1、 ETSI TS 132 371 V14.0.0 (2017-04) Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; Telecommunication management; Security Management concept and requirements (3GPP TS 32.371 version 14.0.0 Release 14) TECHNICAL SPECIFICATION ETSI E
2、TSI TS 132 371 V14.0.0 (2017-04)13GPP TS 32.371 version 14.0.0 Release 14Reference RTS/TSGS-0532371ve00 Keywords GSM,LTE,UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non l
3、ucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of th
4、e present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific netw
5、ork drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find error
6、s in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm excep
7、t as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2017. All rights reserved. D
8、ECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. oneM2M logo is protected for the benefit of its Members GSM and the
9、 GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TS 132 371 V14.0.0 (2017-04)23GPP TS 32.371 version 14.0.0 Release 14Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertainin
10、g to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat
11、. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the
12、ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Specification (TS) has been produced by ETSI 3rd Generation Partnership Project (3GPP). The present document may refer to technical specifications or reports using their 3GPP identities,
13、UMTS identities or GSM identities. These should be interpreted as being references to the corresponding ETSI deliverables. The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under http:/webapp.etsi.org/key/queryform.asp. Modal verbs terminology In the present document “shal
14、l“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used
15、in direct citation. ETSI ETSI TS 132 371 V14.0.0 (2017-04)33GPP TS 32.371 version 14.0.0 Release 14Contents Intellectual Property Rights 2g3Foreword . 2g3Modal verbs terminology 2g3Foreword . 4g3Introduction 4g31 Scope 6g32 References 6g33 Definitions and abbreviations . 7g33.1 Definitions 7g33.2 Ab
16、breviations . 8g34 Security Management background . 9g34.1 Security domains 9g34.2 Security objectives . 10g34.3 Security threats . 10g34.4 Security Mechanisms and services . 10g34.5 TMN perspective regarding security threats. 11g35 Security Management context and architecture . 12g35.1 Context . 12
17、g35.2 Architecture 13g36 Security threats in IRP context . 13g36.1 Security threats to IRPs 13g36.2 Mapping of Security requirements and Threats in IRP Context . 15g37 Security requirement of Itf-N . 16g3Annex A (informative): Protocols for IP Network Security to Support Itf-N . 18g3Annex B (informa
18、tive): Firewalls for Network Security to Support Itf-N 27g3Annex C (informative): Change history . 28g3History 29g3ETSI ETSI TS 132 371 V14.0.0 (2017-04)43GPP TS 32.371 version 14.0.0 Release 14Foreword This Technical Specification has been produced by the 3rdGeneration Partnership Project (3GPP). T
19、he contents of the present document are subject to continuing work within the TSG and may change following formal TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an identifying change of release date and an increase in version number a
20、s follows: Version x.y.z where: x the first digit: 1 presented to TSG for information; 2 presented to TSG for approval; 3 or greater indicates TSG approved document under change control. y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, updates
21、, etc. z the third digit is incremented when editorial only changes have been incorporated in the document. Introduction The present document is part of a TS-family covering the 3rdGeneration Partnership Project; Technical Specification Group Services and System Aspects; Telecommunication management
22、; as identified below: 32.371: “Security Management concept and requirements“. 32.372: “Security services for Integration Reference Points (IRP); Information Service (IS)“. 32.376: “Security services for Integration Reference Point (IRP); Solution Set (SS) definitions“. In 3GPP SA5 context, IRPs are
23、 introduced to address process interfaces at the Itf-N interface. The Itf-N interface is built up by a number of Integration Reference Points (IRPs) and a related Name Convention, which realize the functional capabilities over this interface. The basic structure of the IRPs is defined in 3GPP TS 32.
