1、 International Telecommunication Union ITU-T M.3016.1TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (04/2005) SERIES M: TELECOMMUNICATION MANAGEMENT, INCLUDING TMN AND NETWORK MAINTENANCE Telecommunications management network Security for the management plane: Security requirements ITU-T Recommenda
2、tion M.3016.1 ITU-T M-SERIES RECOMMENDATIONS TELECOMMUNICATION MANAGEMENT, INCLUDING TMN AND NETWORK MAINTENANCE Introduction and general principles of maintenance and maintenance organization M.10M.299 International transmission systems M.300M.559 International telephone circuits M.560M.759 Common
3、channel signalling systems M.760M.799 International telegraph systems and phototelegraph transmission M.800M.899 International leased group and supergroup links M.900M.999 International leased circuits M.1000M.1099 Mobile telecommunication systems and services M.1100M.1199 International public telep
4、hone network M.1200M.1299 International data transmission systems M.1300M.1399 Designations and information exchange M.1400M.1999 International transport network M.2000M.2999 Telecommunications management network M.3000M.3599 Integrated services digital networks M.3600M.3999 Common channel signallin
5、g systems M.4000M.4999 For further details, please refer to the list of ITU-T Recommendations. ITU-T Rec. M.3016.1 (04/2005) i ITU-T Recommendation M.3016.1 Security for the management plane: Security requirements Summary This Recommendation identifies the security requirements for the management pl
6、ane in telecommunication management. It focuses specifically on the security aspect of the management plane for network elements (NE) and management systems (MS), which are part of the telecommunication infrastructure. Source ITU-T Recommendation M.3016.1 was approved on 13 April 2005 by ITU-T Study
7、 Group 4 (2005-2008) under the ITU-T Recommendation A.8 procedure. ii ITU-T Rec. M.3016.1 (04/2005) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a perm
8、anent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establi
9、shes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary stand
10、ards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Reco
11、mmendation may contain certain mandatory provisions (to ensure e.g. interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents ar
12、e used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Int
13、ellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not rece
14、ived notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementors are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database. ITU 2005 All rights reserved
15、. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. ITU-T Rec. M.3016.1 (04/2005) iii CONTENTS Page 1 Scope 1 1.1 Purpose . 1 1.2 Relationship with X.805 Security Architecture 1 1.3 Relationship with E.408 telecommunication networks
16、security requirements . 1 2 References. 2 3 Terms and definitions . 2 4 Abbreviations and acronyms 3 5 Conventions 4 6 Security requirements . 5 6.1 Verification of identities. 5 6.2 Controlled access and authorization. 7 6.3 Protection of confidentiality. 11 6.4 Protection of data integrity . 12 6.
17、5 Accountability 13 6.6 Security logging and audit 13 6.7 Security alarm reporting. 14 6.8 Protection of the DCN 14 Annex A Mapping of security requirements, services and mechanisms 14 Appendix I Additional security considerations. 20 I.1 Applicability to enterprise operations, administration, maint
18、enance and provisioning 20 I.2 Common object request broker architecture, simple network management protocol, extensible markup language, and simple object access protocol 20 I.3 Lawfully authorized electronic surveillance 23 I.4 Physical security considerations. 24 I.5 Development process 29 Append
19、ix II Framework and design guidelines 35 II.1 Framework and model 35 II.2 Design guidelines . 37 Appendix III Semantics of terms used in the M.3016.x series . 38 BIBLIOGRAPHY 43 iv ITU-T Rec. M.3016.1 (04/2005) Introduction Telecommunications is a critical infrastructure for global communication and
20、 economy. Appropriate security for the management functions controlling this infrastructure is essential. Many standards for Telecommunication network management security exist. However, compliance is low and implementations are inconsistent across the various telecommunication equipment and softwar
21、e components. This Recommendation identifies the security requirements to allow vendors, agencies, and service providers to implement a secure telecommunication management infrastructure. Although the present set of requirements represents the current understanding of the state of the art, technolog
22、ies will advance and conditions change. To be successful, this Recommendation must evolve as conditions warrant. This Recommendation is intended as a foundation. Service providers may include additional requirements to meet their specific needs over and above those dealt within this Recommendation.
