BS ISO IEC 27033-4-2014 Information technology Security techniques Network security Securing communications between networks using security gateways《信息技术 安全技术 网络安全 使用安全网关的网间安全通信》.pdf

1、BSI Standards PublicationBS ISO/IEC 27033-4:2014Information technology Security techniques NetworksecurityPart 4: Securing communications betweennetworks using security gatewaysBS ISO/IEC 27033-4:2014 BRITISH STANDARDNational forewordThis British Standard is the UK implementation of ISO/IEC27033-4:2

2、014. It supersedes BS ISO/IEC 18028-3:2005 which iswithdrawn.The UK participation in its preparation was entrusted to TechnicalCommittee IST/33, IT - Security techniques.A list of organizations represented on this committee can beobtained on request to its secretary.This publication does not purport

3、 to include all the necessaryprovisions of a contract. Users are responsible for its correctapplication. The British Standards Institution 2014. Published by BSI StandardsLimited 2014ISBN 978 0 580 65101 4ICS 35.040Compliance with a British Standard cannot confer immunity fromlegal obligations.This

4、British Standard was published under the authority of theStandards Policy and Strategy Committee on 28 February 2014.Amendments issued since publicationDate Text affectedBS ISO/IEC 27033-4:2014Information technology Security techniques Network security Part 4: Securing communications between network

5、s using security gatewaysTechnologies de linformation Techniques de scurit - Scurit de rseau Partie 4: Scurisation des communications entre rseaux en utilisant des portails de scurit ISO/IEC 2014INTERNATIONAL STANDARDISO/IEC27033-4First edition2014-03-01Reference numberISO/IEC 27033-4:2014(E)BS ISO/

6、IEC 27033-4:2014ISO/IEC 27033-4:2014(E)ii ISO/IEC 2014 All rights reservedCOPYRIGHT PROTECTED DOCUMENT ISO/IEC 2014All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including pho

7、tocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester.ISO copyright officeCase postale 56 CH-1211 Geneva 20Tel. + 41 22 749 01 11Fax + 41 22 749 09 4

8、7E-mail copyrightiso.orgWeb www.iso.orgPublished in SwitzerlandBS ISO/IEC 27033-4:2014ISO/IEC 27033-4:2014(E) ISO/IEC 2014 All rights reserved iiiContents PageForeword ivIntroduction v1 Scope . 12 Normative references 13 Terms and definitions . 14 Abbreviated terms 25 Structure . 46 Overview . 47 Se

9、curity threats 58 Security requirements 69 Security controls . 89.1 Overview 89.2 Stateless packet filtering. 89.3 Stateful packet inspection . 99.4 Application firewall . 99.5 Content filtering 109.6 Intrusion prevention system and intrusion detection system 109.7 Security management API 1110 Desig

10、n techniques 1110.1 Security gateway components 1110.2 Deploying security gateway controls 1211 Guidelines for product selection 1611.1 Overview . 1611.2 Selection of a security gateway architecture and appropriate components 1711.3 Hardware and software platform. 1711.4 Configuration . 1711.5 Secur

11、ity features and settings . 1811.6 Administration capability . 1911.7 Logging capability . 1911.8 Audit capability 2011.9 Training and education . 2011.10 Implementation types 2011.11 High availability and operation mode 2011.12 Other considerations 20Bibliography .22BS ISO/IEC 27033-4:2014ISO/IEC 2

12、7033-4:2014(E)ForewordISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards t

13、hrough technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, a

14、lso take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.The main task of the joint technical committee is to pre

15、pare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.Attention is drawn to the possibility t

16、hat some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.ISO/IEC 27033-4 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security tech

17、niques.This first edition of ISO/IEC 27033-4 cancels and replaces ISO/IEC 18028-3:2005, which has been technically revised.ISO/IEC 27033 consists of the following parts, under the general title Information technology Security techniques Network security: Part 1: Overview and concepts Part 2: Guideli

