ImageVerifierCode 换一换
格式:PDF , 页数:34 ,大小:1.38MB ,
资源ID:588451      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-588451.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(BS ISO IEC 27033-4-2014 Information technology Security techniques Network security Securing communications between networks using security gateways《信息技术 安全技术 网络安全 使用安全网关的网间安全通信》.pdf)为本站会员(medalangle361)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

BS ISO IEC 27033-4-2014 Information technology Security techniques Network security Securing communications between networks using security gateways《信息技术 安全技术 网络安全 使用安全网关的网间安全通信》.pdf

1、BSI Standards PublicationBS ISO/IEC 27033-4:2014Information technology Security techniques NetworksecurityPart 4: Securing communications betweennetworks using security gatewaysBS ISO/IEC 27033-4:2014 BRITISH STANDARDNational forewordThis British Standard is the UK implementation of ISO/IEC27033-4:2

2、014. It supersedes BS ISO/IEC 18028-3:2005 which iswithdrawn.The UK participation in its preparation was entrusted to TechnicalCommittee IST/33, IT - Security techniques.A list of organizations represented on this committee can beobtained on request to its secretary.This publication does not purport

3、 to include all the necessaryprovisions of a contract. Users are responsible for its correctapplication. The British Standards Institution 2014. Published by BSI StandardsLimited 2014ISBN 978 0 580 65101 4ICS 35.040Compliance with a British Standard cannot confer immunity fromlegal obligations.This

4、British Standard was published under the authority of theStandards Policy and Strategy Committee on 28 February 2014.Amendments issued since publicationDate Text affectedBS ISO/IEC 27033-4:2014Information technology Security techniques Network security Part 4: Securing communications between network

5、s using security gatewaysTechnologies de linformation Techniques de scurit - Scurit de rseau Partie 4: Scurisation des communications entre rseaux en utilisant des portails de scurit ISO/IEC 2014INTERNATIONAL STANDARDISO/IEC27033-4First edition2014-03-01Reference numberISO/IEC 27033-4:2014(E)BS ISO/

6、IEC 27033-4:2014ISO/IEC 27033-4:2014(E)ii ISO/IEC 2014 All rights reservedCOPYRIGHT PROTECTED DOCUMENT ISO/IEC 2014All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including pho

7、tocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester.ISO copyright officeCase postale 56 CH-1211 Geneva 20Tel. + 41 22 749 01 11Fax + 41 22 749 09 4

8、7E-mail copyrightiso.orgWeb www.iso.orgPublished in SwitzerlandBS ISO/IEC 27033-4:2014ISO/IEC 27033-4:2014(E) ISO/IEC 2014 All rights reserved iiiContents PageForeword ivIntroduction v1 Scope . 12 Normative references 13 Terms and definitions . 14 Abbreviated terms 25 Structure . 46 Overview . 47 Se

9、curity threats 58 Security requirements 69 Security controls . 89.1 Overview 89.2 Stateless packet filtering. 89.3 Stateful packet inspection . 99.4 Application firewall . 99.5 Content filtering 109.6 Intrusion prevention system and intrusion detection system 109.7 Security management API 1110 Desig

10、n techniques 1110.1 Security gateway components 1110.2 Deploying security gateway controls 1211 Guidelines for product selection 1611.1 Overview . 1611.2 Selection of a security gateway architecture and appropriate components 1711.3 Hardware and software platform. 1711.4 Configuration . 1711.5 Secur

11、ity features and settings . 1811.6 Administration capability . 1911.7 Logging capability . 1911.8 Audit capability 2011.9 Training and education . 2011.10 Implementation types 2011.11 High availability and operation mode 2011.12 Other considerations 20Bibliography .22BS ISO/IEC 27033-4:2014ISO/IEC 2

12、7033-4:2014(E)ForewordISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards t

13、hrough technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, a

14、lso take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.The main task of the joint technical committee is to pre

15、pare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.Attention is drawn to the possibility t

16、hat some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.ISO/IEC 27033-4 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security tech

