SANS 18028-3-2009 Information technology - Security techniques - IT network security Part 3 Securing communications between networks using security gateways《信息技术 安全技术 信息技术网络安全 第3部分.pdf

1、 Collection of SANS standards in electronic format (PDF) 1. Copyright This standard is available to staff members of companies that have subscribed to the complete collection of SANS standards in accordance with a formal copyright agreement. This document may reside on a CENTRAL FILE SERVER or INTRA

2、NET SYSTEM only. Unless specific permission has been granted, this document MAY NOT be sent or given to staff members from other companies or organizations. Doing so would constitute a VIOLATION of SABS copyright rules. 2. Indemnity The South African Bureau of Standards accepts no liability for any

3、damage whatsoever than may result from the use of this material or the information contain therein, irrespective of the cause and quantum thereof. ISBN 978-0-626-22050-1 SANS 18028-3:2009Edition 1 ISO/IEC 18028-3:2Edition 1 005 SOUTH AFRICAN NATIONAL STANDARD Information technology Security techniqu

4、es IT network security Part 3: Securing communications between networks using security gateways This national standard is the identical implementation of ISO/IEC 18028-3:2005 and is adopted with the permission of the International Organization for Standardization and the International Electrotechnic

5、al Commission. Published by SABS Standards Division 1 Dr Lategan Road Groenkloof Private Bag X191 Pretoria 0001 Tel: +27 12 428 7911 Fax: +27 12 344 1568 www.sabs.co.za SABS This standard may only be used and printed by approved subscription and freemailing clients of the SABS.SANS 18028-3:2009 Edit

6、ion 1 ISO/IEC 18028-3:2005 Edition 1 Table of changes Change No. Date Scope National foreword This South African standard was approved by National Committee SABS SC 71F, Information technology Information security, in accordance with procedures of the SABS Standards Division, in compliance with anne

7、x 3 of the WTO/TBT agreement. This SANS document was published in March 2009. This standard may only be used and printed by approved subscription and freemailing clients of the SABS. Reference number ISO/IEC 18028-3:2005(E) ISO/IEC 2005INTERNATIONAL STANDARD ISO/IEC 18028-3 First edition 2005-12-15

8、Information technology Security techniques IT network security Part 3: Securing communications between networks using security gateways Technologies de linformation Techniques de scurit Scurit de rseaux TI Partie 3: Communications de scurit entre rseaux utilisant des portails de scurit SANS 18928-3:

9、2009This standard may only be used and printed by approved subscription and freemailing clients of the SABS.ISO/IEC 18028-3:2005(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unle

10、ss the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark

11、 of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In

12、 the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. ISO/IEC 2005 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical,

13、 including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org P

14、ublished in Switzerland ii ISO/IEC 2005 All rights reservedSANS 18928-3:2009This standard may only be used and printed by approved subscription and freemailing clients of the SABS.ISO/IEC 18028-3:2005(E) ISO/IEC 2005 All rights reserved iii Contents Page Foreword iv Introduction v 1 Scope 1 2 Normat

15、ive references 1 3 Terms and definitions .1 4 Abbreviated terms .4 5 Security requirements.5 6 Techniques for security gateways.5 6.1 Packet filtering .5 6.2 Stateful packet inspection 6 6.3 Application proxy.6 6.4 Network Address Translation (NAT)6 6.5 Content analyzing and filtering 7 7 Security g

16、ateway components.7 7.1 Switches .7 7.2 Routers .8 7.3 Application Level Gateway .8 7.4 Security Appliances 8 8 Security Gateway Architectures.8 8.1 Structured approach .9 8.1.1 Packet filter firewall architecture .9 8.1.2 Dual-homed gateway architecture .10 8.1.3 Screened host architecture 11 8.1.4

17、 Screened subnet architecture 12 8.2 Staged approach13 8.2.1 Single and multi-staged security gateway architecture 14 9 Guidelines for selection and configuration 16 9.1 Selection of a security gateway architecture and appropriate components.17 9.2 Hardware and software platform17 9.3 Configuration

18、17 9.4 Security features and settings .18 9.5 Administration19 9.6 Logging.19 9.7 Documentation.20 9.8 Audit20 9.9 Training and education .20 9.10 Miscellaneous 20 Bibliography 22 SANS 18928-3:2009This standard may only be used and printed by approved subscription and freemailing clients of the SAB

19、S.ISO/IEC 18028-3:2005(E) iv ISO/IEC 2005 All rights reservedForeword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate

20、 in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and

21、non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The ma

22、in task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies cast

23、ing a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 18028-3 was prepared by Joint Technical Committee ISO/IEC JTC 1, Informat

24、ion technology, Subcommittee SC 27, IT Security techniques. ISO/IEC 18028 consists of the following parts, under the general title Information technology Security techniques IT network security: Part 2: Network security architecture Part 3: Securing communications between networks using security gat

25、eways Part 4: Securing remote access The following parts are under preparation: Part 1: Network security management Part 5: Securing communications across networks using Virtual Private Networks SANS 18928-3:2009This standard may only be used and printed by approved subscription and freemailing clie

26、nts of the SABS.ISO/IEC 18028-3:2005(E) ISO/IEC 2005 All rights reserved v Introduction The telecommunications and information technology industries are seeking cost-effective comprehensive security solutions. A secure network should be protected against malicious and inadvertent attacks, and should

