Network Working Group C. Lonvick Internet-Draft D. Spak Expires: January 5, 2005 Cisco Systems July 7, 2004 Security Best Practices Efforts and Documents draft-lonvick-sec-efforts-00.txt Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on January 5, 2005. Copyright Notice Copyright (C) The Internet Society (2004). All Rights Reserved. Abstract This document provides a snapshot of the current efforts to define or apply security requirements in various Standards Developing Organizations (SDO). Lonvick & Spak Expires January 5, 2005 [Page 1] Internet-Draft Security Best Practices Efforts and DocumentsJuly 2004 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Format of this Document . . . . . . . . . . . . . . . . . . 5 3. Online Security Glossaries . . . . . . . . . . . . . . . . . 6 3.1 SANS Glossary of Security Terms . . . . . . . . . . . . . 6 3.2 Internet Security Glossary - RFC 2828 . . . . . . . . . . 6 3.3 Compendium of Approved ITU-T Security Definitions . . . . 6 4. Standards Developing Organizations . . . . . . . . . . . . . 7 4.1 3GPP - Third Generation P P . . . . . . . . . . . . . . . 7 4.2 3GPP2 - Third Generation P P 2 . . . . . . . . . . . . . . 7 4.3 ANSI - The American National Standards Institute . . . . . 7 4.4 ATIS - Alliance for Telecommunications Industry Solutions . . . . . . . . . . . . . . . . . . . . . . . . 7 4.5 CC - Common Criteria . . . . . . . . . . . . . . . . . . . 8 4.6 ETSI - The European Telecommunications Standard Institute . . . . . . . . . . . . . . . . . . . . . . . . 8 4.7 IEEE - The Institute of Electrical and Electronics Engineers, Inc. . . . . . . . . . . . . . . . . . . . . . 8 4.8 IETF - The Internet Engineering Task Force . . . . . . . . 8 4.9 ISO - The International Organization for Standardization . 9 4.10 ITU - International Telecommunication Union . . . . . . 9 4.10.1 ITU Telecommunication Standardization Sector - ITU-T . . . . . . . . . . . . . . . . . . . . . . . 9 4.10.2 ITU Radiocommunication Sector - ITU-R . . . . . . . 9 4.10.3 ITU Telecom Development - ITU-D . . . . . . . . . . 9 4.11 OIF - Optical Internetworking Forum . . . . . . . . . . 9 4.12 NRIC - The Network Reliability and Interoperability Council . . . . . . . . . . . . . . . . . . . . . . . . 10 4.13 T1 - Comittee T1 . . . . . . . . . . . . . . . . . . . . 10 4.13.1 T1A1: Performance, Reliability, and Signal Processing . . . . . . . . . . . . . . . . . . . . . 10 4.13.2 T1E1: Interfaces, Power & Protection of Networks . 10 4.13.3 T1M1: Management OAM&P (Internetwork Operations, Administration, Maintenance and Provisioning) . . . 11 4.13.4 T1M1 O&B . . . . . . . . . . . . . . . . . . . . . . 11 4.13.5 T1P1: Wireless/Mobile Services and Systems . . . . 11 4.13.6 T1S1: Signaling . . . . . . . . . . . . . . . . . . 11 4.13.7 T1S1: Packet Based Networks . . . . . . . . . . . . 11 4.13.8 T1X1: Digital Hierarchy and Synchronization . . . . 11 4.14 TIA - The Telecommunications Industry Association . . . 12 5. Security Best Practices Efforts and Documents . . . . . . . 13 5.1 3GPP - TSG SA WG3 (Security) . . . . . . . . . . . . . . . 13 5.2 3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 13 5.3 American National Standard T1.276-2003 - Baseline Security Requirements for the Management Plane . . . . . . 13 5.4 ATIS Committee T1 Security & Emergency Preparedness Activities . . . . . . . . . . . . . . . . . . . . . . . . 14 Lonvick & Spak Expires January 5, 2005 [Page 2] Internet-Draft Security Best Practices Efforts and DocumentsJuly 2004 5.5 ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End Standards and Solutions . . . . . . . . . . . . 14 5.6 Common Criteria . . . . . . . . . . . . . . . . . . . . . 14 5.7 ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 5.8 Security Certification and Accreditation of Information Systems (SCAISWG) . . . . . . . . . . . . . . . . . . . . 15 5.9 Operational Security Requirements for IP Network Infrastructure : Advanced Requirements . . . . . . . . . . 15 5.10 Guidelines for the management of IT Security . . . . . . 16 5.11 ITU-T Study Group 2 . . . . . . . . . . . . . . . . . . 16 5.12 ITU-T Recommendation M.3016 . . . . . . . . . . . . . . 16 5.13 ITU-T Recommendation X.805 . . . . . . . . . . . . . . 16 5.14 ITU-T Study Group 16 . . . . . . . . . . . . . . . . . . 17 5.15 ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . 