1、 Collection of SANS standards in electronic format (PDF) 1. Copyright This standard is available to staff members of companies that have subscribed to the complete collection of SANS standards in accordance with a formal copyright agreement. This document may reside on a CENTRAL FILE SERVER or INTRA
2、NET SYSTEM only. Unless specific permission has been granted, this document MAY NOT be sent or given to staff members from other companies or organizations. Doing so would constitute a VIOLATION of SABS copyright rules. 2. Indemnity The South African Bureau of Standards accepts no liability for any
3、damage whatsoever than may result from the use of this material or the information contain therein, irrespective of the cause and quantum thereof. ISBN 978-0-626-22053-2 SANS 18043:2009 Edition 1 ISO/IEC 18043:2006 Edition 1 SOUTH AFRICAN NATIONAL STANDARD Information technology Security techniques
4、Selection, deployment and operations of intrusion detection systems This national standard is the identical implementation of ISO/IEC 18043:2006 and is adopted with the permission of the International Organization for Standardization and the International Electrotechnical Commission. Published by SA
5、BS Standards Division 1 Dr Lategan Road Groenkloof envelopeback Private Bag X191 Pretoria 0001 Tel: +27 12 428 7911 Fax: +27 12 344 1568 www.sabs.co.za SABS SANS 18043:2009 Edition 1 ISO/IEC 18043:2006 Edition 1 Table of changes Change No. Date Scope National foreword This South African standard was
6、 approved by National Committee SABS SC 71F, Information technology Information security, in accordance with procedures of the SABS Standards Division, in compliance with annex 3 of the WTO/TBT agreement. This SANS document was published in June 2009. Reference numberISO/IEC 18043:2006(E)ISO/IEC 200
7、6INTERNATIONAL STANDARD ISO/IEC18043First edition2006-06-15Information technology Security techniques Selection, deployment and operations of intrusion detection systemsTechnologies de linformation Techniques de scurit Slection, dploiement et oprations des systmes de dtection dintrusion SANS 18043:2
8、009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO/IEC 18043:2006(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unles
9、s the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark
10、of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
11、the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. ISO/IEC 2006 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical,
12、including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Pu
13、blished in Switzerland ii ISO/IEC 2006 All rights reservedSANS 18043:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO/IEC 18043:2006(E) ISO/IEC 2006 All rights reserved iiiContents Page Foreword iv Introduction v 1 Scope 1 2 Terms and
14、definitions .1 3 Background4 4 General5 5 Selection .6 5.1 Information Security Risk Assessment.7 5.2 Host or Network IDS 7 5.3 Considerations.7 5.4 Tools that complement IDS 13 5.5 Scalability .17 5.6 Technical support17 5.7 Training.17 6 Deployment 18 6.1 Staged Deployment .18 7 Operations 22 7.1
15、IDS Tuning22 7.2 IDS Vulnerabilities .22 7.3 Handling IDS Alerts .22 7.4 Response Options .25 7.5 Legal Considerations 26 Annex A (informative) Intrusion Detection System (IDS): Framework and Issues to be Considered 27 A.1 Introduction to Intrusion Detection27 A.2 Types of intrusions and attacks.28
16、A.3 Generic Model of Intrusion Detection Process.29 A.4 Types of IDS .35 A.5 Architecture38 A.6 Management of an IDS 39 A.7 Implementation and Deployment Issues.42 A.8 Intrusion Detection Issues44 Bibliography 46 SANS 18043:2009This s tandard may only be used and printed by approved subscription and
17、 freemailing clients of the SABS .ISO/IEC 18043:2006(E) iv ISO/IEC 2006 All rights reservedForeword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are mem
18、bers of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international or
19、ganizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/
20、IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75
21、 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. ISO/IEC 18043 was prepared by Joint Technical Committee ISO
22、/IEC JTC 1 Information technology, Subcommittee SC 27, IT Security techniques. Legal notice The National Institute of Standards and Technology (NIST), hereby grant non-exclusive license to ISO/IEC to use the NIST Special Publication on Intrusion Detection Systems (SP800-31) in the development of the
23、 ISO/IEC 18043 International Standard. However, the NIST retains the right to use, copy, distribute, or modify the SP800-31 as they see fit. SANS 18043:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO/IEC 18043:2006(E) ISO/IEC 2006 All
24、 rights reserved vIntroduction Organizations should not only know when, if, and how an intrusion of their network, system or application occurs, they also should know what vulnerability was exploited and what safeguards or appropriate risk treatment options (i.e. risk transfer, risk acceptance, risk
25、 avoidance) should be implemented to prevent similar intrusions in the future. Organizations should also recognize and deflect cyber-based intrusions. This requires an analysis of host and network traffic and/or audit trails for attack signatures or specific patterns that usually indicate malicious
26、or suspicious intent. In the mid-1990s, organizations began to use Intrusion Detection Systems (IDS) to fulfil these needs. The general use of IDS continues to expand with a wider range of IDS products being made available to satisfy an increasing level of organizational demands for advanced intrusi
27、on detection capability. In order for an organization to derive the maximum benefits from IDS, the process of IDS selection, deployment, and operations should be carefully planned and implemented by properly trained and experienced personnel. In the case where this process is achieved, then IDS prod
28、ucts can assist an organization in obtaining intrusion information and can serve as an important security device within the overall information and communications technology (ICT) infrastructure. This International Standard provides guidelines for effective IDS selection, deployment and operation, a
