1、BRITISH STANDARD BS ISO/IEC 18028-4:2005 Information technology Security techniques IT network security Part 4: Securing remote access ICS 35.040 BS ISO/IEC 18028-4:2005 This British Standard was published under the authority of the Standards Policy and Strategy Committee on 10 June 2005 BSI 10 June
2、 2005 ISBN 0 580 45922 5 National foreword This British Standard reproduces verbatim ISO/IEC 18028-4:2005 and implements it as the UK national standard. The UK participation in its preparation was entrusted to Technical Committee IST/33, Information technology Security techniques, which has the resp
3、onsibility to: A list of organizations represented on this committee can be obtained on request to its secretary. Cross-references The British Standards which implement international publications referred to in this document may be found in the BSI Catalogue under the section entitled “International
4、 Standards Correspondence Index”, or by using the “Search” facility of the BSI Electronic Catalogue or of British Standards Online. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. Compliance with a British St
5、andard does not of itself confer immunity from legal obligations. aid enquirers to understand the text; present to the responsible international/European committee any enquiries on the interpretation, or proposals for change, and keep UK interests informed; monitor related international and European
6、 developments and promulgate them in the UK. Summary of pages This document comprises a front cover, an inside front cover, the ISO/IEC title page, pages ii to vi, pages 1 to 43 and a back cover. The BSI copyright notice displayed in this document indicates when the document was last issued. Amendme
7、nts issued since publication Amd. No. Date CommentsReference number ISO/IEC 18028-4:2005(E) INTERNATIONAL STANDARD ISO/IEC 18028-4 First edition 2005-04-01 Information technology Security techniques IT network security Part 4: Securing remote access Technologies de linformation Techniques de scurit
8、Scurit de rseaux TI Partie 4: Tlaccs de la scurit BS ISO/IEC 18028-4:2005ii BS ISO/IEC 18028-4:2005iii Contents Page Foreword. v Introduction . vi 1 Scope 1 2 Terms, definitions and abbreviated terms 1 3 Aim 5 4 Overview 6 5 Security requirements 7 6 Types of remote access connection . 8 7 Technique
9、s of remote access connection .9 7.1 General. 9 7.2 Access to communications servers 9 7.3 Access to LAN resources. 13 7.4 Access for maintenance. 14 8 Guidelines for selection and configuration 14 8.1 General. 14 8.2 Protecting the RAS client. 15 8.3 Protecting the RAS server 16 8.4 Protecting the
10、connection 17 8.5 Wireless security. 18 8.6 Organizational measures . 19 8.7 Legal considerations 20 9 Conclusion. 20 Annex A (informative) Sample remote access security policy 21 A.1 Purpose 21 A.2 Scope 21 A.3 Policy 21 A.4 Enforcement 22 A.5 Terms and definitions. 23 Annex B (informative) RADIUS
11、implementation and deployment best practices 24 B.1 General. 24 B.2 Implementation best practices 24 B.3 Deployment best practices 25 Annex C (informative) The two modes of FTP. 27 C.1 PORT-mode FTP 27 C.2 PASV-mode FTP 27 Annex D (informative) Checklists for secure mail service . 29 D.1 Mail server
12、 operating system checklist 29 D.2 Mail server and content security checklist. 30 D.3 Network infrastructure checklist . 31 D.4 Mail client security checklist 32 D.5 Secure administration of mail server checklist .32 Annex E (informative) Checklists for secure web services 34 E.1 Web server operatin
13、g system checklist . 34 E.2 Secure web server installation and configuration checklist 35 E.3 Web content checklist 36 BS ISO/IEC 18028-4:2005iv E.4 Web authentication and encryption checklist37 E.5 Network infrastructure checklist .37 E.6 Secure web server administration checklist 38 Annex F (infor
14、mative) Wireless LAN security checklist40 Bibliography42 BS ISO/IEC 18028-4:2005v Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of I
15、SO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizatio
16、ns, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Direc
