[VOIPSEC] ITU Security Services
Andre Fucs de Miranda
afucs-listas at mandicmail.com
Tue Jun 20 18:35:13 CDT 2006
Mark,
I changed the subject of the message since your question was about "trust"
and I was writing about the so-called ITU Security Services. But before
answering your question, let me try to "explain" how the E.408 sees those
"Security Services".
For the ITU E.408 the Security Services make use of Security Mechanisms in
order to comply with Security Requirements. The Security Requirements are
derived from both Threats and Security Objectives. It's something like this:
 -------    ------------    --------    ----------    ----------
|THREATS|->|  Security  |->|Security|->| Security |->| Security |
|       |  |Requirements|  |Services|  |Mechanisms|  |Algorithms|
 -------    ------------    --------    ----------    ----------
                 ^
                 |
            ------------
           |  Security  |
           | Objectives |
            ------------
As a good ITU standard it makes use of the good old layered approach.
The first layered structure of the document is the so-called Six Layers for
"Network" Security:
6 Security Auditing
5 Security Tools
4 Software for Telecommunications
3 Monitoring
2 Physical Security
1 Network Administrator
That tells us what is already best practice. NO big surprise. By the end,
the document shows a mapping between the OSI Layers and the Security
Services.
I personally have mixed opinions about mapping this OSI model table to the
IP/DoD model used by Voice over IP. But anyway, the standard says that none
except the OSI Application Layer will be able to provide the whole set of
security services. But providing all the features at the Application layer is
utopian...
Then comes your question: which products or services would provide this
trust? The answer is simple: NONE. No product will ever provide you with all
the Security Mechanisms. Some will be provided by protocols like IPSEC, others
are related to your applications, and some services are provided by
firewalls and SBCs.
Maybe we can use this thread to share opinions about which products will
provide each security service. I'm not sure if this is what you expect.
Best regards.
--
Andre Fucs, CISSP
http://www.fucs.org/
---- Original Message ----
From: "Mark Teicher"
To: voipsec at voipsa.org
Sent: Tue, June 20, 2006 3:22 pm
Subject: Re: [VOIPSEC] An issue of trust?
> So what products or services offer this type of 'trust' ?
>
> -----Original Message-----
>>From: Andre Fucs de Miranda
>>Sent: Jun 20, 2006 2:00 PM
>>To: @unspecified-domain>
>>Cc: voipsec at voipsa.org
>>Subject: Re: [VOIPSEC] An issue of trust?
>>
>>David,
>>
>>Those terms have been in use for a few years. Take a look on Lucent's intranet
>>for the ITU-T recommendations E.408 and X.800 (trust me) and, if I'm not
>>mistaken, you can get the ETR 336 from the ETSI website. The security services
>>may differ in each document but they are basically the same.
>>
>>Using the ETR 336 lists we have:
>>
>>* User authentication
>>* Peer authentication
>>* Data origin authentication
>>* Access controls
>>* Integrity
>>* Security alarm, audit trail and recovery
>>* Confidentiality
>>* Non-repudiation of origin
>>* Non-repudiation of delivery
>>
>>The E.408 list is:
>>
>>* User authentication
>>* Peer authentication
>>* Data origin authentication
>>* Management association access control
>>* Management notification access control
>>* Managed resource access control
>>* Security alarm, audit trail and recovery
>>* Selective field integrity
>>* Connection integrity with recovery
>>* Connection integrity without recovery
>>* Selective field confidentiality
>>* Connection/Connectionless confidentiality
>>* Traffic flow confidentiality
>>* Non-repudiation - proof of sending
>>* Non-repudiation - proof of delivery.
>>
>>BTW, I personally like ITU's E.408. It provides a very flexible security
>>framework for telephony (IP, ISDN, PSTN, etc.). Sadly I think I'm the only
>>one to think that. :-\ I posted an "article" (kind of superficial but...) on
>>the website below.
>>
>>Best regards,
>>
>>--
>>Andre Fucs, CISSP
>>http://www.fucs.org/
>>
>>---- Original Message ----
>>From: "Strand, David P (Dave)"
>>To: "'Geoff Devine'" , "stuart jacobs"
>>Sent: Tue, June 20, 2006 1:50 pm
>>Subject: Re: [VOIPSEC] An issue of trust?
>>> Accept the fact that there always will be the need for terminology at
>>> multiple levels, and, as we drill down further, the issues and methods
>>> of addressing them differ significantly. Another example of this lies
>>> in the management domain, where "configuration management" broadly refers
>>> to activities associated with modification of semi-permanent data within
>>> network elements. The first subdivision is what can be termed "engineering"
>>> and "subscriber" CM, each of which has significantly different
>>> considerations.
>>> Bottom line, the generic term CM is useful at one level, while a more
>>> pinpointed term is needed at more detailed levels.
>>>
>>> I like Stu's definitions to distinguish between the two fundamental types
>>> of authentication - peer-entity and data origin. I'd suggest using those,
>>> at least on an informal basis, if one doesn't wish to attempt to put the
>>> industry stamp of approval on them via a (lengthy) standards process.
>>>
>>> dps
>>>
>>> -----Original Message-----
>>> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org]On
>>> Behalf Of Geoff Devine
>>> Sent: Tuesday, June 20, 2006 8:10 AM
>>> To: stuart jacobs
>>> Cc: Voipsec at voipsa.org
>>> Subject: Re: [VOIPSEC] An issue of trust?
>>>
>>>
>>> Right. But people use "authentication" to mean both things and it is
>>> often difficult to tell by context which one they are talking about.
>>> I've seen this happen fairly frequently on this email reflector.
>>>
>>> We live in an industry where our technical jargon is meant to be very
>>> precise. It would be useful to have two different terms. Does anyone
>>> have any suggestions?
>>>
>>> Geoff
>>>
>>> -----Original Message-----
>>> From: stuart jacobs [mailto:stu.jacobs at verizon.com]
>>> Sent: Tuesday, June 20, 2006 10:34 AM
>>> To: Geoff Devine
>>> Cc: Voipsec at voipsa.org
>>> Subject: Re: [VOIPSEC] An issue of trust?
>>>
>>> Logging in is user or peer-entity authentication
>>>
>>> per-packet trust mechanism is data origin authentication
>>>
>>> On Jun 20, 2006, at 9:34 AM, Geoff Devine wrote:
>>>
>>>> Andy Zmolek writes:
>>>>
>>>>> Splitting hairs about authentication vs. encryption
>>>>
>>>>
>>>>
>>>> I struggle with the terminology. The way I (mis?)use the term
>>>> authentication, it can mean both:
>>>>
>>>> Logging In: IKE, Kerberos, SIP digest... I guess this is "session
>>>> authentication"
>>>>
>>>> Per-packet trust mechanism: SHA1, MMH... I guess this is "packet
>>>> authentication"
>>>>
>>>> From context, it's not always obvious to me which one someone is talking
>>>> about. Are there better terms to distinguish between these two very
>>>> different chunks of security technology?
>>>>
>>>> Geoff
>>>>
>>>> _______________________________________________
>>>> Voipsec mailing list
>>>> Voipsec at voipsa.org
>>>> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>>>>
>>>>
>>> ========================================================
>>> Stuart Jacobs, CISM, CISSP
>>> PMTS - Sr. Technologist
>>> Network Security
>>> Verizon Laboratories
>>> 40 Sylvan Road
>>> Waltham MA 02451-1128
>>> (781) 466-3076
>>>
>>>
>>
>>
>
>
>
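The distinction drawn in the quoted thread above between logging in (user or peer-entity authentication, e.g. SIP digest) and a per-packet trust mechanism (data origin authentication, e.g. an HMAC-SHA1 tag on every packet) is illustrated by the following added example; it is not code from any poster in this thread. The credentials, the session key and the simplified SRTP-style authenticated portion (sequence number plus payload) are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample credentials and session key (not from the thread).
USER, REALM, PASSWORD = "alice", "voip.example", "s3cret"
SESSION_KEY = b"constructed-srtp-auth-key"  # in practice derived by key management

# --- Peer-entity ("logging in") authentication: SIP Digest (RFC 2617,
# algorithm=MD5, no qop). Run once per challenge; proves who the UA is,
# but says nothing about the individual packets that follow.
def digest_response(method: str, uri: str, nonce: str) -> str:
    """Return the Digest 'response' a UA sends back for the server's nonce."""
    ha1 = hashlib.md5(f"{USER}:{REALM}:{PASSWORD}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

def server_verifies_login(method: str, uri: str, nonce: str, response: str) -> bool:
    """Registrar recomputes the response from its copy of HA1 and compares."""
    return hmac.compare_digest(digest_response(method, uri, nonce), response)

# --- Data-origin ("per-packet trust") authentication: an HMAC-SHA1 tag on
# every packet. Simplified SRTP-style: tag = HMAC-SHA1(key, seq||payload)[:10].
TAG_LEN = 10  # 80-bit truncated tag, the length SRTP uses by default

def _tag(seq: int, payload: bytes) -> bytes:
    msg = seq.to_bytes(2, "big") + payload
    return hmac.new(SESSION_KEY, msg, hashlib.sha1).digest()[:TAG_LEN]

def tag_packet(seq: int, payload: bytes) -> bytes:
    """Sender: append the authentication tag to the packet."""
    return payload + _tag(seq, payload)

def verify_packet(seq: int, packet: bytes) -> bool:
    """Receiver: recompute the tag over the received seq and payload."""
    payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return hmac.compare_digest(tag, _tag(seq, payload))
```

A packet whose payload is altered or that is replayed under a different sequence number fails `verify_packet` even though the peer logged in successfully, which is exactly why the two services need separate names.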