ITU-T X.1206 (2008) A vendor-neutral framework for automatic notification of security related information and dissemination of updates (Study Group 17)

Uploaded by: sumcourage256 Document ID: 804559 Upload date: 2019-02-04 Format: PDF Pages: 34 Size: 562.85KB
Resource description

International Telecommunication Union
ITU-T X.1206
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (04/2008)
SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
Telecommunication security

A vendor-neutral framework for automatic notification of security related information and dissemination of updates

Recommendation ITU-T X.1206

ITU-T X-SERIES RECOMMENDATIONS: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY

PUBLIC DATA NETWORKS
Services and facilities X.1-X.19
Interfaces X.20-X.49
Transmission, signalling and switching X.50-X.89
Network aspects X.90-X.149
Maintenance X.150-X.179
Administrative arrangements X.180-X.199

OPEN SYSTEMS INTERCONNECTION
Model and notation X.200-X.209
Service definitions X.210-X.219
Connection-mode protocol specifications X.220-X.229
Connectionless-mode protocol specifications X.230-X.239
PICS proformas X.240-X.259
Protocol Identification X.260-X.269
Security Protocols X.270-X.279
Layer Managed Objects X.280-X.289
Conformance testing X.290-X.299

INTERWORKING BETWEEN NETWORKS
General X.300-X.349
Satellite data transmission systems X.350-X.369
IP-based networks X.370-X.379

MESSAGE HANDLING SYSTEMS X.400-X.499
DIRECTORY X.500-X.599

OSI NETWORKING AND SYSTEM ASPECTS
Networking X.600-X.629
Efficiency X.630-X.639
Quality of service X.640-X.649
Naming, Addressing and Registration X.650-X.679
Abstract Syntax Notation One (ASN.1) X.680-X.699

OSI MANAGEMENT
Systems Management framework and architecture X.700-X.709
Management Communication Service and Protocol X.710-X.719
Structure of Management Information X.720-X.729
Management functions and ODMA functions X.730-X.799

SECURITY X.800-X.849

OSI APPLICATIONS
Commitment, Concurrency and Recovery X.850-X.859
Transaction processing X.860-X.879
Remote operations X.880-X.889
Generic applications of ASN.1 X.890-X.899

OPEN DISTRIBUTED PROCESSING X.900-X.999
TELECOMMUNICATION SECURITY X.1000-

For further details, please refer to the list of ITU-T Recommendations.

Rec. ITU-T X.1206 (04/2008)

Recommendation ITU-T X.1206
A vendor-neutral framework for automatic notification of security related information and dissemination of updates

Summary
Recommendation ITU-T X.1206 provides a framework for automatic notification of security related information and dissemination of updates. The key point of the framework is that it is a vendor-neutral framework. Once an Asset is registered, vulnerability information and patches or updates can be automatically made available to the users or directly to applications regarding the Asset.

Source
Recommendation ITU-T X.1206 was approved on 18 April 2008 by ITU-T Study Group 17 (2005-2008) under the WTSA Resolution 1 procedure.

FOREWORD
The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.

The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE: In this Recommendation, the expression "Administration" is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.

Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some other obligatory language such as "must" and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS
ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.

As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http://www.itu.int/ITU-T/ipr/.

(c) ITU 2009. All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

CONTENTS
1 Scope
2 References
3 Definitions
3.1 Terms defined in this Recommendation
4 Abbreviations
5 Conventions
6 Introduction
7 Current situation regarding vulnerability information
8 Overview of vendor-neutral framework
8.1 Multiple sources of vulnerability information, updates and patches
8.2 Example application operation
8.3 Security and privacy considerations
9 Recommendation architecture
9.1 Message core layer
9.2 Message/application layer
9.3 Scalability
9.4 Extensibility
9.5 Platform independence
9.6 Client/Server communication
10 Components of the framework
10.1 Message container
10.2 Version message
11 Schemas
11.1 Message_Core
11.2 Message_Version
Bibliography

Recommendation ITU-T X.1206
A vendor-neutral framework for automatic notification of security related information and dissemination of updates

1 Scope
This Recommendation provides a framework of bidirectional flow of automatic notification and distribution of vulnerability information as well as the distribution of updates and/or patches. In addition, this Recommendation makes it possible for system administrators to know the condition of any Asset within their realm of responsibility.

Clauses 6 and 7 describe the problems of maintaining Assets from an Asset identification point of view, as well as from information dissemination and systems/networks management points of view. Clause 8 describes the overview of the vendor-neutral framework, which includes an example system supported by the adoption of the framework, the components of the framework and an exemplary sequence of exchanges within the framework. Clause 8 also describes the security that should be considered in the vendor-neutral framework. Clause 9 describes the functionalities and features of this Recommendation. Clause 10 provides the definitions of the data structures of the components of this Recommendation. Clause 11 contains the XML schema defined and described in clause 10.