17、tives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the
18、 national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 18028-4 was prepared by Joint Technical Committee IS
19、O/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. ISO/IEC 18028 consists of the following parts, under the general title Information technology Security techniques IT network security: Part 2: Network security architecture Part 3: Securing communications between networ
20、ks using security gateways Part 4: Securing remote access Network security management and securing communications between networks using Virtual Private Networks will form the subjects of the future Parts 1 and 5, respectively. BS ISO/IEC 18028-4:2005vi Introduction In Information Technology there i
21、s an ever increasing need to use networks within organizations and between organizations. Requirements have to be met to use networks securely. The area of remote access to a network requires specific measures when IT security should be in place. This part of ISO/IEC 18028 provides guidance for acce
22、ssing networks remotely either for using email, file transfer or simply working remotely. BS ISO/IEC 18028-4:20051 Information technology Security techniques IT network security Part 4: Securing remote access 1 Scope This part of ISO/IEC 18028 provides guidance for securely using remote access a met
23、hod to remotely connect a computer either to another computer or to a network using public networks and its implication for IT security. In this it introduces the different types of remote access including the protocols in use, discusses the authentication issues related to remote access and provide
24、s support when setting up remote access securely. It is intended to help network administrators and technicians who plan to make use of this kind of connection or who already have it in use and need advice on how to set it up securely and operate it securely. 2 Terms, definitions and abbreviated ter
25、ms For the purposes of this document, the following terms, definitions and abbreviated terms apply. 2.1 Access Point AP the system providing access from a wireless network to a terrestrial network 2.2 Advanced Encryption Standard AES a symmetric encryption mechanism providing variable key length and
26、 allowing an efficient implementation specified as Federal Information Processing Standard (FIPS) 197 2.3 authentication the provision of assurance of the claimed identity of an entity. In case of user authentication, users are identified either by knowledge (e.g., password), by possession (e.g., to
27、ken) or by a personal characteristic (biometrics). Strong authentication is either based on strong mechanisms (e.g., biometrics) or makes use of at least two of these factors (so-called multi-factor authentication). 2.4 call-back a mechanism to place a call to a pre-defined or proposed location (and
28、 address) after receiving valid ID parameters 2.5 Challenge-Handshake Authentication Protocol CHAP a three-way authentication protocol defined in RFC 1994 BS ISO/IEC 18028-4:20052 2.6 Data Encryption Standard DES a well-known symmetric encryption mechanism using a 56 bit key. Due to its short key le
29、ngth DES was replaced by the AES, but is still used in multiple encryption mode, e.g., 3DES or Triple DES (FIPS 46-3). 2.7 de-militarised zone DMZ a separated area of a local or site network whose access is controlled by a specific policy using firewalls. A DMZ is not part of the internal network an
30、d is considered less secure. 2.8 Denial of Service DoS an attack against a system to deter its availability 2.9 Digital Subscriber Line DSL a technology providing fast access to networks over local telecommunications loops 2.10 Dynamic Host Control Protocol DHCP an Internet protocol that dynamically
31、 provides IP addresses at start up (RFC 2131) 2.11 Encapsulating Security Payload ESP an IP-based protocol providing confidentiality services for data. Specifically, ESP provides encryption as a security service to protect the data content of the IP packet. ESP is an Internet standard (RFC 2406). 2.
