Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x

Content for  TR 33.805  Word version:  12.0.0

Top   Top   Up   Prev   Next
1…   4…   A…
4 3GPP network products and threat model4.1 Considerations on definition of the term "network products"4.2 Sample 3GPP network products for the methodology study4.3 Threat and attacker model for the Security Assurance study4.4 3GPP network products subject to Security Assurance Specifications (SCAS)4.5 Roles and processes applicable to all methodologies5 Proposed methodologies5.1 Methodology 1: Common Criteria (CC)5.2 Methodology 26 Criteria for the evaluation of the methodologies7 Comparison of Proposed Methodologies8 Conclusions8.1 Chosen methodology description8.2 Next steps for the normative phase

 

4  3GPP network products and threat modelp. 11

4.1  Considerations on definition of the term "network products"p. 11

4.1.1  3GPP function specific requirements vs. platform/node requirementsp. 11

4.1.2  Distribution of 3GPP functions over nodesp. 11

4.1.3  Environment of functions and nodesp. 12

4.1.4  Relationship between network products classes, SCAS and 3GPP functionsp. 13

4.2  Sample 3GPP network products for the methodology studyp. 15

4.3  Threat and attacker model for the Security Assurance studyp. 16

4.3.1  Attacker potentialp. 16

4.3.2  Threats modelp. 16

4.4  3GPP network products subject to Security Assurance Specifications (SCAS)p. 17

4.4.1  Access networkp. 17

4.4.2  Core networkp. 17

4.5  Roles and processes applicable to all methodologiesp. 18

4.5.1  Introductionp. 18

4.5.2  Security assurance processp. 18

4.5.2.1  Overviewp. 18

4.5.2.2  Assurance levelp. 19

4.5.2.3  Security baselinep. 20

4.5.3  Rolesp. 22

4.5.3.1  Roles involved in the security assurance processp. 22

4.5.3.2  Implicit and existing rolesp. 22

4.5.3.3  New rolesp. 22

4.5.4  Sub-processes and documentationp. 23

4.5.4.1  Security Assurance Specification (SCAS)p. 23

4.5.4.2  Network productp. 23

4.5.4.3  Evaluation and evaluation reportp. 23

4.5.4.4  Certification and certificatep. 23

4.5.4.5  Operator security acceptance decisionp. 24

4.5.4.6  Revocation and dispute processp. 24

5  Proposed methodologiesp. 25

5.1  Methodology 1: Common Criteria (CC)p. 25

5.1.1  Introductionp. 25

5.1.1.2  Assurance paradigmp. 26

5.1.1.3  Assurance approachp. 26

5.1.1.4  CC evaluation assurance scalep. 27

5.1.1.5  CC assurance and the significance of vulnerabilitiesp. 27

5.1.1.6  Concept of ST and PPp. 28

5.1.1.7  Specific issues on Protection Profiles (PPs) and Security Targets (STs)p. 28

5.1.2  Content of a Security Assurance Specification (SCAS)p. 29

5.1.2.1  Overview of SCASp. 29

5.1.2.2  Description of the Protection Profile (PP) partp. 30

5.1.2.3  Hardeningp. 31

5.1.2.4  Description of the software hardening partp. 32

5.1.2.5  Description of the hardware hardening partp. 32

5.1.2.6  Definition of the expected environment of the network product class in the context of writing the 3GPP evaluation profilep. 32

5.1.3  Methodology for development of a SCASp. 33

5.1.3.1  Overviewp. 33

5.1.3.2  How to identify suitable SFRs and SARs for the PPp. 33

5.1.3.3  How to help vendors and evaluators to use the PPp. 34

5.1.4  Evaluation of a network product against a SCASp. 34

5.2  Methodology 2p. 36

5.2.1  Overviewp. 36

5.2.2  Methodology buildingp. 40

5.2.2.1  Overviewp. 40

5.2.2.2  Security assurance process document creationp. 41

5.2.2.3  Vendor network product development and network product lifecycle management process document creationp. 41

5.2.2.4  Security Assurance Specification (SCAS) creationp. 43

5.2.2.4.1  Writing process overviewp. 43
5.2.2.4.2  SCAS document structure and contentp. 45

5.2.2.5  Security Assurance Specification instantiation documents creationp. 52

5.2.2.6  Accreditation and monitoring rules creationp. 53

5.2.3  Vendors and third-party laboratories accreditationp. 53

5.2.3.1  Overviewp. 53

5.2.3.2  Methodology and quality accreditationp. 54

5.2.3.3  Audit and accreditation of Vendor network product development and network product lifecycle management processp. 55

5.2.3.4  Audit and accreditation of testing laboratoriesp. 56

5.2.3.5  Criteria on accreditation of security compliance testing laboratoriesp. 56

5.2.3.6  Criteria on accreditation of Basic Vulnerability testing laboratoriesp. 57

5.2.3.7  Criteria on accreditation of Enhanced Vulnerability Analysis (EVA) testing laboratoriesp. 57

5.2.4  Evaluation and evaluation reportp. 58

5.2.4.1  Network product development process and network product lifecycle managementp. 58

5.2.4.2  SCAS instantiation evaluationp. 58

5.2.4.2.1  Overviewp. 58
5.2.4.2.2  Contentp. 58
5.2.4.2.3  Processp. 63

5.2.4.3  Security Compliance testingp. 64

5.2.4.3.1  Inputsp. 64
5.2.4.3.2  Outputsp. 64
5.2.4.3.3  Activitiesp. 64

5.2.4.4  Basic Vulnerability Testingp. 65

5.2.4.5  Enhanced Vulnerability Analysis taskp. 65

5.3.4.4.1  Inputsp. 65
5.3.4.4.2  Outputsp. 66
5.3.4.4.3  Activitiesp. 66

5.2.5  Self-declarationp. 67

5.2.6  Operator security acceptance decisionp. 67

5.2.7  Administration of the accreditations and dispute resolutionp. 67

5.2.7.1  Monitoringp. 67

5.2.7.2  Dispute resolutionp. 67

5.2.8  Summary of SECAM deliverablesp. 68

5.2.9  General considerationsp. 69

5.2.9.1  Improvement of SCAS and new security requirementsp. 69

5.2.9.2  Partial compliance and use of SECAM requirements in network product development cyclep. 69

5.2.9.3  Comparison between two SECAM evaluationsp. 69

6  Criteria for the evaluation of the methodologiesp. 70

7  Comparison of Proposed Methodologiesp. 71

8  Conclusionsp. 72

8.1  Chosen methodology descriptionp. 72

8.2  Next steps for the normative phasep. 75

Up   Top   ToC