17 5.16 Catalogue of ITU-T Recommendations related to Communications System Security . . . . . . . . . . . . . 17 5.17 ITU-T Security Manual . . . . . . . . . . . . . . . . . 17 5.18 NRIC VI Focus Groups . . . . . . . . . . . . . . . . . . 18 5.19 OIF Implementation Agreements . . . . . . . . . . . . . 18 5.20 TIA . . . . . . . . . . . . . . . . . . . . . . . . . . 19 6. Security Considerations . . . . . . . . . . . . . . . . . . 20 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . 21 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 22 9. Changes from Prior Drafts . . . . . . . . . . . . . . . . . 23 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 23 Intellectual Property and Copyright Statements . . . . . . . 24 Lonvick & Spak Expires January 5, 2005 [Page 3] Internet-Draft Security Best Practices Efforts and DocumentsJuly 2004 1. Introduction The Internet is being recognized as a critical infrastructure similar in nature to the power grid and a potable water supply. Just like those infrastructures, means are needed to provide resiliency and adaptability to the Internet so that it remains consistently available to the public throughout the world even during times of duress or attack. For this reason, many SDOs are developing standards with hopes of retaining an acceptable level, or even improving this availability, to its users. These SDO efforts usually define themselves as "security" efforts. It is the opinion of the authors that there are many different definitions of the term "security" and it may be applied in many diverse ways. As such, we offer no assurance that the term is applied consistently throughout this document. Many of these SDOs have diverse charters and goals and will take entirely different directions in their efforts to provide standards. However, even with that, there will be overlaps in their produced works. If there are overlaps then there is a potential for conflicts and confusion. This may result in: Vendors of networking equipment who are unsure of which standard to follow. Purchasers of networking equipment who are unsure of which standard will best apply to the needs of their business or ogranization. Network Administrators and Operators unsure of which standard to follow to attain the best security for their network. For these reasons, the authors wish to encourage all SDOs who have an interest in producing, or in consuming standards relating to good security practices to be consistent in their approach and their recommendations. In many cases, the authors are aware that the SDOs are making good efforts along these lines. However, the authors do not participate in all SDO efforts and cannot know everything that is happening. The authors of this document would like to keep it open as an Internet Draft for approximately 6 months for the date of the first submission. We hope that it will be spread far and wide and that the leaders of SDO efforts will contact us with updated information so that their own effort may be listed in this document, or so that corrections may be made. Comments on this document may be addressed to the authors. Lonvick & Spak Expires January 5, 2005 [Page 4] Internet-Draft Security Best Practices Efforts and DocumentsJuly 2004 2. Format of this Document The body of this document has three sections. The first part of the body of this document, Section 3, contains a listing of online glossaries relating to networking and security. It is very important that the definitions of words relating to security and security events be consistent. Inconsistencies between the useage of words on standards is unacceptable as it would prevent a reader of two standards to appropriately relate their recommendations. The authors of this document have not reviewed the definitions of the words in the listed glossaries so can offer no assurance of their alignment. The second part, Section 4, contains a listing of SDOs that appear to be working on security standards. The third part, Section 5, lists the documents which have been found to offer good practices or recommendations for securing networks and networking devices. Lonvick & Spak Expires January 5, 2005 [Page 5] Internet-Draft Security Best Practices Efforts and DocumentsJuly 2004 3. Online Security Glossaries This section contains references to glossaries