Security Architectures – or finding a framework “for dummies”

Posted: September 4, 2013 in technical
Tags: , , , , , , , ,

I have just had a series of talks the past weeks with a good friend of mine. He is a Security Architect for a large company up north. I’m curious about what he is doing there, so initially I was thinking of organising our discussions as some form of an interview. Later on, my proverbial laziness got the best of me, so I downgrade our nice chat to a short blog post (this one).

Bottom line: I’ve asked him what it means to be a Security Architect. It went somewhere along these lines:

What are you doing there? Is it cool? Is it nice? Do you do cool stuff? Cristina being a bit of a chipmunk at this point

You won’t find it that cool, most probably. I don’t get to dig into the GTPv2 as you do.

Absolutely unsatisfactory – I say. Nevertheless, our discussion digressed into an interesting side-area: security frameworks and how to do network architectures security assessments. I asked for a framework to do these assessment.

Ok I will recommend something – but I don’t usually stick to frameworks, as it depends on the assignment and other stuff more to me. Like experience. So I go by from my head – yueah I know it sounds bad, but it works for me, as long as I remember to include all the areas.

Again, completely unsatisfactory – I say. Still, continuing the discussion, I realise the guy is right: it _actually IS_ about experience. Whatever “framework” is just a nice area checklist to help you with not missing out on stuff. This guy has too much experience to use any frameworks at the moment, but I need something to start learning this stuff. I did find something, and my friend corroborated my findings. Fortunately, his examples and details from his experience nicely matched the framework that I also liked for my research: ITU-T X.805.

Now – before you start complaining about the 10 year old framework and this bunch of stuff – hold your horses.

1. First of all, the age of the framework hardly makes a difference when it comes to how well one can use it

2. To my observations, the frameworks are so bloody abstract that one can hardly make use of any of them, unless he/she knows what he/she is doing – which somehow seems to make sense: if you don’t know what you are doing, a nicely printed document listing a bunch of areas to look into does not solve your main thing: WHAT are you looking AT?

3. As far as I searched and could find, most of the frameworks are created by people with experience in Network design and security. And when I say network, I mean LAN + WAN. Or Datacenter. They seem to think about DNS and mail services, into Customer Service, remote access things, authentication or BYOD. Very pretty I would say. But I’m a telco chick. I think in terms of SS7, GTP, radio signals, multiple layers of encapsulation, continuously moving target, roaming IP addresses, reachability, mobile privacy and intercept. Talking about mailserver security is good, but it’s not enough for me. Or maybe I am just not applying them properly…

Given the above, and mostly #3, I refrained from looking into your traditional company network design best practices from Cisco, or datacenter stuff from Oracle – best practices, also not looking at NIST standards (for the record: I did actually look into those, but I don’t think it made a difference for my decision). I need something in between. And so far the only “in between” thing I know is ITU. The org which can talk DNS and mail, but can also make sense of mobile networks. The reason why I didn’t stop at ALU or Cisco, Ericsson or Tekelec is that, like it or not, whatever they say, it really is mapped on what they do as a business. They advertise independency and abstraction, but I’ve seen enough of them to know what’s behind the scenes. Not that ITU is 100% abstract, innocent, trustworthy or vendor-independent. But let’s say: it’s a good compromise for a dummy as myself.

So: to make a long story short:

ITU-T X.805 – Series X: Data networks and open system communications – Security architecture for systems providing end-to-end communications

Yes, I did expect it to be very generic and not bring anything new. Afterall, security is still a talk about CIA triangle, finding a good mix between usability, functionality and security, and a long-long talk about access control, authentication, non-repudiation, confidentiality, integrity, availability, privacy and so on.

No, I did NOT expect it to be overly helpful in getting me started.

What I DID expect and received is a glimpse of how the end-result should look like. Might seem too far-fetched and not a thing to consider as a dummy, but it did help me. Let me explain. It’s not about getting information on telcos in general (I would get that from engineers, architects etc. or my own experience). It’s about figuring out that whatever information you get must be useful input when you would end up discussing about the security of a network. X.805 shows you where you need to get. Yes, analyse how well-designed the Tracking Areas are. Yes, analyse how strong the encryption algorithm is. Yes, analyse management is monitored and audited on a per-session basis. BUT: in the end, you should be able to give people a measurable and actionable view of the security of their architecture. And I can say it’s good to use AES, when compared to DES. I can say it’s good or bad to use some firewall rules or the others, but that cannot measure an entire network.

This is why X.805 created the nice matrix – presented also in this slide. You look at control-plane, user-plane and management-plane, you look at security in infrastructure, services and applications, and then you talk about CIA and other fancy triangles. It may seem as common sense, but when you have the entire universe of technologies in front you, then tell me you don’t need a structure to give you a bit of a grasp on them, a starting point, something! 

Armed with the end-result framework, you would be able then to decide how to apply it. And in his ITU slides linked above, the presenter shows he would apply the X.805 in the world of telcos. I am not sure how far he would go with details, but at least I see somebody willing to look into protocols like H.323, SIP, SS7 stack, rather than just into SMTP or classical IPsec.

Grabbing it from the other end, the end where you start looking into technical stuff, I cannot say too many things at the moment, but I would start by reading a lot of documentation and talking to people, in order to understand how and why they did what they did. I would use there design best practices specific to each technology (ex.: how you do key management in 4G, how you define security domains, how is access control employed throughout the network, up to how many of the 3GPP SA 3 Security Requirements and Best Practices have actually been followed). For the curious folk, I have started with this part: TS 33.401 – System Architecture Evolution (SAE) – Security architecture. Nothing compares to the good old key hierarchy descriptions, requirements on how to store keys in volatile memory on the eNBs, how to handle Security Contexts consistently throughout the 4G access network, based on the strength and origin of a context or how to make the best out of the ASN.1 Packet Encoding Rules, unaligned option. Pleeeenty of playground security-wise there.

And to spice things up a bit, you cannot just analyse security. You need to be aware of the level of abstraction. If you start digging into eNB software security, then you need a lot of time to do it at that system-level throughout the network. If you start looking into security processes, you probably won’t end up digging through how the MME does key management or how _exactly_ is the user-plane vs. control-plane separation done in the non-direct-tunnelling-enabled SGSN software…

Now, tell me: is it just me stumbling upon this document and liking it for the lack of a better one? or does it make sense? If any of you worked on telcos, what kind of frameworks you used to assess and maybe improve the security of such an environment?


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s