International Telecommunication Union
ITU-T Series X
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
Supplement 30 (09/2017)
SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
ITU-T X.805 Security guidelines for mobile virtual network operators
ITU-T X-series Recommendations Supplement 30
Supplement 30 to ITU-T X-series Recommendations
ITU-T X.805 Security guidelines for mobile virtual network operators

Summary
Supplement 30 to ITU-T X-series Recommendations provides security guidelines for mobile virtual network operators (MVNOs). Security is very important to MVNOs, and most MVNOs have a lot of security similarities. This Supplement analyses the main features of MVNOs and the typical security threats that they face. Based on the structure of MVNOs, this Supplement provides a security framework for MVNOs, including security objectives and security requirements.

History
Edition  Recommendation      Approval    Study Group  Unique ID*
1.0      ITU-T X Suppl. 30   2017-09-06  17           11.1002/1000/13410

Keywords
Mobile virtual network operator, MVNO, security guide.

* To access the Recommendation, type the URL http://handle.itu.int/ in the address field of your web browser, followed by the Recommendation's unique ID. For example, http://handle.itu.int/11.1002/1000/11830-en.

FOREWORD
The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.
The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.
The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.
In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE – In this publication, the expression “Administration” is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.
Compliance with this publication is voluntary. However, the publication may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the publication is achieved when all of these mandatory provisions are met. The words “shall” or some other obligatory language such as “must” and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the publication is required of any party.

INTELLECTUAL PROPERTY RIGHTS
ITU draws attention to the possibility that the practice or implementation of this publication may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the publication development process.
As of the date of approval of this publication, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this publication. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent
database at http://www.itu.int/ITU-T/ipr/.

© ITU 2017
All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

Table of Contents                                  Page
1    Scope                                         1
2    References                                    1
3    Definitions                                   1
3.1  Terms defined elsewhere                       1
3.2  Terms defined in this Supplement              1
4    Abbreviations and acronyms                    1
5    Conventions                                   2
6    Background                                    2
7    Security threats for operation                3
8    Security requirements                         4
9    Security countermeasures                      5
9.1  Detection and recognition                     6
9.2  Protection                                    6
9.3  Security audit and recovery                   8
Appendix I – A practice of MVNO security           10
Bibliography                                       12

Introduction
A mobile virtual network operator (MVNO) is a mobile communication services provider that does not own the wireless network infrastructure over which the MVNO provides services to its customers. An MVNO enters into a business agreement with a mobile network operator (MNO) to obtain bulk access to network services at wholesale rates and then sets retail prices independently. An MVNO usually uses its own customer service, billing support systems, marketing and sales personnel, or employs the services of a mobile virtual network enabler (MVNE).
Different from traditional network operators, who own relatively independent telecommunication networks, an MVNO can only manage part of the telecommunication networks and services. The service resellers of MVNOs are scattered in different places and connect to the MVNOs through different connections. It is inevitable that MVNOs face serious security threats due to inadequate security practices and requirements, which are very different from the security requirements of traditional network operators. Generally, the security capabilities of MVNOs are weaker than those of traditional network operators. MVNOs are becoming the main targets of security exploits; therefore, it is very important to develop security guidelines for MVNOs.

1 Scope
This Supplement provides security guidelines for mobile virtual network operators (MVNOs) on how to take action against common security threats. This Supplement analyses the requirements and categories of security measures for MVNOs. It defines a set of detailed security requirements and measures for MVNOs' daily operation and maintenance. This Supplement will be helpful in reducing the security risks to MVNOs. The target audience of this Supplement is MVNOs.

2 References
[ITU-T X.805] Recommendation ITU-T X.805 (2003), Security architecture for systems providing end-to-end communications.

3 Definitions
3.1 Terms defined elsewhere
This Supplement uses the following terms defined elsewhere:
3.1.1 access control [b-ITU-T X.800]: The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner.
3.1.2 authentication [b-ITU-T X.800]: The corroboration that the source of data received is as claimed.
3.1.3 data integrity [b-ITU-T X.800]: The property that data has not been altered or destroyed in an unauthorized manner.
3.2 Terms defined in this Supplement
This Supplement defines the
following term:
3.2.1 mobile virtual network operator (MVNO): A wireless communication services provider that does not own the wireless network infrastructure over which it provides services to its customers.

