Network Working Group                                         C. Lonvick
Internet-Draft                                                   D. Spak
Expires: March 21, 2005                                    Cisco Systems
                                                      September 20, 2004

             Security Best Practices Efforts and Documents
                    draft-lonvick-sec-efforts-01.txt

Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of section 3 of RFC 3667.  By submitting this Internet-Draft, each
   author represents that any applicable patent or other IPR claims of
   which he or she is aware have been or will be disclosed, and any of
   which he or she becomes aware will be disclosed, in accordance with
   RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on March 21, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2004).

Abstract

   This document provides a snapshot of the current efforts to define or
   apply security requirements in various Standards Developing
   Organizations (SDO).

Table of Contents

   1.  Introduction
   2.  Format of this Document
   3.  Online Security Glossaries
   3.1  ATIS Telecom Glossary 2000
   3.2  Critical Infrastructure Glossary of Terms and Acronyms
   3.3  Internet Security Glossary - RFC 2828
   3.4  Compendium of Approved ITU-T Security Definitions
   3.5  Microsoft Solutions for Security Glossary
   3.6  SANS Glossary of Security Terms
   3.7  USC InfoSec Glossary
   4.  Standards Developing Organizations
   4.1  3GPP - Third Generation P P
   4.2  3GPP2 - Third Generation P P 2
   4.3  ANSI - The American National Standards Institute
   4.4  ATIS - Alliance for Telecommunications Industry Solutions
   4.4.1  ATIS Network Performance, Reliability and Quality of Service
          Committee, formerly T1A1
   4.4.2  ATIS Network Interface, Power, and Protection Committee,
          formerly T1E1
   4.4.3  ATIS Telecom Management and Operations Committee, formerly
          T1M1 OAM&P
   4.4.4  ATIS Ordering and Billing Forum regarding T1M1 O&B
   4.4.5  ATIS Wireless Technologies and Systems Committee, formerly
          T1P1
   4.4.6  ATIS Packet Technologies and Systems Committee, regarding
          T1S1
   4.4.7  ATIS Protocol Interworking Committee, regarding T1S1
   4.4.8  ATIS Optical Transport and Synchronization Committee,
          formerly T1X1
   4.5  CC - Common Criteria
   4.6  DMTF - Distributed Management Task Force, Inc.
   4.7  ETSI - The European Telecommunications Standard Institute
   4.8  GGF - Global Grid Forum
   4.9  IEEE - The Institute of Electrical and Electronics Engineers,
        Inc.
   4.10  IETF - The Internet Engineering Task Force
   4.11  INCITS - InterNational Committee for Information Technology
         Standards
   4.12  ISO - The International Organization for Standardization
   4.13  ITU - International Telecommunication Union
   4.13.1  ITU Telecommunication Standardization Sector - ITU-T
   4.13.2  ITU Radiocommunication Sector - ITU-R
   4.13.3  ITU Telecom Development - ITU-D
   4.14  OASIS - Organization for the Advancement of Structured
         Information Standards
   4.15  OIF - Optical Internetworking Forum
   4.16  NRIC - The Network Reliability and Interoperability Council
   4.17  TIA - The Telecommunications Industry Association
   4.18  Web Services Interoperability Organization (WS-I)
   5.  Security Best Practices Efforts and Documents
   5.1  3GPP - TSG SA WG3 (Security)
   5.2  3GPP2 - TSG-S Working Group 4 (Security)
   5.3  American National Standard T1.276-2003 - Baseline Security
        Requirements for the Management Plane
   5.4  DMTF - Security Protection and Management (SPAM) Working Group
   5.5  DMTF - User and Security Working Group
   5.6  ATIS Security & Emergency Preparedness Activities
   5.7  ATIS Work-Plan to Achieve Interoperable, Implementable,
        End-To-End Standards and Solutions
   5.8  Common Criteria
   5.9  ETSI
   5.10  GGF Security Area (SEC)
   5.11  Information System Security Assurance Architecture
   5.12  Operational Security Requirements for IP Network
         Infrastructure : Advanced Requirements
   5.13  INCITS Technical Committee T4 - Security Techniques
   5.14  INCITS Technical Committee T11 - Fibre Channel Interfaces
   5.15  ISO Guidelines for the Management of IT Security - GMITS
   5.16  ISO JTC 1/SC 27
   5.17  ITU-T Study Group 2
   5.18  ITU-T Recommendation M.3016
   5.19  ITU-T Recommendation X.805
   5.20  ITU-T Study Group 16
   5.21  ITU-T Study Group 17
   5.22  Catalogue of ITU-T Recommendations related to Communications
         System Security
   5.23  ITU-T Security Manual
   5.24  NRIC VI Focus Groups
   5.25  OASIS Security Joint Committee
   5.26  OASIS Security Services TC
   5.27  OIF Implementation Agreements
   5.28  TIA
   5.29  WS-I Basic Security Profile
   6.  Security Considerations
   7.  IANA Considerations
   8.  Acknowledgments
   9.  Changes from Prior Drafts
   10.  References
   10.1  Normative References
   10.2  Informative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

