Telecommunication Security

About This Presentation

Title:

Telecommunication Security

Description:

SG 17: Security, languages and telecommunication software ... Other SGs are developing security Recommendations for specific technologies ... – PowerPoint PPT presentation

Number of Views:705

Avg rating:3.0/5.0

Slides: 114

Provided by: stephaniem1

Category:

more less

Transcript and Presenter's Notes

Title: Telecommunication Security

1
Telecommunication Security
SOURCE ITU-T
TITLE ITU-T Security Standardization
AGENDA ITEM GTSC, agenda item 5.5
CONTACT Herb Bertine, hbertine_at_lucent.com
GSC11(06)_GTSC_07

Herbert Bertine
Chairman, ITU-T SG 17

2
High Level Security Drivers

ITU Plenipotentiary Conference (PP-02)
Intensify efforts on security
World Telecommunications Standardization Assembly
(WTSA-04)
Security robustness of protocols
Combating/Countering spam
World Summit on the Information Society (WSIS-05)
Cyber security

3
ITU-T Study Groups

ITU-T work is divided up between Study Groups
(SGs).
SG 2 Operational aspects of service provision,
networks and performance
SG 4 Telecommunication management
SG 5 Protection against electromagnetic
environment effects
SG 6 Outside Plant and related indoor
installations
SG 9 Integrated broadband cable networks and
television and sound transmission
SG 11 Signaling requirements and protocols
SG 12 Performance and quality of service
SG 13 Next Generation Networks
SG 15 Optical and other transport networks
SG 16 Multimedia services, systems and terminals
SG 17 Security, languages and telecommunication
software
SG 19 Mobile Telecommunications Networks
SG17 is the Lead Study Group on
telecommunication security.

4
Overview of ITU-T Security StandardizationCollabo
ration is key factor
5
WP 2/17 Security Questions (2005-2008)
Q8/17
Telecom Systems Users
Telebiometrics Multimodal Model Fwk System
Mechanism Protection Procedure X.1081
TelecomSystems
Q5/17
Secure Communication Services Mobile Secure
Communications Home Network Security
Security Web Services X.1121, X.1122
Q7/17
SecurityManagement ISM Guideline for
Telecom Incident Management Risk
Assessment Methodology etc X.1051
SecurityArchitecture Framework Architecture,
Model, Concepts, Frameworks,etc X.800
seriesX.805
Q9/17
Cyber SecurityOverview of Cyber-securityVulner
ability Information Sharing Incident Handling
Operations
Q6/17
Countering spam Technical anti-spam measures
Q17/17
New
Q4/17
Communications System Security
Vision, Coordination, Roadmap, Compendia
6
Highlights of whats new since GSC-10

Two new ITU-T Questions
Q.15/13, NGN security
Q.17/17, Countering spam by technical means
38 security Recommendations are under development
in Study Group 17
Other SGs are developing security Recommendations
for specific technologies for example 5 on NGN
security
Focus Group on Security Baseline For Network
Operators
New Horizons for Security Standardization
Workshop
Security standards roadmap
Cybersecurity web portal

7
Q.15/13 NGN Security

Recognizing that security is one of the
defining features of NGN, it is essential to put
in place a set of standards that will guarantee,
to the maximum degree possible, the security of
the telecommunications infrastructure as PSTNs
evolve to NGNs.
The NGN Security studies must address
and develop network architectures that
- Provide for maximal network and end-user
resource protection
- Allow for highly-distributed intelligence
end-to-end
- Allow for co-existence of multiple
networking technologies
- Provide for end-to-end security mechanisms
- Provide for security solutions that apply
over multiple administrative domains

8
Q.17/17 Combating spam by technical means

Spam has become a widespread problem
causing a complex range of problems to users,
service providers, and network operators around
the globe. While spam was originally used to send
unsolicited commercial messages, increasingly
spam messages are being used to spread viruses,
worms, and other malicious code that negatively
impact the security and stability of the global
telecommunication network. Spam may include the
delivery of phishing and spyware. It is a global
problem that requires a multifaceted,
comprehensive approach.
Study items to be considered include,
but are not limited to
- What risks does spam pose to the
telecommunication network?
- What technical factors associated with
the telecommunication network contribute to the
difficulty of identifying the sources of spam?
- How can new technologies lead to
opportunities to counter spam and enhance the
security of the telecommunication network?
- Do advanced telecommunication network
technologies (for example, SMS, instant
messaging, VoIP) offer unique opportunities for
spam that require unique solutions?
- What technical work is already being
undertaken within the IETF, in other fora, and by
private sector entities to address the problem of
spam?
- What telecommunication network
standardization work, if any, is needed to
effectively counter spam as it relates to the
stability and robustness of the telecommunication
network?

9
SG 17 Security Recommendations under development
(1/3)

Summaries of all Study Group 17 Recommendations
under development are available on the Study
Group 17 web page at www.itu.int/itu-t/studygroup
s/com17
Communications Systems Security Project
X.sbno, Security baseline for network operators
Security Architecture and Framework
X.805, Division of the security features between
the network and the users
X.805nsa, Network security certification based on
ITU-T Recommendation X.805
X.ngn-akm, Framework for authentication and key
management for link layer security of NGN
X.pak, Password-authenticated key exchange (PAK)
X.spn, Framework for creation, storage,
distribution and enforcement of security policies
for networks