24、101 1 and 3GPP TS 32.102 2. IRP consists of IRPManager and IRPAgent. Usually there are three types of transaction between IRPManager and IRPAgent, which are operation invocation, notification, and file transfer. However, there are different types of intentional threats against the transaction betwee
25、n IRPManagers and IRPAgents. All the threats are potential risks of damage or degradation of telecommunication services, which operators should take measures to reduce or eliminate to secure the telecommunication service, network, and data. By introducing Security Management, the present document de
26、scribes security requirements to relieve the threats between IRPManagers and IRPAgents. As described in 3GPP TS 32.101 1, the architecture of Security Management is divided into two layers: Layer A - Application Layer Layer B - OAM Principles and high level requirements“. 2 3GPP TS 32.102: “Telecomm
27、unication management; Architecture“. 3 ITU-T Recommendation M.3016 (1998): “TMN security overview“. 4 3GPP TS 33.102: “3G Security; Security architecture“. 5 ITU-T Recommendation X.800: “Security architecture for Open Systems Interconnection for CCITT applications“. 6 3GPP TS 32.150: “Telecommunicat
28、ion management; Integration Reference Point (IRP) Concept and definitions“. ETSI ETSI TS 132 371 V14.0.0 (2017-04)73GPP TS 32.371 version 14.0.0 Release 143 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the terms and definitions given in ITU-T Recommendation
29、 X.800 5, ITU-T Recommendation M.3016 3 and the following apply: access control: prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner, see ITU-T Recommendation X.800 5. accountability: property that ensures that the actions of an entit
30、y may be traced uniquely to the entity, see ITU-T Recommendation X.800 5. audit: See Security Audit. authentication: See data origin authentication and peer element authentication, see ITU-T Recommendation X.800 5. authorization: granting of rights, which includes the granting of access based on acc
31、ess rights, see ITU-T. Recommendation X.800 5 availability: property of being accessible and useable upon demand by an authorized entity, see ITU-T. Recommendation X.800 5 confidentiality: property that information is not made available or disclosed to unauthorized individuals, entities, or processe
32、s, see ITU-T Recommendation X.800 5. credentials: data that is transferred to establish the claimed identity of an entity, see ITU-T Recommendation X.800 5. cryptography: discipline which embodies principles, means, and methods for the transformation of data in order to hide its information content,
33、 prevent its undetected modification and/or prevent its unauthorized us, see ITU-T Recommendation X.800 5. data integrity: property that data has not been altered or destroyed in an unauthorized manner, see ITU-T Recommendation X.800 5. data origin authentication: corroboration that the source of da
34、ta received is as claimed, see ITU-T Recommendation X.800 5. denial of service: prevention of authorized access to resources or the delaying of time-critical operations, see ITU-T Recommendation X.800 5. digital signature: data appended to, or a cryptographic transformation (see cryptography) of a d
35、ata unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery e.g. by the recipient, see ITU-T Recommendation X.800 5. eavesdropping: breach of confidentiality by monitoring communication, see ITU-T Recommendation M.3016 3. forgery:
36、entity fabricates information and claims that such information was received from another entity or sent to another entity, see ITU-T Recommendation M.3016 3. Integration Reference Point (IRP): See 3GPP TS 32.150 6. IRPAgent: See 3GPP TS 32.150 6. IRPManager: See 3GPP TS 32.150 6. loss or corruption
37、of information: integrity of data transferred is compromised by unauthorized deletion, insertion, modification, re-ordering, replay or delay, see ITU-T Recommendation M.3016 3. Operations System (OS): indicates a generic management system, independent of its location level within the management hier
38、archy. masquerade: pretence by an entity to be a different entity, see ITU-T Recommendation X.800 5. ETSI ETSI TS 132 371 V14.0.0 (2017-04)83GPP TS 32.371 version 14.0.0 Release 14password: confidential authentication information, usually composed of a string of characters, see ITU-T Recommendation
39、X.800 5. Peer Entity Authentication: The corroboration that a peer entity in an association is the one claimed, see ITU-T Recommendation X.800 5. repudiation: denial by one of the entities involved in a communication of having participated in all or part of the communication, see ITU-T Recommendatio
40、n X.800 5. security audit: independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in control,
41、 policy and procedures, see ITU-T Recommendation X.800 5. threat: potential violation of security, see ITU-T Recommendation X.800 5. unauthorized access: entity attempts to access data in violation of the security policy in force, see ITU-T Recommendation M.3016 3. 3.2 Abbreviations For the purposes
42、 of the present document, the following abbreviations apply: CM Configuration Management CS Communication SurveillanceDCN Data Communication Network EM Element Manager EP Entry Point FT File TransferIRP Integration Reference Point IS Information Service (see 3GPP TS 32.101 1) ITU-T International Tel
43、ecommunication Union - Telecommunication standardization sector NE Network Element NL Notification LogNM Network Manager NRM Network Resource Model OAM - The set of security features that secure access to mobile stations; - The set of security features that enable applications in the user and in the
44、 provider domain to securely exchange messages. The Network domain provides the set of security features that enable nodes in the provider domain to securely exchange signalling data, and protect against attacks on the wireline network. This domain covers protection of the network, network elements
45、and all internal (control and signalling) traffic against security threats. The network elements can belong to a single operator (intra-operator) or to different operators (inter-operator). The OAM - Installation of security mechanisms; - Key management (management part); - Establishment of identiti
46、es, keys, access control information, etc.; - Management of security audit trail and security alarms. Using the above partitioned view, the scope of the present document is focused on security requirements of the OAM - Data integrity; - Accountability; - Availability; 4.3 Security threats A security
47、 threat is defined by ITU-T Recommendation M.3016 3 as a potential violation of security that can be directed at one of the four basic security objectives (see subclause 4.2). ITU-T Recommendation X.800 5 defines the following security threats: - Masquerade. - Eavesdropping. - Unauthorized access. -
48、 Loss or corruption of information. - Repudiation. - Forgery. - Denial of service. NOTE: In contemporary network security jargon, “denial of service“ is most often used to describe a class of attacks that are intended to subvert the delivery of service. In this context the “denial of service“ threat
49、 can be best described as “denial of service delivery“. 4.4 Security Mechanisms and services ITU-T Recommendation X.800 5 defines a set of security mechanisms that can be used to implement security objectives within a network Security mechanisms are manifested within and/or by security services. The fundamental security services are identified by ITU-T Recommendation X.800 5 as being: - Peer entity authentication. ETSI ETSI TS 132 371 V14.0.0 (2017-04)113GPP TS 32.371 version 14.0.0 Release 14- Da
