--- 1/draft-ietf-opsec-efforts-15.txt 2011-03-28 18:16:20.000000000 +0200 +++ 2/draft-ietf-opsec-efforts-16.txt 2011-03-28 18:16:20.000000000 +0200 @@ -1,18 +1,18 @@ Network Working Group C. Lonvick Internet-Draft D. Spak Intended status: Informational Cisco Systems -Expires: August 18, 2011 February 14, 2011 +Expires: September 27, 2011 March 26, 2011 Security Best Practices Efforts and Documents - draft-ietf-opsec-efforts-15.txt + draft-ietf-opsec-efforts-16.txt Abstract This document provides a snapshot of the current efforts to define or apply security requirements in various Standards Developing Organizations (SDO). Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the 
@@ -27,149 +27,134 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on August 18, 2011. + This Internet-Draft will expire on September 27, 2011. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License. Table of Contents - 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 - 2. Format of this Document . . . . . . . . . . . . . . . . . . . 7 - 3. Online Security Glossaries . . . . . . . . . . . . . . . . . . 8 - 3.1. ATIS Telecom Glossary 2007 . . . . . . . . . . . . . . . . 8 - 3.2. Internet Security Glossary - RFC 4949 . . . . . . . . . . 8 - 3.3. Compendium of Approved ITU-T Security Definitions . . . . 8 - 3.4. Microsoft Malware Protection Center . . . . . . . . . . . 9 - 3.5. SANS Glossary of Security Terms . . . . . . . . . . . . . 9 - 3.6. Security Taxonomy and Glossary - Anne & Lynn Wheeler . . . 9 - 3.7. NIST - Glossary of Key Information Security Terms . . . . 9 - 4. Standards Developing Organizations . . . . . . . . . . . . . . 11 - 4.1. 3GPP - Third Generation Partnership Project . . . . . . . 
11 - 4.2. 3GPP2 - Third Generation Partnership Project 2 . . . . . . 11 - 4.3. ANSI - The American National Standards Institute . . . . . 12 - 4.3.1. Accredited Standards Committee X9 (ASC X9) . . . . . . 12 + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 2. Format of this Document . . . . . . . . . . . . . . . . . . . 6 + 3. Online Security Glossaries . . . . . . . . . . . . . . . . . . 7 + 3.1. ATIS Telecom Glossary 2007 . . . . . . . . . . . . . . . . 7 + 3.2. Internet Security Glossary - RFC 4949 . . . . . . . . . . 7 + 3.3. Compendium of Approved ITU-T Security Definitions . . . . 7 + 3.4. Microsoft Malware Protection Center . . . . . . . . . . . 8 + 3.5. SANS Glossary of Security Terms . . . . . . . . . . . . . 8 + 3.6. Security Taxonomy and Glossary - Anne & Lynn Wheeler . . . 8 + 3.7. NIST - Glossary of Key Information Security Terms . . . . 8 + 4. Standards Developing Organizations . . . . . . . . . . . . . . 10 + 4.1. 3GPP - Third Generation Partnership Project . . . . . . . 10 + 4.2. 3GPP2 - Third Generation Partnership Project 2 . . . . . . 10 + 4.3. ANSI - The American National Standards Institute . . . . . 11 + 4.3.1. Accredited Standards Committee X9 (ASC X9) . . . . . . 11 4.4. ATIS - Alliance for Telecommunications Industry - Solutions . . . . . . . . . . . . . . . . . . . . . . . . 12 + Solutions . . . . . . . . . . . . . . . . . . . . . . . . 11 4.4.1. ATIS NPRQ - Network Performance, Reliability, and - Quality of Service Committee, formerly T1A1 . . . . . 13 + Quality of Service Committee, formerly T1A1 . . . . . 12 4.4.2. ATIS TMOC - Telecom Management and Operations - Committee, formerly T1M1 OAM&P . . . . . . . . . . . . 14 - 4.5. CC - Common Criteria . . . . . . . . . . . . . . . . . . . 14 - 4.6. DMTF - Distributed Management Task Force, Inc. . . . . . . 14 + Committee, formerly T1M1 OAM&P . . . . . . . . . . . . 13 + 4.5. CC - Common Criteria . . . . . . . . . . . . . . . . . . . 13 + 4.6. 
DMTF - Distributed Management Task Force, Inc. . . . . . . 13 4.7. ETSI - The European Telecommunications Standard - Institute . . . . . . . . . . . . . . . . . . . . . . . . 15 - 4.7.1. ETSI SEC . . . . . . . . . . . . . . . . . . . . . . . 15 - 4.7.2. ETSI OCG SEC . . . . . . . . . . . . . . . . . . . . . 15 - 4.8. GGF - Global Grid Forum . . . . . . . . . . . . . . . . . 16 - 4.8.1. Global Grid Forum Security Area . . . . . . . . . . . 16 + Institute . . . . . . . . . . . . . . . . . . . . . . . . 14 + 4.7.1. ETSI SEC . . . . . . . . . . . . . . . . . . . . . . . 14 + 4.7.2. ETSI OCG SEC . . . . . . . . . . . . . . . . . . . . . 14 + 4.8. GGF - Global Grid Forum . . . . . . . . . . . . . . . . . 15 + 4.8.1. Global Grid Forum Security Area . . . . . . . . . . . 15 4.9. IEEE - The Institute of Electrical and Electronics - Engineers, Inc. . . . . . . . . . . . . . . . . . . . . . 16 + Engineers, Inc. . . . . . . . . . . . . . . . . . . . . . 15 4.9.1. IEEE Computer Society's Technical Committee on - Security and Privacy . . . . . . . . . . . . . . . . . 17 - 4.10. IETF - The Internet Engineering Task Force . . . . . . . . 17 - 4.10.1. IETF Security Area . . . . . . . . . . . . . . . . . . 17 + Security and Privacy . . . . . . . . . . . . . . . . . 16 + 4.10. IETF - The Internet Engineering Task Force . . . . . . . . 16 + 4.10.1. IETF Security Area . . . . . . . . . . . . . . . . . . 16 4.11. INCITS - InterNational Committee for Information - Technology Standards . . . . . . . . . . . . . . . . . . . 17 - 4.11.1. Identification Cards and Related Devices (B10) . . . . 18 - 4.11.2. Cyber Security (CS1) . . . . . . . . . . . . . . . . . 18 - 4.11.3. Biometrics (M1) . . . . . . . . . . . . . . . . . . . 18 + Technology Standards . . . . . . . . . . . . . . . . . . . 16 + 4.11.1. Identification Cards and Related Devices (B10) . . . . 17 + 4.11.2. Cyber Security (CS1) . . . . . . . . . . . . . . . . . 17 + 4.11.3. Biometrics (M1) . . . . . . . . . . . . . . . . . . . 
17 4.12. ISO - The International Organization for - Standardization . . . . . . . . . . . . . . . . . . . . . 18 - 4.13. ITU - International Telecommunication Union . . . . . . . 19 + Standardization . . . . . . . . . . . . . . . . . . . . . 17 + 4.13. ITU - International Telecommunication Union . . . . . . . 18 4.13.1. ITU Telecommunication Standardization Sector - - ITU-T . . . . . . . . . . . . . . . . . . . . . . . . 19 - 4.13.2. ITU Radiocommunication Sector - ITU-R . . . . . . . . 20 - 4.13.3. ITU Telecom Development - ITU-D . . . . . . . . . . . 20 + ITU-T . . . . . . . . . . . . . . . . . . . . . . . . 18 + 4.13.2. ITU Radiocommunication Sector - ITU-R . . . . . . . . 19 + 4.13.3. ITU Telecom Development - ITU-D . . . . . . . . . . . 19 4.14. OASIS - Organization for the Advancement of - Structured Information Standards . . . . . . . . . . . . . 21 - 4.15. OIF - Optical Internetworking Forum . . . . . . . . . . . 21 - 4.15.1. OAM&P Working Group . . . . . . . . . . . . . . . . . 22 + Structured Information Standards . . . . . . . . . . . . . 20 + 4.15. OIF - Optical Internetworking Forum . . . . . . . . . . . 20 + 4.15.1. OAM&P Working Group . . . . . . . . . . . . . . . . . 21 4.16. NRIC - The Network Reliability and Interoperability - Council . . . . . . . . . . . . . . . . . . . . . . . . . 22 + Council . . . . . . . . . . . . . . . . . . . . . . . . . 21 4.17. National Security Telecommunications Advisory - Committee (NSTAC) . . . . . . . . . . . . . . . . . . . . 22 - 4.18. TIA - The Telecommunications Industry Association . . . . 23 + Committee (NSTAC) . . . . . . . . . . . . . . . . . . . . 21 + 4.18. TIA - The Telecommunications Industry Association . . . . 22 4.18.1. Critical Infrastructure Protection (CIP) and - Homeland Security (HS) . . . . . . . . . . . . . . . . 23 + Homeland Security (HS) . . . . . . . . . . . . . . . . 22 4.18.2. Commercial Encryption Source Code and Related - Information . . . . . . . . . . . . . . . . . . . . . 24 - 4.19. 
TTA - Telecommunications Technology Association . . . . . 24 - 4.20. The World Wide Web Consortium . . . . . . . . . . . . . . 24 - 4.21. TM Forum . . . . . . . . . . . . . . . . . . . . . . . . . 25 - 4.21.1. Security Management . . . . . . . . . . . . . . . . . 25 - 5. Security Best Practices Efforts and Documents . . . . . . . . 27 - 5.1. 3GPP - TSG SA WG3 (Security) . . . . . . . . . . . . . . . 27 - 5.2. 3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 27 - 5.3. American National Standard T1.276-2003 - Baseline - Security Requirements for the Management Plane . . . . . . 27 - 5.4. DMTF - Security Protection and Management (SPAM) - Working Group . . . . . . . . . . . . . . . . . . . . . . 28 - 5.5. DMTF - User and Security Working Group . . . . . . . . . . 28 - 5.6. ATIS Work-Plan to Achieve Interoperable, - Implementable, End-To-End Standards and Solutions . . . . 28 - 5.6.1. ATIS Work on Packet Filtering . . . . . . . . . . . . 28 - 5.7. ATIS Work on the NGN . . . . . . . . . . . . . . . . . . . 29 - 5.8. Common Criteria . . . . . . . . . . . . . . . . . . . . . 29 - 5.9. ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 - 5.10. GGF Security Area (SEC) . . . . . . . . . . . . . . . . . 30 - 5.11. Information System Security Assurance Architecture . . . . 30 - 5.12. Operational Security Requirements for IP Network - Infrastructure : Advanced Requirements . . . . . . . . . . 30 - 5.13. ISO Guidelines for the Management of IT Security - - GMITS . . . . . . . . . . . . . . . . . . . . . . . . . . 31 - 5.14. ISO JTC 1/SC 27 . . . . . . . . . . . . . . . . . . . . . 32 - 5.15. ITU-T Study Group 2 . . . . . . . . . . . . . . . . . . . 32 - 5.16. ITU-T Recommendation M.3016 . . . . . . . . . . . . . . . 32 - 5.17. ITU-T Recommendation X.805 . . . . . . . . . . . . . . . 33 - 5.18. ITU-T Study Group 16 . . . . . . . . . . . . . . . . . . . 33 - 5.19. ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . . 33 - 5.20. 
Catalogue of ITU-T Recommendations related to - Communications System Security . . . . . . . . . . . . . . 34 - 5.21. ITU-T Security Manual . . . . . . . . . . . . . . . . . . 34 - 5.22. ITU-T NGN Effort . . . . . . . . . . . . . . . . . . . . . 34 - 5.23. NRIC VI Focus Groups . . . . . . . . . . . . . . . . . . . 35 - 5.24. OASIS Security Joint Committee . . . . . . . . . . . . . . 35 - 5.25. OASIS Security Services (SAML) TC . . . . . . . . . . . . 35 - 5.26. OIF Implementation Agreements . . . . . . . . . . . . . . 35 - 5.27. TIA . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 - 5.28. WS-I Basic Security Profile . . . . . . . . . . . . . . . 36 - 5.29. NIST Special Publications (800 Series) . . . . . . . . . . 36 - 5.30. NIST Interagency or Internal Reports (NISTIRs) . . . . . . 37 - 5.31. NIST ITL Security Bulletins . . . . . . . . . . . . . . . 37 - 5.32. SANS Information Security Reading Room . . . . . . . . . . 37 - 6. Security Considerations . . . . . . . . . . . . . . . . . . . 38 - 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 39 - 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 40 - 9. Changes from Prior Drafts . . . . . . . . . . . . . . . . . . 41 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 45 + Information . . . . . . . . . . . . . . . . . . . . . 23 + 4.19. TTA - Telecommunications Technology Association . . . . . 23 + 4.20. The World Wide Web Consortium . . . . . . . . . . . . . . 23 + 4.21. TM Forum . . . . . . . . . . . . . . . . . . . . . . . . . 24 + 4.21.1. Security Management . . . . . . . . . . . . . . . . . 24 + 5. Security Best Practices Efforts and Documents . . . . . . . . 26 + 5.1. 3GPP - SA3 - Security . . . . . . . . . . . . . . . . . . 26 + 5.2. 3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 26 + 5.3. 
ATIS-0300276.2008 - Operations, Administration, + Maintenance, and Provisioning Security Requirements + for the Public Telecommunications Network: A Baseline + of Security Requirements for the Management Plane . . . . 26 + 5.4. DMTF - Security Modeling Working Group . . . . . . . . . . 27 + 5.5. Common Criteria . . . . . . . . . . . . . . . . . . . . . 27 + 5.6. ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 + 5.7. Operational Security Requirements for IP Network + Infrastructure : Advanced Requirements . . . . . . . . . . 29 + 5.8. ISO JTC 1/SC 27 - Information security Technology + techniques . . . . . . . . . . . . . . . . . . . . . . . . 29 + 5.9. ITU-T Study Group 2 . . . . . . . . . . . . . . . . . . . 29 + 5.10. ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . . 29 + 5.11. NRIC VII Focus Groups . . . . . . . . . . . . . . . . . . 31 + 5.12. OASIS Security Technical Committees . . . . . . . . . . . 32 + 5.13. OIF Implementation Agreements . . . . . . . . . . . . . . 32 + 5.14. TIA - Critical Infrastructure Protection (CIP) and + Homeland Security (HS) . . . . . . . . . . . . . . . . . . 32 + 5.15. NIST Special Publications (800 Series) . . . . . . . . . . 33 + 5.16. NIST Interagency or Internal Reports (NISTIRs) . . . . . . 33 + 5.17. NIST ITL Security Bulletins . . . . . . . . . . . . . . . 33 + 5.18. SANS Information Security Reading Room . . . . . . . . . . 33 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . 35 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 36 + 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 37 + 9. Changes from Prior Drafts . . . . . . . . . . . . . . . . . . 38 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 42 1. Introduction The Internet is being recognized as a critical infrastructure similar in nature to the power grid and a potable water supply. 
Just like those infrastructures, means are needed to provide resiliency and adaptability to the Internet so that it remains consistently available to the public throughout the world even during times of duress or attack. For this reason, many SDOs are developing standards with hopes of retaining an acceptable level, or even @@ -209,21 +194,21 @@ described in the Working Group Charter. The authors have agreed to keep this document current and request that those who read it will submit corrections or comments. Comments on this document may be addressed to the OpSec Working Group or directly to the authors. opsec@ops.ietf.org This document will be updated in sections. The most recently updated - part of this document is Section 3. + part of this document is Section 5. 2. Format of this Document The body of this document has three sections. The first part of the body of this document, Section 3, contains a listing of online glossaries relating to networking and security. It is very important that the definitions of words relating to security and security events be consistent. Inconsistencies between the useage of words on standards is unacceptable as it would prevent a 
@@ -232,24 +217,28 @@ definitions of the words in the listed glossaries so can offer no assurance of their alignment. The second part, Section 4, contains a listing of SDOs that appear to be working on security standards. The third part, Section 5, lists the documents which have been found to offer good practices or recommendations for securing networks and networking devices. + The text used in sections 3, 4, and 5 have been copied from their + referring web sites. The authors make no claim about the validity or + accuracy of the information listed. + 3. Online Security Glossaries This section contains references to glossaries of network and - computer security terms + computer security terms. 3.1. ATIS Telecom Glossary 2007 http://www.atis.org/tg2k/ This Glossary began as a 5800-entry, search-enabled hypertext telecommunications glossary titled Federal Standard 1037C, Glossary of Telecommunication Terms . Federal Standard 1037C was updated and matured into an American National Standard (ANS): T1.523-2001, Telecom Glossary 2000 , under the aegis of ASC T1. In turn, T1.523- 
@@ -1054,525 +1043,389 @@ contributions, and multi-vendor technology demonstrations have jumped started work efforts on industry hot topics Network Defense, Cyber Security, and security for single and multi-regional enterprise application cloud bursting. Our aim is to produce Security Management rich frameworks, best practices, and guidebooks. 5. Security Best Practices Efforts and Documents This section lists the works produced by the SDOs. -5.1. 3GPP - TSG SA WG3 (Security) +5.1. 3GPP - SA3 - Security - http://www.3gpp.org/TB/SA/SA3/SA3.htm + http://www.3gpp.org/SA3-Security - TSG SA WG3 Security is responsible for the security of the 3GPP - system, performing analyses of potential security threats to the - system, considering the new threats introduced by the IP based - services and systems and setting the security requirements for the - overall 3GPP system. + The WG is responsible for security in 3GPP systems, determining the + security requirements, and specifying the security architectures and + protocols. The WG also ensures the availability of cryptographic + algorithms which need to be part of the specifications. The sub-WG + SA3-LI provides the requirements and specifications for lawful + interception in 3GPP systems. Specifications: http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm - Work Items: - http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--s3--wis.htm - - 3GPP Confidentiality and Integrity algorithms: - http://www.3gpp.org/TB/Other/algorithms.htm - 5.2. 3GPP2 - TSG-S Working Group 4 (Security) http://www.3gpp2.org/Public_html/S/index.cfm The Services and Systems Aspects TSG (TSG-S) is responsible for the development of service capability requirements for systems based on - 3GPP2 specifications. Among its responsibilities TSG-S is addressing - management, technical coordination, as well as architectural and + 3GPP2 specifications. 
It is also responsible for high level + architectural issues, as required, to coordinate service development + across the various TSGs. In this role, the Services and Systems TSG + shall track the activities within the various TSGs, as required, to + meet the above service requirements. + + More specifically, TSG-S will address the following areas of work: + Management, technical coordination, as well as architectural and requirements development associated with all end-to-end features, services and system capabilities including, but not limited to, - security and QoS. - - TSG-S Specifications: - http://www.3gpp2.org/Public_html/specs/index.cfm#tsgs + security and QoS -5.3. American National Standard T1.276-2003 - Baseline Security - Requirements for the Management Plane + TSG-S Specifications: http://www.3gpp2.org/Public_html/specs/tsgs.cfm - Abstract: This standard contains a set of baseline security - requirements for the management plane. The President's National - Security Telecommunications Advisory Committee Network Security - Information Exchange (NSIE) and Government NSIE jointly established a - Security Requirements Working Group (SRWG) to examine the security - requirements for controlling access to the public switched network, - in particular with respect to the emerging next generation network. +5.3. ATIS-0300276.2008 - Operations, Administration, Maintenance, and + Provisioning Security Requirements for the Public + Telecommunications Network: A Baseline of Security Requirements + for the Management Plane - In the telecommunications industry, this access incorporates - operation, administration, maintenance, and provisioning for network - elements and various supporting systems and databases. 
Members of - the SRWG, from a cross-section of telecommunications carriers and - vendors, developed an initial list of security requirements that - would allow vendors, government departments and agencies, and service - providers to implement a secure telecommunications network management - infrastructure. This initial list of security requirements was - submitted as a contribution to Committee T1 - Telecommunications, - Working Group T1M1.5 for consideration as a standard. The - requirements outlined in this document will allow vendors, government + This document contains both the published and redline versions of + ATIS-0300276.2008. This standard contains a set of baseline security + requirements for the management plane. The requirements outlined in + this standard allow equipment/system suppliers, government departments and agencies, and service providers to implement a secure - telecommunications network management infrastructure. - - Documents: - http://webstore.ansi.org/ansidocstore/product.asp?sku=T1%2E276%2D2003 - -5.4. DMTF - Security Protection and Management (SPAM) Working Group - - http://www.dmtf.org/about/committees/spamWGCharter.pdf - - The Working Group will define a CIM Common Model that addresses - security protection and detection technologies, which may include - devices and services, and classifies security information, attacks, - and responses. - -5.5. DMTF - User and Security Working Group - - http://www.dmtf.org/about/committees/userWGCharter.pdf - - The User and Security Working Group defines objects and access - methods required for principals - where principals include users, - groups, software agents, systems, and organizations. - -5.6. ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End - Standards and Solutions - - ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf - - The ATIS TOPS Security Focus Group has made recommendations on work - items needed to be performed by other SDOs. 
+ telecommunications management infrastructure. -5.6.1. ATIS Work on Packet Filtering + Documents: http://www.atis.org/docstore/product.aspx?id=24660 - A part of the ATIS Work Plan was to define how disruptions may be - prevented by filtering unwanted traffic at the edges of the network. - ATIS is developing this work in a document titled, "Traffic Filtering - for the Prevention of Unwanted Traffic". +5.4. DMTF - Security Modeling Working Group -5.7. ATIS Work on the NGN + http://www.dmtf.org/sites/default/files/SecurityWGCharter.pdf - http://www.atis.org/tops/WebsiteDocuments/NGN/Working%20Docs/ - Part%20I/ATIS_NGN_Part_1_Issue1.pdf + The Security Modeling Working Group of the Schema Subcommittee is + responsible for developing the models and profiles required to + provide interoperable security management interfaces for + implementations, including the enabling of configuration and + management of authentication, authorization, and auditing services. - In November 2004, ATIS released Part I of the ATIS NGN-FG efforts - entitled, "ATIS Next Generation Network (NGN) Framework Part I: NGN - Definitions, Requirements, and Architecture, Issue 1.0, November - 2004." + The operational security requirements for protocols and management + initiatives are not addressed by this work group and should be + addressed by the working groups responsible for them. Management of + the underlying security capabilities utilized by such protocols and + initiatives are addressed by this work group, (for example: + interfaces for the management of keys and certificates). -5.8. Common Criteria +5.5. Common Criteria http://www.commoncriteriaportal.org/ - Version 1.0 of the CC was completed in January 1996. Based on a - number of trial evaluations and an extensive public review, Version - 1.0 was extensively revised and CC Version 2.0 was produced in April - of 1998. This became ISO International Standard 15408 in 1999. 
The - CC Project subsequently incorporated the minor changes that had - resulted in the ISO process, producing CC version 2.1 in August 1999. - Version 3.0 was published in June 2005 and is available for comment. - - The official version of the Common Criteria and of the Common - Evaluation Methodology is v2.3 which was published in August 2005. - - All Common Criteria publications contain: - - Part 1: Introduction and general model - - Part 2: Security functional components + The Common Criteria for Information Technology Security Evaluation + (CC), and the companion Common Methodology for Information Technology + Security Evaluation (CEM) are the technical basis for an + international agreement, the Common Criteria Recognition Agreement + (CCRA), which ensures that: - Part 3: Security assurance components + Products can be evaluated by competent and independent licensed + laboratories so as to determine the fulfilment of particular + security properties, to a certain extent or assurance; - Documents: Common Criteria V2.3 - http://www.commoncriteriaportal.org/public/expert/index.php?menu=2 + Supporting documents, are used within the Common Criteria + certification process to define how the criteria and evaluation + methods are applied when certifying specific technologies; -5.9. ETSI + The certification of the security properties of an evaluated + product can be issued by a number of Certificate Authorizing + Schemes, with this certification being based on the result of + their evaluation; - http://www.etsi.org/ + These certificates are recognized by all the signatories of the + CCRA. - The ETSI hosted the ETSI Global Security Conference in late November, - 2003, which could lead to a standard. + The CC is the driving force for the widest available mutual + recognition of secure IT products. 
This web portal is available to + support the information on the status of the CCRA, the CC and the + certification schemes, licensed laboratories, certified products and + related information, news and events. - Groups related to security located from the ETSI Groups Portal: +5.6. ETSI - OCG Security - 3GPP SA3 + TC SEC - TISPAN WG7 + http://portal.etsi.org/portal/server.pt/gateway/ + PTARGS_0_13938_491_312_425_43/tb/closed_tb/sec.asp -5.10. GGF Security Area (SEC) + Board#38 confirmed the closure of TC SEC. - https://forge.gridforum.org/projects/sec/ + At the same time it approved the creation of an OCG Ad Hoc group OCG + Security - The Security Area (SEC) is concerned with various issues relating to - authentication and authorization in Grid environments. + TC SEC documents can be found in the SEC archive (members login + required) - Working groups: + The SEC Working groups (ESI and LI) were closed and TC ESI and a TC + LI were created to continue the work. - Authorization Frameworks and Mechanisms WG (AuthZ-WG) - - https://forge.gridforum.org/projects/authz-wg + All documents and information relevant to ESI and LI are available + from the TC ESI and TC LI sites - Certificate Authority Operations Working Group (CAOPS-WG) - - https://forge.gridforum.org/projects/caops-wg + TC ESI: http://portal.etsi.org/portal/server.pt/community/ESI/307 - OGSA Authorization Working Group (OGSA-AUTHZ) - - https://forge.gridforum.org/projects/ogsa-authz + TC LI: http://portal.etsi.org/portal/server.pt/community/LI/318 - Grid Security Infrastructure (GSI-WG) - - https://forge.gridforum.org/projects/gsi-wg + OCG SEC -5.11. 
Information System Security Assurance Architecture + http://portal.etsi.org/ocgsecurity/OCG_security_ToR.asp - IEEE Working Group - http://issaa.org/ + The group's primary role is to provide a light-weight horizontal co- + ordination structure for security issues that will ensure this work + is seriously considered in each ETSI TB and that any duplicate or + conflicting work is detected. To achieve this aim the group should + mainly conduct its work via email and, where appropriate, co-sited + "joint security" technical working meetings. - Formerly the Security Certification and Accreditation of Information - Systems (SCAISWG), IEEE Project 1700's purpose is to develop a draft - Standard for Information System Security Assurance Architecture for - ballot and during the process begin development of a suite of - associated standards for components of that architecture. + OCG documents may be found here: - Documents: http://issaa.org/documents/index.html + http://portal.etsi.org/ocg/Summary.asp (members login required) -5.12. Operational Security Requirements for IP Network Infrastructure : +5.7. Operational Security Requirements for IP Network Infrastructure : Advanced Requirements IETF RFC 3871 Abstract: This document defines a list of operational security requirements for the infrastructure of large ISP IP networks (routers and switches). A framework is defined for specifying "profiles", which are collections of requirements applicable to certain network topology contexts (all, core-only, edge-only...). The goal is to provide network operators a clear, concise way of communicating their security requirements to vendors. Documents: - ftp://ftp.rfc-editor.org/in-notes/rfc3871.txt - -5.13. 
ISO Guidelines for the Management of IT Security - GMITS - - Guidelines for the Management of IT Security -- Part 1: Concepts and - models for IT Security - - http://www.iso.ch/iso/en/ - CatalogueDetailPage.CatalogueDetail?CSNUMBER=21733&ICS1=35 - - Guidelines for the Management of IT Security -- Part 2: Managing and - planning IT Security - - http://www.iso.org/iso/en/ - CatalogueDetailPage.CatalogueDetail?CSNUMBER=21755&ICS1=35&ICS2=40& - ICS3= - - Guidelines for the Management of IT Security -- Part 3: Techniques - for the management of IT Security - - http://www.iso.org/iso/en/ - CatalogueDetailPage.CatalogueDetail?CSNUMBER=21756&ICS1=35&ICS2=40& - ICS3= - - Guidelines for the Management of IT Security -- Part 4: Selection of - safeguards - - http://www.iso.org/iso/en/ - CatalogueDetailPage.CatalogueDetail?CSNUMBER=29240&ICS1=35&ICS2=40& - ICS3= - - Guidelines for the Management of IT Security - Part 5: Management - guidance on network security - - http://www.iso.org/iso/en/ - CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40& - ICS3= - - Open Systems Interconnection -- Network layer security protocol - - http://www.iso.org/iso/en/ - CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100& - ICS3=30 + http://www.rfc-editor.org/rfc/rfc3871.txt -5.14. ISO JTC 1/SC 27 +5.8. 
ISO JTC 1/SC 27 - Information security Technology techniques - http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/ - TechnicalProgrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143 + http://www.iso.org/iso/iso_catalogue/catalogue_tc/ + catalogue_tc_browse.htm?commid=45306 Several security related ISO projects under JTC 1/SC 27 are listed here such as: - IT security techniques -- Entity authentication - - Security techniques -- Key management - - Security techniques -- Evaluation criteria for IT security + IT security techniques -- Message Authentication Codes (MACs) - Security techniques -- A framework for IT security assurance + IT Security techniques -- Key management - IT Security techniques -- Code of practice for information - security management + IT Security techniques -- Entity authentication - Security techniques -- IT network security + IT Security techniques -- Hash-functions - Guidelines for the implementation, operation and management of - Intrusion Detection Systems (IDS) + IT Security techniques -- Non-repudiation - International Security, Trust, and Privacy Alliance -- Privacy - Framework + IT Security techniques -- IT network security -5.15. ITU-T Study Group 2 +5.9. ITU-T Study Group 2 http://www.itu.int/ITU-T/studygroups/com02/index.asp Security related recommendations currently under study: + http://www.itu.int/ITU-T/recommendations/index_sg.aspx?sg=2 - E.408 Telecommunication networks security requirements Q.5/2 (was - E.sec1) - - E.409 Incident Organisation and Security Incident Handling Q.5/2 - (was E.sec2) - - Note: Access requires TIES account. - -5.16. ITU-T Recommendation M.3016 - - http://www.itu.int/itudoc/itu-t/com4/contr/068.html - - This recommendation provides an overview and framework that - identifies the security requirements of a TMN and outlines how - available security services and mechanisms can be applied within the - context of the TMN functional architecture. 
- - Question 18 of Study Group 3 is revising Recommendation M.3016. They - have taken the original document and are incorporating thoughts from - ITU-T Recommendation X.805 and from ANSI T1.276-2003. The group has - produced a new series of documents. - - M.3016.0 - Overview - - M.3016.1 - Requirements - - M.3016.2 - Services - - M.3016.3 - Mechanisms - - M.3016.4 - Profiles - -5.17. ITU-T Recommendation X.805 - - http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html - - This Recommendation defines the general security-related - architectural elements that, when appropriately applied, can provide - end-to-end network security. - -5.18. ITU-T Study Group 16 - - http://www.itu.int/ITU-T/studygroups/com16/index.asp - - Multimedia Security in Next-Generation Networks (NGN-MM-SEC) - - http://www.itu.int/ITU-T/studygroups/com16/sg16-q25.html - -5.19. ITU-T Study Group 17 +5.10. ITU-T Study Group 17 http://www.itu.int/ITU-T/studygroups/com17/index.asp + Security related recommendations currently under study: + http://www.itu.int/ITU-T/recommendations/index_sg.aspx?sg=17 - ITU-T Study Group 17 is the Lead Study Group on Communication System - Security - - http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html - - Study Group 17 Security Project: + The ICT Security Standards Roadmap + http://www.itu.int/ITU-T/studygroups/com17/ict/index.html - http://www.itu.int/ITU-T/studygroups/com17/security/index.html + This ICT Security Standards Roadmap has been developed to assist in + the development of security standards by bringing together + information about existing standards and current standards work in + key standards development organizations. - During its November 2002 meeting, Study Group 17 agreed to establish - a new project entitled "Security Project" under the leadership of - Q.10/17 to coordinate the ITU-T standardization effort on security. 
- An analysis of the status on ITU-T Study Group action on information - and communication network security may be found in TSB Circular 147 - of 14 February 2003. + In addition to aiding the process of standards development, the + Roadmap will provide information that will help potential users of + security standards, and other standards stakeholders, gain an + understanding of what standards are available or under development as + well as the key organizations that are working on these standards. -5.20. Catalogue of ITU-T Recommendations related to Communications - System Security + The Roadmap was initiated by ITU-T Study Group 17. In January 2007 + the initiative became a collaborative effort when the European + Network and Information Security Agency (ENISA) and the Network and + Information Security Steering Group (NISSG) joined Study Group 17 in + the project. - http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html + The Roadmap is in five parts: - The Catalogue of the approved security Recommendations include those, - designed for security purposes and those, which describe or use of - functions of security interest and need. Although some of the - security related Recommendations includes the phrase "Open Systems - Interconnection", much of the information contained in them is - pertinent to the establishment of security functionality in any - communicating system. + Part 1: ICT Standards Development Organizations and Their Work + http://www.itu.int/ITU-T/studygroups/com17/ict/part01.html -5.21. ITU-T Security Manual + Part 1 contains information about the Roadmap structure and about + each of the listed standards organizations, their structure and the + security standards work being undertaken. In addition it contains + information on terminology by providing links to existing security + glossaries and vocabularies. 
- http://www.itu.int/ITU-T/edh/files/security-manual.pdf + Part 2: Approved ICT Security Standards + http://www.itu.int/ITU-T/studygroups/com17/ict/part02.html - TSB is preparing an "ITU-T Security Manual" to provide an overview on - security in telecommunications and information technologies, describe - practical issues, and indicate how the different aspects of security - in today's applications are addressed by ITU-T Recommendations. This - manual has a tutorial character: it collects security related - material from ITU-T Recommendations into one place and explains the - respective relationships. The intended audience for this manual are - engineers and product managers, students and academia, as well as - regulators who want to better understand security aspects in - practical applications. + Part 2 contains a summary catalogue of approved standards. -5.22. ITU-T NGN Effort + Part 3: Security standards under development + http://www.itu.int/ITU-T/studygroups/com17/ict/part03.html - http://www.itu.int/ITU-T/2001-2004/com13/ngn2004/index.html + Part 3 is structured with the same taxonomy as Part 2 but contains + work in progress, rather than standards that have already been + approved and published. Part 3 will also contain information on + inter-relationships between groups undertaking the work and on + potential overlaps between existing projects. - During its January 2002 meeting, SG13 decided to undertake the - preparation of a new ITU-T Project entitled "NGN 2004 Project". At - the November 2002 SG13 meeting, a preliminary description of the - Project was achieved and endorsed by SG13 with the goal to launch the - Project. It is regularly updated since then. + Part 4: Future needs and proposed new security standards + http://www.itu.int/ITU-T/studygroups/com17/ict/part04.html - The role of the NGN 2004 Project is to organize and to coordinate - ITU-T activities on Next Generation Networks. 
Its target is to - produce a first set of Recommendations on NGN by the end of this - study period, i.e. mid-2004. + Part 4 is intended to capture possible future areas of security + standards work where gaps or needs have been identified as well as + areas where proposals have been made for specific new standards work. -5.23. NRIC VI Focus Groups + Part 4 includes provision for direct feedback, comments and + suggestions. - http://www.nric.org/fg/index.html + Part 5: Best practices + http://www.itu.int/ITU-T/studygroups/com17/ict/part05.html - The Network Reliability and Interoperability Council (NRIC) was - formed with the purpose to provide recommendations to the FCC and to - the industry to assure the reliability and interoperability of - wireless, wireline, satellite, and cable public telecommunications - networks. These documents provide general information and guidance - on NRIC Focus Group 1B (Cybersecurity) Best Practices for the - prevention of cyberattack and for restoration following a - cyberattack. + Part 5 is a recent addition to the Roadmap (May 2007). It is + intended to be a repository of security-related best practices + contributed by our community of members. - Documents: + This section will be based on contributions from the security + community. - Homeland Defense - Recommendations Published 14-Mar-03 + Where possible contributions should refer to best practices relating + to standards-based security but other best practices will be + considered for inclusion. - Preventative Best Practices - Recommendations Published 14-Mar-03 + It is important to note that the Roadmap is a work-in-progress. It + is intended that it be developed and enhanced to include other + standards organizations as well as a broader representation of the + work from organizations already included. 
It is hoped that standards + organizations whose work is not represented in this version of the + Roadmap will provide information to ITU-T about their work so that it + may be included in future editions. - Recovery Best Practices - Recommendations Published 14-Mar-03 + In May 2007, Part 2 of the Roadmap was converted to a searchable + database format that allows direct links to the information of + participating standards organizations. The database format will + allow each participating organization to manage its own data within + the Roadmap. This will enable more timely updating of the + information and will also reduce the overhead in maintaining the + information. - Best Practice Appendices - Recommendations Published 14-Mar-03 + http://www.itu.int/ITU-T/security/main_table.aspx -5.24. OASIS Security Joint Committee +5.11. NRIC VII Focus Groups - http://www.oasis-open.org/committees/ - tc_home.php?wg_abbrev=security-jc + http://www.nric.org/fg/index.html - The purpose of the Security JC is to coordinate the technical - activities of multiple security related TCs. The SJC is advisory - only, and has no deliverables. The Security JC will promote the use - of consistent terms, promote re-use, champion an OASIS security - standards model, provide consistent PR, and promote mutuality, - operational independence and ethics. + By December 16, 2005, the Council shall present a final report that + describes, in detail, any additions, deletions, or modifications that + should be made to the Homeland Security Best Practices that were + adopted by the preceding Council. -5.25. 
OASIS Security Services (SAML) TC + Documents in Focus Group 2: Homeland Security, Subcommittee 2.B: + Cyber Security: - http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security + Focus Group 2B Report - Homeland Security Cyber Security Best + Practices Published 06-Dec-2004 - The Security Services TC is working to advance the Security Assertion - Markup Language (SAML) as an OASIS standard. SAML is an XML - framework for exchanging authentication and authorization - information. + Focus Group 2B Report Appendices Published 06-Dec-2004 -5.26. OIF Implementation Agreements + Focus Group 2B Final Report - Summary of Activities, Guidance and + Cybersecurity Issues Published 16-Dec-2005 - The OIF has 2 approved Implementation Agreements (IAs) relating to - security. They are: + Focus Group 2B Final Best Practices Published 16-Dec-2005 - OIF-SMI-01.0 - Security Management Interfaces to Network Elements +5.12. OASIS Security Technical Committees - This Implementation Agreement lists objectives for securing OAM&P - interfaces to a Network Element and then specifies ways of using - security systems (e.g., IPsec or TLS) for securing these interfaces. - It summarizes how well each of the systems, used as specified, - satisfies the objectives. + Many Technical Committees have produced standards. - OIF - SEP - 01.1 - Security Extension for UNI and NNI + http://www.oasis-open.org/committees/tc_cat.php?cat=security - This Implementation Agreement defines a common Security Extension for - securing the protocols used in UNI 1.0, UNI 2.0, and NNI. +5.13. OIF Implementation Agreements - Documents: http://www.oiforum.com/public/documents/Security-IA.pdf + The OIF has 3 approved, and in-force Implementation Agreements (IAs) + relating to security. They are: -5.27. 
TIA + OIF-SEP-03.0 - Security Extension for UNI and E-NNI 2.0 (Nov 2010) + http://www.oiforum.com/public/documents/OIF-SEP-03.0.pdf - The TIA has produced the "Compendium of Emergency Communications and - Communications Network Security-related Work Activities". This - document identifies standards, or other technical documents and - ongoing Emergency/Public Safety Communications and Communications - Network Security-related work activities within TIA and it's - Engineering Committees. Many P25 documents are specifically - detailed. This "living document" is presented for information, - coordination and reference. + OIF-SMI-01.0 - Security for Management Interfaces to Network Elements + (September 2003) + http://www.oiforum.com/public/documents/SecurityMgmt-IA.pdf - Documents: http://www.tiaonline.org/standards/technology/ciphs/ - documents/EMTEL_sec.pdf + OIF-SMI-02.1 - Addendum to the Security for Management Interfaces to + Network Elements (March 2006) + http://www.oiforum.com/public/documents/OIF-SMI-02_1.pdf -5.28. WS-I Basic Security Profile +5.14. TIA - Critical Infrastructure Protection (CIP) and Homeland + Security (HS) - http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html + This TIA webpage identifies and links to many standards, other + technical documents and ongoing activity involving or supporting + TIA's role in Public Safety and Homeland Security, Network Security, + Critical Infrastructure Protection and Assurance, National Security/ + Emergency Preparedness, Emergency Communications Services, Emergency + Calling and Location Identification Services, and the Needs of First + Responders. - The WS-I Basic Security Profile 1.0 consists of a set of non- - proprietary Web services specifications, along with clarifications - and amendments to those specifications which promote - interoperability. + http://www.tiaonline.org/standards/technology/ciphs/ -5.29. NIST Special Publications (800 Series) +5.15. 
NIST Special Publications (800 Series) http://csrc.nist.gov/publications/PubsSPs.html Special Publications in the 800 series present documents of general interest to the computer security community. The Special Publication 800 series was established in 1990 to provide a separate identity for information technology security publications. This Special Publication 800 series reports on ITL's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations. -5.30. NIST Interagency or Internal Reports (NISTIRs) +5.16. NIST Interagency or Internal Reports (NISTIRs) http://csrc.nist.gov/publications/PubsNISTIRs.html NIST Interagency or Internal Reports (NISTIRs) describe research of a technical nature of interest to a specialized audience. The series includes interim or final reports on work performed by NIST for outside sponsors (both government and nongovernment). NISTIRs may also report results of NIST projects of transitory or limited interest, including those that will be published subsequently in more comprehensive form. -5.31. NIST ITL Security Bulletins +5.17. NIST ITL Security Bulletins http://csrc.nist.gov/publications/PubsITLSB.html ITL Bulletins are published by NIST's Information Technology Laboratory, with most bulletins written by the Computer Security Division. These bulletins are published on the average of six times a year. Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community. Not all of ITL Bulletins that are published relate to computer / network security. Only the computer security ITL Bulletins are found here. -5.32. SANS Information Security Reading Room +5.18. SANS Information Security Reading Room http://www.sans.org/reading_room/ Featuring over 1,885 original computer security white papers in 75 different categories. 
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts @@ -1744,20 +1597,25 @@ -15 : Fifteenth revision of the WG ID. Updated the date and reviewed the accuracy of Section 4. Several changes made. Removed WS-I as they have merged with OASIS. Added TM Forum. + -16 : Sixteenth revision of the WG ID. + + Updated the date and reviewed the accuracy of Section 5. Several + changes made. + Note: This section will be removed before publication as an RFC. Authors' Addresses Chris Lonvick Cisco Systems 12515 Research Blvd. Austin, Texas 78759 US
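Review bot: Several of the newly added descriptions in Sections 5.10 and 5.11 are written in the source organization's own voice rather than this document's, which reads oddly in an IETF draft. "It is intended to be a repository of security-related best practices contributed by our community of members." makes the "our" refer to the ITU-T, and "By December 16, 2005, the Council shall present a final report" describes a 2005 deliverable as a future obligation; both should be rephrased in third person and past tense, or set off and attributed as quotations from the ITU-T and NRIC pages. In the same vein, "Part 5 is a recent addition to the Roadmap (May 2007)" is no longer recent in a 2011 draft and should simply state the date. Smaller points in this hunk: the comma in "The OIF has 3 approved, and in-force Implementation Agreements (IAs)" is misplaced (drop it), and the new JTC 1/SC 27 project list mixes "IT security techniques" with "IT Security techniques", so the capitalization should be made consistent across the list.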
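Review bot: The new "-16" change-log entry, "Updated the date and reviewed the accuracy of Section 5. Several changes made.", understates what the earlier part of this diff actually does to Section 5: the GMITS entries, ITU-T Recommendation M.3016, X.805, Study Group 16, the Catalogue of ITU-T Recommendations, the ITU-T Security Manual, the ITU-T NGN Effort, the OASIS SAML TC and the WS-I Basic Security Profile sections are all deleted and the remaining sections are renumbered from 5.14-5.32 to 5.8-5.18. The "-15" entry sets the precedent by naming what was removed ("Removed WS-I as they have merged with OASIS"), so the "-16" entry should likewise list the removed Section 5 items and note the renumbering, so that readers of the next revision can see why cross-references to the old section numbers no longer resolve.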