This Recommendation provides a framework that any vendor can use for notification, as well as for the receiving of vulnerability information and dissemination of required patches/updates for covered Assets, and defines the format of the information that should be used in and between components implementing this framework. This Recommendation does not define protocols to be used in the communication between components, as many protocols are supported without special consideration. Some common roles and responsibilities will need to be established for operation based on the vendor-neutral framework; however, a discussion regarding the establishment and operation of possible roles and their resulting responsibilities is not within the scope of this Recommendation.

2 References
None.

3 Definitions

3.1 Terms defined in this Recommendation
This Recommendation defines the following terms:

3.1.1 agent: An implementation of this Recommendation operating in support of an installed asset on a given device, in support of server functionality or in support of local server functionality.

3.1.2 asset: A device, separately identifiable piece of hardware, application, operating system or instance of executable code.

3.1.3 client: A device which requests services from another device.

3.1.4 device: A system acting as either a client, a server, or both (a local server).

3.1.5 group: A number of devices operated on as a single unit.

3.1.6 local server: A client acting as a server node for additional downstream clients.

3.1.7 message: A request for a specific action to be performed, e.g., general actions such as "Register" an asset as being of a given version and/or contained components of given versions, "Request" existing or future available updates, patches or vulnerability information, etc. Messages extending the functionality of this Recommendation may be defined outside the scope of this Recommendation.

3.1.8 message data: Information provided in support of a given message. Among an almost infinite number of possibilities, specific examples defined in this Recommendation are data defining version information, vulnerability information pertaining to given versions as well as updates or patches for specific versions.

3.1.9 message set: A combination and association of a universally unique identifier, a message and the definition of the message's associated message data, all defined within an XML schema derived from and extending Message_Core defined herein.

3.1.10 patch: A broadly released fix for a product-specific, security-related vulnerability. A method of updating a file that replaces only the parts being changed, rather than the entire file.

3.1.11 server: A device used to service requests from other devices.

3.1.12 vulnerability: Any weakness, administrative process or act, or physical exposure that makes a computer or network of computers susceptible to exploit by a threat.

4 Abbreviations
This Recommendation uses the following abbreviations and acronyms:
API Application Programming Interface
GUID Globally Unique IDentifier
HTTP HyperText Transfer Protocol
ISIRT Information Security Incident Response Team
ISP Internet Service Provider
OS Operating System
POAS Platform/Operating System/Application/Service
URI Uniform Resource Identifier

5 Conventions
None.

6 Introduction
As more people begin to use computers in their homes and workplaces, and fewer have any kind of official training in the operation of their computers, let alone in security-related issues, one quickly approaches the point where security not only becomes almost impossible to maintain, but it also becomes more difficult for those responsible for maintaining security at a system level to know much about the condition of the systems they are responsible for and provide services to, until some breach or accident occurs, by which time it is already too late. That is primarily due to the fact that so many different computers are in different states of maintenance and update. Where security-related issues are concerned, system management is much less of a preventative process than a disaster management and recovery process.

Although a number of applications and even operating systems (OS) have their own update mechanisms, they all have a number of problems in common. One such problem is that all the update mechanisms rely on being enabled, in the first place, and, in the second, on being allowed to do their job when the user is notified of an update being available, assuming that the user has enabled the notifications. Likely worst of all, though, is that these problems leave system administrators totally out of the picture, so that without installing their own monitoring systems on each computer under their responsibility, they have no idea as to the general level of security within the networks and systems they are responsible for.

Another consideration is that, even while updating software to the latest available, it is often the case that updates alone are not the solution, but rather improved usage practices, for which no update, other than the information being received by the end user, is of use. Even though various applications and OSs may have updating mechanisms in place, none of them has a uniform method of keeping users informed of the latest best practices leading to continued secure use.

Also of importance are the methods used to distribute updates. Currently, all updates through the various update mechanisms source the updates through dedicated channels, one for each update session. But where updates, or other important information made available to various redistribution centers, e.g., ISPs or corporate networks, are subsequently distributed within the networks in a trusted and secure manner, the bandwidth required for distribution could effectively be cut in half, or at least reduced to a great extent, just as in the case of hypertext transfer protocol (HTTP) proxies.

Another concern that is mismanaged in most cases is where users themselves find a problem regarding the use or actions of a given asset, without having anyone to refer the problem to. Even if some method is in place for users to contact system administrators or other support personnel, using such a system ends up more like a game of "20 questions" where the user and support person must go back and forth asking for information and replying, usually, with more questions. It is often difficult for even an experienced support person to have a clear understanding of what exactly comprises many assets. Due to modular software architectures, and various pieces of software actually comprising modules from different vendors, all with their own versioning systems, even if an update or relevant piece of information about a given product or sub-module is made available, knowing to what and to whom it applies can be a difficult task, often leading the less informed to ignore much of what their systems may rely on for security. In the end, one ends up with users being uninformed and those responsible for system-wide security being essentially left out of the loop.

7 Current situation regarding vulnerability information
Vulnerability information is presently released by many vendors and many security-related organizations, such as the Information Security Incident Response Team (ISIRT), in an effort to make users aware of security-related issues as well as to provide updates and patches, when required. However, it is often the case that end users neither make use of the information, updates or patches, nor even know if whatever is provided applies to them. There are various reasons for this situation, but first one
