ITU-T SG17 Q.2
Security Architecture and Framework
An overview for newcomers
Patrick Mwesigwa
Q.2/17 Rapporteur
15 March 2016
Contents
 Question text for Q.2/17
 Motivation, Question, Tasks and Relationships
 Recommendations and Supplements related to Q.2/17
 Draft Recommendations on developing under Q.2/17
 Future Plan for Next Study Period (2017-2020)
Question text for 2/17 – Motivation
 Security architecture Recommendations
– Recommendations ITU-T X.800, X.802 and X.803 describe security within the context of
open systems interconnection (OSI).
– The security architecture for systems providing end-to-end communications is provided in
Recommendation ITU-T X.805.
– A comprehensive set of detailed security frameworks covering aspects of security such as
authentication, access control, non-repudiation, confidentiality, integrity, and security audit
and alarms has been established (X.810, X.811, X.812, X.813, X.814, X.815 and X.816).
– Generic Upper Layers Security (GULS), Recommendations ITU-T X.830, X.831, X.832, X.833,
X.834 and X.835 have been developed.
– In cooperation with ISO/IEC JTC 1/SC 27, Recommendations ITU-T X.841, X.842 and X.843
on security information objects and trusted third party services have been established.
 A continued effort to maintain and enhance these security
Recommendations to satisfy the needs of emerging technologies (e.g., the
next generation networks (NGN) and Internet protocol based networks) and
services is required. This effort is reflected by X.1035 and X.1036 that show
details of password-authenticated key exchange protocols and policy
distribution and enforcement.
Question text for 2/17 – Motivation (cont.)
 Due to convergence and mobility, telecommunications carrier networks and the associated information systems are exposed to new classes of security threats. Attackers can reach deeper into networks, need less skill to do so, and can cause more damage. Viruses, hacking and denial of service attacks have become pervasive and adversely affect network elements and support systems alike.
 The telecommunications and information technology industries are seeking
cost-effective comprehensive security solutions that are technology agnostic
and protect a wide spectrum of services and applications. To achieve such
solutions in a multi-vendor environment, network security should be designed
around the standard security architectures and standard security
technologies. Taking into account the security threats to the
telecommunication environment and the current advancement of security
countermeasures against the threats, new security requirements and
solutions should be investigated. New Recommendations that show how to
combine the technology standards and security frameworks are needed to
implement comprehensive security for the emerging networks and services.
Question text for 2/17 – Question
 Study items to be considered include, but are not limited to:
– How should a comprehensive, coherent telecommunications security
solution be defined?
– What is the architecture for a comprehensive, coherent
telecommunications security solution?
– What is the framework for applying the security architecture in order to
establish a new security solution?
– What is the framework for applying the security architecture in order to
assess (and consequently improve) an existing security solution?
– What are the architectural underpinnings for security?
• What is the architecture for end-to-end security?
• What is the open systems security architecture?
• What is the security architecture for the mobile environment?
• What is the security architecture for evolving networks?
• What is the security architecture for application services, in collaboration with Q.7/17?
Question text for 2/17 – Question (cont.)
 Study items to be considered include, but are not limited to:
– What new security architecture and framework Recommendations are
required for providing security solutions in the changing environment?
– How should architectural standards be structured with respect to existing
Recommendations on security?
– How should architectural standards be structured with respect to the
existing advanced security technologies?
– How should the security framework Recommendations be modified to
adapt them to emerging technologies and what new framework
Recommendations are required?
– How are security services applied to provide security solutions?
– How is telecommunication/ICT infrastructure monitoring applied to
provide security solutions?
Question text for 2/17 – Tasks and Relationships
 Tasks include, but are not limited to:
– Development of a comprehensive set of security architecture and framework
Recommendations for providing standard security solutions for
telecommunications in collaboration with other standards development
organizations and ITU-T study groups.
– Studies and development of Recommendations on a trusted telecommunication
network architecture that integrates advanced security technologies.
– Maintenance and enhancements of Recommendations and Supplements in the
X.800-series and X.103x-series.
 Relationships:
– Recommendations: X-series and others related to security
– Questions: ITU-T Questions 1/17, 3/17, 4/17, 5/17, 6/17, 7/17, 8/17, 9/17, 10/17
and 11/17
– Study Groups: ITU-T SGs 2, 9, 11, 13 and 16
– Standardization bodies: ISO/IEC JTC 1/SC 27 and SC 37; IEC TC 25; ISO TC12; IETF;
ATIS; ETSI; 3GPP, 3GPP2; FIINA.
Recommendations related to Q.2/17
 OSI security architecture (Rec. ITU-T X.800)
 OSI security models
(Recs. ITU-T X.802, X.803, X.830, X.831, X.832, X.833, X.834,
X.835)
 OSI security frameworks for open systems
(Recs. ITU-T X.810, X.811, X.812, X.813, X.814, X.815, X.816,
X.841)
 Security architecture for systems providing end-to-end
communications (Rec. ITU-T X.805)
Recommendation ITU-T X.805
Security architecture for systems providing end-to-end
communications (10/2003)
 Defines a general network security architecture for providing
end-to-end network security
 For a systematic security design of products.
[Figure: Rec. ITU-T X.805 – Security architectural elements]
Recommendations related to Q.2/17
 Roles of end users and telecommunications networks within
security architecture (Rec. ITU-T X.1031)
 IP-based telecommunication network security system (TNSS)
(Rec. ITU-T X.1032)
 EAP + key management guideline (Rec. ITU-T X.1034)
 Password-authenticated key exchange (PAK) protocol (Rec. ITU-T
X.1035)
 Framework for creation, storage, distribution and enforcement
of policies for network security (Rec. ITU-T X.1036)
 IPv6 security (Rec. ITU-T X.1037)
Supplements related to Q.2/17
 X.Suppl. 2: ITU-T X.800-X.849 series – Supplement on security baseline for network operators
 X.Suppl. 3: ITU-T X.800-X.849 series – Supplement on guidelines for implementing system and network security
 X.Suppl. 15: ITU-T X.800-X.849 series – Supplement on guidance for creating a national IP-based public network security centre for developing countries
 X.Suppl. 16: ITU-T X.800-X.849 series – Supplement on architectural systems for security controls for preventing fraudulent activities in public carrier networks
 X.Suppl. 23: ITU-T X.1037 – Supplement on security management guidelines for the implementation of an IPv6 environment in telecommunication organizations
Some application-specific architectures
 P2P (peer-to-peer) communication
 Rec. ITU-T X.1161: Framework for secure peer-to-peer communications
 Rec. ITU-T X.1162: Security architecture and operations for peer-to-peer
networks
 Mobile web services
 Rec. ITU-T X.1143: Security architecture for message security in mobile
web services
 Network management architecture
 Rec. ITU-T M.3010: Principles for a telecommunications management
network
 IPCablecom architecture
 Rec. ITU-T J.160: Architectural framework for the delivery of time-critical
services over cable television networks using cable modems
 IPTV service
 Rec. ITU-T X.1191: Functional requirements and architecture for IPTV
security aspects
Draft Recommendation ITU-T X.gsiiso
Guidelines on security of the individual information service for
operators (Timing : 2016-03, Consent)
 Addresses the aspects of security of the information service
provided by the telecommunication operators
 Defines the classification of telecommunication information services:
• Communication services: telephone, internet broadband etc.
• Content services: web indexing/searching, mobile TV/IPTV etc.
• Information services: e-government, e-commerce, e-health,
etc.
• Individual information services: users’ requirements, privileges,
preferences, and habitual behaviors, etc.
Draft Recommendation ITU-T X.sdnsec-2
Security requirements and reference architecture for Software-Defined Networking (Timing : 2017-10, Consent)
 Describe use cases to detail new security threats when introducing SDN;
 Identify security threats;
 Define security requirements;
 Provide possible security mechanisms for new security threats;
 Design security reference architecture for SDN
[Figure: Security reference architecture for SDN, laid over the SDN layers of Rec. ITU-T Y.3300. Security functions as labelled in the figure, grouped by layer as far as the figure text allows:
– SDN Application Layer (SDN-AL): Authentication, Key/Certificate Management, Data Confidentiality, Data Integrity
– Application-Control Interface: Log and Audit, Security Management
– SDN Control Layer (SDN-CL): Authentication, Authorization, Data Confidentiality, Data Integrity, Key/Certificate Management, Types of Flow Entries pushed to the SDN Switch, Supporting Preventing Flow Rule Conflicts, System/Software Integrity Protection, Trusted Computing, Supporting Security Monitoring, High Assurance
– Resource-Control Interface: Authentication, Log and Audit, Security Management
– SDN Resource Layer (SDN-RL): Authorization, Data Confidentiality, Data Integrity, Key/Certificate Management, Supporting Preventing Flow Table Overflow, Supporting Packet Scan Detection
– Multi-layer Management Function]
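The figure lists "preventing flow rule conflicts" among the control-layer security functions but does not say how such a check works. The script below is an added example, not code from the draft Recommendation, from Y.3300 or from any SDN controller: it vets a simplified OpenFlow-style flow table before entries are pushed to a switch. The FlowEntry model, the field names and the sample table are constructed for illustration; the matching semantics (numeric priority, exact value or CIDR prefix per field, omitted field means wildcard) follow the usual OpenFlow model but are deliberately reduced.

```python
"""Flow-rule conflict checks for an SDN control layer.

Constructed example (not from ITU-T X.sdnsec-2 or Y.3300): a simplified
OpenFlow-style flow entry has a priority, a match on a few header fields and
one action.  Omitted fields are wildcards; ipv4_src/ipv4_dst take CIDR
prefixes; other fields are exact values.  Three kinds of finding:

  CONFLICT  same priority, overlapping match, different action: which rule
            the switch applies is undefined.
  SHADOW    a higher-priority rule with a different action covers every
            packet of a lower-priority rule, so the lower rule never fires.
  OVERRIDE  a higher-priority non-drop rule overlaps part of a lower-priority
            drop rule: a permissive rule punches a hole in a security rule.

Partial overlaps between two forwarding rules at different priorities are
ordinary precedence and are not reported.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network

IP_FIELDS = {"ipv4_src", "ipv4_dst"}


@dataclass
class FlowEntry:
    name: str
    priority: int
    action: str                                # e.g. "forward:2", "drop"
    match: dict = field(default_factory=dict)  # field -> exact value or CIDR


def _overlaps(a, b, fld):
    """Can one packet satisfy both match values for this field?"""
    if a is None or b is None:                 # wildcard on either side
        return True
    if fld in IP_FIELDS:
        return ip_network(a, strict=False).overlaps(ip_network(b, strict=False))
    return a == b


def _covers(hi, lo, fld):
    """Does the high-priority value match every packet the low one matches?"""
    if hi is None:                             # hi is a wildcard: covers all
        return True
    if lo is None:                             # lo matches more than hi does
        return False
    if fld in IP_FIELDS:
        return ip_network(lo, strict=False).subnet_of(ip_network(hi, strict=False))
    return hi == lo


def overlapping(r1, r2):
    fields = set(r1.match) | set(r2.match)
    return all(_overlaps(r1.match.get(f), r2.match.get(f), f) for f in fields)


def covers(hi, lo):
    fields = set(hi.match) | set(lo.match)
    return all(_covers(hi.match.get(f), lo.match.get(f), f) for f in fields)


def check_table(rules):
    """Return (kind, higher-or-first rule, other rule) findings for a table."""
    findings = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.action == b.action or not overlapping(a, b):
                continue
            if a.priority == b.priority:
                findings.append(("CONFLICT", a.name, b.name))
                continue
            hi, lo = (a, b) if a.priority > b.priority else (b, a)
            if covers(hi, lo):
                findings.append(("SHADOW", hi.name, lo.name))
            elif lo.action == "drop" and hi.action != "drop":
                findings.append(("OVERRIDE", hi.name, lo.name))
    return findings


def vet_before_push(table, candidate):
    """Findings that installing `candidate` into `table` would introduce."""
    return [f for f in check_table(list(table) + [candidate])
            if candidate.name in f[1:]]


# Constructed flow table containing one instance of each problem.
SAMPLE_TABLE = [
    FlowEntry("block-telnet", 200, "drop",
              {"eth_type": 0x0800, "ip_proto": 6, "tcp_dst": 23}),
    FlowEntry("mgmt-bypass", 300, "forward:1",
              {"eth_type": 0x0800, "ipv4_src": "10.0.0.0/8"}),
    FlowEntry("lb-web-a", 100, "forward:2",
              {"eth_type": 0x0800, "ip_proto": 6, "tcp_dst": 80,
               "ipv4_dst": "10.0.1.0/24"}),
    FlowEntry("lb-web-b", 100, "forward:3",
              {"eth_type": 0x0800, "ip_proto": 6, "tcp_dst": 80,
               "ipv4_dst": "10.0.1.128/25"}),
    FlowEntry("quarantine-host", 50, "drop",
              {"eth_type": 0x0800, "ipv4_src": "10.0.0.7/32"}),
]

if __name__ == "__main__":
    for kind, hi, lo in check_table(SAMPLE_TABLE):
        print(f"{kind:8} {hi} -> {lo}")
```

Run against the sample table, the check reports the two load-balancer rules as a CONFLICT, the broad management allow rule as SHADOWing the quarantine drop (the quarantined host is inside 10.0.0.0/8), and the same allow rule as an OVERRIDE of the telnet block for sources in that prefix. Using `vet_before_push` at the controller's northbound interface turns this from an audit into the preventive control the figure describes.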
Draft Supplement ITU-T X.sgmvno
ITU-T X.805 – Supplement on Security guideline for mobile virtual network operator (MVNO) (Timing : 2016-09, Agreement)
 Provides security guidelines for MVNOs
• Main features and typical threats of MVNOs
• Security framework including security objectives and security requirements.
[Figure: MVNO reference model. Network operator side: network management, service systems, BOSS. MVNO: service system, billing system, customer service system. Service resellers connect to the MVNO.]
Draft Recommendation ITU-T X.tigsc
Technical implementation guidelines for ITU-T X.805 (Timing :
2016-09, Consent)
 Provides technical implementation guidelines for security countermeasures
• A set of technical countermeasures or solutions to implement the technical information security domains, including access control, authentication, non-repudiation, data confidentiality, communication security, data integrity, availability, and privacy.
• Provides examples of applying the set of technical countermeasures to organizations with practical levels of the information security domains
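The eight domains listed for X.tigsc are the X.805 security dimensions, and X.805 applies them across three security layers (infrastructure, services, applications) and three security planes (management, control, end-user), giving 72 cells. The script below is an added example, not code from X.805, X.tigsc or the presentation: it records which cells each deployed countermeasure covers and reports the uncovered ones, which is the "assess (and consequently improve) an existing security solution" use of the architecture named among the Question's study items. The countermeasure inventory is constructed for illustration.

```python
"""Coverage check of a countermeasure inventory against the ITU-T X.805 matrix.

X.805 decomposes end-to-end security into eight security dimensions, three
security layers and three security planes (these names are X.805's own); a
countermeasure protects some set of (dimension, layer, plane) cells.  The
tool reports the cells no countermeasure covers.  The inventory below is
constructed for this example and is not from the ITU-T text.
"""
from itertools import product

DIMENSIONS = (
    "access control", "authentication", "non-repudiation",
    "data confidentiality", "communication security", "data integrity",
    "availability", "privacy",
)
LAYERS = ("infrastructure", "services", "applications")
PLANES = ("management", "control", "end-user")

ALL_CELLS = frozenset(product(DIMENSIONS, LAYERS, PLANES))


def expand(selector):
    """Expand a selector into the set of X.805 cells it covers.

    Keys are 'dimension', 'layer', 'plane', each mapping to a list of names;
    an omitted key means every value on that axis.  Unknown names raise
    ValueError so a typo in the inventory cannot silently count as coverage.
    """
    axes = {"dimension": DIMENSIONS, "layer": LAYERS, "plane": PLANES}
    chosen = []
    for axis, valid in axes.items():
        names = selector.get(axis, valid)
        bad = [n for n in names if n not in valid]
        if bad:
            raise ValueError(f"unknown {axis}: {bad}")
        chosen.append(tuple(names))
    return frozenset(product(*chosen))


def coverage(inventory):
    """Return (covered, gaps): covered maps cell -> countermeasure names."""
    covered = {}
    for name, selector in inventory.items():
        for cell in expand(selector):
            covered.setdefault(cell, []).append(name)
    gaps = sorted(ALL_CELLS - set(covered))
    return covered, gaps


# Constructed inventory: what a small operator might actually have deployed.
SAMPLE_INVENTORY = {
    "TLS on management and control interfaces": {
        "dimension": ["data confidentiality", "data integrity",
                      "communication security"],
        "plane": ["management", "control"],
    },
    "802.1X + RADIUS for administrator login": {
        "dimension": ["authentication", "access control"],
        "plane": ["management"],
    },
    "Signed syslog forwarded to SIEM": {
        "dimension": ["non-repudiation"],
        "layer": ["infrastructure", "services"],
        "plane": ["management", "control"],
    },
    "Redundant links and DDoS scrubbing": {
        "dimension": ["availability"],
        "layer": ["infrastructure"],
    },
}


def gap_report(inventory=SAMPLE_INVENTORY):
    """Group uncovered cells by dimension so the result reads like an X.805 table."""
    _, gaps = coverage(inventory)
    by_dim = {}
    for dim, layer, plane in gaps:
        by_dim.setdefault(dim, []).append(f"{layer}/{plane}")
    return by_dim


if __name__ == "__main__":
    covered, gaps = coverage(SAMPLE_INVENTORY)
    print(f"{len(covered)}/{len(ALL_CELLS)} cells covered, {len(gaps)} gaps")
    for dim, cells in gap_report().items():
        print(f"  {dim}: {len(cells)} uncovered, e.g. {', '.join(cells[:3])}")
```

On the sample inventory the report shows what a dimension-only checklist would hide: confidentiality and integrity are handled on the management and control planes but not for end-user traffic, availability is addressed only at the infrastructure layer, and privacy has no countermeasure at all.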
Future Plan for Next Study Period (2017-2020)
 Q.2/17 will address all aspects of security architecture and
framework;
• OSI security architecture and security architecture in end-to-end
communication
• Guidelines and supplements to support Recommendation ITU-T X.805
• Other networks: NGN (Next Generation Network), Internet protocol
based networks, SDN (Software-defined Networking), etc.
• New topics: NFV (Network Function Virtualization), LTE/SAE (Long-Term
Evolution/System Architecture Evolution), etc.
 Q.2/17 will endeavour to improve the relationship with other
groups dealing with work related to security architecture and
framework.
• Questions in SG17: SDN, Mobile, P2P, IdM, etc.
• Other SGs: NGN, FN, IPCablecom, Multimedia, etc.
• External SDOs: ISO/IEC JTC 1/SC 27, IETF, 3GPP/3GPP2, etc.
Thank you very much
for your attention!
Rapporteur: Patrick MWESIGWA
Associate Rapporteur: Heung-Ryong OH and
Zhiyuan HU