Network Working Group C. Lonvick
Internet-Draft D. Spak
Expires: January 5, 2005 Cisco Systems
July 7, 2004
Security Best Practices Efforts and Documents
draft-lonvick-sec-efforts-00.txt
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 5, 2005.
Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract
This document provides a snapshot of the current efforts to define or
apply security requirements in various Standards Developing
Organizations (SDO).
Lonvick & Spak Expires January 5, 2005 [Page 1]
Internet-Draft Security Best Practices Efforts and Documents July 2004
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Format of this Document . . . . . . . . . . . . . . . . . . 5
3. Online Security Glossaries . . . . . . . . . . . . . . . . . 6
3.1 SANS Glossary of Security Terms . . . . . . . . . . . . . 6
3.2 Internet Security Glossary - RFC 2828 . . . . . . . . . . 6
3.3 Compendium of Approved ITU-T Security Definitions . . . . 6
4. Standards Developing Organizations . . . . . . . . . . . . . 7
4.1 3GPP - Third Generation Partnership Project . . . . . . . . . 7
4.2 3GPP2 - Third Generation Partnership Project 2 . . . . . . . . 7
4.3 ANSI - The American National Standards Institute . . . . . 7
4.4 ATIS - Alliance for Telecommunications Industry
Solutions . . . . . . . . . . . . . . . . . . . . . . . . 7
4.5 CC - Common Criteria . . . . . . . . . . . . . . . . . . . 8
4.6 ETSI - The European Telecommunications Standard
Institute . . . . . . . . . . . . . . . . . . . . . . . . 8
4.7 IEEE - The Institute of Electrical and Electronics
Engineers, Inc. . . . . . . . . . . . . . . . . . . . . . 8
4.8 IETF - The Internet Engineering Task Force . . . . . . . . 8
4.9 ISO - The International Organization for Standardization . 9
4.10 ITU - International Telecommunication Union . . . . . . 9
4.10.1 ITU Telecommunication Standardization Sector -
ITU-T . . . . . . . . . . . . . . . . . . . . . . . 9
4.10.2 ITU Radiocommunication Sector - ITU-R . . . . . . . 9
4.10.3 ITU Telecom Development - ITU-D . . . . . . . . . . 9
4.11 OIF - Optical Internetworking Forum . . . . . . . . . . 9
4.12 NRIC - The Network Reliability and Interoperability
Council . . . . . . . . . . . . . . . . . . . . . . . . 10
4.13 T1 - Committee T1 . . . . . . . . . . . . . . . . . . . . . 10
4.13.1 T1A1: Performance, Reliability, and Signal
Processing . . . . . . . . . . . . . . . . . . . . . 10
4.13.2 T1E1: Interfaces, Power & Protection of Networks . 10
4.13.3 T1M1: Management OAM&P (Internetwork Operations,
Administration, Maintenance and Provisioning) . . . 11
4.13.4 T1M1 O&B . . . . . . . . . . . . . . . . . . . . . . 11
4.13.5 T1P1: Wireless/Mobile Services and Systems . . . . 11
4.13.6 T1S1: Signaling . . . . . . . . . . . . . . . . . . 11
4.13.7 T1S1: Packet Based Networks . . . . . . . . . . . . 11
4.13.8 T1X1: Digital Hierarchy and Synchronization . . . . 11
4.14 TIA - The Telecommunications Industry Association . . . 12
5. Security Best Practices Efforts and Documents . . . . . . . 13
5.1 3GPP - TSG SA WG3 (Security) . . . . . . . . . . . . . . . 13
5.2 3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 13
5.3 American National Standard T1.276-2003 - Baseline
Security Requirements for the Management Plane . . . . . . 13
5.4 ATIS Committee T1 Security & Emergency Preparedness
Activities . . . . . . . . . . . . . . . . . . . . . . . . 14
5.5 ATIS Work-Plan to Achieve Interoperable, Implementable,
End-To-End Standards and Solutions . . . . . . . . . . . . 14
5.6 Common Criteria . . . . . . . . . . . . . . . . . . . . . 14
5.7 ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
5.8 Security Certification and Accreditation of Information
Systems (SCAISWG) . . . . . . . . . . . . . . . . . . . . 15
5.9 Operational Security Requirements for IP Network
Infrastructure : Advanced Requirements . . . . . . . . . . 15
5.10 Guidelines for the management of IT Security . . . . . . 16
5.11 ITU-T Study Group 2 . . . . . . . . . . . . . . . . . . 16
5.12 ITU-T Recommendation M.3016 . . . . . . . . . . . . . . 16
5.13 ITU-T Recommendation X.805 . . . . . . . . . . . . . . 16
5.14 ITU-T Study Group 16 . . . . . . . . . . . . . . . . . . 17
5.15 ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . 17
