CC Certification for Telecom Products

Transcription

1 CC Certification for Telecom Products Huawei Technologies Co., Ltd th ICCC In Malaysia HUAWEI TECHNOLOGIES CO., LTD. Page 1

2 Agenda 1 Introduction 2 Cyber Security Policy 3 Best Development Practices 4 Our Achievements 5 Concluding Remarks HUAWEI TECHNOLOGIES CO., LTD. Page 2

3 Agenda 1 Introduction 2 Cyber Security Policy 3 Best Development Practices 4 Our Achievements 5 Concluding Remarks HUAWEI TECHNOLOGIES CO., LTD. Page 3

4 Introduction Holland Germany Mexico Hungary Romania Bahrain UAE India China Huawei Headquarters Brazil Malaysia Accounting share center Biding center (Planning) Supply center & Hub R&D center Training center Technical support center Argentina Mauritius 120,000+ employees with 150+ nationalities worldwide 15 Regional Headquarters, operations in 140+ countries Localized operation powered by global resources HUAWEI TECHNOLOGIES CO., LTD. Page 4

5 Cyber Security an Increasing Global Threat Government Operator End User XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX HUAWEI TECHNOLOGIES CO., LTD. Page 5

6 Challenges for All Participants Government Operator High-efficiency and low cost security entry control and supervision systems Balance between security assurance and cost of business operation End User Cyber Security Vendor More risk aware and discerning Secure and trusted delivery & enhanced security assurance Common Criteria (CC) HUAWEI TECHNOLOGIES CO., LTD. Page 6

7 Agenda 1 Introduction 2 Cyber Security Policy 3 Best Development Practices 4 Our Achievements 5 Concluding Remarks HUAWEI TECHNOLOGIES CO., LTD. Page 7

8 Security Goal Enter Take away Understand Change Get away HUAWEI TECHNOLOGIES CO., LTD. Page 8

9 Independent ISMS Audit Huawei has been BS7799 certified since 2004 The certificate was updated to ISO27001 in 2007 The current ISO27001 certificate was released in July, 2010 Certified Headquarters Beijing Representative Office Shanghai Research Institute Huawei Germany Offices Huawei Belgium Offices France Offices UK Office Spain Office Italy Offices Ongoing Portugal Office Singapore Office Switzerland Offices HUAWEI TECHNOLOGIES CO., LTD. Page 9

10 Our Security Policy Compliance to a series of standards ITU x.805 and 3GPP standards for telecom products Global cyber security organization with branches in 4 countries, UK, U.S., France and India. In UK, a security lab has been established. Great efforts to local regulations and laws on cyber security, especially for telecom products HUAWEI TECHNOLOGIES CO., LTD. Page 10

11 Huawei s Perspective Privacy Separation of duties Access Control Threats Protection against various attacks, risk analysis Vulnerability Security designed in solution Security embedded in process Issues Solutions HUAWEI TECHNOLOGIES CO., LTD. Page 11

12 Management an Control Establishing the Company Level Cyber Security Vision & Policy Vision: Establish an E2E customer-facing cyber security assurance system, which is transparent, mutual-trust, and neutral, to ensure customer's long-term security trust. Proactive Protection Proactively analyze cyber security requirements and risks, prevent and respond to security threats. Integrate security assurance activities into business processes such as IPD, Procurement, Supply Chain, and Delivery & Service process, and develop management regulations and technical standards to ensure the effective execution of the activities. Regulations Compliance All the security management documents, processes and activities must be compliant with local laws and regulations concerning cyber security. Traceability Through professional management, process deployment, records storing and IT technical support, ensure that the products, solutions and services offered by Huawei are traceable throughout the whole lifecycle. Open and Transparent Communicate with stakeholders of different countries including governments, customers, industry partners, and employees through various organizations, channels and platforms to encounter the threats and challenges of global telecommunication network in common. HUAWEI TECHNOLOGIES CO., LTD. Page 12

13 Agenda 1 Introduction 2 Cyber Security Policy 3 Best Development Practices 4 Our Achievements 5 Concluding Remarks HUAWEI TECHNOLOGIES CO., LTD. Page 13

14 Cooperation with Authorized Labs for CC We actively cooperate with authorized LAB to do evaluation, hope that we can get the disinterested result according to the Common Criteria (CC) standards Common Criteria (CC) Certification obtained recently, a couple of telecom products are under evaluation, based on ST HUAWEI TECHNOLOGIES CO., LTD. Page 14

