
Content for  TR 33.805  Word version:  12.0.0


1  Scope

The present document studies methodologies for specifying network product security assurance and hardening requirements, with associated test cases when feasible, of 3GPP network products. Network product security assurance and hardening refers to protection against unwanted access to a 3GPP network product, its Operating System, and main running Application(s). The suitability of industry standard methodologies and the potential need for collaboration with bodies such as GSMA, CCRA, ISO and ITU will be assessed. The study will also consider regulatory aspects and the potential need for security certification. The suitability of the candidate methodologies will be assessed with reference to real world examples.
Part of the scope of this work is to conclude which 3GPP network products, if not all, would be subject to 3GPP network product security assurance and hardening requirements. There is likely to be a long list with the result that prioritisation will be required. LTE network product classes will be the first priority. The work will also study exactly what should constitute a 3GPP network product in the context of this study e.g. whether it should be an individual 3GPP functional entity, a group of 3GPP functional entities or some other realisation.
The study will also include assessing the extent to which individual 3GPP network products need to be hardened beyond a common baseline and should take into consideration network vs. environment.

2  References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1]  TR 21.905: "Vocabulary for 3GPP Specifications".
[2]  GISFI_SP_201206260: "Report on Common Criteria".
[3]  The CC and CEM documents: http://www.commoncriteriaportal.org/cc/
[4]
[5]  CCRA Licensed Laboratories: http://www.commoncriteriaportal.org/labs/
[6]  On Certificate Authorizing and Consuming nation: http://www.commoncriteria-india.gov.in/Pages/InternationalPartners.aspx
[7]
[8]  TS 33.401: "3GPP System Architecture Evolution (SAE); Security architecture".
[9]  TS 33.402: "3GPP System Architecture Evolution (SAE); Security aspects of non-3GPP accesses".
[10]  TS 23.401: "General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access".
[11]  TS 23.402: "Architecture enhancements for non-3GPP accesses".
[12]  TS 33.310: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Network Domain Security (NDS); Authentication Framework (AF)".
[13]  TS 33.320: "Security of Home Node B (HNB) / Home evolved Node B (HeNB)".
[14]
[15]
[16]  General-Purpose Operating System Protection Profile, DRAFT, Version 3.9; http://www.niap-ccevs.org/pp/pp_gpos_v3.9.pdf
[17]  U.S. Government Approved Protection Profile - Protection Profile for Network Devices (NDPP), 08 June 2012. http://www.niap-ccevs.org/pp/pp_nd_v1.1.pdf
[18]
[19]  TS 33.210: "3G security; Network Domain Security (NDS); IP network layer security".
[20]  TR 33.821: "Rationale and track of security decisions in Long Term Evolution (LTE) RAN / 3GPP System Architecture Evolution (SAE)".
[21]  TS 33.102: "3G security; Security architecture".

