TMN Workshop Antwerp, 27 May 1998
EURESCOM Project P710 “Security for the TMN X-interface”
by Pål Kristiansen, Telenor R&D


Presentation Contents
- The need for TMN security & the P710 effort
- Description of the P710 Security Solution
- Possible future security capabilities (STASE-ROSE)
- Summary and Conclusions

Why is security important?
- TMN X-interfaces may be carried over networks operated by different providers, offering potential intruders a broad selection of points of attack.
- TMN interfaces are based on publicly known and available standards. The information carried by CMIP can easily be interpreted, and thereby also easily manipulated and misused by an intruder.
- Protocol analysers and protocol stacks are commercially available to any intruder who wants to make use of them.
- The power of CMIP allows a single message to affect a very large number of entities, so the potential consequences of an attack could be considerable.
Conclusion:
- Open interfaces are by nature vulnerable to various threats of attack. Security measures are therefore an absolute requirement for any operator that wants to protect its business interests related to the use and provision of management services.
- The availability of an appropriate set of inter-domain security services is a prerequisite for the provision of automated X-interfaces in Europe.

P710 Rationale
- Commercial automated X-interfaces in Europe may become a reality in the very near future. A commercial driver for P710 is the planned ATM MoU.
- Today there exists no commonly accepted (i.e. standardised) off-the-shelf security solution for the protection of CMIP communications.
- Any proposed security solution should be validated through practical implementation and experimentation before it is accepted and applied in a real environment. Theoretical studies are not sufficient.
- EURESCOM is currently in a good position to provide important practical results in the area of X-interface security.

Some Important Considerations
- P710 needed to select a solution that can operate in a multi-operator and multi-vendor environment.
- P710 wanted to select a security solution that conforms to existing security standards, to ensure a certain level of market acceptance.
- The main security problem for CMIP environments is the lack of support for integrating security services within the OSI stack.
- P710 wanted to design a security solution that is flexible enough to utilise existing management platform security capabilities as much as possible.
- P710 has to select commercial products for the purpose of implementation and validation, but has no intention of mandating one particular product for an operational phase.

Overall P710 Security Solution (diagram slide; no text in transcript)

Secure VPN based on IPsec (diagram slide; no text in transcript)

Application Level Security Architecture (diagram slide; no text in transcript)

Possible Add-On Extensions
- Local Security Alarm Reporting
- “Data Origin Authentication” as in U.S. Electronic Bonding
- X.741 conformant SMIB (M.O. based) for access control
- Integrity protection of CMIS parameters at application level?
- STASE-ROSE for integrity and confidentiality protection

The use of STASE-ROSE (Q.813) with GSS-API (diagram slide; no text in transcript)

Considerations regarding STASE-ROSE
- STASE-ROSE, if implemented, would become an alternative to the P710 IPsec solution.
- In addition to integrity/confidentiality protection, STASE-ROSE would be able to provide a basis for non-repudiation.
- STASE-ROSE with GSS-API support could be an add-on capability to the P710 application level architecture. In this case the same cryptographic module (GSS-API module) could be used to provide the entire range of cryptographic services.
- Commercial implementation may look promising, but is still very unclear (whether, by whom and when?).
- X-interface solutions may require multi-vendor support for STASE-ROSE.
- Since P710 needs to implement and validate solutions that are available today, STASE-ROSE is not an option for the project.
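The slide's point that one GSS-API module can supply the whole range of per-message services (data origin authentication, integrity, confidentiality, replay detection) is easiest to see in code. The following is an added illustration written for this page, not P710 code and not a real GSS-API mechanism: it mirrors the shape of the GSS-API per-message calls (get_mic / verify_mic / wrap / unwrap) over an opaque PDU. Assumptions not taken from the presentation: the two peers share a secret established out of band (a stand-in for the key material a GSS-API mechanism derives during context establishment; the public-key based peer authentication of the P710 architecture is not modelled), the PDU is a constructed byte string rather than a BER-encoded CMIP message, integrity is HMAC-SHA256, and confidentiality uses an HMAC-derived keystream chosen only to stay within the Python standard library, not a production cipher.

```python
"""GSS-API-shaped per-message protection for management PDUs.
Added example, not P710 code. Pre-shared secret and the HMAC-based
keystream are illustration-only assumptions (see lead-in)."""
import hashlib
import hmac
import secrets
import struct

MIC_LEN = 4 + 8 + 32      # direction tag + 64-bit sequence number + HMAC-SHA256
NONCE_LEN = 16


class SecurityContext:
    """One peer's view of an established association. Keys are derived per
    association; sequence numbers run separately in each direction."""

    def __init__(self, shared_secret: bytes, assoc_id: bytes, initiator: bool):
        self.k_mic = hmac.new(shared_secret, b"mic|" + assoc_id, hashlib.sha256).digest()
        self.k_enc = hmac.new(shared_secret, b"enc|" + assoc_id, hashlib.sha256).digest()
        self.send_dir = b"I->R" if initiator else b"R->I"
        self.recv_dir = b"R->I" if initiator else b"I->R"
        self.send_seq = 0
        self.recv_seq = 0      # next sequence number expected from the peer

    def get_mic(self, pdu: bytes) -> bytes:
        """Token = direction || seq || HMAC(k_mic, direction || seq || pdu)."""
        header = self.send_dir + struct.pack(">Q", self.send_seq)
        self.send_seq += 1
        return header + hmac.new(self.k_mic, header + pdu, hashlib.sha256).digest()

    def verify_mic(self, pdu: bytes, token: bytes) -> bool:
        """Data origin authentication: rejects a modified PDU, a token moved to
        another PDU, a reflected token (wrong direction) and replays."""
        if len(token) != MIC_LEN:
            return False
        header, tag = token[:12], token[12:]
        direction, seq = header[:4], struct.unpack(">Q", header[4:])[0]
        if direction != self.recv_dir or seq != self.recv_seq:
            return False
        expected = hmac.new(self.k_mic, header + pdu, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        self.recv_seq += 1     # consume the sequence number only after success
        return True

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        # Toy HMAC counter-mode keystream (illustration only, not a real cipher).
        blocks = (hmac.new(self.k_enc, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                  for i in range((n + 31) // 32))
        return b"".join(blocks)[:n]

    def wrap(self, pdu: bytes) -> bytes:
        """Confidentiality plus integrity: encrypt, then MIC the ciphertext."""
        nonce = secrets.token_bytes(NONCE_LEN)
        ct = bytes(a ^ b for a, b in zip(pdu, self._keystream(nonce, len(pdu))))
        body = nonce + ct
        return body + self.get_mic(body)

    def unwrap(self, token: bytes):
        """Plaintext PDU, or None if the token fails verification."""
        if len(token) < NONCE_LEN + MIC_LEN:
            return None
        body, mic = token[:-MIC_LEN], token[-MIC_LEN:]
        if not self.verify_mic(body, mic):
            return None
        nonce, ct = body[:NONCE_LEN], body[NONCE_LEN:]
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))


def demo() -> dict:
    """Manager (initiator) and agent (responder) on one association.
    The PDU strings are constructed stand-ins for CMIP requests."""
    secret = secrets.token_bytes(32)          # distributed out of band (assumption)
    manager = SecurityContext(secret, b"assoc-0001", initiator=True)
    agent = SecurityContext(secret, b"assoc-0001", initiator=False)
    r = {}
    pdu = b"M-SET connectionId=VC4-17 administrativeState=locked"
    tok = manager.get_mic(pdu)
    r["tampered_rejected"] = not agent.verify_mic(pdu.replace(b"VC4-17", b"VC4-18"), tok)
    r["genuine_accepted"] = agent.verify_mic(pdu, tok)
    r["replay_rejected"] = not agent.verify_mic(pdu, tok)
    r["reflection_rejected"] = not manager.verify_mic(pdu, tok)    # own token sent back
    report = b"M-EVENT-REPORT communicationsAlarm perceivedSeverity=major"
    wrapped = agent.wrap(report)
    corrupted = wrapped[:20] + bytes([wrapped[20] ^ 0x01]) + wrapped[21:]  # flip one ciphertext bit
    r["corrupt_wrap_rejected"] = manager.unwrap(corrupted) is None
    r["unwrap_ok"] = manager.unwrap(wrapped) == report
    return r


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:24s} {'ok' if outcome else 'FAIL'}")
```

The design point carried over from the slide is that the application never touches key material or algorithms directly: it only calls the four per-message operations, so swapping the module (or the mechanism behind it) leaves the CMIP application unchanged. The tamper, replay and reflection checks are what an IPsec tunnel alone does not give the application, since IPsec authenticates the gateway or host, not the management association.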

Summary and Conclusions (1)
- Today there is no complete standardised off-the-shelf security solution available for CMIP.
- Existing management platforms have either very little or no support at all for security. It is a goal for P710 to enable the use of platform-supported capabilities (particularly access control) whenever available.
- It should be possible to provide a secure CMIP solution today (apart from perhaps non-repudiation) using existing “standard” security technology. Dividing security functionality between application level and network level is, however, recommended in order to provide all the main security services.
- The use of GSS-API provides an easy and standard way of integrating (and easily replacing) cryptographic services at application level.

Summary and Conclusions (2)
- IP security (IPsec) should provide an investment-safe solution for creating a secure VPN (requires the use of CMIP over IP).
- Host integration of IPsec may be considered as a future option.
- STASE-ROSE, if implemented with GSS-API support, would become an add-on capability to the P710 solution. It may, however, take a while before this solution is applicable in multi-vendor environments.
- An “easy to use” manual public key management solution, appropriate for smaller user groups, should be sufficient in a first phase. Full PKI functionality may be considered as a future option.
- The P710 security solution is designed to be flexible and is not tailored to one specific X-interface environment.

Questions?

Key Management Solution (diagram slide; no text in transcript)

Host Integration of IPsec (diagram slide; no text in transcript)

Security Services and Priorities
1st Priority Services (focus of implementation/testing)
- Application level (P708 testing): Peer-to-peer Authentication; Association Access Control; Local Security Audit Logging
- IP level (P707 testing): IP level Authentication; Integrity; Confidentiality
2nd Priority Services (possibly addressed theoretically)
- Public Key Management
- Data Origin Authentication
- Local Security Alarm Reporting
Lower Priority Services (for further study)
- Access Control for Management Operations & Notifications
- Non-repudiation
- Inter-domain Security Audit Trail / Security Alarm Reporting
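The first-priority application level services (peer authentication, association access control, local audit logging) and the lower-priority access control for individual management operations fit together as one decision pipeline: the authenticated peer identity is the input, the access control rules decide, and every decision is logged locally. The following is an added example written for this page; it is a deliberately simplified model, not the X.741 SMIB and not P710 code. Assumptions not taken from the presentation: the initiator is the distinguished name established by peer authentication, a target is a managed object class plus an instance DN matched by a glob pattern, an explicit deny rule overrides allow rules, anything unmatched is denied, and a scoped CMIP operation is executed partially on the permitted instances rather than refused as a whole. Identities, classes and DNs in the demo are constructed.

```python
"""X.741-style access control for CMIP operations over an X-interface.
Added example with a simplified rule model (see lead-in), not P710 code."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

CMIS_OPERATIONS = frozenset({"GET", "SET", "ACTION", "CREATE", "DELETE", "EVENT-REPORT"})


@dataclass(frozen=True)
class Rule:
    initiators: frozenset        # authenticated peer identities
    target_classes: frozenset    # managed object classes
    instance_pattern: str        # glob over the instance distinguished name
    operations: frozenset        # subset of CMIS_OPERATIONS
    effect: str                  # "allow" or "deny"


class AccessControl:
    def __init__(self, rules, authorised_peers):
        for rule in rules:
            if rule.effect not in ("allow", "deny") or not rule.operations <= CMIS_OPERATIONS:
                raise ValueError(f"malformed rule: {rule}")
        self.rules = list(rules)
        self.authorised_peers = frozenset(authorised_peers)
        self.audit = []          # local security audit log, one record per decision

    def _record(self, event, initiator, detail, permitted):
        self.audit.append({"event": event, "initiator": initiator,
                           "detail": detail, "permitted": permitted})
        return permitted

    def association_permitted(self, initiator):
        """Association access control: only authenticated, authorised peers
        may open an association at all."""
        return self._record("association", initiator, "", initiator in self.authorised_peers)

    def operation_permitted(self, initiator, obj_class, instance_dn, operation):
        """Per-operation decision: deny overrides allow, default deny."""
        matches = [r for r in self.rules
                   if initiator in r.initiators
                   and obj_class in r.target_classes
                   and operation in r.operations
                   and fnmatchcase(instance_dn, r.instance_pattern)]
        permitted = (not any(r.effect == "deny" for r in matches)
                     and any(r.effect == "allow" for r in matches))
        return self._record("operation", initiator,
                            f"{operation} {obj_class} {instance_dn}", permitted)

    def filter_scope(self, initiator, obj_class, operation, instance_dns):
        """A scoped CMIP request names many instances in one message; decide
        per instance and return only the permitted targets."""
        return [dn for dn in instance_dns
                if self.operation_permitted(initiator, obj_class, dn, operation)]


def demo() -> dict:
    """Operator A's agent serving Operator B's OS. B may read everything in A's
    domain but may only modify the connections provisioned for B."""
    peer_b = "CN=OS,O=OperatorB"
    rules = [
        Rule(frozenset({peer_b}), frozenset({"connection", "trail"}),
             "*,O=OperatorA", frozenset({"GET", "EVENT-REPORT"}), "allow"),
        Rule(frozenset({peer_b}), frozenset({"connection"}),
             "connectionId=B-*,O=OperatorA", frozenset({"SET", "ACTION"}), "allow"),
        Rule(frozenset({peer_b}), frozenset({"connection", "trail"}),
             "*", frozenset({"CREATE", "DELETE"}), "deny"),
    ]
    ac = AccessControl(rules, authorised_peers={peer_b})
    own, foreign = "connectionId=B-07,O=OperatorA", "connectionId=A-01,O=OperatorA"
    r = {}
    r["stranger_refused"] = not ac.association_permitted("CN=OS,O=Unknown")
    r["peer_admitted"] = ac.association_permitted(peer_b)
    r["get_foreign_allowed"] = ac.operation_permitted(peer_b, "connection", foreign, "GET")
    r["set_foreign_denied"] = not ac.operation_permitted(peer_b, "connection", foreign, "SET")
    r["set_own_allowed"] = ac.operation_permitted(peer_b, "connection", own, "SET")
    r["delete_own_denied"] = not ac.operation_permitted(peer_b, "connection", own, "DELETE")
    scope = [foreign, own, "connectionId=B-08,O=OperatorA"]
    r["scoped_set"] = ac.filter_scope(peer_b, "connection", "SET", scope)
    r["audit_records"] = len(ac.audit)
    return r


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:20s} {outcome}")
```

The scoped case is the one the “a single CMIP message can affect a very large number of entities” slide warns about: the decision has to be taken per managed object inside the scope, not once per message, or a broad scope lets a peer reach instances it was never granted.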
