INTERNATIONAL ISO/IEC STANDARD 18028-1

More documents

Recommendations

Info

IS0/IEC18028-1:2006(E)The different areas that should be considered include:— types of network,— network protocols,— network applications,— technologies used to implement networks.Some of the issues for review for each of these areas are discussed in Clauses 9.2 to 9.6 below. Clause 10provides guidance on how to identify the types of network connection, and Clause 11 provides guidance onhow to determine the networking characteristics and related trust relationships. Clause 12 provides guidanceon identifying the security risks. (General guidance on network and application architectures can be found inISO/IEC7498.)9.2 Types of NetworkDepending on the area they cover, networks can be categorized as:— Local Area Networks (LANs), which are used to interconnect systems locally, and— Wide Area Networks (WANs), which are used to interconnect systems up to a world-wide coverage.(Some sources also define the term Metropolitan Area Network (MAN) for a locally restricted WAN, e.g. withina city. However, nowadays the same technologies are used as for WANs and thus there are no significantdifferences between MAN and WAN any more. Further, for the purposes of this standard Personal AreaNetworks (PANs) will be categorized as LANs.)9.3 Network ProtocolsDifferent protocols have different security characteristics and should be afforded special consideration. Forexample:— shared media protocols are mainly used in LANs and provide mechanisms to regulate the use of sharedmedia among the systems connected. As a shared media is used, all information on the network isphysically accessible by all connected systems,— routing protocols are used to define the route through the different nodes on which information travelswithin WANs. Information is physically accessible for all systems along the route, and routing may bechanged, either accidentally or intentionally, and— MPLS protocols, on which many carrier networks are based, allows a carrier core network to be sharedby multiple private networks without any member of one private network being aware that there are otherprivate networks sharing the core network. The major application is the implementation of VPNs, wheredifferent labels are used to identify and segregate traffic belonging to different VPNs (an MPLS basedVPN is not based on data encryption mechanisms). This enables corporate customers to outsource theirinternal network to a service provider and thus avoid the need to deploy and manage their own core IPnetwork. A key benefit is the ability to converge network services, such as voice and data over onnetwork, using QoS mechanisms to ensure real time performance.Many of the protocols used in networks do not provide any security. For example, tools to acquire passwordsfrom network traffic are commonly used by attackers. This makes applications sending unencryptedpasswords over a public network highly vulnerable.Many protocols may be used in conjunction with different network topologies and media, and by using wiredas well as wireless technologies. In many cases this has further impact on the security characteristics.16 ©ISO/IEC 2006-All rights reserved
ISO/IEC FDIS 18028-1:2006(E)9.4 Networked ApplicationsThe type of applications used over a network should be considered in the context of security. Types caninclude:— thin client applications,— desktop applications,— terminal emulation based applications,— messaging infrastructures and applications,— store and forward or spooler based applications, and— client server applications.The following examples show how application characteristics influence the security requirements for thenetwork environments they may use:— messaging applications (such as encryption and digital signatures for messages) may provide anadequate security level without the implementation of dedicated security controls on the network,— thin client applications may need to download mobile code for proper functionality. Whereasconfidentiality may not be a major issue in this context, integrity is important and the network shouldprovide appropriate