BS-ISO-IEC-18028-3-2005.pdf

BRITISH STANDARD BS ISO/IEC 18028-3:2005 Information technology Security techniques IT network security Part 3: Securing communications between networks using security gateways ICS 35.040 ? Licensed Copy: sheffieldun sheffieldun, na, Thu Nov 23 04:15:36 GMT+00:00 2006, Uncontrolled Copy, (c) BSI BS ISO/IEC 18028-3:2005 This British Standard was published under the authority of the Standards Policy and Strategy Committee on 17 January 2006 © BSI 17 January 2006 ISBN 0 580 47593 X National foreword This British Standard reproduces verbatim ISO/IEC 18028-3:2005 and implements it as the UK national standard. The UK participation in its preparation was entrusted to Technical Committee IST/33, Information technology Security techniques, which has the responsibility to: A list of organizations represented on this committee can be obtained on request to its secretary. Cross-references The British Standards which implement international publications referred to in this document may be found in the BSI Catalogue under the section entitled “International Standards Correspondence Index”, or by using the “Search” facility of the BSI Electronic Catalogue or of British Standards Online. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. Compliance with a British Standard does not of itself confer immunity from legal obligations. aid enquirers to understand the text; present to the responsible international/European committee any enquiries on the interpretation, or proposals for change, and keep the UK interests informed; monitor related international and European developments and promulgate them in the UK. Summary of pages This document comprises a front cover, an inside front cover, the ISO/IEC title page, pages ii to v, a blank page, pages 1 to 22, an inside back cover and a back cover. The BSI copyright notice displayed in this document indicates when the document was last issued. Amendments issued since publication Amd. No. DateComments Licensed Copy: sheffieldun sheffieldun, na, Thu Nov 23 04:15:36 GMT+00:00 2006, Uncontrolled Copy, (c) BSI Reference number ISO/IEC 18028-3:2005(E) INTERNATIONAL STANDARD ISO/IEC 18028-3 First edition 2005-12-15 Information technology Security techniques IT network security Part 3: Securing communications between networks using security gateways Technologies de l'information Techniques de sécurité Sécurité de réseaux TI Partie 3: Communications de sécurité entre réseaux utilisant des portails de sécurité BS ISO/IEC 18028-3:2005 Licensed Copy: sheffieldun sheffieldun, na, Thu Nov 23 04:15:36 GMT+00:00 2006, Uncontrolled Copy, (c) BSI ii Licensed Copy: sheffieldun sheffieldun, na, Thu Nov 23 04:15:36 GMT+00:00 2006, Uncontrolled Copy, (c) BSI iii Contents Page Foreword iv Introduction v 1 Scope 1 2 Normative references1 3 Terms and definitions .1 4 Abbreviated terms .4 5 Security requirements.5 6 Techniques for security gateways.5 6.1 Packet filtering.5 6.2 Stateful packet inspection6 6.3 Application proxy.6 6.4 Network Address Translation (NAT)6 6.5 Content analyzing and filtering7 7 Security gateway components.7 7.1 Switches .7 7.2 Routers .8 7.3 Application Level Gateway.8 7.4 Security Appliances 8 8 Security Gateway Architectures.8 8.1 Structured approach .9 8.1.1 Packet filter firewall architecture .9 8.1.2 Dual-homed gateway architecture.10 8.1.3 Screened host architecture 11 8.1.4 Screened subnet architecture12 8.2 Staged approach13 8.2.1 Single and multi-staged security gateway architecture 14 9 Guidelines for selection and configuration 16 9.1 Selection of a security gateway architecture and appropriate components.17 9.2 Hardware and software platform17 9.3 Configuration .17 9.4 Security features and settings .18 9.5 Administration19 9.6 Logging.19 9.7 Documentation.20 9.8 Audit20 9.9 Training and education .20 9.10 Miscellaneous 20 Bibliography22 BS ISO/IEC 18028-3:2005 Licensed Copy: sheffieldun sheffieldun, na, Thu Nov 23 04:15:36 GMT+00:00 2006, Uncontrolled Copy, (c) BSI iv Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 18028-3 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. ISO/IEC 18028 consists of the following parts, under the general title Information technology Security techniques IT network security: Part 2: Network security architecture Part 3: Securing communications between networks using security gateways Part 4: Securing remote access The following parts are under preparation: Part 1: Network security management Part 5: Securing communications across networks using Virtual Private Networks BS ISO/IEC 18028-3:2005 Licensed Copy: sheffieldun sheffieldun, na, Thu Nov 23 04:15:36 GMT+00:00 2006, Uncontrolled Copy, (c) BSI v Introduction The telecommunications and information technology industries are seeking cost-effective comprehensive security solutions. A secure network should be protected against malicious and inadvertent attacks, and should meet the business requirements for confidentiality, integrity, availability, non-repudiation, accountability, authenticity and reliability of information and services. Securing a network is also essential for maintaining the accuracy of billing or usage information as appropriate. Security capabilities in products are crucial to overall network security (including applications and services). However, as more products are combined to provide total solutions, the interoperability, or the lack thereof, will define the success of the solution. Security must not only be a thread of concern for each product or service, but must be developed in a manner that promotes the interweaving of security capabilities in the overall end-to-end security solution. Thus, the purpose of ISO/IEC 18028 is to provide detailed guidance on the security aspects of the management, operation and use of IT networks, and their inter-connections. Those individuals within an organization that are responsible for IT security in general, and IT network security in particular, should be able to adapt the material in ISO/IEC 18028 to meet their specific requirements. Its main objectives are as follows: in ISO/IEC 18028-1, to define and describe the concepts associated with, and provide management guidance on, network security including on how to identify and analyse the communications-related factors to be taken into account to establish network security requirements, with an introduction to the possible control areas and the specific technical areas (dealt