5.16 Catalogue of ITU-T Recommendations related to
Communications System Security . . . . . . . . . . . . . 17
5.17 ITU-T Security Manual . . . . . . . . . . . . . . . . . 17
5.18 NRIC VI Focus Groups . . . . . . . . . . . . . . . . . . 18
5.19 OIF Implementation Agreements . . . . . . . . . . . . . 18
5.20 TIA . . . . . . . . . . . . . . . . . . . . . . . . . . 19
6. Security Considerations . . . . . . . . . . . . . . . . . . 20
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . 21
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 22
9. Changes from Prior Drafts . . . . . . . . . . . . . . . . . 23
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 23
Intellectual Property and Copyright Statements . . . . . . . 24
1. Introduction
The Internet is being recognized as a critical infrastructure similar
in nature to the power grid and a potable water supply. Just like
those infrastructures, means are needed to provide resiliency and
adaptability to the Internet so that it remains consistently
available to the public throughout the world even during times of
duress or attack. For this reason, many SDOs are developing
standards with the hope of retaining, or even improving, an
acceptable level of availability to its users. These SDO efforts usually
define themselves as "security" efforts. It is the opinion of the
authors that there are many different definitions of the term
"security" and it may be applied in many diverse ways. As such, we
offer no assurance that the term is applied consistently throughout
this document.
Many of these SDOs have diverse charters and goals and will take
entirely different directions in their efforts to provide standards.
However, even with that, there will be overlaps in their produced
works. If there are overlaps then there is a potential for conflicts
and confusion. This may result in:
o Vendors of networking equipment who are unsure of which standard
to follow.
o Purchasers of networking equipment who are unsure of which
standard will best apply to the needs of their business or
organization.
o Network Administrators and Operators unsure of which standard to
follow to attain the best security for their network.
For these reasons, the authors wish to encourage all SDOs who have an
interest in producing, or in consuming standards relating to good
security practices to be consistent in their approach and their
recommendations. In many cases, the authors are aware that the SDOs
are making good efforts along these lines. However, the authors do
not participate in all SDO efforts and cannot know everything that is
happening.
The authors of this document would like to keep it open as an
Internet Draft for approximately 6 months from the date of the first
submission. We hope that it will be spread far and wide and that the
leaders of SDO efforts will contact us with updated information so
that their own effort may be listed in this document, or so that
corrections may be made.
Comments on this document may be addressed to the authors.
2. Format of this Document
The body of this document has three sections.
The first part of the body of this document, Section 3, contains a
listing of online glossaries relating to networking and security. It
is very important that the definitions of words relating to security
and security events be consistent. Inconsistencies in the usage of
words across standards are unacceptable, as they would prevent a
reader of two standards from appropriately relating their
recommendations. The authors of this document have not reviewed the
definitions of the words in the listed glossaries so can offer no
assurance of their alignment.
The second part, Section 4, contains a listing of SDOs that appear to
be working on security standards.
The third part, Section 5, lists the documents which have been found
to offer good practices or recommendations for securing networks and
networking devices.
3. Online Security Glossaries
This section contains references to glossaries of network and
computer security terms.
3.1 SANS Glossary of Security Terms
http://www.sans.org/resources/glossary.php
The SANS Institute (SysAdmin, Audit, Network, Security) was created
in 1989 as, "a cooperative research and education organization."