10
SG 17 Security Recommendations under development
(2/3)

Cyber Security
X.cso, Overview of cybersecurity
X.sds, Guidelines for Internet Service Providers
and End-users for Addressing the Risk of Spyware
and Deceptive Software
X.cvlm, Guidelines on Cybersecurity Vulnerability
Life-cycle Management
X.vds, A vendor-neutral framework for automatic
checking of the presence of vulnerabilities
information update
Security Management
X.1051 (R), Information security management
guidelines for telecommunications based on
ISO/IEC 27002
X.rmg, Risk management guidelines for
telecommunications
X.sim, Security incident management guidelines
for telecommunications
Telebiometrics
X.bip, BioAPI interworking protocol
X.physiol, Telebiometrics related to human
physiology
X.tai, Telebiometrics authentication
infrastructure
X.tpp-1, A guideline of technical and managerial
countermeasures for biometric data security
X.tpp-2, A guideline for secure and efficient
transmission of multi-modal biometric data
X.tsm-1, General biometric authentication
protocol and profile on telecommunication systems
X.tsm-2, Profile of telecomunication device for
Telebiometrics System Mechanism (TSM)

11
SG 17 Security Recommendations under development
(2/3)

Secure Communication Services
X.crs, Correlative reacting system in mobile
network
X.homesec-1, Framework of security technologies
for home network
X.homesec-2, Certificate profile for the device
in the home network
X.homesec-3, User authentication mechanisms for
home network service
X.msec-3, General security value added service
(policy) for mobile data communication
X.msec-4, Authentication architecture in mobile
end-to-end data communication
X.p2p-1, Requirements of security for
peer-to-peer and peer-to-multi peer
communications
X.p2p-2, Security architecture and protocols for
peer to peer network
X.sap-1, Guideline on secure password-based
authentication protocol with key exchange
X.sap-2, Secure communication using TTP service
X.websec-1, Security Assertion Markup Language
(SAML) X.1141 now in AAP Last Call
X.websec-2, eXtensible Access Control Markup
Language (XACML) X.1142 now in AAP Last Call
X.websec-3, Security architecture for message
security in mobile web services
Countering spam by technical means
X.csreq, Requirement on countering spam
X.fcs, Technical framework for countering email
spam
X.gcs, Guideline on countering email spam
X.ocsip, Overview of countering spam for IP
multimedia application

12
SG 13 Security Recommendations under development

NGN Security
Security Requirements for NGN Release 1
Guidelines for NGN Security Release 1
Authentication requirements for NGN Release 1
AAA Service for Network Access to NGN
Security considerations for Pseudowire (PWE)
technology
Continuation of the work originated in the
ITU-T Focus Group on NGN

13
Focus Group Security Baseline for Network
Operators

Established October 2005 by SG 17
Objectives
Define a security baseline against which network
operators can assess their network and
information security posture in terms of what
security standards are available, which of these
standards should be used to meet particular
requirements, when they should be used, and how
they should be applied
Describe a network operators readiness and
ability to collaborate with other entities
(operators, users and law enforcement
authorities) to counteract information security
threats
Provide meaningful criteria that can be used by
network operators against which other network
operators can be assessed, if required.
Next Step
Survey network operators by means of a
questionnaire

14
New Horizons for Security Standardization Workshop

Workshop held in Geneva 3-4 October 2005
Objectives
Provide an overview of key international security
standardization activities
Seek to identify primary security concerns and
issues
Determine which issues are amenable to a
standards-based solution
Identify which SDOs are are best equipped to do
so and
Consider how SDOs can collaborate to improve the
timeliness and effectiveness of security
standards and avoid duplication of effort.
Results reported under following topics
What are the crucial problems in ICT security
standardization?
Meta issues and need for a global framework
Standards Requirements and Priorities
Liaison and information sharing
User issues
Technology and threat issues
Focus for future standardization work
Process issues
Follow-on issues
Report available at www.itu.int/ITU-T/worksem/sec
urity/200510/index.html

15
ICT Security Standards Roadmap

Four Part Roadmap
Part 1 contains information about organizations
working on ICT security standards
Part 2 is a database of existing security
standards
Presently includes ITU-T, ISO/IEC JTC1 and IETF
standards
Will be expanded to include other standards
Part 3 will be a list of standards in development
Part 4 will identify future needs and proposed
new standards
Publicly available under Special Projects and
Issues at
www.itu.int/ITU-T/studygroups/com17/index
We invite you to use the Roadmap, provide
feedback and help us develop it to meet your needs

16
The ITU Global Cybersecurity Gateway
LIVE at http//www.itu.int/cybersecurity Provides
an easy-to-use information resource on national,
regional and international cybersecurity-related
activities and initiatives worldwide.
17
Structure of the Cybersecurity Gateway

The portal is geared towards four specific
audiences Citizens Businesses
Governments, International Organizations
Database information collected within five main
themes
Information sharing of national approaches, good
practices and guidelines
Developing watch, warning and incident response
capabilities
Technical standards and industry solutions
Harmonizing national legal approaches and
international legal coordination and enforcement
Privacy, data and consumer protection.
Additional information resources on the following
topics spam, spyware, phishing, scams and
frauds, worms and viruses, denial of service
attacks, etc.