3  Definitions and abbreviations

3.1  Definitions

For the purposes of the present document, the terms and definitions given in TR 21.905 and the following apply.
A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
Security Assurance Specification (SCAS):
The SCAS for a given network product class provides a description of the security requirements (which include test cases) pertaining to that network product class.
3GPP Security Assurance Methodology (SECAM):
The SECAM is a process used to measure the security features of 3GPP network products studied and described in the present document.
Accreditation:
Formal recognition by an accreditation body that a testing laboratory is impartial and competent to carry out specific tests or types of assessments. In the context of SECAM, it would be recognition that a testing laboratory is competent to assess the 3GPP network product against the requirements from the 3GPP SCAS and to produce an evaluation report.
Self-declaration:
Self-declaration is a declaration of the claims made on the network product by the vendor. It means that a vendor provides a self-declaration of its network product, based on the evaluation report required by SECAM, to the operator without any prior review of these reports by a certification authority.
Evaluation without accreditation:
Evaluation as defined below in self-evaluation or third-party evaluation but without accreditation of the labs in the country where the Security Assurance process is required.
Self-evaluation:
Self-evaluation is an assessment of the network product by the vendor. It means that the vendor has an accredited evaluation lab in its organization that performs the evaluation of the network product. The evaluation lab assesses the network product against defined criteria and produces an evaluation report according to a formalized and standardized procedure.
Third-party evaluation:
Third-party evaluation is an assessment of the network product by an independent third party. It means that a third party has an accredited evaluation lab that performs the evaluation of the network product. The evaluation lab assesses the network product against defined criteria and produces an evaluation report according to a formalized and standardized procedure. Third-party evaluation is similar to self-evaluation. The only difference is that the party performing the evaluation is different from the vendor.
Certification:
Certification is the confirmation by an independent Certification Authority (CA) that the evaluation has been properly carried out. That is, a confirmation that the evaluation criteria, evaluation methods and other procedures have been correctly applied and that the conclusions of the evaluation report are consistent with the evidence adduced. The CA does not test the network product or verify the security functionality of the network product. The CA examines the evaluation report. If the CA finds the evaluation report satisfactory, it issues a certificate stating this fact.
Certificate:
The certificate is the official document attesting that the evaluation of the 3GPP network product against the 3GPP Security Assurance Specifications (SCAS) was conducted correctly and was successful. This document is provided by the third-party certification authority. The value of the certificate is that an operator that trusts the Certification Authority (CA) can feel more assured that the network product fulfils the claimed security level.
Evaluator:
The Evaluator evaluates the network product and produces an evaluation report. The vendor, the operator, GSMA, NVIOT, 3GPP, GCF or some other party could take the evaluator role.
Auditee:
The Auditee is the 3GPP network product vendor who is to be evaluated. The Auditee is responsible for supplying all necessary information to the evaluators at the beginning of the evaluation.
Certification Authority (CA):
The entity responsible for the certification process.
Accreditation Authority:
The entity responsible for the accreditation process.
Assurance:
Assurance is the confidence that a network product meets its specific security objectives. Assurance is usually verified by performing an evaluation.
Assurance level:
The assurance level is related to evaluation effort in terms of scope, depth and rigor. For a higher assurance level, more information with more details is typically required, and this information will be analysed more rigorously.
Hardening:
Hardening contributes to the security baseline of a network product, achieved for example by configurations, settings, and protocol restrictions, to decrease the attack surface for a network product. The difference in hardening is one aspect that influences the security baseline of a network product.
Security baseline:
The security baseline of an evaluated network product is a set of security requirements and environmental assumptions defining its capacity to resist a given attack potential.
Vulnerability:
An exploitable issue in a network product rendering it unable to withstand attacks. Vulnerabilities create the risk of successful attacks.
Vulnerability Assessment (VA):
The process of assessing the output of SCT or BVT activities to classify the found issues by severity in order to identify those which are relevant vulnerabilities.
Security Compliance Testing (SCT):
Evaluation process step used in Methodology 2 to describe activities for checking the compliance of a network product with applicable Security Assurance Specifications (SCAS).
Basic Vulnerability Testing (BVT):
The process of running security tools against a network product. In Methodology 2, BVT is defined by the use of Free and Open Source Software (FOSS) and Commercial off-the-shelf (COTS) security testing tools on the external interfaces of the network product. Details on these tools can be found in Annex A.2.1.
Enhanced Vulnerability Testing (EVA):
Evaluation process step used in Methodology 2 and described in clause 5.2.4.5. This activity takes the output of the earlier Security Compliance Testing (SCT) and Basic Vulnerability Testing (BVT) into account.
Network product class:
A network product class, in the context of SECAM, is the class of products that all implement a common set of 3GPP defined functionalities.
Network product:
A network product is the instantiation of one or more network product class(es).

3.2  Abbreviations

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply.
An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
BVT  Basic Vulnerability Testing
CA  Certification Authority
CC  Common Criteria
COTS  Commercial off-the-shelf
EAL  Evaluation Assurance Level
EVA  Enhanced Vulnerability Testing
FOSS  Free and Open Source Software
GSF  Generic Security Functionality
ITSEF  Information Technology Security Evaluation Facility
PP  Protection Profile
SCAS  3GPP Security Assurance Specification
SAR  Security Assurance Requirements
SFR  Security Functional Requirements
SGSN  Serving GPRS Support Node
SCT  Security Compliance Testing
SECAM  Security Assurance Methodology
ST  Security Target
TCSEC  Trusted Computer System Evaluation Criteria
TOE  Target Of Evaluation
VA  Vulnerability Assessment