--- 1/draft-ietf-opsec-efforts-00.txt 2006-02-05 00:57:14.000000000 +0100 +++ 2/draft-ietf-opsec-efforts-01.txt 2006-02-05 00:57:14.000000000 +0100 
@@ -1,158 +1,162 @@ Network Working Group C. Lonvick Internet-Draft D. Spak -Expires: July 23, 2005 Cisco Systems - January 22, 2005 +Expires: January 8, 2006 Cisco Systems + July 7, 2005 Security Best Practices Efforts and Documents - draft-ietf-opsec-efforts-00.txt + draft-ietf-opsec-efforts-01.txt Status of this Memo - This document is an Internet-Draft and is subject to all provisions - of section 3 of RFC 3667. By submitting this Internet-Draft, each - author represents that any applicable patent or other IPR claims of - which he or she is aware have been or will be disclosed, and any of - which he or she become aware will be disclosed, in accordance with - RFC 3668. + By submitting this Internet-Draft, each author represents that any + applicable patent or other IPR claims of which he or she is aware + have been or will be disclosed, and any of which he or she becomes + aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as - Internet-Drafts. + other groups may also distribute working documents as Internet- + Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on July 23, 2005. + This Internet-Draft will expire on January 8, 2006. Copyright Notice Copyright (C) The Internet Society (2005). 
Abstract This document provides a snapshot of the current efforts to define or apply security requirements in various Standards Developing Organizations (SDO). Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 - 2. Format of this Document . . . . . . . . . . . . . . . . . . 6 - 3. Online Security Glossaries . . . . . . . . . . . . . . . . . 7 - 3.1 ATIS Telecom Glossary 2000 . . . . . . . . . . . . . . . . 7 - 3.2 Critical Infrastructure Glossary of Terms and Acronyms . . 7 - 3.3 Internet Security Glossary - RFC 2828 . . . . . . . . . . 7 - 3.4 Compendium of Approved ITU-T Security Definitions . . . . 7 - 3.5 Microsoft Solutions for Security Glossary . . . . . . . . 8 - 3.6 SANS Glossary of Security Terms . . . . . . . . . . . . . 8 - 3.7 USC InfoSec Glossary . . . . . . . . . . . . . . . . . . . 8 - 4. Standards Developing Organizations . . . . . . . . . . . . . 9 - 4.1 3GPP - Third Generation P P . . . . . . . . . . . . . . . 9 - 4.2 3GPP2 - Third Generation P P 2 . . . . . . . . . . . . . . 9 - 4.3 ANSI - The American National Standards Institute . . . . . 9 + 2. Format of this Document . . . . . . . . . . . . . . . . . . 7 + 3. Online Security Glossaries . . . . . . . . . . . . . . . . . 8 + 3.1 ATIS Telecom Glossary 2000 . . . . . . . . . . . . . . . . 8 + 3.2 Critical Infrastructure Glossary of Terms and Acronyms . . 8 + 3.3 Internet Security Glossary - RFC 2828 . . . . . . . . . . 8 + 3.4 Compendium of Approved ITU-T Security Definitions . . . . 9 + 3.5 Microsoft Solutions for Security Glossary . . . . . . . . 9 + 3.6 SANS Glossary of Security Terms . . . . . . . . . . . . . 9 + 3.7 USC InfoSec Glossary . . . . . . . . . . . . . . . . . . . 9 + 4. Standards Developing Organizations . . . . . . . . . . . . . 10 + 4.1 3GPP - Third Generation Partnership Project . . . . . . . 10 + 4.2 3GPP2 - Third Generation Partnership Project 2 . . . . . . 10 + 4.3 ANSI - The American National Standards Institute . . . . . 
10 4.4 ATIS - Alliance for Telecommunications Industry - Solutions . . . . . . . . . . . . . . . . . . . . . . . . 9 + Solutions . . . . . . . . . . . . . . . . . . . . . . . . 10 4.4.1 ATIS Network Performance, Reliability and Quality - of Service Committee, formerly T1A1 . . . . . . . . . 10 + of Service Committee, formerly T1A1 . . . . . . . . . 11 4.4.2 ATIS Network Interface, Power, and Protection - Committee, formerly T1E1 . . . . . . . . . . . . . . . 10 + Committee, formerly T1E1 . . . . . . . . . . . . . . . 11 4.4.3 ATIS Telecom Management and Operations Committee, - formerly T1M1 OAM&P . . . . . . . . . . . . . . . . . 10 - 4.4.4 ATIS Ordering and Billing Forum regarding T1M1 O&B . . 10 + formerly T1M1 OAM&P . . . . . . . . . . . . . . . . . 11 + 4.4.4 ATIS Ordering and Billing Forum regarding T1M1 O&B . . 11 4.4.5 ATIS Wireless Technologies and Systems Committee, - formerly T1P1 . . . . . . . . . . . . . . . . . . . . 11 + formerly T1P1 . . . . . . . . . . . . . . . . . . . . 12 4.4.6 ATIS Packet Technologies and Systems Committee, - regarding T1S1 . . . . . . . . . . . . . . . . . . . . 11 - 4.4.7 ATIS Protocol Interworking Committee, regarding T1S1 . 11 + formerly T1S1 . . . . . . . . . . . . . . . . . . . . 12 + 4.4.7 ATIS Protocol Interworking Committee, regarding T1S1 . 12 4.4.8 ATIS Optical Transport and Synchronization - Committee, formerly T1X1 . . . . . . . . . . . . . . . 11 - 4.5 CC - Common Criteria . . . . . . . . . . . . . . . . . . . 11 - 4.6 DMTF - Distributed Management Task Force, Inc. . . . . . . 12 + Committee, formerly T1X1 . . . . . . . . . . . . . . . 12 + 4.5 CC - Common Criteria . . . . . . . . . . . . . . . . . . . 12 + 4.6 DMTF - Distributed Management Task Force, Inc. . . . . . . 13 4.7 ETSI - The European Telecommunications Standard - Institute . . . . . . . . . . . . . . . . . . . . . . . . 12 - 4.8 GGF - Global Grid Forum . . . . . . . . . . . . . . . . . 12 + Institute . . . . . . . . . . . . . . . . . . . . . . . . 
13 + 4.8 GGF - Global Grid Forum . . . . . . . . . . . . . . . . . 13 4.9 IEEE - The Institute of Electrical and Electronics - Engineers, Inc. . . . . . . . . . . . . . . . . . . . . . 12 - 4.10 IETF - The Internet Engineering Task Force . . . . . . . 13 + Engineers, Inc. . . . . . . . . . . . . . . . . . . . . . 13 + 4.10 IETF - The Internet Engineering Task Force . . . . . . . 14 4.11 INCITS - InterNational Committee for Information - Technology Standards . . . . . . . . . . . . . . . . . . 13 - 4.12 ISO - The International Organization for - Standardization . . . . . . . . . . . . . . . . . . . . 13 - 4.13 ITU - International Telecommunication Union . . . . . . 13 - 4.13.1 ITU Telecommunication Standardization Sector - - ITU-T . . . . . . . . . . . . . . . . . . . . . . . 13 - 4.13.2 ITU Radiocommunication Sector - ITU-R . . . . . . . 13 - 4.13.3 ITU Telecom Development - ITU-D . . . . . . . . . . 14 - 4.14 OASIS - Organization for the Advancement of - Structured Information Standards . . . . . . . . . . . . 14 - 4.15 OIF - Optical Internetworking Forum . . . . . . . . . . 14 - 4.16 NRIC - The Network Reliability and Interoperability - Council . . . . . . . . . . . . . . . . . . . . . . . . 14 - 4.17 TIA - The Telecommunications Industry Association . . . 14 - 4.18 Web Services Interoperability Organization (WS-I) . . . 15 - 5. Security Best Practices Efforts and Documents . . . . . . . 16 - 5.1 3GPP - TSG SA WG3 (Security) . . . . . . . . . . . . . . . 16 - 5.2 3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 16 + Technology Standards . . . . . . . . . . . . . . . . . . 14 + 4.12 INCITS Technical Committee T11 - Fibre Channel + Interfaces . . . . . . . . . . . . . . . . . . . . . . . 14 + 4.13 ISO - The International Organization for + Standardization . . . . . . . . . . . . . . . . . . . . 14 + 4.14 ITU - International Telecommunication Union . . . . . . 14 + 4.14.1 ITU Telecommunication Standardization Sector - + ITU-T . . . . . . . . . . . . . . . 
. . . . . . . . 15 + 4.14.2 ITU Radiocommunication Sector - ITU-R . . . . . . . 15 + 4.14.3 ITU Telecom Development - ITU-D . . . . . . . . . . 15 + 4.15 OASIS - Organization for the Advancement of + Structured Information Standards . . . . . . . . . . . . 15 + 4.16 OIF - Optical Internetworking Forum . . . . . . . . . . 15 + 4.17 NRIC - The Network Reliability and Interoperability + Council . . . . . . . . . . . . . . . . . . . . . . . . 15 + 4.18 National Security Telecommunications Advisory + Committee (NSTAC) . . . . . . . . . . . . . . . . . . . 16 + 4.19 TIA - The Telecommunications Industry Association . . . 16 + 4.20 Web Services Interoperability Organization (WS-I) . . . 16 + 5. Security Best Practices Efforts and Documents . . . . . . . 17 + 5.1 3GPP - TSG SA WG3 (Security) . . . . . . . . . . . . . . . 17 + 5.2 3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 17 5.3 American National Standard T1.276-2003 - Baseline - Security Requirements for the Management Plane . . . . . . 16 + Security Requirements for the Management Plane . . . . . . 17 5.4 DMTF - Security Protection and Management (SPAM) - Working Group . . . . . . . . . . . . . . . . . . . . . . 17 - 5.5 DMTF - User and Security Working Group . . . . . . . . . . 17 - 5.6 ATIS Security & Emergency Preparedness Activities . . . . 17 + Working Group . . . . . . . . . . . . . . . . . . . . . . 18 + 5.5 DMTF - User and Security Working Group . . . . . . . . . . 18 + 5.6 ATIS Security & Emergency Preparedness Activities . . . . 18 5.7 ATIS Work-Plan to Achieve Interoperable, Implementable, - End-To-End Standards and Solutions . . . . . . . . . . . . 17 - 5.8 Common Criteria . . . . . . . . . . . . . . . . . . . . . 18 - 5.9 ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 - 5.10 GGF Security Area (SEC) . . . . . . . . . . . . . . . . 18 - 5.11 Information System Security Assurance Architecture . . . 
19 - 5.12 Operational Security Requirements for IP Network - Infrastructure : Advanced Requirements . . . . . . . . . 19 - 5.13 INCITS Technical Committee T4 - Security Techniques . . 19 - 5.14 INCITS Technical Committee T11 - Fibre Channel - Interfaces . . . . . . . . . . . . . . . . . . . . . . . 19 - 5.15 ISO Guidelines for the Management of IT Security - - GMITS . . . . . . . . . . . . . . . . . . . . . . . . . 20 - 5.16 ISO JTC 1/SC 27 . . . . . . . . . . . . . . . . . . . . 20 - 5.17 ITU-T Study Group 2 . . . . . . . . . . . . . . . . . . 21 - 5.18 ITU-T Recommendation M.3016 . . . . . . . . . . . . . . 21 - 5.19 ITU-T Recommendation X.805 . . . . . . . . . . . . . . 22 - 5.20 ITU-T Study Group 16 . . . . . . . . . . . . . . . . . . 22 - 5.21 ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . 22 - 5.22 Catalogue of ITU-T Recommendations related to - Communications System Security . . . . . . . . . . . . . 22 - 5.23 ITU-T Security Manual . . . . . . . . . . . . . . . . . 23 - 5.24 NRIC VI Focus Groups . . . . . . . . . . . . . . . . . . 23 - 5.25 OASIS Security Joint Committee . . . . . . . . . . . . . 23 - 5.26 OASIS Security Services TC . . . . . . . . . . . . . . . 24 - 5.27 OIF Implementation Agreements . . . . . . . . . . . . . 24 - 5.28 TIA . . . . . . . . . . . . . . . . . . . . . . . . . . 24 - 5.29 WS-I Basic Security Profile . . . . . . . . . . . . . . 24 - 6. Security Considerations . . . . . . . . . . . . . . . . . . 26 - 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . 27 - 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 28 - 9. Changes from Prior Drafts . . . . . . . . . . . . . . . . . 29 - 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 30 - 10.1 Normative References . . . . . . . . . . . . . . . . . . . 30 - 10.2 Informative References . . . . . . . . . . . . . . . . . . 30 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 30 - Intellectual Property and Copyright Statements . . . 
. . . . 31 + End-To-End Standards and Solutions . . . . . . . . . . . . 18 + 5.7.1 ATIS Work on Packet Filtering . . . . . . . . . . . . 19 + 5.8 ATIS Work on the NGN . . . . . . . . . . . . . . . . . . . 19 + 5.9 Common Criteria . . . . . . . . . . . . . . . . . . . . . 19 + 5.10 ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . 19 + 5.11 GGF Security Area (SEC) . . . . . . . . . . . . . . . . 20 + 5.12 Information System Security Assurance Architecture . . . 20 + 5.13 Operational Security Requirements for IP Network + Infrastructure : Advanced Requirements . . . . . . . . . 20 + 5.14 INCITS Technical Committee T4 - Security Techniques . . 21 + 5.15 INCITS CS1 - Cyber Security . . . . . . . . . . . . . . 21 + 5.16 ISO Guidelines for the Management of IT Security - + GMITS . . . . . . . . . . . . . . . . . . . . . . . . . 21 + 5.17 ISO JTC 1/SC 27 . . . . . . . . . . . . . . . . . . . . 22 + 5.18 ITU-T Study Group 2 . . . . . . . . . . . . . . . . . . 23 + 5.19 ITU-T Recommendation M.3016 . . . . . . . . . . . . . . 23 + 5.20 ITU-T Recommendation X.805 . . . . . . . . . . . . . . 24 + 5.21 ITU-T Study Group 16 . . . . . . . . . . . . . . . . . . 24 + 5.22 ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . 24 + 5.23 Catalogue of ITU-T Recommendations related to + Communications System Security . . . . . . . . . . . . . 24 + 5.24 ITU-T Security Manual . . . . . . . . . . . . . . . . . 25 + 5.25 ITU-T NGN Effort . . . . . . . . . . . . . . . . . . . . 25 + 5.26 NRIC VI Focus Groups . . . . . . . . . . . . . . . . . . 25 + 5.27 OASIS Security Joint Committee . . . . . . . . . . . . . 26 + 5.28 OASIS Security Services TC . . . . . . . . . . . . . . . 26 + 5.29 OIF Implementation Agreements . . . . . . . . . . . . . 26 + 5.30 TIA . . . . . . . . . . . . . . . . . . . . . . . . . . 27 + 5.31 WS-I Basic Security Profile . . . . . . . . . . . . . . 27 + 6. Security Considerations . . . . . . . . . . . . . . . . . . 28 + 7. IANA Considerations . . . . . . . . . 
. . . . . . . . . . . 29 + 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 30 + 9. Changes from Prior Drafts . . . . . . . . . . . . . . . . . 31 + 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 32 + 10.1 Normative References . . . . . . . . . . . . . . . . . . 32 + 10.2 Informative References . . . . . . . . . . . . . . . . . 32 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 32 + Intellectual Property and Copyright Statements . . . . . . . 33 1. Introduction The Internet is being recognized as a critical infrastructure similar in nature to the power grid and a potable water supply. Just like those infrastructures, means are needed to provide resiliency and adaptability to the Internet so that it remains consistently available to the public throughout the world even during times of duress or attack. For this reason, many SDOs are developing standards with hopes of retaining an acceptable level, or even 
@@ -216,26 +225,26 @@ 3. Online Security Glossaries This section contains references to glossaries of network and computer security terms 3.1 ATIS Telecom Glossary 2000 http://www.atis.org/tg2k/ - Under an approved T1 standards project (T1A1-20), an existing - 5800-entry, search-enabled hypertext telecommunications glossary - titled Federal Standard 1037C, Glossary of Telecommunication Terms - was updated and matured into this glossary, T1.523-2001, Telecom - Glossary 2000. This updated glossary was posted on the Web as a - American National Standard (ANS). + Under an approved T1 standards project (T1A1-20), an existing 5800- + entry, search-enabled hypertext telecommunications glossary titled + Federal Standard 1037C, Glossary of Telecommunication Terms was + updated and matured into this glossary, T1.523-2001, Telecom Glossary + 2000. This updated glossary was posted on the Web as a American + National Standard (ANS). 3.2 Critical Infrastructure Glossary of Terms and Acronyms http://www.ciao.gov/ciao_document_library/glossary/a.htm The Critical Infrastructure Assurance Office (CIAO) was created to coordinate the Federal Government's initiatives on critical infrastructure assurance. While the glossary was not created as a glossary specifically for security terms, it is populated with many security related definitions, abbreviations, organizations, and 
@@ -299,48 +313,48 @@ 4. Standards Developing Organizations This section of this document lists the SDOs, or organizations that appear to be developing security related standards. These SDOs are listed in alphabetical order. Note: The authors would appreciate corrections and additions. This note will be removed before publication as an RFC. -4.1 3GPP - Third Generation P P +4.1 3GPP - Third Generation Partnership Project http://www.3gpp.org The 3rd Generation Partnership Project (3GPP) is a collaboration agreement formed in December 1998. The collaboration agreement is comprised of several telecommunications standards bodies which are known as "Organizational Partners". The current Organizational Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC. -4.2 3GPP2 - Third Generation P P 2 +4.2 3GPP2 - Third Generation Partnership Project 2 http://www.3gpp2.org Third Generation Partnership Project 2 (3GPP2) is a collaboration among Organizational Partners much like its sister project 3GPP. The Organizational Partners (OPs) currently involved with 3GPP2 are ARIB, CCSA, TIA, TTA, and TTC. In addition to the OPs, 3GPP2 also welcomes the CDMA Development Group and IPv6 Forum as Market Representation Partners for market advice. 4.3 ANSI - The American National Standards Institute http://www.ansi.org ANSI is a private, non-profit organization that organizes and - oversees the U.S. voluntary standardization and conformity - assessment system. ANSI was founded October 19, 1918. + oversees the U.S. voluntary standardization and conformity assessment + system. ANSI was founded October 19, 1918. 4.4 ATIS - Alliance for Telecommunications Industry Solutions http://www.atis.org ATIS is a United States based body that is committed to rapidly developing and promoting technical and operations standards for the communications and related information technologies industry worldwide using pragmatic, flexible and open approach. 
Committee T1 as a group no longer exists as a result of the recent ATIS @@ -398,26 +412,29 @@ 4.4.5 ATIS Wireless Technologies and Systems Committee, formerly T1P1 http://www.atis.org/0160/index.asp ATIS Wireless Technologies and Systems Committee develops and recommends standards and technical reports related to wireless and/or mobile services and systems, including service descriptions and wireless technologies. -4.4.6 ATIS Packet Technologies and Systems Committee, regarding T1S1 +4.4.6 ATIS Packet Technologies and Systems Committee, formerly T1S1 T1S1 was split into two separate ATIS committees: the ATIS Packet Technologies and Systems Committee and the ATIS Protocol Interworking - Committee. As a result of the reorganization of T1S1, these groups - will also probably have a new mission and scope. + Committee. PTSC is responsible for producing standards to secure + signalling. + + The basic document is PTSC-SEC-2005-059.doc which is in Letter Ballot + at this time. It is expected to move to an ANSI standard. 4.4.7 ATIS Protocol Interworking Committee, regarding T1S1 T1S1 was split into two separate ATIS committees: the ATIS Packet Technologies and Systems Committee and the ATIS Protocol Interworking Committee. As a result of the reorganization of T1S1, these groups will also probably have a new mission and scope. 4.4.8 ATIS Optical Transport and Synchronization Committee, formerly T1X1 
@@ -500,102 +518,131 @@ 4.11 INCITS - InterNational Committee for Information Technology Standards http://www.incits.org INCITS focuses upon standardization in the field of Information and Communications Technologies (ICT), encompassing storage, processing, transfer, display, management, organization, and retrieval of information. -4.12 ISO - The International Organization for Standardization +4.12 INCITS Technical Committee T11 - Fibre Channel Interfaces + + http://www.t11.org/index.htm + + T11 is responsible for standards development in the areas of + Intelligent Peripheral Interface (IPI), High-Performance Parallel + Interface (HIPPI) and Fibre Channel (FC). T11 has a project called + FC-SP to define Security Protocols for Fibre Channel. + + FC-SP Project Proposal: + ftp://ftp.t11.org/t11/admin/project_proposals/02-036v2.pdf + +4.13 ISO - The International Organization for Standardization http://www.iso.org ISO is a network of the national standards institutes of 148 countries, on the basis of one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system. ISO officially began operations on February 23, 1947. -4.13 ITU - International Telecommunication Union +4.14 ITU - International Telecommunication Union http://www.itu.int/ The ITU is an international organization within the United Nations System headquartered in Geneva, Switzerland. The ITU is comprised of three sectors: -4.13.1 ITU Telecommunication Standardization Sector - ITU-T +4.14.1 ITU Telecommunication Standardization Sector - ITU-T http://www.itu.int/ITU-T/ ITU-T's mission is to ensure an efficient and on-time production of high quality standards covering all fields of telecommunications. -4.13.2 ITU Radiocommunication Sector - ITU-R +4.14.2 ITU Radiocommunication Sector - ITU-R http://www.itu.int/ITU-R/ The ITU-R plays a vital role in the management of the radio-frequency spectrum and satellite orbits. 
-4.13.3 ITU Telecom Development - ITU-D +4.14.3 ITU Telecom Development - ITU-D (also referred as ITU Telecommunication Development Bureau - BDT) http://www.itu.int/ITU-D/ The Telecommunication Development Bureau (BDT) is the executive arm of the Telecommunication Development Sector. Its duties and responsibilities cover a variety of functions ranging from programme supervision and technical advice to the collection, processing and publication of information relevant to telecommunication development. -4.14 OASIS - Organization for the Advancement of Structured +4.15 OASIS - Organization for the Advancement of Structured Information Standards http://www.oasis-open.org/ OASIS is a not-for-profit, international consortium that drives the development, convergence, and adoption of e-business standards. -4.15 OIF - Optical Internetworking Forum +4.16 OIF - Optical Internetworking Forum http://www.oiforum.com/ On April 20, 1998 Cisco Systems and Ciena Corporation announced an industry-wide initiative to create the Optical Internetworking Forum, an open forum focused on accelerating the deployment of optical internetworks. -4.16 NRIC - The Network Reliability and Interoperability Council +4.17 NRIC - The Network Reliability and Interoperability Council http://www.nric.org/ - The purposes of the Committee are to give telecommunications industry leaders the opportunity to provide recommendations to the FCC and to the industry that assure optimal reliability and interoperability of telecommunications networks. The Committee addresses topics in the area of Homeland Security, reliability, interoperability, and broadband deployment. -4.17 TIA - The Telecommunications Industry Association +4.18 National Security Telecommunications Advisory Committee (NSTAC) + + http://www.ncs.gov/nstac/nstac.html + + President Ronald Reagan created the National Security + Telecommunications Advisory Committee (NSTAC) by Executive Order + 12382 in September 1982. 
Since then, the NSTAC has served four + presidents. Composed of up to 30 industry chief executives + representing the major communications and network service providers + and information technology, finance, and aerospace companies, the + NSTAC provides industry-based advice and expertise to the President + on issues and problems related to implementing national security and + emergency preparedness (NS/EP) communications policy. Since its + inception, the NSTAC has addressed a wide range of policy and + technical issues regarding communications, information systems, + information assurance, critical infrastructure protection, and other + NS/EP communications concerns. + +4.19 TIA - The Telecommunications Industry Association http://www.tiaonline.org TIA is accredited by ANSI to develop voluntary industry standards for a wide variety of telecommunications products. TIA's Standards and Technology Department is composed of five divisions: Fiber Optics, User Premises Equipment, Network Equipment, Wireless Communications and Satellite Communications. -4.18 Web Services Interoperability Organization (WS-I) +4.20 Web Services Interoperability Organization (WS-I) http://www.ws-i.org/ WS-I is an open, industry organization chartered to promote Web services interoperability across platforms, operating systems, and programming languages. The organization works across the industry and standards organizations to respond to customer needs by providing guidance, best practices, and resources for developing Web services solutions. 
@@ -677,36 +724,53 @@ 5.5 DMTF - User and Security Working Group http://www.dmtf.org/about/committees/userWGCharter.pdf The User and Security Working Group defines objects and access methods required for principals - where principals include users, groups, software agents, systems, and organizations. 5.6 ATIS Security & Emergency Preparedness Activities - http://www.atis.org/atis/atisinfo/emergency/security_committee_activi - ties_T1.htm + http://www.atis.org/atis/atisinfo/emergency/ + security_committee_activities_T1.htm The link above contains the description of the ATIS Communications Security Model, the scopes of the Technical Subcommittees in relation to the security model, and a list of published documents produced by ATIS addressed to various aspects of network security. 5.7 ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End Standards and Solutions ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf The ATIS TOPS Security Focus Group has made recommendations on work items needed to be performed by other SDOs. -5.8 Common Criteria +5.7.1 ATIS Work on Packet Filtering + + A part of the ATIS Work Plan was to define how disruptions may be + prevented by filtering unwanted traffic at the edges of the network. + ATIS is developing this work in a document titled, "Traffic Filtering + for the Prevention of Unwanted Traffic". + +5.8 ATIS Work on the NGN + + http://www.atis.org/tops/WebsiteDocuments/ NGN/Working%20Docs/ + Part%20I/ATIS_NGN_Part_1_Issue1.pdf + + In November 2004, ATIS released Part I of the ATIS NGN-FG efforts + entitled, "ATIS Next Generation Network (NGN) Framework Part I: NGN + Definitions, Requirements, and Architecture, Issue 1.0, November + 2004." + +5.9 Common Criteria http://csrc.nist.gov/cc/ Version 1.0 of the CC was completed in January 1996. Based on a number of trial evaluations and an extensive public review, Version 1.0 was extensively revised and CC Version 2.0 was produced in April of 1998. 
This became ISO International Standard 15408 in 1999. The CC Project subsequently incorporated the minor changes that had resulted in the ISO process, producing CC version 2.1 in August 1999. 
@@ -704,260 +768,305 @@ http://csrc.nist.gov/cc/ Version 1.0 of the CC was completed in January 1996. Based on a number of trial evaluations and an extensive public review, Version 1.0 was extensively revised and CC Version 2.0 was produced in April of 1998. This became ISO International Standard 15408 in 1999. The CC Project subsequently incorporated the minor changes that had resulted in the ISO process, producing CC version 2.1 in August 1999. Common Criteria v2.1 contains: + Part 1 - Intro & General Model + Part 2 - Functional Requirements (including Annexes) + Part 3 - Assurance Requirements Documents: Common Criteria V2.1 http://csrc.nist.gov/cc/CC-v2.1.html -5.9 ETSI +5.10 ETSI http://www.etsi.org The ETSI hosted the ETSI Global Security Conference in late November, 2003, which could lead to a standard. Groups related to security located from the ETSI Groups Portal: + OCG Security + 3GPP SA3 + TISPAN WG7 -5.10 GGF Security Area (SEC) +5.11 GGF Security Area (SEC) https://forge.gridforum.org/projects/sec/ The Security Area (SEC) is concerned with various issues relating to authentication and authorization in Grid environments. 
Working groups: + Authorization Frameworks and Mechanisms WG (AuthZ-WG) - https://forge.gridforum.org/projects/authz-wg + Certificate Authority Operations Working Group (CAOPS-WG) - https://forge.gridforum.org/projects/caops-wg + OGSA Authorization Working Group (OGSA-AUTHZ) - https://forge.gridforum.org/projects/ogsa-authz + Grid Security Infrastructure (GSI-WG) - https://forge.gridforum.org/projects/gsi-wg -5.11 Information System Security Assurance Architecture +5.12 Information System Security Assurance Architecture IEEE Working Group - http://issaa.org/ Formerly the Security Certification and Accreditation of Information Systems (SCAISWG), IEEE Project 1700's purpose is to develop a draft Standard for Information System Security Assurance Architecture for ballot and during the process begin development of a suite of associated standards for components of that architecture. Documents: http://issaa.org/documents/index.html -5.12 Operational Security Requirements for IP Network Infrastructure : +5.13 Operational Security Requirements for IP Network Infrastructure : Advanced Requirements IETF Internet-Draft - Abstract: This document defines a list of operational security requirements for the infrastructure of large ISP IP networks (routers and switches). A framework is defined for specifying "profiles", which are collections of requirements applicable to certain network topology contexts (all, core-only, edge-only...). The goal is to provide network operators a clear, concise way of communicating their security requirements to vendors. Documents: + http://www.ietf.org/internet-drafts/draft-jones-opsec-06.txt -5.13 INCITS Technical Committee T4 - Security Techniques +5.14 INCITS Technical Committee T4 - Security Techniques http://www.incits.org/tc_home/t4.htm Technical Committee T4, Security Techniques, participates in the standardization of generic methods for information technology security. 
This includes development of: security techniques and mechanisms; security guidelines; security evaluation criteria; and identification of generic requirements for information technology system security services. -5.14 INCITS Technical Committee T11 - Fibre Channel Interfaces +5.15 INCITS CS1 - Cyber Security - http://www.t11.org/index.htm + http://www.incits.org/tc_home/cs1.htm - T11 is responsible for standards development in the areas of - Intelligent Peripheral Interface (IPI), High-Performance Parallel - Interface (HIPPI) and Fibre Channel (FC). T11 has a project called - FC-SP to define Security Protocols for Fibre Channel. + INCITS/CS1 was established in April 2005 to serve as the US TAG for + ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups except WG 2 + (INCITS/T4 serves as the US TAG to SC 27/WG 2). - FC-SP Project Proposal: - ftp://ftp.t11.org/t11/admin/project_proposals/02-036v2.pdf + The scope of CS1 explicitly excludes the areas of work on cyber + security standardization presently underway in INCITS B10, M1 and T3; + as well as other standard groups, such as ATIS, IEEE, IETF, TIA, and + X9. INCITS T4's area of work would be narrowed to cryptography + projects in ISO/IEC JTC 1/SC 27 WG 2 (Security techniques and + mechanisms). 
-5.15 ISO Guidelines for the Management of IT Security - GMITS +5.16 ISO Guidelines for the Management of IT Security - GMITS Guidelines for the Management of IT Security -- Part 1: Concepts and models for IT Security - http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER - =21733&ICS1=35 + http://www.iso.ch/iso/en/ + CatalogueDetailPage.CatalogueDetail?CSNUMBER=21733&ICS1=35 Guidelines for the Management of IT Security -- Part 2: Managing and planning IT Security - http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBE - R=21755&ICS1=35&ICS2=40&ICS3= + http://www.iso.org/iso/en/ + CatalogueDetailPage.CatalogueDetail?CSNUMBER=21755&ICS1=35&ICS2=40& + ICS3= Guidelines for the Management of IT Security -- Part 3: Techniques for the management of IT Security - http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBE - R=21756&ICS1=35&ICS2=40&ICS3= + http://www.iso.org/iso/en/ + CatalogueDetailPage.CatalogueDetail?CSNUMBER=21756&ICS1=35&ICS2=40& + ICS3= Guidelines for the Management of IT Security -- Part 4: Selection of safeguards - http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBE - R=29240&ICS1=35&ICS2=40&ICS3= + http://www.iso.org/iso/en/ + CatalogueDetailPage.CatalogueDetail?CSNUMBER=29240&ICS1=35&ICS2=40& + ICS3= Guidelines for the Management of IT Security - Part 5: Management guidance on network security - http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBE - R=31142&ICS1=35&ICS2=40&ICS3= + http://www.iso.org/iso/en/ + CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40& + ICS3= Open Systems Interconnection -- Network layer security protocol - http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBE - R=22084&ICS1=35&ICS2=100&ICS3=30 + http://www.iso.org/iso/en/ + CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100& + ICS3=30 -5.16 ISO JTC 1/SC 27 +5.17 ISO JTC 1/SC 27 + + http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/ + 
TechnicalProgrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143 - http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/TechnicalP - rogrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143 Several security related ISO projects under JTC 1/SC 27 are listed here such as: + IT security techniques -- Entity authentication + Security techniques -- Key management + Security techniques -- Evaluation criteria for IT security Security techniques -- A framework for IT security assurance + IT Security techniques -- Code of practice for information security management + Security techniques -- IT network security + Guidelines for the implementation, operation and management of Intrusion Detection Systems (IDS) + International Security, Trust, and Privacy Alliance -- Privacy Framework -5.17 ITU-T Study Group 2 +5.18 ITU-T Study Group 2 http://www.itu.int/ITU-T/studygroups/com02/index.asp Security related recommendations currently under study: + E.408 Telecommunication networks security requirements Q.5/2 (was E.sec1) + E.409 Incident Organisation and Security Incident Handling Q.5/2 (was E.sec2) Note: Access requires TIES account. -5.18 ITU-T Recommendation M.3016 +5.19 ITU-T Recommendation M.3016 http://www.itu.int/itudoc/itu-t/com4/contr/068.html This recommendation provides an overview and framework that identifies the security requirements of a TMN and outlines how available security services and mechanisms can be applied within the context of the TMN functional architecture. Question 18 of Study Group 3 is revising Recommendation M.3016. They have taken the original document and are incorporating thoughts from - ITU-T Recommendation X.805 and from ANSI T1.276-2003. This will - produce a series of documents. - Overview - Requirements - Services - Mechanisms - Profiles + ITU-T Recommendation X.805 and from ANSI T1.276-2003. The group has + produced a new series of documents. - This document will be discussed at the ITU meetings in February 2005. 
+ M.3016.0 - Overview -5.19 ITU-T Recommendation X.805 + M.3016.1 - Requirements + + M.3016.2 - Services + M.3016.3 - Mechanisms + + M.3016.4 - Profiles + +5.20 ITU-T Recommendation X.805 http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html This Recommendation defines the general security-related architectural elements that, when appropriately applied, can provide end-to-end network security. -5.20 ITU-T Study Group 16 +5.21 ITU-T Study Group 16 http://www.itu.int/ITU-T/studygroups/com16/index.asp Security of Multimedia Systems and Services - Question G/16 http://www.itu.int/ITU-T/studygroups/com16/sg16-qg.html -5.21 ITU-T Study Group 17 +5.22 ITU-T Study Group 17 http://www.itu.int/ITU-T/studygroups/com17/index.asp ITU-T Study Group 17 is the Lead Study Group on Communication System Security http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html Study Group 17 Security Project: http://www.itu.int/ITU-T/studygroups/com17/security/index.html During its November 2002 meeting, Study Group 17 agreed to establish a new project entitled "Security Project" under the leadership of Q.10/17 to coordinate the ITU-T standardization effort on security. An analysis of the status on ITU-T Study Group action on information and communication network security may be found in TSB Circular 147 of 14 February 2003. -5.22 Catalogue of ITU-T Recommendations related to Communications +5.23 Catalogue of ITU-T Recommendations related to Communications System Security http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html The Catalogue of the approved security Recommendations include those, designed for security purposes and those, which describe or use of functions of security interest and need. Although some of the security related Recommendations includes the phrase "Open Systems Interconnection", much of the information contained in them is pertinent to the establishment of security functionality in any communicating system. 
-5.23 ITU-T Security Manual +5.24 ITU-T Security Manual http://www.itu.int/ITU-T/edh/files/security-manual.pdf TSB is preparing an "ITU-T Security Manual" to provide an overview on security in telecommunications and information technologies, describe practical issues, and indicate how the different aspects of security in today's applications are addressed by ITU-T Recommendations. This manual has a tutorial character: it collects security related material from ITU-T Recommendations into one place and explains the respective relationships. The intended audience for this manual is engineers and product managers, students and academia, as well as regulators who want to better understand security aspects in practical applications. -5.24 NRIC VI Focus Groups +5.25 ITU-T NGN Effort + + http://www.itu.int/ITU-T/2001-2004/com13/ngn2004/index.html + + During its January 2002 meeting, SG13 decided to undertake the + preparation of a new ITU-T Project entitled "NGN 2004 Project". At + the November 2002 SG13 meeting, a preliminary description of the + Project was achieved and endorsed by SG13 with the goal to launch the + Project. It is regularly updated since then. + + The role of the NGN 2004 Project is to organize and to coordinate + ITU-T activities on Next Generation Networks. Its target is to + produce a first set of Recommendations on NGN by the end of this + study period, i.e. mid-2004. + +5.26 NRIC VI Focus Groups http://www.nric.org/fg/index.html The Network Reliability and Interoperability Council (NRIC) was formed with the purpose to provide recommendations to the FCC and to the industry to assure the reliability and interoperability of wireless, wireline, satellite, and cable public telecommunications networks. These documents provide general information and guidance on NRIC Focus Group 1B (Cybersecurity) Best Practices for the prevention of cyberattack and for restoration following a 
@@ -957,86 +1066,90 @@ The Network Reliability and Interoperability Council (NRIC) was formed with the purpose to provide recommendations to the FCC and to the industry to assure the reliability and interoperability of wireless, wireline, satellite, and cable public telecommunications networks. These documents provide general information and guidance on NRIC Focus Group 1B (Cybersecurity) Best Practices for the prevention of cyberattack and for restoration following a cyberattack. Documents: + Homeland Defense - Recommendations Published 14-Mar-03 + Preventative Best Practices - Recommendations Published 14-Mar-03 + Recovery Best Practices - Recommendations Published 14-Mar-03 + Best Practice Appendices - Recommendations Published 14-Mar-03 -5.25 OASIS Security Joint Committee +5.27 OASIS Security Joint Committee - http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security-j - c + http://www.oasis-open.org/committees/ + tc_home.php?wg_abbrev=security-jc The purpose of the Security JC is to coordinate the technical activities of multiple security related TCs. The SJC is advisory only, and has no deliverables. The Security JC will promote the use of consistent terms, promote re-use, champion an OASIS security standards model, provide consistent PR, and promote mutuality, operational independence and ethics. -5.26 OASIS Security Services TC +5.28 OASIS Security Services TC http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security The Security Services TC is working to advance the Security Assertion Markup Language (SAML) as an OASIS standard. SAML is an XML framework for exchanging authentication and authorization information. -5.27 OIF Implementation Agreements +5.29 OIF Implementation Agreements The OIF has 2 approved Implementation Agreements (IAs) relating to security. 
They are: OIF-SMI-01.0 - Security Management Interfaces to Network Elements This Implementation Agreement lists objectives for securing OAM&P interfaces to a Network Element and then specifies ways of using security systems (e.g., IPsec or TLS) for securing these interfaces. It summarizes how well each of the systems, used as specified, satisfies the objectives. OIF - SEP - 01.1 - Security Extension for UNI and NNI This Implementation Agreement defines a common Security Extension for securing the protocols used in UNI 1.0, UNI 2.0, and NNI. Documents: http://www.oiforum.com/public/documents/Security-IA.pdf -5.28 TIA +5.30 TIA The TIA has produced the "Compendium of Emergency Communications and Communications Network Security-related Work Activities". This document identifies standards, or other technical documents and ongoing Emergency/Public Safety Communications and Communications Network Security-related work activities within TIA and it's Engineering Committees. Many P25 documents are specifically detailed. This "living document" is presented for information, coordination and reference. Documents: http://www.tiaonline.org/standards/cip/EMTEL_sec.pdf -5.29 WS-I Basic Security Profile +5.31 WS-I Basic Security Profile http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html - The WS-I Basic Security Profile 1.0 consists of a set of - non-proprietary Web services specifications, along with - clarifications and amendments to those specifications which promote + The WS-I Basic Security Profile 1.0 consists of a set of non- + proprietary Web services specifications, along with clarifications + and amendments to those specifications which promote interoperability. 6. Security Considerations This document describes efforts to standardize security practices and documents. As such this document offers no security guidance whatsoever. Readers of this document should be aware of the date of publication of this document. It is feared that they may assume that the 
@@ -1061,38 +1174,50 @@ 9. Changes from Prior Drafts -00 : Initial draft published as draft-lonvick-sec-efforts-01.txt -01 : Security Glossaries: Added ATIS Telecom Glossary 2000, Critical Infrastructure Glossary of Terms and Acronyms, Microsoft Solutions for Security Glossary, and USC InfoSec Glossary. + Standards Developing Organizations: + Added DMTF, GGF, INCITS, OASIS, and WS-I + Removal of Committee T1 and modifications to ATIS and former T1 technical subcommittees due to the recent ATIS reorganization. + Efforts and Documents: + Added DMTF User and Security WG, DMTF SPAM WG, GGF Security Area (SEC), INCITS Technical Committee T4 - Security Techniques, INCITS Technical Committee T11 - Fibre Channel Interfaces, ISO JTC 1/SC 27 projects, OASIS Security Joint Committee, OASIS Security Services TC, and WS-I Basic Security Profile. + Updated Operational Security Requirements for IP Network Infrastructure : Advanced Requirements. -00 : as the WG ID + Added more information about the ITU-T SG3 Q18 effort to modify ITU-T Recommendation M.3016. + -01 : First revision as the WG ID. + + Added information about the NGN in the sections about ATIS, the + NSTAC, and ITU-T. + Note: This section will be removed before publication as an RFC. 10. References 10.1 Normative References [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, STD 14, March 1997. 10.2 Informative References 
@@ -1102,30 +1227,30 @@ Authors' Addresses Chris Lonvick Cisco Systems 12515 Research Blvd. Austin, Texas 78759 US Phone: +1 512 378 1182 - EMail: clonvick@cisco.com + Email: clonvick@cisco.com David Spak Cisco Systems 12515 Research Blvd. Austin, Texas 78759 US Phone: +1 512 378 1720 - EMail: dspak@cisco.com + Email: dspak@cisco.com Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be
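Review bot: In the INCITS region of the first hunk (removal of "5.14 INCITS Technical Committee T11 - Fibre Channel Interfaces" and addition of "5.15 INCITS CS1 - Cyber Security"), neither change is recorded in the Section 9 history; the new "-01 : First revision as the WG ID" entry only mentions NGN, so add a line there for the T11 removal and the CS1 addition. The new CS1 paragraph says INCITS T4's area of work "would be narrowed to cryptography projects in ISO/IEC JTC 1/SC 27 WG 2", which reads as a proposal rather than a fact; state whether the narrowing has taken place. Since the draft is a catalogue of current efforts, also say what became of the FC-SP project reference that was dropped with the T11 section, or move it under another section if the work continues. In the GMITS block that follows, the Part 1 URL is on www.iso.ch while Parts 2 through 5 use www.iso.org, and the Part 5 title uses a single hyphen ("IT Security - Part 5") where the other parts use "--"; make these consistent while the URLs are being rewrapped.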
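Review bot: In the M.3016 region of the first hunk (5.19), the sentence "Question 18 of Study Group 3 is revising Recommendation M.3016" sits under a URL whose path is itudoc/itu-t/com4, and the Section 9 entry likewise says "ITU-T SG3 Q18"; one of these is inconsistent, so please verify the study group number against the cited page and correct whichever is wrong. The new sentence "The group has produced a new series of documents", followed by the added M.3016.0 through M.3016.4 items, gives no approval status or link for any of the five parts, unlike the other ITU-T entries; add a status or URL for each, or say they are still in draft. The blank-line spacing between the five added items is also uneven. In the trailing context for 5.23, "The Catalogue of the approved security Recommendations include those, designed for security purposes and those, which describe or use of functions of security interest and need" and "some of the security related Recommendations includes the phrase" need a grammar pass ("includes those designed ... and those which describe or use functions"; "Recommendations include").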
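Review bot: The new "5.25 ITU-T NGN Effort" text is stale relative to the draft's July 2005 date: it says the target is "a first set of Recommendations on NGN by the end of this study period, i.e. mid-2004", and the cited URL path is ITU-T/2001-2004/com13/ngn2004, i.e. the previous study period. Rewrite the paragraph in the past tense and state what the project delivered, or point at the successor effort if the cited page now refers readers there. Two grammar fixes in the same paragraph: "It is regularly updated since then" should read "It has been regularly updated since then", and "with the goal to launch the Project" should read "with the goal of launching the Project".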
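Review bot: In the NRIC hunk (@@ -957,86 +1066,90 @@), the four added "Documents:" items all carry the same "Recommendations Published 14-Mar-03" suffix and none has a URL, whereas the neighbouring sections (OIF, TIA, WS-I) link each document; either give each item its link or drop the repeated suffix and state the publication date once above the list. In the unchanged context of the same hunk, TIA's "within TIA and it's Engineering Committees" should be "its", and "OIF - SEP - 01.1" is spaced differently from "OIF-SMI-01.0"; the two OIF Implementation Agreement names should be written the same way.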
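Review bot: In the Section 9 hunk (@@ -1061,38 +1174,50 @@), the added line "Added more information about the ITU-T SG3 Q18 effort to modify ITU-T Recommendation M.3016" is placed under the "-00 : as the WG ID" entry, but the M.3016 rewrite (replacing the planned Overview/Requirements/Services/Mechanisms/Profiles list with M.3016.0 through M.3016.4) is made in this diff, i.e. in -01; move that line under "-01 : First revision as the WG ID". That -01 entry is also incomplete for what this diff changes: it does not mention the removal of the T11 section, the addition of INCITS CS1, the E.408/E.409 items under ITU-T Study Group 2, the JTC 1/SC 27 project list, or the NRIC document list. Finally, "-01" now labels both the last individual-submission revision and the first WG revision; prefix the entries with the respective draft names (draft-lonvick-sec-efforts and draft-ietf-opsec-efforts) so the history is unambiguous.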