18
(No Transcript)
19
Some useful web resources

ITU-T Home page www.itu.int/itu-t
Study Group 17 www.itu.int/itu-t/studygroups/com
17
LSG on Security http//www.itu.int/ITU-T/studygrou
ps/com17/tel-security.html
e-mail tsbsg17_at_itu.int
Recommendations www.itu.int/ITU-T/publications/re
cs.html
ITU-T Lighthouse www.itu.int/ITU-T/lighthouse
ITU-T Workshops www.itu.int/ITU-T/worksem
Security Roadmap http//www.itu.int/ITU-T/studygr
oups/com17/ict/index.html
Cybersecurity Portal http//www.itu.int/cybersecu
rity

20
Closing Observations

Security is everybody's business
Collaboration with other SDOs is necessary
Security needs to be designed in upfront
Security must be an ongoing effort
Systematically addressing vulnerabilities
(intrinsic properties of networks/systems) is
keyso that protection can be provided
independent of what the threats (which are
constantly changing and may be unknown) may be
X.805 is helpful here

21
Additional details on security work in ITU-T
Study Groups- Study Group 17- Study Group
4- Study Group 9- Study Group 13- Study
Group 16- Study Group 19
22

ITU-T SG 17 Work on Security

23
Study Group 17 Security, languages and
telecommunication software

SG 17 is the Lead Study Group on
telecommunication security - It is responsible
for coordination of security across all Study
Groups.
Subdivided into three Working Parties (WPs)
WP1 - Open systems technologies
WP2 - Telecommunications security and
WP3 - Languages and telecommunications software
Most (but not all) security Questions are in WP2
Summaries of all draft Recommendations under
development in SG 17 are available on the SG 17
web page at www.itu.int/itu-t/studygroups/com17

24
Current SG 17 security-related Questions

Working Party 1
1/17 End-to-end Multicast Communications with
QoS Managing Facility
2/17 Directory services, Directory systems, and
public- key/attribute certificates
3/17 Open Systems Interconnection (OSI)
16/17 Internationalized Domain Names (IDN)
Working Party 2
4/17 Communications Systems Security Project
5/17 Security Architecture and Framework
6/17 Cyber Security
7/17 Security Management
8/17 Telebiometrics
9/17 Secure Communication Services
17/17 Countering spam by technical means

ITU-T SG 17 Question 4Communications Systems
Security Project
Security Workshop
ICT Security Roadmap
Focus Group on Security Baseline For Network
Operators

26
New Horizons for Security Standardization Workshop

Workshop held in Geneva 3-4 October 2005
Hosted by ITU-T SG17 as part of security
coordination responsibility
ISO/IEC JTC1 played an important role in planning
the program and in providing speakers/panelists.
Speakers, panelists, chairs from
ITU-T
ISO/IEC
IETF
Consortia OASIS, 3GPP
Regional SDOs ATIS, ETSI, RAIS

27
Workshop Objectives

Provide an overview of key international security
standardization activities
Seek to find out from stakeholders (e.g., network
operators, system developers, manufacturers and
end-users) their primary security concerns and
issues (including possible issues of adoption or
implementation of standards)
Try to determine which issues are amenable to a
standards-based solution and how the SDOs can
most effectively play a role in helping address
these issues
Identify which SDOs are already working on these
issues or are best equipped to do so and
Consider how SDOs can collaborate to improve the
timeliness and effectiveness of security
standards and avoid duplication of effort.

28
Workshop Results

Excellent discussions, feedback and suggestions
Documented in detail in the Workshop report
Results are reported under following topics
What are the crucial problems in ICT security
standardization?
Meta issues and need for a global framework
Standards Requirements and Priorities
Liaison and information sharing
User issues
Technology and threat issues
Focus for future standardization work
Process issues
Follow-on issues
The report is available on-line at
www.itu.int/ITU-T/worksem/security/200510/index.ht
ml

29
ICT Security Standards Roadmap(An SG 17
Work-in-progress)

Part 1 contains information about organizations
working on ICT security standards
Part 2 is database of existing security standards
Part 3 will be a list of standards in development
Part 4 will identify future needs and proposed
new standards

30
Roadmap access

Part 2 includes ITU-T, ISO/IEC JTC1 and IETF
standards. It will be expanded to include other
standards (e.g. regional and consortia
specifications).
It will also be converted to a Database format to
allow searching and to allow organizations to
manage their own data
Publicly available under Special Projects and
Issues at
www.itu.int/ITU-T/studygroups/com17/index
We invite you to use the Roadmap, provide
feedback and help us develop it to meet your
needs

31
Other Q.4/17 projects

Security in Telecommunications and Information
Technology an overview of existing ITU-T
Recommendations for secure telecommunications.
www.itu.int/ITU-T/publications/index.html
Security compendium
catalogue of approved ITU-T Recommendations
related to telecommunication security
extract of ITU-T approved security definitions
listing of ITU-T security related Questions
www.itu.int/ITU-T/studygroups/com17/tel-security.h
tml
We are in the process of establishing a Security
Experts Network (SEN) to maintain on-going
dialogue on key issues of security
standardization.

32
Focus Group Security Baseline for Network
Operators

Established October 2005 by SG 17
Objectives
Define a security baseline against which network
operators can assess their network and
information security posture in terms of what
security standards are available, which of these
standards should be used to meet particular
requirements, when they should be used, and how
they should be applied
Describe a network operators readiness and
ability to collaborate with other entities
(operators, users and law enforcement
authorities) to counteract information security
threats
Provide meaningful criteria that can be used by
network operators against which other network
operators can be assessed, if required.
Next Step
Survey network operators by means of a
questionnaire

ITU-T SG 17 Question 5Security Architecture and
Framework
Brief description of Q.5
Milestones
Draft Recommendations under development

34
Brief description of Q.5/17

Motivation
The telecommunications and information technology
industries are seeking cost-effective
comprehensive security solutions that could be
applied to various types of networks, services
and applications. To achieve such solutions in
multi-vendor environment, network security should
be designed around the standard security
architectures and standard security technologies.
Major tasks
Development of a comprehensive set of
Recommendations for providing standard security
solutions for telecommunications in collaboration
with other Standards Development Organizations
and ITU-T Study Groups.
Maintenance and enhancements of Recommendations
in the X.800 series
X.800, X.802, X.803, X.805, X.810, X.811,
X.812, X.813, X.814, X.815, X.816, X.830, X.831,
X.832, X.833, X.834, X.835, X.841, X.842 and
X.843

35
Q.5/17 Milestones

ITU-T Recommendation X.805, Security Architecture
for Systems Providing End-to-end Communications,
was published in 2003.
ISO Standard 18028-2, Network security
architecture, was developed in collaboration
between ITU-T Q.5/17 and ISO/IEC JTC 1 SC 27 WG
1. The Standard is technically aligned with
X.805. It was published in 2006.