of network and computer security terms 3.1 SANS Glossary of Security Terms http://www.sans.org/resources/glossary.php The SANS Institute (SysAdmin, Audit, Network, Security) was created in 1989 as, "a cooperative research and education organization." Updated in May 2003, SANS cites the NSA for their help in creating the online glossary of security terms. The SANS Institute is also home to many other resources including the SANS Intrusion Detection FAQ and the SANS/FBI Top 20 Vulnerabilities List. 3.2 Internet Security Glossary - RFC 2828 http://www.ietf.org/rfc/rfc2828.txt Created in May 2000, the document defines itself to be, "an internally consistent, complementary set of abbreviations, definitions, explanations, and recommendations for use of terminology related to information system security." The glossary makes the distinction of the listed definitions throughout the document as being: o a recommended Internet definition o a recommended non-Internet definition o not recommended as the first choice for Internet documents but something that an author of an Internet document would need to know o a definition that shouldn't be used in Internet documents o additional commentary or usage guidance 3.3 Compendium of Approved ITU-T Security Definitions http://www.itu.int/itudoc/itu-t/com17/activity/def004.html Addendum to the Compendium of the Approved ITU-T Security-related Definitions http://www.itu.int/itudoc/itu-t/com17/activity/add002.html These extensive materials were created from approved ITU-T Recommendations with a view toward establishing a common understanding and use of security terms within ITU-T. Lonvick & Spak Expires January 5, 2005 [Page 6] Internet-Draft Security Best Practices Efforts and DocumentsJuly 2004 4. Standards Developing Organizations This section of this document lists the SDOs, or organizations that appear to be developing security related standards. These SDOs are listed in alphabetical order. Note: The authors would appreciate corrections and additions. This note will be removed before publication as an RFC. 4.1 3GPP - Third Generation P P http://www.3gpp.org The 3rd Generation Partnership Project (3GPP) is a collaboration agreement formed in December 1998. The collaboration agreement is comprised of several telecommunications standards bodies which are known as "Organizational Partners". The current Organizational Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC. 4.2 3GPP2 - Third Generation P P 2 http://www.3gpp2.org Third Generation Partnership Project 2 (3GPP2) is a collaboration among Organizational Partners much like its sister project 3GPP. The Organizational Partners (OPs) currently involved with 3GPP2 are ARIB, CCSA, TIA, TTA, and TTC. In addition to the OPs, 3GPP2 also welcomes the CDMA Development Group and IPv6 Forum as Market Representation Partners for market advice. 4.3 ANSI - The American National Standards Institute http://www.ansi.org ANSI is a private, non-profit organization that organizes and oversees the U.S. voluntary standardization and conformity assessment system. ANSI was founded October 19, 1918. 4.4 ATIS - Alliance for Telecommunications Industry Solutions http://www.atis.org ATIS is a United States based body that is committed to rapidly developing and promoting technical and operations standards for the communications and related information technologies industry worldwide using pragmatic, flexible and open approach. ATIS is accredited by the American National Standards Institute. Lonvick & Spak Expires January 5, 2005 [Page 7] Internet-Draft Security Best Practices Efforts and DocumentsJuly 2004 4.5 CC - Common Criteria http://csrc.nist.gov/cc/ Note: The URL for the Common Criteria organization was http://www.commoncriteria.org/ however, they have elected to take their web site offline for the time being. It is hoped that the proper URL will be available before this document becomes an RFC. This note will be removed prior to publication as an RFC. In June 1993, the sponsoring organizations of the existing US, Canadian, and European criterias (TCSEC, ITSEC, and similar) started the Common Criteria Project to align their separate criteria into a single set of IT security criteria. 