18、nes for the design and implementation of network security Part 3: Reference networking scenarios Threats, design techniques and control issues Part 4: Securing communications between networks using security gateways Part 5: Securing communications across networks using Virtual Private Networks (VPNs

19、) Part 6: Securing wireless IP network access(Note that there may be other Parts. Examples of possible topics to be covered by Parts include local area networks, wide area networks, broadband networks, web hosting, Internet email, and routed access to third party organizations. The main clauses of a

20、ll such Parts should be Risks, Design Techniques and Control Issues.)iv ISO/IEC 2014 All rights reservedBS ISO/IEC 27033-4:2014ISO/IEC 27033-4:2014(E)IntroductionThe majority of both commercial and government organizations have their information systems connected by networks, with the network connec

21、tions being one or more of the following: within the organization. between different organizations. between the organization and the general public.Further, with the rapid developments in publicly available network technology (in particular with the Internet) offering significant business opportunit

22、ies, organizations are increasingly conducting electronic business on a global scale and providing online public services. The opportunities include the provision of lower cost data communications, using the Internet simply as a global connection medium, through to more sophisticated services provid

23、ed by Internet Service Providers (ISPs). This can mean the use of relatively low cost local attachment points at each end of a circuit to full scale online electronic trading and service delivery systems, using web-based applications and services. Further, the new technology (including the integrati

24、on of data, voice and video) increases the opportunities for remote working (also known as teleworking or telecommuting). Telecommuters are able to keep in contact through the use of remote facilities to access organization and community networks and related business support information and services

25、.However, while this environment does facilitate significant business benefits, there are new security threats to be managed. With organizations relying heavily on the use of information and associated networks to conduct their business, the loss of confidentiality, integrity, and availability of in

26、formation and services could have significant adverse impacts on business operations. Thus, there is a major need to properly protect networks and their related information systems and information. In other words, implementing and maintaining adequate network security is critical to the success of a

27、ny organizations business operations.In this context, the telecommunications and information technology industries are seeking cost-effective comprehensive security solutions, aimed at protecting networks against malicious attacks and inadvertent incorrect actions, thereby meeting the business requi

28、rements for confidentiality, integrity, and availability of information and services. Securing a network is also essential to achieve accurate billing for network usage. Security capabilities in products are crucial to overall network security (including applications and services). However, as more

29、products are combined to provide total solutions, the interoperability, or the lack thereof, will define the success of the solution. Security must not only be a thread of concern for each product or service, but must be developed in a manner that promotes the interweaving of security capabilities i

30、n the overall security solution.The purpose of ISO/IEC 27033-4, Securing communications between networks using security gateways, is to provide guidance on how to identify and analyse network security threats associated with security gateways, define the network security requirements for security ga

31、teways based on threat analysis, introduce design techniques to achieve a network technical security architecture to address the threats and control aspects associated with typical network scenarios, and address the issues associated with implementing, operating, monitoring and reviewing network sec

32、urity controls with security gateways.It is emphasized that the ISO/IEC 27033-4 is relevant to all personnel who are involved in the detailed planning, design and implementation of security gateways (for example network architects and designers, network managers, and network security officers). ISO/

33、IEC 2014 All rights reserved vBS ISO/IEC 27033-4:2014BS ISO/IEC 27033-4:2014Information technology Security techniques Network security Part 4: Securing communications between networks using security gateways1 ScopeThis part of ISO/IEC 27033 gives guidance for securing communications between network

34、s using security gateways (firewall, application firewall, Intrusion Protection System, etc.) in accordance with a documented information security policy of the security gateways, including:a) identifying and analysing network security threats associated with security gateways;b) defining network se

35、curity requirements for security gateways based on threat analysis;c) using techniques for design and implementation to address the threats and control aspects associated with typical network scenarios; andd) addressing issues associated with implementing, operating, monitoring and reviewing network

36、 security gateway controls.2 Normative referencesThe following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.I