4 Abbreviations and acronyms
This Supplement uses the following abbreviations and acronyms:
CRM    Customer Relationship Management
CSRF   Cross-Site Request Forgery
DDoS   Distributed Denial of Service
DLP    Data Loss Prevention
DoS    Denial of Service
DMZ    Demilitarized Zone
HLR    Home Location Register
HSS    Home Subscriber Server
IAM    Identity and Authorization Management
IPS    Intrusion Prevention System
ISP    Internet Service Provider
IPSec  Internet Protocol Security
IT     Information Technology
L2TP   Layer 2 Tunnelling Protocol
MNO    Mobile Network Operator
MVNE   Mobile Virtual Network Enabler
MVNO   Mobile Virtual Network Operator
RPO    Recovery Point Objective
RTO    Recovery Time Objective
SSL    Secure Socket Layer
SQL    Structured Query Language
VPN    Virtual Private Network
WAF    Web Application Firewall
XSS    Cross-Site Scripting

5 Conventions
None.

6 Background
A mobile virtual network operator (MVNO) is a mobile communication services provider that does not own the wireless network infrastructure over which the MVNO provides services to its customers. An MVNO leases wireless capacity from traditional network operators and packages it for a specific application. Typically, an MVNO owns its customer base, sales channel and specific brand, while providing competitive billing policies.
An MVNO conventionally covers a range of different business approaches to providing mobile services. There are four common operating models of MVNOs: reseller, service operator, full MVNO and mobile virtual network enabler (MVNE), as illustrated in Figure 1.

Figure 1 – Common operating models of MVNO

The four operating models of MVNOs are as follows:
1) The reseller model suits an organization that can leverage its existing distribution channels to sell mobile services, but has little need to innovate the services it provides or differentiate itself from other players. Typically, this means selling no-frills voice and messaging services.
2) The service operator model suits those organizations that wish to gain control over the services they provide, both in terms of pricing and service innovation. This means the service operator model suits players that seek to address specific customer segments, by differentiating themselves from other players in those segments through innovation in pricing and/or service content.
3) The full MVNO model suits players aiming to achieve additional differentiation from service operators and mobile network operators (MNOs), by offering leading edge products and services, and achieving a high degree of independence at the outset. The full MVNO model may be the best approach for some players who would otherwise select the reseller or service operator models and introduce differentiating services into their offerings at a later date. This is because the control provided by the full MVNO model may offer better short- and long-term opportunities.
4) The MVNE model acts as an interface between a reseller or service operator and a host MNO.
Traditional network operators own relatively independent telecommunication networks, whereas MVNOs can only manage part of the telecommunication networks and services. MVNOs' service resellers are scattered in various places and connect to the MVNOs through assorted connections. It is inevitable that an MVNO will face serious security threats due to inadequate security practices and weak fundamental security requirements. Generally, the security capabilities of MVNOs are weaker than those of traditional network operators. This weakness causes MVNOs to become the main targets of security exploits, thus it is very important to produce a security guide for MVNOs.
This Supplement mainly focuses on full MVNOs and MVNEs. Security documents for other models may also refer to this Supplement.

7 Security threats for operation
Generally, an MNO has a complete infrastructure chain including radio access, switches and other network elements, customer relationship
management (CRM) and billing systems, services and content systems, and user management systems like SIM cards, home location register (HLR) and home subscriber server (HSS) offerings. In comparison, an MVNO would have some, but not all, network elements, an independent CRM and billing system, and its own user management systems, which may or may not include SIM cards, but it would not have its own radio access infrastructure.
Unlike an MNO with a huge network infrastructure, an MVNO's information assets may mainly include generic equipment/systems such as databases, clusters of servers, PCs and network security equipment. An MVNO's complexity and diversity, the inevitable vulnerabilities of its information systems and any existing flaws in administrative, logical or physical security design could be exploited and could lead to a variety of security threats. The security threats faced by MVNOs can be summarized in the following aspects (see [ITU-T X.805]):

Destruction of information and/or other resources
The daily operations of an MVNO rely heavily on the Internet, which inevitably brings about traditional Internet security threats. Illegal intruders could utilize various kinds of vulnerabilities in security mechanisms such as access control, authentication and authorization, to execute malicious activities, which may result in information/system damage.

Corruption or modification of information
Like all other information technology (IT) organizations, the accuracy of electronic data is a prerequisite to ensure the smooth operation of an MVNO. However, there are many factors which could provide opportunities for corruption or modification of information, such as: u