4.6 ETSI - The European Telecommunications Standard Institute http://www.etsi.org ETSI is an independent, non-profit organization which produces telecommunications standards. ETSI is based in Sophia-Antipolis in the south of France and maintains a membership from 55 countries. Joint work between ETSI and ITU-T SG-17 http://docbox.etsi.org/OCG/OCG/GSC9/GSC9_JointT%26R/ GSC9_Joint_011_Security_Standardization_in_ITU.ppt 4.7 IEEE - The Institute of Electrical and Electronics Engineers, Inc. http://www.ieee.org IEEE is a non-profit, technical professional association of more than 360,000 individual members in approximately 175 countries. The IEEE produces 30 percent of the world's published literature in electrical engineering, computers and control technology through its technical publishing, conferences and consensus-based standards activities. 4.8 IETF - The Internet Engineering Task Force http://www.ietf.org IETF is a large, international community open to any interested individual concerned with the evolution of the Internet architecture and the smooth operation of the Internet. Lonvick & Spak Expires January 5, 2005 [Page 8] Internet-Draft Security Best Practices Efforts and DocumentsJuly 2004 4.9 ISO - The International Organization for Standardization http://www.iso.org ISO is a network of the national standards institutes of 148 countries, on the basis of one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system. ISO officially began operations on February 23, 1947. 4.10 ITU - International Telecommunication Union http://www.itu.int The ITU is an international organization within the United Nations System headquartered in Geneva, Switzerland. The ITU is comprised of three sectors: 4.10.1 ITU Telecommunication Standardization Sector - ITU-T http://www.itu.int/ITU-T/ ITU-T's mission is to ensure an efficient and on-time production of high quality standards covering all fields of telecommunications. 4.10.2 ITU Radiocommunication Sector - ITU-R http://www.itu.int/ITU-R/ The ITU-R plays a vital role in the management of the radio-frequency spectrum and satellite orbits. 4.10.3 ITU Telecom Development - ITU-D (also referred as ITU Telecommunication Development Bureau - BDT) http://www.itu.int/ITU-D/ The Telecommunication Development Bureau (BDT) is the executive arm of the Telecommunication Development Sector. Its duties and responsibilities cover a variety of functions ranging from programme supervision and technical advice to the collection, processing and publication of information relevant to telecommunication development. 4.11 OIF - Optical Internetworking Forum http://www.oiforum.com/ On April 20, 1998 Cisco Systems and Ciena Corporation announced an Lonvick & Spak Expires January 5, 2005 [Page 9] Internet-Draft Security Best Practices Efforts and DocumentsJuly 2004 industry-wide initiative to create the Optical Internetworking Forum, an open forum focused on accelerating the deployment of optical internetworks. 4.12 NRIC - The Network Reliability and Interoperability Council http://www.nric.org/ The purposes of the Committee are to give telecommunications industry leaders the opportunity to provide recommendations to the FCC and to the industry that assure optimal reliability and interoperability of telecommunications networks. The Committee addresses topics in the area of Homeland Security, reliability, interoperability, and broadband deployment. 4.13 T1 - Comittee T1 http://www.t1.org Established in February 1984, Committee T1 develops technical standards and reports regarding interconnection and interoperability of telecommunications networks. T1 is sponsored by ATIS and is accredited by ANSI. Committee T1 had six technical subcommittees, T1A1, T1E1, T1M1, T1P1, T1S1, and T1X1. As a result of the recent ATIS reorganization on January 1, 2004 Committee T1 as a group no longer exists. The six committees mentioned still exist but there are 2 additional ones. T1M1 is now identified as T1M1 OAM&P and T1M1 O&B. The other group that has been split is T1S1 and they are T1S1 - signaling (interoperability) and T1S1- packet based networks which have now become stand-alone committees under ATIS. Due to the reorganization, some groups may have a new mission and scope statement as well as a name change. 4.13.1 T1A1: Performance, Reliability, and Signal Processing http://www.t1.org/t1a1/t1a1.htm T1A1 develops and recommends standards, requirements, and technical reports related to the performance, reliability, and associated security aspects of communications networks, as well as the processing of voice, audio, data, image, and video signals, and their multimedia integration. 