SOURCE ITUT TITLE ITUT Security Standardization AGENDA ITEM

  • Slides: 113
Download presentation
SOURCE: ITU-T TITLE: ITU-T Security Standardization AGENDA ITEM: GTSC, agenda item 5. 5 CONTACT:

SOURCE: ITU-T TITLE: ITU-T Security Standardization AGENDA ITEM: GTSC, agenda item 5. 5 CONTACT: Herb Bertine, hbertine@lucent. com GSC 11(06)_GTSC_07 Telecommunication Security Herbert Bertine Chairman, ITU-T SG 17

High Level Security Drivers • ITU Plenipotentiary Conference (PP-02) ØIntensify efforts on security •

High Level Security Drivers • ITU Plenipotentiary Conference (PP-02) ØIntensify efforts on security • World Telecommunications Standardization Assembly (WTSA-04) ØSecurity robustness of protocols ØCombating/Countering spam • World Summit on the Information Society (WSIS-05) ØCyber security GSC: Standardization Advancing Global Communications

ITU-T Study Groups ITU-T work is divided up between Study Groups (SGs). • SG

ITU-T Study Groups ITU-T work is divided up between Study Groups (SGs). • SG 2: Operational aspects of service provision, networks and performance • SG 4: Telecommunication management • SG 5: Protection against electromagnetic environment effects • SG 6 Outside Plant and related indoor installations • SG 9 Integrated broadband cable networks and television and sound transmission • SG 11 Signaling requirements and protocols • SG 12 Performance and quality of service • SG 13 Next Generation Networks • SG 15: Optical and other transport networks • SG 16: Multimedia services, systems and terminals • SG 17: Security, languages and telecommunication software* • SG 19: Mobile Telecommunications Networks *SG 17 is the Lead Study Group on telecommunication security. GSC: Standardization Advancing Global Communications

Overview of ITU-T Security Standardization Collaboration is key factor GSC: Standardization Advancing Global Communications

Overview of ITU-T Security Standardization Collaboration is key factor GSC: Standardization Advancing Global Communications

WP 2/17 Security Questions (2005 -2008) Telecom Systems Users Telecom Systems Q 7/17 Security

WP 2/17 Security Questions (2005 -2008) Telecom Systems Users Telecom Systems Q 7/17 Security Management *ISM Guideline for Telecom *Incident Management *Risk Assessment Methodology *etc… *X. 1051 Q 4/17 Telebiometrics *Multimodal Model Fwk *System Mechanism *Protection Procedure *X. 1081 Secure Communication Services *Mobile Secure Communications *Home Network Security *Security Web Services Q 9/17 *X. 1121, X. 1122 Cyber Security Q 6/17 *Overview of Cyber-security *Vulnerability Information Sharing * Incident Handling Operations Countering spam Q 17/17 *Technical anti-spam measures Q 8/17 Q 5/17 Security Architecture & Framework *Architecture, Model, Concepts, Frameworks, *etc… *X. 800 series *X. 805 New Communications System Security *Vision, Coordination, Roadmap, Compendia… GSC: Standardization Advancing Global Communications

Highlights of what’s new since GSC-10 § Two new ITU-T Questions: – Q. 15/13,

Highlights of what’s new since GSC-10 § Two new ITU-T Questions: – Q. 15/13, NGN security – Q. 17/17, Countering spam by technical means § 38 security Recommendations are under development in Study Group 17 § Other SGs are developing security Recommendations for specific technologies – for example 5 on NGN security § Focus Group on Security Baseline For Network Operators § New Horizons for Security Standardization Workshop § Security standards roadmap § Cybersecurity web portal GSC: Standardization Advancing Global Communications

Q. 15/13 – NGN Security Recognizing that security is one of the defining features

Q. 15/13 – NGN Security Recognizing that security is one of the defining features of NGN, it is essential to put in place a set of standards that will guarantee, to the maximum degree possible, the security of the telecommunications infrastructure as PSTNs evolve to NGNs. The NGN Security studies must address and develop network architectures that: - Provide for maximal network and end-user resource protection Allow for highly-distributed intelligence end-to-end Allow for co-existence of multiple networking technologies Provide for end-to-end security mechanisms Provide for security solutions that apply over multiple administrative domains GSC: Standardization Advancing Global Communications

Q. 17/17 – Combating spam by technical means Spam has become a widespread problem

Q. 17/17 – Combating spam by technical means Spam has become a widespread problem causing a complex range of problems to users, service providers, and network operators around the globe. While spam was originally used to send unsolicited commercial messages, increasingly spam messages are being used to spread viruses, worms, and other malicious code that negatively impact the security and stability of the global telecommunication network. Spam may include the delivery of phishing and spyware. It is a global problem that requires a multifaceted, comprehensive approach. Study items to be considered include, but are not limited to: - What risks does spam pose to the telecommunication network? - What technical factors associated with the telecommunication network contribute to the difficulty of identifying the sources of spam? - How can new technologies lead to opportunities to counter spam and enhance the security of the telecommunication network? - Do advanced telecommunication network technologies (for example, SMS, instant messaging, Vo. IP) offer unique opportunities for spam that require unique solutions? - What technical work is already being undertaken within the IETF, in other fora, and by private sector entities to address the problem of spam? - What telecommunication network standardization work, if any, is needed to effectively counter spam as it relates to the stability and robustness of the telecommunication network? GSC: Standardization Advancing Global Communications

SG 17 Security Recommendations under development (1/3) ü Summaries of all Study Group 17

SG 17 Security Recommendations under development (1/3) ü Summaries of all Study Group 17 Recommendations under development are available on the Study Group 17 web page at: www. itu. int/itu-t/studygroups/com 17 Communications Systems Security Project X. sbno, Security baseline for network operators Security Architecture and Framework X. 805+, Division of the security features between the network and the users X. 805 nsa, Network security certification based on ITU-T Recommendation X. 805 X. ngn-akm, Framework for authentication and key management for link layer security of NGN X. pak, Password-authenticated key exchange (PAK) X. spn, Framework for creation, storage, distribution and enforcement of security policies for networks GSC: Standardization Advancing Global Communications

SG 17 Security Recommendations under development (2/3) Cyber Security X. cso, Overview of cybersecurity

SG 17 Security Recommendations under development (2/3) Cyber Security X. cso, Overview of cybersecurity X. sds, Guidelines for Internet Service Providers and End-users for Addressing the Risk of Spyware and Deceptive Software X. cvlm, Guidelines on Cybersecurity Vulnerability Life-cycle Management X. vds, A vendor-neutral framework for automatic checking of the presence of vulnerabilities information update Security Management X. 1051 (R), Information security management guidelines for telecommunications based on ISO/IEC 27002 X. rmg, Risk management guidelines for telecommunications X. sim, Security incident management guidelines for telecommunications Telebiometrics X. bip, Bio. API interworking protocol X. physiol, Telebiometrics related to human physiology X. tai, Telebiometrics authentication infrastructure X. tpp-1, A guideline of technical and managerial countermeasures for biometric data security X. tpp-2, A guideline for secure and efficient transmission of multi-modal biometric data X. tsm-1, General biometric authentication protocol and profile on telecommunication systems X. tsm-2, Profile of telecomunication device for Telebiometrics System Mechanism (TSM) GSC: Standardization Advancing Global Communications

SG 17 Security Recommendations under development (2/3) Secure Communication Services X. crs, Correlative reacting

SG 17 Security Recommendations under development (2/3) Secure Communication Services X. crs, Correlative reacting system in mobile network X. homesec-1, Framework of security technologies for home network X. homesec-2, Certificate profile for the device in the home network X. homesec-3, User authentication mechanisms for home network service X. msec-3, General security value added service (policy) for mobile data communication X. msec-4, Authentication architecture in mobile end-to-end data communication X. p 2 p-1, Requirements of security for peer-to-peer and peer-to-multi peer communications X. p 2 p-2, Security architecture and protocols for peer to peer network X. sap-1, Guideline on secure password-based authentication protocol with key exchange X. sap-2, Secure communication using TTP service X. websec-1, Security Assertion Markup Language (SAML) – X. 1141 now in AAP Last Call X. websec-2, e. Xtensible Access Control Markup Language (XACML) – X. 1142 now in AAP Last Call X. websec-3, Security architecture for message security in mobile web services Countering spam by technical means X. csreq, Requirement on countering spam X. fcs, Technical framework for countering email spam X. gcs, Guideline on countering email spam X. ocsip, Overview of countering spam for IP multimedia application X. tcs, Technical means for countering spam GSC: Standardization Advancing Global Communications

