1、BSI Standards Publication BS ISO/IEC 27033-1:2015 Information technology Security techniques Network security Part 1: Overview and conceptsBS ISO/IEC 27033-1:2015 BRITISH STANDARD National foreword This British Standard is the UK implementation of ISO/IEC 27033-1:2015. It supersedes BS ISO/IEC 27033
2、-1:2009 which is withdrawn. The UK participation in its preparation was entrusted to Technical Committee IST/33/-/4, IT Security Techniques - Security Controls and Ser. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purpor
3、t to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2015. Published by BSI Standards Limited 2015 ISBN 978 0 580 81999 5 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligatio
4、ns. This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 August 2015. Amendments issued since publication Date Text affectedBS ISO/IEC 27033-1:2015 Information technology Security techniques Network security Part 1: Overview and concepts Techno
5、logies de linformation Techniques de scurit Scurit de rseau Partie 1: Vue densemble et concepts INTERNATIONAL STANDARD ISO/IEC 27033-1 Reference number ISO/IEC 27033-1:2015(E) Second edition 2015-08-15 ISO/IEC 2015 BS ISO/IEC 27033-1:2015ii ISO/IEC 2015 All rights reserved COPYRIGHT PROTECTED DOCUME
6、NT ISO/IEC 2015, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior writt
7、en permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 27
8、033-1:2015(E)BS ISO/IEC 27033-1:2015ISO/IEC 27033-1:2015(E)Foreword v Introduction vi 1 Scope . 1 2 Normative references 1 3 T erms and definitions . 2 4 Symbols and abbreviated terms . 6 5 Structure . 8 6 Overview 10 6.1 Background .10 6.2 Network security planning and management.11 7 Identifying r
9、isks and preparing to identify security controls 13 7.1 Introduction .13 7.2 Information on current and/or planned networking .13 7.2.1 Security requirements in corporate information security policy .13 7.2.2 Information on current/planned networking .14 7.3 Information security risks and potential
10、control areas 18 8 Supporting controls 21 8.1 Introduction .21 8.2 Management of network security 21 8.2.1 Background21 8.2.2 Network security management activities .21 8.2.3 Network security roles and responsibilities .23 8.2.4 Network monitoring 24 8.2.5 Evaluating network security .25 8.3 Technic
11、al vulnerability management .25 8.4 Identification and authentication 25 8.5 Network audit logging and monitoring 26 8.6 Intrusion detection and prevention .27 8.7 Protection against malicious code 28 8.8 Cryptographic based services .28 8.9 Business continuity management .29 9 Guidelines for the de
12、sign and implementation of network security 30 9.1 Background .30 9.2 Network technical security architecture/design .30 10 Reference network scenarios Risks, design, techniques and control issues 32 10.1 Introduction .32 10.2 Internet access services for employees 33 10.3 Enhanced collaboration ser
13、vices .33 10.4 Business to business services .33 10.5 Business to customer services .34 10.6 Outsourced services 34 10.7 Network segmentation .34 10.8 Mobile communication .34 10.9 Networking support for travelling users .35 10.10 Networking support for home and small business offices .35 11 Technol
14、ogy topics Risks, design techniques and control issues 35 12 Develop and test security solution .36 13 Operate security solution .36 ISO/IEC 2015 All rights reserved iii Contents PageBS ISO/IEC 27033-1:2015ISO/IEC 27033-1:2015(E)14 Monitor and review solution implementation .37 Annex A (informative)
15、 Cross-references between ISO/IEC 27001/27002 network security related controls and ISO/IEC 27033-1 clauses/subclauses 38 Annex B (informative) Example template for a SecOPs document.42 Bibliography .47 iv ISO/IEC 2015 All rights reservedBS ISO/IEC 27033-1:2015ISO/IEC 27033-1:2015(E) Foreword ISO (t
16、he International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees
17、established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. I
18、n the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria n
19、eeded for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent ri
20、ghts. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name u
21、sed in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical
22、Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Security techniques. This second edition cancels and replaces the first edition (ISO/IEC 27033-1:2009), which
23、have been technically revised. ISO/IEC 27033 consists of the following parts, under the general title Information technology Security techniques Network security: Part 1: Overview and concepts Part 2: Guidelines for the design and implementation of network security Part 3: Reference networking scena
24、rios Threats, design techniques and control issues Part 4: Securing communications between networks using security gateways Part 5: Securing communications across networks using Virtual Private Networks (VPNs) Part 6: Securing wireless IP network access ISO/IEC 2015 All rights reserved vBS ISO/IEC 2
25、7033-1:2015ISO/IEC 27033-1:2015(E) Introduction In todays world, the majority of both commercial and government organizations have their information systems connected by networks (see Figure 1), with the network connections being one or more of the following: within the organization, between differe
26、nt organizations, between the organization and the general public. Network A 1 Network A 3 Network A 2 Public Network Private Network Network B 1 Network B 2 Network C 1 Organization A Organization B Organization C General Public Figure 1 Broad types of network connection Further, with the rapid dev
27、elopments in publicly available network technology (in particular with the Internet) offering significant business opportunities, organizations are increasingly conducting electronic business on a global scale and providing online public services. The opportunities include the provision of lower cos
28、t data communications, using the Internet simply as a global connection medium, through to more sophisticated services provided by Internet service providers (ISPs). This can mean the use of relatively low cost local attachment points at each end of a circuit to full scale online electronic trading