4.13.2 T1E1: Interfaces, Power & Protection of Networks http://www.t1.org/t1e1/t1e1.htm T1E1 develops and recommends standards and technical reports related Lonvick & Spak Expires January 5, 2005 [Page 10] Internet-Draft Security Best Practices Efforts and DocumentsJuly 2004 to power systems, electrical and physical protection for the exchange and interexchange carrier networks, and interfaces associated with user access to telecommunications networks. 4.13.3 T1M1: Management OAM&P (Internetwork Operations, Administration, Maintenance and Provisioning) http://www.t1.org/t1m1/t1m1.htm T1M1 develops internetwork operations, administration, maintenance and provisioning standards, and technical reports related to interfaces for telecommunications networks. 4.13.4 T1M1 O&B There will be a new scope and mission differentiating this group from T1M1 OAM&P. The authors are unsure if they will use the same URL. The authors are investigating this and hope to provide a clear scope of their effort. 4.13.5 T1P1: Wireless/Mobile Services and Systems http://www.t1.org/t1p1/t1p1.htm T1P1 develops and recommends standards and technical reports related to wireless and/or mobile services and systems, including service descriptions and wireless technologies. 4.13.6 T1S1: Signaling http://www.t1.org/t1s1/t1s1.htm T1S1 develops and recommends standards and technical reports related to services, architectures, and signaling. As a result of the reorganization, this group may have a new scope and charter. 4.13.7 T1S1: Packet Based Networks As a result of the reorganization this group will also probably have a new mission and scope . The URL for the Signaling group of T1S1 will currently lead to both of the groups. 4.13.8 T1X1: Digital Hierarchy and Synchronization http://www.t1.org/t1x1/t1x1.htm T1X1 develops and recommends standards and prepares technical reports Lonvick & Spak Expires January 5, 2005 [Page 11] Internet-Draft Security Best Practices Efforts and DocumentsJuly 2004 related to telecommunications network technology pertaining to network synchronization interfaces and hierarchical structures including optical technology. 4.14 TIA - The Telecommunications Industry Association http://www.tiaonline.org TIA is accredited by ANSI to develop voluntary industry standards for a wide variety of telecommunications products. TIA's Standards and Technology Department is composed of five divisions: Fiber Optics, User Premises Equipment, Network Equipment, Wireless Communications and Satellite Communications. Lonvick & Spak Expires January 5, 2005 [Page 12] Internet-Draft Security Best Practices Efforts and DocumentsJuly 2004 5. Security Best Practices Efforts and Documents This section lists the works produced by the SDOs. 5.1 3GPP - TSG SA WG3 (Security) http://www.3gpp.org/TB/SA/SA3/SA3.htm TSG SA WG3 Security is responsible for the security of the 3GPP system, performing analyses of potential security threats to the system, considering the new threats introduced by the IP based services and systems and setting the security requirements for the overall 3GPP system. Specifications: http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm Work Items: http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--s3--wis.htm 3GPP Confidentiality and Integrity algorithms: http://www.3gpp.org/TB/Other/algorithms.htm 5.2 3GPP2 - TSG-S Working Group 4 (Security) http://www.3gpp2.org/Public_html/S/index.cfm The Services and Systems Aspects TSG (TSG-S) is responsible for the development of service capability requirements for systems based on 3GPP2 specifications. Among its responsibilities TSG-S is addressing management, technical coordination, as well as architectural and requirements development associated with all end-to-end features, services and system capabilities including, but not limited to, security and QoS. TSG-S Specifications: http://www.3gpp2.org/Public_html/specs/index.cfm#tsgs 5.3 American National Standard T1.276-2003 - Baseline Security Requirements for the Management Plane Abstract: This standard contains a set of baseline security requirements for the management plane. The President's National Security