INTERNATIONAL ISO/IEC STANDARD 18028-1

More documents

Recommendations

Info

ISO/IEC18028-1:2006(E)independent of the network's technology or location in the protocol stack. It addresses security concernsrelated to the management, control, and use of network infrastructure, services, and applications, andprovides a comprehensive, top down, end-to-end perspective of network security. The "Reference" securityarchitecture has three architectural components:— Security Dimensions (may also be known as 'Security Control Groups'),— Security Layers (may also be known as 'Network Security Elements'),— Security Planes may also be known as 'Security Domains').Security Dimensions are sets of security controls designed to address a particular aspect of network security.There are eight such sets identified in the "Reference" security architecture, and which extend to applicationsand end user information, for example:— Non-Repudiation,— Data Confidentiality,— Data Integrity,— Availability.In order to provide an end-to-end security solution, the Security Dimensions need to be applied to a hierarchyof network equipment and facility groupings, which are referred to as Security Layers:— Infrastructure Security Layer,— Services Security Layer,— Applications Security Layer.The Security Layers build on one another to provide network based solutions, i.e. the Infrastructure Layerenables the Services Security Layer and the Services Security Layer enables the Applications Security Layer,and identify where security should be addressed in products and solutions by providing a sequentialperspective of network security.The Infrastructure Security Layer consists of the network transmission facilities as well as individual networkparts protected by the mechanisms that are implemented for the Security Dimensions. Examples ofcomponents that belong to the Infrastructure Security Layer are individual routers, switches and servers aswell as the communication links between individual routers, switches and servers.The Services Security Layer addresses the security of services that Service Providers provide to theircustomers. These services range from basic transport and connectivity to service enablers like those that arenecessary for providing Internet access (e.g. authentication, authorization, and accountability services,dynamic host configuration services, domain name services, etc.) to value-added services such as free phoneservice, QoS, VPN, etc.The Applications Security Layer focuses on the security of the network-based applications accessed byService Provider customers. These applications are enabled by network services and include basic filetransport (e.g. FTP) and web browsing applications, fundamental applications such as directory assistance,network-based voice messaging, and e-mail, as well as high-end applications such as customer relationshipmanagement, electronic/mobile commerce, network-based training, video collaboration, etc.The Security Planes are certain types of network activity protected by the mechanisms that are implementedfor the Security Dimensions. The "Reference" security architecture defines three Security Planes to representthe types of protected activities that take place on a network. The Security Planes are the:— Management Plane,— Control Plane,— End-User Plane.28 © ISO/IEC 2006 - All rights reserved
ISO/IEC 18028-1:2006(E)These Security Planes address specific security needs associated with network management activities,network control and signaling activities, and end-user activities correspondingly. Networks should be designedin such a way that events in one Security Plane are kept as much as possible and as appropriate isolatedfrom the other Security Planes.The following clauses include an introduction to the actual different real-world technical security architectureaspects of the various areas of networking.It is emphasized that the technical security architecture for any project should be fully documented andagreed, before finalizing the list of controls for implementation.13.2.2 Local Area Networking13.2.2.1 BackgroundWhen LAN networks are used within physically protected areas, e.g. only within an organization's ownpremises, then the risks are likely to be such that only basic technical controls are required. However, for usein larger environments, and also when wireless technologies are used (also see Clause 13.2.4 below),physical protection alone is unlikely to guarantee any level of security. Furthermore, the shared mediatechnologies most commonly used within LANs do allow access to all network traffic from any system usingthe shared media.The desktop is a vulnerable area as it is the user interface. If the desktop is not locked down then it is possiblefor a user to install unauthorized software on the LAN. Server systems used within the corporate network, bothones exposed to the Internet and internal servers that have no direct connection to the Internet, represent apotential major security risk. While most IT departments would claim that they are diligent about applyingpatches as soon as they are available, this risk has to be taken very seriously as even large organizationshave failed to patch all servers in a timely manner, leading to disruption of internal network traffic by worms.13.2.2.2 Security RisksIn a wired LAN, security risks will arise from the nodes physically connected to the network. Overall, the keysecurity risks associated with LANs include:— unauthorized access and changes to desktop PCs, servers, and other LAN connected devices,— un patched servers,— poor quality passwords,— theft of hardware,— failure of power supplies,— import of malicious code through e-mail and Web access,— failure to back up local hard discs,— failure of hardware, such as hard discs,— unauthorized connections to the LAN (laptop),— unauthorized access to hubs and patch cabinets,— default passwords on the management ports of hubs and switches,— poor physical security.© ISO/IEC 2006 - All rights reserved 29
Page 1 and 2: INTERNATIONAL ISO/IECSTANDARD 18028
Page 3 and 4: ISO/IEC18028-1:2006(E)ContentsPageF
Page 5 and 6: ISO/IEC 18028-1:2006(E)ForewordISO
Page 7 and 8: INTERNATIONAL STANDARDISO/IEC 18028
Page 9 and 10: ISO/IEC FDIS 18028-1:2006(E)3.2.9de
Page 11 and 12: ISO/IEC FDIS 18028-1:2006(E)3.2.30n
Page 13 and 14: ISO/IEC FDIS 18028-1:2006(E)4 Abbre
Page 15 and 16: ISO/IEC FDIS 18028-1:2006(E)5 Struc
Page 17 and 18: ISO/IEC FDIS 18028-1:2006(E)An exam
Page 19 and 20: ISO/IEC FDIS 18028-1:2006(E)— det
Page 21 and 22: ISO/IEC FD1S 18028-1:2006(E)8 Consi
Page 23 and 24: ISO/IEC FDIS 18028-1:2006(E)9.4 Net
Page 25 and 26: ISO/IEC 18028-1:2006(E)© ISO/IEC 2
Page 27 and 28: ISO/IEC18028-1:2006(E)Table 2 — I
Page 29 and 30: IS0/IEC18028-1:2006(E)A conceptual
Page 31 and 32: ISO/IEC 18028-1:2006(E)Using the se
Page 33: ISO/IEC 18028-1:2006(E)13 Identify
Page 37 and 38: ISO/IEC 18028-1:2006(E)13.2.3 Wide
Page 39 and 40: ISO/IEC 18028-1:2006(E)— flawed S
Page 41 and 42: ISO/IEC18028-1:2006(E)13.2.5.3 Secu
Page 43 and 44: ISO/IEC 18028-1:2006(E)With all sec
Page 45 and 46: ISO/IEC18028-1:2006(E)• uncertain
Page 47 and 48: ISO/IEC 18028-1:2006(E)— IDS shou
Page 49 and 50: ISO/IEC18028-1:2006{E)— exploitat
Page 51 and 52: ISO/IEC 18028-1:2006(E)The content
Page 53 and 54: ISO/IEC18028-1:2006(E)— web-based
Page 55 and 56: ISO/IEC 18028-1:2006(E)13.4.4 Netwo
Page 57 and 58: ISO/IEC18028-1:2006(E)13.6.5 Secure
Page 59 and 60: ISO/IEC 18028-1:2006(E)use rules to
Page 61 and 62: IS0/IEC18028-1:2006(E)Where it is i
Page 63 and 64: IS0/IEC18028-1:2006(E)13.10.5.2 Sec
Page 65 and 66: IS0/IEC18028-1:2006(E)Bibliography[

INTERNATIONAL ISO/IEC STANDARD 18028-1

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?