27、 meet the business requirements for confidentiality, integrity, availability, non-repudiation, accountability, authenticity and reliability of information and services. Securing a network is also essential for maintaining the accuracy of billing or usage information as appropriate. Security capabili

28、ties in products are crucial to overall network security (including applications and services). However, as more products are combined to provide total solutions, the interoperability, or the lack thereof, will define the success of the solution. Security must not only be a thread of concern for eac

29、h product or service, but must be developed in a manner that promotes the interweaving of security capabilities in the overall end-to-end security solution. Thus, the purpose of ISO/IEC 18028 is to provide detailed guidance on the security aspects of the management, operation and use of IT networks,

30、 and their inter-connections. Those individuals within an organization that are responsible for IT security in general, and IT network security in particular, should be able to adapt the material in ISO/IEC 18028 to meet their specific requirements. Its main objectives are as follows: in ISO/IEC 180

31、28-1, to define and describe the concepts associated with, and provide management guidance on, network security including on how to identify and analyse the communications-related factors to be taken into account to establish network security requirements, with an introduction to the possible contro

32、l areas and the specific technical areas (dealt with in subsequent parts of ISO/IEC 18028); in ISO/IEC 18028-2, to define a standard security architecture, which describes a consistent framework to support the planning, design and implementation of network security; in ISO/IEC 18028-3, to define tec

33、hniques for securing information flows between networks using security gateways; in ISO/IEC 18028-4, to define techniques for securing remote access; in ISO/IEC 18028-5, to define techniques for securing inter-network connections that are established using virtual private networks (VPN). ISO/IEC 180

34、28-1 is relevant to anyone involved in owning, operating or using a network. This includes senior managers and other non-technical managers or users, in addition to managers and administrators who have specific responsibilities for Information Security (IS) and/or network security, network operation

35、 or who are responsible for an organizations overall security programme and security policy development. ISO/IEC 18028-2 is relevant to all personnel who are involved in the planning, design and implementation of the architectural aspects of network security (for example IT network managers, admini

36、strators, engineers, and IT network security officers). ISO/IEC 18028-3 is relevant to all personnel who are involved in the detailed planning, design and implementation of security gateways (for example IT network managers, administrators, engineers and IT network security officers). ISO/IEC 18028-

37、4 is relevant to all personnel who are involved in the detailed planning, design and implementation of remote access security (for example IT network managers, administrators, engineers, and IT network security officers). ISO/IEC 18028-5 is relevant to all personnel who are involved in the detailed

38、planning, design and implementation of VPN security (for example IT network managers, administrators, engineers, and IT network security officers). SANS 18928-3:2009This standard may only be used and printed by approved subscription and freemailing clients of the SABS.SANS 18928-3:2009This standard

39、may only be used and printed by approved subscription and freemailing clients of the SABS.INTERNATIONAL STANDARD ISO/IEC 18028-3:2005(E) ISO/IEC 2005 All rights reserved 1 Information technology Security techniques IT network security Part 3: Securing communications between networks using security g

40、ateways 1 Scope This part of ISO/IEC 18028 provides an overview of different techniques of security gateways, of components and of different types of security gateway architectures. It also provides guidelines for selection and configuration of security gateways. Although Personal Firewalls make use

41、 of similar techniques, they are outside the scope of this part of ISO/IEC 18028 because they do not serve as security gateways. The intended audiences for this part of ISO/IEC 18028 are technical and managerial personnel, e.g. IT managers, system administrators, network administrators and IT securi

42、ty personnel. It provides guidance in helping the user choose the right type of architecture for a security gateway which best meets their security requirements. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, on

43、ly the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 18028-4:2005, Information technology Security techniques IT network security Part 4: Securing remote access 3 Terms and definitions For the purposes of this

44、 document, the following terms and definitions apply. 3.1 alert instant indication that an information system and network may be under attack, or in danger because of accident, failure or people error 3.2 attacker any person deliberately exploiting vulnerabilities in technical and non-technical secu

45、rity controls in order to steal or compromise information systems and networks, or to compromise availability to legitimate users of information system and network resources SANS 18928-3:2009This standard may only be used and printed by approved subscription and freemailing clients of the SABS.ISO/I

46、EC 18028-3:2005(E) 2 ISO/IEC 2005 All rights reserved3.3 audit formal inquiry, formal examination, or verification of facts against expectations, for compliance and conformity 3.4 audit logging gathering of data on information security events for the purpose of review and analysis, and ongoing monit

47、oring 3.5 Demilitarised Zone DMZ security host or small network (also known as a screened sub-net or a perimeter network) inserted as a neutral zone between networks NOTE It forms a security buffer zone. cf. security host 3.6 filtering process of accepting or rejecting data flows through a network,

48、according to specified criteria 3.7 firewall type of security barrier placed between network environments consisting of a dedicated device or of a composite of several components and techniques through which all traffic from one network environment to another, and vice versa, traverses and only auth

49、orized traffic, as defined by the local security policy, is allowed to pass 3.8 Information Security Incident single or series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security NOTE See ISO/IEC 18044. 3.9 Information Security Incident Management formal process of responding to and dealing with information security events and incidents NOTE See ISO/IEC 18044. 3.10 Intrusi