SG 13 Security Recommendations under development NGN Security • Security Requirements for NGN Release

SG 13 Security Recommendations under development NGN Security • Security Requirements for NGN Release 1* • Guidelines for NGN Security Release 1* • Authentication requirements for NGN Release 1 • AAA Service for Network Access to NGN • Security considerations for Pseudowire (PWE) technology * Continuation of the work originated in the ITU-T Focus Group on NGN GSC: Standardization Advancing Global Communications

Focus Group: Security Baseline for Network Operators • Established October 2005 by SG 17

Focus Group: Security Baseline for Network Operators • Established October 2005 by SG 17 • Objectives: – Define a security baseline against which network operators can assess their network and information security posture in terms of what security standards are available, which of these standards should be used to meet particular requirements, when they should be used, and how they should be applied – Describe a network operator’s readiness and ability to collaborate with other entities (operators, users and law enforcement authorities) to counteract information security threats – Provide meaningful criteria that can be used by network operators against which other network operators can be assessed, if required. • Next Step – Survey network operators by means of a questionnaire GSC: Standardization Advancing Global Communications

New Horizons for Security Standardization Workshop • Workshop held in Geneva 3 -4 October

New Horizons for Security Standardization Workshop • Workshop held in Geneva 3 -4 October 2005 • Objectives – – – Provide an overview of key international security standardization activities; Seek to identify primary security concerns and issues; Determine which issues are amenable to a standards-based solution; Identify which SDOs are best equipped to do so; and Consider how SDOs can collaborate to improve the timeliness and effectiveness of security standards and avoid duplication of effort. • Results reported under following topics: – – – – – What are the crucial problems in ICT security standardization? Meta issues and need for a global framework; Standards Requirements and Priorities; Liaison and information sharing; User issues; Technology and threat issues; Focus for future standardization work; Process issues; Follow-on issues • Report available at www. itu. int/ITU-T/worksem/security/200510/index. html GSC: Standardization Advancing Global Communications

ICT Security Standards Roadmap • Four Part Roadmap – Part 1 contains information about

ICT Security Standards Roadmap • Four Part Roadmap – Part 1 contains information about organizations working on ICT security standards – Part 2 is a database of existing security standards • Presently includes ITU-T, ISO/IEC JTC 1 and IETF standards • Will be expanded to include other standards – Part 3 will be a list of standards in development – Part 4 will identify future needs and proposed new standards • Publicly available under Special Projects and Issues at: – www. itu. int/ITU-T/studygroups/com 17/index • We invite you to use the Roadmap, provide feedback and help us develop it to meet your needs GSC: Standardization Advancing Global Communications

The ITU Global Cybersecurity Gateway LIVE at: http: //www. itu. int/cybersecurity Provides an easy-to-use

The ITU Global Cybersecurity Gateway LIVE at: http: //www. itu. int/cybersecurity Provides an easy-to-use information resource on national, regional and international cybersecurity-related activities and initiatives worldwide. GSC: Standardization Advancing Global Communications

Structure of the Cybersecurity Gateway § The portal is geared towards four specific audiences:

Structure of the Cybersecurity Gateway § The portal is geared towards four specific audiences: “Citizens”; “Businesses”; “Governments”, “International Organizations” § Database information collected within five main themes: 1. Information sharing of national approaches, good practices and guidelines; 2. Developing watch, warning and incident response capabilities; 3. Technical standards and industry solutions; 4. Harmonizing national legal approaches and international legal coordination and enforcement; 5. Privacy, data and consumer protection. § Additional information resources on the following topics: spam, spyware, phishing, scams and frauds, worms and viruses, denial of service attacks, etc. GSC: Standardization Advancing Global Communications

GSC: Standardization Advancing Global Communications

GSC: Standardization Advancing Global Communications

Some useful web resources • ITU-T Home page www. itu. int/itu-t • Study Group

Some useful web resources • ITU-T Home page www. itu. int/itu-t • Study Group 17 www. itu. int/itu-t/studygroups/com 17 • LSG on Security http: //www. itu. int/ITU-T/studygroups/com 17/tel-security. html e-mail: tsbsg 17@itu. int • Recommendations www. itu. int/ITU-T/publications/recs. html • ITU-T Lighthouse www. itu. int/ITU-T/lighthouse • ITU-T Workshops www. itu. int/ITU-T/worksem • Security Roadmap http: //www. itu. int/ITU-T/studygroups/com 17/ict/index. html • Cybersecurity Portal http: //www. itu. int/cybersecurity GSC: Standardization Advancing Global Communications

Closing Observations ü Security is everybody's business ü Collaboration with other SDOs is necessary

Closing Observations ü Security is everybody's business ü Collaboration with other SDOs is necessary ü Security needs to be designed in upfront ü Security must be an ongoing effort ü Systematically addressing vulnerabilities (intrinsic properties of networks/systems) is key so that protection can be provided independent of what the threats (which are constantly changing and may be unknown) may be —X. 805 is helpful here GSC: Standardization Advancing Global Communications

Additional details on security work in ITU-T Study Groups: - Study Group 17 -

Additional details on security work in ITU-T Study Groups: - Study Group 17 - Study Group 4 - Study Group 9 - Study Group 13 - Study Group 16 - Study Group 19 GSC: Standardization Advancing Global Communications

ITU-T SG 17 Work on Security GSC: Standardization Advancing Global Communications

ITU-T SG 17 Work on Security GSC: Standardization Advancing Global Communications

Study Group 17: Security, languages and telecommunication software • SG 17 is the Lead

Study Group 17: Security, languages and telecommunication software • SG 17 is the Lead Study Group on telecommunication security - It is responsible for coordination of security across all Study Groups. • Subdivided into three Working Parties (WPs) – WP 1 - Open systems technologies; – WP 2 - Telecommunications security; and – WP 3 - Languages and telecommunications software • Most (but not all) security Questions are in WP 2 • Summaries of all draft Recommendations under development in SG 17 are available on the SG 17 web page at www. itu. int/itu-t/studygroups/com 17 GSC: Standardization Advancing Global Communications

Current SG 17 security-related Questions Working Party 1: • 1/17 End-to-end Multicast Communications with

Current SG 17 security-related Questions Working Party 1: • 1/17 End-to-end Multicast Communications with Qo. S Managing Facility • 2/17 Directory services, Directory systems, and publickey/attribute certificates • 3/17 Open Systems Interconnection (OSI) • 16/17 Internationalized Domain Names (IDN) Working Party 2: • 4/17 Communications Systems Security Project • 5/17 Security Architecture and Framework • 6/17 Cyber Security • 7/17 Security Management • 8/17 Telebiometrics • 9/17 Secure Communication Services • 17/17 Countering spam by technical means GSC: Standardization Advancing Global Communications

ITU-T SG 17 Question 4 Communications Systems Security Project • Security Workshop • ICT

ITU-T SG 17 Question 4 Communications Systems Security Project • Security Workshop • ICT Security Roadmap • Focus Group on Security Baseline For Network Operators GSC: Standardization Advancing Global Communications

New Horizons for Security Standardization Workshop • • Workshop held in Geneva 3 -4

New Horizons for Security Standardization Workshop • • Workshop held in Geneva 3 -4 October 2005 Hosted by ITU-T SG 17 as part of security coordination responsibility ISO/IEC JTC 1 played an important role in planning the program and in providing speakers/panelists. Speakers, panelists, chairs from: – – – ITU-T ISO/IEC IETF Consortia – OASIS, 3 GPP Regional SDOs – ATIS, ETSI, RAIS GSC: Standardization Advancing Global Communications

Workshop Objectives • Provide an overview of key international security standardization activities; • Seek

Workshop Objectives • Provide an overview of key international security standardization activities; • Seek to find out from stakeholders (e. g. , network operators, system developers, manufacturers and end-users) their primary security concerns and issues (including possible issues of adoption or implementation of standards); • Try to determine which issues are amenable to a standards-based solution and how the SDOs can most effectively play a role in helping address these issues; • Identify which SDOs are already working on these issues or are best equipped to do so; and • Consider how SDOs can collaborate to improve the timeliness and effectiveness of security standards and avoid duplication of effort. GSC: Standardization Advancing Global Communications