36
ITU-T Recommendation X.805
X.805 defines a network security architecture for
providing end-to-end network security. The
architecture can be applied to various kinds of
networks where the end-to-end security is a
concern and independently of the networks
underlying technology.
37
Q.5/17 Draft Recommendations 1/2

Applications and further development of major
concepts of ITU-T Recommendation X.805
X.805, Division of the security features between
the network and the users. This Recommendation
specifies division of security features between
the networks and users. It provides guidance on
applying concepts of the X.805 architecture to
securing service providers, application
providers networks and the end users equipment.
X.805nsa, Network security certification based on
ITU-T Recommendation X.805. This Recommendation
describes the methodology, processes and controls
required for network security certification based
on ITU-T Recommendation X.805, Security
Architecture for Systems Providing End-to-End
Communications.

38
Q.5/17 Draft Recommendations 2/2

Standardization in support of Authentication
Security Dimension (defined in X.805)
X.pak, Password-authenticated Key Exchange
Protocol (PAK). This Recommendation specifies a
password-based protocol for authentication and
key exchange, which ensures mutual authentication
of both parties in the act of establishing a
symmetric cryptographic key via Diffie-Hellman
exchange.
X.ngn-akm, Framework for authentication and key
management for link layer security of NGN. This
Recommendation establishes a framework for
authentication and key management for securing
the link layer of NGN. It also provides guidance
on selection of the EAP methods for NGN.
Standardization of network security policies
X.spn, Framework for creation, storage,
distribution, and enforcement of security
policies for networks. This Recommendation
establishes security policies that are to drive
security controls of a system or service. It also
specifies a framework for creation, storage,
distribution, and enforcement of policies for
network security that can be applied to various
environmental conditions and network devices.

ITU-T SG 17 Question 6Cyber Security
Motivation
Objectives
Scope
Current area of focus
Draft Recommendations under development

40
Q.6/17 Motivation

Network connectivity and ubiquitous access is
central to todays IT systems
Wide spread access and loose coupling of
interconnected IT systems is a primary source of
widespread vulnerability
Threats such as denial of service, theft of
financial and personal data, network failures and
disruption of voice and data telecommunications
are on the rise
Network protocols in use today were developed in
an environment of trust.
Most new investments and development is dedicated
to building new functionality and not on securing
that functionality
An understanding of cybersecurity is needed in
order to build a foundation of knowledge that
can aid in securing the networks of tomorrow

41
Q.6/17 Objectives

Perform actions in accordance with Lead Study
Group (LSG) responsibility with the focus on
cybersecurity
Work with Q.1 of SG 2 on a definition of
Cybersecurity
Identify and develop standards required for
addressing the challenges in cybersecurity,
within the scope of Q.6/17
Provide assistance to other ITU-T Study Groups in
applying relevant cybersecurity Recommendations
for specific security solutions. Review
project-oriented security solutions for
consistency.
Maintain and update existing Recommendations
within the scope of Q.6/17.
Coordinate security activities with other ITU-T
SGs, ISO/IEC JTC 1 eg. SC6, SC27 and SC37), and
consortia as appropriate.
Provide awareness on new security technologies
related to cybersecurity

42
Q.6/17 Scope

Definition of Cybersecurity
Security of Telecommunications Network
Infrastructure
Security Knowledge and Awareness of Telecom
Personnel and Users
Security Requirements for Design of New
Communications Protocol and Systems
Communications relating to Cybersecurity
Security Processes Life-cycle Processes
relating to Incident and Vulnerability
Security of Identity in Telecommunication Network
Legal/Policy Considerations

43
Q.6/17 Current Area of Focus

Work with SG 2 on the definition and requirements
of cybersecurity.
Collaborate with Q5,7,9,17/17 and SG 2 in order
to achieve better understanding of various
aspects of network security.
Collaborate with IETF, OASIS, ISO/IEC JTC1, W3C,
APEC-TEL and other standardization bodies on
cybersecurity.
Work on framework for secure network operations
to address how telecommunications network
providers secure their infrastructure and
maintain secure operations.
Work on Recommendation for standardization of
vulnerability data definition.
Study new cybersecurity issues How should ISPs
deal with botnets, evaluating the output of
appropriate bodies when available.
Call for contributions for the outstanding
questions identified in the revised scope.