15 CC Certified Products CC Certified Products Distribution Up to Sep #Certified Products Huawei s Telecom Products # PP HUAWEI TECHNOLOGIES CO., LTD. Page 15

16 Typical Telecom Network Architecture HLR/HSS 2G 3G 3.9G GERAN UTRAN E-UTRAN Gb Iu S12 S1-C SGSN S3 MME S1-U Gr S6a S11 S4 PDSN SWn Gn GGSN S-GW HUAWEI TECHNOLOGIES CO., LTD. Page 16 S5 PCRF Gx PDN-GW S6b Untrusted non-3gpp IP access epdg 3GPP-AAA e.g. WLAN The central (server) side of CGP runs within a physical Operation and Management Unit (OMU) on top of a Linux operating system. Remote clients are available for management access to the server. S7c S2b Gx SWa Gxb Gi SWx SGi Rx Carrier Grade Platform (TOE: software) Operator s IP service

17 Long Term Evolution Security Overview Uu Interface: Authentication: USIM+EPS AKA Encryption: AES/SNOW 3G/ZUC Backhaul Security: Certificate-Based authentication (802.1x, IKE, PKI) IPSec TLS/SSL UGW HSS OMC Security: OM data encryption Account management Log management Security alarm OM Network NMS SSL UE Terminal enb enb Backhaul Third Party Network SecGW Service IP Network Billing Signaling MME Firewall Firewall Internet Non-trusted Zone Trusted Zone enodeb Security: Embedded firewall (ACL) IPsec for protection of signaling and user data. Authentication/Encryption Core Security: Huawei USC security solution Traffic segregation, CN firewall IPsec SSL HUAWEI TECHNOLOGIES CO., LTD. Page 17

18 Huawei Security Solution Architecture Comprehensive, top-down, end-to-end security design methodology Based on ITU-T X.805 recommendation architecture HUAWEI TECHNOLOGIES CO., LTD. Page 18

19 Agenda 1 Introduction 2 Cyber Security Policy 3 Best Development Practices 4 Our Achievements 5 Concluding Remarks HUAWEI TECHNOLOGIES CO., LTD. Page 19

20 Our Achievements In July 2011 we gain the EAL3 certificates from CCN, other products on going evaluation. EAL3: methodically tested and checked 1 CGP platform Security Target: Huawei Carrier Grade Platform (CGP) Version 1 Release 5 Security Target. v /03/09. Protection Profile: No conformance to a Protection Profile is claimed. 2 NetEngine40E/CX600 running VRP(V500R007) platform Security Target: Huawei NetEngine40E/CX600 Universal Service Router V600R001 Security Target. V0.68, 2011/02/24. Protection Profile: No conformance to a Protection Profile is claimed. HUAWEI TECHNOLOGIES CO., LTD. Page 20

21 Evaluation Process Security Problem Definition: What is the threat? Threats Org.Sec.Policies Assumptions Security Solution Definition: How to solve the problem? Security Objectives: What is the security objective? Security Requirements: How to achieve security goal? TOE Sec. Objectives TOE SFRs Environ. Objectives TOE SARs Solution Implementation Definition: How to implement those solutions? TOE Summary Specification TOE Sec. Function HUAWEI TECHNOLOGIES CO., LTD. Page 21

22 Threats & Assumptions, Objectives Threats T.AccountabilityLoss T.Eavesdrop T.UnauthenticatedAccess T.UnauthorizedAccess Assumptions A.PhysicalProtection A.TrustworthyUsers A.NetworkSegregation A.Support TOE Sec. Objectives O.Audit O.Communication O.Authentication O.Authorization Environment Objectives OE.Administration OE.Support OE.Users HUAWEI TECHNOLOGIES CO., LTD. Page 22