Telecommunications Advisory Committee Network Security Information Exchange (NSIE) and Government NSIE jointly established a Security Requirements Working Group (SRWG) to examine the security requirements for controlling access to the public switched network, in particular with respect to the emerging next generation network. Lonvick & Spak Expires January 5, 2005 [Page 13] Internet-Draft Security Best Practices Efforts and DocumentsJuly 2004 In the telecommunications industry, this access incorporates operation, administration, maintenance, and provisioning for network elements and various supporting systems and databases. Members of the SRWG, from a cross-section of telecommunications carriers and vendors, developed an initial list of security requirements that would allow vendors, government departments and agencies, and service providers to implement a secure telecommunications network management infrastructure. This initial list of security requirements was submitted as a contribution to Committee T1 - Telecommunications, Working Group T1M1.5 for consideration as a standard. The requirements outlined in this document will allow vendors, government departments and agencies, and service providers to implement a secure telecommunications network management infrastructure. Documents: http://webstore.ansi.org/ansidocstore/product.asp?sku=T1%2E276%2D2003 5.4 ATIS Committee T1 Security & Emergency Preparedness Activities http://www.atis.org/atis/atisinfo/emergency/ security_committee_activities_T1.htm The link above contains the description of the ATIS Committee T1 Communications Security Model, the scopes of the Technical Subcommittees in relation to the security model, and a list of published documents produced by ATIS Committee T1 addressed to various aspects of network security. Care should be taken in the future when citing T1 because that reference may go away as a result of the ATIS reorganization. 5.5 ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End Standards and Solutions ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf The ATIS TOPS Security Focus Group has made recommendations on work items needed to be performed by other SDOs. 5.6 Common Criteria http://csrc.nist.gov/cc/ Version 1.0 of the CC was completed in January 1996. Based on a number of trial evaluations and an extensive public review, Version 1.0 was extensively revised and CC Version 2.0 was produced in April of 1998. This became ISO International Standard 15408 in 1999. The CC Project subsequently incorporated the minor changes that had resulted in the ISO process, producing CC version 2.1 in August 1999. Lonvick & Spak Expires January 5, 2005 [Page 14] Internet-Draft Security Best Practices Efforts and DocumentsJuly 2004 Common Criteria v2.1 contains: Part 1 - Intro & General Model Part 2 - Functional Requirements (including Annexes) Part 3 - Assurance Requirements Documents: Common Criteria V2.1 http://csrc.nist.gov/cc/CC-v2.1.html 5.7 ETSI http://www.etsi.org The ETSI hosted the ETSI Global Security Conference in late November, 2003, which could lead to a standard. Groups related to security located from the ETSI Groups Portal: OCG Security 3GPP SA3 TISPAN WG7 5.8 Security Certification and Accreditation of Information Systems (SCAISWG) IEEE Working Group - http://ieeeia.org/scaiswg/ Purpose of Proposed Project: Activities critical to societal infrastructure are highly dependent on information systems for continuity and survival. This standard will improve confidence that a system's controls are adequate and effective in protecting information and that interconnecting systems can be trusted. Documents: P1700 Project Authorization Request (PAR) NIST Security C&A Project 5.9 Operational Security Requirements for IP Network Infrastructure : Advanced Requirements IETF Internet-Draft Abstract: This document defines a list of operational security requirements for the infrastructure of large IP networks (routers and switches) which are considered to be best current practice (BCP). A framework is defined for specifying "profiles", which are collections of requirements applicable to certain network topology contexts (all, core-only, edge-only...). The goal is to provide network operators a Lonvick & Spak Expires January 5, 2005 [Page 15] Internet-Draft Security Best Practices Efforts and DocumentsJuly 