   The Internet is being recognized as a critical infrastructure similar
   in nature to the power grid and a potable water supply.  Just like
   those infrastructures, means are needed to provide resiliency and
   adaptability to the Internet so that it remains consistently
   available to the public throughout the world even during times of
   duress or attack.  For this reason, many SDOs are developing
   standards with hopes of retaining an acceptable level of this
   availability to its users, or even improving it.  These SDO efforts
   usually define themselves as "security" efforts.  It is the opinion
   of the authors that there are many different definitions of the term
   "security" and it may be applied in many diverse ways.  As such, we
   offer no assurance that the term is applied consistently throughout
   this document.

   Many of these SDOs have diverse charters and goals and will take
   entirely different directions in their efforts to provide standards.
   However, even with that, there will be overlaps in their produced
   works.  If there are overlaps then there is a potential for conflicts
   and confusion.  This may result in:

      Vendors of networking equipment who are unsure of which standard
      to follow.

      Purchasers of networking equipment who are unsure of which
      standard will best apply to the needs of their business or
      organization.

      Network Administrators and Operators unsure of which standard to
      follow to attain the best security for their network.
   For these reasons, the authors wish to encourage all SDOs who have an
   interest in producing, or in consuming, standards relating to good
   security practices to be consistent in their approach and their
   recommendations.  In many cases, the authors are aware that the SDOs
   are making good efforts along these lines.  However, the authors do
   not participate in all SDO efforts and cannot know everything that is
   happening.

   The authors of this document would like to keep it open as an
   Internet Draft for approximately 6 months from the date of the first
   submission.  We hope that it will be spread far and wide and that the
   leaders of SDO efforts will contact us with updated information so
   that their own effort may be listed in this document, or so that
   corrections may be made.

   Comments on this document may be addressed to the authors.

2.  Format of this Document

   The body of this document has three sections.

   The first part of the body of this document, Section 3, contains a
   listing of online glossaries relating to networking and security.  It
   is very important that the definitions of words relating to security
   and security events be consistent.  Inconsistencies between the
   usage of words in standards are unacceptable, as they would prevent a
   reader of two standards from appropriately relating their
   recommendations.  The authors of this document have not reviewed the
   definitions of the words in the listed glossaries and so can offer no
   assurance of their alignment.

   The second part, Section 4, contains a listing of SDOs that appear to
   be working on security standards.

   The third part, Section 5, lists the documents which have been found
   to offer good practices or recommendations for securing networks and
   networking devices.

3.  Online Security Glossaries

   This section contains references to glossaries of network and
   computer security terms.

3.1  ATIS Telecom Glossary 2000

   http://www.atis.org/tg2k/

   Under an approved T1 standards project (T1A1-20), an existing
   5800-entry, search-enabled hypertext telecommunications glossary
   titled Federal Standard 1037C, Glossary of Telecommunication Terms,
   was updated and matured into this glossary, T1.523-2001, Telecom
   Glossary 2000.  This updated glossary was posted on the Web as an
   American National Standard (ANS).

3.2  Critical Infrastructure Glossary of Terms and Acronyms

   http://www.ciao.gov/ciao_document_library/glossary/a.htm

   The Critical Infrastructure Assurance Office (CIAO) was created to
   coordinate the Federal Government's initiatives on critical
   infrastructure assurance.  While the glossary was not created as a
   glossary specifically for security terms, it is populated with many
   security related definitions, abbreviations, organizations, and
   concepts.

3.3  Internet Security Glossary - RFC 2828

   http://www.ietf.org/rfc/rfc2828.txt

   Created in May 2000, the document defines itself to be, "an
   internally consistent, complementary set of abbreviations,
   definitions, explanations, and recommendations for use of terminology
   related to information system security."
   Throughout the document, the glossary marks each listed definition as
   being one of:

   o  a recommended Internet definition

   o  a recommended non-Internet definition

   o  not recommended as the first choice for Internet documents but
      something that an author of an Internet document would need to
      know

   o  a definition that shouldn't be used in Internet documents

   o  additional commentary or usage guidance

3.4  Compendium of Approved ITU-T Security Definitions

   http://www.itu.int/itudoc/itu-t/com17/activity/def004.html

   Addendum to the Compendium of the Approved ITU-T Security-related
   Definitions:
   http://www.itu.int/itudoc/itu-t/com17/activity/add002.html

   These extensive materials were created from approved ITU-T
   Recommendations with a view toward establishing a common
   understanding and use of security terms within ITU-T.

