1、BS ISO/IEC 27033-6:2016 Information technology Security techniques Network security Part 6: Securing wireless IP network access BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06BS ISO/IEC 27033-6:2016 BRITISH STANDARD National foreword This British Standard is the UK
2、 implementation of ISO/IEC 27033-6:2016. The UK participation in its preparation was entrusted to Technical Committee IST/33/4, Security Controls and Services. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to incl
3、ude all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2016. Published by BSI Standards Limited 2016 ISBN 978 0 580 65103 8 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This
4、British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 June 2016. Amendments/corrigenda issued since publication Date T e x t a f f e c t e dBS ISO/IEC 27033-6:2016 Information technology Security techniques Network security Part 6: Securing wireless
5、IP network access Technologies de linformation Techniques de scurit Scurit de rseau Partie 6: Scurisation de laccs rseau IP sans fil INTERNATIONAL STANDARD ISO/IEC 27033-6 Reference number ISO/IEC 27033-6:2016(E) First edition 2016-06-01 ISO/IEC 2016 BS ISO/IEC 27033-6:2016ii ISO/IEC 2016 All rights
6、 reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2016, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet
7、 or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 cop
8、yrightiso.org www.iso.org ISO/IEC 27033-6:2016(E)BS ISO/IEC 27033-6:2016ISO/IEC 27033-6:2016(E)Foreword v Introduction vi 1 Scope . 1 2 Normative references 1 3 T erms and definitions . 1 4 Abbreviated terms 3 5 Structure . 5 6 Overview . 5 7 Security threats 8 7.1 General . 8 7.2 Unauthorized acces
9、s 8 7.3 Packet sniffing 8 7.4 Rogue wireless access point 9 7.5 Denial of service attack 9 7.6 Bluejacking 10 7.7 Bluesnarfing .10 7.8 Adhoc networks 10 7.9 Other threats 10 8 Security requirements .10 8.1 General 10 8.2 Confidentiality 11 8.3 Integrity .11 8.4 Availability .11 8.5 Authentication 11
10、 8.6 Authorization 12 8.7 Accountability (Non-repudiation).12 9 Security controls 12 9.1 General 12 9.2 Encryption control and implementation .13 9.3 Integrity evaluation14 9.4 Authentication 14 9.5 Access control .15 9.5.1 General.15 9.5.2 Permission control 16 9.5.3 Network-based control . .16 9.6
11、 Denial of service attack resilience .16 9.7 DMZ segregation via firewall protection .16 9.8 Vulnerability management though secure configurations and hardening of devices 16 9.9 Continuous monitoring of wireless networks 17 10 Security design techniques and considerations .17 10.1 General 17 10.2 W
12、i-Fi 18 10.2.1 General.18 10.2.2 User authentication 18 10.2.3 Confidentiality and integrity 19 10.2.4 Wireless Wi-Fi technologies .19 10.2.5 Other Wi-Fi Configurations .19 10.2.6 Access control User equipment 19 10.2.7 Access control Infrastructure access point .20 10.2.8 Availability21 ISO/IEC 201
13、6 All rights reserved iii Contents PageBS ISO/IEC 27033-6:2016ISO/IEC 27033-6:2016(E)10.2.9 Accountability .21 10.3 Mobile communication security design .21 10.4 Bluetooth .22 10.5 Other wireless technologies .23 Annex A (informative) Technical description of threats and countermeasures 24 Bibliogra
14、phy .26 iv ISO/IEC 2016 All rights reservedBS ISO/IEC 27033-6:2016ISO/IEC 27033-6:2016(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are memb
15、ers of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international org
16、anizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its further mai
17、ntenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attenti
18、on is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introd
19、uction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions related to c
20、onformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Secur
21、ity techniques. ISO/IEC 27033 consists of the following parts, under the general title Information technology Security techniques Network security: Part 1: Overview and concepts Part 2: Guidelines for the design and implementation of network security Part 3: Reference networking scenarios Threats, d
22、esign techniques and control issues Part 4: Securing communications between networks using security gateways Part 5: Securing communications across networks using virtual private networks (VPNs) Part 6: Securing wireless IP network access ISO/IEC 2016 All rights reserved vBS ISO/IEC 27033-6:2016ISO/
23、IEC 27033-6:2016(E) Introduction In todays world, the majority of both commercial and government organizations have their information systems connected by networks with the network connections being one or more of the following: within the organization; between different organizations; between the o
24、rganization and the general public. Further, with the rapid developments in publicly available network technology (in particular with the Internet) offering significant business opportunities, organizations are increasingly conducting electronic business on a global scale and providing online public
25、 services. The opportunities include the provision of lower cost data communications, using the Internet simply as a global connection medium, through to more sophisticated services provided by Internet service providers (ISPs). This can mean the use of relatively low cost local attachment points at
26、 each end of a circuit to full scale online electronic trading and service delivery systems, using web-based applications and services. Additionally, the new technology (including the integration of data, voice and video) increases the opportunities for remote working (also known as “teleworking” or
27、 “telecommuting”) that enable personnel to operate away from their homework base for significant periods of time. They are able to keep in contact through the use of remote facilities to access organization and community networks and related business support information and services. However, while
28、this environment does facilitate significant business benefits, there are new security risks to be managed. With organizations relying heavily on the use of information and associated networks to conduct their business, the loss of confidentiality, integrity, and availability of information and serv
