1、 International Telecommunication Union ITU-T Series XTELECOMMUNICATION STANDARDIZATION SECTOR OF ITU Supplement 3(04/2008) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY ITU-T X.800-X.849 series Supplement on guidelines for implementing system and network security ITU-T X-series Re
2、commendations Supplement 3 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499DIRECTORY X.500X.599 OSI NETWORKING AND S
3、YSTEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security management X.1050X.1069 Telebiometrics X.1080X.1099
4、SECURE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179 IPTV security X.1180X.1199 CYBERSPACE SECUR
5、ITY Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 For further details, please refer to the list of ITU-T Recommendations. X series Supplem
6、ent 3 (04/2008) i Supplement 3 to ITU-T X-series Recommendations ITU-T X.800-X.849 series Supplement on guidelines for implementing system and network security Summary Network security is designed around a strong security framework, available tools, and standardized protocols. In complex multi-vendo
7、r environments, standards-based security solutions can ensure interoperability and operational efficiencies in realizing end-to-end security. Network providers depend upon security information available to them to help plan, design and implement and maintain their networks in order to meet the secur
8、ity objectives. Standards-based systematic methodology and guidelines identify and address critical security challenges of network and information security. This supplement establishes guidelines for implementing system and network security with a focus on telecommunications networks. This supplemen
9、t provides security guidelines for critical activities during the network life-cycle. These guidelines address four areas: 1) technical security policy, 2) asset identification, 3) threats, vulnerabilities and mitigations, and 4) security assessment. The guidelines and associated templates help in s
10、ystematically addressing the security of networks. Source Supplement 3 to ITU-T X-series Recommendations was agreed on 18 April 2008 by ITU-T Study Group 17 (2005-2008). ii X series Supplement 3 (04/2008) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agen
11、cy in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view
12、to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendatio
13、ns is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this publication, the expression “Administration“ is used for conciseness t
14、o indicate both a telecommunication administration and a recognized operating agency. Compliance with this publication is voluntary. However, the publication may contain certain mandatory provisions (to ensure e.g., interoperability or applicability) and compliance with the publication is achieved w
15、hen all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the publication is required of any party. INTELLECTUAL PROPERTY
16、 RIGHTS ITU draws attention to the possibility that the practice or implementation of this publication may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by I
17、TU members or others outside of the publication development process. As of the date of approval of this publication, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this publication. However, implementers are cautioned that this may not
18、represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2009 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. X series Supplement
19、 3 (04/2008) iii CONTENTS Page 1 Scope 1 1.1 Guidance to organizations on technical security policies. 1 1.2 Guidance on hierarchical-asset identification 1 1.3 Guidance on understanding threats, vulnerabilities and mitigations 1 1.4 Guidance on security assessments 1 2 References. 1 3 Definitions 2
20、 4 Abbreviations and acronyms 2 5 Conventions 2 6 Guidelines phases . 2 6.1 Security integration into product and systems life-cycle . 2 6.2 Guidance to organizations on technical security policies. 4 6.3 Guidance on hierarchical-asset identification 8 6.4 Guidance for understanding threats, vulnera
21、bilities and mitigations . 9 6.5 Guidance on security assessments 14 Bibliography. 22 iv X series Supplement 3 (04/2008) Introduction Network security is designed around a strong security framework, the available tools, and standardized protocols. In complex multi-vendor environments, standards-base
22、d security solutions can ensure interoperability and operational efficiencies in realizing end-to-end security. Network operators depend upon key security information to plan/design, implement and maintain secure networks to meet the organizations business and technical goals. The figure below shows
23、 the key security activities and associated results needed during the security life-cycle. Standards-based systematic methodology and guidelines help in identifying and addressing critical security information challenges of systems and networks. A systematic assessment can provide a baseline of the
24、current level of security and mitigations that are required to support the security life-cycle. This supplement establishes guidelines for implementing system and network security with a focus on telecommunications networks. This supplement provides security guidelines for critical activities during
25、 the network security life-cycle. These guidelines address four areas: 1) technical security policy, 2) hierarchical-asset identification, 3) threats, vulnerabilities and mitigations based on hierarchical assets, and 4) security assessment. The guidelines and associated templates will help in system
26、atically addressing the security of networks. 1) Guidance to organizations on technical security policies This clause describes the value of a security policy and provides guidance on the components of a technical security policy. Recommendation ITU-T X.1051| ISO/IEC 27011 provides details of ISMS s
27、ecurity policy. This supplement leverages existing standards on security policy to build and manage the technical policy. The guidelines in this supplement show key components required to build and continuously manage the technical policy. SECURITY ARCHITECTURE Inputs ActivitiesResults DESIGN ANALYS
28、IS TECHNICAL SECURITY POLICYSECURITYOBJECTIVES,REGULATORY proof of data origin, proof of ownership, proof of resource use). It ensures the availability of evidence that can be presented to a third party and used to prove that some kind of event or action has taken place. 6.5.15 Data confidentiality