Updated in May 2003, SANS cites the NSA for their help in creating
the online glossary of security terms. The SANS Institute is also
home to many other resources including the SANS Intrusion Detection
FAQ and the SANS/FBI Top 20 Vulnerabilities List.
3.2 Internet Security Glossary - RFC 2828
http://www.ietf.org/rfc/rfc2828.txt
Created in May 2000, the document defines itself to be, "an
internally consistent, complementary set of abbreviations,
definitions, explanations, and recommendations for use of terminology
related to information system security." The glossary makes the
distinction of the listed definitions throughout the document as
being:
o a recommended Internet definition
o a recommended non-Internet definition
o not recommended as the first choice for Internet documents but
something that an author of an Internet document would need to
know
o a definition that shouldn't be used in Internet documents
o additional commentary or usage guidance
3.3 Compendium of Approved ITU-T Security Definitions
http://www.itu.int/itudoc/itu-t/com17/activity/def004.html
Addendum to the Compendium of the Approved ITU-T Security-related
Definitions
http://www.itu.int/itudoc/itu-t/com17/activity/add002.html
These extensive materials were created from approved ITU-T
Recommendations with a view toward establishing a common
understanding and use of security terms within ITU-T.
4. Standards Developing Organizations
This section of this document lists the SDOs, or organizations that
appear to be developing security related standards. These SDOs are
listed in alphabetical order.
Note: The authors would appreciate corrections and additions. This
note will be removed before publication as an RFC.
4.1 3GPP - Third Generation Partnership Project
http://www.3gpp.org
The 3rd Generation Partnership Project (3GPP) is a collaboration
agreement formed in December 1998. The collaboration agreement is
comprised of several telecommunications standards bodies which are
known as "Organizational Partners". The current Organizational
Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC.
4.2 3GPP2 - Third Generation Partnership Project 2
http://www.3gpp2.org
Third Generation Partnership Project 2 (3GPP2) is a collaboration
among Organizational Partners much like its sister project 3GPP. The
Organizational Partners (OPs) currently involved with 3GPP2 are ARIB,
CCSA, TIA, TTA, and TTC. In addition to the OPs, 3GPP2 also welcomes
the CDMA Development Group and IPv6 Forum as Market Representation
Partners for market advice.
4.3 ANSI - The American National Standards Institute
http://www.ansi.org
ANSI is a private, non-profit organization that organizes and
oversees the U.S. voluntary standardization and conformity
assessment system. ANSI was founded October 19, 1918.
4.4 ATIS - Alliance for Telecommunications Industry Solutions
http://www.atis.org
ATIS is a United States based body that is committed to rapidly
developing and promoting technical and operations standards for the
communications and related information technologies industry
worldwide using a pragmatic, flexible and open approach. ATIS is
accredited by the American National Standards Institute.
4.5 CC - Common Criteria
http://csrc.nist.gov/cc/
Note: The URL for the Common Criteria organization was
http://www.commoncriteria.org/ however, they have elected to take
their web site offline for the time being. It is hoped that the
proper URL will be available before this document becomes an RFC.
This note will be removed prior to publication as an RFC.
In June 1993, the sponsoring organizations of the existing US,
Canadian, and European criteria (TCSEC, ITSEC, and similar) started
the Common Criteria Project to align their separate criteria into a
single set of IT security criteria.
4.6 ETSI - The European Telecommunications Standard Institute
http://www.etsi.org
ETSI is an independent, non-profit organization which produces
telecommunications standards. ETSI is based in Sophia-Antipolis in
the south of France and maintains a membership from 55 countries.
Joint work between ETSI and ITU-T SG-17
http://docbox.etsi.org/OCG/OCG/GSC9/GSC9_JointT%26R/GSC9_Joint_011_Security_Standardization_in_ITU.ppt
4.7 IEEE - The Institute of Electrical and Electronics Engineers, Inc.
http://www.ieee.org
IEEE is a non-profit, technical professional association of more than
360,000 individual members in approximately 175 countries. The IEEE
produces 30 percent of the world's published literature in electrical
engineering, computers and control technology through its technical
publishing, conferences and consensus-based standards activities.
