ITU-T Recommendation
X.805 Security Architecture for
Systems Providing End-to-End
Communications
IETF 63 meeting
Zachary Zeltsan,
Bell Laboratories,
Lucent Technologies
Rapporteur of Question 5 SG 17
Outline
• Origin of the ITU-T Recommendation X.805 - Security Architecture for Systems Providing End-to-End Communications
• Three main issues that X.805 addresses
• Security Dimensions
• Security Layers
• Security Planes
• ITU-T X.805 Security Architecture
• ITU-T Recommendation X.805 as a base for security work in the FGNGN Security Capability WG
Origin of the ITU-T Recommendation X.805
• ITU-T Recommendation X.805, Security architecture for systems providing end-to-end communications, was developed by ITU-T SG 17 (the ITU-T Lead Study Group on Telecommunication Security) and was published in October 2003.
• The group has developed a set of well-recognized Recommendations on security. Among them are the X.800 series of Recommendations on security and X.509, Public-key and Attribute Certificate Frameworks.
Three main issues that X.805
addresses
The security architecture addresses three essential
issues:
1. What kind of protection is needed and against what
threats?
2. What are the distinct types of network equipment and
facility groupings that need to be protected?
3. What are the distinct types of network activities that
need to be protected?
ITU-T X.800 Threat Model (simplified)
1 - Destruction (an attack on availability):
– Destruction of information and/or network resources
2 - Corruption (an attack on integrity):
– Unauthorized tampering with an asset
3 - Removal (an attack on availability):
– Theft, removal or loss of information and/or other resources
4 - Disclosure (an attack on confidentiality):
– Unauthorized access to an asset
5 - Interruption (an attack on availability):
– Interruption of services; the network becomes unavailable or unusable
Eight Security Dimensions Address the Breadth of Network Vulnerabilities
• Access Control: limit and control access to network elements, services and applications. Examples: password, ACL, firewall
• Authentication: provide proof of identity. Examples: shared secret, PKI, digital signature, digital certificate
• Non-repudiation: prevent the ability to deny that an activity on the network occurred. Examples: system logs, digital signatures
• Data Confidentiality: ensure confidentiality of data. Example: encryption
• Communication Security: ensure information only flows from source to destination. Examples: VPN, MPLS, L2TP
• Data Integrity: ensure data is received as sent or retrieved as stored. Examples: MD5, digital signature, anti-virus software. (Caveat: an unkeyed hash such as MD5 only detects accidental corruption; an attacker who can rewrite the data can recompute the hash, so integrity against tampering needs a keyed MAC or a digital signature. MD5 is also no longer collision-resistant.)
• Availability: ensure network elements, services and applications are available to legitimate users. Examples: IDS/IPS, network redundancy, BC/DR
• Privacy: ensure identification and network use is kept private. Examples: NAT, encryption
The eight Security Dimensions are applied to each Security Perspective (layer and plane).
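The following is an added example, not part of the original slides, illustrating the Data Integrity dimension: the slide's MD5 example (an unkeyed digest sent alongside the data) versus a keyed MAC (HMAC-SHA256). The on-path attacker model, the routing-update message and the key are constructed for the demonstration; the attacker's rewrite target (198.51.100.9) is an arbitrary documentation address.

```python
"""Added example (not part of the X.805 slides): the Data Integrity dimension
with an unkeyed digest (the slide's MD5 example) versus a keyed MAC.  An
attacker who can rewrite data in transit can also recompute an unkeyed digest,
so the receiver detects nothing; with HMAC the attacker lacks the key and the
forgery fails verification.  Message, key and attacker are constructed."""
import hashlib
import hmac
import secrets

# Constructed sample payload: a routing update as it might cross a link.
MESSAGE = b"route add 10.20.0.0/16 via 192.0.2.1"


def unkeyed_digest(message: bytes) -> str:
    """Slide's 'MD5' example: the digest travels next to the data, nothing is secret."""
    return hashlib.md5(message).hexdigest()


def verify_unkeyed(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(unkeyed_digest(message), digest)


def keyed_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: computing or checking the tag requires the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_keyed(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest avoids leaking the tag through timing differences.
    return hmac.compare_digest(keyed_tag(key, message), tag)


def attacker_rewrite(message: bytes) -> bytes:
    """On-path attacker redirects the route to a host it controls (constructed)."""
    return message.replace(b"via 192.0.2.1", b"via 198.51.100.9")


def attack_unkeyed(message: bytes) -> tuple:
    """Attacker rewrites the data and simply recomputes the public digest."""
    forged = attacker_rewrite(message)
    return forged, unkeyed_digest(forged)


def attack_keyed(message: bytes, tag: str) -> tuple:
    """Without the key, the attacker's best option is to replay the old tag."""
    return attacker_rewrite(message), tag


def run_demo() -> dict:
    """Run both attacks against a fresh random key and report what the receiver accepts."""
    key = secrets.token_bytes(32)
    forged, forged_digest = attack_unkeyed(MESSAGE)
    forged2, stale_tag = attack_keyed(MESSAGE, keyed_tag(key, MESSAGE))
    return {
        "unkeyed_tamper_accepted": verify_unkeyed(forged, forged_digest),  # True: undetected
        "keyed_tamper_accepted": verify_keyed(key, forged2, stale_tag),    # False: detected
        "keyed_genuine_accepted": verify_keyed(key, MESSAGE, keyed_tag(key, MESSAGE)),
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

The same distinction is why the transport protections named elsewhere in the deck (IPsec, TLS) protect integrity with keyed MACs or AEAD ciphers rather than bare digests; a digital signature gives the same protection plus non-repudiation, at the cost of asymmetric-key operations.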
How the Security Dimensions Map to the Security Threats
X.800 Security Threats: Destruction, Corruption, Removal, Disclosure, Interruption

Security Dimension        Threats addressed
Access Control            4 of the 5
Authentication            2 of the 5
Non-Repudiation           all 5
Data Confidentiality      2 of the 5
Communication Security    2 of the 5
Data Integrity            2 of the 5
Availability              2 of the 5
Privacy                   1 of the 5
(The slide marks each dimension/threat pair with a check mark; only the number of marks per row survived extraction, not the columns they fall in.)
Security Layers
• The concept of Security Layers represents a hierarchical approach to securing a network.
• Mapping network equipment and facility groupings to Security Layers helps determine how network elements in the upper layers can rely on the protection that the lower layers provide.
Three Security Layers
• Each Security Layer has unique vulnerabilities and threats
• Infrastructure security enables services security, which enables applications security
(Figure: the three Security Layers stacked as Infrastructure Security, Services Security, Applications Security; vulnerabilities can exist in each layer and are exposed, via attacks, to the threats Destruction, Disclosure, Corruption, Removal and Interruption.)
1 - Infrastructure Security Layer:
• Fundamental building blocks of network services and applications
• Examples:
– Individual routers, switches, servers
– Point-to-point WAN links
– Ethernet links
2 - Services Security Layer:
• Services provided to end-users
• Examples:
– Frame Relay, ATM, IP
– Cellular, Wi-Fi
– VoIP, QoS, IM, Location services
– Toll free call services
3 - Applications Security Layer:
• Network-based applications accessed by end-users
• Examples:
– Web browsing
– Directory assistance
– Email
– E-commerce
Example: Applying Security Layers to IP Networks
Infrastructure Security Layer
– Individual routers, servers
– Communication links
Services Security Layer
– Basic IP transport
– IP support services (e.g., AAA, DNS, DHCP)
– Value-added services (e.g., VPN, VoIP, QoS)
Applications Security Layer
– Basic applications (e.g., FTP, web access)
– Fundamental applications (e.g., email)
– High-end applications (e.g., e-commerce, e-training)
Security Planes
• The concept of Security Planes helps ensure that essential network activities are protected independently (e.g., a compromise of security in the End-User Security Plane does not affect functions associated with the Management Security Plane).
• The concept of Security Planes also helps identify potential network vulnerabilities that arise when distinct network activities depend on the same security measures for protection.
Three Security Planes
• Security Planes represent the types of activities that occur on a network.
• Each Security Plane is applied to every Security Layer to yield nine Security Perspectives (3 x 3).
• Each Security Perspective has unique vulnerabilities and threats.
(Figure: the three Security Planes, End User Security, Control/Signaling Security and Management Security, crossed with the three Security Layers, Infrastructure Security, Services Security and Applications Security; vulnerabilities can exist in each layer and plane and are exposed, via attacks, to the threats Destruction, Disclosure, Corruption, Removal and Interruption.)
1 - End-User Security Plane:
• Access and use of the network by the customers for various purposes:
– Basic connectivity/transport
– Value-added services (VPN, VoIP, etc.)
– Access to network-based applications (e.g., email)
2 - Control/Signaling Security Plane:
• Activities that enable efficient functioning of the network
• Machine-to-machine communications
3 - Management Security Plane:
• The management and provisioning of network elements, services and applications
• Support of the FCAPS functions
Example: Applying Security Planes to Network Protocols
End User Security Plane
Activities:
• End-user data transfer
• End-user – application interactions
Protocols:
• HTTP, RTP, POP, IMAP
• TCP, UDP, FTP
• IPsec, TLS
Control/Signaling Security Plane
Activities:
• Update of routing/switching tables
• Service initiation, control, and teardown
• Application control
Protocols:
• BGP, OSPF, IS-IS, RIP, PIM
• SIP, RSVP, H.323, SS7
• IKE, ICMP
• PKI, DNS, DHCP, SMTP
Management Security Plane
Activities:
• Operations
• Administration
• Management
• Provisioning
Protocols:
• SNMP
• Telnet
• FTP
• HTTP
Note that the same protocol can appear in more than one plane (HTTP and FTP above): the plane is determined by the activity, not by the protocol. Telnet, FTP, cleartext HTTP and SNMPv1/v2c carry management credentials unprotected on the wire; their protected counterparts (SSH, SFTP/SCP, HTTPS, SNMPv3) should be used in the Management Plane.
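The following is an added example, not part of the original slides, that puts the plane assignments of this slide to work: it classifies flow records into the three Security Planes and flags management-plane flows that use cleartext protocols. Plane membership of each protocol follows the slide; port numbers are the IANA well-known ports; the device roles (which addresses are routers) and the flow records are constructed. Because HTTP appears on the slide in both the End User and the Management plane, the destination's role is part of the classification.

```python
"""Added example (not part of the X.805 slides): classify observed flows into
the three Security Planes and flag cleartext management-plane protocols.
Plane membership follows slide 13; the cleartext annotations, device roles
and flow records are this example's own, constructed input."""
from collections import defaultdict

# (transport, destination port) -> (protocol name, credentials/content in clear?)
PORTS = {
    ("tcp", 80): ("HTTP", True),
    ("tcp", 443): ("HTTPS", False),
    ("tcp", 110): ("POP3", True),
    ("tcp", 143): ("IMAP", True),
    ("tcp", 21): ("FTP", True),
    ("tcp", 23): ("Telnet", True),
    ("tcp", 22): ("SSH", False),
    ("udp", 161): ("SNMP", True),      # SNMPv1/v2c: community strings in clear
    ("tcp", 179): ("BGP", True),       # control plane; session authentication is optional
    ("udp", 53): ("DNS", True),
    ("udp", 67): ("DHCP", True),
    ("tcp", 5060): ("SIP", True),
    ("udp", 500): ("IKE", False),
}
CONTROL_PLANE = {"BGP", "DNS", "DHCP", "SIP", "IKE"}
MANAGEMENT_PROTOCOLS = {"SSH", "Telnet", "SNMP", "FTP", "HTTP", "HTTPS"}

# Constructed inventory: destinations that are network elements (routers, switches).
NETWORK_ELEMENTS = {"192.0.2.1", "192.0.2.2"}

# Constructed flow records: (src, dst, transport, dport)
FLOWS = [
    ("198.51.100.7", "203.0.113.10", "tcp", 443),   # customer -> web server
    ("198.51.100.7", "203.0.113.10", "tcp", 143),   # customer -> mail server
    ("198.51.100.7", "203.0.113.10", "tcp", 80),    # customer -> web server
    ("192.0.2.1", "192.0.2.2", "tcp", 179),         # router <-> router
    ("10.0.0.5", "192.0.2.1", "tcp", 23),           # admin -> router CLI
    ("10.0.0.5", "192.0.2.1", "udp", 161),          # NMS -> router
    ("10.0.0.5", "192.0.2.2", "tcp", 22),           # admin -> router CLI
    ("10.0.0.5", "192.0.2.2", "tcp", 80),           # admin -> router web UI
    ("10.0.0.5", "192.0.2.2", "udp", 4789),         # port not in the table
]


def classify(flow):
    """Return (plane, protocol name, cleartext flag) for one flow record."""
    _src, dst, transport, dport = flow
    name, cleartext = PORTS.get((transport, dport), ("unknown", None))
    if name == "unknown":
        return "unclassified", name, cleartext
    if name in CONTROL_PLANE:
        return "control/signaling", name, cleartext
    # Same protocol, different plane: HTTP to a router is management,
    # HTTP to an application server is end-user traffic.
    if dst in NETWORK_ELEMENTS and name in MANAGEMENT_PROTOCOLS:
        return "management", name, cleartext
    return "end-user", name, cleartext


def flows_by_plane(flows):
    """Group protocol names by the plane each flow was assigned to."""
    planes = defaultdict(list)
    for flow in flows:
        plane, name, _ = classify(flow)
        planes[plane].append(name)
    return dict(planes)


def cleartext_management(flows):
    """Management-plane flows whose protocol exposes credentials on the wire."""
    findings = []
    for flow in flows:
        plane, name, cleartext = classify(flow)
        if plane == "management" and cleartext:
            findings.append((flow[1], name))
    return findings


if __name__ == "__main__":
    for plane, names in sorted(flows_by_plane(FLOWS).items()):
        print(f"{plane:18} {', '.join(names)}")
    for dst, name in cleartext_management(FLOWS):
        print(f"FINDING: cleartext management protocol {name} to {dst}")
```

Port matching covers the TCP/UDP protocols on the slide; OSPF, IS-IS, PIM, ICMP and SS7 are not port-based and would need matching on IP protocol number or link type, which this example leaves out.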
ITU-T X.805: Security Architecture for Systems Providing End-to-End Communications
(Figure: the three Security Layers, Infrastructure Security, Services Security and Applications Security, crossed with the three Security Planes, End User Security, Control/Signaling Security and Management Security. The 8 Security Dimensions, Access Control, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability and Privacy, are applied to each layer/plane intersection. Vulnerabilities can exist in each layer and plane and are exposed, via attacks, to the threats Destruction, Disclosure, Corruption, Removal and Interruption.)
Modular Form of X.805
– Management Network: top row
– Network Services: middle column
– Security Module: Layer & Plane intersection

                         Infrastructure Layer   Services Layer   Applications Layer
Management Plane         Module one             Module four      Module seven
Control/Signaling Plane  Module two             Module five      Module eight
End-User Plane           Module three           Module six       Module nine

The eight Security Dimensions (Access Control, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability, Privacy) are applied to each Security Module.
Provides a systematic, organized way for performing network security assessments and planning.
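The following is an added example, not part of the original slides, that models the nine-module grid above with the eight Security Dimensions applied to each module (72 cells) and uses it two ways: listing the cells a control inventory leaves uncovered, and the check motivated by the Security Planes slide, flagging a security measure that controls in different planes depend on, since compromising it crosses the plane boundary. Module numbering follows this slide (down each column); the control inventory, its measure names and its dimension coverage are constructed.

```python
"""Added example (not part of the X.805 slides): the 3x3 module grid with the
eight Security Dimensions applied to each module, run against a constructed
control inventory to (1) list uncovered cells and (2) flag security measures
shared across planes.  Module numbering follows slide 15; inventory is made up."""
from itertools import product

LAYERS = ("infrastructure", "services", "applications")
PLANES = ("management", "control/signaling", "end-user")
DIMENSIONS = ("access control", "authentication", "non-repudiation",
              "data confidentiality", "communication security",
              "data integrity", "availability", "privacy")


def module_number(layer, plane):
    """Slide 15 numbers down each column: infrastructure 1-3, services 4-6, applications 7-9."""
    return LAYERS.index(layer) * len(PLANES) + PLANES.index(plane) + 1


# Constructed control inventory.  'measure' names what the control's security
# actually rests on (a credential store, a key set, a redundancy design).
CONTROLS = [
    {"name": "SSH CLI with TACACS+ login", "layer": "infrastructure",
     "plane": "management", "measure": "corp-directory",
     "dims": {"authentication", "data confidentiality", "data integrity"}},
    {"name": "BGP session authentication", "layer": "infrastructure",
     "plane": "control/signaling", "measure": "bgp-session-keys",
     "dims": {"authentication", "data integrity"}},
    {"name": "Dual-homed core routers", "layer": "infrastructure",
     "plane": "end-user", "measure": "dual-homing",
     "dims": {"availability"}},
    {"name": "Customer portal login", "layer": "applications",
     "plane": "end-user", "measure": "corp-directory",   # same store as device admin
     "dims": {"authentication", "access control"}},
    {"name": "TLS on customer portal", "layer": "applications",
     "plane": "end-user", "measure": "web-tls-certs",
     "dims": {"data confidentiality", "data integrity"}},
]


def coverage(controls):
    """Map each covered (layer, plane, dimension) cell to the controls covering it."""
    covered = {}
    for c in controls:
        for dim in c["dims"]:
            covered.setdefault((c["layer"], c["plane"], dim), []).append(c["name"])
    return covered


def uncovered_cells(controls):
    """All cells of the 72 with no control, as (module number, layer, plane, dimension)."""
    covered = coverage(controls)
    return [(module_number(layer, plane), layer, plane, dim)
            for layer, plane, dim in product(LAYERS, PLANES, DIMENSIONS)
            if (layer, plane, dim) not in covered]


def cross_plane_measures(controls):
    """Measures relied on by controls in more than one plane: a compromise of
    the measure defeats the independence the planes are meant to give."""
    planes_by_measure = {}
    for c in controls:
        planes_by_measure.setdefault(c["measure"], set()).add(c["plane"])
    return {m: sorted(ps) for m, ps in planes_by_measure.items() if len(ps) > 1}


if __name__ == "__main__":
    gaps = uncovered_cells(CONTROLS)
    total = len(LAYERS) * len(PLANES) * len(DIMENSIONS)
    print(f"{len(gaps)} of {total} cells uncovered, first few:")
    for mod, layer, plane, dim in gaps[:5]:
        print(f"  module {mod}: {layer}/{plane}: {dim}")
    for measure, planes in cross_plane_measures(CONTROLS).items():
        print(f"CROSS-PLANE: '{measure}' underpins controls in {planes}")
```

In an assessment the uncovered list is the work queue, one row per module and dimension, while the cross-plane list is the finding a plane-by-plane review would miss: here the same directory authenticates router administrators and portal customers, so a credential-stuffing problem in the End-User Plane becomes a Management Plane problem.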
Module 3 – Infrastructure Layer – End-User Plane
Security Dimension: Security Objectives
Access Control: Ensure that only authorised personnel or devices are allowed access to end-user data that is transiting a network element or communications link or is resident in an offline storage device.
Authentication: Verify the identity of the person or device attempting to access end-user data that is transiting a network element or communications link or is resident in an offline storage device. Authentication techniques may be required as part of Access Control.
Non-Repudiation: Provide a record identifying each individual or device that accessed end-user data that is transiting a network element or communications link, or is resident in offline devices, and the action that was performed. The record is to be used as proof of access to end-user data.
Data Confidentiality: Protect end-user data that is transiting a network element or communications link, or is resident in an offline storage device, against unauthorised access or viewing. Techniques used to address access control may contribute to providing data confidentiality for end-user data.
Communication Security: Ensure that end-user data that is transiting a network element or communications link is not diverted or intercepted as it flows between the end points (without authorised access).
Data Integrity: Protect end-user data that is transiting a network element or communications link or is resident in offline storage devices against unauthorised modification, deletion, creation and replication.
Availability: Ensure that access to end-user data resident in offline storage devices by authorised personnel and devices cannot be denied.
Privacy: Ensure that network elements do not provide information pertaining to the end-users' network activities (e.g., users' geographic location, websites visited, content, etc.) to unauthorised personnel.
www.lucent.com/security
Summary: X.805 Provides a Holistic Approach to Network Security
• Comprehensive, end-to-end network view of security
• Applies to any network technology
– Wireless, wireline, optical networks
– Voice, data, video, converged networks
• Applies to a variety of networks
– Service provider networks
– Enterprise (service provider's customer) networks
– Government networks
– Management/operations, administrative networks
– Data center networks
• Is aligned with other ITU-T security Recommendations and ISO standards
ITU-T Recommendation X.805 is a Base for Security Work in the FGNGN Security Capability WG
• Guidelines for NGN security and X.805
• NGN threat model (based on ITU-T X.800 and X.805 Recommendations)
• Security Dimensions and Mechanisms (based on ITU-T X.805):
– Access control
– Authentication
– Non-repudiation
– Data confidentiality
– Communication security
– Data integrity
– Availability
– Privacy
• NGN security requirements for Release 1 and X.805
• General considerations based on the concepts of X.805
Acronyms
AAA Authentication, Authorization, Accounting
ACL Access Control List
ATM Asynchronous Transfer Mode
BC Business Continuity
BGP Border Gateway Protocol
DHCP Dynamic Host Configuration Protocol
DNS Domain Name System
DR Disaster Recovery
FCAPS Fault-management, Configuration, Accounting, Performance, and Security
FTP File Transfer Protocol
HTTP Hypertext Transfer Protocol
ICMP Internet Control Message Protocol
IDS Intrusion Detection System
IKE Internet Key Exchange protocol
IM Instant Messaging
IMAP Internet Message Access Protocol
IPS Intrusion Prevention System
IPsec IP Security (set of protocols)
IS-IS Intermediate System-to-Intermediate System (routing protocol)
L2TP Layer Two Tunneling Protocol
MPLS Multiprotocol Label Switching
NAT Network Address Translation
OSPF Open Shortest Path First
PIM Protocol-Independent Multicast
PKI Public Key Infrastructure
POP Post Office Protocol
QoS Quality of Service
RIP Routing Information Protocol
RSVP Resource ReSerVation Protocol
RTP Real-time Transport Protocol
SIP Session Initiation Protocol
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
SS7 Signaling System No. 7
TCP Transmission Control Protocol
TLS Transport Layer Security protocol
UDP User Datagram Protocol
VoIP Voice over IP
VPN Virtual Private Network
Thank you!

More Related Content

Similar to saag-3.ppt

Investigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a SecureInvestigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a Secure
Firas Alsayied
 
Multilayer security mechanism in computer networks (2)
Multilayer security mechanism in computer networks (2)Multilayer security mechanism in computer networks (2)
Multilayer security mechanism in computer networks (2)
Alexander Decker
 
Multilayer security mechanism in computer networks
Multilayer security mechanism in computer networksMultilayer security mechanism in computer networks
Multilayer security mechanism in computer networks
Alexander Decker
 

Similar to saag-3.ppt (20)

Safe and secure autonomous systems
Safe and secure autonomous systemsSafe and secure autonomous systems
Safe and secure autonomous systems
 
Investigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a SecureInvestigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a Secure
 
network security / information security
network security / information securitynetwork security / information security
network security / information security
 
Wireless Security
Wireless SecurityWireless Security
Wireless Security
 
Cns unit4
Cns unit4Cns unit4
Cns unit4
 
Cns unit4
Cns unit4Cns unit4
Cns unit4
 
Network security
Network securityNetwork security
Network security
 
fundamental of network security
fundamental of network securityfundamental of network security
fundamental of network security
 
Ipsecurity
IpsecurityIpsecurity
Ipsecurity
 
Network security
Network security Network security
Network security
 
Internet Protocol Security as the Network Cryptography System
Internet Protocol Security as the Network Cryptography SystemInternet Protocol Security as the Network Cryptography System
Internet Protocol Security as the Network Cryptography System
 
Multilayer security mechanism in computer networks (2)
Multilayer security mechanism in computer networks (2)Multilayer security mechanism in computer networks (2)
Multilayer security mechanism in computer networks (2)
 
Sfa community of practice a natural way of building
Sfa community of practice  a natural way of buildingSfa community of practice  a natural way of building
Sfa community of practice a natural way of building
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2
 
Minimizing Information Transparency
Minimizing Information TransparencyMinimizing Information Transparency
Minimizing Information Transparency
 
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
 
IoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfuaIoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfua
 
Cybersecurity Tutorial | Demo On Man In The Middle Attack | Cybersecurity Tra...
Cybersecurity Tutorial | Demo On Man In The Middle Attack | Cybersecurity Tra...Cybersecurity Tutorial | Demo On Man In The Middle Attack | Cybersecurity Tra...
Cybersecurity Tutorial | Demo On Man In The Middle Attack | Cybersecurity Tra...
 
LTE :Mobile Network Security
LTE :Mobile Network SecurityLTE :Mobile Network Security
LTE :Mobile Network Security
 
Multilayer security mechanism in computer networks
Multilayer security mechanism in computer networksMultilayer security mechanism in computer networks
Multilayer security mechanism in computer networks
 

More from HazemElabed2 (6)

5033467 (1).ppt
5033467 (1).ppt5033467 (1).ppt
5033467 (1).ppt
 
3G.ppt
3G.ppt3G.ppt
3G.ppt
 
3G.ppt
3G.ppt3G.ppt
3G.ppt
 
ASN1_intro.pdf
ASN1_intro.pdfASN1_intro.pdf
ASN1_intro.pdf
 
fdocuments.net_gsm-call-flows-5584455b2833e.ppt
fdocuments.net_gsm-call-flows-5584455b2833e.pptfdocuments.net_gsm-call-flows-5584455b2833e.ppt
fdocuments.net_gsm-call-flows-5584455b2833e.ppt
 
lecture23.ppt
lecture23.pptlecture23.ppt
lecture23.ppt
 

Recently uploaded

Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
dharasingh5698
 

Recently uploaded (20)

(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdf
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performance
 
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank  Design by Working Stress - IS Method.pdfIntze Overhead Water Tank  Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdf
 
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
 
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdf
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.ppt
 
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For ...Bhosari ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
 
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leap
 
Intro To Electric Vehicles PDF Notes.pdf
Intro To Electric Vehicles PDF Notes.pdfIntro To Electric Vehicles PDF Notes.pdf
Intro To Electric Vehicles PDF Notes.pdf
 
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torque
 
Work-Permit-Receiver-in-Saudi-Aramco.pptx
Work-Permit-Receiver-in-Saudi-Aramco.pptxWork-Permit-Receiver-in-Saudi-Aramco.pptx
Work-Permit-Receiver-in-Saudi-Aramco.pptx
 
Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01
 
NFPA 5000 2024 standard .
NFPA 5000 2024 standard                                  .NFPA 5000 2024 standard                                  .
NFPA 5000 2024 standard .
 

saag-3.ppt

  • 1. ITU-T Recommendation X.805 Security Architecture for Systems Providing End-to-End Communications IETF 63 meeting Zachary Zeltsan, Bell Laboratories, Lucent Technologies Rapporteur of Question 5 SG 17
  • 2. 2 Outline  Origin of the ITU-T Recommendation X.805 - Security Architecture for Systems Providing End-to-End Communications  Three main issues that X.805 addresses  Security Dimensions  Security Layers  Security Planes  ITU-T X.805 Security Architecture  ITU-T Recommendation X.805 as a base for security work in FGNGN Security Capability WG
  • 3. 3 Origin of the ITU-T Recommendation X.805 • ITU-T Recommendation X.805 Security architecture for systems providing end-to-end communications had been developed by ITU-T SG 17 (ITU-T Lead Study Group on Telecommunication Security) and was published in October 2003. • The group has developed a set of the well-recognized Recommendations on security. Among them are X.800 Series of Recommendations on security and X.509 - Public-key and Attribute Certificate Frameworks.
  • 4. 4 Three main issues that X.805 addresses The security architecture addresses three essential issues: 1. What kind of protection is needed and against what threats? 2. What are the distinct types of network equipment and facility groupings that need to be protected? 3. What are the distinct types of network activities that need to be protected?
  • 5. 5 ITU-T X.800 Threat Model (simplified) X X 1 - Destruction (an attack on availability): – Destruction of information and/or network resources 2 - Corruption (an attack on integrity): – Unauthorized tampering with an asset 3 - Removal (an attack on availability): – Theft, removal or loss of information and/or other resources 4 - Disclosure (an attack on confidentiality): – Unauthorized access to an asset 5 - Interruption (an attack on availability): – Interruption of services. Network becomes unavailable or unusable
  • 6. 6 Access Control Authentication Non-repudiation Data Confidentiality Communication Security Data Integrity Availability Privacy • Limit & control access to network elements, services & applications • Examples: password, ACL, firewall • Prevent ability to deny that an activity on the network occurred • Examples: system logs, digital signatures • Ensure information only flows from source to destination • Examples: VPN, MPLS, L2TP • Ensure network elements, services and application available to legitimate users • Examples: IDS/IPS, network redundancy, BC/DR • Provide Proof of Identity • Examples: shared secret, PKI, digital signature, digital certificate • Ensure confidentiality of data • Example: encryption • Ensure data is received as sent or retrieved as stored • Examples: MD5, digital signature, anti-virus software • Ensure identification and network use is kept private • Examples: NAT, encryption Eight Security Dimensions Address the Breadth of Network Vulnerabilities Eight Security Dimensions applied to each Security Perspective (layer and plane)
  • 7. 7 How the Security Dimensions Map to the Security Threats Security Dimension X.800 Security Threats Destruction Corruption Removal Disclosure Interruption Access Control     Authentication   Non-Repudiation      Data Confidentiality   Communication Security   Data Integrity   Availability   Privacy 
  • 8. 8 Security Layers • Concept of Security Layers represents hierarchical approach to securing a network • Mapping of the network equipment and facility groupings to Security Layers could be instrumental for determining how the network elements in upper layers can rely on protection that the lower layers provide.
  • 9. 9 Three Security Layers • Each Security Layer has unique vulnerabilities, threats • Infrastructure security enables services security enables applications security Infrastructure Security Applications Security Services Security THREATS VULNERABILITIES ATTACKS Destruction Disclosure Corruption Removal Infrastructure Security Applications Security Services Security VULNERABILITIES Interruption Vulnerabilities Can Exist In Each Layer 1 - Infrastructure Security Layer: • Fundamental building blocks of networks services and applications • Examples: – Individual routers, switches, servers – Point-to-point WAN links – Ethernet links 2 - Services Security Layer: • Services Provided to End-Users • Examples: – Frame Relay, ATM, IP – Cellular, Wi-Fi, – VoIP, QoS, IM, Location services – Toll free call services 3 - Applications Security Layer: • Network-based applications accessed by end-users • Examples: – Web browsing – Directory assistance – Email – E-commerce
  • 10. 10 Example: Applying Security Layers to IP Networks Applying Security Layers to IP Networks Infrastructure Security Layer – Individual routers, servers – Communication links Services Security Layer – Basic IP transport – IP support services (e.g., AAA, DNS, DHCP) – Value-added services: (e.g., VPN, VoIP, QoS) Applications Security Layer – Basic applications (e.g. FTP, web access) – Fundamental applications (e.g., email) – High-end applications (e.g., e-commerce, e-training)
  • 11. 11 Security Planes • Concept of Security Planes could be instrumental for ensuring that essential network activities are protected independently (e.g. compromise of security at the End- user Security Plane does not affect functions associated with the Management Security Plane). • Concept of Security Planes allows to identify potential network vulnerabilities that may occur when distinct network activities depend on the same security measures for protection.
  • 12. 12 • Security Planes represent the types of activities that occur on a network. • Each Security Plane is applied to every Security Layer to yield nine security Perspectives (3 x 3) • Each security perspective has unique vulnerabilities and threats Three Security Planes Infrastructure Security Applications Security Services Security End User Security Control/Signaling Security Management Security VULNERABILITIES Security Layers Security Planes Infrastructure Security Applications Security Services Security End User Security Control/Signaling Security Management Security VULNERABILITIES Security Layers Security Planes Vulnerabilities Can Exist In Each Layer and Plane THREATS ATTACKS Destruction Disclosure Corruption Removal Interruption 1 - End-User Security Plane: • Access and use of the network by the customers for various purposes: – Basic connectivity/transport – Value-added services (VPN, VoIP, etc.) – Access to network-based applications (e.g., email) 2 - Control/Signaling Security Plane: • Activities that enable efficient functioning of the network • Machine-to-machine communications 3 - Management Security Plane: • The management and provisioning of network elements, services and applications • Support of the FCAPS functions
  • 13. 13 Example: Applying Security Planes to Network Protocols End User Security Plane Activities •End-user data transfer •End-user – application interactions Protocols • HTTP, RTP, POP, IMAP • TCP, UDP, FTP • IPsec, TLS Control/Signaling Security Plane Activities •Update of routing/switching tables •Service initiation, control, and teardown •Application control Protocols • BGP, OSPF, IS-IS, RIP, PIM • SIP, RSVP, H.323, SS7. • IKE, ICMP • PKI, DNS, DHCP, SMTP Management Security Plane •Operations •Administration •Management •Provisioning Activities Protocols •SNMP •Telnet •FTP •HTTP
  • 14. 14 Access Management Infrastructure Security Applications Security Services Security End User Security Control/Signaling Security Management Security 8 Security Dimensions Data Confidentiality Communication Security Integrity Availability Privacy Authentication Non-repudiation Security Layers Security Planes Access Control Infrastructure Security Applications Security Services Security End User Security Control/Signaling Security Management Security THREATS VULNERABILITIES 8 Security Dimensions ATTACKS Data Confidentiality Communication Security Data Integrity Availability Privacy Authentication Non-repudiation Security Layers Security Planes ITU-T X.805: Security Architecture for Systems Providing End-to-End Communications Vulnerabilities Can Exist In Each Layer, Plane Destruction Disclosure Corruption Removal Interruption
  • 15. 15 – Management Network: top row – Network Services: middle column – Security Module: Layer & Plane Intersection Access Control Authentication Non-repudiation Data Confidentiality Infrastructure Layer Services Layer Applications Layer Management Plane Module one Module four Module seven Control/Signaling Plane Module two Module five Module eight User Plane Module three Module six Module Nine Communication Security Data Integrity Availability Privacy The eight Security Dimensions Are Applied to Each Security Module Modular Form of X.805 Provides a systematic, organized way for performing network security assessments and planning
  • 16. 16 Module 3 – Infrastructure Layer – End- User Plane www.lucent.com/security Security Dimension Security Objectives Access Control Ensure that only authorised personnel or devices are allowed access to end-user data that is transiting a network element or communications link or is resident in an offline storage device. Authentication Verify the identity of the person or device attempting to access end-user data that is transiting a network element of communications link or is resident in an offline storage device. Authentication techniques may be required as part of Access Control. Non-Repudiation Provide a record identifying each individual or device that accessed end-user data that is transiting a network element or communications link, or is resident in offline devices and that the action was performed. The record is to be used as proof of access to end-user data. Data Confidentiality Protect end-user data that is transiting a network element or communications link, or is resident in an offline storage device against unauthorised access or viewing. Techniques used to address access control may contribute to providing data confidentiality for end-user data. Communication Security Ensure that end-user data that is transiting a network element or communications link is not diverted or intercepted as it flows between the end points (without an authorised access) Data Integrity Protect end-user data that is transiting a network element or communications link or is resident in offline storage devices against unauthorised modification, deletion, creation and replication. Availability Ensure that access to end-user data resident in in offline storage devices by authorised personnel and devices cannot be denied. Privacy Ensure that network elements do not provide information pertaining to the end-users network activities (eg. Users geographic location, websites visited, content etc.) to unauthorised personnel.
17
Summary: X.805 Provides a Holistic Approach to Network Security
 Comprehensive, end-to-end network view of security
 Applies to any network technology
– Wireless, wireline, optical networks
– Voice, data, video, converged networks
 Applies to a variety of networks
– Service provider networks
– Enterprise (service provider's customer) networks
– Government networks
– Management/operations, administrative networks
– Data center networks
 Is aligned with other security ITU-T Recommendations and ISO standards
18
ITU-T Recommendation X.805 is a Base for Security Work in FGNGN Security Capability WG
 Guidelines for NGN security and X.805
 NGN threat model (based on ITU-T X.800 and X.805 Recommendations)
 Security Dimensions and Mechanisms (based on ITU-T X.805)
– Access control
– Authentication
– Non-repudiation
– Data confidentiality
– Communication security
– Data integrity
– Availability
– Privacy
 NGN security requirements for Release 1 and X.805
 General considerations based on the concepts of X.805
19
Acronyms
AAA – Authentication, Authorization, Accounting
ACL – Access Control List
ATM – Asynchronous Transfer Mode
BC – Business Continuity
BGP – Border Gateway Protocol
DHCP – Dynamic Host Configuration Protocol
DNS – Domain Name Service
DR – Disaster Recovery
FCAPS – Fault-management, Configuration, Accounting, Performance, and Security
FTP – File Transfer Protocol
HTTP – Hyper Text Transfer Protocol
ICMP – Internet Control Message Protocol
IDS – Intrusion Detection System
IKE – Internet Key Exchange protocol
IM – Instant Messaging
IMAP – Internet Message Access Protocol
IPS – Intrusion Prevention System
IPsec – IP security (set of protocols)
IS-IS – Intermediate System-to-Intermediate System (routing protocol)
L2TP – Layer Two Tunneling Protocol
MPLS – Multi-Protocol Label Switching
NAT – Network Address Translation
OSPF – Open Shortest Path First
PIM – Protocol-Independent Multicast
PKI – Public Key Infrastructure
POP – Post Office Protocol
QoS – Quality of Service
RIP – Routing Information Protocol
RSVP – Resource Reservation Setup Protocol
RTP – Real-time Transport Protocol
SIP – Session Initiation Protocol
SMTP – Simple Mail Transfer Protocol
SNMP – Simple Network Management Protocol
SS7 – Signaling System 7
TCP – Transmission Control Protocol
TLS – Transport Layer Security protocol
UDP – User Datagram Protocol
VoIP – Voice over IP
VPN – Virtual Private Network
