The ITU-T NGN Security Standards

ITU-T / ATIS Workshop
“Next Generation Network Technology and
Standardization”
Las Vegas, 19-20 March 2006
The ITU-T NGN Security
Standards—Status and Challenges
Igor Faynberg, Ph.D.
Technical Manager, Lucent Technologies
ITU-T SG 13 Security (Q.15) Rapporteur
ITU-T
Outline
o Why NGN security?
o The ITU-T work on NGN Security
o Relationship to other SDOs
o Output of the NGN Focus Group
o Recent developments—starting the SG 13 Security work
o Top NGN security issues that need resolution
Security is among the key differentiators of the NGN. It is also among its biggest challenges!
Why Security? (Threat examples)
o Subscriber’s perspective
• Eavesdropping, theft of PIN codes
• Tele-spam
• Identity theft
• Infection by viruses, worms, and spyware
• Loss of privacy (call patterns, location, etc.)
• Flooding attacks on the end point
o Provider’s perspective
• Theft of service
• Denial of service
• Disclosure of network topology
• Non-audited configuration changes
• Additional related risks to the PSTN…
In NGN, known IP security vulnerabilities can make the PSTN vulnerable, too!
The ITU-T work on NGN Security
o SG 13: Lead Study Group on the NGN standardization (Question 15/13 is responsible for X.805-based NGN security)
o SG 17: Lead Study Group on Telecommunication Security—the fundamental X.800 series, PKI, etc.
o SG 4: Lead Study Group on Telecommunication Management—Management Plane security
o SG 11: Lead Study Group on signaling and protocols—security of the Control and Signaling planes
o SG 16: Lead Study Group on multimedia terminals, systems and applications—Multimedia security
o FGNGN has concluded; its work has moved to SG 13
Collaboration of ITU-T with other SDOs and fora on NGN security Recommendations
[Figure: ITU-T (SG 13, 17, 4, 11, 16, …) at the center, collaborating with ISO/IEC JTC1 SC 27 and others, IETF, ATIS, 3GPP, 3GPP2, ETSI TISPAN, TIA, and fora such as OASIS]
SG 13 is the Lead Study Group for NGN
SG 17 is the Lead Study Group for Security
Question 15 SG 13, NGN security
o Question 15 (NGN security) of SG 13, the ITU-T lead study group for NGN and satellite matters, will continue the standards work started by FGNGN WG 5.
o Q.15/13 major tasks are:
• Lead the NGN-specific security project-level issues within SG 13 and with other Study Groups. Recognizing SG 17’s overall role as the Lead Study Group for Telecommunication Security, advise and assist SG 17 on NGN security coordination issues.
• Apply the X.805 Security architecture to systems providing end-to-end communication within the context of an NGN environment
• Ensure that
— the developed NGN architecture is consistent with accepted security principles
— AAA principles are integrated as required throughout the NGN
FGNGN output: Security Requirements for NGN Release 1 (highlights)
o Security requirements for the Service Stratum
• IMS security
• Transport domain to NGN core network interface
• Open service platforms and applications security
• VoIP
• Emergency Telecommunication Services and Telecommunications for Disaster Relief
o Security requirements for the Transport Stratum
• NGN customer network domain
• Customer network to IP-Connectivity Access Network (IP-CAN) interface
• Core network functions
• NGN customer network to NGN customer network interface
FGNGN output: Guidelines for NGN Security Release 1 (highlights)
o General
• General principles and guidelines for building secure Next Generation Networks
• Detailed examination of IMS access security and NAT and firewall traversal
• NGN Security Models
• Security Associations model for NGN
o Security of the NGN subsystems
• IP-Connectivity Access Network
• IMS Network domain and IMS-to-non-IMS network security
• IMS access
• Framework for open platform for services and applications in NGN
• Emergency Telecommunications Service (ETS) and Telecommunications for Disaster Relief (TDR) Security
• Overview of the existing standard solutions related to NAT and firewall traversal
Focus of the current work of
Question 15 SG 13, NGN security
o Security Requirements for NGN Release 1
o Authentication requirements for NGN Release 1
o AAA Service for Network Access to NGN
o Guidelines for NGN Security Release 1
o Security considerations for Pseudowire (PWE)
technology
At the heart of securing network protocols, the biggest
challenge is authentication.
Major Issues for NGN Security Standardization
o Key distribution (for end-users and network elements) and Public Key Infrastructure
o “Network privacy”—topology hiding and NAT/Firewall traversal for real-time applications
o Convergence with IT security
o Management of security functions (e.g., policy)
o Guidelines on the implementation of the IETF protocols (e.g., IPsec options)
o Security for supporting access: DSL, WLAN, and cable access scenarios
o Guidelines for handling 3GPP vs. 3GPP2 differences in IMS Security
Both network assets and network traffic must be protected.
Proper management procedures will help prevent attacks from within.
Backup
Standard NGN Architecture
[Figure: NGN architecture diagram. Service Stratum: Third Party Applications; Application/Service Support Functions; Service (S.) User Profile Functions; Service Control Functions; IP Multimedia Component; IP Multimedia Service Component and PSTN/ISDN Simulation Service Component; PSTN/ISDN Emulation Service Component; Streaming Service Component; Other Multimedia Service Components … Transport Stratum: Transport (T.) User Profile Functions; Network Attachment Control Functions (NACF); Resource and Admission Control Functions (RACF); Access Network / Access Transport Functions; Edge Functions; Core Transport Functions. End-User Functions: NGN Terminals; Legacy Terminals (via GW); Customer Networks. Other Networks.]
* Note: Gateway (GW) may exist in either Transport Stratum or End-User Functions.
Acronyms
o 3GPP: 3rd Generation Partnership Project
o 3GPP2: 3rd Generation Partnership Project 2
o AAA: Authentication, Authorization, Accounting
o DSL: Digital Subscriber Line
o IETF: Internet Engineering Task Force
o IP-CAN: IP Connectivity Access Network
o ETSI: European Telecommunications Standards Institute
o IMS: IP Multimedia Subsystem
o ISO: International Organization for Standardization
o IT: Information Technology
o NAT: Network Address Translation
o NGN: Next Generation Networks
o PWE: PseudoWire Emulation
o RACF: Resource and Admission Control Function
o SIP: Session Initiation Protocol
o WLAN: Wireless LAN