4.8 IETF - The Internet Engineering Task Force
http://www.ietf.org
IETF is a large, international community open to any interested
individual concerned with the evolution of the Internet architecture
and the smooth operation of the Internet.
4.9 ISO - The International Organization for Standardization
http://www.iso.org
ISO is a network of the national standards institutes of 148
countries, on the basis of one member per country, with a Central
Secretariat in Geneva, Switzerland, that coordinates the system. ISO
officially began operations on February 23, 1947.
4.10 ITU - International Telecommunication Union
http://www.itu.int
The ITU is an international organization within the United Nations
System headquartered in Geneva, Switzerland. The ITU is comprised of
three sectors:
4.10.1 ITU Telecommunication Standardization Sector - ITU-T
http://www.itu.int/ITU-T/
ITU-T's mission is to ensure an efficient and on-time production of
high quality standards covering all fields of telecommunications.
4.10.2 ITU Radiocommunication Sector - ITU-R
http://www.itu.int/ITU-R/
The ITU-R plays a vital role in the management of the radio-frequency
spectrum and satellite orbits.
4.10.3 ITU Telecom Development - ITU-D
(also referred to as ITU Telecommunication Development Bureau - BDT)
http://www.itu.int/ITU-D/
The Telecommunication Development Bureau (BDT) is the executive arm
of the Telecommunication Development Sector. Its duties and
responsibilities cover a variety of functions ranging from programme
supervision and technical advice to the collection, processing and
publication of information relevant to telecommunication development.
4.11 OIF - Optical Internetworking Forum
http://www.oiforum.com/
On April 20, 1998 Cisco Systems and Ciena Corporation announced an
industry-wide initiative to create the Optical Internetworking Forum,
an open forum focused on accelerating the deployment of optical
internetworks.
4.12 NRIC - The Network Reliability and Interoperability Council
http://www.nric.org/
The purposes of the Committee are to give telecommunications industry
leaders the opportunity to provide recommendations to the FCC and to
the industry that assure optimal reliability and interoperability of
telecommunications networks. The Committee addresses topics in the
area of Homeland Security, reliability, interoperability, and
broadband deployment.
4.13 T1 - Committee T1
http://www.t1.org
Established in February 1984, Committee T1 develops technical
standards and reports regarding interconnection and interoperability
of telecommunications networks. T1 is sponsored by ATIS and is
accredited by ANSI. Committee T1 had six technical subcommittees,
T1A1, T1E1, T1M1, T1P1, T1S1, and T1X1. As a result of the recent
ATIS reorganization on January 1, 2004 Committee T1 as a group no
longer exists. The six committees mentioned still exist but there
are 2 additional ones. T1M1 is now identified as T1M1 OAM&P and T1M1
O&B. The other group that has been split is T1S1, and the two parts are
T1S1 - signaling (interoperability) and T1S1 - packet based networks, which
have now become stand-alone committees under ATIS. Due to the
reorganization, some groups may have a new mission and scope
statement as well as a name change.
4.13.1 T1A1: Performance, Reliability, and Signal Processing
http://www.t1.org/t1a1/t1a1.htm
T1A1 develops and recommends standards, requirements, and technical
reports related to the performance, reliability, and associated
security aspects of communications networks, as well as the
processing of voice, audio, data, image, and video signals, and their
multimedia integration.
4.13.2 T1E1: Interfaces, Power & Protection of Networks
http://www.t1.org/t1e1/t1e1.htm
T1E1 develops and recommends standards and technical reports related
to power systems, electrical and physical protection for the exchange
and interexchange carrier networks, and interfaces associated with
user access to telecommunications networks.
4.13.3 T1M1: Management OAM&P (Internetwork Operations,
Administration, Maintenance and Provisioning)
http://www.t1.org/t1m1/t1m1.htm
T1M1 develops internetwork operations, administration, maintenance
and provisioning standards, and technical reports related to
interfaces for telecommunications networks.
4.13.4 T1M1 O&B
There will be a new scope and mission differentiating this group from
T1M1 OAM&P. The authors are unsure if they will use the same URL.
The authors are investigating this and hope to provide a clear scope
of their effort.