Workshop Results • Excellent discussions, feedback and suggestions • Documented in detail in the

Workshop Results • Excellent discussions, feedback and suggestions • Documented in detail in the Workshop report • Results are reported under following topics: – – – – – What are the crucial problems in ICT security standardization? Meta issues and need for a global framework; Standards Requirements and Priorities; Liaison and information sharing; User issues; Technology and threat issues; Focus for future standardization work; Process issues; Follow-on issues • The report is available on-line at: – www. itu. int/ITU-T/worksem/security/200510/index. html GSC: Standardization Advancing Global Communications

ICT Security Standards Roadmap (An SG 17 Work-in-progress) • Part 1 contains information about

ICT Security Standards Roadmap (An SG 17 Work-in-progress) • Part 1 contains information about organizations working on ICT security standards • Part 2 is database of existing security standards • Part 3 will be a list of standards in development • Part 4 will identify future needs and proposed new standards GSC: Standardization Advancing Global Communications

Roadmap access • Part 2 includes ITU-T, ISO/IEC JTC 1 and IETF standards. It

Roadmap access • Part 2 includes ITU-T, ISO/IEC JTC 1 and IETF standards. It will be expanded to include other standards (e. g. regional and consortia specifications). • It will also be converted to a Database format to allow searching and to allow organizations to manage their own data • Publicly available under Special Projects and Issues at: – www. itu. int/ITU-T/studygroups/com 17/index • We invite you to use the Roadmap, provide feedback and help us develop it to meet your needs GSC: Standardization Advancing Global Communications

Other Q. 4/17 projects • Security in Telecommunications and Information Technology – an overview

Other Q. 4/17 projects • Security in Telecommunications and Information Technology – an overview of existing ITU-T Recommendations for secure telecommunications. www. itu. int/ITU-T/publications/index. html • Security compendium: • catalogue of approved ITU-T Recommendations related to telecommunication security • extract of ITU-T approved security definitions • listing of ITU-T security related Questions www. itu. int/ITU-T/studygroups/com 17/tel-security. html • We are in the process of establishing a Security Experts Network (SEN) to maintain on-going dialogue on key issues of security standardization. GSC: Standardization Advancing Global Communications

Focus Group: Security Baseline for Network Operators • Established October 2005 by SG 17

Focus Group: Security Baseline for Network Operators • Established October 2005 by SG 17 • Objectives: – Define a security baseline against which network operators can assess their network and information security posture in terms of what security standards are available, which of these standards should be used to meet particular requirements, when they should be used, and how they should be applied – Describe a network operator’s readiness and ability to collaborate with other entities (operators, users and law enforcement authorities) to counteract information security threats – Provide meaningful criteria that can be used by network operators against which other network operators can be assessed, if required. • Next Step – Survey network operators by means of a questionnaire GSC: Standardization Advancing Global Communications

ITU-T SG 17 Question 5 Security Architecture and Framework • Brief description of Q.

ITU-T SG 17 Question 5 Security Architecture and Framework • Brief description of Q. 5 • Milestones • Draft Recommendations under development GSC: Standardization Advancing Global Communications

Brief description of Q. 5/17 • Motivation – The telecommunications and information technology industries

Brief description of Q. 5/17 • Motivation – The telecommunications and information technology industries are seeking cost-effective comprehensive security solutions that could be applied to various types of networks, services and applications. To achieve such solutions in multi-vendor environment, network security should be designed around the standard security architectures and standard security technologies. • Major tasks – Development of a comprehensive set of Recommendations for providing standard security solutions for telecommunications in collaboration with other Standards Development Organizations and ITU-T Study Groups. – Maintenance and enhancements of Recommendations in the X. 800 series: X. 800, X. 802, X. 803, X. 805, X. 810, X. 811, X. 812, X. 813, X. 814, X. 815, X. 816, X. 830, X. 831, X. 832, X. 833, X. 834, X. 835, X. 841, X. 842 and X. 843 GSC: Standardization Advancing Global Communications

Q. 5/17 Milestones • ITU-T Recommendation X. 805, Security Architecture for Systems Providing End-to-end

Q. 5/17 Milestones • ITU-T Recommendation X. 805, Security Architecture for Systems Providing End-to-end Communications, was published in 2003. • ISO Standard 18028 -2, Network security architecture, was developed in collaboration between ITU-T Q. 5/17 and ISO/IEC JTC 1 SC 27 WG 1. The Standard is technically aligned with X. 805. It was published in 2006. GSC: Standardization Advancing Global Communications

ITU-T Recommendation X. 805 defines a network security architecture for providing end -to-end network

ITU-T Recommendation X. 805 defines a network security architecture for providing end -to-end network security. The architecture can be applied to various kinds of networks where the end-to-end security is a concern and independently of the network’s underlying technology. GSC: Standardization Advancing Global Communications

Q. 5/17 Draft Recommendations 1/2 • Applications and further development of major concepts of

Q. 5/17 Draft Recommendations 1/2 • Applications and further development of major concepts of ITU-T Recommendation X. 805 – X. 805+, Division of the security features between the network and the users. This Recommendation specifies division of security features between the networks and users. It provides guidance on applying concepts of the X. 805 architecture to securing service provider’s, application provider’s networks and the end user’s equipment. – X. 805 nsa, Network security certification based on ITU-T Recommendation X. 805. This Recommendation describes the methodology, processes and controls required for network security certification based on ITU-T Recommendation X. 805, Security Architecture for Systems Providing End-to-End Communications. GSC: Standardization Advancing Global Communications

Q. 5/17 Draft Recommendations 2/2 • Standardization in support of Authentication Security Dimension (defined

Q. 5/17 Draft Recommendations 2/2 • Standardization in support of Authentication Security Dimension (defined in X. 805) – X. pak, Password-authenticated Key Exchange Protocol (PAK). This Recommendation specifies a password-based protocol for authentication and key exchange, which ensures mutual authentication of both parties in the act of establishing a symmetric cryptographic key via Diffie-Hellman exchange. – X. ngn-akm, Framework for authentication and key management for link layer security of NGN. This Recommendation establishes a framework for authentication and key management for securing the link layer of NGN. It also provides guidance on selection of the EAP methods for NGN. • Standardization of network security policies – X. spn, Framework for creation, storage, distribution, and enforcement of security policies for networks. This Recommendation establishes security policies that are to drive security controls of a system or service. It also specifies a framework for creation, storage, distribution, and enforcement of policies for network security that can be applied to various environmental conditions and network devices. GSC: Standardization Advancing Global Communications

ITU-T SG 17 Question 6 Cyber Security • • • Motivation Objectives Scope Current

ITU-T SG 17 Question 6 Cyber Security • • • Motivation Objectives Scope Current area of focus Draft Recommendations under development GSC: Standardization Advancing Global Communications

Q. 6/17 Motivation • Network connectivity and ubiquitous access is central to today’s IT

Q. 6/17 Motivation • Network connectivity and ubiquitous access is central to today’s IT systems • Wide spread access and loose coupling of interconnected IT systems is a primary source of widespread vulnerability • Threats such as: denial of service, theft of financial and personal data, network failures and disruption of voice and data telecommunications are on the rise • Network protocols in use today were developed in an environment of trust. • Most new investments and development is dedicated to building new functionality and not on securing that functionality • An understanding of cybersecurity is needed in order to build a foundation of knowledge that can aid in securing the networks of tomorrow GSC: Standardization Advancing Global Communications

Q. 6/17 Objectives • Perform actions in accordance with Lead Study Group (LSG) responsibility

Q. 6/17 Objectives • Perform actions in accordance with Lead Study Group (LSG) responsibility with the focus on cybersecurity • Work with Q. 1 of SG 2 on a definition of Cybersecurity • Identify and develop standards required for addressing the challenges in cybersecurity, within the scope of Q. 6/17 • Provide assistance to other ITU-T Study Groups in applying relevant cybersecurity Recommendations for specific security solutions. Review project-oriented security solutions for consistency. • Maintain and update existing Recommendations within the scope of Q. 6/17. • Coordinate security activities with other ITU-T SGs, ISO/IEC JTC 1 eg. SC 6, SC 27 and SC 37), and consortia as appropriate. • Provide awareness on new security technologies related to cybersecurity GSC: Standardization Advancing Global Communications

