1、BSI Standards Publication BS ISO/IEC 27039:2015 Information technology Security techniques Selection, deployment and operations of intrusion detection systems (IDPS)BS ISO/IEC 27039:2015 BRITISH STANDARD National foreword This British Standard is the UK implementation of ISO/IEC 27039:2015. It super
2、sedes BS ISO/IEC 18043:2006 which is withdrawn. The UK participation in its preparation was entrusted to Technical Committee IST/33, IT - Security techniques. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to inclu
3、de all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2015. Published by BSI Standards Limited 2015 ISBN 978 0 580 76243 7 ICS 35.020; 35.040 Compliance with a British Standard cannot confer immunity from legal obligations
4、. This British Standard was published under the authority of the Standards Policy and Strategy Committee on 28 February 2015. Amendments/corrigenda issued since publication Date Text affectedInformation technology Security techniques Selection, deployment and operations of intrusion detection system
5、s (IDPS) Technologies de linformation Techniques de scurit Slection, dploiement et oprations des systmes de dtection dintrusion INTERNATIONAL STANDARD ISO/IEC 27039 Reference number ISO/IEC 27039:2015(E) First edition 2015-02-15 ISO/IEC 2015 BS ISO/IEC 27039:2015ii ISO/IEC 2015 All rights reserved C
6、OPYRIGHT PROTECTED DOCUMENT ISO/IEC 2015 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior writte
7、n permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ISO
8、/IEC 27039:2015(E)BS ISO/IEC 27039:2015ISO/IEC 27039:2015(E)Foreword v Introduction vi 1 Scope . 1 2 T erms and definitions . 1 3 Background 5 4 General 5 5 Selection 6 5.1 Introduction 6 5.2 Information security risk assessment. 7 5.3 Host or Network IDPS . 7 5.3.1 Overview . 7 5.3.2 Host-based IDP
9、S (HIDPS) . 7 5.3.3 Network-based IDPS (NIDPS) . 7 5.4 Considerations 8 5.4.1 System environment . 8 5.4.2 Security protection mechanisms . 8 5.4.3 IDPS security policy 8 5.4.4 Performance 9 5.4.5 Verification of capabilities 10 5.4.6 Cost .10 5.4.7 Updates .11 5.4.8 Alert strategies .12 5.4.9 Ident
10、ity management12 5.5 Tools that complement IDPS 13 5.5.1 Overview 13 5.5.2 File integrity checkers 14 5.5.3 Firewall .14 5.5.4 Honeypots .14 5.5.5 Network management tools 15 5.5.6 Security Information Event Management (SIEM) tools 15 5.5.7 Virus/Content protection tools 16 5.5.8 Vulnerability asses
11、sment tools .16 5.6 Scalability .17 5.7 Technical support 17 5.8 Training 18 6 Deployment .18 6.1 Overview .18 6.2 Staged deployment .18 6.3 NIDPS deployment 19 6.3.1 Overview 19 6.3.2 Location of NIDPS inside an Internet firewall .20 6.3.3 Location of NIDPS outside an Internet firewall 20 6.3.4 Loc
12、ation of NIDPS on a major network backbone .21 6.3.5 Location of NIDPS on critical subnets 21 6.4 HIDPS deployment 21 6.5 Safeguarding and protecting IDPS information security .22 ISO/IEC 2015 All rights reserved iiiBS ISO/IEC 27039:2015ISO/IEC 27039:2015(E)7 Operations 22 7.1 Overview .22 7.2 IDPS
13、tuning 23 7.3 IDPS vulnerabilities .23 7.4 Handling IDPS alerts .23 7.4.1 Overview 23 7.4.2 Information Security Incident Response Team (ISIRT) 24 7.4.3 Outsourcing .24 7.5 Response options .25 7.5.1 Principles .25 7.5.2 Active response 25 7.5.3 Passive reaction .27 7.6 Legal Considerations .27 7.6.