4.13.5 T1P1: Wireless/Mobile Services and Systems
http://www.t1.org/t1p1/t1p1.htm
T1P1 develops and recommends standards and technical reports related
to wireless and/or mobile services and systems, including service
descriptions and wireless technologies.
4.13.6 T1S1: Signaling
http://www.t1.org/t1s1/t1s1.htm
T1S1 develops and recommends standards and technical reports related
to services, architectures, and signaling. As a result of the
reorganization, this group may have a new scope and charter.
4.13.7 T1S1: Packet Based Networks
As a result of the reorganization, this group will also probably have
a new mission and scope. The URL for the Signaling group of T1S1
currently leads to both of the groups.
4.13.8 T1X1: Digital Hierarchy and Synchronization
http://www.t1.org/t1x1/t1x1.htm
T1X1 develops and recommends standards and prepares technical reports
related to telecommunications network technology pertaining to
network synchronization interfaces and hierarchical structures
including optical technology.
4.14 TIA - The Telecommunications Industry Association
http://www.tiaonline.org
TIA is accredited by ANSI to develop voluntary industry standards for
a wide variety of telecommunications products. TIA's Standards and
Technology Department is composed of five divisions: Fiber Optics,
User Premises Equipment, Network Equipment, Wireless Communications
and Satellite Communications.
5. Security Best Practices Efforts and Documents
This section lists the works produced by the SDOs.
5.1 3GPP - TSG SA WG3 (Security)
http://www.3gpp.org/TB/SA/SA3/SA3.htm
TSG SA WG3 Security is responsible for the security of the 3GPP
system, performing analyses of potential security threats to the
system, considering the new threats introduced by the IP based
services and systems and setting the security requirements for the
overall 3GPP system.
Specifications:
http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm
Work Items:
http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--s3--wis.htm
3GPP Confidentiality and Integrity algorithms:
http://www.3gpp.org/TB/Other/algorithms.htm
5.2 3GPP2 - TSG-S Working Group 4 (Security)
http://www.3gpp2.org/Public_html/S/index.cfm
The Services and Systems Aspects TSG (TSG-S) is responsible for the
development of service capability requirements for systems based on
3GPP2 specifications. Among its responsibilities TSG-S is addressing
management, technical coordination, as well as architectural and
requirements development associated with all end-to-end features,
services and system capabilities including, but not limited to,
security and QoS.
TSG-S Specifications:
http://www.3gpp2.org/Public_html/specs/index.cfm#tsgs
5.3 American National Standard T1.276-2003 - Baseline Security
Requirements for the Management Plane
Abstract: This standard contains a set of baseline security
requirements for the management plane. The President's National
Security Telecommunications Advisory Committee Network Security
Information Exchange (NSIE) and Government NSIE jointly established a
Security Requirements Working Group (SRWG) to examine the security
requirements for controlling access to the public switched network,
in particular with respect to the emerging next generation network.
In the telecommunications industry, this access incorporates
operation, administration, maintenance, and provisioning for network
elements and various supporting systems and databases. Members of
the SRWG, from a cross-section of telecommunications carriers and
vendors, developed an initial list of security requirements that
would allow vendors, government departments and agencies, and service
providers to implement a secure telecommunications network management
infrastructure. This initial list of security requirements was
submitted as a contribution to Committee T1 - Telecommunications,
Working Group T1M1.5 for consideration as a standard. The
requirements outlined in this document will allow vendors, government
departments and agencies, and service providers to implement a secure
telecommunications network management infrastructure.
Documents:
http://webstore.ansi.org/ansidocstore/product.asp?sku=T1%2E276%2D2003
5.4 ATIS Committee T1 Security & Emergency Preparedness Activities
http://www.atis.org/atis/atisinfo/emergency/security_committee_activities_T1.htm
The link above contains the description of the ATIS Committee T1
Communications Security Model, the scopes of the Technical
Subcommittees in relation to the security model, and a list of
published documents produced by ATIS Committee T1 addressed to
various aspects of network security. Care should be taken in the
future when citing T1 because that reference may go away as a result
of the ATIS reorganization.
