ANSI INCITS ISO IEC 18028-3-2005 Information technology Security techniques IT network security Part 3 Securing communications between networks using security gateways.pdf

1、INCITS/ISO/IEC 18028-3:20052008(ISO/IEC 18028-3:2005, IDT) Information technology Security techniques IT network security Part 3: Securing communicationsbetween networks using security gatewaysINCITS/ISO/IEC 18028-3:20052008(ISO/IEC 18028-3:2005, IDT)INCITS/ISO/IEC 18028-3:20052008 ii ITIC 2008 All

2、rights reserved PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloa

3、ding this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the Ge

4、neral Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address giv

5、en below. Adopted by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard. Date of ANSI Approval: 7/1/2008 Published by American National Standards Institute, 25 West 43rd Street, New York, New York 10036 Copyright 2008 by Information Technology Indu

6、stry Council (ITI). All rights reserved. These materials are subject to copyright claims of International Standardization Organization (ISO), International Electrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resa

7、le. No part of this publication may be reproduced in any form, including an electronic retrieval system, without the prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW, Washington, DC 20005. Printed in the United States of America

8、 INCITS/ISO/IEC 18028-3:20052008 ITIC 2008 All rights reserved iii Contents Page Foreword iv Introduction .v 1 Scope 1 2 Normative references .1 3 Terms and definitions 1 4 Abbreviated terms 4 5 Security requirements 5 6 Techniques for security gateways .5 6.1 Packet filtering5 6.2 Stateful packet i

9、nspection .6 6.3 Application proxy .6 6.4 Network Address Translation (NAT) 6 6.5 Content analyzing and filtering 7 7 Security gateway components 7 7.1 Switches .7 7.2 Routers .8 7.3 Application Level Gateway 8 7.4 Security Appliances .8 8 Security Gateway Architectures 8 8.1 Structured approach 9 8

10、.1.1 Packet filter firewall architecture .9 8.1.2 Dual-homed gateway architecture . 10 8.1.3 Screened host architecture 11 8.1.4 Screened subnet architecture 12 8.2 Staged approach 13 8.2.1 Single and multi-staged security gateway architecture 14 9 Guidelines for selection and configuration . 16 9.1

11、 Selection of a security gateway architecture and appropriate components . 17 9.2 Hardware and software platform . 17 9.3 Configuration 17 9.4 Security features and settings . 18 9.5 Administration 19 9.6 Logging . 19 9.7 Documentation . 20 9.8 Audit 20 9.9 Training and education 20 9.10 Miscellaneo

12、us . 20 Bibliography 22 INCITS/ISO/IEC 18028-3:20052008 iv ITIC 2008 All rights reserved Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are membe

13、rs of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international orga

14、nizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IE

15、C Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 %

16、 of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 18028-3 was prepared by Joint Technical Commi

17、ttee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. ISO/IEC 18028 consists of the following parts, under the general title Information technology Security techniques IT network security: Part 2: Network security architecture Part 3: Securing communications between

18、 networks using security gateways Part 4: Securing remote access The following parts are under preparation: Part 1: Network security management Part 5: Securing communications across networks using Virtual Private Networks INCITS/ISO/IEC 18028-3:20052008 ITIC 2008 All rights reserved v Introduction

19、The telecommunications and information technology industries are seeking cost-effective comprehensive security solutions. A secure network should be protected against malicious and inadvertent attacks, and should meet the business requirements for confidentiality, integrity, availability, non-repudi

20、ation, accountability, authenticity and reliability of information and services. Securing a network is also essential for maintaining the accuracy of billing or usage information as appropriate. Security capabilities in products are crucial to overall network security (including applications and ser

21、vices). However, as more products are combined to provide total solutions, the interoperability, or the lack thereof, will define the success of the solution. Security must not only be a thread of concern for each product or service, but must be developed in a manner that promotes the interweaving o

22、f security capabilities in the overall end-to-end security solution. Thus, the purpose of ISO/IEC 18028 is to provide detailed guidance on the security aspects of the management, operation and use of IT networks, and their inter-connections. Those individuals within an organization that are responsi

23、ble for IT security in general, and IT network security in particular, should be able to adapt the material in ISO/IEC 18028 to meet their specific requirements. Its main objectives are as follows: in ISO/IEC 18028-1, to define and describe the concepts associated with, and provide management guidan

24、ce on, network security including on how to identify and analyse the communications-related factors to be taken into account to establish network security requirements, with an introduction to the possible control areas and the specific technical areas (dealt with in subsequent parts of ISO/IEC 1802

25、8); in ISO/IEC 18028-2, to define a standard security architecture, which describes a consistent framework to support the planning, design and implementation of network security; in ISO/IEC 18028-3, to define techniques for securing information flows between networks using security gateways; in ISO/

26、IEC 18028-4, to define techniques for securing remote access; in ISO/IEC 18028-5, to define techniques for securing inter-network connections that are established using virtual private networks (VPN). ISO/IEC 18028-1 is relevant to anyone involved in owning, operating or using a network. This includ

