ETSI TISPAN NGN security standardization
Paolo De Lutiis, ETSI TISPAN WG7 Chairman
Telecom Italia SpA, Security Innovation
© ETSI 2010. All rights reserved
6th ETSI Security Workshop, 19-20 Jan. 2011
• ETSI TISPAN NGN and its security: background
• Main NGN release 3 security topics
• Main NGN Security deliverables
• Possible hot topics for future work
• Summary
ETSI TISPAN NGN: the architecture
(figure: layered NGN architecture showing the Application layer, the Service layer and the IP Transport layer, with External Networks alongside)
ETSI TISPAN NGN: the security areas
(figure: the NGN with its three security areas: Access Security, Intra-Operator Security and Interconnection Security)
ETSI TISPAN NGN: WG7 and the security standardization
• TISPAN WG7 is responsible for the management and co-ordination of the development of security specifications for the ETSI TISPAN NGN:
  • Defines security requirements,
  • Defines the security architecture.
• The TISPAN WG7 activities are risk based. WG7 conducts threat and risk analyses for specific NGN use cases (e.g. NASS, IPTV, CPN) and uses the results of such analyses to define requirements and security mechanisms.
• Threat Vulnerability Risk Assessment (TVRA) has been defined to assess the security of the NGN. It allows a systematic identification of assets, threats and weaknesses, and computes a weighted risk level.
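As an added illustration of the weighted risk level a TVRA produces (example code written for this page, not ETSI or WG7 tooling): the factor values, likelihood thresholds, impact weights and the three register rows are assumptions constructed for the example. They follow the shape of the TVRA method (attacker-effort factors summed into an attack potential, mapped to a likelihood, multiplied by impact) but none of the numbers come from the slides.

```python
"""TVRA-style weighted risk level: attack potential -> likelihood, likelihood x impact -> risk.

Added illustration for this page, not ETSI or TISPAN WG7 code. The factor values,
the likelihood thresholds and the risk classes below are assumptions for the example
(they follow the shape of the TVRA method but are not taken from the slides).
"""
from dataclasses import dataclass

# Assumed attack-potential factor values: the harder the attack, the higher the sum.
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=3 months": 10,
                "<=6 months": 17, ">6 months": 19}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE = {"public": 0, "restricted": 3, "sensitive": 7, "critical": 11}
OPPORTUNITY = {"unnecessary": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialised": 4, "bespoke": 7, "multiple bespoke": 9}
IMPACT = {"low": 1, "medium": 2, "high": 3}          # assumed impact weights


@dataclass(frozen=True)
class Threat:
    """One row of the asset / threat / weakness register a TVRA builds."""
    asset: str
    threat: str
    weakness: str
    time: str
    expertise: str
    knowledge: str
    opportunity: str
    equipment: str
    impact: str


def attack_potential(t: Threat) -> int:
    """Sum of the five attacker-effort factors."""
    return (ELAPSED_TIME[t.time] + EXPERTISE[t.expertise] + KNOWLEDGE[t.knowledge]
            + OPPORTUNITY[t.opportunity] + EQUIPMENT[t.equipment])


def likelihood(potential: int) -> int:
    """Assumed mapping: low effort -> likely (3), medium -> possible (2), high -> unlikely (1)."""
    if potential <= 9:
        return 3
    if potential <= 13:
        return 2
    return 1


def risk(t: Threat) -> tuple[int, str]:
    """Weighted risk = likelihood x impact, classed minor (1-2), major (3-4), critical (6-9)."""
    score = likelihood(attack_potential(t)) * IMPACT[t.impact]
    cls = "minor" if score <= 2 else "major" if score <= 4 else "critical"
    return score, cls


def rank(threats: list[Threat]) -> list[Threat]:
    """Highest risk first, so countermeasure work starts where it matters."""
    return sorted(threats, key=lambda t: risk(t)[0], reverse=True)


# Constructed, hypothetical register rows for the NGN use cases the slides name.
SAMPLE_REGISTER = [
    Threat("NASS subscriber credentials", "credential guessing from the access network",
           "password-only authentication", "<=1 week", "proficient", "public", "easy",
           "standard", "high"),
    Threat("IPTV content key in CPE", "extraction of the key from the device",
           "key material readable with lab equipment", "<=3 months", "expert",
           "sensitive", "moderate", "specialised", "medium"),
    Threat("CPN gateway configuration", "tampering with remote management",
           "management session not integrity protected", "<=1 month", "proficient",
           "public", "moderate", "standard", "medium"),
]

if __name__ == "__main__":
    for t in rank(SAMPLE_REGISTER):
        score, cls = risk(t)
        print(f"{cls:>8}  risk={score}  potential={attack_potential(t):>2}  {t.asset}")
```

The register is sorted by risk so that, as the slide says, the analysis output drives which requirements and mechanisms get defined first; the same functions rerun after a countermeasure is added (raising the attack potential or lowering the impact of a row) show whether the residual risk is acceptable.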
Main NGN release 3 security topics
During the standardization of NGN release 3, the main topics addressed by WG7 were:
• IPTV Security
• Service Protection & Content Protection
• CPN Security
• NNI Interconnection security
• Prevention of Unsolicited Communications (PUC)
• Application layer security
Main NGN release 3 security topics: IPTV
IPTV Security, two mechanisms:
• OMA BCAST
  • Service protection and content protection are kept as separate issues
  • Two profiles: Smart Card and DRM (UICC-less)
• User Authentication and Service Authorization and any Content Protection
  • "Early deployment scenario" without a clear distinction between service and content protection
  • Based on the authentication and authorization mechanisms defined by TISPAN (e.g. DIGEST authentication), to be used in conjunction with the content protection mechanism defined by the provider (e.g. Conditional Access)
Main NGN release 3 security topics: SP & CP
• Service Protection/Content Protection interoperability of the CPE with IPTV Service Providers' offerings means that an end user can switch to another Service Provider (using a different SPCP system) to obtain service, whilst retaining his CPE equipment
• A mechanism is introduced for a "secure" update of the SP and CP engines implemented within the CPE
(figure: change of IPTV Provider: the customer's WAN Gateway, IPTV STB, Legacy TV, IPTV enabled TV and DLNA devices stay in place while the Access Provider connects them to IPTV Provider 1 or IPTV Provider 2)
Main NGN release 3 security topics: CPN 1/2
Firewalling
• TISPAN "endorsed" the HGI spec by defining:
  • Stateful inspection
  • Two default profiles: High, Low
  • Remote management (TR-069)
  • NAT-T
  • IPv6
  • SIP B2BUA (for IMS support)
Main NGN release 3 security topics: CPN 2/2
Network Access Control:
• NAC gathers all the methods linked to access to the network
• RFC 5209 Network Endpoint Assessment (NEA)
• Posture assessment of the client devices:
  • Patches
  • Anti-Virus
  • Firewall and software configuration
• Centralized security policy compliance
Main NGN release 3 security topics: NNI interconnection
Security Gateway Function (SEGF)
• Firewall + IPsec gateway
• Strong emphasis on the protection of the signalling (e.g. the IPsec tunnels are mandatory only for the signalling)
• Commercially available as a "Session Border Controller" for the interworking of session-based services (e.g. voice).
• The main security mechanisms are:
  • THIG (topology hiding)
  • NAT-T
  • Firewall (and related pinholing)
  • Lawful Interception
  • VPN (IPsec and TLS)
Main NGN release 3 security topics: PUC
• The NGN should manage the UC
• TISPAN defines a network architecture: Identification, Marking, Handling
• The customer is directly involved in the UC management (e.g. «SPIT button»)
• SIP header extension to carry SPIT information directly in band (draft-wing-sipping-spam-score-02):

  Field           Description                                          Presence
  PUC identifier  Indicating the PUC element making the claim          mandatory
  PIF identifier  The name of the agreed PIF                           mandatory
  Strength        An integer indicating the confidence of the score    optional
  Info            A text field containing any arbitrary information    optional
  Param[1..3]     3 general purpose parameters for future proofing     optional
  IsSpam          A boolean for convenience purposes alone             mandatory
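An added example, not code from the presentation or from draft-wing-sipping-spam-score-02, of the Marking and Handling steps using the field list above. The header name X-PUC-Score, the "key=value;key=value" parameter syntax, the 0..100 range for Strength and the sample INVITE are assumptions constructed for this illustration; the draft's actual syntax is not reproduced here. The handling policy only honours marks whose PIF identifier is on the operator's agreed list, which is the point of the mandatory PIF field: an unrecognised marker cannot push a call into rejection.

```python
"""In-band SPIT marking and handling for SIP, using the field list above.

Added example for this page, not code from the presentation or from
draft-wing-sipping-spam-score-02. The header name, the parameter syntax,
the Strength range and the sample INVITE are assumptions for this illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

HEADER = "X-PUC-Score"                    # assumed header name
MANDATORY = ("puc", "pif", "isspam")      # mandatory fields per the table above
PARAM_KEYS = ("param1", "param2", "param3")


@dataclass
class PucMark:
    puc: str                              # PUC element making the claim
    pif: str                              # name of the agreed PIF
    isspam: bool                          # convenience flag
    strength: Optional[int] = None        # confidence of the score, 0..100 (assumed range)
    info: str = ""                        # arbitrary text
    params: dict = field(default_factory=dict)   # param1..param3 for future proofing


def _split_params(value: str) -> list[str]:
    """Split on ';' but not inside double quotes; the quote characters are dropped."""
    parts, cur, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_mark(value: str) -> PucMark:
    """Parse one header value; a malformed or incomplete mark is rejected, not guessed at."""
    kv = {}
    for part in _split_params(value):
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed parameter: {part!r}")
        kv[key.strip().lower()] = val.strip()
    missing = [k for k in MANDATORY if k not in kv]
    if missing:
        raise ValueError(f"missing mandatory fields: {missing}")
    flag = kv["isspam"].lower()
    if flag not in ("true", "false"):
        raise ValueError(f"IsSpam must be a boolean, got {kv['isspam']!r}")
    strength = None
    if "strength" in kv:
        strength = int(kv["strength"])
        if not 0 <= strength <= 100:
            raise ValueError(f"Strength out of range: {strength}")
    return PucMark(puc=kv["puc"], pif=kv["pif"], isspam=(flag == "true"),
                   strength=strength, info=kv.get("info", ""),
                   params={k: v for k, v in kv.items() if k in PARAM_KEYS})


def format_mark(m: PucMark) -> str:
    """Marking step: the header line a PUC element adds to the INVITE."""
    parts = [f"puc={m.puc}", f"pif={m.pif}", f"isspam={'true' if m.isspam else 'false'}"]
    if m.strength is not None:
        parts.append(f"strength={m.strength}")
    if m.info:
        parts.append(f'info="{m.info}"')
    parts += [f"{k}={m.params[k]}" for k in sorted(m.params)]
    return f"{HEADER}: " + ";".join(parts)


def find_marks(sip_message: str) -> list[PucMark]:
    """Collect every mark header from a SIP request (headers end at the first blank line)."""
    head = sip_message.split("\r\n\r\n", 1)[0]
    marks = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == HEADER.lower():
            marks.append(parse_mark(value))
    return marks


def handle(marks: list[PucMark], agreed_pifs: set[str], reject_threshold: int = 80) -> str:
    """Handling step: only marks from an agreed PIF count; anything else is ignored."""
    spam = [m for m in marks if m.pif in agreed_pifs and m.isspam]
    if not spam:
        return "deliver"
    strength = max(m.strength or 0 for m in spam)
    return "reject" if strength >= reject_threshold else "flag"   # flag: leave it to the user (SPIT button)


# Constructed sample INVITE carrying one mark (the ';' inside info is deliberate).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "From: <sip:caller@example.com>;tag=1928\r\n"
    "To: <sip:bob@example.net>\r\n"
    f'{HEADER}: puc=puc1.example.com;pif=pif-example;isspam=true;strength=90;info="grey list; hit"\r\n'
    "Content-Length: 0\r\n\r\n"
)
```

`handle` returns one of three outcomes: "deliver" when no trusted mark claims spam, "reject" when a trusted mark is confident enough, and "flag" in between, which is where the customer's own judgement (the «SPIT button» on the slide) comes in rather than the network deciding alone.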
Main NGN release 3 security topics: application layer security
• The main user authentication mechanisms assume the UICC is available on the device. Unfortunately, fixed-line devices available on the market have no SC reader.
• SIP Digest and NBA have been defined for IMS authentication only.
• A new functional element has been introduced to enable HTTP Digest authentication and the re-use of the SIP Digest credentials stored in the UPSF:
  • Support for legacy devices
  • Simplified provisioning
  • Enable SSO
Main NGN release 3 security deliverables
(figure: Main Reports: TR 187 002 (TVRA), TR 187 013 (IPTV), TR 187 019 (NNI); Main Specifications: TS 187 001 Requirements, TS 187 003 Architecture, TS 187 005 (LI), TS 187 015 (PUC), TS 187 017 (DR), TS 187 021 (CPN); the figure notes "Downgrade to TR pending")
Main NGN release 3 security deliverables
• TS 187 001 v3 Security Architectures
• TS 187 001 v3 Security requirements
• TR 187 013 Feasibility study on IPTV security architecture
• TS 187 015 Prevention of Unsolicited Communication in the NGN
• TR 187 002 v3 Threat, Vulnerability and Risk Analysis
• TR 187 019 Interconnection security
• TS 187 005 v3 Lawful Interception; Stage 1 and Stage 2 definition
• TS 187 017 v3 Data Retention in the NGN
• TR 187 021 Security services and mechanisms for customer premises networks connected to TISPAN NGN
Possible hot topics for NGN security beyond release 3
TISPAN WG7 identified the following topics (under discussion):
• Full IPTV stage 3 definition (OMA BCAST)
• Content protection for IPTV services
• NGA security
• IdM and SSO to enable a "full" FMC
• Smart Metering Security
• Enhanced mechanisms for the NNI Security
• Enhanced RACS Security
• Enhanced NASS Security
• DIAMETER profile for TISPAN NGN