INTERNATIONAL ISO/IEC STANDARD 18028-1

More documents

Recommendations

Info

IS0/IEC18028-1:2006(E)13.2.6.3 Security ControlsThere are a number of technical security controls to manage the risks from identified threats to broadbandcommunications, including:— Small Office/Home Office (SOHO) Firewalls,— anti-malicious code (including viruses) software,— IDS, including IPS,— VPNs,— Software Updates/Patching.13.2.7 Security Gateways13.2.7.1 BackgroundA suitable security gateway arrangement should protect the organization's internal systems and securelymanage and control the traffic flowing across it, in accordance with a documented security gateway serviceaccess policy (see Clause 13.2.7.3 below).13.2.7.2 Security RisksEvery day, hackers become more sophisticated in their attempts to breach business networks and thegateway is a centre of interest. Attempts at unauthorized access can be malicious, such as that leading to aDoS attack, they may be to misuse resources, or could be to gain valuable information. The gateway needs toprotect the organization from such intrusions from the outside world, such as from the Internet or third partynetworks. Unmonitored content leaving the organization introduces legal issues and a potential loss ofintellectual property. In addition, as more organizations are connecting to the Internet to meet theirorganizational requirements, they are faced with the need to control access to inappropriate or objectionableWeb sites. Without that control, organizations risk productivity losses, liability exposure, and misallocation ofbandwidth due to non-productive Web surfing. If these threats are not addressed then there is a risk theconnections to the outside world could become unavailable, data could become corrupted, or valuablecompany assets could be subject to unauthorized disclosure. Data placed on websites or otherwisetransmitted without proper authority may also incur legal penalties - e.g. insider trading.13.2.7.3 Security ControlsA security gateway should:— separate logical networks,— provide restricting and analyzing functions on the information which passes between the logical networks,— be used by an organization as a means of controlling access to and from the organization's network,— provide a controlled and manageable single point of entry to a network,— enforce an organization's security policy, regarding network connections,— provide a single point for logging.For each security gateway a separate service access (security) policy document should be developed and thecontent implemented to ensure that only the traffic authorized is allowed to pass. This document shouldcontain the details of the ruleset that the gateway is required to administer, and the configuration of thegateway. It should be possible to define permitted connections separately according to communicationsprotocol and other details. Thus, in order to ensure that only valid users and traffic gain access fromcommunications connections, the policy should define and record in detail the constraints and rules applied totraffic passing into and out of the security gateway, and the parameters for its management and configuration.36 ©ISO/IEC 2006-All rights reserved
ISO/IEC 18028-1:2006(E)With all security gateways, full use should be made of available identification and authentication, logicalaccess control and audit facilities. In addition, they should be checked regularly for unauthorized softwareand/or data and, if such is found, incident reports should be produced in accordance with the organizationand/or community's information security incident management scheme (see ISO/IEC 18044).It is emphasized that the connection to a network should only take place after it is checked that the selectedsecurity gateway suits the requirements of the organization and/or community, and that all risks resulting fromsuch a connection can be managed securely. It should be ensured that by-passing the security gateway is notpossible.A firewall is a good example of a security gateway. Firewalls should normally be those that have achieved anappropriate assurance level commensurate with the assessed risks, with the standard firewall ruleset usuallybeginning by denying all access between the internal and external networks, and adding explicit rules tosatisfy only the