3.5  Microsoft Solutions for Security Glossary

   http://www.microsoft.com/security/glossary/

   The Microsoft Solutions for Security Glossary was created to explain
   the concepts, technologies, and products associated with computer
   security.  This glossary contains several definitions specific to
   Microsoft proprietary technologies and product solutions.

3.6  SANS Glossary of Security Terms

   http://www.sans.org/resources/glossary.php

   The SANS Institute (SysAdmin, Audit, Network, Security) was created
   in 1989 as, "a cooperative research and education organization."
   Updated in May 2003, SANS cites the NSA for their help in creating
   the online glossary of security terms.  The SANS Institute is also
   home to many other resources including the SANS Intrusion Detection
   FAQ and the SANS/FBI Top 20 Vulnerabilities List.

3.7  USC InfoSec Glossary

   http://www.usc.edu/org/infosec/resources/glossary_a.html

   A glossary of Information Systems security terms compiled by the
   University of Southern California Office of Information Security.

4.  Standards Developing Organizations

   This section of this document lists the SDOs, or organizations, that
   appear to be developing security related standards.  These SDOs are
   listed in alphabetical order.

   Note: The authors would appreciate corrections and additions.  This
   note will be removed before publication as an RFC.

4.1  3GPP - Third Generation P P

   http://www.3gpp.org

   The 3rd Generation Partnership Project (3GPP) is a collaboration
   agreement formed in December 1998.  The collaboration agreement is
   comprised of several telecommunications standards bodies which are
   known as "Organizational Partners".  The current Organizational
   Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC.

4.2  3GPP2 - Third Generation P P 2

   http://www.3gpp2.org

   Third Generation Partnership Project 2 (3GPP2) is a collaboration
   among Organizational Partners much like its sister project 3GPP.  The
   Organizational Partners (OPs) currently involved with 3GPP2 are ARIB,
   CCSA, TIA, TTA, and TTC.  In addition to the OPs, 3GPP2 also welcomes
   the CDMA Development Group and IPv6 Forum as Market Representation
   Partners for market advice.

4.3  ANSI - The American National Standards Institute

   http://www.ansi.org

   ANSI is a private, non-profit organization that organizes and
   oversees the U.S. voluntary standardization and conformity
   assessment system.  ANSI was founded October 19, 1918.

4.4  ATIS - Alliance for Telecommunications Industry Solutions

   http://www.atis.org

   ATIS is a United States based body that is committed to rapidly
   developing and promoting technical and operations standards for the
   communications and related information technologies industry
   worldwide using a pragmatic, flexible and open approach.  Committee
   T1 as a group no longer exists as a result of the recent ATIS
   reorganization on January 1, 2004.
   ATIS has restructured the former T1 technical subcommittees into full
   ATIS standards committees to easily identify and promote the nature
   of standards work each committee performs.  Due to the
   reorganization, some groups may have a new mission and scope
   statement.

4.4.1  ATIS Network Performance, Reliability and Quality of Service
       Committee, formerly T1A1

   http://www.atis.org/0010/index.asp

   ATIS Network Performance, Reliability and Quality of Service
   Committee develops and recommends standards, requirements, and
   technical reports related to the performance, reliability, and
   associated security aspects of communications networks, as well as
   the processing of voice, audio, data, image, and video signals, and
   their multimedia integration.

4.4.2  ATIS Network Interface, Power, and Protection Committee,
       formerly T1E1

   http://www.atis.org/0050/index.asp

   ATIS Network Interface, Power, and Protection Committee develops and
   recommends standards and technical reports related to power systems,
   electrical and physical protection for the exchange and interexchange
   carrier networks, and interfaces associated with user access to
   telecommunications networks.

4.4.3  ATIS Telecom Management and Operations Committee, formerly T1M1
       OAM&P

   http://www.atis.org/0130/index.asp

   ATIS Telecom Management and Operations Committee develops
   internetwork operations, administration, maintenance and provisioning
   standards, and technical reports related to interfaces for
   telecommunications networks.

4.4.4  ATIS Ordering and Billing Forum regarding T1M1 O&B

   http://www.atis.org/obf/index.asp

   The T1M1 O&B subcommittee has become part of the ATIS Ordering and
   Billing Forum.  The authors are investigating this and hope to
   provide a clear scope of their effort.
4.4.5  ATIS Wireless Technologies and Systems Committee, formerly T1P1

   http://www.atis.org/0160/index.asp

   ATIS Wireless Technologies and Systems Committee develops and
   recommends standards and technical reports related to wireless and/or
   mobile services and systems, including service descriptions and
   wireless technologies.

4.4.6  ATIS Packet Technologies and Systems Committee, regarding T1S1

   T1S1 was split into two separate ATIS committees: the ATIS Packet
   Technologies and Systems Committee and the ATIS Protocol Interworking
   Committee.  As a result of the reorganization of T1S1, these groups
   will also probably have a new mission and scope.