27、es senior managers and other non-technical managers or users, in addition to managers and administrators who have specific responsibilities for Information Security (IS) and/or network security, network operation, or who are responsible for an organizations overall security programme and security po

28、licy development. ISO/IEC 18028-2 is relevant to all personnel who are involved in the planning, design and implementation of the architectural aspects of network security (for example IT network managers, administrators, engineers, and IT network security officers). ISO/IEC 18028-3 is relevant to a

29、ll personnel who are involved in the detailed planning, design and implementation of security gateways (for example IT network managers, administrators, engineers and IT network security officers). ISO/IEC 18028-4 is relevant to all personnel who are involved in the detailed planning, design and imp

30、lementation of remote access security (for example IT network managers, administrators, engineers, and IT network security officers). ISO/IEC 18028-5 is relevant to all personnel who are involved in the detailed planning, design and implementation of VPN security (for example IT network managers, ad

31、ministrators, engineers, and IT network security officers). AMERICAN NATIONAL STANDARD INCITS/ISO/IEC 18028-3:20052008 ITIC 2008 All rights reserved 1 Information technology Security techniques IT network security Part 3: Securing communications between networks using security gateways 1 Scope This

32、part of ISO/IEC 18028 provides an overview of different techniques of security gateways, of components and of different types of security gateway architectures. It also provides guidelines for selection and configuration of security gateways. Although Personal Firewalls make use of similar technique

33、s, they are outside the scope of this part of ISO/IEC 18028 because they do not serve as security gateways. The intended audiences for this part of ISO/IEC 18028 are technical and managerial personnel, e.g. IT managers, system administrators, network administrators and IT security personnel. It prov

34、ides guidance in helping the user choose the right type of architecture for a security gateway which best meets their security requirements. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited

35、applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 18028-4:2005, Information technology Security techniques IT network security Part 4: Securing remote access 3 Terms and definitions For the purposes of this document, the follow

36、ing terms and definitions apply. 3.1 alert instant indication that an information system and network may be under attack, or in danger because of accident, failure or people error 3.2 attacker any person deliberately exploiting vulnerabilities in technical and non-technical security controls in orde

37、r to steal or compromise information systems and networks, or to compromise availability to legitimate users of information system and network resources INCITS/ISO/IEC 18028-3:20052008 2 ITIC 2008 All rights reserved 3.3 audit formal inquiry, formal examination, or verification of facts against expe

38、ctations, for compliance and conformity 3.4 audit logging gathering of data on information security events for the purpose of review and analysis, and ongoing monitoring 3.5 Demilitarised Zone DMZ security host or small network (also known as a screened sub-net or a perimeter network) inserted as a

39、neutral zone between networks NOTE It forms a security buffer zone. cf. security host 3.6 filtering process of accepting or rejecting data flows through a network, according to specified criteria 3.7 firewall type of security barrier placed between network environments consisting of a dedicated devi

40、ce or of a composite of several components and techniques through which all traffic from one network environment to another, and vice versa, traverses and only authorized traffic, as defined by the local security policy, is allowed to pass 3.8 Information Security Incident single or series of unwant

41、ed or unexpected information security events that have a significant probability of compromising business operations and threatening information security NOTE See ISO/IEC 18044. 3.9 Information Security Incident Management formal process of responding to and dealing with information security events

42、and incidents NOTE See ISO/IEC 18044. 3.10 Intrusion unauthorized access to a network or a network-connected system, i.e. deliberate or accidental unauthorized access to an information system, to include malicious activity against an information system, or unauthorized use of resources within an inf

43、ormation system 3.11 Intrusion Detection formal process of detecting intrusions, generally characterized by gathering knowledge about abnormal usage patterns as well as what, how, and which vulnerability has been exploited to include how and when it occurred 3.12 Intrusion Detection System IDS techn

44、ical system that is used to identify that an intrusion has been attempted, is occurring or has occurred, and possibly to respond to intrusions in IT systems and networks INCITS/ISO/IEC 18028-3:20052008 ITIC 2008 All rights reserved 3 3.13 port(1) endpoint to a connection 3.14 port(2) internet protoc

45、ol logical channel endpoint of a TCP or UDP connection NOTE Application protocols which are based on TCP or UDP have typically assigned default port numbers, e.g. port 80 for the HTTP protocol. 3.15 privacy the right of every individual that his/her private and family life, home and correspondence a

46、re treated confidentially, without interference by an authority except where it is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, the protecti

47、on of health or morals, or for the protection of the rights and freedoms of others 3.16 remote access process of accessing network resources from another network, or from a terminal device which is not permanently connected to the network it is accessing 3.17 router network device that is used to es

48、tablish and control the flow of data between different networks, which themselves can be based on different network protocols, by selecting paths or routes based upon routing protocol mechanisms and algorithms NOTE The routing information is kept in a routing table. 3.18 security dimension set of se

49、curity controls designed to address a particular aspect of network security NOTE The detailed description of security dimensions is given in ISO/IEC 18028-2. 3.19 security domain set of assets and resources subject to a common security policy 3.20 security gateway point of connection between networks, or between subgroups within networks, or between software applications within different security domains intended to protect a network according to a given security policy NOTE A security gateway c