Usually there are three types of transaction between IRPManager and IRPAgent, which are operation invocation, notification, and file transfer. However, there are different types of intentional threats against the transaction between IRPManagers and IRPAgents. All the threats are poten
25、tial risks of damage or degradation of telecommunication services, which operators should take measures to reduce or eliminate to secure the telecommunication service, network, and data. By introducing Security Management, the present document describes security requirements to relieve the threats b
26、etween IRPManagers and IRPAgents. As described in 3GPP TS 32.101 1, the architecture of Security Management is divided into two layers: Layer A - Application Layer Layer B - OAM Principles and high level requirements“. 2 3GPP TS 32.102: “Telecommunication management; Architecture“. 3 ITU-T Recommend
27、ation M.3016 (1998): “TMN security overview“. 4 3GPP TS 33.102: “3G Security; Security architecture“. 5 ITU-T Recommendation X.800: “Security architecture for Open Systems Interconnection for CCITT applications“. 6 3GPP TS 32.150: “Telecommunication management; Integration Reference Point (IRP) Conc
28、ept and definitions“. ETSI ETSI TS 132 371 V13.0.0 (2016-02)73GPP TS 32.371 version 13.0.0 Release 133 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the terms and definitions given in ITU-T Recommendation X.800 5, ITU-T Recommendation M.3016 3 and the follow
29、ing apply: access control: prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner, see ITU-T Recommendation X.800 5. accountability: property that ensures that the actions of an entity may be traced uniquely to the entity, see ITU-T Reco
30、mmendation X.800 5. audit: See Security Audit. authentication: See data origin authentication and peer element authentication, see ITU-T Recommendation X.800 5. authorization: granting of rights, which includes the granting of access based on access rights, see ITU-T. Recommendation X.800 5 availabi
31、lity: property of being accessible and useable upon demand by an authorized entity, see ITU-T. Recommendation X.800 5 confidentiality: property that information is not made available or disclosed to unauthorized individuals, entities, or processes, see ITU-T Recommendation X.800 5. credentials: data
32、 that is transferred to establish the claimed identity of an entity, see ITU-T Recommendation X.800 5. cryptography: discipline which embodies principles, means, and methods for the transformation of data in order to hide its information content, prevent its undetected modification and/or prevent it
33、s unauthorized us, see ITU-T Recommendation X.800 5. data integrity: property that data has not been altered or destroyed in an unauthorized manner, see ITU-T Recommendation X.800 5. data origin authentication: corroboration that the source of data received is as claimed, see ITU-T Recommendation X.
34、800 5. denial of service: prevention of authorized access to resources or the delaying of time-critical operations, see ITU-T Recommendation X.800 5. digital signature: data appended to, or a cryptographic transformation (see cryptography) of a data unit that allows a recipient of the data unit to p
35、rove the source and integrity of the data unit and protect against forgery e.g. by the recipient, see ITU-T Recommendation X.800 5. eavesdropping: breach of confidentiality by monitoring communication, see ITU-T Recommendation M.3016 3. forgery: entity fabricates information and claims that such inf
36、ormation was received from another entity or sent to another entity, see ITU-T Recommendation M.3016 3. Integration Reference Point (IRP): See 3GPP TS 32.150 6. IRPAgent: See 3GPP TS 32.150 6. IRPManager: See 3GPP TS 32.150 6. loss or corruption of information: integrity of data transferred is compr
37、omised by unauthorized deletion, insertion, modification, re-ordering, replay or delay, see ITU-T Recommendation M.3016 3. Operations System (OS): indicates a generic management system, independent of its location level within the management hierarchy. masquerade: pretence by an entity to be a diffe
38、rent entity, see ITU-T Recommendation X.800 5. ETSI ETSI TS 132 371 V13.0.0 (2016-02)83GPP TS 32.371 version 13.0.0 Release 13password: confidential authentication information, usually composed of a string of characters, see ITU-T Recommendation X.800 5. Peer Entity Authentication: The corroboration
39、 that a peer entity in an association is the one claimed, see ITU-T Recommendation X.800 5. repudiation: denial by one of the entities involved in a communication of having participated in all or part of the communication, see ITU-T Recommendation X.800 5. security audit: independent review and exam
40、ination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in control, policy and procedures, see ITU-T Recommendation X.800
41、 5. threat: potential violation of security, see ITU-T Recommendation X.800 5. unauthorized access: entity attempts to access data in violation of the security policy in force, see ITU-T Recommendation M.3016 3. 3.2 Abbreviations For the purposes of the present document, the following abbreviations
42、apply: CM Configuration Management CS Communication SurveillanceDCN Data Communication Network EM Element Manager EP Entry Point FT File TransferIRP Integration Reference Point IS Information Service (see 3GPP TS 32.101 1) ITU-T International Telecommunication Union - Telecommunication standardizati
43、on sector NE Network Element NL Notification LogNM Network Manager NRM Network Resource Model OAM The set of security features that secure access to mobile stations; The set of security features that enable applications in the user and in the provider domain to securely exchange messages. The Networ
44、k domain provides the set of security features that enable nodes in the provider domain to securely exchange signalling data, and protect against attacks on the wireline network. This domain covers protection of the network, network elements and all internal (control and signalling) traffic against
45、security threats. The network elements can belong to a single operator (intra-operator) or to different operators (inter-operator). The OAM Installation of security mechanisms; Key management (management part); Establishment of identities, keys, access control information, etc.; Management of securi
46、ty audit trail and security alarms. Using the above partitioned view, the scope of the present document is focused on security requirements of the OAM Data integrity; Accountability; Availability; 4.3 Security threats A security threat is defined by ITU-T Recommendation M.3016 3 as a potential viola
47、tion of security that can be directed at one of the four basic security objectives (see subclause 4.2). ITU-T Recommendation X.800 5 defines the following security threats: Masquerade. Eavesdropping. Unauthorized access. Loss or corruption of information. Repudiation. Forgery. Denial of service. NOT
48、E: In contemporary network security jargon, “denial of service“ is most often used to describe a class of attacks that are intended to subvert the delivery of service. In this context the “denial of service“ threat can be best described as “denial of service delivery“. ETSI ETSI TS 132 371 V13.0.0 (
49、2016-02)113GPP TS 32.371 version 13.0.0 Release 134.4 Security Mechanisms and services ITU-T Recommendation X.800 5 defines a set of security mechanisms that can be used to implement security objectives within a network Security mechanisms are manifested within and/or by security services. The fundamental security services are identified by ITU-T Recommendation X.800 5 as being: Peer entity authentication. Data origin authentication. Access control service.