Q. 6/17 Scope • Definition of Cybersecurity • Security of Telecommunications Network Infrastructure •

Q. 6/17 Scope • Definition of Cybersecurity • Security of Telecommunications Network Infrastructure • Security Knowledge and Awareness of Telecom Personnel and Users • Security Requirements for Design of New Communications Protocol and Systems • Communications relating to Cybersecurity • Security Processes – Life-cycle Processes relating to Incident and Vulnerability • Security of Identity in Telecommunication Network • Legal/Policy Considerations GSC: Standardization Advancing Global Communications

Q. 6/17 Current Area of Focus • Work with SG 2 on the definition

Q. 6/17 Current Area of Focus • Work with SG 2 on the definition and requirements of cybersecurity. • Collaborate with Q 5, 7, 9, 17/17 and SG 2 in order to achieve better understanding of various aspects of network security. • Collaborate with IETF, OASIS, ISO/IEC JTC 1, W 3 C, APEC-TEL and other standardization bodies on cybersecurity. • Work on framework for secure network operations to address how telecommunications network providers secure their infrastructure and maintain secure operations. • Work on Recommendation for standardization of vulnerability data definition. • Study new cybersecurity issues – How should ISPs deal with botnets, evaluating the output of appropriate bodies when available. • Call for contributions for the outstanding questions identified in the revised scope. GSC: Standardization Advancing Global Communications

Q. 6/17 Draft Recommendations 1/2 1. Overview of Cybersecurity (X. cso) – This Recommendation

Q. 6/17 Draft Recommendations 1/2 1. Overview of Cybersecurity (X. cso) – This Recommendation provides a definition for Cybersecurity. The Recommendation provides a taxonomy of security threats from an operator point of view. Cybersecurity vulnerabilities and threats are presented and discussed at various network layers. – Various Cybersecurity technologies that are available to remedy the threats include: Routers, Firewalls, Antivirus protection, Intrusion detection systems, Intrusion protection systems, Secure computing, Audit and Monitoring. Network protection principles such as defence in depth, access and identity management with application to Cybersecurity are discussed. Risk Management strategies and techniques are discussed including the value of training and education in protecting the network. A discussion of Cybersecurity Standards, Cybersecurity implementation issues and certification are presented. 2. A vendor-neutral framework for automatic checking of the presence of vulnerabilities information update (X. vds) – This Recommendation provides a framework of automatic notification on vulnerability information. The key point of the framework is that it is a vendor-neutral framework. Once users register their software, updates on the vulnerabilities and patches of the registered software will automatically be made available to the users. Upon notification, users can then apply GSC: Standardization Advancing Global Communications

Q. 6/17 Draft Recommendations 2/2 3. Guidelines for Internet Service Providers and End-users for

Q. 6/17 Draft Recommendations 2/2 3. Guidelines for Internet Service Providers and End-users for Addressing the Risk of Spyware and Deceptive Software (X. sds) – 4. This Recommendation provides guidelines for Internet Service Providers (ISP) and end-users for addressing the risks of spyware and deceptive software. The Recommendation promotes best practices around principles of clear notices, and users’ consents and controls for ISP web hosting services. The Recommendation also promotes best practices to end-users on the Internet to secure their computing devices and information against the risks of spyware and deceptive software Guidelines on Cybersecurity Vulnerability Life-cycle Management(X. cvlm) – The Recommendation provides a framework for the provision of monitoring, discovering, responding and post-analysis of vulnerabilities. Service providers can use this Recommendation to complement their existing Information Security Management System process in the aspect of regular vulnerability assessment, vulnerability management, incident handling and incident management. GSC: Standardization Advancing Global Communications

ITU-T SG 17 Question 7 Security Management Systems • • Tasks Recommendations planned Revised

ITU-T SG 17 Question 7 Security Management Systems • • Tasks Recommendations planned Revised X. 1051 Approach for revised X. 1051 GSC: Standardization Advancing Global Communications

Q. 7/17 Tasks • Information Security Management Guidelines for telecommunications (Existing X. 1051, Information

Q. 7/17 Tasks • Information Security Management Guidelines for telecommunications (Existing X. 1051, Information security management system – Requirements for telecommunications (ISMS-T) ) ・Maintain and revise Recommendation X. 1051, “Information Security Management Guidelines for telecommunications based on ISO/IEC 27002”. ・Jointly develop a guideline of information security management with ISO/IEC JTC 1/SC 27. • Risk Management Methodology ・Study and develop a methodology of risk management for telecommunications in line with Recommendation X. 1051. ・Produce and consent a new ITU-T Recommendation for risk management methodology. • Incident Management ・Study and develop a handling and response procedure on security incidents for the telecommunications in line with Recommendation X. 1051. ・Produce and consent a new ITU-T Recommendation for incident management methodology and procedures. GSC: Standardization Advancing Global Communications

Recommendations planned in Q. 7/17 (Security Management) X. 1050: To be proposed X. 1051:

Recommendations planned in Q. 7/17 (Security Management) X. 1050: To be proposed X. 1051: In revision process Information Security Management Guidelines for Telecommunications based on ISO/IEC 27002 X. 1052: To be proposed X. 1053: To be proposed (Implementation Guide for Telecoms) X. 1054: To be proposed (Measurements and metrics for Telecommunications) X. 1055 : In the first stage of development Risk Management Guidelines for Telecommunications X. 1056: In the first stage of development Security Incident Management Guidelines for Telecommunications X. 1057: To be proposed (Identity Management for Telecoms) GSC: Standardization Advancing Global Communications

Information security management guidelines for Telecommunications (Revised X. 1051) Revised X. 1051 Security policy

Information security management guidelines for Telecommunications (Revised X. 1051) Revised X. 1051 Security policy Organising information security Asset management Human resources security Physical & environmental security Information Assets for Telecom Communications & operations management Access control Information systems acquisition, development and maintenance Information security incident management Business continuity management Compliance GSC: Standardization Advancing Global Communications

Q. 7/17 Approach to develop revised Recommendation X. 1051 ISMS Process CONTROL Implementation guidance

Q. 7/17 Approach to develop revised Recommendation X. 1051 ISMS Process CONTROL Implementation guidance Other information ISO/IEC 17799 (2005) 27002 CONTROL Implementation guidance for Telecom CONTROL Implementation requirements for Telecom Other information Revised X. 1051 Existing X. 1051 GSC: Standardization Advancing Global Communications

ITU-T SG 17 Question 8 Telebiometrics • Objectives • Study areas on Biometric Processes

ITU-T SG 17 Question 8 Telebiometrics • Objectives • Study areas on Biometric Processes • X. 1081 and draft Recommendations under development GSC: Standardization Advancing Global Communications

Q. 8/17 Objectives 1)To define telebiometric multimodal model framework 2)To specify biometric authentication mechanism

Q. 8/17 Objectives 1)To define telebiometric multimodal model framework 2)To specify biometric authentication mechanism in open network 3)To provide protection procedures and countermeasures for telebiometric systems GSC: Standardization Advancing Global Communications

Q. 8/17 Study areas on Biometric Processes X. tai: Telebiometrics Authentication Infrastructure X. bip:

Q. 8/17 Study areas on Biometric Processes X. tai: Telebiometrics Authentication Infrastructure X. bip: Bio. API Interworking Protocol X. 1081 X. physiol Safety conformity X. tsm: Telebiometrics System Mechanism X. tpp: Telebiometrics Protection Procedure s Storage Biometric Sensors Acquisition ( Capturing) NW NW Extraction NW Matching Score NW NW: Network Decision NW Yes/No GSC: Standardization Advancing Global Communications Application

Q. 8/17 Recommendations 1/4 - X. 1081 – The telebiometric multimodal model framework –

Q. 8/17 Recommendations 1/4 - X. 1081 – The telebiometric multimodal model framework – A framework for the specification of security and safety aspects of telebiometrics This Recommendation defines a telebiometric multimodal model that can be used as a framework for identifying and specifying aspects of telebiometrics, and for classifying biometric technologies used for identification (security aspects). - X. physiol – Telebiometrics related to human physiology This Recommendation gives names and symbols for quantities and units concerned with emissions from the human body that can be detected by a sensor, and with effects on the human body produced by the telebiometric devices in his environments. GSC: Standardization Advancing Global Communications