29、ices could have significant adverse impacts on business operations. Thus, there is a major requirement to properly protect networks and their related information systems and information. In other words, implementing and maintaining adequate network security is absolutely critical to the success of a
30、ny organizations business operations. In this context, the telecommunications and information technology industries are seeking cost- effective comprehensive security solutions, aimed at protecting networks against malicious attacks and inadvertent incorrect actions, and meeting the business require
31、ments for confidentiality, integrity, and availability of information and services. Securing a network is also essential for maintaining the accuracy of billing or usage information, as appropriate. Security capabilities in products are crucial to overall network security (including applications and
32、 services). However, as more products are combined to provide total solutions, the interoperability, or the lack thereof, will define the success of the solution. Security should not only be a thread of concern for each product or service, but should be developed in a manner that promotes the interw
33、eaving of security capabilities in the overall security solution. The purpose of ISO/IEC 27033 is to provide detailed guidance on the security aspects of the management, operation and use of information system networks, and their inter-connections. Those individuals within an organization that are r
34、esponsible for information security in general, and network security in particular, should be able to adapt the material in this document to meet their specific requirements. Its main objectives are as follows. ISO/IEC 27033-1 aims to define and describe the concepts associated with, and provide man
35、agement guidance on, network security. This includes the provision of an overview of network security and related definitions, and guidance on how to identify and analyze network security risks and then define network security requirements. It also introduces how to achieve good quality technical se
36、curity architectures, and the risk, design and control aspects associated with typical network scenarios and network technology areas (which are dealt with in detail in subsequent parts of ISO/IEC 27033). ISO/IEC 27033-2 aims to define how organizations should achieve quality network technical secur
37、ity architectures, designs and implementations that will ensure network security appropriate to their vi ISO/IEC 2016 All rights reservedBS ISO/IEC 27033-6:2016ISO/IEC 27033-6:2016(E) business environments, using a consistent approach to the planning, design and implementation of network security, a
38、s relevant, aided by the use of models/frameworks (in this context, a model/framework is used to outline a representation or description showing the structure and high level workings of a type of technical security architecture/design), and is relevant to all personnel who are involved in the planni
39、ng, design and implementation of the architectural aspects of network security (for example, network architects and designers, network managers, and network security officers). ISO/IEC 27033-3 aims to define the specific risks, design techniques and control issues associated with typical network sce
40、narios. It is relevant to all personnel who are involved in the planning, design and implementation of the architectural aspects of network security (for example, network architects and designers, network managers, and network security officers). ISO/IEC 27033-4 aims to define the specific risks, de
41、sign techniques and control issues for securing information flows between networks using security gateways. It is relevant to all personnel who are involved in the detailed planning, design and implementation of security gateways (for example, network architects and designers, network managers, and
42、network security officers). ISO/IEC 27033-5 aims to define the specific risks, design techniques and control issues for securing connections that are established using virtual private networks (VPNs). It is relevant to all personnel who are involved in the detailed planning, design and implementatio
43、n of VPN security (for example, network architects and designers, network managers, and network security officers). ISO/IEC 27033-6 aims to define the specific risks, design techniques and control issues for securing IP wireless networks. It is relevant to all personnel who are involved in the detai
44、led planning, design and implementation of security for wireless networks (for example, network architects and designers, network managers, and network security officers). It is emphasized that ISO/IEC 27033 provides further detailed implementation guidance on the network security controls that are
45、described at a basic standardized level in ISO/IEC 27002. It should be noted that this part of ISO/IEC 27033 is not a reference or normative document for regulatory and legislative security requirements. Although it emphasizes the importance of these influences, it cannot state them specifically, si
46、nce they are dependent on the country, the type of business, etc. Unless otherwise stated, throughout this part of ISO/IEC 27033, the guidance referenced is applicable to current and/or planned networks, but will only be referenced as “networks” or “the network”. ISO/IEC 2016 All rights reserved vii
47、BS ISO/IEC 27033-6:2016BS ISO/IEC 27033-6:2016Information technology Security techniques Network security Part 6: Securing wireless IP network access 1 Scope This part of ISO/IEC 27033 describes the threats, security requirements, security control and design techniques associated with wireless netwo
48、rks. It provides guidelines for the selection, implementation and monitoring of the technical controls necessary to provide secure communications using wireless networks. The information in this part of ISO/IEC 27033 is intended to be used when reviewing or selecting technical security architecture/
49、design options that involve the use of wireless network in accordance with ISO/IEC 27033-2. Overall, ISO/IEC 27033-6 will aid considerably the comprehensive definition and implementation of security for any organizations wireless network environment. It is aimed at users and implementers who are responsible for the implementation and maintenance of the technical controls necessary to provide secure wireless networks. 2 Normative references The fol