17、niques.This first edition of ISO/IEC 27033-4 cancels and replaces ISO/IEC 18028-3:2005, which has been technically revised.ISO/IEC 27033 consists of the following parts, under the general title Information technology Security techniques Network security: Part 1: Overview and concepts Part 2: Guideli

18、nes for the design and implementation of network security Part 3: Reference networking scenarios Threats, design techniques and control issues Part 4: Securing communications between networks using security gateways Part 5: Securing communications across networks using Virtual Private Networks (VPNs

19、) Part 6: Securing wireless IP network access(Note that there may be other Parts. Examples of possible topics to be covered by Parts include local area networks, wide area networks, broadband networks, web hosting, Internet email, and routed access to third party organizations. The main clauses of a

20、ll such Parts should be Risks, Design Techniques and Control Issues.)iv ISO/IEC 2014 All rights reservedBS ISO/IEC 27033-4:2014ISO/IEC 27033-4:2014(E)IntroductionThe majority of both commercial and government organizations have their information systems connected by networks, with the network connec

21、tions being one or more of the following: within the organization. between different organizations. between the organization and the general public.Further, with the rapid developments in publicly available network technology (in particular with the Internet) offering significant business opportunit

22、ies, organizations are increasingly conducting electronic business on a global scale and providing online public services. The opportunities include the provision of lower cost data communications, using the Internet simply as a global connection medium, through to more sophisticated services provid

23、ed by Internet Service Providers (ISPs). This can mean the use of relatively low cost local attachment points at each end of a circuit to full scale online electronic trading and service delivery systems, using web-based applications and services. Further, the new technology (including the integrati

24、on of data, voice and video) increases the opportunities for remote working (also known as teleworking or telecommuting). Telecommuters are able to keep in contact through the use of remote facilities to access organization and community networks and related business support information and services

25、.However, while this environment does facilitate significant business benefits, there are new security threats to be managed. With organizations relying heavily on the use of information and associated networks to conduct their business, the loss of confidentiality, integrity, and availability of in

26、formation and services could have significant adverse impacts on business operations. Thus, there is a major need to properly protect networks and their related information systems and information. In other words, implementing and maintaining adequate network security is critical to the success of a

27、ny organizations business operations.In this context, the telecommunications and information technology industries are seeking cost-effective comprehensive security solutions, aimed at protecting networks against malicious attacks and inadvertent incorrect actions, thereby meeting the business requi

28、rements for confidentiality, integrity, and availability of information and services. Securing a network is also essential to achieve accurate billing for network usage. Security capabilities in products are crucial to overall network security (including applications and services). However, as more

29、products are combined to provide total solutions, the interoperability, or the lack thereof, will define the success of the solution. Security must not only be a thread of concern for each product or service, but must be developed in a manner that promotes the interweaving of security capabilities i

30、n the overall security solution.The purpose of ISO/IEC 27033-4, Securing communications between networks using security gateways, is to provide guidance on how to identify and analyse network security threats associated with security gateways, define the network security requirements for security ga

31、teways based on threat analysis, introduce design techniques to achieve a network technical security architecture to address the threats and control aspects associated with typical network scenarios, and address the issues associated with implementing, operating, monitoring and reviewing network sec

32、urity controls with security gateways.It is emphasized that the ISO/IEC 27033-4 is relevant to all personnel who are involved in the detailed planning, design and implementation of security gateways (for example network architects and designers, network managers, and network security officers). ISO/

33、IEC 2014 All rights reserved vBS ISO/IEC 27033-4:2014BS ISO/IEC 27033-4:2014Information technology Security techniques Network security Part 4: Securing communications between networks using security gateways1 ScopeThis part of ISO/IEC 27033 gives guidance for securing communications between network

34、s using security gateways (firewall, application firewall, Intrusion Protection System, etc.) in accordance with a documented information security policy of the security gateways, including:a) identifying and analysing network security threats associated with security gateways;b) defining network se

35、curity requirements for security gateways based on threat analysis;c) using techniques for design and implementation to address the threats and control aspects associated with typical network scenarios; andd) addressing issues associated with implementing, operating, monitoring and reviewing network

