1、 Collection of SANS standards in electronic format (PDF) 1. Copyright This standard is available to staff members of companies that have subscribed to the complete collection of SANS standards in accordance with a formal copyright agreement. This document may reside on a CENTRAL FILE SERVER or INTRA
2、NET SYSTEM only. Unless specific permission has been granted, this document MAY NOT be sent or given to staff members from other companies or organizations. Doing so would constitute a VIOLATION of SABS copyright rules. 2. Indemnity The South African Bureau of Standards accepts no liability for any
3、damage whatsoever than may result from the use of this material or the information contain therein, irrespective of the cause and quantum thereof. ISBN 978-0-626-22051-8 SANS 18028-4:2009Edition 1 ISO/IEC 18028-4:2Edition 1 005 SOUTH AFRICAN NATIONAL STANDARD Information technology Security techniqu
4、es IT network security Part 4: Securing remote access This national standard is the identical implementation of ISO/IEC 18028-4:2005 and is adopted with the permission of the International Organization for Standardization and the International Electrotechnical Commission. Published by SABS Standards
5、 Division 1 Dr Lategan Road Groenkloof Private Bag X191 Pretoria 0001 Tel: +27 12 428 7911 Fax: +27 12 344 1568 www.sabs.co.za SABS This standard may only be used and printed by approved subscription and freemailing clients of the SABS.SANS 18028-4:2009 Edition 1 ISO/IEC 18028-4:2005 Edition 1 Table
6、 of changes Change No. Date Scope National foreword This South African standard was approved by National Committee SABS SC 71F, Information technology Information security, in accordance with procedures of the SABS Standards Division, in compliance with annex 3 of the WTO/TBT agreement. This SANS do
7、cument was published in March 2009. This standard may only be used and printed by approved subscription and freemailing clients of the SABS. Reference number ISO/IEC 18028-4:2005(E) ISO/IEC 2005INTERNATIONAL STANDARD ISO/IEC 18028-4 First edition 2005-04-01 Information technology Security techniques
8、 IT network security Part 4: Securing remote access Technologies de linformation Techniques de scurit Scurit de rseaux TI Partie 4: Tlaccs de la scurit SANS 18028-4:2009This standard may only be used and printed by approved subscription and freemailing clients of the SABS.ISO/IEC 18028-4:2005(E) PDF
9、 disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, par
10、ties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative
11、 to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. ISO/IEC 2
12、005 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the co
13、untry of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2005 All rights reservedSANS 18028-4:2009This standard may only be used and printed by approved subs
14、cription and freemailing clients of the SABS.ISO/IEC 18028-4:2005(E) ISO/IEC 2005 All rights reserved iiiContents Page Foreword. v Introduction . vi 1 Scope 1 2 Terms, definitions and abbreviated terms 1 3 Aim 5 4 Overview 6 5 Security requirements 7 6 Types of remote access connection . 8 7 Techniq
15、ues of remote access connection . 9 7.1 General. 9 7.2 Access to communications servers 9 7.3 Access to LAN resources. 13 7.4 Access for maintenance. 14 8 Guidelines for selection and configuration14 8.1 General. 14 8.2 Protecting the RAS client. 15 8.3 Protecting the RAS server 16 8.4 Protecting th
16、e connection 17 8.5 Wireless security. 18 8.6 Organizational measures . 19 8.7 Legal considerations 20 9 Conclusion. 20 Annex A (informative) Sample remote access security policy 21 A.1 Purpose 21 A.2 Scope 21 A.3 Policy 21 A.4 Enforcement 22 A.5 Terms and definitions. 23 Annex B (informative) RADIU