44
Q.6/17 Draft Recommendations 1/2

Overview of Cybersecurity (X.cso)
This Recommendation provides a definition for
Cybersecurity. The Recommendation provides a
taxonomy of security threats from an operator
point of view. Cybersecurity vulnerabilities and
threats are presented and discussed at various
network layers.
Various Cybersecurity technologies that are
available to remedy the threats include Routers,
Firewalls, Antivirus protection, Intrusion
detection systems, Intrusion protection systems,
Secure computing, Audit and Monitoring. Network
protection principles such as defence in depth,
access and identity management with application
to Cybersecurity are discussed. Risk Management
strategies and techniques are discussed including
the value of training and education in protecting
the network. A discussion of Cybersecurity
Standards, Cybersecurity implementation issues
and certification are presented.
A vendor-neutral framework for automatic checking
of the presence of vulnerabilities information
update (X.vds)
This Recommendation provides a framework of
automatic notification on vulnerability
information. The key point of the framework is
that it is a vendor-neutral framework. Once users
register their software, updates on the
vulnerabilities and patches of the registered
software will automatically be made available to
the users. Upon notification, users can then apply

45
Q.6/17 Draft Recommendations 2/2

Guidelines for Internet Service Providers and
End-users for Addressing the Risk of Spyware and
Deceptive Software (X.sds)
This Recommendation provides guidelines for
Internet Service Providers (ISP) and end-users
for addressing the risks of spyware and deceptive
software. The Recommendation promotes best
practices around principles of clear notices, and
users consents and controls for ISP web hosting
services. The Recommendation also promotes best
practices to end-users on the Internet to secure
their computing devices and information against
the risks of spyware and deceptive software
Guidelines on Cybersecurity Vulnerability
Life-cycle Management(X.cvlm)
The Recommendation provides a framework for the
provision of monitoring, discovering, responding
and post-analysis of vulnerabilities. Service
providers can use this Recommendation to
complement their existing Information Security
Management System process in the aspect of
regular vulnerability assessment, vulnerability
management, incident handling and incident
management.

ITU-T SG 17 Question 7Security Management
Systems
Tasks
Recommendations planned
Revised X.1051
Approach for revised X.1051

47
Q.7/17 Tasks

Information Security Management Guidelines for
telecommunications (Existing X.1051,
Information security management system
Requirements for telecommunications (ISMS-T) )
Maintain and revise Recommendation X.1051,
Information Security Management Guidelines for
telecommunications based on ISO/IEC27002.Jointl
y develop a guideline of information security
management with ISO/IEC JTC 1/SC 27.
Risk Management MethodologyStudy and develop a
methodology of risk management for
telecommunications in line with Recommendation
X.1051.Produce and consent a new ITU-T
Recommendation for risk management methodology.
Incident ManagementStudy and develop a handling
and response procedure on security incidents for
the telecommunications in line with
Recommendation X.1051.Produce and consent a new
ITU-T Recommendation for incident management
methodology and procedures.

48
Recommendations planned in Q.7/17 (Security
Management)

X.1050 To be proposed
X.1051 In revision process Information Security
Management Guidelines for Telecommunications
based on ISO/IEC 27002
X.1052 To be proposed
X.1053 To be proposed (Implementation Guide for
Telecoms)
X.1054 To be proposed (Measurements and metrics
for Telecommunications)
X.1055 In the first stage of development Risk
Management Guidelines for Telecommunications
X.1056 In the first stage of development
Security Incident Management Guidelines for
Telecommunications
X.1057 To be proposed (Identity Management for
Telecoms)

49
Information security management guidelines for
Telecommunications (Revised X.1051)
Revised X.1051
Security policy
Organising information security
Asset management
Human resources security
Physical environmental security
Communications operations management
Access control
Information systems acquisition, development and
maintenance
Information security incident management
Business continuity management
Compliance
50
Q.7/17 Approach to develop revised
Recommendation X.1051
27002
51

ITU-T SG 17 Question 8Telebiometrics
Objectives
Study areas on Biometric Processes
X.1081 and draft Recommendations under development

52
Q.8/17 Objectives

1)To define telebiometric multimodal model
framework
2)To specify biometric authentication mechanism
in open network
3)To provide protection procedures and
countermeasures for telebiometric systems

53
Q.8/17 Study areas on Biometric Processes
54
Q.8/17 Recommendations 1/4

X.1081 The telebiometric multimodal model
framework A framework for the specification of
security and safety aspects of telebiometrics
This Recommendation defines a telebiometric
multimodal model that can be used as a framework
for identifying and specifying aspects of
telebiometrics, and for classifying biometric
technologies used for identification (security
aspects).
X.physiol Telebiometrics related to human
physiology
This Recommendation gives names and symbols for
quantities and units concerned with emissions
from the human body that can be detected by a
sensor, and with effects on the human body
produced by the telebiometric devices in his
environments.

55
Q.8/17 Recommendations 2/4

X.tsm-1 General biometric authentication
protocol and profile on telecommunication system
This Recommendation defines communication
mechanism and protocols of biometric
authentication for unspecified end-users and
service providers on open network.
X.tsm-2 Profile of telecomunication device for
Telebiometrics System Mechanism (TSM)
This Recommendation defines the requirements,
security profiles of client terminals for
biometric authentication over the open network.

56
Q.8/17 Recommendations 3/4

X.tai Telebiometrics authentication
infrastructure
This Recommendation specifies a framework to
implement biometric identity authentication with
certificate issuance, management, usage and
revocation.
X.bip BioAPI interworking protocol
This Recommendation is common text of ITU-T and
ISO/IEC JTC1 SC37. It specifies the syntax,
semantics, and encodings of a set of messages
("BIP messages") that enable BioAPI-conforming
application in telebiometric systems.

57
Q.8/17 Recommendations 4/4

X.tpp-1 A guideline of technical and managerial
countermeasures for biometric data security
This Recommendation defines weakness and
threats in operating telebiometric systems and
proposes a general guideline of security
countermeasures from both technical and
managerial perspectives.
X.tpp-2 A guideline for secure and efficient
transmission of multi-modal biometric data
This Recommendation defines threat
characteristics of multi-modal biometric system,
and provides cryptographic methods and network
protocols for transmission of multi-modal
biometric data.

