ANSI INCITS ISO IEC TR 13335-5-2001 Information Technology - Guidelines for the Management of IT Security - Part 5 Management Guidance on Network Security (TECHNICAL REPORT).pdf

1、 INCITS/ISO/IEC TR 13335-5-2001 (R2007) (ISO/IEC TR 13335-5:2001, IDT) Information Technology - Guidelines for the Management of IT Security - Part 5: Management Guidance on Network Security (TECHNICAL REPORT) INCITS/ISO/IEC TR 13335-5-2001 (R2007) PDF disclaimer This PDF file may contain embedded t

2、ypefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not in

3、fringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were o

4、ptimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. Registered by INCITS (InterNational Committee for Informa

5、tion Technology Standards) as an American National Standard. Date of Registration: 12/31/2006 Published by American National Standards Institute, 25 West 43rd Street, New York, New York 10036 Copyright 2006 by Information Technology Industry Council (ITI). All rights reserved. These materials are su

6、bject to copyright claims of International Standardization Organization (ISO), International Electrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publication may be reproduced in any form,

7、including an electronic retrieval system, without the prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1101 K Street NW, Suite 610, Washington DC 20005. Printed in the United States of America ii ITIC 2006 All rights reserved Reference numberISO/I

8、EC TR 13335-5:2001(E)ISO/IEC 2001TECHNICAL REPORT ISO/IECTR13335-5First edition2001-11-01Information technology Guidelines for the management of IT Security Part 5: Management guidance on network securityTechnologies de linformation Lignes directrices pour la gestion de scurit IT Partie 5: Guide pou

9、r la gestion de scurit du rseau ISO/IEC TR 13335-5:2001(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the

10、computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to

11、create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform

12、 the Central Secretariat at the address given below. ISO/IEC 2001 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from

13、 either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.ch Web www.iso.ch Printed in Switzerland ii ISO/IEC 2001 All rights reservedISO/IEC TR 13335-5

14、:2001(E) ISO/IEC 2001 All rights reserved iiiTABLE OF CONTENTSForewordvIntroduction vi1.SCOPE12.REFERENCES13.DEFINITION 24.ABBREVIATION 25.STRUCTUR 26.AIM37.OVERVIEW37.1Background37.2Identification Process38REVIEW CORPORATE IT SECURITY POLICY REQUIREMENTS69REVIEW NETWORK ARCHITECTURES AND APPLICATIO

15、NS69.1Introductio 69.2Types of Network79.3Network Protocol 89.4Network Application 89.5Other Consideration 810IDENTIFY TYPES OF NETWORK CONNECTION 811 REVIEW NETWORKING CHARACTERISTICS AND RELATED TRUSTRELATIONSHIPS1111.1Network Characteristic 1111.2Trust Relationship 12ISO/IEC TR 13335-5:2001(E) iv

16、 ISO/IEC 2001 All rights reserved12DETERMINE THE TYPES OF SECURITY RISK1313IDENTIFY APPROPRIATE POTENTIAL SAFEGUARD AREAS1713.1Introductio 1713.2Secure Service Managemen 1813.2.1Introductio 1813.2.2Security Operating Procedures1913.2.3Security Compliance Checking1913.2.4 Security Conditions For Conn

17、ectio 1913.2.5Documented Security Conditions for Users of Network Services2013.2.6Incident Handlin 2013.3Identification and Authenticatio 2013.3.1Introductio 2013.3.2Remote Log-i 2013.3.3Authentication Enhancement 2113.3.4Remote System Identificatio 2113.3.5Secure Single Sign-o 2213.4Audit Trail 221

18、3.5Intrusion Detectio 2313.6Protection Against Malicious Code2413.7Network Security Managemen 2413.8Security Gateway 2513.9Data Confidentiality Over Networks2613.10Data Integrity Over Network 2613.1 Non-Repudiatio 2713.12 Virtual Private Network 2813.13Business Continuity/Disaster Recovery2814DOCUME

19、NT AND REVIEW SECURITY ARCHITECTURE OPTIONS2915 PREPARE FOR THE ALLOCATION OF SAFEGUARD SELECTION,DESIGN, IMPLEMENTATION AND MAINTENANCE2916SUMMARY29Bibliography 31ISO/IEC TR 13335-5:2001(E) ISO/IEC 2001 All rights reserved vForeword ISO (the International Organization for Standardization) and IEC (

20、the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with part

21、icular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have esta

22、blished a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 3. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint techn

23、ical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. In exceptional circumstances, the joint technical committee may propose the publication of a Technical Report of one of the

24、following types: type 1, when the required support cannot be obtained for the publication of an International Standard, despite repeated efforts; type 2, when the subject is still under technical development or where for any other reason there is the future but not immediate possibility of an agreem

25、ent on an International Standard; type 3, when the joint technical committee has collected data of a different kind from that which is normally published as an International Standard (“state of the art”, for example). Technical Reports of types 1 and 2 are subject to review within three years of pub

26、lication, to decide whether they can be transformed into International Standards. Technical Reports of type 3 do not necessarily have to be reviewed until the data they provide are considered to be no longer valid or useful. Attention is drawn to the possibility that some of the elements of this par

27、t of ISO/IEC TR 13335 may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC TR 13335-5, which is a Technical Report of type 3, was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee

28、 SC 27, IT Security techniques. ISO/IEC TR 13335 consists of the following parts, under the general title Information technology Guidelines for the management of IT Security: Part 1: Concepts and models for IT Security Part 2: Managing and planning IT Security Part 3: Techniques for the management o

29、f IT Security Part 4: Selection of safeguards Part 5: Management guidance on network security ISO/IEC TR 13335-5:2001(E) vi ISO/IEC 2001 All rights reservedIntroductionThe purpose of this Technical Report (ISO/IEC TR 13335) is to provide guidance, notsolutions, on management aspects of IT security.