5.5 ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End
Standards and Solutions
ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf
The ATIS TOPS Security Focus Group has made recommendations on work
items needed to be performed by other SDOs.
5.6 Common Criteria
http://csrc.nist.gov/cc/
Version 1.0 of the CC was completed in January 1996. Based on a
number of trial evaluations and an extensive public review, Version
1.0 was extensively revised and CC Version 2.0 was produced in April
of 1998. This became ISO International Standard 15408 in 1999. The
CC Project subsequently incorporated the minor changes that had
resulted in the ISO process, producing CC version 2.1 in August 1999.
Common Criteria v2.1 contains:
Part 1 - Intro & General Model
Part 2 - Functional Requirements (including Annexes)
Part 3 - Assurance Requirements
Documents: Common Criteria V2.1
http://csrc.nist.gov/cc/CC-v2.1.html
5.7 ETSI
http://www.etsi.org
The ETSI hosted the ETSI Global Security Conference in late November,
2003, which could lead to a standard.
Groups related to security located from the ETSI Groups Portal:
OCG Security
3GPP SA3
TISPAN WG7
5.8 Security Certification and Accreditation of Information Systems
(SCAISWG)
IEEE Working Group - http://ieeeia.org/scaiswg/
Purpose of Proposed Project:
Activities critical to societal infrastructure are highly dependent
on information systems for continuity and survival. This standard
will improve confidence that a system's controls are adequate and
effective in protecting information and that interconnecting systems
can be trusted.
Documents: P1700 Project Authorization Request (PAR)
NIST Security C&A Project
5.9 Operational Security Requirements for IP Network Infrastructure :
Advanced Requirements
IETF Internet-Draft
Abstract: This document defines a list of operational security
requirements for the infrastructure of large IP networks (routers and
switches) which are considered to be best current practice (BCP). A
framework is defined for specifying "profiles", which are collections
of requirements applicable to certain network topology contexts (all,
core-only, edge-only...). The goal is to provide network operators a
clear, concise way of communicating their security requirements to
vendors.
Documents:
http://www.ietf.org/internet-drafts/draft-jones-opsec-info-00.txt
http://www.ietf.org/internet-drafts/draft-jones-opsec-03.txt
5.10 Guidelines for the management of IT Security
Guidelines for the management of IT Security - Part 5: Management
guidance on network security
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40&ICS3=
Open Systems Interconnection -- Network layer security protocol
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100&ICS3=30
5.11 ITU-T Study Group 2
http://www.itu.int/ITU-T/studygroups/com02/index.asp
Security related recommendations currently under study:
E.408 Telecommunication networks security requirements Q.5/2
(was E.sec1)
E.409 Incident Organisation and Security Incident Handling Q.5/
2 (was E.sec2)
Note: Access requires TIES account.
5.12 ITU-T Recommendation M.3016
http://www.itu.int/itudoc/itu-t/com4/contr/068.html
This recommendation provides an overview and framework that
identifies security threats to a TMN and outlines how available
security services can be applied within the context of the TMN
functional architecture.
5.13 ITU-T Recommendation X.805
http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html
This Recommendation defines the general security-related
architectural elements that, when appropriately applied, can provide
end-to-end network security.
5.14 ITU-T Study Group 16
http://www.itu.int/ITU-T/studygroups/com16/index.asp
Security of Multimedia Systems and Services - Question G/16
http://www.itu.int/ITU-T/studygroups/com16/sg16-qg.html
5.15 ITU-T Study Group 17
http://www.itu.int/ITU-T/studygroups/com17/index.asp
ITU-T Study Group 17 is the Lead Study Group on Communication System
Security
http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html
Study Group 17 Security Project:
http://www.itu.int/ITU-T/studygroups/com17/security/index.html
During its November 2002 meeting, Study Group 17 agreed to establish
a new project entitled "Security Project" under the leadership of
Q.10/17 to coordinate the ITU-T standardization effort on security.
An analysis of the status on ITU-T Study Group action on information
and communication network security may be found in TSB Circular 147
of 14 February 2003.
