CONTENTS

 1      Scope
         1.1    Assumptions
         1.2    Overview
 2      References
 3      Definitions
         3.1    Terms defined elsewhere
         3.2    Terms defined in this Recommendation
 4      Abbreviations and acronyms
 5      Conventions
 6      Security risks and threats
 7      Security trust model
         7.1    Single network trust model
         7.2    Peering network trust model
 8      Identification, authentication and authorization
         8.1    Subscribers
         8.2    Network element
         8.3    Credential usage in the NGN security
         8.4    Identification and authentication of subscribers
         8.5    Identification and authentication of end-users
         8.6    Identification and authentication by TE-BE
         8.7    Authenticator-SAA/TAA-FEs interface
         8.8    Identification and authentication of bearer traffic
 9      Transport security for signalling and OAMP
         9.1    TLS
         9.2    IPsec in trusted and trusted-but-vulnerable zones
         9.3    Key agreement protocol between untrusted and trusted-but-vulnerable zone
         9.4    IPsec between untrusted and trusted-but-vulnerable zone
10      Media security
        10.1    SRTP
11      OAMP
        11.1    Network element interface to logging systems
        11.2    Network element use of SNMP
        11.3    Security patch management
        11.4    Version management
        11.5    Audit trail, trapping, and logging at TE-BE
12      Provisioning of equipment in untrusted zone
Appendix I – Examples of source-address assurance and its application to the mechanism of subscriber identification and authentication
         I.1    Subscriber identification and authentication linked to access-line authentication
         I.2    Subscriber identification and authentication linked to explicit access authentication at IP connectivity establishment
Appendix II – Emergency telecommunications service (ETS) interconnection security
        II.1    Background
        II.2    Scope/purpose
        II.3    Security objectives and guidelines for interconnection of ETS
        II.4    Authentication and authorization
        II.5    Transport security for signalling and OAMP
        II.6    Media traffic
        II.7    Support of calling number ID and calling name ID restriction features
        II.8    Non-traceability
        II.9    End-to-end peer-to-peer encryption
Appendix III – Security best practices
       III.1    Introduction
       III.2    Firewalls
       III.3    Operating system hardening
       III.4    Vulnerability assessment
       III.5    Intrusion detection systems
Bibliography