4.4.7  ATIS Protocol Interworking Committee, regarding T1S1

   T1S1 was split into two separate ATIS committees: the ATIS Packet
   Technologies and Systems Committee and the ATIS Protocol Interworking
   Committee.  As a result of the reorganization of T1S1, these groups
   will also probably have a new mission and scope.

4.4.8  ATIS Optical Transport and Synchronization Committee, formerly
       T1X1

   http://www.atis.org/0240/index.asp

   ATIS Optical Transport and Synchronization Committee develops and
   recommends standards and prepares technical reports related to
   telecommunications network technology pertaining to network
   synchronization interfaces and hierarchical structures including
   optical technology.

4.5  CC - Common Criteria

   http://csrc.nist.gov/cc/

   Note: The URL for the Common Criteria organization was
   http://www.commoncriteria.org/; however, they have elected to take
   their web site offline for the time being.  It is hoped that the
   proper URL will be available before this document becomes an RFC.
   This note will be removed prior to publication as an RFC.
   In June 1993, the sponsoring organizations of the existing US,
   Canadian, and European criteria (TCSEC, ITSEC, and similar) started
   the Common Criteria Project to align their separate criteria into a
   single set of IT security criteria.

4.6  DMTF - Distributed Management Task Force, Inc.

   http://www.dmtf.org/

   Founded in 1992, the DMTF brings the technology industry's customers
   and top vendors together in a collaborative, working group approach
   that involves DMTF members in all aspects of specification
   development and refinement.

4.7  ETSI - The European Telecommunications Standard Institute

   http://www.etsi.org/

   ETSI is an independent, non-profit organization which produces
   telecommunications standards.  ETSI is based in Sophia-Antipolis in
   the south of France and maintains a membership from 55 countries.

   Joint work between ETSI and ITU-T SG-17:
   http://docbox.etsi.org/OCG/OCG/GSC9/GSC9_JointT%26R/GSC9_Joint_011_Security_Standardization_in_ITU.ppt

4.8  GGF - Global Grid Forum

   http://www.gridforum.org

   The Global Grid Forum (GGF) is a community-initiated forum of
   thousands of individuals from industry and research leading the
   global standardization effort for grid computing.  GGF's primary
   objectives are to promote and support the development, deployment,
   and implementation of Grid technologies and applications via the
   creation and documentation of "best practices" - technical
   specifications, user experiences, and implementation guidelines.

4.9  IEEE - The Institute of Electrical and Electronics Engineers, Inc.

   http://www.ieee.org

   IEEE is a non-profit, technical professional association of more than
   360,000 individual members in approximately 175 countries.
   The IEEE produces 30 percent of the world's published literature in
   electrical engineering, computers and control technology through its
   technical publishing, conferences and consensus-based standards
   activities.

4.10  IETF - The Internet Engineering Task Force

   http://www.ietf.org

   IETF is a large, international community open to any interested
   individual concerned with the evolution of the Internet architecture
   and the smooth operation of the Internet.

4.11  INCITS - InterNational Committee for Information Technology
      Standards

   http://www.incits.org

   INCITS focuses upon standardization in the field of Information and
   Communications Technologies (ICT), encompassing storage, processing,
   transfer, display, management, organization, and retrieval of
   information.

4.12  ISO - The International Organization for Standardization

   http://www.iso.org

   ISO is a network of the national standards institutes of 148
   countries, on the basis of one member per country, with a Central
   Secretariat in Geneva, Switzerland, that coordinates the system.  ISO
   officially began operations on February 23, 1947.

4.13  ITU - International Telecommunication Union

   http://www.itu.int/

   The ITU is an international organization within the United Nations
   System headquartered in Geneva, Switzerland.  The ITU is comprised of
   three sectors:

4.13.1  ITU Telecommunication Standardization Sector - ITU-T

   http://www.itu.int/ITU-T/

   ITU-T's mission is to ensure an efficient and on-time production of
   high quality standards covering all fields of telecommunications.

4.13.2  ITU Radiocommunication Sector - ITU-R

   http://www.itu.int/ITU-R/

   The ITU-R plays a vital role in the management of the radio-frequency
   spectrum and satellite orbits.
4.13.3  ITU Telecom Development - ITU-D

   (also referred to as ITU Telecommunication Development Bureau - BDT)
   http://www.itu.int/ITU-D/

   The Telecommunication Development Bureau (BDT) is the executive arm
   of the Telecommunication Development Sector.  Its duties and
   responsibilities cover a variety of functions ranging from programme
   supervision and technical advice to the collection, processing and
   publication of information relevant to telecommunication development.

