International Telecommunication Union
ITU-T X.1036
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (11/2007)
SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
Telecommunication security

Framework for creation, storage, distribution and enforcement of policies for network security

ITU-T Recommendation X.1036
For further details, please refer to the list of ITU-T Recommendations.

ITU-T Rec. X.1036 (11/2007)

ITU-T Recommendation X.1036
Framework for creation, storage, distribution and enforcement of policies for network security

Summary
ITU-T Recommendation X.1036 establishes a set of network security policies that drive the security controls of a system or a service. It also specifies a framework for the creation, storage, distribution and enforcement of network security policies that can be applied to various network conditions and devices.

Source
ITU-T Recommendation X.1036 was approved on 13 November 2007 by ITU-T Study Group 17 (2005-2008) under the ITU-T Recommendation A.8 procedure.

FOREWORD
The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.
The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.
The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.
In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE – In this Recommendation, the expression "Administration" is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.
Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability), and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some other obligatory language such as "must" and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS
ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.
As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http://www.itu.int/ITU-T/ipr/.

© ITU 2008
All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.
CONTENTS
1 Scope
2 References
3 Terms and definitions
3.1 Terms defined elsewhere
3.2 Terms defined in this Recommendation
4 Abbreviations and acronyms
5 Conventions
6 Network security policy
6.1 Attack detection policy
6.2 Access control policy
6.3 Alert control policy
6.4 Traffic control policy
6.5 Routing control policy
7 Network security policy information model
7.1 Class definitions of NSPIM
7.2 The class hierarchy of NSPIM
7.3 Association and aggregation of NSPIM
7.4 Relation of classes
8 Network security policy framework
8.1 Creation of policies
8.2 Storage of policies
8.3 Distribution of policies
8.4 Enforcement of policies
8.5 An example of policy conversion and distribution
Bibliography

ITU-T Recommendation X.1036
Framework for creation, storage, distribution and enforcement of policies for network security

1 Scope
Most current security research has been devoted to the development of security systems such as intrusion detection systems (IDS) or firewalls. However, the systems currently available are generally not interoperable, because each has its own functionality and control mechanism. This is a considerable burden for operators who have to control one or more networks containing several security systems, so controlling different security systems effectively, or managing them in a unified manner, has become a pressing issue.
This Recommendation defines the network security policy information model (NSPIM), which extends the IETF policy core information model (PCIM) and its extension (PCIMe) to represent the policies used in a policy-based network security system.
NSPIM is put forward as a solution for controlling various network devices effectively. NSPIM delivers a consistent, unified and understandable view of a network without the implementation details, a benefit that grows as the network becomes more complex and offers more services. To model the interaction between network elements, services and clients of the network, a flexible and extensible information model for security policy is required for the design of each component of NSPIM. The management, signalling/control and user planes defined in ITU-T X.805 can be used to determine the controls needed to support a security policy.
The scope of this Recommendation covers the establishment of a set of security policies for protecting the network and the proposal of a network security policy framework that creates, stores, distributes and executes these network security policies. The network security policy information model is also introduced to represent the security policies used for intrusion detection and response in several modules of the network security system.

2 References
The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation.
[ITU-T X.800] ITU-T Recommendation X.800 (1991), Security architecture for Open Systems Interconnection for CCITT applications.
[ITU-T X.805] ITU-T Recommendation X.805 (2003), Security architecture for systems providing end-to-end communications.
[ITU-T X.810] ITU-T Recommendation X.810 (1995) | ISO/IEC 10181-1:1996, Information technology – Open Systems Interconnection – Security frameworks for open systems: Overview.
[ITU-T X.812] ITU-T Recommendation X.812 (1995) | ISO/IEC 10181-3:1996, Information technology – Open Systems Interconnection – Security frameworks for open systems: Access control framework.
[IETF RFC 3060] IETF RFC 3060 (2001), Policy Core Information Model – Version 1 Specification.
[IETF RFC 3460] IETF RFC 3460 (2003), Policy Core Information Model (PCIM) Extensions.

3 Terms and definitions
3.1 Terms defined elsewhere
This Recommendation uses the following terms defined elsewhere:
3.1.1 associations: [IETF RFC 3060]
3.1.2 aggregations: [IETF RFC 3060]

3.2 Terms defined in this Recommendation
This Recommendation defines the following terms:
3.2.1 action: An operation governed by a policy rule. An action is triggered when the rule that governs it evaluates to TRUE.
3.2.2 attack: An attack may be either a known attack or an unknown attack. A known attack is one whose attack pattern or packet has been disclosed. For an unknown attack the pattern or packet has not been disclosed; the term refers to behaviour associated with a worsening network condition.
3.2.3 condition: An expression of a condition type whose values are used to specify a constraint within a policy rule. A given condition can be negated using the NOT operator.
3.2.4 information model: An abstraction and representation of the entities in a managed environment, together with their properties, attributes and operations and the way they relate to each other. It is independent of any specific repository, application, protocol or platform.
3.2.5 policy: A policy defines one or more rules. Each rule binds one or more actions to sets of conditions describing by whom (users), for what (systems, applications) and under what circumstances (time, day of the week, date) the actions may be triggered.
3.2.6 policy conflict: A situation in which the actions of two rules contradict each other, so that the entity implementing the policy cannot determine which action to perform. To prevent this situation, implementers of policy systems must provide conflict detection and avoidance or resolution mechanisms.
3.2.7 role: A string characterizing a particular function of a network element or an interface, which can be used to identify particular behaviours associated with the element. It is a selector for policy rules that determines the applicability of a rule to a particular network element. Roles abstract the capabilities and/or use of network devices and resources.
3.2.8 rule: A policy component that binds an action to the conditions governing whether or not
the action is performed. When controlling network resources, the action is usually intended to provide a service. A simplified expression for a rule is: IF condition, THEN action.

4 Abbreviations and acronyms
This Recommendation uses the following abbreviations and acronyms:
CIM Common Information Model
COPS Common Open Policy Service
DMTF Distributed Management Task Force
ICMP Internet Control Message Protocol
IDS Intrusion Detection System
LDAP Lightweight Directory Access Protocol
NSPIM Network Security Policy Information Model
PBNM Policy-Based Network Management
PCIM Policy Core Information Model
PCIMe PCIM extension
PDU Policy Decision Unit
PEP Policy Enforcement Point
PES Policy Enforcement System
PIB Policy Information Base
PMU Policy Management Unit
PR Policy Repository

5 Conventions
None.

6 Network security policy
Network services and systems can be protected by monitoring for known attacks, blocking harmful packets and limiting traffic congestion. Security policies play an important role in enabling intrusion detection and automated response. Depending on its role, the network security policy is divided into five sub-policies, each of which is expressed as condition/action pairs. These policies can be generated by administrators or security managers and enforced by security agents. The condition attributes and actions of each type of policy are shown in Table 1.

Table 1 – Network security policies

Attack detection policy
  Condition attributes: packet header fields, packet payload fields
  Actions: Alert, Drop
Access control policy
  Condition attributes: source IP address, destination IP address, source port, destination port, protocol, direction, TCP 6 flags, ICMP type, ICMP code
  Actions: Permit, Deny
Alert control policy
  Condition attributes: source IP address, destination IP address, source port, destination port, protocol, attack ID
  Actions: Filtering, Sampling
Traffic control policy
  Condition attributes: source IP address, destination IP address, source port, destination port, protocol, direction
  Actions: Forward, Rate limit
Routing control policy
  Condition attributes: destination IP address
  Actions: Drop

The attack detection policy can be used to detect and mitigate known attacks. The access control policy, traffic control policy and routing control policy can be used to detect and mitigate unknown attacks.

6.1 Attack detection policy
In detecting known attacks, the attack detection policy can refer to the attack detection rules of intrusion detection systems. The monitoring device compares each packet with the pattern defined in the attack detection rule and then drops the packet and/or sends an alert to the policy server.

6.2 Access control policy
The access control policy decides on permission or denial of incoming packets at a firewall or a router according to the values of the packet header fields.

6.3 Alert control policy
The alert control policy controls the transmission of alerts from an IDS. It allows a policy enforcement system to send a sample of the alerts or to filter alerts.

6.4 Traffic control policy
The traffic control policy prescribes the control of excessive traffic in a router or a traffic control device. This policy limits network traffic and helps increase network perform
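The rule form of clause 3.2.8 (IF condition, THEN action) with NOT-negated conditions (clause 3.2.3), applied to the policy types, condition attributes and actions of Table 1, as an added Python example that is not part of this Recommendation; the event field names (src_ip, dst_port, attack_id, ...), the default decisions and the sample rule set are assumptions constructed for illustration:

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Condition:
    attribute: str          # a Table 1 condition attribute; field names are assumed, e.g. "dst_port"
    value: object           # a constant, a set of constants, or a CIDR prefix string
    negated: bool = False   # clause 3.2.3: a condition can be negated with NOT

    def holds(self, event: dict) -> bool:
        actual = event.get(self.attribute)
        if isinstance(self.value, set):
            result = actual in self.value
        elif isinstance(self.value, str) and "/" in self.value:   # address prefix match
            result = actual is not None and ipaddress.ip_address(actual) in ipaddress.ip_network(self.value)
        else:
            result = actual == self.value
        return (not result) if self.negated else result

@dataclass
class Rule:
    policy: str              # one of the five policy types of Table 1
    conditions: list         # all must hold (clause 3.2.8: IF condition, THEN action)
    action: str              # a Table 1 action for that policy type
    params: dict = field(default_factory=dict)   # e.g. the rate for "rate_limit"

def decide(rules, policy, event, default):
    """First rule of the given policy type whose conditions all hold wins; otherwise the default."""
    for rule in rules:
        if rule.policy == policy and all(c.holds(event) for c in rule.conditions):
            return rule.action, rule.params
    return default, {}

# Constructed rule set (assumption) covering four of the five policy types of Table 1.
RULES = [
    Rule("access_control", [Condition("direction", "in"), Condition("dst_port", {22, 3389})], "deny"),
    Rule("access_control", [Condition("direction", "in"), Condition("protocol", "icmp"),
                            Condition("icmp_type", 8, negated=True)], "permit"),
    Rule("alert_control", [Condition("attack_id", "A-100")], "sampling", {"one_in": 10}),
    Rule("traffic_control", [Condition("protocol", "udp"), Condition("src_ip", "10.0.0.0/8", negated=True)],
         "rate_limit", {"rate_kbps": 512}),
    Rule("routing_control", [Condition("dst_ip", "203.0.113.0/24")], "drop"),
]

def classify_packet(pkt: dict) -> dict:
    """Assumed defaults: access control denies, traffic and routing control forward."""
    access, _ = decide(RULES, "access_control", pkt, "deny")
    traffic, params = decide(RULES, "traffic_control", pkt, "forward")
    routing, _ = decide(RULES, "routing_control", pkt, "forward")
    return {"access": access, "traffic": traffic, "traffic_params": params, "routing": routing}
```

Each policy type is evaluated independently, so one packet can receive an access decision, a traffic decision and a routing decision, mirroring the separate sub-policies of Table 1.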