Security in Telecommunication and Information Technology
「 Working Group QoS and Security 」 Medan, 29 July 2011.
Agenda
• Schedule/activities
• Key security topics in Telecommunication & IT 「 ICT 」
Activities
• First step: conduct a study of ICT security (SG 17 of ITU-T); gain a global understanding of ICT security and the standards that must be adopted
• Second step: select the ICT security topics that fit conditions in the Unitary State of the Republic of Indonesia (NKRI)
• Third step: break down the material per topic, together with practical issues and QoS
• Fourth step: identify problems according to existing conditions
Key Security Topics in ICT [1]
① Security requirements
② Security architectures
③ Security management
④ The Directory, authentication, and IdM
⑤ Securing the network infrastructure
⑥ Some specific approaches to network security
⑦ Application security
⑧ Countering common network threats
[1] source: SG Number 17 of ITU-T in the draft of security-related
Security Requirements
A clear, comprehensive understanding covers:
• the parties involved;
• the assets that need to be protected;
• the forms of activity that threaten those assets;
• the vulnerabilities associated with those assets; and
• the overall risk to those assets from the vulnerabilities and threats.
Threats, Risks, and Vulnerabilities
Protection of the assets of:
• Customers/subscribers
• Public community/authorities
• Network operators/service providers
Assets to be protected include:
• Communication and computing services
• Information and data, including software
• Personnel
• Equipment and facilities
Examples of threats include:
• Unauthorized disclosure of information
• Modification of data, equipment, and other resources
• Theft, removal/loss of information or other resources
• Interruption or DoS
• Impersonation, or posing as a holder of authority
General Security Objectives for ICT Networks
a. Only authorized users may access and use the telecommunication network
b. Authorized users are able to access and operate on assets
c. Telecommunication networks ensure privacy
d. All users must be accountable
e. To ensure availability, telecommunication networks must be protected…
f. Secure retrieval of information is possible and assured
g. If a violation occurs, it can be handled in a controlled way
h. If a breach occurs, normal security can be restored
i. The architecture of telecommunication networks must be flexible
• Confidentiality
• Data, system and program integrity
• Accountability, including: authentication, non-repudiation, access control
• Availability
Other Requirements
Rationale for security standards, taking into account current cybersecurity techniques:
• Cryptography: a powerful technique; encryption of data during transmission and while in storage
• Access control: restricts the ability of users to access, use, view, or modify information
• System integrity: ensures that the system and its data are not changed
• Audit, logging & monitoring: help the sysadmin evaluate whether security is being maintained
• Management: helps the sysadmin verify the correctness of the network and its settings
Personnel and physical security requirements
Security Architecture
• Architectures, and the related models and frameworks: a structure and context within which the related technical standards are developed in a consistent manner
• In the form of a layered communications architecture: open systems security architecture ITU-T X.800, in collaboration with ISO
• Security architecture for systems providing end-to-end communications (ITU-T X.805) (network management, P2P communication, mobile web servers)
In Consideration:
• The open systems security arch & related standards
• Security services
• Security arch for systems providing end-to-end communications
• And some application-specific arch
  • P2P communications
  • Security arch for message security in mobile web services
Security Arch. ITU-T X.805
[Figure SecMan(09)_F01: ITU-T X.805 security architecture. Security layers: Infrastructure Security, Services Security, Applications Security. Planes: End User Plane, Control Plane, Management Plane. 8 Security Dimensions: Access Control, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability, Privacy. Threats: Destruction, Disclosure, Corruption, Removal, Interruption. Also labelled: Vulnerabilities, Attacks.]
• 3 major concepts: security layers, planes, and dimensions
• Hierarchical approach
P2P Service Architecture
[Figure SecMan(09)_F02: Peer 1, Peer 2 and Peer 3; peer discovery and information transfer.]
Arch Reference Model for P2P Network
[Figure SecMan(09)_F03: P2P overlay stratum and Transportation stratum. Labels: Join, Search, Overlay service; Peer, Peer (Server), Peer (Device); User; steps (1), (2), (3).]
• Intra-domain peer
• Inter-domain peer: a service provider peer located in another network domain
Framework for Secure P2P Communications
Threats in P2P communication include: eavesdropping, jamming, injection & modification, unauthorized access, repudiation, man-in-the-middle attacks, and Sybil attacks
Functions (table columns): Encipherment; Key exchange; Digital signature; Trust management; Access control; Data integrity mechanism; Authentication exchange; Notarization; Secure routing; Traffic control mechanism; ID assignment
Requirements (table rows, with the X marks for each):
User authentication: X X X X X X X
Anonymity: X X X
Privacy: X X X
Data integrity: X X X X X X
Data confidentiality: X X X X
Access control: X X X
Non-repudiation: X X X X
Usability: X
Availability: X X X X
Traceability: X X X
Traffic control: X X
Security Arch for Mobile Web Services
[Figure SecMan(09)_F04: Mobile terminal (WS client), Mobile terminal (non-WS client), Mobile web services security gateway, Policy server, Registry server, Discovery service, Application service (WS provider), Application service (non WS), External application service. Groupings: Resources in mobile network operator; Resources of service providers. Exchanged items: WSDL, security policy, access control policy.]
