BS ISO IEC 27039-2015 Information technology Security techniques Selection deployment and operations of intrusion detection systems (IDPS)《信息技术 安全技术 入侵式检测系统的选择、开发和操作(IDPS)》.pdf

1、BSI Standards PublicationBS ISO/IEC 27039:2015Information technology Security techniques Selection, deployment andoperations of intrusiondetection systems (IDPS)BS ISO/IEC 27039:2015 BRITISH STANDARDNational forewordThis British Standard is the UK implementation of ISO/IEC 27039:2015. It supersedes

2、BS ISO/IEC 18043:2006 whichis withdrawn.The UK participation in its preparation was entrusted to Technical Committee IST/33, IT - Security techniques.A list of organizations represented on this committee can be obtained on request to its secretary.This publication does not purport to include all the

3、 necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2015.Published by BSI Standards Limited 2015ISBN 978 0 580 76243 7 ICS 35.020; 35.040 Compliance with a British Standard cannot confer immunity from legal obligations.This Britis

4、h Standard was published under the authority of the Standards Policy and Strategy Committee on 28 February 2015.Amendments/corrigenda issued since publicationDate Text affectedInformation technology Security techniques Selection, deployment and operations of intrusion detection systems (IDPS)Technol

5、ogies de linformation Techniques de scurit Slection, dploiement et oprations des systmes de dtection dintrusionINTERNATIONAL STANDARDISO/IEC 27039Reference number ISO/IEC 27039:2015(E)First edition 2015-02-15 ISO/IEC 2015BS ISO/IEC 27039:2015ii ISO/IEC 2015 All rights reservedCOPYRIGHT PROTECTED DOC

6、UMENT ISO/IEC 2015All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permissio

7、n can be requested from either ISO at the address below or ISOs member body in the country of the requester.ISO copyright officeCase postale 56 CH-1211 Geneva 20Tel. + 41 22 749 01 11Fax + 41 22 749 09 47E-mail copyrightiso.orgWeb www.iso.orgPublished in SwitzerlandISO/IEC 27039:2015(E)BS ISO/IEC 27

8、039:2015ISO/IEC 27039:2015(E)Foreword vIntroduction vi1 Scope . 12 Terms and definitions . 13 Background 54 General 55 Selection 65.1 Introduction 65.2 Information security risk assessment. 75.3 Host or Network IDPS . 75.3.1 Overview . 75.3.2 Host-based IDPS (HIDPS) . 75.3.3 Network-based IDPS (NIDP

9、S) . 75.4 Considerations 85.4.1 System environment . 85.4.2 Security protection mechanisms . 85.4.3 IDPS security policy 85.4.4 Performance 95.4.5 Verification of capabilities 105.4.6 Cost .105.4.7 Updates . 115.4.8 Alert strategies .125.4.9 Identity management125.5 Tools that complement IDPS 135.5.

10、1 Overview 135.5.2 File integrity checkers 145.5.3 Firewall . 145.5.4 Honeypots . 145.5.5 Network management tools 155.5.6 Security Information Event Management (SIEM) tools 155.5.7 Virus/Content protection tools 165.5.8 Vulnerability assessment tools .165.6 Scalability . 175.7 Technical support 175

11、.8 Training 186 Deployment .186.1 Overview . 186.2 Staged deployment . 186.3 NIDPS deployment 196.3.1 Overview 196.3.2 Location of NIDPS inside an Internet firewall .206.3.3 Location of NIDPS outside an Internet firewall 206.3.4 Location of NIDPS on a major network backbone .216.3.5 Location of NIDP

12、S on critical subnets 216.4 HIDPS deployment 216.5 Safeguarding and protecting IDPS information security .22 ISO/IEC 2015 All rights reserved iiiBS ISO/IEC 27039:2015ISO/IEC 27039:2015(E)7 Operations 227.1 Overview . 227.2 IDPS tuning 237.3 IDPS vulnerabilities . 237.4 Handling IDPS alerts . 237.4.1

