1、 International Telecommunication Union ITU-T X.1031TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (03/2008) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Telecommunication security Roles of end users and telecommunications networks within security architecture Recommendation ITU-
2、T X.1031 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS Services and facilities X.1X.19 Interfaces X.20X.49 Transmission, signalling and switching X.50X.89 Network aspects X.90X.149 Maintenance X.150X.179 Administrative arrangements X.180X.
3、199 OPEN SYSTEMS INTERCONNECTION Model and notation X.200X.209 Service definitions X.210X.219 Connection-mode protocol specifications X.220X.229 Connectionless-mode protocol specifications X.230X.239 PICS proformas X.240X.259 Protocol Identification X.260X.269 Security Protocols X.270X.279 Layer Man
4、aged Objects X.280X.289 Conformance testing X.290X.299 INTERWORKING BETWEEN NETWORKS General X.300X.349 Satellite data transmission systems X.350X.369 IP-based networks X.370X.379 MESSAGE HANDLING SYSTEMS X.400X.499DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS Networking X.600X.629 Efficien
5、cy X.630X.639 Quality of service X.640X.649 Naming, Addressing and Registration X.650X.679 Abstract Syntax Notation One (ASN.1) X.680X.699 OSI MANAGEMENT Systems Management framework and architecture X.700X.709 Management Communication Service and Protocol X.710X.719 Structure of Management Informat
6、ion X.720X.729 Management functions and ODMA functions X.730X.799 SECURITY X.800X.849 OSI APPLICATIONS Commitment, Concurrency and Recovery X.850X.859 Transaction processing X.860X.879 Remote operations X.880X.889 Generic applications of ASN.1 X.890X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 TELECO
7、MMUNICATION SECURITY X.1000 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T X.1031 (03/2008) i Recommendation ITU-T X.1031 Roles of end users and telecommunications networks within security architecture Summary Recommendation ITU-T X.1031 provides guidance for appl
8、ying the concepts of Recommendation ITU-T X.805 architecture to divide security controls between the telecommunication networks (including service providers and/or application providers networks) and the end users equipment. The Recommendation also defines the factors to be taken into account in set
9、ting up or dividing the interaction of security controls between the telecommunication network and the users. In addition, a classification of security controls for telecommunication is given. Source Recommendation ITU-T X.1031 was approved on 22 March 2008 by ITU-T Study Group 17 (2005-2008) under
10、Recommendation ITU-T A.8 procedure. ii Rec. ITU-T X.1031 (03/2008) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector
11、 (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every f
12、our years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, t
13、he necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary.
14、 However, the Recommendation may contain certain mandatory provisions (to ensure e.g. interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negat
15、ive equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the us
16、e of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation
17、, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/ww
18、w.itu.int/ITU-T/ipr/. ITU 2008 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T X.1031 (03/2008) iii CONTENTS Page 1 Scope 1 2 References. 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms def
19、ined in this Recommendation. 2 4 Abbreviations and acronyms 2 5 Conventions 2 6 Applying the X.805 concepts to the networks and end-user equipment 2 6.1 Three security layers in a network and in the end-user equipment 2 6.2 Classification of security controls in telecommunication 4 6.3 Roles of netw
20、ork and users. 5 6.4 Applicability of the security architecture components to network and users 6 7 Capabilities for further division of the security controls 8 8 Relationship to other ITU-T Recommendations concerning security 9 Annex A Possible composition of technical facilities of network and use
21、rs 11 Bibliography. 12 Rec. ITU-T X.1031 (03/2008) 1 Recommendation ITU-T X.1031 Roles of end users and telecommunications networks within security architecture 1 Scope 1.1 Security support in the telecommunication systems is essential for the telecommunication operators and for the users of their s
22、ervices. Because of this, security controls must be implemented in the telecommunication network as well as in the end-user terminals. Such controls are to support the security solutions, defined according to a security policy, in the environment of the user-to-user communication. ITU-T X.805 define
23、s security architecture for systems providing end-to-end communications. This Recommendation provides guidance on applying the concepts of ITU-T X.805 with a focus on the specifics of the use of X.805 for securing the networks and the end-user equipment. 1.2 Division of the security controls between
24、 the network and its users meets a common architectural layout of the telecommunication systems, where user premises equipment is strictly separated from the network at the infrastructure layer. 1.3 Relations between the user and the network (the communication operator) have certain regulatory and t
25、echnical aspects. This Recommendation deals solely with the technical aspects. 2 References The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indica
26、ted were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Rec
27、ommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation. ITU-T X.805 Recommendation ITU-T X.805 (2003), Security architecture for systems providing end-to-end communications. 3 Definitions
28、 3.1 Terms defined elsewhere This Recommendation uses the following terms defined elsewhere: 3.1.1 quality of service b-ITU-T E.800: The collective effect of service performance which determines the degree of satisfaction of a user of the service. NOTE 1 The “quality of service“ is characterized by
29、the combined aspects of service support performance, service operability performance, serveability performance, service security performance and other factors specific to each service. NOTE 2 The term “quality of service“ is not used to express a degree of excellence in a comparative sense nor is it