14、1 Overview 27 7.6.2 Privacy .27 7.6.3 Other legal and policy considerations 27 7.6.4 Forensics 27 Annex A (informative) Intrusion Detection and Prevention System (IDPS): Framework and issues to be considered .28 Bibliography .48 iv ISO/IEC 2015 All rights reservedBS ISO/IEC 27039:2015ISO/IEC 27039:2
15、015(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through
16、 technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also ta
17、ke part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the differe
18、nt approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be th
19、e subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/pate
20、nts). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO princi
21、ples in the Technical Barriers to Trade (TBT), see the following URL: Foreword Supplementary information. The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Security techniques. This first edition of ISO/IEC 27039 cancels and replaces ISO/IEC 1
22、8 0 4 3 : 2 0 0 6 , w h i c h h a s b e e n technically revised. Legal notice The National Institute of Standards and Technology (NIST), hereby grant non-exclusive license to ISO/IEC to use the NIST Special Publication on intrusion detection systems (SP800-94 rev1, July 2012) in the development of t
23、he ISO/IEC 27039 International Standard. However, the NIST retains the right to use, copy, distribute, or modify the SP800-94 as they see fit. ISO/IEC 2015 All rights reserved vBS ISO/IEC 27039:2015ISO/IEC 27039:2015(E) Introduction Organizations should not only know when, if, and how an intrusion o
24、f their network, system, or application occurs. They also should know what vulnerability was exploited and what safeguards or appropriate risk treatment options (i.e. risk modification, risk retention, risk avoidance, risk sharing) should be implemented to prevent similar intrusions in the future. O
25、rganizations should also recognize and deter cyber-based intrusions. This requires an analysis of host and network traffic and/or audit trails for attack signatures or specific patterns that usually indicate malicious or suspicious intent. In the mid-1990s, organizations began to use intrusion detec
26、tion and prevention systems (IDPS) to fulfil these needs. The general use of IDPS continues to expand with a wider range of IDPS products being made available to satisfy an increasing level of organizational demands for advanced intrusion detection capability. In order for an organization to derive
27、the maximum benefits from IDPS, the process of IDPS selection, deployment, and operations should be carefully planned and implemented by properly trained and experienced personnel. In the case where this process is achieved, then IDPS products can assist an organization in obtaining intrusion inform
28、ation and can serve as an important security device within the overall information and communications technology (ICT) infrastructure. This International Standard provides guidelines for effective IDPS selection, deployment, and operation, as well as fundamental knowledge about IDPS. It is also appl
29、icable to those organizations that are considering outsourcing their intrusion detection capabilities. Information about outsourcing service level agreements can be found in the IT service management (ITSM) processes based on ISO/IEC 20000 Series. This International Standard is intended to be helpfu
30、l to: a) An organization in satisfying the following requirements of ISO/IEC 27001: The organization shall implement procedures and other controls capable of enabling prompt detection of and response to security incidents; The organization shall execute monitoring and review procedures and other con
31、trols to properly identify attempted and successful security breaches and incidents. b) An organization in implementing controls that meet the following security objectives of ISO/IEC 27002: To detect unauthorized information processing activities; Systems should be monitored and information securit
32、y events should be recorded. Operator logs and fault logging should be used to ensure information system problems are identified; An organization should comply with all relevant legal requirements applicable to its monitoring and logging activities; System monitoring should be used to check the effe
33、ctiveness of controls adopted and to verify conformity to an access policy model. An organization should recognize that deploying IDPS is not a sole and/or exhaustive solution to satisfy or meet the above-cited requirements. Furthermore, this International Standard is not intended as criteria for an
34、y kind of conformity assessments, e.g., information security management system (ISMS) certification, IDPS services or products certification.vi ISO/IEC 2015 All rights reservedBS ISO/IEC 27039:2015Information technology Security techniques Selection, deployment and operations of intrusion detection