29、s well as fundamental knowledge about IDS. It is also applicable to those organizations that are considering outsourcing their intrusion detection capabilities. Information about outsourcing service level agreements can be found in the IT Service Management (ITSM) processes based on ISO/IEC 20000. S
30、ANS 18043:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .SANS 18043:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .INTERNATIONAL STANDARD ISO/IEC 18043:2006(E) ISO/IEC 2006 A
31、ll rights reserved 1Information technology Security techniques Selection, deployment and operations of intrusion detection systems 1 Scope This International Standard provides guidelines to assist organizations in preparing to deploy Intrusion Detection System (IDS). In particular, it addresses the
32、selection, deployment and operations of IDS. It also provides background information from which these guidelines are derived. This International Standard is intended to be helpful to a) an organization in satisfying the following requirements of ISO/IEC 27001: The organization shall implement proced
33、ures and other controls capable of enabling prompt detection of and response to security incidents. The organization shall execute monitoring and review procedures and other controls to properly identify attempted and successful security breaches and incidents. b) an organization in implementing con
34、trols that meet the following security objectives of ISO/IEC 17799: To detect unauthorized information processing activities. Systems should be monitored and information security events should be recorded. Operator logs and fault logging should be used to ensure information system problems are ident
35、ified. An organization should comply with all relevant legal requirements applicable to its monitoring and logging activities. System monitoring should be used to check the effectiveness of controls adopted and to verify conformity to an access policy model. An organization should recognize that dep
36、loying IDS is not a sole and/or exhaustive solution to satisfy or meet the above-cited requirements. Furthermore, this International Standard is not intended as criteria for any kind of conformity assessments, e.g., Information Security Management System (ISMS) certification, IDS services or product
37、s certification. 2 Terms and definitions For the purposes of this document, the following terms and definitions apply. 2.1 attack attempts to destroy, expose, alter, or disable an Information System and/or information within it or otherwise breach the security policy SANS 18043:2009This s tandard ma
38、y only be used and printed by approved subscription and freemailing clients of the SABS .ISO/IEC 18043:2006(E) 2 ISO/IEC 2006 All rights reserved2.2 attack signature sequence of computer activities or alterations that are used to execute an attack and which are also used by an IDS to discover that a
39、n attack has occurred and often is determined by the examination of network traffic or host logs NOTE This may also be referred to as an attack pattern. 2.3 attestation variant of public-key encryption that lets IDS software programs and devices authenticate their identity to remote parties. NOTE Se
40、e Clause 2.21, Remote attestation. 2.4 bridge network equipment that transparently connects a local area network (LAN) at OSI layer 2 to another LAN that uses the same protocol 2.5 cryptographic hash value mathematical value that is assigned to a file and used to “test” the file at a later date to v
41、erify that the data contained in the file has not been maliciously changed 2.6 DoS (Denial-of-Service) attack prevention of authorized access to a system resource or the delaying of system operations and functions ISO/IEC 18028-1 2.7 Demilitarized Zone DMZ logical and physical network space between
42、the perimeter router and the exterior firewall NOTE 1 The DMZ may be between networks and under close observation but does not have to be so. NOTE 2 They are generally unsecured areas containing bastion hosts that provide public services. 2.8 exploit defined way to breach the security of an Informat
43、ion System through vulnerability 2.9 firewall type of security gateway or barrier placed between network environments consisting of a dedicated device or a composite of several components and techniques through which all traffic from one network environment to another, and vice versa, traverses and
44、only authorized traffic is allowed to pass ISO/IEC 18028-1 2.10 false positive IDS alert when there is no attack 2.11 false negative no IDS alert when there is an attack SANS 18043:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO/IEC 1
45、8043:2006(E) ISO/IEC 2006 All rights reserved 32.12 host addressable system or computer in TCP/IP based networks like the Internet 2.13 intruder individual who is conducting, or has conducted, an intrusion or attack against a victims host, site, network, or organization 2.14 intrusion unauthorized a
46、ccess to a network or a network-connected system, i.e. deliberate or accidental unauthorized access to an information system, to include malicious activity against an information system, or unauthorized use of resources within an information system 2.15 intrusion detection formal process of detectin
47、g intrusions, generally characterized by gathering knowledge about abnormal usage patterns as well as what, how, and which vulnerability has been exploited to include how and when it occurred 2.16 intrusion detection system IDS information system used to identify that an intrusion has been attempted
48、, is occurring, or has occurred and possibly respond to intrusions in Information Systems and networks 2.17 intrusion prevention system IPS variant on intrusion detection systems that are specifically designed to provide an active response capability 2.18 honeypot generic term for a decoy system use
49、d to deceive, distract, divert and to encourage the attacker to spend time on information that appears to be very valuable, but actually is fabricated and would not be of interest to a legitimate user 2.19 penetration unauthorized act of bypassing the security mechanisms of an Information System 2.20 provisioning process of remotely searching for new software updates from a vendors website and downloading authenticated updates 2.21 remote attestation processes of using digital certificates to ensure