29、and service delivery systems, using web-based applications and services. Additionally, the new technology (including the integration of data, voice and video) increases the opportunities for remote working (also known as “teleworking” or “telecommuting”) that enable personnel to operate away from th
30、eir homework base for significant periods of time. They are able to keep in contact through the use of remote facilities to access organization and community networks and related business support information and services. However, whilst this environment does facilitate significant business benefits
31、, there are new security risks to be managed. With organizations relying heavily on the use of information and associated networks to conduct their business, the loss of confidentiality, integrity, and availability of information and services could have significant adverse impacts on business operat
32、ions. Thus, there is a major vi ISO/IEC 2015 All rights reservedBS ISO/IEC 27033-1:2015ISO/IEC 27033-1:2015(E) requirement to properly protect networks and their related information systems and information. In other words: implementing and maintaining adequate network security is absolutely critical
33、 to the success of any organizations business operations. In this context, the telecommunications and information technology industries are seeking cost- effective comprehensive security solutions, aimed at protecting networks against malicious attacks and inadvertent incorrect actions, and meeting
34、the business requirements for confidentiality, integrity, and availability of information and services. Securing a network is also essential for maintaining the accuracy of billing or usage information as appropriate. Security capabilities in products are crucial to overall network security (includi
35、ng applications and services). However, as more products are combined to provide total solutions, the interoperability, or the lack thereof, will define the success of the solution. Security must not only be a thread of concern for each product or service, but must be developed in a manner that prom
36、otes the interweaving of security capabilities in the overall security solution. The purpose of this International Standard is to provide detailed guidance on the security aspects of the management, operation and use of information system networks, and their inter-connections. Those individuals with
37、in an organization that are responsible for information security in general, and network security in particular, should be able to adapt the material in this International Standard to meet their specific requirements. Its main objectives are as follows. ISO/IEC 27033-1, to define and describe the co
38、ncepts associated with, and provide management guidance on, network security. This includes the provision of an overview of network security and related definitions, and guidance on how to identify and analyse network security risks and then define network security requirements. It also introduces h
39、ow to achieve good quality technical security architectures, and the risk, design and control aspects associated with typical network scenarios and network “technology” areas (which are dealt with in detail in subsequent parts of ISO/IEC 27033). ISO/IEC 27033-2, to define how organizations should ac
40、hieve quality network technical security architectures, designs and implementations that will ensure network security appropriate to their business environments, using a consistent approach to the planning, design and implementation of network security, as relevant, aided by the use of models/framew
41、orks (in this context, a model/framework is used to outline a representation or description showing the structure and high level workings of a type of technical security architecture/design), and is relevant to all personnel who are involved in the planning, design and implementation of the architec
42、tural aspects of network security (for example network architects and designers, network managers, and network security officers). ISO/IEC 27033-3, to define the specific risks, design techniques and control issues associated with typical network scenarios. It is relevant to all personnel who are in
43、volved in the planning, design and implementation of the architectural aspects of network security (for example, network architects and designers, network managers, and network security officers). ISO/IEC 27033-4, to define the specific risks, design techniques and control issues for securing inform
44、ation flows between networks using security gateways. It is relevant to all personnel who are involved in the detailed planning, design and implementation of security gateways (for example, network architects and designers, network managers, and network security officers). ISO/IEC 27033-5, to define
45、 the specific risks, design techniques and control issues for securing connections that are established using Virtual Private Networks (VPNs). It is relevant to all personnel who are involved in the detailed planning, design and implementation of VPN security (for example, network architects and des
46、igners, network managers, and network security officers). ISO/IEC 27033-6, to define the specific risks, design techniques and control issues for securing IP wireless networks. It is relevant to all personnel who are involved in the detailed planning, design and implementation of security for wirele
47、ss networks (for example, network architects and designers, network managers, and network security officers). It is emphasized that this International Standard provides further detailed implementation guidance on the network security controls that are described at a basic standardized level in ISO/I
48、EC 27002. ISO/IEC 2015 All rights reserved viiBS ISO/IEC 27033-1:2015ISO/IEC 27033-1:2015(E) It should be noted that this International Standard is not a reference or normative document for regulatory and legislative security requirements. Although it emphasizes the importance of these influences, i
49、t cannot state them specifically, since they are dependent on the country, the type of business, etc. Unless otherwise stated, throughout this part of ISO/IEC 27033 the guidance referenced is applicable to current and/or planned networks, but will only be referenced as “networks” or “the network”.viii ISO/IEC 2015 All rights reservedBS ISO/IEC 27033-1:2015Information technology Security techniques Network security Part 1: Overview and concepts 1