with in subsequent parts of ISO/IEC 18028); in ISO/IEC 18028-2, to define a standard security architecture, which describes a consistent framework to support the planning, design and implementation of network security; in ISO/IEC 18028-3, to define techniques for securing information flows between networks using security gateways; in ISO/IEC 18028-4, to define techniques for securing remote access; in ISO/IEC 18028-5, to define techniques for securing inter-network connections that are established using virtual private networks (VPN). ISO/IEC 18028-1 is relevant to anyone involved in owning, operating or using a network. This includes senior managers and other non-technical managers or users, in addition to managers and administrators who have specific responsibilities for Information Security (IS) and/or network security, network operation, or who are responsible for an organization's overall security programme and security policy development. ISO/IEC 18028-2 is relevant to all personnel who are involved in the planning, design and implementation of the architectural aspects of network security (for example IT network managers, administrators, engineers, and IT network security officers). ISO/IEC 18028-3 is relevant to all personnel who are involved in the detailed planning, design and implementation of security gateways (for example IT network managers, administrators, engineers and IT network security officers). ISO/IEC 18028-4 is relevant to all personnel who are involved in the detailed planning, design and implementation of remote access security (for example IT network managers, administrators, engineers, and IT network security officers). ISO/IEC 18028-5 is relevant to all personnel who are involved in the detailed planning, design and implementation of VPN security (for example IT network managers, administrators, engineers, and IT network security officers). BS ISO/IEC 18028-3:2005 Licensed Copy: sheffieldun sheffieldun, na, Thu Nov 23 04:15:36 GMT+00:00 2006, Uncontrolled Copy, (c) BSI blank Licensed Copy: sheffieldun sheffieldun, na, Thu Nov 23 04:15:36 GMT+00:00 2006, Uncontrolled Copy, (c) BSI 1 Information technology Security techniques IT network security Part 3: Securing communications between networks using security gateways 1 Scope This part of ISO/IEC 18028 provides an overview of different techniques of security gateways, of components and of different types of security gateway architectures. It also provides guidelines for selection and configuration of security gateways. Although Personal Firewalls make use of similar techniques, they are outside the scope of this part of ISO/IEC 18028 because they do not serve as security gateways. The intended audiences for this part of ISO/IEC 18028 are technical and managerial personnel, e.g. IT managers, system administrators, network administrators and IT security personnel. It provides guidance in helping the user choose the right type of architecture for a security gateway which best meets their security requirements. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 18028-4:2005, Information technology Security techniques IT network security Part 4: Securing remote access 3 Terms and definitions For the purposes of this document, the following terms and definitions apply. 3.1 alert instant indication that an information system and network may be under attack, or in danger because of accident, failure or people error 3.2 attacker any person deliberately exploiting vulnerabilities in technical and non-technical security controls in order to steal or compromise information systems and networks, or to compromise availability to legitimate users of information system and network resources BS ISO/IEC 18028-3:2005 Licensed Copy: sheffieldun sheffieldun, na, Thu Nov 23 04:15:36 GMT+00:00 2006, Uncontrolled Copy, (c) BSI 2 3.3 audit formal inquiry, formal examination, or verification of facts against expectations, for compliance and conformity 3.4 audit logging gathering of data on information security events for the purpose of review and analysis, and ongoing monitoring 3.5 Demilitarised Zone DMZ security host or small network (also known as a screened sub-net or a perimeter network) inserted as a neutral zone between networks NOTE It forms a security buffer zone. cf. security host 3.6 filtering process of accepting or rejecting data flows through a network, according to specified criteria 3.7 firewall type of security barrier placed between network environments consisting of a dedicated device or of a composite of several components and techniques through which all traffic from one network environment to another, and vice versa, traverses and only authorized traffic, as defined by the local security policy, is allowed to pass 3.8 Information Security Incident single or series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security NOTE See ISO/IEC 18044. 3.9 Information Security Incident Management formal process of responding to and dealing with information security events and incidents NOTE See ISO/IEC 18044. 3.10 Intrusion unauthorized access to a network or a network-connected system, i.e. deliberate or accidental unauthorized access to an information system, to include malicious activity against an information system, or unauthorized use of resources within an information system 3.11 Intrusion Detection formal process of detecting intrusions, generally characterized by gathering knowledge about abnormal usage patterns as well as what, how, and which vulnerability has been exploited to include how and when it occurred 3.12 Intrusion Detection System IDS technical system that is used to identify that an intrusion has been attempted, is occurring or has occurred, and possibly to respond to intrusions in IT systems and networks BS ISO/IEC 18028-3:2005 Licensed Copy: sheffieldun sheffieldun, na, Thu Nov 23 04:15:36 GMT+00:00 2006, Uncontrolled Copy, (c) BSI 3 3.13 port(1) endpoint to a connection 3.14 port(2) internet protocol logical channel endpoint of a TCP or UDP connection NOTE Application protocols which are based on TCP or UDP have typically assigned default port numbers, e.g. port 80 for the HTTP protocol. 3.15 privacy the right of every individual that his/her private and family life, home and correspondence are treated confidentially, without interference by an authority except where it is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, the protection of health or