4.14  OASIS - Organization for the Advancement of Structured
      Information Standards

   http://www.oasis-open.org/

   OASIS is a not-for-profit, international consortium that drives the
   development, convergence, and adoption of e-business standards.

4.15  OIF - Optical Internetworking Forum

   http://www.oiforum.com/

   On April 20, 1998 Cisco Systems and Ciena Corporation announced an
   industry-wide initiative to create the Optical Internetworking Forum,
   an open forum focused on accelerating the deployment of optical
   internetworks.

4.16  NRIC - The Network Reliability and Interoperability Council

   http://www.nric.org/

   The purposes of the Committee are to give telecommunications industry
   leaders the opportunity to provide recommendations to the FCC and to
   the industry that assure optimal reliability and interoperability of
   telecommunications networks.  The Committee addresses topics in the
   area of Homeland Security, reliability, interoperability, and
   broadband deployment.

4.17  TIA - The Telecommunications Industry Association

   http://www.tiaonline.org

   TIA is accredited by ANSI to develop voluntary industry standards for
   a wide variety of telecommunications products.  TIA's Standards and
   Technology Department is composed of five divisions: Fiber Optics,
   User Premises Equipment, Network Equipment, Wireless Communications
   and Satellite Communications.
4.18  Web Services Interoperability Organization (WS-I)

   http://www.ws-i.org/

   WS-I is an open, industry organization chartered to promote Web
   services interoperability across platforms, operating systems, and
   programming languages.  The organization works across the industry
   and standards organizations to respond to customer needs by providing
   guidance, best practices, and resources for developing Web services
   solutions.

5.  Security Best Practices Efforts and Documents

   This section lists the works produced by the SDOs.

5.1  3GPP - TSG SA WG3 (Security)

   http://www.3gpp.org/TB/SA/SA3/SA3.htm

   TSG SA WG3 Security is responsible for the security of the 3GPP
   system, performing analyses of potential security threats to the
   system, considering the new threats introduced by the IP based
   services and systems and setting the security requirements for the
   overall 3GPP system.

   Specifications:
   http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm

   Work Items:
   http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--s3--wis.htm

   3GPP Confidentiality and Integrity algorithms:
   http://www.3gpp.org/TB/Other/algorithms.htm

5.2  3GPP2 - TSG-S Working Group 4 (Security)

   http://www.3gpp2.org/Public_html/S/index.cfm

   The Services and Systems Aspects TSG (TSG-S) is responsible for the
   development of service capability requirements for systems based on
   3GPP2 specifications.  Among its responsibilities TSG-S is addressing
   management, technical coordination, as well as architectural and
   requirements development associated with all end-to-end features,
   services and system capabilities including, but not limited to,
   security and QoS.
   TSG-S Specifications:
   http://www.3gpp2.org/Public_html/specs/index.cfm#tsgs

5.3  American National Standard T1.276-2003 - Baseline Security
     Requirements for the Management Plane

   Abstract: This standard contains a set of baseline security
   requirements for the management plane.  The President's National
   Security Telecommunications Advisory Committee Network Security
   Information Exchange (NSIE) and Government NSIE jointly established a
   Security Requirements Working Group (SRWG) to examine the security
   requirements for controlling access to the public switched network,
   in particular with respect to the emerging next generation network.