30、Those individuals within an organizationthat are responsible for IT security should be able to adapt the material in this report tomeet their specific needs. The main objectives of this Technical Report are: to define and describe the concepts associated with the management of IT security, to identi

31、fy the relationships between the management of IT security and managementof IT in general, to present several models which can be used to explain IT security, and to provide general guidance on the management of IT security.ISO/IEC TR 13335 is organized into five parts. Part 1 provides an overview o

32、f thefundamental concepts and models used to describe the management of IT security. Thismaterial is suitable for managers responsible for IT security and for those who areresponsible for an organizations overall security programme.Part 2 describes management and planning aspects. It is relevant to

33、managers withresponsibilities relating to an organizations IT systems. They may be: IT managers who are responsible for overseeing the design, implementation, testing,procurement, or operation of IT systems, or managers who are responsible for activities that make substantial use of IT systems.Part

34、3 describes security techniques relevant to those involved with management activitiesduring a project life cycle, such as planning, designing, implementing, testing, acquisitionor operations.Part 4 provides guidance for the selection of safeguards, and how this can be supported bythe use of baseline

35、 models and controls. It also describes how this complements thesecurity techniques described in Part 3, and how additional assessment methods can beused for the selection of safeguards.Part 5 provides guidance with respect to networks and communications to thoseresponsible for the management of IT

36、security. This guidance supports the identificationand analysis of the communications related factors that should be taken into account toestablish network security requirements. It also contains a brief introduction to the possiblesafeguard areas.TECHNICAL REPORT ISO/IEC TR 13335-5:2001(E) ISO/IEC

37、2001 All rights reserved 1Information technology Guidelines for the management of IT Security Part 5: Management guidance on network security 1. ScopeISO/IEC TR 13335-5 provides guidance with respect to networks and communications tothose responsible for the management of IT security. This guidance

38、supports theidentification and analysis of the communications related factors that should be taken intoaccount to establish network security requirements.This part of ISO/IEC TR 13335 builds upon Part 4 of this Technical Report by providingan introduction on how to identify appropriate safeguard are

39、as with respect to securityassociated with connections to communications networks.It is not within the scope of this TR to provide advice on the detailed design andimplementation aspects of the technical safeguard areas. That advice will be dealt with infuture ISO documents.2. ReferencesISO/IEC TR 1

40、3335-1:1996, Information technology Guidelines for the management of IT Security Part 1: Concepts and models for IT Security ISO/IEC TR 13335-2:1997, Information technology Guidelines for the management of IT Security Part 2: Managing and planning IT Security ISO/IEC TR 13335-3:1998, Information tec

41、hnology Guidelines for the management of IT Security Part 3: Techniques for the management of IT Security ISO/IEC TR 13335-4:2000, Information technology Guidelines for the management of IT Security Part 4: Selection of safeguards ISO/IEC TR 14516:1), Information technology Guidelines on the use and

42、 management of Trusted Third Party (TTP) services ISO/IEC 13888 (all parts), Information technology Security techniques Non-repudiation ISO/IEC 15947:1), Information technology Security techniques IT intrusion detection framework ISO/IEC 7498-1:1994, Information technology Open Systems Interconnecti

43、on Basic Reference Model: The Basic Model _ 1) To be published. ISO 7498-2:1989, Information processing systems Open Systems Interconnection Basic Reference Model Part 2: Security Architecture ISO/IEC TR 13335-5:2001(E) 2 ISO/IEC 2001 All rights reservedISO/IEC 7498-3:1997, Information technology Op

44、en Systems Interconnection Basic Reference Model: Naming and addressing (Other relevant, non ISO/IEC, references are given in the Bibliography.)3. DefinitionsFor the purposes of this part of ISO/IEC TR 13335, the definitions given in Part 1 ofISO/IEC TR 13335 apply: accountability, asset, authentici

45、ty, availability, baselinecontrols, confidentiality, data integrity, impact, integrity, IT security, IT security policy,non-repudiation, reliability, risk, risk analysis, risk management, safeguard, threat,vulnerability.4. AbbreviationsEDI - Electronic Data InterchangeIP - Internet ProtocolIT - Info

46、rmation TechnologyPC - Personal ComputerPIN - Personal Identification NumberSecOPs - Security Operating ProceduresTR - Technical Report5. StructureThe approach taken in TR 13335-5 is to first summarize the overall process foridentification and analysis of the communications related factors that shou

47、ld be taken intoaccount to establish network security requirements, and then provide an indication of thepotential safeguard areas (in doing so indicating where relevant content of other parts ofTR 13335 may be used).This document describes three simple criteria to aid those persons responsible for

48、ITsecurity to identify potential safeguard areas. These criteria identify (1) the different typesof network connections, (2) the different networking characteristics and related trustrelationships, and (3) the potential types of security risk associated with networkconnections (and the use of servic

49、es provided via those connections). The results ofcombining these criteria are then utilised to indicate potential safeguard areas.Subsequently, a brief introductory description is provided of the potential safeguard areas,with indications to sources of more detail.ISO/IEC 7498-4:1989, Information processing systems Open Systems Interconnection Basic Ref