Q. 8/17 Recommendations 2/4 - X. tsm-1 – General biometric authentication protocol and profile

Q. 8/17 Recommendations 2/4 - X. tsm-1 – General biometric authentication protocol and profile on telecommunication system This Recommendation defines communication mechanism and protocols of biometric authentication for unspecified end‑users and service providers on open network. - X. tsm-2 – Profile of telecomunication device for Telebiometrics System Mechanism (TSM) This Recommendation defines the requirements, security profiles of client terminals for biometric authentication over the open network. GSC: Standardization Advancing Global Communications

Q. 8/17 Recommendations 3/4 - X. tai – Telebiometrics authentication infrastructure This Recommendation specifies

Q. 8/17 Recommendations 3/4 - X. tai – Telebiometrics authentication infrastructure This Recommendation specifies a framework to implement biometric identity authentication with certificate issuance, management, usage and revocation. - X. bip – Bio. API interworking protocol This Recommendation is common text of ITU-T and ISO/IEC JTC 1 SC 37. It specifies the syntax, semantics, and encodings of a set of messages ("BIP messages") that enable Bio. API-conforming application in telebiometric systems. GSC: Standardization Advancing Global Communications

Q. 8/17 Recommendations 4/4 - X. tpp-1 – A guideline of technical and managerial

Q. 8/17 Recommendations 4/4 - X. tpp-1 – A guideline of technical and managerial countermeasures for biometric data security This Recommendation defines weakness and threats in operating telebiometric systems and proposes a general guideline of security countermeasures from both technical and managerial perspectives. - X. tpp-2 – A guideline for secure and efficient transmission of multi-modal biometric data This Recommendation defines threat characteristics of multi-modal biometric system, and provides cryptographic methods and network protocols for transmission of multi-modal biometric data. GSC: Standardization Advancing Global Communications

ITU-T SG 17 Question 9 Secure Communication Services • • • Focus Position of

ITU-T SG 17 Question 9 Secure Communication Services • • • Focus Position of each topic Mobile security Home network security Web services security Secure applications services GSC: Standardization Advancing Global Communications

Q. 9/17 Focus • Develop a set of standards of secure application services, including

Q. 9/17 Focus • Develop a set of standards of secure application services, including – Mobile security Under study – Home network security Under study – Web Services security Under study – Secure application services Under study – Privacy protection for RFID and multimedia content and digital Identity management To be studied GSC: Standardization Advancing Global Communications

Position of each topic Web Services security Application Server Mobile Terminal Mobile Network Mobile

Position of each topic Web Services security Application Server Mobile Terminal Mobile Network Mobile security Open Network Home network security Secure application services GSC: Standardization Advancing Global Communications

Q. 9/17 - Mobile Security • X. 1121, Framework of security technologies for mobile

Q. 9/17 - Mobile Security • X. 1121, Framework of security technologies for mobile end-to-end data communications – Approved 2004 • X. 1122, Guideline for implementing secure mobile systems based on PKI – Approved 2004 • X. msec-3, General security value added service (policy) for mobile data communication – Develops general security service as value added service for secure mobile end-to-end data communication. • X. msec-4, Authentication architecture in mobile end-to-end data communication – Constructs generic authentication architecture for mobile data communication between mobile users and application servers. • X. crs, Correlative reacting system in mobile network – Develops the generic architecture of a correlative reactive system to protect the mobile terminal against Virus, worms, Trojan. Horses or other network attacks to both the mobile network and its mobile users. GSC: Standardization Advancing Global Communications

Q. 9/17 - Home network security • X. homesec-1, Framework for security technologies for

Q. 9/17 - Home network security • X. homesec-1, Framework for security technologies for home network – Framework of security technologies for home network – Define security threats and security requirements, security function requirements for each entity in the network, and possible implementation layer • X. homesec-2, Certificate profile for the device in the home network – Device certificate profile for the home network – Develops framework of home network device certificate. • X. homesec-3, User authentication mechanisms for home network service – User authentication mechanisms for home network service. – Provides the user authentication mechanism in the home network, which enables various authentication means such as password, certificate, biometrics and so on. GSC: Standardization Advancing Global Communications

Q. 9/17 - Web Services security • X. websec-1, Security Assertion Markup Language (SAML)

Q. 9/17 - Web Services security • X. websec-1, Security Assertion Markup Language (SAML) – Security assertion markup language – Adoption of OASIS SAML v 2. 0 into ITU-T Recommendation X. 1141 - Consented April 2006 – Define XML-based framework for exchanging security information. – The security information expressed in the form of assertions about subjects, where a subject is an entity (either human or computer) that has an identity in some security domain. • X. websec-2, e. Xtensible Access Control Markup Language (XACML) – e. Xtensible Access Control Markup Language – Adoption of OASIS XACML v 2. 0 into ITU-T Recommendation X. 1142 - Consented April 2006 – Provides an XML vocabulary for expressing access control policies and the syntax of the language and the rules for evaluating policies. • X. websec-3, Security architecture for message security in mobile Web Services – Develops a guideline on message security architecture and service scenarios for securing messages for mobile Web Services. GSC: Standardization Advancing Global Communications

Q. 9/17 - Secure applications services • X. sap-1, Guideline on strong password authentication

Q. 9/17 - Secure applications services • X. sap-1, Guideline on strong password authentication protocols – Guideline on secure password-based authentication protocol with key exchange. – Define a set of requirements for password-based protocol with key exchange and a selection guideline by setting up criteria that can be used in choosing an optimum authentication protocol for each application. • X. sap-2, Secure communication using TTP service – Secure end-to-end data communication techniques using TTP services – Specifies secure end-to-end data communication techniques using TTP services that are services defined in X. 842 or other services. • X. p 2 p-1, Anonymous authentication architecture in community communication – Requirements of security for peer-to-peer and peer-to-multi peer communications – Investigates threat analysis for P 2 P and P 2 MP communication services and describes security requirements for secure P 2 P and P 2 MP communication services. • X. p 2 p-2, Security architecture and protocols for peer to peer network – Describes the security techniques and protocols in the P 2 P environment. GSC: Standardization Advancing Global Communications

ITU-T SG 17 Question 17 Countering spam by technical means • Objectives • Set

ITU-T SG 17 Question 17 Countering spam by technical means • Objectives • Set of Recommendations GSC: Standardization Advancing Global Communications

Q. 17/17 Objectives • The aim of this Question is to develop a set

Q. 17/17 Objectives • The aim of this Question is to develop a set of Recommendations on countering spam by technical means for ITU-T, taking into account the need for collaboration with ITU-T other Study Groups and cooperation with other SDOs. The Question focuses particularly on technical requirement, frameworks and new technologies for countering spam. Guidelines on countering spam by technical means are also studied. GSC: Standardization Advancing Global Communications

Q. 17/17 Set of Recommendations Requirement on countering spam (X. csreq) Draft Technical framework

Q. 17/17 Set of Recommendations Requirement on countering spam (X. csreq) Draft Technical framework for countering email spam (X. fcs) Draft Framework Recommendations: IP multimedia application area (TBD) Technology Recommendations: Technical means for countering spam (X. tcs) TBD Technical means for countering IP multimedia spam (X. tcs) TBD Overview of countering spam for IP multimedia application (X. ocsip) Draft Guideline on countering email spam (X. gcs) Draft Other SDOs GSC: Standardization Advancing Global Communications

Q. 17/17 Brief Summaries of draft Recommendations under development 1/2 • X. csreq, Requirement

Q. 17/17 Brief Summaries of draft Recommendations under development 1/2 • X. csreq, Requirement on countering spam This Recommendation provides the general characteristics of spam, elicits generic objectives and provides an overview of the technical requirements on countering spam. In addition, this Recommendation provides checklist to evaluate the solution on countering spam. • X. fcs, Technical framework for countering email spam This Recommendation specifies the technical framework for network structure for the countering spam. Functions inside the framework are defined. It also includes the commonsensible characteristics of email spam, the universal rules of judgement and the common methods of countering email spam. GSC: Standardization Advancing Global Communications

