draft-ietf-opsec-efforts-15.txt   draft-ietf-opsec-efforts-16.txt 
Network Working Group C. Lonvick Network Working Group C. Lonvick
Internet-Draft D. Spak Internet-Draft D. Spak
Intended status: Informational Cisco Systems Intended status: Informational Cisco Systems
Expires: August 18, 2011 February 14, 2011 Expires: September 27, 2011 March 26, 2011
Security Best Practices Efforts and Documents Security Best Practices Efforts and Documents
draft-ietf-opsec-efforts-15.txt draft-ietf-opsec-efforts-16.txt
Abstract Abstract
This document provides a snapshot of the current efforts to define or This document provides a snapshot of the current efforts to define or
apply security requirements in various Standards Developing apply security requirements in various Standards Developing
Organizations (SDO). Organizations (SDO).
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
skipping to change at page 1, line 38 skipping to change at page 1, line 38
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 18, 2011. This Internet-Draft will expire on September 27, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the BSD License. described in the BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Format of this Document . . . . . . . . . . . . . . . . . . . 7 2. Format of this Document . . . . . . . . . . . . . . . . . . . 6
3. Online Security Glossaries . . . . . . . . . . . . . . . . . . 8 3. Online Security Glossaries . . . . . . . . . . . . . . . . . . 7
3.1. ATIS Telecom Glossary 2007 . . . . . . . . . . . . . . . . 8 3.1. ATIS Telecom Glossary 2007 . . . . . . . . . . . . . . . . 7
3.2. Internet Security Glossary - RFC 4949 . . . . . . . . . . 8 3.2. Internet Security Glossary - RFC 4949 . . . . . . . . . . 7
3.3. Compendium of Approved ITU-T Security Definitions . . . . 8 3.3. Compendium of Approved ITU-T Security Definitions . . . . 7
3.4. Microsoft Malware Protection Center . . . . . . . . . . . 9 3.4. Microsoft Malware Protection Center . . . . . . . . . . . 8
3.5. SANS Glossary of Security Terms . . . . . . . . . . . . . 9 3.5. SANS Glossary of Security Terms . . . . . . . . . . . . . 8
3.6. Security Taxonomy and Glossary - Anne & Lynn Wheeler . . . 9 3.6. Security Taxonomy and Glossary - Anne & Lynn Wheeler . . . 8
3.7. NIST - Glossary of Key Information Security Terms . . . . 9 3.7. NIST - Glossary of Key Information Security Terms . . . . 8
4. Standards Developing Organizations . . . . . . . . . . . . . . 11 4. Standards Developing Organizations . . . . . . . . . . . . . . 10
4.1. 3GPP - Third Generation Partnership Project . . . . . . . 11 4.1. 3GPP - Third Generation Partnership Project . . . . . . . 10
4.2. 3GPP2 - Third Generation Partnership Project 2 . . . . . . 11 4.2. 3GPP2 - Third Generation Partnership Project 2 . . . . . . 10
4.3. ANSI - The American National Standards Institute . . . . . 12 4.3. ANSI - The American National Standards Institute . . . . . 11
4.3.1. Accredited Standards Committee X9 (ASC X9) . . . . . . 12 4.3.1. Accredited Standards Committee X9 (ASC X9) . . . . . . 11
4.4. ATIS - Alliance for Telecommunications Industry 4.4. ATIS - Alliance for Telecommunications Industry
Solutions . . . . . . . . . . . . . . . . . . . . . . . . 12 Solutions . . . . . . . . . . . . . . . . . . . . . . . . 11
4.4.1. ATIS NPRQ - Network Performance, Reliability, and 4.4.1. ATIS NPRQ - Network Performance, Reliability, and
Quality of Service Committee, formerly T1A1 . . . . . 13 Quality of Service Committee, formerly T1A1 . . . . . 12
4.4.2. ATIS TMOC - Telecom Management and Operations 4.4.2. ATIS TMOC - Telecom Management and Operations
Committee, formerly T1M1 OAM&P . . . . . . . . . . . . 14 Committee, formerly T1M1 OAM&P . . . . . . . . . . . . 13
4.5. CC - Common Criteria . . . . . . . . . . . . . . . . . . . 14 4.5. CC - Common Criteria . . . . . . . . . . . . . . . . . . . 13
4.6. DMTF - Distributed Management Task Force, Inc. . . . . . . 14 4.6. DMTF - Distributed Management Task Force, Inc. . . . . . . 13
4.7. ETSI - The European Telecommunications Standard 4.7. ETSI - The European Telecommunications Standard
Institute . . . . . . . . . . . . . . . . . . . . . . . . 15 Institute . . . . . . . . . . . . . . . . . . . . . . . . 14
4.7.1. ETSI SEC . . . . . . . . . . . . . . . . . . . . . . . 15 4.7.1. ETSI SEC . . . . . . . . . . . . . . . . . . . . . . . 14
4.7.2. ETSI OCG SEC . . . . . . . . . . . . . . . . . . . . . 15 4.7.2. ETSI OCG SEC . . . . . . . . . . . . . . . . . . . . . 14
4.8. GGF - Global Grid Forum . . . . . . . . . . . . . . . . . 16 4.8. GGF - Global Grid Forum . . . . . . . . . . . . . . . . . 15
4.8.1. Global Grid Forum Security Area . . . . . . . . . . . 16 4.8.1. Global Grid Forum Security Area . . . . . . . . . . . 15
4.9. IEEE - The Institute of Electrical and Electronics 4.9. IEEE - The Institute of Electrical and Electronics
Engineers, Inc. . . . . . . . . . . . . . . . . . . . . . 16 Engineers, Inc. . . . . . . . . . . . . . . . . . . . . . 15
4.9.1. IEEE Computer Society's Technical Committee on 4.9.1. IEEE Computer Society's Technical Committee on
Security and Privacy . . . . . . . . . . . . . . . . . 17 Security and Privacy . . . . . . . . . . . . . . . . . 16
4.10. IETF - The Internet Engineering Task Force . . . . . . . . 17 4.10. IETF - The Internet Engineering Task Force . . . . . . . . 16
4.10.1. IETF Security Area . . . . . . . . . . . . . . . . . . 17 4.10.1. IETF Security Area . . . . . . . . . . . . . . . . . . 16
4.11. INCITS - InterNational Committee for Information 4.11. INCITS - InterNational Committee for Information
Technology Standards . . . . . . . . . . . . . . . . . . . 17 Technology Standards . . . . . . . . . . . . . . . . . . . 16
4.11.1. Identification Cards and Related Devices (B10) . . . . 18 4.11.1. Identification Cards and Related Devices (B10) . . . . 17
4.11.2. Cyber Security (CS1) . . . . . . . . . . . . . . . . . 18 4.11.2. Cyber Security (CS1) . . . . . . . . . . . . . . . . . 17
4.11.3. Biometrics (M1) . . . . . . . . . . . . . . . . . . . 18 4.11.3. Biometrics (M1) . . . . . . . . . . . . . . . . . . . 17
4.12. ISO - The International Organization for 4.12. ISO - The International Organization for
Standardization . . . . . . . . . . . . . . . . . . . . . 18 Standardization . . . . . . . . . . . . . . . . . . . . . 17
4.13. ITU - International Telecommunication Union . . . . . . . 19 4.13. ITU - International Telecommunication Union . . . . . . . 18
4.13.1. ITU Telecommunication Standardization Sector - 4.13.1. ITU Telecommunication Standardization Sector -
ITU-T . . . . . . . . . . . . . . . . . . . . . . . . 19 ITU-T . . . . . . . . . . . . . . . . . . . . . . . . 18
4.13.2. ITU Radiocommunication Sector - ITU-R . . . . . . . . 20 4.13.2. ITU Radiocommunication Sector - ITU-R . . . . . . . . 19
4.13.3. ITU Telecom Development - ITU-D . . . . . . . . . . . 20 4.13.3. ITU Telecom Development - ITU-D . . . . . . . . . . . 19
4.14. OASIS - Organization for the Advancement of 4.14. OASIS - Organization for the Advancement of
Structured Information Standards . . . . . . . . . . . . . 21 Structured Information Standards . . . . . . . . . . . . . 20
4.15. OIF - Optical Internetworking Forum . . . . . . . . . . . 21 4.15. OIF - Optical Internetworking Forum . . . . . . . . . . . 20
4.15.1. OAM&P Working Group . . . . . . . . . . . . . . . . . 22 4.15.1. OAM&P Working Group . . . . . . . . . . . . . . . . . 21
4.16. NRIC - The Network Reliability and Interoperability 4.16. NRIC - The Network Reliability and Interoperability
Council . . . . . . . . . . . . . . . . . . . . . . . . . 22 Council . . . . . . . . . . . . . . . . . . . . . . . . . 21
4.17. National Security Telecommunications Advisory 4.17. National Security Telecommunications Advisory
Committee (NSTAC) . . . . . . . . . . . . . . . . . . . . 22 Committee (NSTAC) . . . . . . . . . . . . . . . . . . . . 21
4.18. TIA - The Telecommunications Industry Association . . . . 23 4.18. TIA - The Telecommunications Industry Association . . . . 22
4.18.1. Critical Infrastructure Protection (CIP) and 4.18.1. Critical Infrastructure Protection (CIP) and
Homeland Security (HS) . . . . . . . . . . . . . . . . 23 Homeland Security (HS) . . . . . . . . . . . . . . . . 22
4.18.2. Commercial Encryption Source Code and Related 4.18.2. Commercial Encryption Source Code and Related
Information . . . . . . . . . . . . . . . . . . . . . 24 Information . . . . . . . . . . . . . . . . . . . . . 23
4.19. TTA - Telecommunications Technology Association . . . . . 24 4.19. TTA - Telecommunications Technology Association . . . . . 23
4.20. The World Wide Web Consortium . . . . . . . . . . . . . . 24 4.20. The World Wide Web Consortium . . . . . . . . . . . . . . 23
4.21. TM Forum . . . . . . . . . . . . . . . . . . . . . . . . . 25 4.21. TM Forum . . . . . . . . . . . . . . . . . . . . . . . . . 24
4.21.1. Security Management . . . . . . . . . . . . . . . . . 25 4.21.1. Security Management . . . . . . . . . . . . . . . . . 24
5. Security Best Practices Efforts and Documents . . . . . . . . 27 5. Security Best Practices Efforts and Documents . . . . . . . . 26
5.1. 3GPP - TSG SA WG3 (Security) . . . . . . . . . . . . . . . 27 5.1. 3GPP - SA3 - Security . . . . . . . . . . . . . . . . . . 26
5.2. 3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 27 5.2. 3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 26
5.3. American National Standard T1.276-2003 - Baseline 5.3. ATIS-0300276.2008 - Operations, Administration,
Security Requirements for the Management Plane . . . . . . 27 Maintenance, and Provisioning Security Requirements
5.4. DMTF - Security Protection and Management (SPAM) for the Public Telecommunications Network: A Baseline
Working Group . . . . . . . . . . . . . . . . . . . . . . 28 of Security Requirements for the Management Plane . . . . 26
5.5. DMTF - User and Security Working Group . . . . . . . . . . 28 5.4. DMTF - Security Modeling Working Group . . . . . . . . . . 27
5.6. ATIS Work-Plan to Achieve Interoperable, 5.5. Common Criteria . . . . . . . . . . . . . . . . . . . . . 27
Implementable, End-To-End Standards and Solutions . . . . 28 5.6. ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
5.6.1. ATIS Work on Packet Filtering . . . . . . . . . . . . 28 5.7. Operational Security Requirements for IP Network
5.7. ATIS Work on the NGN . . . . . . . . . . . . . . . . . . . 29 Infrastructure : Advanced Requirements . . . . . . . . . . 29
5.8. Common Criteria . . . . . . . . . . . . . . . . . . . . . 29 5.8. ISO JTC 1/SC 27 - Information security Technology
5.9. ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 techniques . . . . . . . . . . . . . . . . . . . . . . . . 29
5.10. GGF Security Area (SEC) . . . . . . . . . . . . . . . . . 30 5.9. ITU-T Study Group 2 . . . . . . . . . . . . . . . . . . . 29
5.11. Information System Security Assurance Architecture . . . . 30 5.10. ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . . 29
5.12. Operational Security Requirements for IP Network 5.11. NRIC VII Focus Groups . . . . . . . . . . . . . . . . . . 31
Infrastructure : Advanced Requirements . . . . . . . . . . 30 5.12. OASIS Security Technical Committees . . . . . . . . . . . 32
5.13. ISO Guidelines for the Management of IT Security - 5.13. OIF Implementation Agreements . . . . . . . . . . . . . . 32
GMITS . . . . . . . . . . . . . . . . . . . . . . . . . . 31 5.14. TIA - Critical Infrastructure Protection (CIP) and
5.14. ISO JTC 1/SC 27 . . . . . . . . . . . . . . . . . . . . . 32 Homeland Security (HS) . . . . . . . . . . . . . . . . . . 32
5.15. ITU-T Study Group 2 . . . . . . . . . . . . . . . . . . . 32 5.15. NIST Special Publications (800 Series) . . . . . . . . . . 33
5.16. ITU-T Recommendation M.3016 . . . . . . . . . . . . . . . 32 5.16. NIST Interagency or Internal Reports (NISTIRs) . . . . . . 33
5.17. ITU-T Recommendation X.805 . . . . . . . . . . . . . . . 33 5.17. NIST ITL Security Bulletins . . . . . . . . . . . . . . . 33
5.18. ITU-T Study Group 16 . . . . . . . . . . . . . . . . . . . 33 5.18. SANS Information Security Reading Room . . . . . . . . . . 33
5.19. ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . . 33 6. Security Considerations . . . . . . . . . . . . . . . . . . . 35
5.20. Catalogue of ITU-T Recommendations related to 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 36
Communications System Security . . . . . . . . . . . . . . 34 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 37
5.21. ITU-T Security Manual . . . . . . . . . . . . . . . . . . 34 9. Changes from Prior Drafts . . . . . . . . . . . . . . . . . . 38
5.22. ITU-T NGN Effort . . . . . . . . . . . . . . . . . . . . . 34 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 42
5.23. NRIC VI Focus Groups . . . . . . . . . . . . . . . . . . . 35
5.24. OASIS Security Joint Committee . . . . . . . . . . . . . . 35
5.25. OASIS Security Services (SAML) TC . . . . . . . . . . . . 35
5.26. OIF Implementation Agreements . . . . . . . . . . . . . . 35
5.27. TIA . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.28. WS-I Basic Security Profile . . . . . . . . . . . . . . . 36
5.29. NIST Special Publications (800 Series) . . . . . . . . . . 36
5.30. NIST Interagency or Internal Reports (NISTIRs) . . . . . . 37
5.31. NIST ITL Security Bulletins . . . . . . . . . . . . . . . 37
5.32. SANS Information Security Reading Room . . . . . . . . . . 37
6. Security Considerations . . . . . . . . . . . . . . . . . . . 38
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 39
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 40
9. Changes from Prior Drafts . . . . . . . . . . . . . . . . . . 41
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 45
1. Introduction 1. Introduction
The Internet is being recognized as a critical infrastructure similar The Internet is being recognized as a critical infrastructure similar
in nature to the power grid and a potable water supply. Just like in nature to the power grid and a potable water supply. Just like
those infrastructures, means are needed to provide resiliency and those infrastructures, means are needed to provide resiliency and
adaptability to the Internet so that it remains consistently adaptability to the Internet so that it remains consistently
available to the public throughout the world even during times of available to the public throughout the world even during times of
duress or attack. For this reason, many SDOs are developing duress or attack. For this reason, many SDOs are developing
standards with hopes of retaining an acceptable level, or even standards with hopes of retaining an acceptable level, or even
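Review bot: The new table-of-contents entry for 5.8, "ISO JTC 1/SC 27 - Information security Technology techniques", reads as though the words of the title were transposed; please confirm the committee's title and make this entry agree with the heading of that section. The renumbered entry 5.7 still carries the stray space before the colon in "Infrastructure : Advanced Requirements", which could be cleaned up in the same pass.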
skipping to change at page 6, line 8 skipping to change at page 6, line 8
described in the Working Group Charter. The authors have agreed to described in the Working Group Charter. The authors have agreed to
keep this document current and request that those who read it will keep this document current and request that those who read it will
submit corrections or comments. submit corrections or comments.
Comments on this document may be addressed to the OpSec Working Group Comments on this document may be addressed to the OpSec Working Group
or directly to the authors. or directly to the authors.
opsec@ops.ietf.org opsec@ops.ietf.org
This document will be updated in sections. The most recently updated This document will be updated in sections. The most recently updated
part of this document is Section 3. part of this document is Section 5.
2. Format of this Document 2. Format of this Document
The body of this document has three sections. The body of this document has three sections.
The first part of the body of this document, Section 3, contains a The first part of the body of this document, Section 3, contains a
listing of online glossaries relating to networking and security. It listing of online glossaries relating to networking and security. It
is very important that the definitions of words relating to security is very important that the definitions of words relating to security
and security events be consistent. Inconsistencies between the and security events be consistent. Inconsistencies between the
useage of words on standards is unacceptable as it would prevent a useage of words on standards is unacceptable as it would prevent a
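Review bot: The sentence at the end of this hunk, "Inconsistencies between the useage of words on standards is unacceptable", is carried over unchanged from -15 to -16 and still has the misspelling "useage" and a plural subject with "is". Suggest "Inconsistencies in the usage of words across standards are unacceptable", since Section 2 is being edited in this revision anyway.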
skipping to change at page 8, line 5 skipping to change at page 7, line 26
definitions of the words in the listed glossaries so can offer no definitions of the words in the listed glossaries so can offer no
assurance of their alignment. assurance of their alignment.
The second part, Section 4, contains a listing of SDOs that appear to The second part, Section 4, contains a listing of SDOs that appear to
be working on security standards. be working on security standards.
The third part, Section 5, lists the documents which have been found The third part, Section 5, lists the documents which have been found
to offer good practices or recommendations for securing networks and to offer good practices or recommendations for securing networks and
networking devices. networking devices.
The text used in sections 3, 4, and 5 have been copied from their
referring web sites. The authors make no claim about the validity or
accuracy of the information listed.
3. Online Security Glossaries 3. Online Security Glossaries
This section contains references to glossaries of network and This section contains references to glossaries of network and
computer security terms computer security terms.
3.1. ATIS Telecom Glossary 2007 3.1. ATIS Telecom Glossary 2007
http://www.atis.org/tg2k/ http://www.atis.org/tg2k/
This Glossary began as a 5800-entry, search-enabled hypertext This Glossary began as a 5800-entry, search-enabled hypertext
telecommunications glossary titled Federal Standard 1037C, Glossary telecommunications glossary titled Federal Standard 1037C, Glossary
of Telecommunication Terms . Federal Standard 1037C was updated and of Telecommunication Terms . Federal Standard 1037C was updated and
matured into an American National Standard (ANS): T1.523-2001, matured into an American National Standard (ANS): T1.523-2001,
Telecom Glossary 2000 , under the aegis of ASC T1. In turn, T1.523- Telecom Glossary 2000 , under the aegis of ASC T1. In turn, T1.523-
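Review bot: The paragraph added to Section 2 in -16 has a subject-verb mismatch: "The text used in sections 3, 4, and 5 have been copied" should read "has been copied", and "sections" should be capitalized to match "Section 3", "Section 4" and "Section 5" in the paragraphs just above it. The neighbouring change that adds the missing period after "computer security terms" is fine.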
skipping to change at page 27, line 9 skipping to change at page 27, line 9
contributions, and multi-vendor technology demonstrations have jumped contributions, and multi-vendor technology demonstrations have jumped
started work efforts on industry hot topics Network Defense, Cyber started work efforts on industry hot topics Network Defense, Cyber
Security, and security for single and multi-regional enterprise Security, and security for single and multi-regional enterprise
application cloud bursting. Our aim is to produce Security application cloud bursting. Our aim is to produce Security
Management rich frameworks, best practices, and guidebooks. Management rich frameworks, best practices, and guidebooks.
5. Security Best Practices Efforts and Documents 5. Security Best Practices Efforts and Documents
This section lists the works produced by the SDOs. This section lists the works produced by the SDOs.
5.1. 3GPP - TSG SA WG3 (Security) 5.1. 3GPP - SA3 - Security
http://www.3gpp.org/TB/SA/SA3/SA3.htm http://www.3gpp.org/SA3-Security
TSG SA WG3 Security is responsible for the security of the 3GPP The WG is responsible for security in 3GPP systems, determining the
system, performing analyses of potential security threats to the security requirements, and specifying the security architectures and
system, considering the new threats introduced by the IP based protocols. The WG also ensures the availability of cryptographic
services and systems and setting the security requirements for the algorithms which need to be part of the specifications. The sub-WG
overall 3GPP system. SA3-LI provides the requirements and specifications for lawful
interception in 3GPP systems.
Specifications: Specifications:
http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm
Work Items:
http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--s3--wis.htm
3GPP Confidentiality and Integrity algorithms:
http://www.3gpp.org/TB/Other/algorithms.htm
5.2. 3GPP2 - TSG-S Working Group 4 (Security) 5.2. 3GPP2 - TSG-S Working Group 4 (Security)
http://www.3gpp2.org/Public_html/S/index.cfm http://www.3gpp2.org/Public_html/S/index.cfm
The Services and Systems Aspects TSG (TSG-S) is responsible for the The Services and Systems Aspects TSG (TSG-S) is responsible for the
development of service capability requirements for systems based on development of service capability requirements for systems based on
3GPP2 specifications. Among its responsibilities TSG-S is addressing 3GPP2 specifications. It is also responsible for high level
management, technical coordination, as well as architectural and architectural issues, as required, to coordinate service development
across the various TSGs. In this role, the Services and Systems TSG
shall track the activities within the various TSGs, as required, to
meet the above service requirements.
More specifically, TSG-S will address the following areas of work:
Management, technical coordination, as well as architectural and
requirements development associated with all end-to-end features, requirements development associated with all end-to-end features,
services and system capabilities including, but not limited to, services and system capabilities including, but not limited to,
security and QoS. security and QoS
TSG-S Specifications:
http://www.3gpp2.org/Public_html/specs/index.cfm#tsgs
5.3. American National Standard T1.276-2003 - Baseline Security TSG-S Specifications: http://www.3gpp2.org/Public_html/specs/tsgs.cfm
Requirements for the Management Plane
Abstract: This standard contains a set of baseline security 5.3. ATIS-0300276.2008 - Operations, Administration, Maintenance, and
requirements for the management plane. The President's National Provisioning Security Requirements for the Public
Security Telecommunications Advisory Committee Network Security Telecommunications Network: A Baseline of Security Requirements
Information Exchange (NSIE) and Government NSIE jointly established a for the Management Plane
Security Requirements Working Group (SRWG) to examine the security
requirements for controlling access to the public switched network,
in particular with respect to the emerging next generation network.
In the telecommunications industry, this access incorporates This document contains both the published and redline versions of
operation, administration, maintenance, and provisioning for network ATIS-0300276.2008. This standard contains a set of baseline security
elements and various supporting systems and databases. Members of requirements for the management plane. The requirements outlined in
the SRWG, from a cross-section of telecommunications carriers and this standard allow equipment/system suppliers, government
vendors, developed an initial list of security requirements that
would allow vendors, government departments and agencies, and service
providers to implement a secure telecommunications network management
infrastructure. This initial list of security requirements was
submitted as a contribution to Committee T1 - Telecommunications,
Working Group T1M1.5 for consideration as a standard. The
requirements outlined in this document will allow vendors, government
departments and agencies, and service providers to implement a secure departments and agencies, and service providers to implement a secure
telecommunications network management infrastructure. telecommunications management infrastructure.
Documents:
http://webstore.ansi.org/ansidocstore/product.asp?sku=T1%2E276%2D2003
5.4. DMTF - Security Protection and Management (SPAM) Working Group
http://www.dmtf.org/about/committees/spamWGCharter.pdf
The Working Group will define a CIM Common Model that addresses
security protection and detection technologies, which may include
devices and services, and classifies security information, attacks,
and responses.
5.5. DMTF - User and Security Working Group
http://www.dmtf.org/about/committees/userWGCharter.pdf
The User and Security Working Group defines objects and access
methods required for principals - where principals include users,
groups, software agents, systems, and organizations.
5.6. ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End
Standards and Solutions
ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf
The ATIS TOPS Security Focus Group has made recommendations on work
items needed to be performed by other SDOs.
5.6.1. ATIS Work on Packet Filtering Documents: http://www.atis.org/docstore/product.aspx?id=24660
A part of the ATIS Work Plan was to define how disruptions may be 5.4. DMTF - Security Modeling Working Group
prevented by filtering unwanted traffic at the edges of the network.
ATIS is developing this work in a document titled, "Traffic Filtering
for the Prevention of Unwanted Traffic".
5.7. ATIS Work on the NGN http://www.dmtf.org/sites/default/files/SecurityWGCharter.pdf
http://www.atis.org/tops/WebsiteDocuments/NGN/Working%20Docs/ The Security Modeling Working Group of the Schema Subcommittee is
Part%20I/ATIS_NGN_Part_1_Issue1.pdf responsible for developing the models and profiles required to
provide interoperable security management interfaces for
implementations, including the enabling of configuration and
management of authentication, authorization, and auditing services.
In November 2004, ATIS released Part I of the ATIS NGN-FG efforts The operational security requirements for protocols and management
entitled, "ATIS Next Generation Network (NGN) Framework Part I: NGN initiatives are not addressed by this work group and should be
Definitions, Requirements, and Architecture, Issue 1.0, November addressed by the working groups responsible for them. Management of
2004." the underlying security capabilities utilized by such protocols and
initiatives are addressed by this work group, (for example:
interfaces for the management of keys and certificates).
5.8. Common Criteria 5.5. Common Criteria
http://www.commoncriteriaportal.org/ http://www.commoncriteriaportal.org/
Version 1.0 of the CC was completed in January 1996. Based on a The Common Criteria for Information Technology Security Evaluation
number of trial evaluations and an extensive public review, Version (CC), and the companion Common Methodology for Information Technology
1.0 was extensively revised and CC Version 2.0 was produced in April Security Evaluation (CEM) are the technical basis for an
of 1998. This became ISO International Standard 15408 in 1999. The international agreement, the Common Criteria Recognition Agreement
CC Project subsequently incorporated the minor changes that had (CCRA), which ensures that:
resulted in the ISO process, producing CC version 2.1 in August 1999.
Version 3.0 was published in June 2005 and is available for comment.
The official version of the Common Criteria and of the Common
Evaluation Methodology is v2.3 which was published in August 2005.
All Common Criteria publications contain:
Part 1: Introduction and general model
Part 2: Security functional components
Part 3: Security assurance components Products can be evaluated by competent and independent licensed
laboratories so as to determine the fulfilment of particular
security properties, to a certain extent or assurance;
Documents: Common Criteria V2.3 Supporting documents, are used within the Common Criteria
http://www.commoncriteriaportal.org/public/expert/index.php?menu=2 certification process to define how the criteria and evaluation
methods are applied when certifying specific technologies;
5.9. ETSI The certification of the security properties of an evaluated
product can be issued by a number of Certificate Authorizing
Schemes, with this certification being based on the result of
their evaluation;
http://www.etsi.org/ These certificates are recognized by all the signatories of the
CCRA.
The ETSI hosted the ETSI Global Security Conference in late November, The CC is the driving force for the widest available mutual
2003, which could lead to a standard. recognition of secure IT products. This web portal is available to
support the information on the status of the CCRA, the CC and the
certification schemes, licensed laboratories, certified products and
related information, news and events.
Groups related to security located from the ETSI Groups Portal: 5.6. ETSI
OCG Security TC SEC
3GPP SA3
TISPAN WG7 http://portal.etsi.org/portal/server.pt/gateway/
PTARGS_0_13938_491_312_425_43/tb/closed_tb/sec.asp
5.10. GGF Security Area (SEC) Board#38 confirmed the closure of TC SEC.
https://forge.gridforum.org/projects/sec/ At the same time it approved the creation of an OCG Ad Hoc group OCG
Security
The Security Area (SEC) is concerned with various issues relating to TC SEC documents can be found in the SEC archive (members login
authentication and authorization in Grid environments. required)
Working groups: The SEC Working groups (ESI and LI) were closed and TC ESI and a TC
LI were created to continue the work.
Authorization Frameworks and Mechanisms WG (AuthZ-WG) - All documents and information relevant to ESI and LI are available
https://forge.gridforum.org/projects/authz-wg from the TC ESI and TC LI sites
Certificate Authority Operations Working Group (CAOPS-WG) - TC ESI: http://portal.etsi.org/portal/server.pt/community/ESI/307
https://forge.gridforum.org/projects/caops-wg
OGSA Authorization Working Group (OGSA-AUTHZ) - TC LI: http://portal.etsi.org/portal/server.pt/community/LI/318
https://forge.gridforum.org/projects/ogsa-authz
Grid Security Infrastructure (GSI-WG) - OCG SEC
https://forge.gridforum.org/projects/gsi-wg
5.11. Information System Security Assurance Architecture http://portal.etsi.org/ocgsecurity/OCG_security_ToR.asp
IEEE Working Group - http://issaa.org/ The group's primary role is to provide a light-weight horizontal co-
ordination structure for security issues that will ensure this work
is seriously considered in each ETSI TB and that any duplicate or
conflicting work is detected. To achieve this aim the group should
mainly conduct its work via email and, where appropriate, co-sited
"joint security" technical working meetings.
Formerly the Security Certification and Accreditation of Information OCG documents may be found here:
Systems (SCAISWG), IEEE Project 1700's purpose is to develop a draft
Standard for Information System Security Assurance Architecture for
ballot and during the process begin development of a suite of
associated standards for components of that architecture.
Documents: http://issaa.org/documents/index.html http://portal.etsi.org/ocg/Summary.asp (members login required)
5.12. Operational Security Requirements for IP Network Infrastructure : 5.7. Operational Security Requirements for IP Network Infrastructure :
Advanced Requirements Advanced Requirements
IETF RFC 3871 IETF RFC 3871
Abstract: This document defines a list of operational security Abstract: This document defines a list of operational security
requirements for the infrastructure of large ISP IP networks (routers requirements for the infrastructure of large ISP IP networks (routers
and switches). A framework is defined for specifying "profiles", and switches). A framework is defined for specifying "profiles",
which are collections of requirements applicable to certain network which are collections of requirements applicable to certain network
topology contexts (all, core-only, edge-only...). The goal is to topology contexts (all, core-only, edge-only...). The goal is to
provide network operators a clear, concise way of communicating their provide network operators a clear, concise way of communicating their
security requirements to vendors. security requirements to vendors.
Documents: Documents:
ftp://ftp.rfc-editor.org/in-notes/rfc3871.txt http://www.rfc-editor.org/rfc/rfc3871.txt
5.13. ISO Guidelines for the Management of IT Security - GMITS
Guidelines for the Management of IT Security -- Part 1: Concepts and
models for IT Security
http://www.iso.ch/iso/en/
CatalogueDetailPage.CatalogueDetail?CSNUMBER=21733&ICS1=35
Guidelines for the Management of IT Security -- Part 2: Managing and
planning IT Security
http://www.iso.org/iso/en/
CatalogueDetailPage.CatalogueDetail?CSNUMBER=21755&ICS1=35&ICS2=40&
ICS3=
Guidelines for the Management of IT Security -- Part 3: Techniques
for the management of IT Security
http://www.iso.org/iso/en/
CatalogueDetailPage.CatalogueDetail?CSNUMBER=21756&ICS1=35&ICS2=40&
ICS3=
Guidelines for the Management of IT Security -- Part 4: Selection of
safeguards
http://www.iso.org/iso/en/
CatalogueDetailPage.CatalogueDetail?CSNUMBER=29240&ICS1=35&ICS2=40&
ICS3=
Guidelines for the Management of IT Security - Part 5: Management
guidance on network security
http://www.iso.org/iso/en/
CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40&
ICS3=
Open Systems Interconnection -- Network layer security protocol
http://www.iso.org/iso/en/
CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100&
ICS3=30
5.14. ISO JTC 1/SC 27 5.8. ISO JTC 1/SC 27 - Information security Technology techniques
http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/ http://www.iso.org/iso/iso_catalogue/catalogue_tc/
TechnicalProgrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143 catalogue_tc_browse.htm?commid=45306
Several security related ISO projects under JTC 1/SC 27 are listed Several security related ISO projects under JTC 1/SC 27 are listed
here such as: here such as:
IT security techniques -- Entity authentication IT security techniques -- Message Authentication Codes (MACs)
Security techniques -- Key management
Security techniques -- Evaluation criteria for IT security
Security techniques -- A framework for IT security assurance IT Security techniques -- Key management
IT Security techniques -- Code of practice for information IT Security techniques -- Entity authentication
security management
Security techniques -- IT network security IT Security techniques -- Hash-functions
Guidelines for the implementation, operation and management of IT Security techniques -- Non-repudiation
Intrusion Detection Systems (IDS)
International Security, Trust, and Privacy Alliance -- Privacy IT Security techniques -- IT network security
Framework
5.15. ITU-T Study Group 2 5.9. ITU-T Study Group 2
http://www.itu.int/ITU-T/studygroups/com02/index.asp http://www.itu.int/ITU-T/studygroups/com02/index.asp
Security related recommendations currently under study: Security related recommendations currently under study:
http://www.itu.int/ITU-T/recommendations/index_sg.aspx?sg=2
E.408 Telecommunication networks security requirements Q.5/2 (was 5.10. ITU-T Study Group 17
E.sec1)
E.409 Incident Organisation and Security Incident Handling Q.5/2
(was E.sec2)
Note: Access requires TIES account.
5.16. ITU-T Recommendation M.3016
http://www.itu.int/itudoc/itu-t/com4/contr/068.html
This recommendation provides an overview and framework that
identifies the security requirements of a TMN and outlines how
available security services and mechanisms can be applied within the
context of the TMN functional architecture.
Question 18 of Study Group 3 is revising Recommendation M.3016. They
have taken the original document and are incorporating thoughts from
ITU-T Recommendation X.805 and from ANSI T1.276-2003. The group has
produced a new series of documents.
M.3016.0 - Overview
M.3016.1 - Requirements
M.3016.2 - Services
M.3016.3 - Mechanisms
M.3016.4 - Profiles
5.17. ITU-T Recommendation X.805
http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html
This Recommendation defines the general security-related
architectural elements that, when appropriately applied, can provide
end-to-end network security.
5.18. ITU-T Study Group 16
http://www.itu.int/ITU-T/studygroups/com16/index.asp
Multimedia Security in Next-Generation Networks (NGN-MM-SEC)
http://www.itu.int/ITU-T/studygroups/com16/sg16-q25.html
5.19. ITU-T Study Group 17
http://www.itu.int/ITU-T/studygroups/com17/index.asp http://www.itu.int/ITU-T/studygroups/com17/index.asp
Security related recommendations currently under study:
http://www.itu.int/ITU-T/recommendations/index_sg.aspx?sg=17
ITU-T Study Group 17 is the Lead Study Group on Communication System The ICT Security Standards Roadmap
Security http://www.itu.int/ITU-T/studygroups/com17/ict/index.html
http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html
Study Group 17 Security Project:
http://www.itu.int/ITU-T/studygroups/com17/security/index.html This ICT Security Standards Roadmap has been developed to assist in
the development of security standards by bringing together
information about existing standards and current standards work in
key standards development organizations.
During its November 2002 meeting, Study Group 17 agreed to establish In addition to aiding the process of standards development, the
a new project entitled "Security Project" under the leadership of Roadmap will provide information that will help potential users of
Q.10/17 to coordinate the ITU-T standardization effort on security. security standards, and other standards stakeholders, gain an
An analysis of the status on ITU-T Study Group action on information understanding of what standards are available or under development as
and communication network security may be found in TSB Circular 147 well as the key organizations that are working on these standards.
of 14 February 2003.
5.20. Catalogue of ITU-T Recommendations related to Communications The Roadmap was initiated by ITU-T Study Group 17. In January 2007
System Security the initiative became a collaborative effort when the European
Network and Information Security Agency (ENISA) and the Network and
Information Security Steering Group (NISSG) joined Study Group 17 in
the project.
http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html The Roadmap is in five parts:
The Catalogue of the approved security Recommendations include those, Part 1: ICT Standards Development Organizations and Their Work
designed for security purposes and those, which describe or use of http://www.itu.int/ITU-T/studygroups/com17/ict/part01.html
functions of security interest and need. Although some of the
security related Recommendations includes the phrase "Open Systems
Interconnection", much of the information contained in them is
pertinent to the establishment of security functionality in any
communicating system.
5.21. ITU-T Security Manual Part 1 contains information about the Roadmap structure and about
each of the listed standards organizations, their structure and the
security standards work being undertaken. In addition it contains
information on terminology by providing links to existing security
glossaries and vocabularies.
http://www.itu.int/ITU-T/edh/files/security-manual.pdf Part 2: Approved ICT Security Standards
http://www.itu.int/ITU-T/studygroups/com17/ict/part02.html
TSB is preparing an "ITU-T Security Manual" to provide an overview on Part 2 contains a summary catalogue of approved standards.
security in telecommunications and information technologies, describe
practical issues, and indicate how the different aspects of security
in today's applications are addressed by ITU-T Recommendations. This
manual has a tutorial character: it collects security related
material from ITU-T Recommendations into one place and explains the
respective relationships. The intended audience for this manual are
engineers and product managers, students and academia, as well as
regulators who want to better understand security aspects in
practical applications.
5.22. ITU-T NGN Effort Part 3: Security standards under development
http://www.itu.int/ITU-T/studygroups/com17/ict/part03.html
http://www.itu.int/ITU-T/2001-2004/com13/ngn2004/index.html Part 3 is structured with the same taxonomy as Part 2 but contains
work in progress, rather than standards that have already been
approved and published. Part 3 will also contain information on
inter-relationships between groups undertaking the work and on
potential overlaps between existing projects.
During its January 2002 meeting, SG13 decided to undertake the Part 4: Future needs and proposed new security standards
preparation of a new ITU-T Project entitled "NGN 2004 Project". At http://www.itu.int/ITU-T/studygroups/com17/ict/part04.html
the November 2002 SG13 meeting, a preliminary description of the
Project was achieved and endorsed by SG13 with the goal to launch the
Project. It is regularly updated since then.
The role of the NGN 2004 Project is to organize and to coordinate Part 4 is intended to capture possible future areas of security
ITU-T activities on Next Generation Networks. Its target is to standards work where gaps or needs have been identified as well as
produce a first set of Recommendations on NGN by the end of this areas where proposals have been made for specific new standards work.
study period, i.e. mid-2004.
5.23. NRIC VI Focus Groups Part 4 includes provision for direct feedback, comments and
suggestions.
http://www.nric.org/fg/index.html Part 5: Best practices
http://www.itu.int/ITU-T/studygroups/com17/ict/part05.html
The Network Reliability and Interoperability Council (NRIC) was Part 5 is a recent addition to the Roadmap (May 2007). It is
formed with the purpose to provide recommendations to the FCC and to intended to be a repository of security-related best practices
the industry to assure the reliability and interoperability of contributed by our community of members.
wireless, wireline, satellite, and cable public telecommunications
networks. These documents provide general information and guidance
on NRIC Focus Group 1B (Cybersecurity) Best Practices for the
prevention of cyberattack and for restoration following a
cyberattack.
Documents: This section will be based on contributions from the security
community.
Homeland Defense - Recommendations Published 14-Mar-03 Where possible contributions should refer to best practices relating
to standards-based security but other best practices will be
considered for inclusion.
Preventative Best Practices - Recommendations Published 14-Mar-03 It is important to note that the Roadmap is a work-in-progress. It
is intended that it be developed and enhanced to include other
standards organizations as well as a broader representation of the
work from organizations already included. It is hoped that standards
organizations whose work is not represented in this version of the
Roadmap will provide information to ITU-T about their work so that it
may be included in future editions.
Recovery Best Practices - Recommendations Published 14-Mar-03 In May 2007, Part 2 of the Roadmap was converted to a searchable
database format that allows direct links to the information of
participating standards organizations. The database format will
allow each participating organization to manage its own data within
the Roadmap. This will enable more timely updating of the
information and will also reduce the overhead in maintaining the
information.
Best Practice Appendices - Recommendations Published 14-Mar-03 http://www.itu.int/ITU-T/security/main_table.aspx
5.24. OASIS Security Joint Committee 5.11. NRIC VII Focus Groups
http://www.oasis-open.org/committees/ http://www.nric.org/fg/index.html
tc_home.php?wg_abbrev=security-jc
The purpose of the Security JC is to coordinate the technical By December 16, 2005, the Council shall present a final report that
activities of multiple security related TCs. The SJC is advisory describes, in detail, any additions, deletions, or modifications that
only, and has no deliverables. The Security JC will promote the use should be made to the Homeland Security Best Practices that were
of consistent terms, promote re-use, champion an OASIS security adopted by the preceding Council.
standards model, provide consistent PR, and promote mutuality,
operational independence and ethics.
5.25. OASIS Security Services (SAML) TC Documents in Focus Group 2: Homeland Security, Subcommittee 2.B:
Cyber Security:
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security Focus Group 2B Report - Homeland Security Cyber Security Best
Practices Published 06-Dec-2004
The Security Services TC is working to advance the Security Assertion Focus Group 2B Report Appendices Published 06-Dec-2004
Markup Language (SAML) as an OASIS standard. SAML is an XML
framework for exchanging authentication and authorization
information.
5.26. OIF Implementation Agreements Focus Group 2B Final Report - Summary of Activities, Guidance and
Cybersecurity Issues Published 16-Dec-2005
The OIF has 2 approved Implementation Agreements (IAs) relating to Focus Group 2B Final Best Practices Published 16-Dec-2005
security. They are:
OIF-SMI-01.0 - Security Management Interfaces to Network Elements 5.12. OASIS Security Technical Committees
This Implementation Agreement lists objectives for securing OAM&P Many Technical Committees have produced standards.
interfaces to a Network Element and then specifies ways of using
security systems (e.g., IPsec or TLS) for securing these interfaces.
It summarizes how well each of the systems, used as specified,
satisfies the objectives.
OIF - SEP - 01.1 - Security Extension for UNI and NNI http://www.oasis-open.org/committees/tc_cat.php?cat=security
This Implementation Agreement defines a common Security Extension for 5.13. OIF Implementation Agreements
securing the protocols used in UNI 1.0, UNI 2.0, and NNI.
Documents: http://www.oiforum.com/public/documents/Security-IA.pdf The OIF has 3 approved, and in-force Implementation Agreements (IAs)
relating to security. They are:
5.27. TIA OIF-SEP-03.0 - Security Extension for UNI and E-NNI 2.0 (Nov 2010)
http://www.oiforum.com/public/documents/OIF-SEP-03.0.pdf
The TIA has produced the "Compendium of Emergency Communications and OIF-SMI-01.0 - Security for Management Interfaces to Network Elements
Communications Network Security-related Work Activities". This (September 2003)
document identifies standards, or other technical documents and http://www.oiforum.com/public/documents/SecurityMgmt-IA.pdf
ongoing Emergency/Public Safety Communications and Communications
Network Security-related work activities within TIA and it's
Engineering Committees. Many P25 documents are specifically
detailed. This "living document" is presented for information,
coordination and reference.
Documents: http://www.tiaonline.org/standards/technology/ciphs/ OIF-SMI-02.1 - Addendum to the Security for Management Interfaces to
documents/EMTEL_sec.pdf Network Elements (March 2006)
http://www.oiforum.com/public/documents/OIF-SMI-02_1.pdf
5.28. WS-I Basic Security Profile 5.14. TIA - Critical Infrastructure Protection (CIP) and Homeland
Security (HS)
http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html This TIA webpage identifies and links to many standards, other
technical documents and ongoing activity involving or supporting
TIA's role in Public Safety and Homeland Security, Network Security,
Critical Infrastructure Protection and Assurance, National Security/
Emergency Preparedness, Emergency Communications Services, Emergency
Calling and Location Identification Services, and the Needs of First
Responders.
The WS-I Basic Security Profile 1.0 consists of a set of non- http://www.tiaonline.org/standards/technology/ciphs/
proprietary Web services specifications, along with clarifications
and amendments to those specifications which promote
interoperability.
5.29. NIST Special Publications (800 Series) 5.15. NIST Special Publications (800 Series)
http://csrc.nist.gov/publications/PubsSPs.html http://csrc.nist.gov/publications/PubsSPs.html
Special Publications in the 800 series present documents of general Special Publications in the 800 series present documents of general
interest to the computer security community. The Special Publication interest to the computer security community. The Special Publication
800 series was established in 1990 to provide a separate identity for 800 series was established in 1990 to provide a separate identity for
information technology security publications. This Special information technology security publications. This Special
Publication 800 series reports on ITL's research, guidelines, and Publication 800 series reports on ITL's research, guidelines, and
outreach efforts in computer security, and its collaborative outreach efforts in computer security, and its collaborative
activities with industry, government, and academic organizations. activities with industry, government, and academic organizations.
5.30. NIST Interagency or Internal Reports (NISTIRs) 5.16. NIST Interagency or Internal Reports (NISTIRs)
http://csrc.nist.gov/publications/PubsNISTIRs.html http://csrc.nist.gov/publications/PubsNISTIRs.html
NIST Interagency or Internal Reports (NISTIRs) describe research of a NIST Interagency or Internal Reports (NISTIRs) describe research of a
technical nature of interest to a specialized audience. The series technical nature of interest to a specialized audience. The series
includes interim or final reports on work performed by NIST for includes interim or final reports on work performed by NIST for
outside sponsors (both government and nongovernment). NISTIRs may outside sponsors (both government and nongovernment). NISTIRs may
also report results of NIST projects of transitory or limited also report results of NIST projects of transitory or limited
interest, including those that will be published subsequently in more interest, including those that will be published subsequently in more
comprehensive form. comprehensive form.
5.31. NIST ITL Security Bulletins 5.17. NIST ITL Security Bulletins
http://csrc.nist.gov/publications/PubsITLSB.html http://csrc.nist.gov/publications/PubsITLSB.html
ITL Bulletins are published by NIST's Information Technology ITL Bulletins are published by NIST's Information Technology
Laboratory, with most bulletins written by the Computer Security Laboratory, with most bulletins written by the Computer Security
Division. These bulletins are published on the average of six times Division. These bulletins are published on the average of six times
a year. Each bulletin presents an in-depth discussion of a single a year. Each bulletin presents an in-depth discussion of a single
topic of significant interest to the information systems community. topic of significant interest to the information systems community.
Not all of ITL Bulletins that are published relate to computer / Not all of ITL Bulletins that are published relate to computer /
network security. Only the computer security ITL Bulletins are found network security. Only the computer security ITL Bulletins are found
here. here.
5.32. SANS Information Security Reading Room 5.18. SANS Information Security Reading Room
http://www.sans.org/reading_room/ http://www.sans.org/reading_room/
Featuring over 1,885 original computer security white papers in 75 Featuring over 1,885 original computer security white papers in 75
different categories. different categories.
Most of the computer security white papers in the Reading Room have Most of the computer security white papers in the Reading Room have
been written by students seeking GIAC certification to fulfill part been written by students seeking GIAC certification to fulfill part
of their certification requirements and are provided by SANS as a of their certification requirements and are provided by SANS as a
resource to benefit the security community at large. SANS attempts resource to benefit the security community at large. SANS attempts
skipping to change at page 44, line 7 skipping to change at page 42, line 7
-15 : Fifteenth revision of the WG ID. -15 : Fifteenth revision of the WG ID.
Updated the date and reviewed the accuracy of Section 4. Several Updated the date and reviewed the accuracy of Section 4. Several
changes made. changes made.
Removed WS-I as they have merged with OASIS. Removed WS-I as they have merged with OASIS.
Added TM Forum. Added TM Forum.
-16 : Sixteenth revision of the WG ID.
Updated the date and reviewed the accuracy of Section 5. Several
changes made.
Note: This section will be removed before publication as an RFC. Note: This section will be removed before publication as an RFC.
Authors' Addresses Authors' Addresses
Chris Lonvick Chris Lonvick
Cisco Systems Cisco Systems
12515 Research Blvd. 12515 Research Blvd.
Austin, Texas 78759 Austin, Texas 78759
US US
 End of changes. 117 change blocks. 
450 lines changed or deleted 308 lines changed or added