2004 clear, concise way of communicating their security requirements to vendors. Documents: http://www.ietf.org/internet-drafts/draft-jones-opsec-info-00.txt http://www.ietf.org/internet-drafts/draft-jones-opsec-03.txt 5.10 Guidelines for the management of IT Security Guidelines for the management of IT Security - Part 5: Management guidance on network security http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUM BER=31142&ICS1=35&ICS2=40&ICS3= Open Systems Interconnection -- Network layer security protocol http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUM BER=22084&ICS1=35&ICS2=100&ICS3=30 5.11 ITU-T Study Group 2 http://www.itu.int/ITU-T/studygroups/com02/index.asp Security related recommendations currently under study: E.408 Telecommunication networks security requirements Q.5/2 (was E.sec1) E.409 Incident Organisation and Security Incident Handling Q.5/ 2 (was E.sec2) Note: Access requires TIES account. 5.12 ITU-T Recommendation M.3016 http://www.itu.int/itudoc/itu-t/com4/contr/068.html This recommendation provides an overview and framework that identifies security threats to a TMN and outlines how available security services can be applied within the context of the TMN functional architecture. 5.13 ITU-T Recommendation X.805 http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html This Recommendation defines the general security-related architectural elements that, when appropriately applied, can provide end-to-end network security. Lonvick & Spak Expires January 5, 2005 [Page 16] Internet-Draft Security Best Practices Efforts and DocumentsJuly 2004 5.14 ITU-T Study Group 16 http://www.itu.int/ITU-T/studygroups/com16/index.asp Security of Multimedia Systems and Services - Question G/16 http://www.itu.int/ITU-T/studygroups/com16/sg16-qg.html 5.15 ITU-T Study Group 17 http://www.itu.int/ITU-T/studygroups/com17/index.asp ITU-T Study Group 17 is the Lead Study Group on Communication System Security http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html Study Group 17 Security Project: http://www.itu.int/ITU-T/studygroups/com17/security/index.html During its November 2002 meeting, Study Group 17 agreed to establish a new project entitled "Security Project" under the leadership of Q.10/17 to coordinate the ITU-T standardization effort on security. An analysis of the status on ITU-T Study Group action on information and communication network security may be found in TSB Circular 147 of 14 February 2003. 5.16 Catalogue of ITU-T Recommendations related to Communications System Security http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html The Catalogue of the approved security Recommendations include those, designed for security purposes and those, which describe or use of functions of security interest and need. Although some of the security related Recommendations includes the phrase "Open Systems Interconnection", much of the information contained in them is pertinent to the establishment of security functionality in any communicating system. 5.17 ITU-T Security Manual http://www.itu.int/ITU-T/edh/files/security-manual.pdf TSB is preparing an "ITU-T Security Manual" to provide an overview on security in telecommunications and information technologies, describe practical issues, and indicate how the different aspects of security Lonvick & Spak Expires January 5, 2005 [Page 17] Internet-Draft Security Best Practices Efforts and DocumentsJuly 2004 in today's applications are addressed by ITU-T Recommendations. This manual has a tutorial character: it collects security related material from ITU-T Recommendations into one place and explains the respective relationships. The intended audience for this manual is engineers and product managers, students and academia, as well as regulators who want to better understand security aspects in practical applications. 