Q. 17/17 Brief Summaries of draft Recommendations under development 2/2 • X. gcs, Guideline

Q. 17/17 Brief Summaries of draft Recommendations under development 2/2 • X. gcs, Guideline on countering email spam (X. gcs) This Recommendation specifies technical issues on countering email spam. It provides the current technical solutions and related activities from various SDOs and relevant organizations on countering email spam. It will be used as a basis for further development of technical Recommendations on countering email spam. • X. ocsip, Overview of countering spam for IP multimedia application This Recommendation specifies basic concepts, characteristics, and effects of spam in IP multimedia applications such as IP Telephony, video on demand, IP TV, instant messaging, multimedia conference, etc. It will provide basis and guideline for developing further technical solutions on countering spam. GSC: Standardization Advancing Global Communications

Security Work in other ITU-T Study Groups • • • SG 4 – Security

Security Work in other ITU-T Study Groups • • • SG 4 – Security of Management plane SG 9 – IPCablecom SG 13 – NGN security SG 16 – Multimedia security SG 19 – Security in IMT-2000 GSC: Standardization Advancing Global Communications

ITU-T SG 4 Work on Security GSC: Standardization Advancing Global Communications

ITU-T SG 4 Work on Security GSC: Standardization Advancing Global Communications

SG 4: Security of the Management Plane (M. 3016 series) • Approved last year,

SG 4: Security of the Management Plane (M. 3016 series) • Approved last year, the M. 3016 series is viewed as a key aspect of NGN Management; it is included – in the NGN Management Roadmap issued by the NGNMFG – In M. 3060 on the Principles of NGN Management • The M. 3016 series consists of 5 parts: – – – M. 3016. 0: Overview M. 3016. 1: Requirements M. 3016. 2: Services M. 3016. 3: Mechanisms M. 3016. 4: Profile proforma • The role of M. 3016. 4 is unique in that it provides a template for other SDOs and forums to indicate for their membership what parts of M. 3016 are mandatory or optional GSC: Standardization Advancing Global Communications

ITU-T SG 9 Work on Security GSC: Standardization Advancing Global Communications

ITU-T SG 9 Work on Security GSC: Standardization Advancing Global Communications

SG 9: IPCablecom Evolution • Enhance cable’s existing IP service environment to accelerate the

SG 9: IPCablecom Evolution • Enhance cable’s existing IP service environment to accelerate the convergence of voice, video, data, and mobility • Define an application agnostic architecture that allows cable operators to rapidly innovate new services • Provide a suite of Recommendations that define the elements and interfaces needed to facilitate multi-vendor interoperability • Incorporate leading communications technologies from the IETF and 3 GPP IMS GSC: Standardization Advancing Global Communications

SG 9: IPCablecom Evolution OSS evolves to support new clients and services Operational Support

SG 9: IPCablecom Evolution OSS evolves to support new clients and services Operational Support Systems Policy Control Provisioning, Management, Security, Accounting PSTN New capabilities added to support additional clients and services PSTN Gateway CMS NAT Traversal Managed IP Network IPCablecom Network Signaling Framework, Subscriber Data CMTS Applications Voice, Video, IM Presence, Wireless DOCSIS® Telephony was the first service GSC: Standardization Advancing Global Communications IPCablecom expands to support other services

SG 9: Targeted Applications • Enhanced Cable Voice and Video IP Telephony – Support

SG 9: Targeted Applications • Enhanced Cable Voice and Video IP Telephony – Support for new media and client types (e. g. , video telephony, soft clients) – Call treatment based on presence, device capability, identity – Maintain support for cable telephony features enabled by current IPCablecom Recommendations • Fixed-mobile Convergence over Cable – Support for dual mode cellular/Wi. Fi handsets over DOCSIS – Call handover between IPCablecom Vo. IP networks and cellular networks – Integrated features and call control between cellular and Vo. IP platforms • Cable Cross-Platform Features – Cross platform notification, messaging (e. g. , Caller-ID on TV) – Third-party call control features, such as ‘Click to dial’ GSC: Standardization Advancing Global Communications

SG 9: Design Approach • Incorporate new IP communication technologies – Focus on the

SG 9: Design Approach • Incorporate new IP communication technologies – Focus on the Session Initiation Protocol (SIP) and supporting protocols – Leverage the 3 GPP IMS as a service delivery platform • Develop a modular and extensible architecture that allows new services to be added without impacting the core IPCablecom infrastructure • Ensure backward compatibility with existing IPCablecom Recommendations • Support a wide variety of client devices GSC: Standardization Advancing Global Communications

SG 9: IPCablecom Security Requirements Under Consideration • Support a range of authentication schemes

SG 9: IPCablecom Security Requirements Under Consideration • Support a range of authentication schemes – UICCs (similar to SIM card) – Digital Certificates (existing IPCablecom EMTAs) – SIP digest (software clients) • Support a range of secure signaling options – IPsec – TLS – Disabled • • Support secure configuration before registration Support TLS for intra-domain security Minimize changes to IMS Reuse existing standards GSC: Standardization Advancing Global Communications

SG 9: DOCSIS Base Line Privacy Plus • The primary goals of DOCSIS BPI+

SG 9: DOCSIS Base Line Privacy Plus • The primary goals of DOCSIS BPI+ are to provide privacy of customer traffic, integrity of software downloads, and prevent theft of service. • DOCSIS BPI+ provides a number of tools to support these goals: – Traffic encryption for privacy/confidentiality. – Secure Software Download to assure a valid CM image. – Configuration file authentication to help secure the provisioning process. • Focus is on the link layer between the CMTS and CM. Security outside the DOCSIS network is provided by applications and other networks. GSC: Standardization Advancing Global Communications

SG 9: DOCSIS BPI+ Security Algorithms • A Cable Modem Terminations System (CMTS) authenticates

SG 9: DOCSIS BPI+ Security Algorithms • A Cable Modem Terminations System (CMTS) authenticates cable modems (CM) using X. 509 certificates and RSA public key cryptography. • Subscriber Traffic encryption – 3 DES used for key exchange – DES used for traffic encryption. AES being considered for future DOCSIS versions. • SW download image validation is performed using X. 509 certificates and digital signatures using RSA public key cryptography. • Message integrity checks (MIC) with keyed MD 5 hash used for CM configuration file security. GSC: Standardization Advancing Global Communications

ITU-T SG 13 Work on Security GSC: Standardization Advancing Global Communications

ITU-T SG 13 Work on Security GSC: Standardization Advancing Global Communications

SG 13: NGN Security Outline • • • Why NGN security? The ITU-T work

SG 13: NGN Security Outline • • • Why NGN security? The ITU-T work on NGN Security Relationship to other SDOs Output of the NGN Focus Group Recent developments—starting the SG 13 Security work Top NGN security issues that need resolution Security is among the key differentiators of the NGN. It is also among its biggest challenges!. . GSC: Standardization Advancing Global Communications

SG 13: Why Security? (Threat examples) • Subscriber’s perspective – Eavesdropping, theft of PIN

SG 13: Why Security? (Threat examples) • Subscriber’s perspective – Eavesdropping, theft of PIN codes – Tele-spam – Identity theft – Infection by viruses, worms, and spyware – Loss of privacy (call patterns, location, etc. ) – Flooding attacks on the end point • Provider’s perspective – Theft of service – Denial of service – Disclosure of network topology – Non-audited configuration changes – Additional related risks to the PSTN… In NGN, known IP security vulnerabilities can make PSTN vulnerable, too! GSC: Standardization Advancing Global Communications

SG 13: The ITU-T work on NGN Security • SG 13: Lead Study Group

SG 13: The ITU-T work on NGN Security • SG 13: Lead Study Group on the NGN standardization. (Question 15/13 is responsible for X. 805 -based NGN security) • SG 17: Lead Study Group on Telecommunication Security—the fundamental X. 800 series, PKI, etc. • SG 4: Lead Study Group on Telecommunication Management—Management Plane security • SG 11: Lead Study Group on signaling and protocols —security of the Control and Signaling planes • SG 16: Lead Study Group on multimedia terminals, systems and applications—Multimedia security has concluded; work has moved to GSC: FGNGN Standardization Advancing its Global Communications SG 13