ITU-T SG 17 Question 9
Secure Communication Services
Focus
Position of each topic
Mobile security
Home network security
Web services security
Secure applications services

59
Q.9/17 Focus

Develop a set of standards of secure application
services, including
Mobile security Under study
Home network security Under study
Web Services security Under study
Secure application services Under study
Privacy protection for RFID and multimedia
content and digital Identity management To be
studied

60
Position of each topic
Web Services security
Application Server
Home Network
Mobile Terminal
Open Network
Mobile Network
Home network security
Mobile security
Secure application services
61
Q.9/17 - Mobile Security

X.1121, Framework of security technologies for
mobile end-to-end data communications Approved
2004
X.1122, Guideline for implementing secure mobile
systems based on PKI Approved 2004
X.msec-3, General security value added service
(policy) for mobile data communication
Develops general security service as value added
service for secure mobile end-to-end data
communication.
X.msec-4, Authentication architecture in mobile
end-to-end data communication
Constructs generic authentication architecture
for mobile data communication between mobile
users and application servers.
X.crs, Correlative reacting system in mobile
network
Develops the generic architecture of a
correlative reactive system to protect the mobile
terminal against Virus, worms, Trojan-Horses or
other network attacks to both the mobile network
and its mobile users.

62
Q.9/17 - Home network security

X.homesec-1, Framework for security technologies
for home network
Framework of security technologies for home
network
Define security threats and security
requirements, security functions, security
function requirements for each entity in the
network, and possible implementation layer
X.homesec-2, Certificate profile for the device
in the home network
Device certificate profile for the home network
Develops framework of home network device
certificate.
X.homesec-3, User authentication mechanisms for
home network service
User authentication mechanisms for home network
service.
Provides the user authentication mechanism in the
home network, which enables various
authentication means such as password,
certificate, biometrics and so on.

63
Q.9/17 - Web Services security

X.websec-1, Security Assertion Markup Language
(SAML)
Security assertion markup language
Adoption of OASIS SAML v2.0 into ITU-T
Recommendation X.1141 - Consented April 2006
Define XML-based framework for exchanging
security information.
The security information expressed in the form of
assertions about subjects, where a subject is an
entity (either human or computer) that has an
identity in some security domain.
X.websec-2, eXtensible Access Control Markup
Language (XACML)
eXtensible Access Control Markup Language
Adoption of OASIS XACML v2.0 into ITU-T
Recommendation X.1142 - Consented April 2006
Provides an XML vocabulary for expressing access
control policies and the syntax of the language
and the rules for evaluating policies.
X.websec-3, Security architecture for message
security in mobile Web Services
Develops a guideline on message security
architecture and service scenarios for securing
messages for mobile Web Services.

64
Q.9/17 - Secure applications services

X.sap-1, Guideline on strong password
authentication protocols
Guideline on secure password-based authentication
protocol with key exchange.
Define a set of requirements for password-based
protocol with key exchange and a selection
guideline by setting up criteria that can be used
in choosing an optimum authentication protocol
for each application.
X.sap-2, Secure communication using TTP service
Secure end-to-end data communication techniques
using TTP services
Specifies secure end-to-end data communication
techniques using TTP services that are services
defined in X.842 or other services.
X.p2p-1, Anonymous authentication architecture in
community communication
Requirements of security for peer-to-peer and
peer-to-multi peer communications
Investigates threat analysis for P2P and P2MP
communication services and describes security
requirements for secure P2P and P2MP
communication services.
X.p2p-2, Security architecture and protocols for
peer to peer network
Security architecture and protocols for peer to
peer network
Describes the security techniques and protocols
in the P2P environment.

ITU-T SG 17 Question 17
Countering spam by technical means
Objectives
Set of Recommendations

66
Q.17/17 Objectives

The aim of this Question is to develop a set of
Recommendations on countering spam by technical
means for ITU-T, taking into account the need for
collaboration with ITU-T other Study Groups and
cooperation with other SDOs. The Question focuses
particularly on technical requirement, frameworks
and new technologies for countering spam.
Guidelines on countering spam by technical means
are also studied.

67
Q.17/17 Set of Recommendations
68
Q.17/17 Brief Summaries of draft Recommendations
under development 1/2

X.csreq, Requirement on countering spamThis
Recommendation provides the general
characteristics of spam, elicits generic
objectives and provides an overview of the
technical requirements on countering spam. In
addition, this Recommendation provides checklist
to evaluate the solution on countering spam.
X.fcs, Technical framework for countering email
spam
This Recommendation specifies the technical
framework for network structure for the
countering spam. Functions inside the framework
are defined. It also includes the commonsensible
characteristics of email spam, the universal
rules of judgement and the common methods of
countering email spam.

69
Q.17/17 Brief Summaries of draft Recommendations
under development 2/2

X.gcs, Guideline on countering email spam
(X.gcs)
This Recommendation specifies technical
issues on countering email spam. It provides the
current technical solutions and related
activities from various SDOs and relevant
organizations on countering email spam. It will
be used as a basis for further development of
technical Recommendations on countering email
spam.
X.ocsip, Overview of countering spam for IP
multimedia applicationThis Recommendation
specifies basic concepts, characteristics, and
effects of spam in IP multimedia applications
such as IP Telephony, video on demand, IP TV,
instant messaging, multimedia conference, etc. It
will provide basis and guideline for developing
further technical solutions on countering spam.