30、 used in a quantitative sense for technical evaluations. In this case, a qualifying adjective (modifier) should be used. 3.1.2 security controls (based on b-ISO/IEC TR 19791): The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information syst
31、em to protect the data confidentiality, data integrity, and availability of the system and its information. 2 Rec. ITU-T X.1031 (03/2008) NOTE This definition is intended to include controls that provide accountability, access control, authentication, non-repudiation, communication security, and pri
32、vacy, which are sometimes considered as distinct from data confidentiality, data integrity and availability. 3.1.3 security dimension (based on ITU-T X.805): A set of security measures designed to address a particular aspect of the network security. There exist eight such sets identified to protect
33、against all major security threats. These dimensions are not limited to the network, but extend to applications and end user information as well. The security dimensions are: (1) access control, (2) authentication, (3) non-repudiation, (4) data confidentiality, (5) communication security, (6) data i
34、ntegrity, (7) availability, and (8) privacy. 3.1.4 security layers (based on ITU-T X.805): A hierarchy of network equipment and facility groupings to which the security dimensions must be applied. There are three security layers identified: infrastructure security layer, services security layer, and
35、 application security layer. 3.1.5 security plane (based on ITU-T X.805): A certain type of network activity protected by security dimensions. There are three security planes identified: management plane, control plane, and end-user plane. 3.2 Terms defined in this Recommendation None. 4 Abbreviatio
36、ns and acronyms This Recommendation uses the following abbreviations and acronyms: N-D Network security controls Dependent on UNI N-I Network security controls Independent from UNI QoS Quality of Service U-D User security controls Dependent on UNI U-I User security controls Independent from UNI UNI
37、User-Network Interface 5 Conventions None. 6 Applying the X.805 concepts to the networks and end-user equipment 6.1 Three security layers in a network and in the end-user equipment 6.1.1 According to ITU-T X.805, there are three different hierarchical security layers in a telecommunication system: i
38、nfrastructure security layer; services security layer; applications security layer. These security layers protect three types of telecommunication system activities: management plane; control plane; end-user plane. Rec. ITU-T X.1031 (03/2008) 3 6.1.2 The above-listed concepts of the security archite
39、cture are applicable to both, the network and the end-user equipment as illustrated by Figure 1. User-network interface is supported by the subscriber line, which may be wireline or wireless. X.1031(08)_F01NetworkEnd-user equipmentSecurity layersApplications securityServices securityInfrastructure s
40、ecurityEnd-user planeSecurity layersApplications securityServices securityInfrastructure securityEnd-user planeControl planeManagement plane Management planeControl planeUser-network interface (UNI)Figure 1 Applying the concepts of X.805 to the network and to the end-user equipment 6.1.3 In line wit
41、h clause 6.1.2, there are functionality layers defined for a network and for the end-user equipment as depicted in Figure 2: infrastructure layer; services layer; applications layer. The following elements will correspond to these layers: a) technical facilities of the infrastructure providers, serv
42、ice providers and application providers within the network; b) technical facilities for the use of the infrastructure, services and applications at the end-user equipment. A more detailed description of the possible technical facilities composition of network and user is offered in Annex A. Network
43、End-user equipment Applications layer Application providers Application utilization function Services layer Service providers Service utilization function Infrastructure layer Infrastructure providers UNI Infrastructure utilization function Figure 2 Three functionality layers in network and at user
44、end 4 Rec. ITU-T X.1031 (03/2008) 6.1.4 The numerous users with different terminal types, requirements in term of quality of service, security requirements, etc., could be connected to the same network. 6.1.5 An important element of the system comprising the network and the end-user equipment (see F
45、igures 1 and 2) is the user-network interface (UNI). This interface divides the users and networks technical facilities (including the security controls), and, at the same time, it facilitates interaction between these technical facilities. 6.2 Classification of security controls in telecommunicatio
46、n 6.2.1 The architectural approach under consideration in this Recommendation provides for the introduction of an additional classification of the security controls in telecommunication. 6.2.2 Taking into account the location of security controls, they may be divided into three groups: Group N (netw
47、ork security controls): security controls that may be used in the network; Group U (user security controls): security controls that may be used by the user; Group NU (network and user security controls): security controls that may be used in the network and by the user. 6.2.3 Considering interrelati
48、ons of both the network and user security controls with the user-network interface (UNI), Groups N, U and NU could be split further into six classes (see Figure 3), as follows: Class N-I (network security controls Independent from UNI): The security controls implemented in the network and unrelated
49、to the UNI interface; Class N-D (network security controls Dependent on UNI): The security controls implemented in the network and related to the UNI interface; Class U-I (user security controls Independent from UNI): The security controls realized at the user end and unrelated to the UNI interface; Class U-D (user security controls Dependent on UNI): The security controls realized at the user end and related to the UNI interface; Class NU-I (network and user secu
