International Telecommunication Union

ITU-T M.3410
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
(08/2008)

SERIES M: TELECOMMUNICATION MANAGEMENT, INCLUDING TMN AND NETWORK MAINTENANCE
Telecommunications management network

Guidelines and requirements for security management systems to support telecommunications management

Recommendation ITU-T M.3410

ITU-T M-SERIES RECOMMENDATIONS
TELECOMMUNICATION MANAGEMENT, INCLUDING TMN AND NETWORK MAINTENANCE

Introduction and general principles of maintenance and maintenance organization: M.10–M.299
International transmission systems: M.300–M.559
International telephone circuits: M.560–M.759
Common channel signalling systems: M.760–M.799
International telegraph systems and phototelegraph transmission: M.800–M.899
International leased group and supergroup links: M.900–M.999
International leased circuits: M.1000–M.1099
Mobile telecommunication systems and services: M.1100–M.1199
International public telephone network: M.1200–M.1299
International data transmission systems: M.1300–M.1399
Designations and information exchange: M.1400–M.1999
International transport network: M.2000–M.2999
Telecommunications management network: M.3000–M.3599
Integrated services digital networks: M.3600–M.3999
Common channel signalling systems: M.4000–M.4999

For further details, please refer to the list of ITU-T Recommendations.

Rec. ITU-T M.3410 (08/2008) i

Recommendation ITU-T M.3410

Guidelines and requirements for security management systems to support telecommunications management

Summary

Recommendation ITU-T M.3410 describes a set of functions considered necessary for the management of security mechanisms deployed in current and next generation packet-oriented networks. A logical collection of management functionality used to perform “operations, administration, maintenance and provisioning” (OAM

[...]

– Support servers (e.g., DNS [b-IETF RFC 2181], DHCP [b-IETF RFC 2131], NTP [b-IETF RFC 1305], backup, and other infrastructure support services);
– Internetworking/transport components (e.g., multiplexers, switches, routers, transport gateways, application gateways, gateway controllers, packet filters (a.k.a. firewalls), content filters, access points, bridges, wired and wireless telephony devices, and monitoring probes for QoS and network activity, to name a few);
– End user host systems (e.g., laptop systems, desktop systems, workstations, printers, etc.); and
– Management systems (e.g., element management, network management, service management, and business management systems).

All of the above entities are referred to in this Recommendation as managed elements (MEs) from a security management perspective.

The requirements specified in this Recommendation should be applicable to a TSP's current infrastructure and also to the infrastructure evolution necessary for building their next generation networks (NGNs) (see ITU-T Y.2001 and ITU-T Y.2012). This Recommendation draws on an ATIS standard [b-ATIS 0300074] as a major source of information and text.

A key aspect of this Recommendation is that it defines a logical architecture and set of functionality independent of physical implementation. Functionality is defined in terms of functional entities, their logical relationships, and the aggregation of functional entities (FEs) into functional groups (FGs). Deployment and implementation of these FEs and FGs within an infrastructure can take many forms, such as centralized, hierarchical, distributed, or some combination of these. This Recommendation takes no stand on the implementation of FEs and FGs, insofar as implementation decisions do not have security-related ramifications. The detailed description of the interactions between FGs is not covered in this Recommendation.

Annex A contains a normative proforma in which specific SMS requirements are documented. Appendices I, II and III are informative and cover:
– Appendix I: The relationship between the SMS and the security concepts covered in ITU-T X.800.
– Appendix II: The relationship between the SMS and other TSP management systems and frameworks.
– Appendix III: The structure and organization of NGN networks and their growing complexity.

2 References

The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation.

[ITU-T M.60] Recommendation ITU-T M.60 (1993), Maintenance terminology and definitions.
[ITU-T M.3010] Recommendation ITU-T M.3010 (2000), Principles for a telecommunications management network.
[ITU-T M.3016.0] Recommendation ITU-T M.3016.0 (2005), Security for the management plane: Overview.
[ITU-T M.3016.1] Recommendation ITU-T M.3016.1 (2005), Security for the management plane: Security requirements.
[ITU-T M.3016.2] Recommendation ITU-T M.3016.2 (2005), Security for the management plane: Security services.
[ITU-T M.3016.3] Recommendation ITU-T M.3016.3 (2005), Security for the management plane: Security mechanism.
[ITU-T M.3016.4] Recommendation ITU-T M.3016.4 (2005), Security for the management plane: Profile proforma.
[ITU-T M.3050.2] Recommendation ITU-T M.3050.2 (2004), Enhanced Telecom Operations Map (eTOM) – Process decompositions and descriptions.
[ITU-T M.3060] Recommendation ITU-T M.3060/Y.2401 (2006), Principles for the management of Next Generation Networks.
[ITU-T X.500] Recommendation ITU-T X.500 (2005) | ISO/IEC 9594-1:2005, Information technology – Open Systems Interconnection – The Directory: Overview of concepts, models and services.
[ITU-T X.509] Recommendation ITU-T X.509 (2000) | ISO/IEC 9594-8:2001, Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks.
[ITU-T X.700] Recommendation ITU-T X.700 (1992), Management framework for Open Systems Interconnection (OSI) for CCITT applications.
[ITU-T X.733] Recommendation ITU-T X.733 (1992) | ISO/IEC 10164-4:1992, Information technology – Open Systems Interconnection – Systems Management: Alarm reporting function.
[ITU-T X.736] Recommendation ITU-T X.736 (1992) | ISO/IEC 10164-7:1992, Information technology – Open Systems Interconnection – Systems Management: Security alarm reporting function.
[ITU-T X.800] Recommendation ITU-T X.800 (1991), Security architecture for Open Systems Interconnection for CCITT applications.
[ITU-T X.805] Recommendation ITU-T X.805 (2003), Security architecture for systems providing end-to-end communications.
[ITU-T X.810] Recommendation ITU-T X.810 (1995) | ISO/IEC 10181-1:1996, Information technology – Open Systems Interconnection – Security frameworks for open systems: Overview.
[ITU-T X.811] Recommendation ITU-T X.811 (1995) | ISO/IEC 10181-2:1996, Information technology – Open Systems Interconnection – Security frameworks for open systems: Authentication framework.
[ITU-T X.812] Recommendation ITU-T X.812 (1995) | ISO/IEC 10181-3:1996, Information technology – Open Systems Interconnection – Security frameworks for open systems: Access control framework.
[ITU-T X.816] Recommendation ITU-T X.816 (1995) | ISO/IEC 10181-7:1996, Information technology – Open Systems Interconnection – Security frameworks for open systems: Security audit and alarms framework.
[ITU-T Y.2001] Recommendation ITU-T Y.2001 (2004), General overview of NGN.
[ITU-T Y.2012] Recommendation ITU-T Y.2012 (2006), Functional requirements and architecture of the NGN release 1.
[ISO/IEC 15408-1] ISO/IEC 15408-1:2005, Information technology – Security techniques – Evaluation criteria for IT security – Part 1: Introduction and general model.
[ISO/IEC 27002] ISO/IEC 27002:2005, Information technology – Security techniques – Code of practice for information security management.

3 Definitions

3.1 Terms defined elsewhere

This Recommendation uses the following terms defined elsewhere:

3.1.1 access control: [ITU-T X.800]
3.1.2 access control list: [ITU-T X.800]
3.1.3 alarm: [ITU-T X.733]
3.1.4 active threat: [ITU-T X.800]
3.1.5 asymmetric authentication method: [ITU-T X.811]
3.1.6 audit trail, see security audit trail: [ITU-T X.800]
3.1.7 authenticated identity: [ITU-T X.811]
3.1.8 authentication: [ITU-T X.800]
3.1.9 authentication information: [ITU-T X.800]
3.1.10 authorization: [ITU-T X.800]
3.1.11 business management layer: [ITU-T M.3010]
3.1.12 ciphertext: [ITU-T X.800]
3.1.13 cleartext: [ITU-T X.800]
3.1.14 confidentiality: [ITU-T X.800]
3.1.15 control security plane: Clause 8.2 of [ITU-T X.805]
3.1.16 credentials: [ITU-T X.800]
3.1.17 cryptanalysis: [ITU-T X.800]
3.1.18 cryptography: [ITU-T X.800]
3.1.19 data integrity: [ITU-T X.800]
3.1.20 decipherment: [ITU-T X.800]
3.1.21 decryption: [ITU-T X.800]
3.1.22 denial of service: [ITU-T X.800]
3.1.23 digital signature: [ITU-T X.800]
3.1.24 element management layer: [ITU-T M.3010]
3.1.25 encipherment: [ITU-T X.800]
3.1.26 encryption: [ITU-T X.800]
3.1.27 end-to-end encipherment: [ITU-T X.800]
3.1.28 end-user security plane: Clause 8.3 of [ITU-T X.805]
3.1.29 hash function: [ITU-T X.810]
3.1.30 initiator: [ITU-T X.812]
3.1.31 integrity: [ITU-T X.800]
3.1.32 key: [ITU-T X.800]
3.1.33 key management: [ITU-T X.800]
3.1.34 network element: [ITU-T M.3010]
3.1.35 network management layer: [ITU-T M.3010]
3.1.36 managed element (ME): [ITU-T M.60]
3.1.37 managed resources: [ITU-T M.60]
3.1.38 management security plane: Clause 8.1 of [ITU-T X.805]
3.1.39 management system: [ITU-T M.60]
3.1.40 masquerade: [ITU-T X.800]
3.1.41 non-repudiation: [ITU-T X.800]
3.1.42 object: [ITU-T M.60]
3.1.43 one-way hash function: [ITU-T X.810]
3.1.44 operations system: [ITU-T M.3010]
3.1.45 passive threat: [ITU-T X.800]
3.1.46 password: [ITU-T X.800]
3.1.47 peer-entity authentication: [ITU-T X.800]
3.1.48 physical security: [ITU-T X.800]
3.1.49 privacy: [ITU-T X.800]
3.1.50 private key: [ITU-T X.810]
3.1.51 public key: [ITU-T X.810]
3.1.52 public-key certificate: [ITU-T X.509]
3.1.53 repudiation: [ITU-T X.800]
3.1.54 risk: [ISO/IEC 27002]
3.1.55 role: [ISO/IEC 15408-1]
3.1.56 secret key: [ITU-T X.810]
3.1.57 security alarm: [ITU-T X.736]
3.1.58 security audit: [ITU-T X.800]
3.1.59 security audit record: [ITU-T X.816]
3.1.60 security audit trail: [ITU-T X.800]
3.1.61 security certificate: [ITU-T X.810]
3.1.62 security management information base (SMIB): [ITU-T X.700]
3.1.63 security policy: [ITU-T X.800]
3.1.64 security-related event: [ITU-T X.736]
3.1.65 service management layer (SML): [ITU-T M.3010]
3.1.66 service management layer operations system function block (S-OSF): [ITU-T M.3010]
3.1.67 signature: [ITU-T X.800]
3.1.68 stratum/strata: [ITU-T Y.2012]
3.1.69 subject: [ISO/IEC 15408-1]
3.1.70 symmetric authentication method: [ITU-T X.811]
3.1.71 target: [ITU-T X.812]
3.1.72 threat: [ITU-T X.800]
3.1.73 trust: [ITU-T X.810]
3.1.74 trusted third party: [ITU-T X.810]

3.2 Terms defined in this Recommendation

This Recommendation defines the following terms:

3.2.1 application security administrator: An application security administrator is an individual who has responsibility for the administration of those attributes and capabilities of an application (sub-)system related to the security of the application (e.g., application administrative and user accounts and authorizations).

3.2.2 application system administrator: An application system administrator is an individual who has responsibility for the administration of all non-security-related attributes and capabilities of an application (sub-)system (e.g., application features, capabilities, configuration parameters and monitoring of the application).

3.2.3 business management system (BMS): A business management system is a business management layer [ITU-T M.3010] operations system.

3.2.4 element management system (EMS): An element management system is an element management layer [ITU-T M.3010] operations system.

3.2.5 functional entity (FE): A functional entity is a cluster of functionality (sub-functions) that is viewed as a single entity from the point of view of the end-to-end functional architecture.

3.2.6 functional group (FG): A functional group is a cluster of functional entities grouped (and named) solely for convenience and architectural clarity.

3.2.7 managed element operator(s): A managed element operator is an individual who has responsibility to perform specified tasks/activities on a managed element that are administrative in nature (e.g., backup, patching, surveillance, etc.).

3.2.8 managed element security administrator: A managed element security administrator is an individual who has responsibility for the administration of those attributes and capabilities of a managed element related to the security of the managed element, regardless of what applications execute on the managed element (e.g., managed element administrative and user accounts and authorizations).

3.2.9 managed element system administrator: A managed element system administrator is an individual who has responsibility for the administration of all non-security-related attributes and capabilities of a managed element (e.g., managed element features, capabilities, configuration parameters and monitoring of the managed element).

3.2.10 network management system (NMS): A network management system is a network management layer [ITU-T M.3010] operations system.

3.2.11 role: The description of an individual's sphere of responsibility.
NOTE – It may be used for enforcing access control in accordance with the principle of least privilege (see managed element operator(s), managed element system administrator, managed element security administrator, application system administrator and application security administrator above).

3.2.12 security administrator: An authority (a person or group of people) responsible for implementing the security policy for a security domain.

3.2.13 security event: A security-related event [ITU-T X.736].

3.2.14 security management system (SMS): A logical collection of management functionality used to perform “operations, administration, maintenance and provisioning” (OAM

[...]

and 2) administrator accounts for MEs.

FEs within the administrator account management FG interact with deployed transport, signalling and control, application service delivery and management MEs, as defined in ITU-T Y.2012, as well as non-NGN MEs.

SEC-6: The administrator account management FG should communicate with other SMS
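The administrator roles defined in clause 3.2 (managed element operator, managed element system administrator, managed element security administrator, application system administrator, application security administrator) are, per the NOTE to 3.2.11, the basis on which access control is to be enforced under the principle of least privilege, and the administrator account management FG above is where administrator accounts for MEs are managed. The Python below is an added example and is not code or text from ITU-T M.3410 or from the ATIS source it draws on: it encodes those five roles as permissions scoped by level (managed element or application) and by attribute class (security-related, non-security, operational task), evaluates requests deny-by-default, and flags a principal that holds both the system administrator and the security administrator role for the same target. The principal names, the managed element identifiers ("me-7", "me-9"), the application names, the operator task whitelist and the conflict rule are this example's own assumptions, not requirements stated in the Recommendation.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Level(Enum):
    ME = "managed element"
    APP = "application"


class Attr(Enum):
    SECURITY = "security-related"      # accounts, authorizations, credentials
    NON_SECURITY = "non-security"      # features, configuration, monitoring
    OPERATION = "operational task"     # backup, patching, surveillance


# Role name -> (level the role administers, attribute classes it may change).
# Derived from clauses 3.2.1, 3.2.2, 3.2.7, 3.2.8 and 3.2.9; role names are
# this example's own.
ROLES = {
    "me_operator":        (Level.ME,  {Attr.OPERATION}),
    "me_system_admin":    (Level.ME,  {Attr.NON_SECURITY}),
    "me_security_admin":  (Level.ME,  {Attr.SECURITY}),
    "app_system_admin":   (Level.APP, {Attr.NON_SECURITY}),
    "app_security_admin": (Level.APP, {Attr.SECURITY}),
}

# Tasks an operator may run. Clause 3.2.7 gives these as examples; treating
# the set as a closed whitelist is an assumption of this example.
OPERATOR_TASKS = {"backup", "patch", "surveillance"}


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    me: str                      # managed element the assignment is scoped to
    app: Optional[str] = None    # application, for application-level roles only


@dataclass(frozen=True)
class Request:
    principal: str
    me: str
    level: Level
    attr: Attr
    app: Optional[str] = None
    task: Optional[str] = None


def permits(a: Assignment, r: Request) -> bool:
    """True if this single role assignment authorizes the request."""
    level, attrs = ROLES[a.role]
    if a.principal != r.principal or a.me != r.me:
        return False
    if level is not r.level or r.attr not in attrs:
        return False
    if level is Level.APP and a.app != r.app:
        return False                       # application roles reach only their own application
    if r.attr is Attr.OPERATION:
        return r.task in OPERATOR_TASKS    # operators get a task whitelist, not ME configuration
    return True


def authorize(assignments: Iterable[Assignment], r: Request) -> bool:
    """Deny by default; any single matching assignment grants."""
    return any(permits(a, r) for a in assignments)


def separation_conflicts(assignments: Iterable[Assignment]) -> set:
    """Principals holding both the security and the system administrator role
    for the same target. Flagging this pairing is this example's own
    least-privilege rule, not a requirement stated in clause 3.2."""
    held = {}
    for a in assignments:
        held.setdefault((a.principal, a.me, a.app), set()).add(a.role)
    conflicts = set()
    for (who, _me, _app), roles in held.items():
        if {"me_system_admin", "me_security_admin"} <= roles or \
           {"app_system_admin", "app_security_admin"} <= roles:
            conflicts.add(who)
    return conflicts


# Constructed sample assignments for the example.
SAMPLE = [
    Assignment("alice", "me_security_admin", me="me-7"),
    Assignment("bob", "me_system_admin", me="me-7"),
    Assignment("carol", "app_security_admin", me="me-7", app="app-billing"),
    Assignment("dave", "me_operator", me="me-7"),
    Assignment("erin", "me_system_admin", me="me-9"),
    Assignment("erin", "me_security_admin", me="me-9"),
]


def demo() -> dict:
    """Constructed requests against SAMPLE; keys name the scenario."""
    return {
        # an ME system administrator may not create ME accounts (3.2.9 vs 3.2.8)
        "bob_adds_me_account": authorize(SAMPLE, Request("bob", "me-7", Level.ME, Attr.SECURITY)),
        "alice_adds_me_account": authorize(SAMPLE, Request("alice", "me-7", Level.ME, Attr.SECURITY)),
        # ME security administration does not extend to application accounts (3.2.1)
        "alice_adds_app_account": authorize(SAMPLE, Request("alice", "me-7", Level.APP, Attr.SECURITY, app="app-billing")),
        "carol_adds_app_account": authorize(SAMPLE, Request("carol", "me-7", Level.APP, Attr.SECURITY, app="app-billing")),
        "carol_other_app": authorize(SAMPLE, Request("carol", "me-7", Level.APP, Attr.SECURITY, app="app-cdr")),
        "dave_backup": authorize(SAMPLE, Request("dave", "me-7", Level.ME, Attr.OPERATION, task="backup")),
        "dave_reconfigures": authorize(SAMPLE, Request("dave", "me-7", Level.ME, Attr.NON_SECURITY)),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'permit' if allowed else 'deny'}")
    print("separation conflicts:", separation_conflicts(SAMPLE))
```

The split that matters for an SMS is the one between the security administrator and the system administrator at each level: an account or authorization change on a managed element is only granted to the managed element security administrator, and an application's accounts only to that application's security administrator, so compromise of a configuration-only account does not by itself yield account control.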