required communications paths.Further detail on security gateways is provided in ISO/IEC 18028-3 (as well as in ISO/IEC 17799), and will beprovided in ISO/IEC 13335-2 when published).It should be noted that whilst the network security aspects of personal firewalls, a special type of firewall, arenot discussed in Part 3, they should also be considered. Unlike most central sites which are protected bydedicated firewalls, remote systems may not warrant the expense and specialist skills to support thesedevices. Instead, a personal firewall may be used which controls the flow of communications into (andsometimes out of) the remote computer. The administration of the rules (policies) of the firewall may becarried out remotely by personnel at the central site, relieving the remote system user of the requirement oftechnical understanding. However if this is not possible, care should be taken to ensure effectiveconfiguration, especially if those at the remote site are not IT literate. Some personal firewalls can also restrictthe ability to transmit over the network to authorized programs (or even libraries), restricting the ability ofmalware to spread.13.2.8 Remote Access Services13.2.8.1 BackgroundThe aim of RAS is to allow data to be exchanged between a remote site and the central service. There are avariety of solutions for this, including:— communications via the Internet,— dial-up IP service.Communications via the Internet increasingly uses ISP-provided ADSL links to provide high bandwidth fromthe central site and a lower bandwidth from the remote to the central site. Except for the lowest sensitivity ofdata, some form of VPN (see Clause 13.2.9 below) should be used to provide security for the exchanged datastreams.Dial-up IP services allow a remote site (usually a single user) to dial up a modem bank at a central location.After authentication, the connection is opened between the remote site and central service. Unless theapplication implements a security protocol, this mode of communications would normally be in the clear. RASaccess may be implemented using ISDN or analogue lines. In either case, the user dials into a central pointwhere some level of authentication occurs. RAS access only offers transfer of clear data.13.2.8.2 Security RisksThere are a number of security risks that may be associated with RAS, including:— unauthorized access to an organization's systems, services and information (including viaeavesdropping), leading to the disclosure of, unauthorized changes to, or destruction of, informationand/or service,©ISO/IEC 2006-All rights reserved 37
Page 1 and 2: INTERNATIONAL ISO/IECSTANDARD 18028
Page 3 and 4: ISO/IEC18028-1:2006(E)ContentsPageF
Page 5 and 6: ISO/IEC 18028-1:2006(E)ForewordISO
Page 7 and 8: INTERNATIONAL STANDARDISO/IEC 18028
Page 9 and 10: ISO/IEC FDIS 18028-1:2006(E)3.2.9de
Page 11 and 12: ISO/IEC FDIS 18028-1:2006(E)3.2.30n
Page 13 and 14: ISO/IEC FDIS 18028-1:2006(E)4 Abbre
Page 15 and 16: ISO/IEC FDIS 18028-1:2006(E)5 Struc
Page 17 and 18: ISO/IEC FDIS 18028-1:2006(E)An exam
Page 19 and 20: ISO/IEC FDIS 18028-1:2006(E)— det
Page 21 and 22: ISO/IEC FD1S 18028-1:2006(E)8 Consi
Page 23 and 24: ISO/IEC FDIS 18028-1:2006(E)9.4 Net
Page 25 and 26: ISO/IEC 18028-1:2006(E)© ISO/IEC 2
Page 27 and 28: ISO/IEC18028-1:2006(E)Table 2 — I
Page 29 and 30: IS0/IEC18028-1:2006(E)A conceptual
Page 31 and 32: ISO/IEC 18028-1:2006(E)Using the se
Page 33 and 34: ISO/IEC 18028-1:2006(E)13 Identify
Page 35 and 36: ISO/IEC 18028-1:2006(E)These Securi
Page 37 and 38: ISO/IEC 18028-1:2006(E)13.2.3 Wide
Page 39 and 40: ISO/IEC 18028-1:2006(E)— flawed S
Page 41: ISO/IEC18028-1:2006(E)13.2.5.3 Secu
Page 45 and 46: ISO/IEC18028-1:2006(E)• uncertain
Page 47 and 48: ISO/IEC 18028-1:2006(E)— IDS shou
Page 49 and 50: ISO/IEC18028-1:2006{E)— exploitat
Page 51 and 52: ISO/IEC 18028-1:2006(E)The content
Page 53 and 54: ISO/IEC18028-1:2006(E)— web-based
Page 55 and 56: ISO/IEC 18028-1:2006(E)13.4.4 Netwo
Page 57 and 58: ISO/IEC18028-1:2006(E)13.6.5 Secure
Page 59 and 60: ISO/IEC 18028-1:2006(E)use rules to
Page 61 and 62: IS0/IEC18028-1:2006(E)Where it is i
Page 63 and 64: IS0/IEC18028-1:2006(E)13.10.5.2 Sec
Page 65 and 66: IS0/IEC18028-1:2006(E)Bibliography[

INTERNATIONAL ISO/IEC STANDARD 18028-1

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?