Security Work in other ITU-T Study Groups
SG 4 Security of Management plane
SG 9 IPCablecom
SG 13 NGN security
SG 16 Multimedia security
SG 19 Security in IMT-2000

ITU-T SG 4 Work on Security

72
SG 4 Security of the Management Plane (M.3016
series)

Approved last year, the M.3016 series is viewed
as a key aspect of NGN Management it is included
in the NGN Management Roadmap issued by the
NGNMFG
In M.3060 on the Principles of NGN Management
The M.3016 series consists of 5 parts
M.3016.0 Overview
M.3016.1 Requirements
M.3016.2 Services
M.3016.3 Mechanisms
M.3016.4 Profile proforma
The role of M.3016.4 is unique in that it
provides a template for other SDOs and forums to
indicate for their membership what parts of
M.3016 are mandatory or optional

ITU-T SG 9 Work on Security

74
SG 9 IPCablecom Evolution

Enhance cables existing IP service environment
to accelerate the convergence of voice, video,
data, and mobility
Define an application agnostic architecture that
allows cable operators to rapidly innovate new
services
Provide a suite of Recommendations that define
the elements and interfaces needed to facilitate
multi-vendor interoperability
Incorporate leading communications technologies
from the IETF and 3GPP IMS

75
SG 9 IPCablecom Evolution
76
SG 9 Targeted Applications

Enhanced Cable Voice and Video IP Telephony
Support for new media and client types (e.g.,
video telephony, soft clients)
Call treatment based on presence, device
capability, identity
Maintain support for cable telephony features
enabled by current IPCablecom Recommendations
Fixed-mobile Convergence over Cable
Support for dual mode cellular/WiFi handsets over
DOCSIS
Call handover between IPCablecom VoIP networks
and cellular networks
Integrated features and call control between
cellular and VoIP platforms
Cable Cross-Platform Features
Cross platform notification, messaging (e.g.,
Caller-ID on TV)
Third-party call control features, such as Click
to dial

77
SG 9 Design Approach

Incorporate new IP communication technologies
Focus on the Session Initiation Protocol (SIP)
and supporting protocols
Leverage the 3GPP IMS as a service delivery
platform
Develop a modular and extensible architecture
that allows new services to be added without
impacting the core IPCablecom infrastructure
Ensure backward compatibility with existing
IPCablecom Recommendations
Support a wide variety of client devices

78
SG 9 IPCablecom Security Requirements Under
Consideration

Support a range of authentication schemes
UICCs (similar to SIM card)
Digital Certificates (existing IPCablecom EMTAs)
SIP digest (software clients)
Support a range of secure signaling options
IPsec
TLS
Disabled
Support secure configuration before registration
Support TLS for intra-domain security
Minimize changes to IMS
Reuse existing standards

79
SG 9 DOCSIS Base Line Privacy Plus

The primary goals of DOCSIS BPI are to provide
privacy of customer traffic, integrity of
software downloads, and prevent theft of service.
DOCSIS BPI provides a number of tools to support
these goals
Traffic encryption for privacy/confidentiality.
Secure Software Download to assure a valid CM
image.
Configuration file authentication to help secure
the provisioning process.
Focus is on the link layer between the CMTS and
CM. Security outside the DOCSIS network is
provided by applications and other networks.

80
SG 9 DOCSIS BPI Security Algorithms

A Cable Modem Terminations System (CMTS)
authenticates cable modems (CM) using X.509
certificates and RSA public key cryptography.
Subscriber Traffic encryption
3DES used for key exchange
DES used for traffic encryption. AES being
considered for future DOCSIS versions.
SW download image validation is performed using
X.509 certificates and digital signatures using
RSA public key cryptography.
Message integrity checks (MIC) with keyed MD5
hash used for CM configuration file security.

ITU-T SG 13 Work on Security

82
SG 13 NGN Security Outline

Why NGN security?
The ITU-T work on NGN Security
Relationship to other SDOs
Output of the NGN Focus Group
Recent developmentsstarting the SG 13 Security
work
Top NGN security issues that need resolution

Security is among the key differentiators of the
NGN. It is also among its biggest challenges!..
83
SG 13 Why Security?(Threat examples)

Providers perspective
Theft of service
Denial of service
Disclosure of network topology
Non-audited configuration changes
Additional related risks to the PSTN

Subscribers perspective
Eavesdropping, theft of PIN codes
Tele-spam
Identity theft
Infection by viruses, worms, and spyware
Loss of privacy (call patterns, location, etc.)
Flooding attacks on the end point

In NGN, known IP security vulnerabilities can
make PSTN vulnerable, too!
84
SG 13 The ITU-T work on NGN Security

SG 13 Lead Study Group on the NGN
standardization. (Question 15/13 is responsible
for X.805-based NGN security)
SG 17 Lead Study Group on Telecommunication
Securitythe fundamental X.800 series, PKI, etc.
SG 4 Lead Study Group on Telecommunication
ManagementManagement Plane security
SG 11 Lead Study Group on signaling and
protocolssecurity of the Control and Signaling
planes
SG 16 Lead Study Group on multimedia terminals,
systems and applicationsMultimedia security

FGNGN has concluded its work has moved to SG 13
85
Collaboration of ITU-T with other bodies on NGN
security Recommendations
ATIS
ISO/IEC JTC1 SC 27,
ITU-T SG 13, 17, 4, 11, 16
IETF
3GPP
3GPP2
Fora (such as OASIS)
ETSI TISPAN
TIA
SG 13 is the Lead Study Group for NGN SG 17 is
the Lead Study Group for Security
86
SG 13 Question 15, NGN security