17、S implementation and deployment best practices 24 B.1 General. 24 B.2 Implementation best practices 24 B.3 Deployment best practices 25 Annex C (informative) The two modes of FTP. 27 C.1 PORT-mode FTP 27 C.2 PASV-mode FTP 27 Annex D (informative) Checklists for secure mail service . 29 D.1 Mail serv
18、er operating system checklist 29 D.2 Mail server and content security checklist. 30 D.3 Network infrastructure checklist . 31 D.4 Mail client security checklist 32 D.5 Secure administration of mail server checklist . 32 Annex E (informative) Checklists for secure web services 34 E.1 Web server opera
19、ting system checklist .34 E.2 Secure web server installation and configuration checklist 35 E.3 Web content checklist 36 SANS 18028-4:2009This standard may only be used and printed by approved subscription and freemailing clients of the SABS.ISO/IEC 18028-4:2005(E) iv ISO/IEC 2005 All rights reserve
20、dE.4 Web authentication and encryption checklist37 E.5 Network infrastructure checklist .37 E.6 Secure web server administration checklist 38 Annex F (informative) Wireless LAN security checklist40 Bibliography42 SANS 18028-4:2009This standard may only be used and printed by approved subscription an
21、d freemailing clients of the SABS.ISO/IEC 18028-4:2005(E) ISO/IEC 2005 All rights reserved vForeword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are me
22、mbers of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international o
23、rganizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO
24、/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 7
25、5 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 18028-4 was prepared by Joint Technical Co
26、mmittee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. ISO/IEC 18028 consists of the following parts, under the general title Information technology Security techniques IT network security: Part 2: Network security architecture Part 3: Securing communications betw
27、een networks using security gateways Part 4: Securing remote access Network security management and securing communications between networks using Virtual Private Networks will form the subjects of the future Parts 1 and 5, respectively. SANS 18028-4:2009This standard may only be used and printed by
28、 approved subscription and freemailing clients of the SABS.ISO/IEC 18028-4:2005(E) vi ISO/IEC 2005 All rights reservedIntroduction In Information Technology there is an ever increasing need to use networks within organizations and between organizations. Requirements have to be met to use networks se
29、curely. The area of remote access to a network requires specific measures when IT security should be in place. This part of ISO/IEC 18028 provides guidance for accessing networks remotely either for using email, file transfer or simply working remotely. SANS 18028-4:2009This standard may only be use
30、d and printed by approved subscription and freemailing clients of the SABS.INTERNATIONAL STANDARD ISO/IEC 18028-4:2005(E) ISO/IEC 2005 All rights reserved 1Information technology Security techniques IT network security Part 4: Securing remote access 1 Scope This part of ISO/IEC 18028 provides guidan
31、ce for securely using remote access a method to remotely connect a computer either to another computer or to a network using public networks and its implication for IT security. In this it introduces the different types of remote access including the protocols in use, discusses the authentication is
32、sues related to remote access and provides support when setting up remote access securely. It is intended to help network administrators and technicians who plan to make use of this kind of connection or who already have it in use and need advice on how to set it up securely and operate it securely.