Collaboration of ITU-T with other bodies on NGN security Recommendations ISO/IEC JTC 1 SC

Collaboration of ITU-T with other bodies on NGN security Recommendations ISO/IEC JTC 1 SC 27, … IETF ITU-T SG 13, 17, 4, 11, 16 … ATIS 3 GPP ETSI TISPAN Fora (such as OASIS) TIA SG 13 is the Lead Study Group for NGN SG 17 is the Lead Study Group for Security GSC: Standardization Advancing Global Communications 3 GPP 2

SG 13: Question 15, NGN security • Question 15 (NGN security) of SG 13

SG 13: Question 15, NGN security • Question 15 (NGN security) of SG 13 – ITU-T lead study group for NGN and satellite matters - will continue standards work started by FGNGN WG 5. • Q. 15/13 major tasks are: – Lead the NGN-specific security project-level issues within SG 13 and with other Study Groups. Recognizing SG 17’s overall role as the Lead Study Group for Telecommunication Security, advise and assist SG 17 on NGN security coordination issues. – Apply the X. 805 Security architecture for systems providing end-toend communication within the context of an NGN environment – Ensure that • the developed NGN architecture is consistent with accepted security principles • Ensure that AAA principles are integrated as required throughout the NGN GSC: Standardization Advancing Global Communications

SG 13: FGNGN output: Security Requirements for NGN Release 1 (highlights) • Security requirements

SG 13: FGNGN output: Security Requirements for NGN Release 1 (highlights) • Security requirements for the Service Stratum – IMS security – Transport domain to NGN core network interface – Open service platforms and applications security – Vo. IP – Emergency Telecommunication Services and Telecommunications for Disaster Relief • Security requirements for the Transport Stratum – NGN customer network domain – Customer network to IPConnectivity Access Network (IP-CAN) interface – Core network functions – NGN customer network to NGN customer network interface GSC: Standardization Advancing Global Communications

SG 13: FGNGN output: Guidelines for NGN Security Release 1 (highlights) • General –

SG 13: FGNGN output: Guidelines for NGN Security Release 1 (highlights) • General – General principles and guidelines for building secure Next Generation Networks – Detailed examination of IMS access security and NAT and firewall traversal – NGN Security Models – Security Associations model for NGN • Security of the NGN subsystems – IP-Connectivity Access Network – IMS Network domain and IMS-tonon-IMS network security – IMS access – Framework for open platform for services and applications in NGN – Emergency Telecommunications Service (ETS) and Telecommunications for Disaster Relief (TDR) Security – Overview of the existing standard solutions related to NAT and firewall traversal GSC: Standardization Advancing Global Communications

SG 13: Focus of the current work of Question 15, NGN security • •

SG 13: Focus of the current work of Question 15, NGN security • • • Security Requirements for NGN Release 1 Authentication requirements for NGN Release 1 AAA Service for Network Access to NGN Guidelines for NGN Security Release 1 Security considerations for Pseudowire (PWE) technology At the heart of securing network protocols, the biggest challenge is authentication. GSC: Standardization Advancing Global Communications

SG 13: Major Issues for NGN Security Standardization • Key distribution (for end-users and

SG 13: Major Issues for NGN Security Standardization • Key distribution (for end-users and network elements) and Public Key Infrastructure • “Network privacy”—topology hiding and NAT/Firewall traversal for real-time applications • Convergence with IT security • Management of security functions (e. g. , policy) • Guidelines on the implementation of the IETF protocols (e. g. , IPsec options) • Security for supporting access: DSL, WLAN, and cable access scenarios • Guidelines for handling 3 GPP vs. 3 GPP 2 differences in IMS Security Both—network assets and network traffic—must be protected. Proper management procedures will help prevent attacks from within. GSC: Standardization Advancing Global Communications

SG 13: NGN Architecture GSC: Standardization Advancing Global Communications

SG 13: NGN Architecture GSC: Standardization Advancing Global Communications

ITU-T SG 16 Work on Security GSC: Standardization Advancing Global Communications

ITU-T SG 16 Work on Security GSC: Standardization Advancing Global Communications

Question 25/16 “Multimedia Security in Next-Generation Networks” (NGN-MM-SEC) • • Study Group 16 concentrates

Question 25/16 “Multimedia Security in Next-Generation Networks” (NGN-MM-SEC) • • Study Group 16 concentrates on Multimedia systems. Q. 25/16 focuses on the application-security issues of MM applications in next generation networks Standardizes Multimedia Security So far Q. 25 has been standardizing MM-security for the “ 1 st generation MM/pre-NGN? -systems”: – H. 323/H. 248 -based systems. GSC: Standardization Advancing Global Communications

Evolution of H. 235 Core Security Framework Engineering 1 st Deployment Improvement and Additions

Evolution of H. 235 Core Security Framework Engineering 1 st Deployment Improvement and Additions Consolidation H. 235 V 3 + Annex I H. 235 V 3 Amd 1 + Annex H H. 235 Annex G H. 235 V 2 Security Profiles Annex D Initial Draft H. 235 V 1 Annex E approved started 1997 1998 Annex F Annex E H. 530 approved consent H. 323 V 5 H. 323 V 4 H. 323 V 2 1996 Annex D 1999 2000 2001 2002 2003 2004 => 2005 GSC: Standardization Advancing Global Communications

H. 235 V 4 Subseries Recommendations • • Major restructuring of H. 235 v

H. 235 V 4 Subseries Recommendations • • Major restructuring of H. 235 v 3 Amd 1 and annexes in stand-alone subseries Recommendations H. 235. x subseries specify scenario-specific MMsecurity procedures as H. 235 -profiles for H. 323 • • • Some new parts added Some enhancements and extensions Incorporated corrections • Approved in Sept. 2005 GSC: Standardization Advancing Global Communications

H. 323 Security Recommendations (1) • H. 235. 0 “Security framework for H-series (H.

H. 323 Security Recommendations (1) • H. 235. 0 “Security framework for H-series (H. 323 and other H. 245 -based) multimedia systems” Þ Overview of H. 235. x subseries and common procedures with baseline text • H. 235. 1 "Baseline Security Profile” Þ Authentication & integrity for H. 225. 0 signaling using shared secrets • H. 235. 2 "Signature Security Profile” Þ Authentication & integrity for H. 225. 0 signaling using X. 509 digital certificates and signatures GSC: Standardization Advancing Global Communications

H. 323 Security Recommendations (2) • Þ Authentication & integrity for H. 225. 0

H. 323 Security Recommendations (2) • Þ Authentication & integrity for H. 225. 0 signaling using an optimized combination of X. 509 digital certificates, signatures and shared secret key management; specification of an optional proxy-based security processor enhanced • extended H. 235. 3 "Hybrid Security Profile" H. 235. 4 "Direct and Selective Routed Call Security" Þ Key management procedures in corporate and in interdomain environments to obtain key material for securing H. 225. 0 call signaling in GK directrouted/selective routed scenarios GSC: Standardization Advancing Global Communications

H. 323 Security Recommendations (3) • enhanced Þ Secured password (using EKE/SPEKE approach) in

H. 323 Security Recommendations (3) • enhanced Þ Secured password (using EKE/SPEKE approach) in combination with Diffie-Hellman key agreement for stronger authentication during H. 225. 0 signaling • modified H. 235. 5 "Framework for secure authentication in RAS using weak shared secrets" H. 235. 6 "Voice encryption profile with native H. 235/H. 245 key management" Þ Key management and encryption mechanisms for RTP GSC: Standardization Advancing Global Communications

H. 323 Security Recommendations (4) • H. 235. 7 "Usage of the MIKEY Key

H. 323 Security Recommendations (4) • H. 235. 7 "Usage of the MIKEY Key Management Protocol for the Secure Real Time Transport Protocol (SRTP) within H. 235" Þ Usage of the MIKEY key management for SRTP • H. 235. 8 "Key Exchange for SRTP using secure Signalling Channels" Þ SRTP keying parameter transport over secured signaling channels (IPsec, TLS, CMS) • H. 235. 9 "Security Gateway Support for H. 323" Þ Discovery of H. 323 Security Gateways (SG = H. 323 NAT/FW ALG) and key management for H. 225. 0 signaling GSC: Standardization Advancing Global Communications