Question 15 (NGN security) of SG 13 ITU-T lead
study group for NGN and satellite matters - will
continue standards work started by FGNGN WG 5.
Q.15/13 major tasks are
Lead the NGN-specific security project-level
issues within SG 13 and with other Study Groups.
Recognizing SG 17s overall role as the Lead
Study Group for Telecommunication Security,
advise and assist SG 17 on NGN security
coordination issues.
Apply the X.805 Security architecture for systems
providing end-to-end communication within the
context of an NGN environment
Ensure that
the developed NGN architecture is consistent with
accepted security principles
Ensure that AAA principles are integrated as
required throughout the NGN

87
SG 13 FGNGN output Security Requirements for
NGN Release 1 (highlights)

Security requirements for the Transport Stratum
NGN customer network domain
Customer network to IP-Connectivity Access
Network (IP-CAN) interface
Core network functions
NGN customer network to NGN customer network
interface

Security requirements for the Service Stratum
IMS security
Transport domain to NGN core network interface
Open service platforms and applications security
VoIP
Emergency Telecommunication Services and
Telecommunications for Disaster Relief

88
SG 13 FGNGN output Guidelines for NGN Security
Release 1 (highlights)

General
General principles and guidelines for building
secure Next Generation Networks
Detailed examination of IMS access security and
NAT and firewall traversal
NGN Security Models
Security Associations model for NGN

Security of the NGN subsystems
IP-Connectivity Access Network
IMS Network domain and IMS-to-non-IMS network
security
IMS access
Framework for open platform for services and
applications in NGN
Emergency Telecommunications Service (ETS) and
Telecommunications for Disaster Relief (TDR)
Security
Overview of the existing standard solutions
related to NAT and firewall traversal

89
SG 13 Focus of the current work of Question 15,
NGN security

Security Requirements for NGN Release 1
Authentication requirements for NGN Release 1
AAA Service for Network Access to NGN
Guidelines for NGN Security Release 1
Security considerations for Pseudowire (PWE)
technology

At the heart of securing network protocols, the
biggest challenge is authentication.
90
SG 13 Major Issues for NGN Security
Standardization

Key distribution (for end-users and network
elements) and Public Key Infrastructure
Network privacytopology hiding and
NAT/Firewall traversal for real-time applications
Convergence with IT security
Management of security functions (e.g., policy)
Guidelines on the implementation of the IETF
protocols (e.g., IPsec options)
Security for supporting access DSL, WLAN, and
cable access scenarios
Guidelines for handling 3GPP vs. 3GPP2
differences in IMS Security

Bothnetwork assets and network trafficmust be
protected. Proper management procedures will help
prevent attacks from within.
91
SG 13 NGN Architecture
92

ITU-T SG 16 Work on Security

93
Question 25/16 Multimedia Security
inNext-Generation Networks (NGN-MM-SEC)

Study Group 16 concentrates on Multimedia
systems.
Q.25/16 focuses on the application-security
issues of MM applications in next generation
networks
Standardizes Multimedia Security
So far Q.25 has been standardizing MM-security
for the 1st generation MM/pre-NGN?-systems
H.323/H.248-based systems.

94
Evolution of H.235
Improvement and Additions
Consolidation
1st Deployment
Core SecurityFrameworkEngineering
H.235V3 Amd1 Annex H
H.235V3 Amd1
H.235V3 Annex I
H.235 Annex G
H.235V2 Annex D Annex E approved
Security Profiles Annex D Annex E started
Annex F H.530 consent
H.235V1 approved
Initial Draft
H.323V5
H.323V2
H.323V4
1997
1998
1999
2000
2001
2002
2003
2004
1996
gt 2005
95
H.235 V4 Subseries Recommendations

Major restructuring of H.235v3 Amd1 and annexes
in stand-alone subseries Recommendations
H.235.x subseries specify scenario-specific
MM-security procedures as H.235-profiles for
H.323
Some new parts added
Some enhancements and extensions
Incorporated corrections
Approved in Sept. 2005

96
H.323 Security Recommendations (1)

H.235.0 Security framework for H-series (H.323
and other H.245-based) multimedia systems
Overview of H.235.x subseries and common
procedures with baseline text
H.235.1 "Baseline Security Profile
Authentication integrity for H.225.0 signaling
using shared secrets
H.235.2 "Signature Security Profile
Authentication integrity for H.225.0 signaling
using X.509 digital certificates and signatures

97
H.323 Security Recommendations (2)

H.235.3 "Hybrid Security Profile"
Authentication integrity for H.225.0 signaling
using an optimized combination of X.509 digital
certificates, signatures and shared secret key
managementspecification of an optional
proxy-based security processor
H.235.4 "Direct and Selective Routed Call
Security"
Key management procedures in corporate and in
interdomain environments to obtain key material
for securing H.225.0 call signaling in GK
direct-routed/selective routed scenarios

enhanced
extended
98
H.323 Security Recommendations (3)

H.235.5 "Framework for secure authentication in
RAS using weak shared secrets"
Secured password (using EKE/SPEKE approach) in
combination with Diffie-Hellman key agreement for
stronger authentication during H.225.0 signaling
H.235.6 "Voice encryption profile with native
H.235/H.245 key management"
Key management and encryption mechanisms for RTP

enhanced
modified
99
H.323 Security Recommendations (4)

H.235.7 "Usage of the MIKEY Key Management
Protocol for the Secure Real Time Transport
Protocol (SRTP) within H.235"
Usage of the MIKEY key management for SRTP
H.235.8 "Key Exchange for SRTP using secure
Signalling Channels"
SRTP keying parameter transport over secured
signaling channels (IPsec, TLS, CMS)
H.235.9 "Security Gateway Support for H.323"
Discovery of H.323 Security Gateways(SG H.323
NAT/FW ALG) and key management for H.225.0
signaling