Presentation is loading. Please wait.

Presentation is loading. Please wait.

TMN Workshop Antwerp, 27 May1998 EURESCOM Project P710 “Security for the TMN X-interface” by Pål Kristiansen, Telenor R&D  The need for TMN security &

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "TMN Workshop Antwerp, 27 May1998 EURESCOM Project P710 “Security for the TMN X-interface” by Pål Kristiansen, Telenor R&D  The need for TMN security &"— Presentation transcript:

1 TMN Workshop Antwerp, 27 May1998 EURESCOM Project P710 “Security for the TMN X-interface” by Pål Kristiansen, Telenor R&D  The need for TMN security & the P710 effort  Description of the P710 Security Solution  Possible future security capabilities (STASE-ROSE)  Summary and Conclusions Presentation Contents

2 TMN Workshop Antwerp, 27 May1998 Why is security important ?  TMN X-interfaces may be carried over networks operated by different providers thereby offering potential intruders a broad selection of points of attack.  TMN interfaces are based on publicly known and available standards. The information carried by CMIP can easily be interpreted and thereby also easily manipulated and misused by an intruder.  Protocol analysers and protocol stacks are commercially available for any intruder that wants to make use of it.  The power of CMIP allows a single message to affect a very large number of entities. Therefore, the potential consequences of an attack could be considerable. Conclusion:  Open interfaces are by nature vulnerable to various threats of attack. Security measures are therefore an absolute requirement for any operator that wants to protect its business interests related to the use and provision of management services.  The availability of an appropriate set of inter-domain security services is a prerequisite for the provision of automated X-interfaces in Europe.

3 TMN Workshop Antwerp, 27 May1998 P710 Rationale  Commercial automated X-interfaces in Europe may become a reality in the very near future. A commercial driver for P710 is the planned ATM MoU.  Today there exist no common accepted (i.e. standardised) off-the- shelf security solution available for the protection of CMIP communications.  Any proposed security solution should be validated through practical implementation and experimentation before it is accepted and applied in a real environment. Theoretical studies are not sufficient.  EURESCOM is currently in a good position to provide important practical results in the area of X-interface security.

4 TMN Workshop Antwerp, 27 May1998 Some Important Considerations  P710 needed to select a solution that can operate in a multi-operator and multi-vendor environment.  P710 wanted to select a security solution that conforms to existing security standards to ensure a certain level of market acceptance.  The main security problem for CMIP environments is the lack of support for integrating security services within the OSI-stack.  P710 wanted to design a security solution that is flexible enough to be able to utilise existing management platform security capabilities as much as possible.  P710 has to select commercial products for the purpose of implementation and validation but has no intention to mandate one particular product for an operational phase.

5 TMN Workshop Antwerp, 27 May1998 Overall P710 Security Solution

6 TMN Workshop Antwerp, 27 May1998 Secure VPN based on IPsec

7 TMN Workshop Antwerp, 27 May1998 Application Level Security Architecture

8 TMN Workshop Antwerp, 27 May1998 Possible Add On Extensions  Local Security Alarm Reporting  “Data Origin Authentication” as in US. Electronic Bonding  X.741 conformant SMIB (M.O. based) for access control  Integrity protection of CMIS parameters at application level ?  STASE-ROSE for integrity and confidentiality protection

9 TMN Workshop Antwerp, 27 May1998 The use of STASE-ROSE (Q.813) with GSS-API

10 TMN Workshop Antwerp, 27 May1998 Considerations regarding STASE-ROSE  STASE-ROSE, if implemented, would become an option to the P710 IPsec solution.  In addition to integrity/confidentiality protection, STASE-ROSE will be able to provide a basis for non-repudiation.  STASE-ROSE with GSS-API support could be an add-on capability to the P710 application level architecture. In this case the same cryptographic module (GSS-API module) could be used to provide the entire range of cryptographic services.  The possibility of commercial implementation may seem promising, however yet very unclear (if, who and when?).  X-interface solutions may require multi-vendor support for STASE-ROSE.  Since P710 needs to implement and validate solutions that are available today, STASE-ROSE is not an option.

11 TMN Workshop Antwerp, 27 May1998 Summary and Conclusions (1)  Today there is no complete standardised off-the-shelf security solution available for CMIP.  Existing management platforms have either very little or no support at all for security. It is a goal for P710 to enable the use of platform supported capabilities (particularly access control) whenever available.  It should be possible to provide a secure CMIP solution today (apart from maybe non-repudiation) using existing “standard” security technology. A dividing of security functionality between application level and network level is however recommended to provide all the main security services.  The use of GSS-API provides for easy and standard way of integration (and easy replacement) of cryptographic services at application level.