Other SG 16 MM-SEC Results • H. 350. 2 (2003) “H. 350. 2 Directory

Other SG 16 MM-SEC Results • H. 350. 2 (2003) “H. 350. 2 Directory Services Architecture for H. 235” Þ An LDAP schema to represent H. 235 elements (PWs, certificates, ID information) • H. 530 (Revision 2003) “Symmetric security procedures for H. 323 mobility in H. 510” Þ Authentication, access control and key management in mobile H. 323 -based corporate networks GSC: Standardization Advancing Global Communications

Q. 5/16 (H. 300 NAT/FW Traversal) Results (1) • H. 460. 18 “Traversal of

Q. 5/16 (H. 300 NAT/FW Traversal) Results (1) • H. 460. 18 “Traversal of H. 323 signalling across FWs and NATs” Þ H. 323 protocol enhancements and new client/server proxies to allow H. 323 signalling protocols traverse NATs & FWs; H. 323 endpoints can remain unchanged • H. 460. 19 “NAT & FW traversal procedures for RTP in H. 323 systems” Þ uses multiplexed RTP media mode and symmetric RTP in conjunction with H. 460. 18 as a short-term solution GSC: Standardization Advancing Global Communications

More Q. 5/16 Results (2) • Technical Paper “Requirements for Network Address Translator and

More Q. 5/16 Results (2) • Technical Paper “Requirements for Network Address Translator and Firewall Traversal of H. 323 Multimedia Systems” Þ Documentation of scenarios and requirements for NAT & FW traversal in H. 323 • Technical Paper “Firewall and NAT traversal Problems in H. 323 Systems” Þ An analysis of scenarios and various problems encountered by H. 323 around NAT & FW traversal GSC: Standardization Advancing Global Communications

New Q. 25/16 items under current study (1) • Draft H. 460. spn “Security

New Q. 25/16 items under current study (1) • Draft H. 460. spn “Security protocol negotiation” ° • Goal: Negotiate security protocols (IPsec or TLS) for H. 323 signaling) (Draft) H. FSIC “Federated Architecture for Secure Internet Conferencing” ° Goal: Define a generic protocol independent security profile for globally scalable security conferencing using trust federations. GSC: Standardization Advancing Global Communications

New Q. 25/16 items under current study (2) • Study Anti-DDo. S (Denial-of-Service) countermeasures

New Q. 25/16 items under current study (2) • Study Anti-DDo. S (Denial-of-Service) countermeasures for (H. 323 -based) NAT/FW proxy and MM applications • Security for MM-Qo. S (H. mmqos. security) • MM security aspects of Vision H. 325 “Next-generation Multimedia Terminals and Systems” ° Goal: MM-security for H. 325, MM security for Audiovisual on Demand services, Multimedia Conferencing, Distant learning, . . . GSC: Standardization Advancing Global Communications

New Q. 25/16 items under current study (3) • Study Multimedia-Security aspects of Digital

New Q. 25/16 items under current study (3) • Study Multimedia-Security aspects of Digital Rights Management (MM-DRM) – What does MM-DRM mean? – Understand DRM security needs for MM content of MM applications (e. g. IPTV, …) – Contributions are solicited. – Which other groups are active/interested in this area? GSC: Standardization Advancing Global Communications

Ongoing Q. 5/16 work items • Draft H. proxy ° Goal: Specify signaling &

Ongoing Q. 5/16 work items • Draft H. proxy ° Goal: Specify signaling & media client/server proxies connected with a (UDP) tunneling protocol for H. 323 NAT & FW traversal GSC: Standardization Advancing Global Communications

SG 16: Summary • Multimedia systems and applications as being studied by SG 16

SG 16: Summary • Multimedia systems and applications as being studied by SG 16 face important security challenges: – MM-security and NAT/FW traversal • Q. 25/16 and Q. 5/16 are addressing these issues and have provided various Recommendations • The work continues in the scope of NGN-Multimedia Security. GSC: Standardization Advancing Global Communications

ITU-T SG 19 Work on Security GSC: Standardization Advancing Global Communications

ITU-T SG 19 Work on Security GSC: Standardization Advancing Global Communications

Security Work in SG 19 (1/3) • Q. 1/19 Service and network capability requirements

Security Work in SG 19 (1/3) • Q. 1/19 Service and network capability requirements and network architecture – PDNR Q. FNAB “Functional Network Architecture for Systems Beyond IMT-2000” has included security requirements from the beginning, building on existing material in related domains • Q. 2/19 Mobility management – Security is included as a fundamental component of the analysis mobility management mechanisms in Q-series Supplement 47 “Technical Report on NNI Mobility Management Requirements” – Currently progressing, on the same basis and jointly with Q. 6/13: • • Rec. MMR Mobility Management Requirements (Stage 1) Rec. MMF Mobility Management Framework (Stage 2) Rec. LMF Location Mobility Management Framework (Stage 2) Rec. HMF Handover Management Framework (Stage 2) GSC: Standardization Advancing Global Communications

Security Work in SG 19 (2/3) • Q. 3/19 Identification of existing and evolving

Security Work in SG 19 (2/3) • Q. 3/19 Identification of existing and evolving IMT 2000 systems – Q. 1741 and Q. 1742 series of Recommendations include security as a key aspect of its referencing Recommendations for IMT-2000 (3 G) Family Members identified in its Q. 1741. x (3 GPP) and Q. 1742. x (3 GPP 2) series Recommendations, including: • • an evaluation of perceived threats a list of security requirements to address the threats security objectives and principles a defined security architecture (i. e. , security features and mechanisms) • cryptographic algorithm requirements • lawful interception architecture and functions – Additional information in backup charts GSC: Standardization Advancing Global Communications

Security in SG 19 Work (3/3) • Q. 4/19 Preparation of a handbook on

Security in SG 19 Work (3/3) • Q. 4/19 Preparation of a handbook on IMT 2000 – Next edition of “Handbook of evolving IMT 2000 Systems (Core Network Aspects)” in progress includes a new chapter “Safety and security issues for IMT-2000” • Q. 5/19 Convergence of evolving IMT-2000 networks with evolving fixed networks – Includes security consideration for such areas as user identification and authentication, including IMS security (see Q. 3/19) GSC: Standardization Advancing Global Communications

ITU-T SSG & SG 19 Rec. Q. 1741 -series • Q. 1741. 1 IMT-2000

ITU-T SSG & SG 19 Rec. Q. 1741 -series • Q. 1741. 1 IMT-2000 references to release 1999 of GSM evolved UMTS core network with UTRAN access network • Q. 1741. 2 IMT-2000 references to release 4. . . • Q. 1741. 3 IMT-2000 references to release 5. . . • Q. 1741. 4 IMT-2000 references to release 6. . . – Includes references to the 3 GPP security specifications as TS 22. 101: Service aspects; Service principles, TS 33. 102: Security Architecture, TS 33. 106: Lawful interception requirements, TS 33. 107: Lawful interception Architecture and Functions, TS 33. 108: Handover interface for Lawful Interception (LI), TS 33. 200: Network Domain Security – MAP, TS 33. 203: Access security for IP-based services, TS 33. 210: Security; Network Domain Security (NDS); IP network layer security, TS 35. 205, . 206, . 207, . 208 and. 909: Specification of the MILENAGE Algorithm Set GSC: Standardization Advancing Global Communications

ITU-T SSG & SG 19 Rec. Q. 1742 -series • Q. 1742. 1 IMT-2000

ITU-T SSG & SG 19 Rec. Q. 1742 -series • Q. 1742. 1 IMT-2000 references to ANSI-41 evolved core network with cdma 2000 access network • Q. 1742. 2 IMT-2000 references (. . . as of 11 July 2002) to. . . • Q. 1742. 3 IMT-2000 references (. . . as of 30 June 2003) to. . . • Q. 1742. 4 IMT-2000 references (. . . as of 30 June 2004) to. . . – “The 3 GPP 2 Steering Committee found that the Packet Data Surveillance Feature (also known as Packet Data Intercept, Legal Surveillance, Lawful Surveillance, or Electronic Surveillance) was regional in nature and should be left to the appropriate SDOs to develop, with 3 GPP 2 consulting as requested. ” GSC: Standardization Advancing Global Communications