37、SO/IEC 27033-1, Information technology Security techniques Network security Part 1: Overview and concepts3 Terms and definitionsFor the purposes of this document, the terms and definitions given in ISO/IEC 27033-1 and the following apply.3.1bastion hostspecific host with hardened operation system th

38、at is used to intercept packets entering or leaving a network and the system that any outsider must normally connect with to access a service or a system that lies within an organizations firewall3.2end-point software-based firewallsoftware application running on a single machine, protecting network

39、 traffic into and out of that machine to permit or deny communications based on an end user-defined security policyINTERNATIONAL STANDARD ISO/IEC 27033-4:2014(E) ISO/IEC 2014 All rights reserved 1BS ISO/IEC 27033-4:2014ISO/IEC 27033-4:2014(E)3.3hardened operating systemoperating system which has bee

40、n configured or designed specifically to minimize the potential for comprise or attackNote 1 to entry: This may be a general OS, such as Linux, which has been configured for this environment or may be a more custom built solution.3.4Internet gatewayentry point to access the internet3.5packetentity c

41、omprising a well-defined block of bytes consisting of header, data and optional trailer which can be transmitted across networks or over telephone linesNote 1 to entry: The format of a packet depends on the protocol that created it. Various communications standards and protocols use special purpose

42、packets to monitor and control a communications session. For example the X.25 standard uses diagnostic, call clear and reset packets (among others), as well as data packets (or) a unit of data that is transmitted over the network.3.6perimeter networkphysical or logical subnetwork that contains and e

43、xposes an organizations external services to a public network3.7remote officebranch officeoffice externally connected to the organizations main office through remote networks to provide users with services (e.g. file, print and the other service) required to maintain their daily business routine3.8s

44、ingle point of failuretype of failure that if a part of a system fails, the entire system does not work3.9SIP gatewayperimeter device that sits between the internal VoIP network and an external network such as the public telephone networkNote 1 to entry: Often a router is used to perform the role. W

45、here VoIP is in use to external IP networks it is important to ensure that the gateway contains sufficient security measures especially dynamic rule base changes to all call setup to take place securely.4 Abbreviated termsACL Access Control ListAPI Application Programming InterfaceASIC Application S

46、pecific Integrated CircuitBGP Border Gateway ProtocolCPU Central Processing UnitDDoS Distributed Denial-of-Service2 ISO/IEC 2014 All rights reservedBS ISO/IEC 27033-4:2014ISO/IEC 27033-4:2014(E)DLL Dynamic Link LibraryDMZ Demilitarized ZoneDNS Domain Name ServerDoS Denial-of-ServiceFTP File Transfer

47、 ProtocolHTTP Hypertext Transfer ProtocolHTTPS Hypertext Transfer Protocol over Secure Socket LayerICMP Internet Control Message ProtocolIDS Intrusion Detection SystemIP Internet ProtocolIPS Intrusion Prevention SystemISP Internet Service ProviderMIME Multipurpose Internet Mail ExtensionsNAT Network

48、 Address TranslationNFS Network File SystemNIS Network Information SystemNNTP Network News Transport ProtocolNTP Network Time ProtocolOS Operating SystemOSI Open System InterconnectionOSPF Open Shortest Path FirstRIP Routing Information ProtocolRPC Remote Procedure CallSIP Session Initiation Protoco

49、lSMS Short Message ServiceS/MIME Secure/Multipurpose Internet Mail ExtensionsSMTP Simple Mail Transfer ProtocolSOAP Simple Object Access ProtocolSPA Switched Port AnalyzerSPOF Single Point Of FailureSQL Structured Query Language ISO/IEC 2014 All rights reserved 3BS ISO/IEC 27033-4:2014ISO/IEC 27033-4:2014(E)SSL Secure Sockets Layer protocolSYN SynchronousTCP Transmission Control ProtocolTLS Transport Layer SecurityUDP User Datagram ProtocolVLAN Virtual Local Area NetworkVM Virtual MachineVoIP Voice over Int