32、12 Extensible Authentication Protocol EAP an authentication protocol supported by RADIUS and standardised by the IETF in RFC 2284 2.13 File Transfer Protocol FTP an Internet standard (RFC 959) for transferring files between a client and a server 2.14 Internet Engineering Task Force IETF the group re
33、sponsible for proposing and developing technical Internet standards 2.15 Internet Message Access Protocol v4 IMAP4 an email protocol which allows accessing and administering emails and mailboxes located on a remote email server (defined in RFC 2060) 2.16 Local Area Network LAN a local network, usual
34、ly within a building BS ISO/IEC 18028-4:20053 2.17 modem hardware or software that modulates digital signals into analogue ones and vice versa (demodulation) for the purpose of using telephone protocols as a computer protocol 2.18 Multipurpose Internet Mail Extensions MIME a method allowing the tran
35、sfer of multimedia and binary data via email; it is specified in RFC 2045 to RFC 2049 2.19 Network Access Server NAS a system, normally a computer, which provides access to an infrastructure for remote clients 2.20 one-time password OTP a password only used once thus countering replay attacks 2.21 P
36、assive mode PASV mode an FTP connection establishment mode 2.22 Password Authentication Protocol PAP an authentication protocol provided for PPP (RFC 1334) 2.23 Personal Digital Assistant PDA usually a handheld computer (palmtop computer) 2.24 Point-to-Point Protocol PPP a standard method for encaps
37、ulating network layer protocol information over point-to-point links (RFC 1334) 2.25 Post Office Protocol v3 POP3 an email protocol defined in RFC 1939 which allows a mail client to retrieve email stored on the email server 2.26 Pretty Good Privacy PGP a publicly available encryption software progra
38、m based on public key cryptography. The message formats are specified in RFC 1991 and RFC 2440. 2.27 Private Branch Exchange PBX usually a computer-based digital telephone switch for an enterprise BS ISO/IEC 18028-4:20054 2.28 Remote Access Dial-in User Service RADIUS an Internet Security protocol (
39、RFC 2138 and RFC 2139) for authenticating remote users 2.29 Remote Access Service RAS usually hardware and software to provide remote access 2.30 remote access authorized access to a system from outside of a security domain 2.31 Request for Comment RFC the title for Internet standards proposed by th
40、e IETF 2.32 Secure Shell SSH a protocol that provides secure remote login utilising an insecure network. SSH is proprietary but will become an IETF standard in the near future. SSH was originally developed by SSH Communications Security. 2.33 Secure Sockets Layer SSL a protocol located between the n
41、etwork layer and the application layer provides authentication of clients and server and integrity and confidentiality services. SSL was developed by Netscape and builds the basis for TLS. 2.34 Security/Multipurpose Internet Mail Extensions S/MIME a protocol providing secure multipurpose mail exchan
42、ge. Its current version 3 consists of five parts: RFC 3369 and RFC 3370 define the message syntax, RFC 2631 to RFC 2633 define message specification, certificate handling and key agreement method. 2.35 Serial Line Internet Protocol SLIP a packet framing protocol specified in RFC 1055 for transferrin
43、g data using telephone lines (serial lines) 2.36 Service Set Identifier SSID an identifier for wireless access points, usually in the form of a name 2.37 Simple Mail Transfer Protocol SMTP an Internet protocol (RFC 821 and extensions) for sending mail to mail servers (outgoing) 2.38 Transport Layer
44、Security Protocol TLS the successor of SSL is an official Internet Protocol (RFC 2246) BS ISO/IEC 18028-4:20055 2.39 Uniform Resource Locator URL the address scheme for web services 2.40 Uninterruptible Power Supply UPS usually a battery-based system to protect devices against power outages, sags an
45、d surges 2.41 User Datagram Protocol UDP an Internet networking protocol for connectionless communications (RFC 768) 2.42 Virtual Private Network VPN a private network utilising shared networks. E.g., A network based on a cryptographic tunnelling protocol operating over another network infrastructur
46、e. 2.43 WiFi Protected Access WPA a specification for a security enhancement to provide confidentiality and integrity for wireless communications; it includes the temporal key implementation protocol (TKIP). WPA is the successor of WEP. 2.44 Wired Equivalent Privacy WEP a cryptographic protocol offe
47、ring stream cipher encryption with a key length of 128 bits; it is defined within the IEEE 802.11 Wireless LAN specifications 2.45 Wireless Fidelity WiFi a trademark provided by the WiFi Alliance promoting the use of wireless LAN equipment 2.46 Wireless LAN WLAN a network using radio frequencies. Th
48、e most common standards in use are IEEE 802.11b and 802.11g with up to 11 Mbps respectively 54 Mbps transfer rate utilising the 2,4 GHz frequency band. 3 Aim This part of ISO/IEC 18028 is intended to guide network administrators and IT security officers when confronted with the problems of securing
49、remote access. It provides information on the various types and techniques for remote access and helps the intended audience to identify adequate measures to protect remote access against identified threats. It may also provide help to users who intend to access their office remotely from their home office or when travelling. BS ISO/IEC 18028-4:20056 4 Overview Remote access enables a user to log on from a local computer to a remote computer or comp