Aspects of Security Management
• A broad topic covering many activities related to: controlling and protecting access to systems and networks, event monitoring, reporting, policy, and auditing
• Related topics that need attention:
  • Information security management
  • Risk management
  • Incident handling
Information Security Management
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development and maintenance
• Incident management
• Business continuity management
Information must be protected
Installation and use of telecommunication facilities must be controlled
All access to services must be authorized
Risk Management Process
[Figure SecMan(09)_F05: risk management cycle]
• Risk assessment, risk treatment and the selection of controls
• Implementation and deployment of risk controls
• Monitor, review and communicate the risks and the effectiveness of the risk controls
• Update and improve the risk controls or deploy new controls
The Directory, Authentication, and IdM
• A directory is a collection of information/files that helps in obtaining specific information
• ITU-T X.500: provides directory services to facilitate communication and information exchange between entities, people, terminals, distribution lists, etc.
• Conventional: naming, name-to-address mapping, and allowing binding between objects and their locations
• The directory plays an important role in supporting security services
In Consideration:
• Protection of directory information
  • Directory protection, authentication of directory users, directory access control, privacy protection
• Strong authentication: public key security mechanisms
  • Secret key and public key crypto, public key cert, public key infra
• Authentication guidelines
  • Secure password based auth protocol with key exchange (SPAK), EAP
• Identity management
• Telebiometrics
  • Telebiometric auth, digital key & protection, security & safety, standards
Securing The Network Infrastructure
• Data used to monitor and control telecommunication network management traffic is always transmitted over a separate network that carries only network management traffic
• Telecommunications management network (TMN): ITU-T M.3010
• To provide security for an end-to-end solution, security measures (access control, authentication) must be applied to every type of network activity across the network infrastructure, services, and applications.
In Consideration:
• The telecommunications management network
• Network management arch
• Securing the infrastructure elements of a network
• Securing monitoring and control activities
• Securing network based applications
• Common security management services:
  • Securing alarm reporting function
  • Securing audit trail function
  • Access control for managed entities
  • CORBA based security services
Some Specific Approaches to Network Security
① Approaches to protecting various types of networks, for example the security requirements in NGN
② Followed by mobile communication networks, which are in transition from mobility based on a single technology (CDMA or GSM) to mobility across platforms using IP.
③ Then, the security requirements for home networks and cable TV are evaluated
④ Finally, the security challenges for ubiquitous sensor networks
In Consideration:
• NGN security
• Mobile communication security
• Security for home networks
• IPCablecom
• Security for ubiquitous sensor networks
• Network & service provider infrastructure, its assets, its resources, its communication, and its services
• NGN services & capabilities
• End-user communication & information
Security of Comm Across Multiple Networks
[Figure SecMan(09)_F23: Network-provided security on network domain by network domain basis for end-to-end communications. Labels: Users, TEs, User networks, Corporate networks, Access (xDSL, Cable, FTTP, WiFi, WiMAX), Transport, Transit, Other provider, Service stratum, Application servers, Softswitch, CSCF; interfaces UNI, NNI, ANI; Signalling and Media/bearer paths.]
Gateway Model of Mobile end-to-end Data Communication
[Figure SecMan(09)_F24: Mobile user, Mobile terminal, Mobile network, Open network, Application server, ASP; data communication between mobile terminal and application server.]
[Figure SecMan(09)_F25: the same entities with a Security gateway between the Mobile network and the Open network; data communication on each side of the gateway.]
• The ASP provides services to mobile users through the application server
• The security gateway relays packets from the mobile terminal to the application server and transforms the mobile network-based communication protocol into the open network-based protocol
Threats in The Mobile end-to-end Communication
[Figure SecMan(09)_F26: Mobile Terminal, Open + Mobile Network, Application Server]
Threats related to open and mobile networks:
• Eavesdropping
• Communication Jamming
• Insertion or modification of data
• Interruption
• Unauthorized access
• Repudiation
• Masquerade
Threats related to mobile terminal only:
• Shoulder surfing
• Loss of terminal
• Stolen mobile terminal
• Misreading
• Input error
• Unprepared communication shutdown
Threats related to application servers only:
• Communication Jamming (DoS)
• Unprepared communication shutdown
Security Function Required for Each Entity
[Figure SecMan(09)_F27: entities shown: Mobile User, Mobile Terminal, Mobile Network, Security Gateway, Open Network, Application Server]
Function lists shown in the figure:
• Encipherment, Key exchange, Digital signature, Access control, Data integrity, Authentication exchange
• Encipherment, Key exchange, Digital signature, Access control, Data integrity, Authentication exchange
• Encipherment, Key exchange, Digital signature, Access control, Data integrity, Authentication exchange, Notarization
• Mobile User: Authentication exchange, Access control
General Home Network Model for Security
[Figure SecMan(09)_F31: Home (Home user, Type A home device, Type B home device, Type C home device, Legacy home devices, Wired/wireless home network, Secure home gateway, Home application server); Open network (Remote user, Remote terminal, Application server).]