mechanisms for this. Alternatively, if higher requirements need to be fulfilled, digitalsigning of mobile code will provide integrity and additional authentication. Often this is done within anapplication framework itself, and therefore there may be no need to provide these services in the network,— store and forward or spooler based applications typically temporarily store important data on intermediatenodes for further processing. If there are integrity and confidentiality requirements, appropriate controlswill be needed in the network to protect the data in transit. However, due to the temporary storage of dataon intermediate hosts, these controls may not be sufficient. Thus, additional controls may need to beapplied to also protect data stored on intermediate nodes.9.5 Technologies Used to Implement NetworksNetworks may be delivered via a variety of means. A common structuring of these means is based ongeographical areas which are covered by a network.9.5.1 Local Area NetworksA LAN is a network to interconnect computers and servers in a small geographic area. The size ranges from afew interconnected systems, e.g. forming a home network, to a few thousands, e.g. in a campus network.Typical services implemented include the sharing of resources like printers, and the sharing of files andapplications. LANs typically also provide central services like messaging or calendar services. In some casesLANs are also used to substitute the traditional function of other networks, e.g. when VoIP protocols andservices are provided as a substitute for a PBX based phone network. Small LANs are most commonlyimplemented by using shared media technologies. The Ethernet protocol is the standard technology used inthis context, and has been extended for providing higher bandwidth as well as for supporting wirelessenvironments. Since shared media technologies, and also Ethernet in particular, have limitations in greatersize networks, typical WAN technologies such as routable protocols are also often used in LAN environments.A LAN can be wired, or wireless based.9.5.1.1 Wired LANA wired LAN usually consists of nodes connected in a network via a network switch or hub using networkingcables, which can provide high-speed data networking capabilities. Well-known wired LAN technologiesinclude Ethernet (IEEE 802.3) and Token Ring (IEEE 802.5).FOJIOBHIIH (J)OH,H© ISO/IEC 2006 - All rights reserved 17
Page 1 and 2: INTERNATIONAL ISO/IECSTANDARD 18028
Page 3 and 4: ISO/IEC18028-1:2006(E)ContentsPageF
Page 5 and 6: ISO/IEC 18028-1:2006(E)ForewordISO
Page 7 and 8: INTERNATIONAL STANDARDISO/IEC 18028
Page 9 and 10: ISO/IEC FDIS 18028-1:2006(E)3.2.9de
Page 11 and 12: ISO/IEC FDIS 18028-1:2006(E)3.2.30n
Page 13 and 14: ISO/IEC FDIS 18028-1:2006(E)4 Abbre
Page 15 and 16: ISO/IEC FDIS 18028-1:2006(E)5 Struc
Page 17 and 18: ISO/IEC FDIS 18028-1:2006(E)An exam
Page 19 and 20: ISO/IEC FDIS 18028-1:2006(E)— det
Page 21: ISO/IEC FD1S 18028-1:2006(E)8 Consi
Page 25 and 26: ISO/IEC 18028-1:2006(E)© ISO/IEC 2
Page 27 and 28: ISO/IEC18028-1:2006(E)Table 2 — I
Page 29 and 30: IS0/IEC18028-1:2006(E)A conceptual
Page 31 and 32: ISO/IEC 18028-1:2006(E)Using the se
Page 33 and 34: ISO/IEC 18028-1:2006(E)13 Identify
Page 35 and 36: ISO/IEC 18028-1:2006(E)These Securi
Page 37 and 38: ISO/IEC 18028-1:2006(E)13.2.3 Wide
Page 39 and 40: ISO/IEC 18028-1:2006(E)— flawed S
Page 41 and 42: ISO/IEC18028-1:2006(E)13.2.5.3 Secu
Page 43 and 44: ISO/IEC 18028-1:2006(E)With all sec
Page 45 and 46: ISO/IEC18028-1:2006(E)• uncertain
Page 47 and 48: ISO/IEC 18028-1:2006(E)— IDS shou
Page 49 and 50: ISO/IEC18028-1:2006{E)— exploitat
Page 51 and 52: ISO/IEC 18028-1:2006(E)The content
Page 53 and 54: ISO/IEC18028-1:2006(E)— web-based
Page 55 and 56: ISO/IEC 18028-1:2006(E)13.4.4 Netwo
Page 57 and 58: ISO/IEC18028-1:2006(E)13.6.5 Secure
Page 59 and 60: ISO/IEC 18028-1:2006(E)use rules to
Page 61 and 62: IS0/IEC18028-1:2006(E)Where it is i
Page 63 and 64: IS0/IEC18028-1:2006(E)13.10.5.2 Sec
Page 65 and 66: IS0/IEC18028-1:2006(E)Bibliography[

INTERNATIONAL ISO/IEC STANDARD 18028-1

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?