12 TMN Workshop Antwerp, 27 May1998 Summary and Conclusions (2)  IP security (IPsec) should provide an investment guaranteed solution for creating a secure VPN (requires the use of CMIP over IP).  Host-integration of IPsec may be considered as a future option.  STASE-ROSE, if implemented with GSS-API support, would become an add-on capability to the P710 solution. It may, however, take a while before this solution is applicable for multi-vendor environments.  An “easy to use” manual public key management solution, appropriate for smaller user-groups, should be sufficient in a first phase. Full PKI functionality may be considered as a future option.  The P710 security solution is designed to be flexible and is not tailored to one specific X-interface environment.

13 TMN Workshop Antwerp, 27 May1998 Questions ? e-mail : pal.kristiansen@fou.telenor.no

14 TMN Workshop Antwerp, 27 May1998 Key Management Solution

15 TMN Workshop Antwerp, 27 May1998 Host Integration of IPsec

16 TMN Workshop Antwerp, 27 May1998 Application Level (P708 testing)  Peer-to-peer Authentication  Association Access Control  Local Security Audit Logging IP level (P707 testing)  IP level Authentication  Integrity  Confidentiality 1st. Priority Services (focus of implementation/testing) 2nd. Priority Services (possibly addressed theoretically)  Public Key Management  Data Origin Authentication  Local Security Alarm Reporting Lower Priority Services (for further study)  Access Control for Management Operations & Notifications  Non-repudiation  Inter-domain Security Audit Trail / Security Alarm Reporting

17 TMN Workshop Antwerp, 27 May1998 Why is security important ?  TMN X-interfaces may be carried over networks operated by different providers thereby offering potential intruders a broad selection of points of attack.  TMN interfaces are based on publicly known and available standards. The information carried by CMIP can easily be interpreted and thereby also easily misused by an intruder.  Protocol analysers and protocol stacks are commercially available for any intruder that wants to make use of it.  The power of CMIP allows a single message to affect a very large number of entities. Therefore, the potential consequences of an attack could be considerable. Conclusion:  Open interfaces are very vulnerable to various threats of attack. Security measures are therefore an absolute requirement for any operator that wants to protect its business interests related to the provisioning of management services to other operators/customers.  The availability of an appropriate set of inter-domain security services is a prerequisite for the provision of automated X-interfaces in Europe.

Download ppt "TMN Workshop Antwerp, 27 May1998 EURESCOM Project P710 “Security for the TMN X-interface” by Pål Kristiansen, Telenor R&D  The need for TMN security &"

Similar presentations

Router Identification Problem Statement J.W. Atwood 2008/03/11

Router Identification Problem Statement J.W. Atwood 2008/03/11
Consultancy Infrastructure Requirements for Fast, Reliable and Secure HL7 V3 Messaging Andrew Hinchley CPL Consulting.

Consultancy Infrastructure Requirements for Fast, Reliable and Secure HL7 V3 Messaging Andrew Hinchley CPL Consulting.
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Internet Security CS457 Seminar Zhao Cheng. Security attacks interruption, interception, modification, fabrication passive attack, active attack.

Internet Security CS457 Seminar Zhao Cheng. Security attacks interruption, interception, modification, fabrication passive attack, active attack.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
CHAPTER 8: SECURITY IN COMPUTER NETWORKS Encryption Encryption Authentication Authentication E-Mail Security E-Mail Security Secure Sockets Layer Secure.

CHAPTER 8: SECURITY IN COMPUTER NETWORKS Encryption Encryption Authentication Authentication Security Security Secure Sockets Layer Secure.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Secure Communication Architectures.

Secure Communication Architectures.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
Advanced Metering Infrastructure AMI Security Roadmap April 13, 2007.

Advanced Metering Infrastructure AMI Security Roadmap April 13, 2007.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Unified Logs and Reporting for Hybrid Centralized Management

Unified Logs and Reporting for Hybrid Centralized Management
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.
IACT 901 Module 9 Establishing Technology Strategy - Scope & Purpose.

IACT 901 Module 9 Establishing Technology Strategy - Scope & Purpose.
ISO 9001 Interpretation : Exclusions

ISO 9001 Interpretation : Exclusions
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)

Similar presentations

Ads by Google