805 Workshop
IMF 2007
Stuttgart, Germany
September 13, 2007
Suhasini Sabnis
Bell Labs Security Technology Application Research
Agenda
Security Drivers and Challenges
ITU-T X.805 Security Framework Overview
Using ITU-T X.805 for Security Assessment
Applying ITU-T X.805: A Case Study
Security Standards and Security Compliance
Questions
2 | X.805 Training | April 2007 All Rights Reserved Alcatel-Lucent 2006, 2007
Critical Market Concerns Security Drivers
Ensuring customer privacy
Improving reliability & service availability
Identifying specific risks & quantifying vulnerabilities
Defending against increasingly sophisticated attacks
Securing new technologies & applications
Managing limited resources for ongoing security administration
The Security Challenge
productivity
Customer Churn
Compliancy costs
Lessons learned
Regulatory
SOX Compliancy
EU privacy regulation
Protection of Critical Infrastructures
Financial segment: BASEL II
Revenue Increase
More competitive offering through ISO certification
Becoming a Security Best-in-Class Company
[Figure: life cycle of Plan & Design, Implement and Manage; other label fragment: architecture]
Testable business continuity program
Considers security in the design and planning stage
Introducing the ITU-T X.805 Framework
The framework provides the system-level thinking essential for the next-generation approach to security
[Figure: ITU-T X.805 security architecture diagram, with THREATS, VULNERABILITIES and ATTACKS labels]
Security Layers: Infrastructure Security, Services Security, Applications Security
Security Planes: End User Security, Control/Signaling Security, Management Security
Security Dimensions: Access Control, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability, Privacy
Threats: Destruction, Corruption, Removal, Disclosure, Interruption
Vulnerabilities can exist in each: Layer, Plane
Security Threats*
Interruption
Disclosure of information
X.800 Threat Model
1. Destruction:
Destruction of information &/or other network resources
2. Corruption:
An unauthorized tampering with an asset
3. Removal:
4. Disclosure:
Applications Security
X.805: Three Security Planes
Applications Security
Example: Applying Security Planes to Network Protocols
Using X.805 Layers/Planes
Asset Identification
Assets are identified based on the network architecture or design and the scope of
work that needs to be secured; e.g., what services, applications, etc. need to be
secured. It is an iterative process.
X.805 for Asset Identification continued
The second step is to use the X.805 planes to uncover additional assets by examining
the activities that must be protected at the management, control and end-user
planes for each asset listed in the first step:
For example, in an IPTV study, examining the IP multicast service control plane shows
that the PIM and MSDP protocols are assets that need protecting. Likewise, the IGMP protocol
is another asset found by examining the IP multicast service management plane.
Examining the video stream control plane identified the DSM-CC and RTSP protocols as
assets that need protecting.
Applying X.805 Asset Identification
Example 1: Internet Service Provider
Layer
IPSec/PKI SMTP
Routing Tables
Control RSVP POP3
DNS Database
Plane
SIP HTTP
Example 2: Large Enterprise
Layer
IPSec/PKI
Routing Tables LDAP
Control SIP
DNS Database SIP
Plane
LDAP
Security Dimensions
8 Security Dimensions Address the Breadth of Network Vulnerabilities
Access Control, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability, Privacy
Access Control:
Ensures access by authorized personnel & devices only
Protects against unauthorized use of network resources
Mechanisms:
Simple log-in/password
Access Control Lists (ACL)
Intrusion Detection Systems (IDS)
In addition, Role Based Access Control (RBAC) provides different levels of access control to guarantee that only authorized individuals & devices can access information
Authentication:
Confirms the identity of communicating entities (e.g., end-users, OA&M activity, network elements)
Ensures validity of claimed entities
Provides assurance that an entity is not masquerading
Mechanisms:
Digital certificates
Digital Signatures
SSL
SSO
CHAP
Non-repudiation:
Prevents an individual or entity from denying having performed an unauthorized action
Ensures availability of evidence that can be presented to a third party to show that an event/incident has taken place
Mechanisms:
Logs
Role based access control
Digital signatures
Data Confidentiality:
Protects data from unauthorized disclosure
Ensures data content cannot be understood by unauthenticated entities
Mechanisms:
Encryption (3DES, AES)
Access control lists
File permissions
Communication Security:
Ensures information only flows between the authorized end points
Ensures information is not diverted or intercepted as it flows between these end points
Mechanisms:
VPNs (IPSec, L2TP)
MPLS tunnels
Private Lines
Separate networks
Data Integrity:
Ensures the correctness or accuracy of information
Ensures data is protected from unauthorized modification, deletion, creation & replication
Provides an indication that this has occurred
Mechanisms:
IPSec HMACs (e.g. MD5, SHA-1)
Cyclic redundancy checks
Anti-Virus Software
Availability:
Ensures no denial of authorized access to network elements, stored information, information flows, services, applications
Disaster recovery solutions are included in this category
Mechanisms:
Redundancy & back-up
DoS mechanisms
Firewalls, IDS/IPS (for blocking DoS)
Business continuity
Managed network & services with SLAs
Privacy:
Provides protection of information that might be derived from network activities
Mechanisms:
Proxies
Encryption of IP headers (for example: IPSec VPNs)
NAT
Rationale for ITU-T X.805 Dimensions Relative to C-I-A
Applying Security Dimensions An Example
[Figure: grid of security layers and planes; the Control/Signaling plane row contains Module 2, Module 5 and Module 8. Dimension labels shown: Authentication, Data Confidentiality, Data Integrity, Privacy]
Ensure that only authorized personnel & devices are allowed to perform,
or attempt to perform, administrative or management activities of the
network-based application (e.g. administer user mailboxes for an email
application)
VoCable Network Security Example Application of ITU-T X.805
Security Life Cycle Objectives
How ITU-T X.805 assets be leveraged
Design
Plan &
management services & team to 3rd-party security gaps
Training ensure security Interoperability of 3rd
Process for adequately addressed
party
customer Reliability & security
communication test strategy
Incident response Secure coding
Implement
Product hardening
Security engineering guidelines for the customer
Technology deployment
Role of Security Policy
3rd Party
Agreements
[Figure: labels include Industry, Incident Response Coordination, Govt., Internet Research Lab]
High Level Key Definitions
Relationship of Threat Classes and Threat Scenarios
The threat classes contained in the threat model are fixed regardless of what
technology and industry vertical the threat model is applied to.
A Threat Scenario is realized by a combination of threat classes (threats) on a
set of assets. For example, Invasion of Subscriber Privacy can be realized by:
Disclosure on the air interface asset,
Disclosure of the call detail record asset,
Disclosure of the customer billing record asset,
Example of the application of a threat class (threat) to an asset:
Threat Scenario: Invasion of Subscriber Privacy
Asset: Radio Air Interface
Disclosure Threat Class: Sniffing devices can be used to eavesdrop on
subscriber conversations.
Vulnerability: EV-DO air interface is not encrypted.
Countermeasure: Employ encryption at a higher protocol layer (e.g.,
TLS/SSL, IPsec).
High Level X.805-based Methodology for Threat Assessment
Data Collection and Background Research
X.805 Asset Identification
X.805 Threat Analysis
X.805 Vulnerability Analysis
Countermeasures and Recommendations
Data Collection & Background Research
[Figure: data sources for the assessment. Labels: Authentication Server, DHCP Server, Internal, Provider Network, Application Servers, Vulnerability DBs, Known Vulnerabilities, Standards Orgs., Known Countermeasures]
Perform X.805 Threat Analysis
[Figure: X.805 layers, planes, threats and dimensions applied to each asset; the recoverable table content follows]
Asset table (columns: Management Plane, Control Plane, End-User Plane), Network Architecture:
1.1 IGMPv2/v3 (Snooping)
1.2 PIM (SM, SSM, Snooping)
1.3 MBGP
Services Layer Threat Exposures (1)
S-1. A Interface
Threats+ Corruption (with Threat Scenarios column):
Forged or altered messages: 1, 2, 4, 8
Malformed packets: 7
Replayed packets: 2, 3
Countermeasures+ Corruption Malformed IGMP packets best practices for secure software development.
2. Include security testing during DSLAM or STB acceptance testing.
WLAN Reference Architecture
[Figure: WLAN reference architecture with Mobile Station, Access Point, DHCP Server, Authentication Server and Application Servers]
WLAN Network Security Domains
[Figure: WLAN architecture (Mobile Station, Access Point, DHCP Server, Authentication Server, Application Servers) divided into Security Domain 1 and Security Domain 2]
X.805 Asset Identification - Sample Asset Inventory
DHCP traffic
WLAN Reference Architecture
Sample Threats
Compromise of AP Admin/Management
Data:
[Figure: WLAN reference architecture with Mobile Station, Access Point, DHCP Server, Authentication Server and Application Servers]
X.805 Threat Analysis
Threats:
Threat Analysis Summary
Threats:
X.805 Vulnerability Analysis
-Sample illustration
Asset/Threat Analysis
1. AP GUI
2. AP Management Traffic
3. Association Table in AP
Threats: Destruction, Disclosure
Vulnerability: Weak access control, lack of software integrity
Countermeasures and Recommendations
-Sample illustration
Asset/Threat Analysis, vulnerabilities and countermeasures
1. AP GUI
Threats: Disclosure, Interruption
Vulnerabilities:
Use of HTTP for web-based
Physical access of AP or password compromise
Countermeasures:
- Use secure HTTP (HTTPS). Password protection best practices. If AP does not support HTTPS, then use secure VPN access using an additional VPN gateway.
- Physical access to the AP should be limited and protected by using site surveillance
2. AP Management Traffic
Threats: Corruption, Removal, Disclosure, Interruption
Vulnerabilities:
Forged management commands (protocol weakness)
Spoofed ARP Response (low probability vulnerability)
Eavesdropping (SNMP v1, v2)
DoS attack on the management port of the AP
Countermeasures:
- Since the AP is primarily a bridge device, the management port for the AP can be on a separate subnet (assign it a different network from the users). Use ACLs to control access.
- Encryption of the community string while in transit forces the attacker to know the encryption key in addition to successfully guessing the password in order to gain access. SNMPv3 should be configured with community string encryption enabled.
3. Association Table in AP
Threats: Destruction, Disclosure
Vulnerabilities:
Weak access control, lack of software integrity
Countermeasures:
- Change default AP configuration, such as SSID
- Disable SSID broadcasts
- Software integrity checks
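The assessment steps on these slides (asset identification, threat analysis, vulnerability analysis, countermeasures) can be kept as a small register and checked for gaps; the following is an added example and not part of the original deck. The entries are constructed from the WLAN sample table, and the layer and plane of each asset, the pairing of threats with vulnerabilities, the dimension assigned to each countermeasure and all function names are assumptions of this example.

```python
from collections import defaultdict

# Fixed by the framework; names as they appear on the slides.
LAYERS = ("Infrastructure", "Services", "Applications")
PLANES = ("Management", "Control/Signaling", "End User")
THREATS = ("Destruction", "Corruption", "Removal", "Disclosure", "Interruption")
DIMENSIONS = ("Access Control", "Authentication", "Non-repudiation",
              "Data Confidentiality", "Communication Security",
              "Data Integrity", "Availability", "Privacy")

def module_number(layer, plane):
    """Module 1..9 of the layer/plane grid (Control/Signaling row: 2, 5, 8)."""
    return LAYERS.index(layer) * len(PLANES) + PLANES.index(plane) + 1

def check(item):
    """Validate one register entry against the fixed sets; return its module."""
    if item["threat"] not in THREATS:
        raise ValueError(f"unknown threat class: {item['threat']}")
    for _, dimension in item["countermeasures"]:
        if dimension not in DIMENSIONS:
            raise ValueError(f"unknown dimension: {dimension}")
    return module_number(item["layer"], item["plane"])

def assess(register):
    """Return (gaps, missing): entries with no countermeasure, and for each
    module the dimensions that no recorded countermeasure addresses."""
    gaps, covered = [], defaultdict(set)
    for item in register:
        module = check(item)
        if not item["countermeasures"]:
            gaps.append((module, item["asset"], item["threat"]))
        covered[module].update(dim for _, dim in item["countermeasures"])
    missing = {m: [d for d in DIMENSIONS if d not in covered[m]]
               for m in sorted(covered)}
    return gaps, missing

def entry(asset, plane, threat, vulnerability, *countermeasures):
    """Build a register entry; the layer is assumed to be Infrastructure."""
    return {"asset": asset, "layer": "Infrastructure", "plane": plane,
            "threat": threat, "vulnerability": vulnerability,
            "countermeasures": list(countermeasures)}

# Constructed sample based on the WLAN table; planes, pairings and dimension
# tags are assumptions. One entry is left without a countermeasure on purpose.
SAMPLE = [
    entry("AP GUI", "Management", "Disclosure", "GUI served over HTTP",
          ("Use HTTPS", "Data Confidentiality")),
    entry("AP GUI", "Management", "Interruption", "Physical access to the AP",
          ("Limit physical access, site surveillance", "Access Control")),
    entry("AP Management Traffic", "Management", "Corruption",
          "Forged management commands",
          ("Separate management subnet with ACLs", "Access Control")),
    entry("AP Management Traffic", "Management", "Disclosure",
          "Eavesdropping on SNMP v1/v2",
          ("SNMPv3 with encryption", "Data Confidentiality")),
    entry("AP Management Traffic", "Management", "Interruption",
          "DoS attack on the management port"),
    entry("Association Table in AP", "Control/Signaling", "Destruction",
          "Weak access control, lack of software integrity",
          ("Software integrity checks", "Data Integrity")),
]

if __name__ == "__main__":
    print(assess(SAMPLE))
```

The second return value is the per-module list of dimensions still to be examined, which is the question the layer/plane/dimension grid asks of every module.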
[Figure: labels include Industry, Leadership, Business Continuity/Disaster Recovery, Professional Services, Standards, Incident Response Coordination, Govt., Internet Research Lab]
Security Standardization Issues
Key Distribution (for end-users and network elements) and Public Key Infrastructure
Network Privacy: topology hiding and NAT/Firewall traversal for real-time applications
Security for supporting access: DSL, WLAN, and cable access scenarios
Regulatory Compliance
The ISO 17799/ISO 27002 standard prepares organizations for industry-specific regulations
and standards:
Financial: BASEL II; GLBA
Health Care: eHealth; HIPAA
Government: CSE;
Sarbanes Oxley
A common framework to adapt to emerging industry requirements
ISO 17799 to be ISO 27002
ITU-T X.805 / ISO 18028-2
HIPAA: Health Insurance Portability and Accountability Act
GLBA: Gramm-Leach-Bliley Act
CSE: Communications Security Establishment
Security Framework
Regulatory requirements
objectives
Synergy Between ISO/IEC 27001:27005 & ITU-T X.805 / ISO/IEC 18028-2
The combination of ITU-T X.805 / ISO/IEC 18028-2 and ISO 27000 addresses business and
technical risks associated with information and network security
[Figure: ITU-T X.805 security architecture diagram (security layers, planes, dimensions, threats); vulnerabilities can exist in each Layer, Plane, Dimension]
ISO/IEC 27001 enhanced by ITU-T X.805 / ISO 18028-2
Communications & Ops Mgmt
Compliance
Security Implementation in Health Sector
How:
By maintaining reasonable and appropriate administrative, physical, and technical
safeguards to protect against any threats to the security and integrity of ePHI
Why:
To protect confidentiality, integrity and availability of ePHI when it is stored,
maintained or transmitted.
Utilizing ITU-T X.805 for Security Safeguards in Health Sector
End-users are:
Plan
Provider
Clearinghouse
Caregiver
Securing the patient data provided to the network-based application (social security number etc.): Electronic Protected Health Information (ePHI)
HIPAA Safeguards: Access Control (Unique User Identification, Emergency Access Procedure)
ITU-T X.805 Safeguards in depth:
Privacy - IPSec VPNs
Communications Security - Use VPNs
Regulatory Compliance & Network Security
Using ITU-T X.805/ISO 18028-2 as your overall network security model will:
Drive common security policies & requirements for your customer service offerings
Build in quantification of security threats and associated risk
Ensure security is built in from service concept through deployment
Continue to drive the end-to-end network security
Using ITU-T X.805 for Measuring Security
[Figure: charts for Release n and Release n+1; axis labels include Access Control, Authentication, Privacy, Comm Security]
Backup
What ITU-T X.805 is Not by Itself?
X.805 can be used as an enabler for any of the items and more