23、This Recommendation is part of the M.3016.x series of ITU-T Recommendations intended to provide guidance and recommendations for securing the management plane of evolving networks: ITU-T Rec. M.3016.0 Security for the management plane: Overview. ITU-T Rec. M.3016.1 Security for the management plane:
24、 Security requirements. ITU-T Rec. M.3016.2 Security for the management plane: Security services. ITU-T Rec. M.3016.3 Security for the management plane: Security mechanism. ITU-T Rec. M.3016.4 Security for the management plane: Profile proforma. ITU-T Rec. M.3016.1 (04/2005) 1 ITU-T Recommendation M
25、.3016.1 Security for the management plane: Security requirements 1 Scope ITU-T Recs M.3016.1-3 specify a set of requirements, services and mechanisms for the appropriate security of the management functions necessary to support the telecommunication infrastructure. Because different administrations
26、and organizations require varying levels of security support, ITU-T Recs M.3016.1-3 do not specify whether a requirement, service/or mechanism is mandatory or optional. This Recommendation identifies the security requirements for the management plane in Telecommunication management. It focuses speci
27、fically on the security aspect of the management plane for network elements (NE) and management systems (MS), which are part of the Telecommunication infrastructure. This Recommendation is generic in nature and does not identify or address the requirements for a specific Telecommunications Managemen
28、t Network (TMN) interface. The proforma defined in ITU-T Rec. M.3016.4 is provided to assist organizations, administrations and other national/international organizations, specify the mandatory and optional support of the requirements as well as value ranges, values, etc. to help implement their sec
29、urity policies. 1.1 Purpose ITU-T Rec. M.3016.0 identifies a number of objectives, for securing the management network and threats that introduce risks with regard to meeting these objectives. This Recommendation derives the requirements from the objectives against threats and identifies the securit
30、y services that counter them. In defining the services, mechanisms are used based on certain algorithms. The other Recommendations in this series build on the structure set forth in the ITU-T Rec. M.3016.0 overview. It augments the various steps required to secure the management plane. 1.2 Relations
31、hip with X.805 security architecture ITU-T Rec. X.805 defines security architecture for providing end-to-end network security. The X.805 security architecture logically divides a complex set of end-to-end network security-related features into three separate architectural components, namely Security
32、 Dimensions, Security Layers and Security Planes (see Figure 2/X.805). A Security Dimension is a set of security measures designed to address a particular aspect of the network security. ITU-T Rec. X.805 defines three Security Layers: the Infrastructure Security Layer, the Services Security Layer, a
33、nd the Applications Security Layer, which build on one another to provide network-based solutions. A Security Plane is a certain type of network activity protected by Security Dimensions. Three Security Planes are identified in ITU-T Rec. X.805, namely, Management Plane, Control Plane, and End-User
34、Plane. To provide a complete solution, security measures (e.g., access control, authentication) should be applied to each type of network activity (i.e., management plane activity, control plane activity, and end user plane activity) for the network infrastructure, network services, and network appl
35、ications. This Recommendation focuses specifically on the security aspect of the management plane for network elements (NE) and management systems (MS), which are part of the network infrastructure. 1.3 Relationship with E.408 telecommunication networks security requirements ITU-T Rec. E.408 provide
36、s an overview of security requirements and a framework that identifies security threats to telecommunication networks in general (both fixed and mobile; both voice and data) and gives guidance for planning countermeasures that can be taken to mitigate the risks 2 ITU-T Rec. M.3016.1 (04/2005) arisin
37、g from the threats. It is generic in nature and does not identify or address requirements for specific networks. The M.3016.x series identifies the security requirements, services, and mechanisms for the telecommunication network, i.e., the management plane in general in telecommunication management
38、. 2 References The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revis
39、ion; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this
40、Recommendation does not give it, as a stand-alone document, the status of a Recommendation ITU-T Recommendation E.408 (2004), Telecommunication networks security requirements. ITU-T Recommendation G.8080/Y.1304 (2001), Architecture for the automatically switched optical network (ASON), plus Amendmen
41、t 2 (2005). ITU-T Recommendation M.3010 (2000), Principles for a telecommunications management network. ITU-T Recommendation M.3013 (2000), Considerations for a telecommunications management network. ITU-T Recommendation M.3016.0 (2005), Security for the management plane: Overview. ITU-T Recommendat
42、ion M.3016.2 (2005), Security for the management plane: Security services. ITU-T Recommendation M.3016.3 (2005), Security for the management plane: Security mechanism. ITU-T Recommendation M.3016.4 (2005), Security for the management plane: Profile proforma. ITU-T Recommendation X.509 (2000), Inform
43、ation Technology Open Systems Interconnection: The Directory: Public-key and attribute certificate frameworks, plus Technical Cor.1 (2001), Technical Cor.2 (2002) and Technical Cor.3 (2003). ITU-T Recommendation X.800 (1991), Security architecture for Open Systems Interconnection for CCITT applicati
44、ons, plus Amendment 1 (1996), Layer Two Security Service and Mechanisms for LANs. ITU-T Recommendation X.805 (2003), Security architecture for systems providing end-to-end communications. IETF RFC 1750 (1994), Randomness Recommendations for Security. 3 Terms and definitions This Recommendation uses
45、the following terms from ITU-T Rec. G.8080/Y.1304: Control Plane; Management Plane; Transport Plane. ITU-T Rec. M.3016.1 (04/2005) 3 This Recommendation uses the following terms from ITU-T Rec. M.3010: Management System; Network Element. This Recommendation uses the following term from ITU-T Rec. M.
46、3013: Element Management System. This Recommendation uses the following term from ITU-T Rec. X.509: Strong Authentication. This Recommendation uses the following terms from ITU-T Rec. X.800: Access Control; Authentication. This Recommendation defines the following term: 3.1 critical security adminis
47、tration actions; which include but are not limited to: a) Defining and assigning user privileges; b) Adding and deleting user IDs; c) Disabling the use of specific user IDs as login IDs; d) Initializing and resetting login passwords; e) Initializing and changing cryptographic keys; f) Setting the sy
48、stems aging threshold for login passwords; g) Setting the systems limit on the number of failed logins for each login ID; h) Removing a lockout, or changing the systems lockout timer value; i) Setting the systems inactivity timer value; j) Setting system security logging and alarm configuration; k)
49、Managing the security logging processes; l) Upgrading security software; m) Terminating any user or system session. 4 Abbreviations and acronyms This Recommendation uses the following abbreviations: AAA Authentication, Authorization and Accounting ACS Access Control Server ALE Annualized Loss Expectancy ANSI American National Standards Institute CO Central Office CORBA Common Object Request Broker Architecture CSI Common Secure Interoperability DoS Denial of Service EMS Element Management System FTP F
