International Telecommunication Union
ITU-T X.1542 (09/2016)
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
Cybersecurity information exchange
Event/incident/heuristics exchange
Session information message exchange format
Recommendation ITU-T X.1542

Recommendation ITU-T X.1542
Session information message exchange format

Summary
In today's environment, computer networks are vulnerable to threats from both inside and outside an organization. Firewall systems log session information about selected incoming and outgoing transmission control protocol/Internet protocol (TCP/IP) connections. However, the systems currently available are generally not interoperable, because each system has its own special functionality, control mechanisms and session log formats. The need most security administrators face today is to maintain a consistent session information exchange format across diverse firewall systems and even across varied infrastructures. Recommendation ITU-T X.1542 describes an information model for the session information message exchange format
(SIMEF) and provides an associated data model specified with an extensible markup language (XML) schema. The SIMEF defines a data model representation for sharing transport layer session log information of interest to centralized network security management systems and security information exchange systems. The specification of any transport protocol is beyond the scope of this Recommendation.

History
Edition | Recommendation | Approval | Study Group | Unique ID*
1.0 | ITU-T X.1542 | 2016-09-07 | 17 | 11.1002/1000/12852

Keywords
Data model, message exchange, network security, session information.

* To access the Recommendation, type the URL http://handle.itu.int/ in the address field of your web browser, followed by the Recommendation's unique ID. For example, http://handle.itu.int/11.1002/1000/11830-en.

FOREWORD
The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.
The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.
The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.
In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.
NOTE: In this Recommendation, the expression “Administration” is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.
Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall” or some other obligatory language such as “must” and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS
ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.
As of the date of approval of this Recommendation, ITU had received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers
are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http://www.itu.int/ITU-T/ipr/.

© ITU 2016
All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

Table of Contents
1 Scope
2 References
3 Definitions
3.1 Terms defined elsewhere
3.2 Terms defined in this Recommendation
4 Abbreviations and acronyms
5 Conventions
6 Overview
7 Representation and definition
7.1 SIMEF XML document
7.2 SIMEF data types
8 The SIMEF data model
8.1 Data model overview
8.2 The message classes
9 Security consideration
Appendix I SIMEF example and schema
I.1 SIMEF Schema
I.2 SIMEF examples
Bibliography

Recommendation ITU-T X.1542
Session information message exchange format

1 Scope
This Recommendation describes the session information message exchange format (SIMEF), a data model to represent session information exported by security systems such as firewalls, and explains the rationale for using this model. An implementation of the data model in the extensible markup language (XML) is presented, an XML document type definition (DTD) is developed, and examples are provided.

2 References
None.

3 Definitions
3.1 Terms defined elsewhere
None.

3.2 Terms defined in this Recommendation
This Recommendation defines the following terms:

3.2.1 analyser: A network security system that detects attacks by analysing incoming and outgoing session information. It also generates session logs and sends them to the security management systems.

3.2.2 session information: Information describing the transmission control protocol/user datagram protocol (TCP/UDP) session, the application service and the session entities as viewed by session information providers. A session is defined as the set of traffic that is managed as a unit for translation. TCP/UDP sessions are uniquely identified by the tuple (source IP address, source TCP/UDP port, target IP address, target TCP/UDP port).
NOTE: This definition is based on [b-IETF RFC 2663].

4 Abbreviations and acronyms
This Recommendation uses the following abbreviations and acronyms:
BSD Berkeley Software Distribution
CGI Common Gateway Interface
DTD Document Type Definition
FTP File Transfer Protocol
HTTP Hypertext Transfer Protocol
IP Internet Protocol
LAN Local Area Network
MAC Media Access Control
NAT Network Address Translation
NTP Network Time Protocol
POSIX Portable Operating System Interface
SIMEF Session Information Message Exchange Format
SNA Shared Network Architecture
SNMP Simple Network Management Protocol
TCP Transmission Control Protocol
UDP User Datagram Protocol
UML Unified Modelling Language
URL Uniform Resource Locator
UTF Universal character set Transformation Format
VPN Virtual Private Network
XML eXtensible Markup Language

5 Conventions
UNIX is a registered trademark of The Open Group. POSIX is a registered trademark of the IEEE.

6 Overview
In today's network environment, computer networks are vulnerable to threats from both inside and outside an organization. Therefore, most network security research has been devoted to the
development of integrated network security management systems and network monitoring utilities that allow an organization to capture the TCP/IP packets that pass through its network devices, and to view the captured data as sequences of conversations between clients and servers. For example, firewall systems log session information about selected incoming and outgoing TCP/IP connections. The concept of SIMEF is shown in Figure 1. The session information can be collected from firewall systems, network address translation (NAT) devices, and so on. SIMEF specifies a data model that covers the client/server network connection, the end user device and the application service. The SIMEF defines a data model and related message classes for sharing the transport layer session information of interest to security management systems and information sharing systems. It can also be applied to intrusion information exchange systems.

Figure 1 - The concept of SIMEF

7 Representation and definition
This Recommendation uses three notations: unified modelling language (UML) to describe the data model, XML to describe the markup used in SIMEF documents, and SIMEF markup to represent the documents themselves.

7.1 SIMEF XML document
This clause describes the SIMEF XML document formatting rules. Most of these rules are “inherited” from those for formatting XML documents. The format of an SIMEF XML document prolog is described in clauses 7.1.1 and 7.1.2.

7.1.1 XML declaration
SIMEF documents being exchanged between SIMEF-compliant applications shall begin with an XML declaration and shall specify the XML version in use. Specification of the encoding in use is recommended. An SIMEF message should therefore start with:

SIMEF-compliant applications may choose to omit the XML declaration internally to conserve space, adding it only when the message is sent to another destination (e.g., a web browser). This practice is not recommended unless it can be accomplished without loss of each message's version and encoding information. Implementers may decide, therefore, to have analysers and managers agree out-of-band on the particular document type definition (DTD) they will be using to exchange messages (the standard one as defined here or one with extensions), and then omit the DTD from SIMEF messages. The method for negotiating this agreement is outside the scope of this Recommendation.
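The following is an added example of a receiver-side prolog check for an SIMEF message, written for this page and not code from the Recommendation. It enforces the rules of clause 7.1.1 (a declaration must be present and must state the version; stating the encoding is recommended) together with the rules of clause 7.1.2 (only UTF-8 and UTF-16 are portable; UTF-8 is assumed when no encoding is declared). The sample messages and the root element name SIMEF-Message are constructed placeholders, since the schema of Appendix I is not reproduced here.

```python
"""Checks on the prolog of an SIMEF XML message (clauses 7.1.1 and 7.1.2):
the message shall begin with an XML declaration that states the XML version,
should state the encoding, should use only UTF-8 or UTF-16, and is read as
UTF-8 when no encoding is declared. Added example, not code from the
Recommendation; the sample messages and the root element name are constructed."""
import codecs
import re
from xml.etree import ElementTree as ET

PORTABLE_ENCODINGS = {"utf-8", "utf-16"}

# An XML declaration at the very start of the document: version is mandatory,
# encoding and standalone are optional (XML 1.0 prolog syntax).
_DECL_RE = re.compile(
    r'^<\?xml\s+version="(?P<version>[^"]+)"'
    r'(?:\s+encoding="(?P<encoding>[^"]+)")?'
    r'(?:\s+standalone="(?:yes|no)")?\s*\?>'
)


def sniff_prolog_encoding(raw: bytes) -> str:
    """Encoding used to read the declaration itself: a UTF-16 byte order mark
    means 2-byte code units; anything else is read as UTF-8, which covers the
    ASCII-only declaration of a UTF-8 document."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return "utf-16"
    return "utf-8"


def check_prolog(raw: bytes) -> dict:
    """Return a verdict on the message prolog without parsing the whole body."""
    text = raw.decode(sniff_prolog_encoding(raw), errors="replace").lstrip("\ufeff")
    m = _DECL_RE.match(text)
    if m is None:
        return {"ok": False, "reason": "message does not begin with an XML declaration"}
    declared = m.group("encoding")
    encoding = declared if declared is not None else "UTF-8"   # clause 7.1.2 default
    if encoding.lower() not in PORTABLE_ENCODINGS:
        return {"ok": False, "reason": f"non-portable encoding {encoding!r}",
                "version": m.group("version")}
    return {"ok": True, "version": m.group("version"), "encoding": encoding,
            "encoding_declared": declared is not None}


def root_tag(raw: bytes) -> str:
    """Parse the message (the XML parser honours the declared encoding / BOM)
    and return the name of its root element."""
    return ET.fromstring(raw).tag


# Constructed sample messages; SIMEF-Message is a placeholder root element.
GOOD_UTF8 = b'<?xml version="1.0" encoding="UTF-8"?>\n<SIMEF-Message version="1.0"/>'
NO_ENCODING = b'<?xml version="1.0"?>\n<SIMEF-Message version="1.0"/>'
GOOD_UTF16 = '<?xml version="1.0" encoding="UTF-16"?>\n<SIMEF-Message version="1.0"/>'.encode("utf-16")
LATIN1 = b'<?xml version="1.0" encoding="ISO-8859-1"?>\n<SIMEF-Message version="1.0"/>'
NO_DECL = b'<SIMEF-Message version="1.0"/>'

if __name__ == "__main__":
    for name, msg in [("utf-8", GOOD_UTF8), ("no encoding", NO_ENCODING),
                      ("utf-16", GOOD_UTF16), ("latin-1", LATIN1), ("no declaration", NO_DECL)]:
        print(f"{name:15} {check_prolog(msg)}")
```

The check deliberately reads only the declaration before handing the bytes to the XML parser, so a message in a non-portable encoding or without a declaration is rejected with a specific reason rather than failing somewhere inside the parse.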
7.1.2 Character data processing in SIMEF
For portability reasons, SIMEF-compliant applications should not use, and SIMEF messages should not be encoded in, character encodings other than UTF-8 and UTF-16. Consistent with the XML standard, if no encoding is specified for an SIMEF message, UTF-8 is assumed.

7.1.2.1 Character entity references
It is recommended that SIMEF-compliant applications use the entity reference form of the characters in general. This can be done by specifying the “xml:lang” attribute for the top-level element and letting all other elements “inherit” that definition.

7.2 SIMEF data types
Within an XML SIMEF message, all data shall be expressed as text, since XML is a text-formatting language. This clause provides typing information for the attributes of the classes in the data model. Each data type in the model has specific formatting requirements in an XML SIMEF message; these requirements are set forth in this clause.

7.2.1 Integers
Integer attributes are represented by the INTEGER data type. Integer data shall be encoded in base 10 or base 16. Base 10 integer encoding uses the digits 0 to 9 and an optional sign (+ or -). For example, “123”, “456”. Base 16 integer encoding uses the digits 0 to 9 and a to f (or their uppercase equivalents), and is preceded by the characters “0x”. For example, “0x1a2b”.

7.2.2 Real numbers
Real (floating-point) attributes are represented by the REAL data type. Real data shall be encoded in base 10. Real encoding is that of the Portable Operating System Interface (POSIX) 1003.1 [b-IEEE 1003.1] “strtod” library function: an optional sign (+ or -) followed by a non-empty string of decimal digits, optionally containing a radix character, then an optional exponent part. An exponent part consists of an e or E, followed by an optional sign, followed by one or more decimal digits. For example, “123.45e02”, “567,89e03”. SIMEF-compliant applications shall support both the “.” and “,” radix characters.

7.2.3 Characters and strings
Single character attributes are represented by the CHARACTER data type. Multi-character attributes of known length are represented by the STRING data type. Character and string data have no special formatting requirements, other than the need to occasionally use character references to represent special characters.

7.2.3.1 Character entity references
Within XML documents, certain characters have special meanings in some contexts. To include the actual character itself in one of these contexts, a special escape sequence, called an entity reference, shall be used. The characters that sometimes need to be escaped and their entity references are:
Character | Entity reference

7.2.3.2 Character code references
Any character defined by the [b-ISO/IEC 10646] and Unicode standards may be included in an XML document by the use of a character reference. A character reference is started with the characters “&#” and terminated with the character “;”. Between these characters, the character code for the character is inserted. If the character code is preceded by an x, it is interpreted in hexadecimal (base 16); otherwise, it is interpreted in decimal (base 10). For instance, the ampersand (
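The following is an added example, written for this page and not code from the Recommendation, that implements the formatting rules of clauses 7.2.1 to 7.2.3 as validating parsers: INTEGER values in base 10 or 0x-prefixed base 16, REAL values in the strtod form with either “.” or “,” as radix character, and entity and character references in character and string data. The five named entity references used here come from the XML 1.0 specification, since the table of clause 7.2.3.1 did not survive in this copy; the sample element, its attribute names and the type mapping are constructed placeholders, not names from the SIMEF schema.

```python
"""Encoding and decoding of the SIMEF data types described in clause 7.2:
INTEGER (base 10, or base 16 with a 0x prefix), REAL (strtod-style, with
either '.' or ',' as the radix character) and the entity/character references
used in character and string data. Added example, not code from the
Recommendation; element and attribute names below are constructed."""
import re
from xml.etree import ElementTree as ET

# Clause 7.2.1: optional sign, then decimal digits or 0x-prefixed hex digits.
_INT_RE = re.compile(r'^[+-]?(?:0[xX][0-9a-fA-F]+|[0-9]+)$')
# Clause 7.2.2: optional sign, digits with an optional radix ('.' or ','),
# then an optional exponent (e/E, optional sign, one or more digits).
_REAL_RE = re.compile(r'^[+-]?(?:[0-9]+(?:[.,][0-9]*)?|[.,][0-9]+)(?:[eE][+-]?[0-9]+)?$')
# Clause 7.2.3: a reference is either named (&name;) or numeric (&#10; / &#x0A;).
_REF_RE = re.compile(r'&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);')

# The five entity references predefined by XML 1.0. The page's own table of
# escaped characters is not reproduced here, so this list is taken from the
# XML specification, not from the Recommendation.
NAMED_ENTITIES = {"amp": "&", "lt": "<", "gt": ">", "quot": '"', "apos": "'"}
_ESCAPE = {char: f"&{name};" for name, char in NAMED_ENTITIES.items()}


def parse_integer(text: str) -> int:
    if not _INT_RE.match(text):
        raise ValueError(f"not a SIMEF INTEGER: {text!r}")
    # int() accepts the sign and the 0x prefix when the base is given explicitly.
    return int(text, 16) if "x" in text.lower() else int(text, 10)


def parse_real(text: str) -> float:
    if not _REAL_RE.match(text):
        raise ValueError(f"not a SIMEF REAL: {text!r}")
    return float(text.replace(",", "."))   # both radix characters are accepted


def decode_references(text: str) -> str:
    """Replace entity and character references with the characters they denote."""
    def repl(m: re.Match) -> str:
        body = m.group(1)
        if body[:2].lower() == "#x":
            return chr(int(body[2:], 16))     # hexadecimal character reference
        if body.startswith("#"):
            return chr(int(body[1:], 10))     # decimal character reference
        if body in NAMED_ENTITIES:
            return NAMED_ENTITIES[body]
        raise ValueError(f"unknown entity reference &{body};")
    return _REF_RE.sub(repl, text)


def encode_references(text: str) -> str:
    """Escape the characters that carry special meaning in XML."""
    return "".join(_ESCAPE.get(ch, ch) for ch in text)


def is_valid(datatype: str, text: str) -> bool:
    """True when `text` is well-formed for the given SIMEF data type name."""
    try:
        PARSERS[datatype](text)
        return True
    except (ValueError, KeyError):
        return False


PARSERS = {"INTEGER": parse_integer, "REAL": parse_real, "STRING": str, "CHARACTER": str}


def typed_attributes(xml_text: str, types: dict) -> dict:
    """Parse one element and convert its attributes according to `types`
    (a mapping attribute name -> SIMEF data type name). The XML parser has
    already resolved entity and character references in attribute values."""
    elem = ET.fromstring(xml_text)
    out = {}
    for name, datatype in types.items():
        raw = elem.get(name)
        if raw is None:
            raise ValueError(f"missing attribute {name!r}")
        value = PARSERS[datatype](raw)
        if datatype == "CHARACTER" and len(value) != 1:
            raise ValueError(f"{name}: CHARACTER must be exactly one character")
        out[name] = value
    return out


# Constructed sample element; the names are placeholders, not SIMEF schema names.
SAMPLE = ('<Session bytes="0x1a2b" duration="567,89e03" count="-123" '
          'flag="&#x41;" note="a &lt; b &amp; c"/>')
SAMPLE_TYPES = {"bytes": "INTEGER", "duration": "REAL", "count": "INTEGER",
                "flag": "CHARACTER", "note": "STRING"}

if __name__ == "__main__":
    print(typed_attributes(SAMPLE, SAMPLE_TYPES))
```

Validation with the regular expressions happens before conversion so that a value such as “1e3” (valid as a REAL, not as an INTEGER) or “0x10” (valid as an INTEGER, not as a REAL) is rejected rather than silently coerced by the language's own number parsing.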