• Various transmission media can be used in the network
• Various types of home network devices with differing levels of security
Device Authentication Model for The Secure Home Netw
[Figure SecMan(09)_F32: the home network model of the previous figure (Home user, Type A, Type B and Type C home devices, Legacy home devices, Wired/wireless home network, Secure home gateway, Home application server, Open network, Remote user, Remote terminal, Application server) with a Root certificate authority and a CA added.]
IPCablecom Component Reference Model
[Figure SecMan(09)_F35: CMTS, Cable modem, MTA, Embedded MTA, Router, Managed IP backbone, Call management server, Call Agent, Gate controller, Announcement controller, Announcement player, Media servers, Media gateway controller (MGC), Media gateway (MG), Signaling gateway (SG), PSTN gateways, PSTN, OSS servers: RKS, DNS, DHCP, SNMP, TFTP, SYSLOG, KDC.]
• Trusted network elements are usually located on the network operator's backbone side
• The untrusted network is on the cable modem & MTA side
Sensor node compromise, eavesdropping, compromise or exposure of sensed data, DoS attack, malicious use/misuse of network sensors
Potential Ubiquitous Sensor Network Applications
Application Security
• With growing awareness of how important security is, application developers now pay close attention to building security requirements into their products rather than adding security after the application has been produced
• It is therefore necessary to consider the security vulnerabilities in those products, and in turn security recommendations from ITU-T are needed
In Consideration:
• Voice over IP (VoIP) and multimedia
• IPTV
• Secure fax
• Tag based services
Corporate comm: IP-PBX, IP-centrex, voice VPN, integrated voice & data system, WiFi phones, implementation of call center, and mobility services
Professional comm: voice, vcon, voice/data/video collaboration, and distance learning
Resident env: audiovisual access, PC-to-phone, PC-to-PC calling
H.323 System: Deployment Scenarios
[Figure SecMan(09)_F37: H.323 internet client, H.323 client via PPP, H.323 intranet client, Internet, Intranet (LAN), IP, Firewall, Gateway (Access server), Gatekeeper, Multicast unit, Gateway (H.323/ISDN/H.320), PSTN, PBX, IP phone (SET), Analogue and digital phones.]
Security Threats in Multimedia Communication
[Figure SecMan(09)_F38: devices and services (PC, Notebook, PDA, Telephone, TV, Kiosk Terminal, Radio/Television, Online-Services; Telephone, Data, Video) connected over Internet, WAN, LAN and Intranet, spanning Private Network and Public Network.]
Threats shown:
• Masquerade
• Repudiation (Data, Service)
• Traffic Analysis
• Insider Threats
• Manipulation of Data
• Replay
• Unauthorized Access to Resources and Services
• Intrusion
• Eavesdropping, Disclosure
• Billing Fraud
• Denial of Service
• Misuse of Data
• Misuse of Services
General Security Arch for IPTV
[Figure SecMan(09)_F42: End-user functions (Terminal functions, End-user network functions, SCP client functions, Service protection client, Content protection client); Network functions (Access network functions, Delivery network gateway functions, Authentication and IP allocation functional block); Application functions; Service control functions; Content delivery functions; SCP functions (Content protection functions, Service protection functions); Content provider functions (Content and metadata sources); Out of scope.]
• Content enc
• Watermarking
• Content tracing identification & information
• Content labelling
• Secure transcoding
• Device user as the customer: identifier
• ID tag as the customer: entrance check, passport, license
• Customer as both ID tag and a device user
Basic Model of B2C using Tag Based ID
[Figure SecMan(09)_F44: ID tag, Poster, Public Network, ID resolution server, App. server.]
Countering Common Network Threats
• Threats to computer systems and networks are numerous and varied
• Although many attacks are initiated locally, attacks today are widely carried out over communication networks
• The reality is the number of PCs and network devices connected to the Internet and operated from homes and workplaces
• Spam, spyware, viruses and other forms of attack are spread in large numbers
In Consideration:
• Countering spam
  • Email spam
  • IP multimedia spam
  • SMS spam
• Malicious code, spyware, and deceptive software
• Notification and dissemination of software updates
General Model for Countering Spam
[Figure SecMan(09)_F46: strategies (Filtering strategies, Feedback strategies, Service strategies, Equipment strategies, Network strategies) arranged across the Application layer, Service layer and Infrastructure layer.]
General Structure of Email Anti-Spam Processing
[Figure SecMan(09)_F47: Anti-spam processing entity, two Anti-spam processing sub-entities, two Email Servers, two Email Clients.]