36、 security gateway controls.2 Normative referencesThe following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.I

37、SO/IEC 27033-1, Information technology Security techniques Network security Part 1: Overview and concepts3 Terms and definitionsFor the purposes of this document, the terms and definitions given in ISO/IEC 27033-1 and the following apply.3.1bastion hostspecific host with hardened operation system th

38、at is used to intercept packets entering or leaving a network and the system that any outsider must normally connect with to access a service or a system that lies within an organizations firewall3.2end-point software-based firewallsoftware application running on a single machine, protecting network

39、 traffic into and out of that machine to permit or deny communications based on an end user-defined security policyINTERNATIONAL STANDARD ISO/IEC 27033-4:2014(E) ISO/IEC 2014 All rights reserved 1BS ISO/IEC 27033-4:2014ISO/IEC 27033-4:2014(E)3.3hardened operating systemoperating system which has bee

40、n configured or designed specifically to minimize the potential for comprise or attackNote 1 to entry: This may be a general OS, such as Linux, which has been configured for this environment or may be a more custom built solution.3.4Internet gatewayentry point to access the internet3.5packetentity c

41、omprising a well-defined block of bytes consisting of header, data and optional trailer which can be transmitted across networks or over telephone linesNote 1 to entry: The format of a packet depends on the protocol that created it. Various communications standards and protocols use special purpose

42、packets to monitor and control a communications session. For example the X.25 standard uses diagnostic, call clear and reset packets (among others), as well as data packets (or) a unit of data that is transmitted over the network.3.6perimeter networkphysical or logical subnetwork that contains and e

43、xposes an organizations external services to a public network3.7remote officebranch officeoffice externally connected to the organizations main office through remote networks to provide users with services (e.g. file, print and the other service) required to maintain their daily business routine3.8s

44、ingle point of failuretype of failure that if a part of a system fails, the entire system does not work3.9SIP gatewayperimeter device that sits between the internal VoIP network and an external network such as the public telephone networkNote 1 to entry: Often a router is used to perform the role. W

45、here VoIP is in use to external IP networks it is important to ensure that the gateway contains sufficient security measures especially dynamic rule base changes to all call setup to take place securely.4 Abbreviated termsACL Access Control ListAPI Application Programming InterfaceASIC Application S

46、pecific Integrated CircuitBGP Border Gateway ProtocolCPU Central Processing UnitDDoS Distributed Denial-of-Service2 ISO/IEC 2014 All rights reservedBS ISO/IEC 27033-4:2014ISO/IEC 27033-4:2014(E)DLL Dynamic Link LibraryDMZ Demilitarized ZoneDNS Domain Name ServerDoS Denial-of-ServiceFTP File Transfer

47、 ProtocolHTTP Hypertext Transfer ProtocolHTTPS Hypertext Transfer Protocol over Secure Socket LayerICMP Internet Control Message ProtocolIDS Intrusion Detection SystemIP Internet ProtocolIPS Intrusion Prevention SystemISP Internet Service ProviderMIME Multipurpose Internet Mail ExtensionsNAT Network

48、 Address TranslationNFS Network File SystemNIS Network Information SystemNNTP Network News Transport ProtocolNTP Network Time ProtocolOS Operating SystemOSI Open System InterconnectionOSPF Open Shortest Path FirstRIP Routing Information ProtocolRPC Remote Procedure CallSIP Session Initiation Protoco

49、lSMS Short Message ServiceS/MIME Secure/Multipurpose Internet Mail ExtensionsSMTP Simple Mail Transfer ProtocolSOAP Simple Object Access ProtocolSPA Switched Port AnalyzerSPOF Single Point Of FailureSQL Structured Query Language ISO/IEC 2014 All rights reserved 3BS ISO/IEC 27033-4:2014ISO/IEC 27033-4:2014(E)SSL Secure Sockets Layer protocolSYN SynchronousTCP Transmission Control ProtocolTLS Transport Layer SecurityUDP User Datagram ProtocolVLAN Virtual Local Area NetworkVM Virtual MachineVoIP Voice over Int

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1