   In the telecommunications industry, this access incorporates
   operation, administration, maintenance, and provisioning for network
   elements and various supporting systems and databases.  Members of
   the SRWG, from a cross-section of telecommunications carriers and
   vendors, developed an initial list of security requirements that
   would allow vendors, government departments and agencies, and service
   providers to implement a secure telecommunications network management
   infrastructure.  This initial list of security requirements was
   submitted as a contribution to Committee T1 - Telecommunications,
   Working Group T1M1.5 for consideration as a standard.  The
   requirements outlined in this document will allow vendors, government
   departments and agencies, and service providers to implement a secure
   telecommunications network management infrastructure.
656 Documents: 657 http://webstore.ansi.org/ansidocstore/product.asp?sku=T1%2E276%2D2003 659 5.4 DMTF - Security Protection and Management (SPAM) Working Group 661 http://www.dmtf.org/about/committees/spamWGCharter.pdf 663 The Working Group will define a CIM Common Model that addresses 664 security protection and detection technologies, which may include 665 devices and services, and classifies security information, attacks 666 and responses. 668 5.5 DMTF - User and Security Working Group 670 http://www.dmtf.org/about/committees/userWGCharter.pdf 672 The User and Security Working Group defines objects and access 673 methods required for principals - where principals include users, 674 groups, software agents, systems, and organizations. 676 5.6 ATIS Security & Emergency Preparedness Activities 678 http://www.atis.org/atis/atisinfo/emergency/ 679 security_committee_activities_T1.htm 681 The link above contains the description of the ATIS Communications 682 Security Model, the scopes of the Technical Subcommittees in relation 683 to the security model, and a list of published documents produced by 684 ATIS addressed to various aspects of network security. 686 5.7 ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End 687 Standards and Solutions 689 ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf 690 The ATIS TOPS Security Focus Group has made recommendations on work 691 items needed to be performed by other SDOs. 693 5.8 Common Criteria 695 http://csrc.nist.gov/cc/ 697 Version 1.0 of the CC was completed in January 1996. Based on a 698 number of trial evaluations and an extensive public review, Version 699 1.0 was extensively revised and CC Version 2.0 was produced in April 700 of 1998. This became ISO International Standard 15408 in 1999. The 701 CC Project subsequently incorporated the minor changes that had 702 resulted in the ISO process, producing CC version 2.1 in August 1999. 
704 Common Criteria v2.1 contains: 705 Part 1 - Intro & General Model 706 Part 2 - Functional Requirements (including Annexes) 707 Part 3 - Assurance Requirements 709 Documents: Common Criteria V2.1 710 http://csrc.nist.gov/cc/CC-v2.1.html 712 5.9 ETSI 714 http://www.etsi.org 716 The ETSI hosted the ETSI Global Security Conference in late November, 717 2003, which could lead to a standard. 719 Groups related to security located from the ETSI Groups Portal: 720 OCG Security 721 3GPP SA3 722 TISPAN WG7 724 5.10 GGF Security Area (SEC) 726 https://forge.gridforum.org/projects/sec/ 728 The Security Area (SEC) is concerned with various issues relating to 729 authentication and authorization in Grid environments. 731 Working groups: 732 Authorization Frameworks and Mechanisms WG (AuthZ-WG) - 733 https://forge.gridforum.org/projects/authz-wg 734 Certificate Authority Operations Working Group (CAOPS-WG) - 735 https://forge.gridforum.org/projects/caops-wg 736 OGSA Authorization Working Group (OGSA-AUTHZ) - 737 https://forge.gridforum.org/projects/ogsa-authz 738 Grid Security Infrastructure (GSI-WG) - 739 https://forge.gridforum.org/projects/gsi-wg 741 5.11 Information System Security Assurance Architecture 743 IEEE Working Group - http://issaa.org/ 745 Formerly the Security Certification and Accreditation of Information 746 Systems (SCAISWG), IEEE Project 1700's purpose is to develop a draft 747 Standard for Information System Security Assurance Architecture for 748 ballot and during the process begin development of a suite of 749 associated standards for components of that architecture. 751 Documents: http://issaa.org/documents/index.html 753 5.12 Operational Security Requirements for IP Network Infrastructure : 754 Advanced Requirements 756 IETF Internet-Draft 758 Abstract: This document defines a list of operational security 759 requirements for the infrastructure of large ISP IP networks (routers 760 and switches). 
   A framework is defined for specifying "profiles", which are
   collections of requirements applicable to certain network topology
   contexts (all, core-only, edge-only...). The goal is to provide
   network operators a clear, concise way of communicating their
   security requirements to vendors.

   Documents:
   http://www.ietf.org/internet-drafts/draft-jones-opsec-06.txt

5.13 INCITS Technical Committee T4 - Security Techniques

   http://www.incits.org/tc_home/t4.htm

   Technical Committee T4, Security Techniques, participates in the
   standardization of generic methods for information technology
   security. This includes development of: security techniques and
   mechanisms; security guidelines; security evaluation criteria; and
   identification of generic requirements for information technology
   system security services.

5.14 INCITS Technical Committee T11 - Fibre Channel Interfaces

   http://www.t11.org/index.htm

   T11 is responsible for standards development in the areas of
   Intelligent Peripheral Interface (IPI), High-Performance Parallel
   Interface (HIPPI) and Fibre Channel (FC). T11 has a project called
   FC-SP to define Security Protocols for Fibre Channel.

   FC-SP Project Proposal:
   ftp://ftp.t11.org/t11/admin/project_proposals/02-036v2.pdf

5.15 ISO Guidelines for the Management of IT Security - GMITS

   Guidelines for the Management of IT Security -- Part 1: Concepts
   and models for IT Security

   http://www.iso.ch/iso/en/
   CatalogueDetailPage.CatalogueDetail?CSNUMBER=21733&ICS1=35

   Guidelines for the Management of IT Security -- Part 2: Managing
   and planning IT Security

   http://www.iso.org/iso/en/
   CatalogueDetailPage.CatalogueDetail?CSNUMBER=21755&ICS1=35&ICS2=40&ICS3=

   Guidelines for the Management of IT Security -- Part 3: Techniques
   for the management of IT Security

   http://www.iso.org/iso/en/
   CatalogueDetailPage.CatalogueDetail?CSNUMBER=21756&ICS1=35&ICS2=40&ICS3=

