Security Functions in Telecommunications – Placement & Achievable Security

The placement of security functions determines which kinds of data they can protect against which kinds of attackers. Firstly, security functions are classified regarding their sphere of influence, e.g. between end points of communication associations (end-to-end) or end points of transmission lines (link-by-link). Next, we derive and illustrate restrictions and implications that limit the free choice concerning the placement of security functions. The general results are applied to interconnected telecommunication systems structured according to the OSI reference model. We investigate placement alternatives within user domains, network operators’ domains, and service providers’ domains and related implications on achievable security. We classify existing security solutions and describe the security that can be achieved by the respective solutions in order to promote the application of theoretical results. 1 Classification of security functions The functionality of telecommunication networks can be classified according to the placement of co-operating functions in specific components and layers. There are two basic degrees of freedom concerning the placement of functions within telecommunication networks (see also Fig. 1): ■ horizontal degree of freedom: choices for the placement of functions along different components ■ vertical degree of freedom: choices for the placement of functions along different layers of single components Security functions are functions that contribute to the security of a system, i.e. to the achievement of security goals. Voydock and Kent [8] differentiate between end-to-end (ete) and link-by-link (lbl) functionality and apply respective security functions as follows: lbl oriented security mechanisms offer security for information that is transmitted via an individual communication channel between two network nodes. The final source or destination of this information is not taken into account regarding lbl security. Ete oriented security functions consider the network as a medium for the exchange of protocol data units (PDUs) in a secure way between source and desti-