13、 Overview 237.4.2 Information Security Incident Response Team (ISIRT) 247.4.3 Outsourcing . 247.5 Response options . 257.5.1 Principles . 257.5.2 Active response 257.5.3 Passive reaction .277.6 Legal Considerations . 277.6.1 Overview 277.6.2 Privacy . 277.6.3 Other legal and policy considerations 27

14、7.6.4 Forensics 27Annex A (informative) Intrusion Detection and Prevention System (IDPS): Framework and issues to be considered .28Bibliography .48iv ISO/IEC 2015 All rights reservedBS ISO/IEC 27039:2015ISO/IEC 27039:2015(E)ForewordISO (the International Organization for Standardization) and IEC (th

15、e International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with partic

16、ular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have establ

17、ished a joint technical committee, ISO/IEC JTC 1.The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This

18、 document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying

19、any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).Any trade name used in this document is information given for the convenience of

20、users and does not constitute an endorsement.For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT), see the following URL: Foreword Supplemen

21、tary information .The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Security techniques.This first edition of ISO/IEC 27039 cancels and replaces ISO/IEC 18043:2006, which has been technically revised.Legal noticeThe National Institute of Standa

22、rds and Technology (NIST), hereby grant non-exclusive license to ISO/IEC to use the NIST Special Publication on intrusion detection systems (SP800-94 rev1, July 2012) in the development of the ISO/IEC 27039 International Standard. However, the NIST retains the right to use, copy, distribute, or modi

23、fy the SP800-94 as they see fit. ISO/IEC 2015 All rights reserved vBS ISO/IEC 27039:2015ISO/IEC 27039:2015(E)IntroductionOrganizations should not only know when, if, and how an intrusion of their network, system, or application occurs. They also should know what vulnerability was exploited and what

24、safeguards or appropriate risk treatment options (i.e. risk modification, risk retention, risk avoidance, risk sharing) should be implemented to prevent similar intrusions in the future. Organizations should also recognize and deter cyber-based intrusions. This requires an analysis of host and netwo

25、rk traffic and/or audit trails for attack signatures or specific patterns that usually indicate malicious or suspicious intent. In the mid-1990s, organizations began to use intrusion detection and prevention systems (IDPS) to fulfil these needs. The general use of IDPS continues to expand with a wid

26、er range of IDPS products being made available to satisfy an increasing level of organizational demands for advanced intrusion detection capability.In order for an organization to derive the maximum benefits from IDPS, the process of IDPS selection, deployment, and operations should be carefully pla

27、nned and implemented by properly trained and experienced personnel. In the case where this process is achieved, then IDPS products can assist an organization in obtaining intrusion information and can serve as an important security device within the overall information and communications technology

28、(ICT) infrastructure.This International Standard provides guidelines for effective IDPS selection, deployment, and operation, as well as fundamental knowledge about IDPS. It is also applicable to those organizations that are considering outsourcing their intrusion detection capabilities. Information

29、 about outsourcing service level agreements can be found in the IT service management (ITSM) processes based on ISO/IEC 20000 Series.This International Standard is intended to be helpful to: a) An organization in satisfying the following requirements of ISO/IEC 27001: The organization shall implemen

30、t procedures and other controls capable of enabling prompt detection of and response to security incidents; The organization shall execute monitoring and review procedures and other controls to properly identify attempted and successful security breaches and incidents.b) An organization in implement

31、ing controls that meet the following security objectives of ISO/IEC 27002: To detect unauthorized information processing activities; Systems should be monitored and information security events should be recorded. Operator logs and fault logging should be used to ensure information system problems ar

32、e identified; An organization should comply with all relevant legal requirements applicable to its monitoring and logging activities; System monitoring should be used to check the effectiveness of controls adopted and to verify conformity to an access policy model.An organization should recognize th

33、at deploying IDPS is not a sole and/or exhaustive solution to satisfy or meet the above-cited requirements. Furthermore, this International Standard is not intended as criteria for any kind of conformity assessments, e.g., information security management system (ISMS) certification, IDPS services or

34、 products certification.vi ISO/IEC 2015 All rights reservedBS ISO/IEC 27039:2015Information technology Security techniques Selection, deployment and operations of intrusion detection systems (IDPS)1 ScopeThis International Standard provides guidelines to assist organizations in preparing to deploy i