5.18 NRIC VI Focus Groups http://www.nric.org/fg/index.html The Network Reliability and Interoperability Council (NRIC) was formed with the purpose to provide recommendations to the FCC and to the industry to assure the reliability and interoperability of wireless, wireline, satellite, and cable public telecommunications networks. These documents provide general information and guidance on NRIC Focus Group 1B (Cybersecurity) Best Practices for the prevention of cyberattack and for restoration following a cyberattack. Documents: Homeland Defense - Recommendations Published 14-Mar-03 Preventative Best Practices - Recommendations Published 14-Mar-03 Recovery Best Practices - Recommendations Published 14-Mar-03 Best Practice Appendices - Recommendations Published 14-Mar-03 5.19 OIF Implementation Agreements The OIF has 2 approved Implementation Agreements (IAs) relating to security. They are: OIF-SMI-01.0 - Security Management Interfaces to Network Elements This Implementation Agreement lists objectives for securing OAM&P interfaces to a Network Element and then specifies ways of using security systems (e.g., IPsec or TLS) for securing these interfaces. It summarizes how well each of the systems, used as specified, satisfies the objectives. OIF - SEP - 01.1 - Security Extension for UNI and NNI This Implementation Agreement defines a common Security Extension for securing the protocols used in UNI 1.0, UNI 2.0, and NNI. Documents: http://www.oiforum.com/public/documents/Security-IA.pdf Lonvick & Spak Expires January 5, 2005 [Page 18] Internet-Draft Security Best Practices Efforts and DocumentsJuly 2004 5.20 TIA The TIA has produced the "Compendium of Emergency Communications and Communications Network Security-related Work Activities". This document identifies standards, or other technical documents and ongoing Emergency/Public Safety Communications and Communications Network Security-related work activities within TIA and it's Engineering Committees. Many P25 documents are specifically detailed. This "living document" is presented for information, coordination and reference. Documents: http://www.tiaonline.org/standards/cip/EMTEL_sec.pdf Lonvick & Spak Expires January 5, 2005 [Page 19] Internet-Draft Security Best Practices Efforts and DocumentsJuly 2004 6. Security Considerations This document describes efforts to standardize security practices and documents. As such this document offers no security guidance whatsoever. Readers of this document should be aware of the date of publication of this document. It is feared that they may assume that the efforts, on-line material, and documents are current whereas they may not be. Please consider this when reading this document. Lonvick & Spak Expires January 5, 2005 [Page 20] Internet-Draft Security Best Practices Efforts and DocumentsJuly 2004 7. IANA Considerations This Internet Draft does not propose a standard but is trying to pull together information about the security related efforts of all Standards Developing Organizations and some other efforts which provide good secuirty methods, practices or recommendations. Lonvick & Spak Expires January 5, 2005 [Page 21] Internet-Draft Security Best Practices Efforts and DocumentsJuly 2004 8. Acknowledgments The following people have contributed to this document. Listing their names here does not mean that they endorse the document, but that they have contributed to its substance. John McDonough, Art Reilly, Chip Sharp. Lonvick & Spak Expires January 5, 2005 [Page 22] Internet-Draft Security Best Practices Efforts and DocumentsJuly 2004 9. Changes from Prior Drafts -00 : This is the -00 draft. Others may not consider it perfect yet but that's their opinion. :-) Note: This section will be removed before publication as an RFC. 10 References [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, STD 14, March 1997. [2] Narten, T. and H. Alvestrand, "Guidelines for writing an IANA Considerations Section in RFCs", RFC 2869, BCP 26, October 1998. Authors' Addresses Chris Lonvick Cisco Systems 12515 Research Blvd. Austin, Texas 78759 US Phone: +1 512 378 1182 EMail: clonvick@cisco.com David Spak Cisco Systems 12515 Research Blvd. Austin, Texas 78759 US Phone: +1 512 378 1720 EMail: dspak@cisco.com Lonvick & Spak Expires January 5, 2005 [Page 23] Internet-Draft Security Best Practices Efforts and DocumentsJuly 2004 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director. Full Copyright Statement Copyright (C) The Internet Society (2004). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assignees. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION Lonvick & Spak Expires January 5, 2005 [Page 24] Internet-Draft Security Best Practices Efforts and DocumentsJuly 2004 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Lonvick & Spak Expires January 5, 2005 [Page 25]