5.16 Catalogue of ITU-T Recommendations related to Communications
System Security
http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html
The Catalogue of the approved security Recommendations includes those
designed for security purposes and those which describe or use
functions of security interest and need. Although some of the
security related Recommendations include the phrase "Open Systems
Interconnection", much of the information contained in them is
pertinent to the establishment of security functionality in any
communicating system.
5.17 ITU-T Security Manual
http://www.itu.int/ITU-T/edh/files/security-manual.pdf
TSB is preparing an "ITU-T Security Manual" to provide an overview on
security in telecommunications and information technologies, describe
practical issues, and indicate how the different aspects of security
in today's applications are addressed by ITU-T Recommendations. This
manual has a tutorial character: it collects security related
material from ITU-T Recommendations into one place and explains the
respective relationships. The intended audience for this manual is
engineers and product managers, students and academia, as well as
regulators who want to better understand security aspects in
practical applications.
5.18 NRIC VI Focus Groups
http://www.nric.org/fg/index.html
The Network Reliability and Interoperability Council (NRIC) was
formed with the purpose to provide recommendations to the FCC and to
the industry to assure the reliability and interoperability of
wireless, wireline, satellite, and cable public telecommunications
networks. These documents provide general information and guidance
on NRIC Focus Group 1B (Cybersecurity) Best Practices for the
prevention of cyberattack and for restoration following a
cyberattack.
Documents:
Homeland Defense - Recommendations Published 14-Mar-03
Preventative Best Practices - Recommendations Published 14-Mar-03
Recovery Best Practices - Recommendations Published 14-Mar-03
Best Practice Appendices - Recommendations Published 14-Mar-03
5.19 OIF Implementation Agreements
The OIF has 2 approved Implementation Agreements (IAs) relating to
security. They are:
OIF-SMI-01.0 - Security Management Interfaces to Network Elements
This Implementation Agreement lists objectives for securing OAM&P
interfaces to a Network Element and then specifies ways of using
security systems (e.g., IPsec or TLS) for securing these interfaces.
It summarizes how well each of the systems, used as specified,
satisfies the objectives.
OIF-SEP-01.1 - Security Extension for UNI and NNI
This Implementation Agreement defines a common Security Extension for
securing the protocols used in UNI 1.0, UNI 2.0, and NNI.
Documents: http://www.oiforum.com/public/documents/Security-IA.pdf
5.20 TIA
The TIA has produced the "Compendium of Emergency Communications and
Communications Network Security-related Work Activities". This
document identifies standards, or other technical documents and
ongoing Emergency/Public Safety Communications and Communications
Network Security-related work activities within TIA and its
Engineering Committees. Many P25 documents are specifically
detailed. This "living document" is presented for information,
coordination and reference.
Documents: http://www.tiaonline.org/standards/cip/EMTEL_sec.pdf
6. Security Considerations
This document describes efforts to standardize security practices and
documents. As such this document offers no security guidance
whatsoever.
Readers of this document should be aware of its date of publication.
The concern is that readers may assume that the efforts, on-line
material, and documents described here are current, whereas they may
no longer be. Please consider this when reading this document.
7. IANA Considerations
This Internet-Draft does not propose a standard; it only pulls
together information about the security-related efforts of the
Standards Developing Organizations and some other efforts which
provide good security methods, practices or recommendations.
8. Acknowledgments
The following people have contributed to this document. Listing
their names here does not mean that they endorse the document, but
that they have contributed to its substance.
John McDonough, Art Reilly, Chip Sharp.
9. Changes from Prior Drafts
-00 : This is the -00 draft. Others may not consider it perfect yet
but that's their opinion. :-)
Note: This section will be removed before publication as an RFC.
Authors' Addresses
Chris Lonvick
Cisco Systems
12515 Research Blvd.
Austin, Texas 78759
US
Phone: +1 512 378 1182
EMail: clonvick@cisco.com
David Spak
Cisco Systems
12515 Research Blvd.
Austin, Texas 78759
US
Phone: +1 512 378 1720
EMail: dspak@cisco.com
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
Full Copyright Statement
Copyright (C) The Internet Society (2004). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assignees.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.