33、 2 Terms, definitions and abbreviated terms For the purposes of this document, the following terms, definitions and abbreviated terms apply. 2.1 Access Point AP the system providing access from a wireless network to a terrestrial network 2.2 Advanced Encryption Standard AES a symmetric encryption me
34、chanism providing variable key length and allowing an efficient implementation specified as Federal Information Processing Standard (FIPS) 197 2.3 authentication the provision of assurance of the claimed identity of an entity. In case of user authentication, users are identified either by knowledge
35、(e.g., password), by possession (e.g., token) or by a personal characteristic (biometrics). Strong authentication is either based on strong mechanisms (e.g., biometrics) or makes use of at least two of these factors (so-called multi-factor authentication). 2.4 call-back a mechanism to place a call t
36、o a pre-defined or proposed location (and address) after receiving valid ID parameters 2.5 Challenge-Handshake Authentication Protocol CHAP a three-way authentication protocol defined in RFC 1994 SANS 18028-4:2009This standard may only be used and printed by approved subscription and freemailing cli
37、ents of the SABS.ISO/IEC 18028-4:2005(E) 2 ISO/IEC 2005 All rights reserved2.6 Data Encryption Standard DES a well-known symmetric encryption mechanism using a 56 bit key. Due to its short key length DES was replaced by the AES, but is still used in multiple encryption mode, e.g., 3DES or Triple DES
38、 (FIPS 46-3). 2.7 de-militarised zone DMZ a separated area of a local or site network whose access is controlled by a specific policy using firewalls. A DMZ is not part of the internal network and is considered less secure. 2.8 Denial of Service DoS an attack against a system to deter its availabili
39、ty 2.9 Digital Subscriber Line DSL a technology providing fast access to networks over local telecommunications loops 2.10 Dynamic Host Control Protocol DHCP an Internet protocol that dynamically provides IP addresses at start up (RFC 2131) 2.11 Encapsulating Security Payload ESP an IP-based protoco
40、l providing confidentiality services for data. Specifically, ESP provides encryption as a security service to protect the data content of the IP packet. ESP is an Internet standard (RFC 2406). 2.12 Extensible Authentication Protocol EAP an authentication protocol supported by RADIUS and standardised
41、 by the IETF in RFC 2284 2.13 File Transfer Protocol FTP an Internet standard (RFC 959) for transferring files between a client and a server 2.14 Internet Engineering Task Force IETF the group responsible for proposing and developing technical Internet standards 2.15 Internet Message Access Protocol
42、 v4 IMAP4 an email protocol which allows accessing and administering emails and mailboxes located on a remote email server (defined in RFC 2060) 2.16 Local Area Network LAN a local network, usually within a building SANS 18028-4:2009This standard may only be used and printed by approved subscription
43、 and freemailing clients of the SABS.ISO/IEC 18028-4:2005(E) ISO/IEC 2005 All rights reserved 32.17 modem hardware or software that modulates digital signals into analogue ones and vice versa (demodulation) for the purpose of using telephone protocols as a computer protocol 2.18 Multipurpose Interne
44、t Mail Extensions MIME a method allowing the transfer of multimedia and binary data via email; it is specified in RFC 2045 to RFC 2049 2.19 Network Access Server NAS a system, normally a computer, which provides access to an infrastructure for remote clients 2.20 one-time password OTP a password onl
45、y used once thus countering replay attacks 2.21 Passive mode PASV mode an FTP connection establishment mode 2.22 Password Authentication Protocol PAP an authentication protocol provided for PPP (RFC 1334) 2.23 Personal Digital Assistant PDA usually a handheld computer (palmtop computer) 2.24 Point-t
46、o-Point Protocol PPP a standard method for encapsulating network layer protocol information over point-to-point links (RFC 1334) 2.25 Post Office Protocol v3 POP3 an email protocol defined in RFC 1939 which allows a mail client to retrieve email stored on the email server 2.26 Pretty Good Privacy PG
47、P a publicly available encryption software program based on public key cryptography. The message formats are specified in RFC 1991 and RFC 2440. 2.27 Private Branch Exchange PBX usually a computer-based digital telephone switch for an enterprise SANS 18028-4:2009This standard may only be used and pr
48、inted by approved subscription and freemailing clients of the SABS.ISO/IEC 18028-4:2005(E) 4 ISO/IEC 2005 All rights reserved2.28 Remote Access Dial-in User Service RADIUS an Internet Security protocol (RFC 2138 and RFC 2139) for authenticating remote users 2.29 Remote Access Service RAS usually har
49、dware and software to provide remote access 2.30 remote access authorized access to a system from outside of a security domain 2.31 Request for Comment RFC the title for Internet standards proposed by the IETF 2.32 Secure Shell SSH a protocol that provides secure remote login utilising an insecure network. SSH is proprietary but will become an IETF standard in the near future. SSH was originally developed by SSH Communications Security. 2.33 Secure Sockets Layer SSL a protocol located between the