   Guidelines for the Management of IT Security -- Part 4: Selection
   of safeguards

   http://www.iso.org/iso/en/
   CatalogueDetailPage.CatalogueDetail?CSNUMBER=29240&ICS1=35&ICS2=40&ICS3=

   Guidelines for the Management of IT Security -- Part 5: Management
   guidance on network security

   http://www.iso.org/iso/en/
   CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40&ICS3=

   Open Systems Interconnection -- Network layer security protocol

   http://www.iso.org/iso/en/
   CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100&ICS3=30

5.16 ISO JTC 1/SC 27

   http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/
   TechnicalProgrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143

   Several security related ISO projects under JTC 1/SC 27 are listed
   here, such as:
      IT security techniques -- Entity authentication
      Security techniques -- Key management
      Security techniques -- Evaluation criteria for IT security
      Security techniques -- A framework for IT security assurance
      IT Security techniques -- Code of practice for information
      security management
      Security techniques -- IT network security
      Guidelines for the implementation, operation and management of
      Intrusion Detection Systems (IDS)
      International Security, Trust, and Privacy Alliance -- Privacy
      Framework

5.17 ITU-T Study Group 2

   http://www.itu.int/ITU-T/studygroups/com02/index.asp

   Security related recommendations currently under study:
      E.408 Telecommunication networks security requirements Q.5/2
      (was E.sec1)
      E.409 Incident Organisation and Security Incident Handling
      Q.5/2 (was E.sec2)

   Note: Access requires TIES account.

5.18 ITU-T Recommendation M.3016

   http://www.itu.int/itudoc/itu-t/com4/contr/068.html

   This recommendation provides an overview and framework that
   identifies security threats to a TMN and outlines how available
   security services can be applied within the context of the TMN
   functional architecture.

5.19 ITU-T Recommendation X.805

   http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html

   This Recommendation defines the general security-related
   architectural elements that, when appropriately applied, can
   provide end-to-end network security.

5.20 ITU-T Study Group 16

   http://www.itu.int/ITU-T/studygroups/com16/index.asp

   Security of Multimedia Systems and Services - Question G/16

   http://www.itu.int/ITU-T/studygroups/com16/sg16-qg.html

5.21 ITU-T Study Group 17

   http://www.itu.int/ITU-T/studygroups/com17/index.asp

   ITU-T Study Group 17 is the Lead Study Group on Communication
   System Security

   http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html

   Study Group 17 Security Project:

   http://www.itu.int/ITU-T/studygroups/com17/security/index.html

   During its November 2002 meeting, Study Group 17 agreed to
   establish a new project entitled "Security Project" under the
   leadership of Q.10/17 to coordinate the ITU-T standardization
   effort on security.
   An analysis of the status of ITU-T Study Group action on
   information and communication network security may be found in TSB
   Circular 147 of 14 February 2003.

5.22 Catalogue of ITU-T Recommendations related to Communications
     System Security

   http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html

   The Catalogue of approved security Recommendations includes those
   designed for security purposes and those which describe or use
   functions of security interest and need. Although some of the
   security related Recommendations include the phrase "Open Systems
   Interconnection", much of the information contained in them is
   pertinent to the establishment of security functionality in any
   communicating system.

5.23 ITU-T Security Manual

   http://www.itu.int/ITU-T/edh/files/security-manual.pdf

   TSB is preparing an "ITU-T Security Manual" to provide an overview
   of security in telecommunications and information technologies,
   describe practical issues, and indicate how the different aspects
   of security in today's applications are addressed by ITU-T
   Recommendations. This manual has a tutorial character: it collects
   security related material from ITU-T Recommendations into one place
   and explains the respective relationships. The intended audience
   for this manual is engineers and product managers, students and
   academia, as well as regulators who want to better understand
   security aspects in practical applications.

5.24 NRIC VI Focus Groups

   http://www.nric.org/fg/index.html

   The Network Reliability and Interoperability Council (NRIC) was
   formed to provide recommendations to the FCC and to the industry to
   assure the reliability and interoperability of wireless, wireline,
   satellite, and cable public telecommunications networks. These
   documents provide general information and guidance on NRIC Focus
   Group 1B (Cybersecurity) Best Practices for the prevention of
   cyberattack and for restoration following a cyberattack.

   Documents:
      Homeland Defense - Recommendations Published 14-Mar-03
      Preventative Best Practices - Recommendations Published 14-Mar-03
      Recovery Best Practices - Recommendations Published 14-Mar-03
      Best Practice Appendices - Recommendations Published 14-Mar-03

5.25 OASIS Security Joint Committee

   http://www.oasis-open.org/committees/
   tc_home.php?wg_abbrev=security-jc

   The purpose of the Security JC is to coordinate the technical
   activities of multiple security related TCs. The SJC is advisory
   only, and has no deliverables. The Security JC will promote the use
   of consistent terms, promote re-use, champion an OASIS security
   standards model, provide consistent PR, and promote mutuality,
   operational independence and ethics.