23 Security Functional Requirements(SFR) Security Functional Class Security Audit (FAU) Security Functional Requirement FAU_GEN.1: Audit data generation FAU_GEN.2: User identity association FAU_SAR.3: Selectable audit review FAU_STG.3: Action in case of possible audit data loss Cryptographic Support (FCS) FCS_COP.1: Cryptographic operation FDP_ACC.1: Subset access control User Data Protection (FDP) FDP_ACF.1: Security attribute based access control FIA_AFL.1: Authentication failure handling FIA_ATD.1: User attribute definition Identification and FIA_SOS.1: Verification of secrets Authentication(FIA) FIA_UAU.2: User authentication before any action FIA_UID.2: User identification before any action FMT_MSA.1: Management of security attributes FMT_MSA.3: Static attribute initialization Security Management(FMT) FMT_MSA.3: Static attribute initialization FMT_SMF.1: Specification of Management Functions FMT_SMR.1: Security roles Component FAU_GEN.1 FAU_GEN.2 FAU_SAR.3 FAU_STG.3 FCS_COP.1 FDP_ACC.1 FDP_ACF.1 FIA_AFL.1 FIA_ATD.1 FIA_SOS.1 FIA_UAU.2 FIA_UID.2 FMT_MSA.1 FMT_MSA.3a FMT_MSA.3b FMT_SMF.1 FMT_SMR.1 Protection of the TSF (FPT) FPT_ITT.1: Basic internal TSF data transfer protection FPT_ITT.1 TOE Access (FTA) FTA_TSE.1: TOE session establishment FTA_TSE.1 Trusted Path/Channels (FTP) FTP_TRP.1: Trusted path FTP_TRP.1 HUAWEI TECHNOLOGIES CO., LTD. Page 23

24 Security Assurance Requirements(SAR): EAL3 Security Assurance Level Assurance Class ADV: Development AGD: Guidance documents ALC: Life-cycle support ASE: Security Target evaluation ATE: Tests AVA: Vulnerability assessment Assurance Components ADV_ARC.1 Security architecture description ADV_FSP.3 Functional specification with complete summary ADV_TDS.2 Architectural design AGD_OPE.1 Operational user guidance AGD_PRE.1 Preparative procedures ALC_CMC.3 Authorisation controls ALC_CMS.3 Implementation representation CM coverage ALC_DEL.1 Delivery procedures ALC_DVS.1 Identification of security measures ALC_LCD.1 Developer defined life-cycle model ASE_CCL.1 Conformance claims ASE_ECD.1 Extended components definition ASE_INT.1 ST introduction ASE_OBJ.2 Security objectives ASE_REQ.2 Derived security requirements ASE_SPD.1 Security problem definition ASE_TSS.1 TOE summary specification ATE_COV.2 Analysis of coverage ATE_DPT.1 Testing: basic design ATE_FUN.1 Functional testing ATE_IND.2 Independent testing - sample AVA_VAN.2 Vulnerability analysis HUAWEI TECHNOLOGIES CO., LTD. Page 24

25 Testing TOE Testing: Developed by manufacturer Verifying each unit test, identifying security functionality Testing method is appropriate to the function to be tested Penetration Testing: The independent penetration testing devised several test cases, no exploitable vulnerabilities nor residual vulnerabilities have been found, covering attacks including, SQL Injection, Xpath injection, cross-site Scripting, cross-site request forgery, buffer overflows, race conditions, replay attacks, MiTM attacks, brute force, IP spoofing. HUAWEI TECHNOLOGIES CO., LTD. Page 25

26 Evaluation Results The product Huawei Carrier Grade Platform (CGP) software (Unique version identifier: CGP V100R005C00) with the following patch V100R005C00SPC604 has been evaluated in front of the Huawei Carrier Grade Platform (CGP) Version 1 Release 5 Security Target, Security Target, v0.28, 2011/03/09 All the assurance components required by the level EAL3 have been assigned a PASS verdict. Consequently, the laboratory (LGAI-APPLUS) assigns the PASS VERDICT to the whole evaluation due all the evaluator actions are satisfied for the EAL3 methodology, as define by of the Common Criteria and the Common Methodology HUAWEI TECHNOLOGIES CO., LTD. Page 26

27 Agenda 1 Introduction 2 Cyber Security Policy 3 Best Development Practices 4 Our Achievements 5 Concluding Remarks HUAWEI TECHNOLOGIES CO., LTD. Page 27

28 Future Plan Huawei product lines can be classified as follows: Application and Software Optical Network Core Network We plan to incorporate the Common Criteria certification to the following product lines: Core Network Enterprise Data Communication Wireless Product Access Network Terminals Storage & Network Security Enterprise HUAWEI TECHNOLOGIES CO., LTD. Page 28

29 Concluding Remarks We are increasing our market position,present and future security will be a key factor! Certification for telecom products will become more and more important along with the development of CC standardization. Taking on an open, transparent and sincere attitude, Huawei is willing to cooperate with all governments, customers and partners through various channels to jointly cope with threats and challenges from cyber security. HUAWEI TECHNOLOGIES CO., LTD. Page 29

30 Thank you