
EURESCOM Project P710 “Security for the TMN X-interface” by Pål Kristiansen, Telenor R&D


Presentation Transcript


  1. EURESCOM Project P710 “Security for the TMN X-interface” by Pål Kristiansen, Telenor R&D. Presentation Contents:
     - The need for TMN security & the P710 effort
     - Description of the P710 Security Solution
     - Possible future security capabilities (STASE-ROSE)
     - Summary and Conclusions

  2. Why is security important?
     - TMN X-interfaces may be carried over networks operated by different providers, thereby offering potential intruders a broad selection of points of attack.
     - TMN interfaces are based on publicly known and available standards.
     - The information carried by CMIP can easily be interpreted and thereby also easily manipulated and misused by an intruder.
     - Protocol analysers and protocol stacks are commercially available to any intruder who wants to make use of them.
     - The power of CMIP allows a single message to affect a very large number of entities. Therefore, the potential consequences of an attack could be considerable.
     - Conclusion: Open interfaces are by nature vulnerable to various threats of attack. Security measures are therefore an absolute requirement for any operator that wants to protect its business interests related to the use and provision of management services.
     - The availability of an appropriate set of inter-domain security services is a prerequisite for the provision of automated X-interfaces in Europe.

  3. P710 Rationale
     - Commercial automated X-interfaces in Europe may become a reality in the very near future. A commercial driver for P710 is the planned ATM MoU.
     - Today there exists no commonly accepted (i.e. standardised) off-the-shelf security solution for the protection of CMIP communications.
     - Any proposed security solution should be validated through practical implementation and experimentation before it is accepted and applied in a real environment. Theoretical studies are not sufficient.
     - EURESCOM is currently in a good position to provide important practical results in the area of X-interface security.

  4. Some Important Considerations
     - P710 needed to select a solution that can operate in a multi-operator and multi-vendor environment.
     - P710 wanted to select a security solution that conforms to existing security standards to ensure a certain level of market acceptance.
     - The main security problem for CMIP environments is the lack of support for integrating security services within the OSI-stack.
     - P710 wanted to design a security solution that is flexible enough to be able to utilise existing management platform security capabilities as much as possible.
     - P710 has to select commercial products for the purpose of implementation and validation but has no intention to mandate one particular product for an operational phase.

  5. Overall P710 Security Solution

  6. Secure VPN based on IPsec

  7. Application Level Security Architecture

  8. The use of STASE-ROSE (Q.813) with GSS-API

  9. Considerations regarding STASE-ROSE
     - STASE-ROSE, if implemented, would become an option to the P710 IPsec solution. In addition to integrity/confidentiality protection, STASE-ROSE will be able to provide a basis for non-repudiation.
     - STASE-ROSE with GSS-API support could be an add-on capability to the P710 application level architecture. In this case the same cryptographic module (GSS-API module) could be used to provide the entire range of cryptographic services.
     - The possibility of commercial implementation may seem promising, but is as yet very unclear (if, who and when?). X-interface solutions may require multi-vendor support for STASE-ROSE.
     - Since P710 needs to implement and validate solutions that are available today, STASE-ROSE is not an option.

  10. Summary and Conclusions (1)
     - Today there is no complete standardised off-the-shelf security solution available for CMIP.
     - Existing management platforms have either very little or no support at all for security. It is a goal for P710 to enable the use of platform supported capabilities (particularly access control) whenever available.
     - It should be possible to provide a secure CMIP solution today (apart from maybe non-repudiation) using existing “standard” security technology. Dividing security functionality between application level and network level is, however, recommended in order to provide all the main security services.
     - The use of GSS-API provides an easy and standard way to integrate (and easily replace) cryptographic services at application level.

  11. Summary and Conclusions (2)
     - IP security (IPsec) should provide an investment guaranteed solution for creating a secure VPN (requires the use of CMIP over IP). Host-integration of IPsec may be considered as a future option.
     - STASE-ROSE, if implemented with GSS-API support, would become an add-on capability to the P710 solution. It may, however, take a while before this solution is applicable for multi-vendor environments.
     - An “easy to use” manual public key management solution, appropriate for smaller user-groups, should be sufficient in a first phase. Full PKI functionality may be considered as a future option.
     - The P710 security solution is designed to be flexible and is not tailored to one specific X-interface environment.

  12. Questions?
     - e-mail: pal.kristiansen@fou.telenor.no
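The point made on slide 10, that a GSS-API style interface lets the application level integrate and later replace cryptographic services, is illustrated below as an added example; it is not code from the presentation or from P710. The class names, the shared-key HMAC stand-in mechanism, the sequence-number check and the sample request are assumptions; only the method names echo the GSS-API calls GSS_GetMIC and GSS_VerifyMIC.

```python
import hmac
import struct


class HmacMechanism:
    """Stand-in mechanism (assumption): shared-key HMAC with a selectable digest."""

    def __init__(self, key: bytes, digest: str = "sha256"):
        self._key = key
        self._digest = digest

    def get_mic(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, self._digest).digest()

    def verify_mic(self, data: bytes, mic: bytes) -> bool:
        return hmac.compare_digest(self.get_mic(data), mic)


class SecureAssociation:
    """Application-level layer: it only calls get_mic/verify_mic and never names an algorithm."""

    def __init__(self, mechanism):
        self._mech = mechanism
        self._send_seq = 0
        self._recv_seq = 0

    def protect(self, pdu: bytes):
        seq = self._send_seq
        self._send_seq += 1
        # The MIC covers the sequence number as well as the PDU.
        return seq, pdu, self._mech.get_mic(struct.pack(">Q", seq) + pdu)

    def accept(self, seq: int, pdu: bytes, mic: bytes) -> bool:
        if seq != self._recv_seq:
            return False  # replayed or out-of-order message
        if not self._mech.verify_mic(struct.pack(">Q", seq) + pdu, mic):
            return False  # PDU or sequence number modified in transit
        self._recv_seq += 1
        return True


def demo(digest: str):
    key = b"constructed-demo-key"  # constructed sample value
    sender = SecureAssociation(HmacMechanism(key, digest))
    receiver = SecureAssociation(HmacMechanism(key, digest))
    # Constructed text standing in for a management request; not real CMIP encoding.
    seq, pdu, mic = sender.protect(b"M-SET scope=wholeSubtree adminState=locked")
    tampered = receiver.accept(seq, pdu.replace(b"locked", b"unlocked"), mic)
    genuine = receiver.accept(seq, pdu, mic)
    replayed = receiver.accept(seq, pdu, mic)
    return tampered, genuine, replayed


if __name__ == "__main__":
    for name in ("sha256", "sha512"):  # swapping the mechanism leaves SecureAssociation untouched
        print(name, demo(name))
```

Integrity protection of this kind detects modification and replay but gives no confidentiality, which in the P710 solution is the job of the IPsec VPN.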