35、systems (IDPS) 1 Scope This International Standard provides guidelines to assist organizations in preparing to deploy intrusion detection and prevention systems (IDPS). In particular, it addresses the selection, deployment, and operations of IDPS. It also provides background information from which t
36、hese guidelines are derived. 2 T erms a nd definiti ons For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply. 2.1 attack attempts to destroy, expose, alter, or disable information systems and/or information within it or otherwise breach the secu
37、rity policy 2.2 attack signature sequence of computing activities or alterations that are used to execute an attack and which are also used by an IDPS to discover that an attack has occurred and often is determined by the examination of network traffic or host logs Note 1 to entry: This can also be
38、referred to as an attack pattern. 2.3 attestation variant of public-key encryption that lets IDPS software programs and devices authenticate their identity to remote parties Note 1 to entry: See remote attestation (2.23). 2.4 bridge network equipment that transparently connects a local area network
39、(LAN) at OSI layer 2 to another LAN that uses the same protocol 2.5 cryptographic hash value mathematical value that is assigned to a file and used to “test” the file at a later date to verify that the data contained in the file has not been maliciously changed 2.6 denial-of-service DoS unauthorized
40、 access to a system resource or the delaying of system operations and functions, with resultant loss of availability to authorized users SOURCE: ISO/IEC 27033-1:2009 INTERNATIONAL ST ANDARD ISO/IEC 27039:2015(E) ISO/IEC 2015 All rights reserved 1BS ISO/IEC 27039:2015ISO/IEC 27039:2015(E) 2.7 distrib
41、uted denial-of-service attack DDoS unauthorized access to a system resource or the delaying of system operations and functions in the way of compromising multiple systems to flood the bandwidth or resources of the targeted system, with resultant loss of availability to authorized users 2.8 demilitar
42、ized zone DMZ logical and physical network space between the perimeter router and the exterior firewall Note 1 to entry: The DMZ can be between networks and under close observation but does not have to be so. Note 2 to entry: They are generally unsecured areas containing bastion hosts that provide p
43、ublic services. 2.9 exploit defined way to breach the security of information systems through vulnerability 2.10 f i r ew a l l type of barrier placed between network environments consisting of a dedicated device or a composite of several components and techniques through which all traffic from one
44、network environment traverses to another, and vice versa, and only authorized traffic as defined by the local security policy is allowed to pass SOURCE: ISO/IEC 27033-1:2009 2.11 false positive IDPS alert when there is no attack 2.12 false negative no IDPS alert when there is an attack 2.13 honeypot
45、 generic term for a decoy system used to deceive, distract, divert, and encourage the attacker to spend time on information that appears to be very valuable, but actually is fabricated and would not be of interest to a legitimate user 2.14 host addressable system or computer in TCP/IP-based networks
46、 like the Internet 2.15 intruder individual who is conducting, or has conducted, an intrusion or attack against a victims host, site, network, or organization 2.16 intrusion unauthorized access to a network or a network-connected system, that is, deliberate or accidental unauthorized access to infor
47、mation systems, to include malicious activity against information systems, or unauthorized use of resources within information systems2 ISO/IEC 2015 All rights reservedBS ISO/IEC 27039:2015ISO/IEC 27039:2015(E) 2.17 intrusion detection formal process of detecting intrusions, generally characterized
48、by gathering knowledge about abnormal usage patterns, as well as what, how, and which vulnerability has been exploited to include how and when it occurred 2.18 intrusion detection system IDS information systems used to identify that an intrusion has been attempted, is occurring, or has occurred 2.19
49、 intrusion prevention system IPS variant on intrusion detection systems that are specifically designed to provide an active response capability 2.20 intrusion detection and prevention system IDPS intrusion detection systems (IDPS) and intrusion prevention systems (IPS) software applications or appliances that monitor systems for malicious activities, where IDS focus is to only alert on the discovery of such activity while IPS have the potent to prevent some intrusions up