29、sub-control (DC) The data confidentiality sub-control protects data from unauthorized disclosure. Data confidentiality ensures that the data content cannot be understood by unauthorized entities. Encryption, access control lists and file permissions are methods often used to provide data confidentia
30、lity. 6.5.16 Communication security sub-control (CS) The communication security sub-control ensures that information flows only between the authorized end points (the information is not diverted or intercepted as it flows between these end points). 6.5.17 Data integrity sub-control (DI) The data int
31、egrity sub-control ensures the correctness or accuracy of data. The data is protected against unauthorized modification, deletion, creation, and replication and provides an indication of these unauthorized activities. 6.5.18 Availability sub-control (AV) The availability sub-control ensures that the
32、re is no denial of authorized access to network elements, stored information, information flows, services and applications due to events impacting the network. Disaster recovery solutions are included in this category. 6.5.19 Privacy sub-control (PR) The privacy sub-control provides for the protecti
33、on of information that might be derived from the observation of network activities. Examples of this information include web-sites that a user has visited, a users geographic location, and the IP addresses and DNS names of devices in a service provider network. 18 X series Supplement 3 (04/2008) 6.5
34、.20 Target network identification and assets to be secured The scope of security assessment is determined by the target network identification and the assets that need to be secured. The asset identification is described in clause 6.3. These guidelines apply in the security assessment clause also an
35、d they are not repeated here. 6.5.21 Guidelines for planning/definition phase Define network security requirements and security architecture: Network security requirements are derived from the business security objectives. Additional details for these objectives are defined by the policy and regulat
36、ory requirements, architecture and deployment environment. Policy guidelines are provided in clause 6.2. Identify the technology specific security requirements (TSSR) applicable to the network: TSSR identification will be spread over the two phases of the security life-cycle, planning and definition
37、, and design and implementation. The security requirements for the solution should be compatible with the applicable TSSR. TSSRs need to be derived from applicable standards and industry practices by the organization. The threat analysis clause explains how to identify the threats at this stage. Ser
38、vices and applications (without the sub-assets) are identified at this stage. The planning and definition phase analyses security by: 1) Deriving the high level security features and comparing them against the security coverage to address the applicable threats, TSSR, and policy/regulatory requireme
39、nts. 2) Identifying the security features that will be further developed to implement access control, authentication, non-repudiation, data confidentiality, communication security, data integrity, privacy and availability. 3) Providing results to include the list of security requirements, TSSR and g
40、aps in the security features as shown in Table 6. Table 6 Security planning and definition # Business objectives Services/ applications Known threats Applicable TSSR Impact sub- controls Security features planned Gaps 1 Req 1 Svc 1 Threat 1 TSSR 1 AC, AU, etc. Feature 1 None 2 Req 2 Svc 1 Threat 2 T
41、SSR n NR, etc. - Support NR 6.5.22 Guidelines for design and implementation The design and implementation phase of the security life-cycle provides the technical details of architecture, protocols, network technology, software development, OAM&P design. Evaluating and baselining security is a key ac
42、tivity of this phase. Results of this phase leverage the input from the planning and definition phase. Key activities of this phase include: 1) Security assets Assets can belong in any one of the controls as discussed in clauses 6.5.2-6.5.10. Asset identification by controls will help in building a
43、comprehensive list covering the management, signalling, and end-user activities. Asset identification is described in clause 6.3. X series Supplement 3 (04/2008) 19 2) Threat analysis and mitigations Threat analysis determines threat mitigations and their implementation priority. Threat analysis is
44、described in clause 6.4. Threat, vulnerability management, and implementing mitigations are critical in the design and implementation phase. 3) TSSR Identify TSSRs that are applicable to the security of services, applications, and network technology that is being planned. TSSRs serve as a key input
45、to security quantification activity together with the threat, vulnerability management. 4) Establish security baseline for the current implementation. Baseline of design plans can be derived by determining the current security position. This includes interviews with the security engineers, architect
46、s and product managers responsible for the network elements, threat analysis and vulnerability testing and verification. The results of security quantification need to present the compliance of various controls and sub-controls described in clauses 6.5.2-6.5.19. This supplement does not specify the
47、format for the representation of the results. It is common practice in the industry to represent implementation levels at a given time, as a measure of security quantification. Tables 7 and 8 show the assessment results for the implementation phase. The vulnerabilities in the solution can be identif
48、ied by various industry techniques, such as architecture analysis, security audits/scans, testing. The results of this phase need to provide a list of mitigations that are prioritized to address the impact on the controls and sub-controls. The assets and mitigations in Tables 7 and 8 can be independ
49、ent or they may overlap. A systematic analysis indicated by these tables ensures that no assets and the associated threats and vulnerabilities are overlooked. Table 7 Security implementation Applications Service/ Application Asset Threat exposure Vulnerability Impact sub-controls Mitigation Gaps Prioriti-zation of mitigation M-A Asset1 How is vulnerability exploited by the exposure Identify the vulnerabilities from testing and analysis. What sub- controls of 6.5.11 are impacted Describe mitigation List the gaps in sub-controls P