5.26 OASIS Security Services TC

   http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

   The Security Services TC is working to advance the Security
   Assertion Markup Language (SAML) as an OASIS standard. SAML is an
   XML framework for exchanging authentication and authorization
   information.

5.27 OIF Implementation Agreements

   The OIF has 2 approved Implementation Agreements (IAs) relating to
   security. They are:

   OIF-SMI-01.0 - Security Management Interfaces to Network Elements

   This Implementation Agreement lists objectives for securing OAM&P
   interfaces to a Network Element and then specifies ways of using
   security systems (e.g., IPsec or TLS) for securing these
   interfaces. It summarizes how well each of the systems, used as
   specified, satisfies the objectives.

   OIF-SEP-01.1 - Security Extension for UNI and NNI

   This Implementation Agreement defines a common Security Extension
   for securing the protocols used in UNI 1.0, UNI 2.0, and NNI.

   Documents: http://www.oiforum.com/public/documents/Security-IA.pdf

5.28 TIA

   The TIA has produced the "Compendium of Emergency Communications
   and Communications Network Security-related Work Activities". This
   document identifies standards, or other technical documents and
   ongoing Emergency/Public Safety Communications and Communications
   Network Security-related work activities within TIA and its
   Engineering Committees. Many P25 documents are specifically
   detailed. This "living document" is presented for information,
   coordination and reference.

   Documents: http://www.tiaonline.org/standards/cip/EMTEL_sec.pdf

5.29 WS-I Basic Security Profile

   http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html

   The WS-I Basic Security Profile 1.0 consists of a set of
   non-proprietary Web services specifications, along with
   clarifications and amendments to those specifications which promote
   interoperability.

6. Security Considerations

   This document describes efforts to standardize security practices
   and documents. As such this document offers no security guidance
   whatsoever.

   Readers of this document should be aware of its date of
   publication. The efforts, on-line material, and documents listed
   here may no longer be current, and readers should not assume that
   they are.

7. IANA Considerations

   This Internet Draft does not propose a standard but is trying to
   pull together information about the security related efforts of all
   Standards Developing Organizations and some other efforts which
   provide good security methods, practices or recommendations.

8. Acknowledgments

   The following people have contributed to this document. Listing
   their names here does not mean that they endorse the document, but
   that they have contributed to its substance.

   David Black, Mark Ellison, George Jones, Keith McCloghrie, John
   McDonough, Art Reilly, Chip Sharp, Dane Skow.

9. Changes from Prior Drafts

   -00 : Initial draft

   -01 : Security Glossaries:
            Added ATIS Telecom Glossary 2000, Critical Infrastructure
            Glossary of Terms and Acronyms, Microsoft Solutions for
            Security Glossary, and USC InfoSec Glossary.
         Standards Developing Organizations:
            Added DMTF, GGF, INCITS, OASIS, and WS-I.
            Removal of Committee T1 and modifications to ATIS and
            former T1 technical subcommittees due to the recent ATIS
            reorganization.
         Efforts and Documents:
            Added DMTF User and Security WG, DMTF SPAM WG, GGF
            Security Area (SEC), INCITS Technical Committee T4 -
            Security Techniques, INCITS Technical Committee T11 -
            Fibre Channel Interfaces, ISO JTC 1/SC 27 projects, OASIS
            Security Joint Committee, OASIS Security Services TC, and
            WS-I Basic Security Profile.
            Updated Operational Security Requirements for IP Network
            Infrastructure : Advanced Requirements.

   Note: This section will be removed before publication as an RFC.

10. References

10.1 Normative References

   [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
       Levels", RFC 2119, STD 14, March 1997.

10.2 Informative References

   [2] Narten, T. and H. Alvestrand, "Guidelines for writing an IANA
       Considerations Section in RFCs", RFC 2869, BCP 26, October
       1998.

Authors' Addresses

   Chris Lonvick
   Cisco Systems
   12515 Research Blvd.
   Austin, Texas 78759
   US

   Phone: +1 512 378 1182
   EMail: clonvick@cisco.com

   David Spak
   Cisco Systems
   12515 Research Blvd.
   Austin, Texas 78759
   US

   Phone: +1 512 378 1720
   EMail: dspak@cisco.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed
   to pertain to the implementation or use of the technology described
   in this document or the extent to which any license under such
   rights might or might not be available; nor does it represent that
   it has made any independent effort to identify any such rights.
   Information on the procedures with respect to rights in RFC
   documents can be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository
   at http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard. Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on
   an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE
   OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY
   IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
   PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2004). This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.