35、ntrusion detection and prevention systems (IDPS). In particular, it addresses the selection, deployment, and operations of IDPS. It also provides background information from which these guidelines are derived.2 Terms and definitionsFor the purposes of this document, the terms and definitions given i

36、n ISO/IEC 27000 and the following apply.2.1attackattempts to destroy, expose, alter, or disable information systems and/or information within it or otherwise breach the security policy2.2attack signaturesequence of computing activities or alterations that are used to execute an attack and which are

37、also used by an IDPS to discover that an attack has occurred and often is determined by the examination of network traffic or host logsNote 1 to entry: This can also be referred to as an attack pattern.2.3attestationvariant of public-key encryption that lets IDPS software programs and devices authen

38、ticate their identity to remote partiesNote 1 to entry: See remote attestation (2.23).2.4bridgenetwork equipment that transparently connects a local area network (LAN) at OSI layer 2 to another LAN that uses the same protocol2.5cryptographic hash valuemathematical value that is assigned to a file an

39、d used to “test” the file at a later date to verify that the data contained in the file has not been maliciously changed2.6denial-of-serviceDoSunauthorized access to a system resource or the delaying of system operations and functions, with resultant loss of availability to authorized usersSOURCE: I

40、SO/IEC 27033-1:2009INTERNATIONAL STANDARD ISO/IEC 27039:2015(E) ISO/IEC 2015 All rights reserved 1BS ISO/IEC 27039:2015ISO/IEC 27039:2015(E)2.7distributed denial-of-service attackDDoSunauthorized access to a system resource or the delaying of system operations and functions in the way of compromisin

41、g multiple systems to flood the bandwidth or resources of the targeted system, with resultant loss of availability to authorized users2.8demilitarized zoneDMZlogical and physical network space between the perimeter router and the exterior firewallNote 1 to entry: The DMZ can be between networks and

42、under close observation but does not have to be so.Note 2 to entry: They are generally unsecured areas containing bastion hosts that provide public services.2.9exploitdefined way to breach the security of information systems through vulnerability2.10firewalltype of barrier placed between network env

43、ironments consisting of a dedicated device or a composite of several components and techniques through which all traffic from one network environment traverses to another, and vice versa, and only authorized traffic as defined by the local security policy is allowed to passSOURCE: ISO/IEC 27033-1:20

44、092.11false positiveIDPS alert when there is no attack2.12false negativeno IDPS alert when there is an attack2.13honeypotgeneric term for a decoy system used to deceive, distract, divert, and encourage the attacker to spend time on information that appears to be very valuable, but actually is fabric

45、ated and would not be of interest to a legitimate user2.14hostaddressable system or computer in TCP/IP-based networks like the Internet2.15intruderindividual who is conducting, or has conducted, an intrusion or attack against a victims host, site, network, or organization2.16intrusionunauthorized ac

46、cess to a network or a network-connected system, that is, deliberate or accidental unauthorized access to information systems, to include malicious activity against information systems, or unauthorized use of resources within information systems2 ISO/IEC 2015 All rights reservedBS ISO/IEC 27039:2015

47、ISO/IEC 27039:2015(E)2.17intrusion detectionformal process of detecting intrusions, generally characterized by gathering knowledge about abnormal usage patterns, as well as what, how, and which vulnerability has been exploited to include how and when it occurred2.18intrusion detection systemIDSinfor

48、mation systems used to identify that an intrusion has been attempted, is occurring, or has occurred2.19intrusion prevention systemIPSvariant on intrusion detection systems that are specifically designed to provide an active response capability2.20intrusion detection and prevention systemIDPSintrusio

49、n detection systems (IDPS) and intrusion prevention systems (IPS) software applications or appliances that monitor systems for malicious activities, where IDS focus is to only alert on the discovery of such activity while IPS have the potent to prevent some intrusions upon detectionNote 1 to entry: IPS is deployed actively in the network if attack prevention is desired. If deployed in passive mode, it will not offer such functionality and effectively function as a regular IDS by providing alerts only.2.21penetrationunauth