1、INCITS/ISO/IEC 18043:20062008 (ISO/IEC 18043:2006, IDT) Information technology Security techniques Selection, deployment and operationsof intrusion detection systemsINCITS/ISO/IEC 18043:20062008(ISO/IEC 18043:2006, IDT)INCITS/ISO/IEC 18043:20062008 ii ITIC 2008 All rights reserved PDF disclaimer Thi
2、s PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept the
3、rein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; t
4、he PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. Adopted by INCITS (Inter
5、National Committee for Information Technology Standards) as an American National Standard. Date of ANSI Approval: 7/1/2008 Published by American National Standards Institute, 25 West 43rd Street, New York, New York 10036 Copyright 2008 by Information Technology Industry Council (ITI). All rights res
6、erved. These materials are subject to copyright claims of International Standardization Organization (ISO), International Electrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publication ma
7、y be reproduced in any form, including an electronic retrieval system, without the prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW, Washington, DC 20005. Printed in the United States of America INCITS/ISO/IEC 18043:20062008 ITI
8、C 2008 All rights reserved iii Contents Page Foreword iv Introduction .v Information technology Security techniques Selection, deployment and operations of intrusion detection systems 1 1 Scope 1 2 Terms and definitions 1 3 Background 4 4 General5 5 Selection .6 5.1 Information Security Risk Assessm
9、ent .7 5.2 Host or Network IDS .7 5.3 Considerations .7 5.4 Tools that complement IDS 13 5.5 Scalability . 17 5.6 Technical support. 17 5.7 Training . 17 6 Deployment . 18 6.1 Staged Deployment 18 7 Operations 22 7.1 IDS Tuning 22 7.2 IDS Vulnerabilities 22 7.3 Handling IDS Alerts 22 7.4 Response Op
10、tions 25 7.5 Legal Considerations . 26 Annex A (informative) Intrusion Detection System (IDS): Framework and Issues to be Considered . 27 A.1 Introduction to Intrusion Detection . 27 A.2 Types of intrusions and attacks 28 A.3 Generic Model of Intrusion Detection Process . 29 A.4 Types of IDS . 35 A.
11、5 Architecture 38 A.6 Management of an IDS . 39 A.7 Implementation and Deployment Issues . 42 A.8 Intrusion Detection Issues . 44 Bibliography 46 INCITS/ISO/IEC 18043:20062008 iv ITIC 2008 All rights reserved Foreword ISO (the International Organization for Standardization) and IEC (the Internationa
12、l Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of
13、 technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint
14、technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee a
15、re circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held
16、responsible for identifying any or all such patent rights. ISO/IEC 18043 was prepared by Joint Technical Committee ISO/IEC JTC 1 Information technology, Subcommittee SC 27, IT Security techniques. Legal notice The National Institute of Standards and Technology (NIST), hereby grant non-exclusive lice
17、nse to ISO/IEC to use the NIST Special Publication on Intrusion Detection Systems (SP800-31) in the development of the ISO/IEC 18043 International Standard. However, the NIST retains the right to use, copy, distribute, or modify the SP800-31 as they see fit. INCITS/ISO/IEC 18043:20062008 ITIC 2008 A
18、ll rights reserved v Introduction Organizations should not only know when, if, and how an intrusion of their network, system or application occurs, they also should know what vulnerability was exploited and what safeguards or appropriate risk treatment options (i.e. risk transfer, risk acceptance, r
19、isk avoidance) should be implemented to prevent similar intrusions in the future. Organizations should also recognize and deflect cyber-based intrusions. This requires an analysis of host and network traffic and/or audit trails for attack signatures or specific patterns that usually indicate malicio
20、us or suspicious intent. In the mid-1990s, organizations began to use Intrusion Detection Systems (IDS) to fulfil these needs. The general use of IDS continues to expand with a wider range of IDS products being made available to satisfy an increasing level of organizational demands for advanced intr
21、usion detection capability. In order for an organization to derive the maximum benefits from IDS, the process of IDS selection, deployment, and operations should be carefully planned and implemented by properly trained and experienced personnel. In the case where this process is achieved, then IDS p
22、roducts can assist an organization in obtaining intrusion information and can serve as an important security device within the overall information and communications technology (ICT) infrastructure. This International Standard provides guidelines for effective IDS selection, deployment and operation
23、, as well as fundamental knowledge about IDS. It is also applicable to those organizations that are considering outsourcing their intrusion detection capabilities. Information about outsourcing service level agreements can be found in the IT Service Management (ITSM) processes based on ISO/IEC 20000
24、. AMERICAN NATIONAL STANDARD INCITS/ISO/IEC 18043:20062008 ITIC 2008 All rights reserved 1 Information technology Security techniques Selection, deployment and operations of intrusion detection systems 1 Scope This International Standard provides guidelines to assist organizations in preparing to de
25、ploy Intrusion Detection System (IDS). In particular, it addresses the selection, deployment and operations of IDS. It also provides background information from which these guidelines are derived. This International Standard is intended to be helpful to a) an organization in satisfying the following
26、 requirements of ISO/IEC 27001: The organization shall implement procedures and other controls capable of enabling prompt detection of and response to security incidents. The organization shall execute monitoring and review procedures and other controls to properly identify attempted and successful
27、security breaches and incidents. b) an organization in implementing controls that meet the following security objectives of ISO/IEC 17799: To detect unauthorized information processing activities. Systems should be monitored and information security events should be recorded. Operator logs and fault
28、 logging should be used to ensure information system problems are identified. An organization should comply with all relevant legal requirements applicable to its monitoring and logging activities. System monitoring should be used to check the effectiveness of controls adopted and to verify conformi
29、ty to an access policy model. An organization should recognize that deploying IDS is not a sole and/or exhaustive solution to satisfy or meet the above-cited requirements. Furthermore, this International Standard is not intended as criteria for any kind of conformity assessments, e.g., Information S
30、ecurity Management System (ISMS) certification, IDS services or products certification. 2 Terms and definitions For the purposes of this document, the following terms and definitions apply. 2.1 attack attempts to destroy, expose, alter, or disable an Information System and/or information within it o
31、r otherwise breach the security policy INCITS/ISO/IEC 18043:20062008 2 ITIC 2008 All rights reserved 2.2 attack signature sequence of computer activities or alterations that are used to execute an attack and which are also used by an IDS to discover that an attack has occurred and often is determine
32、d by the examination of network traffic or host logs NOTE This may also be referred to as an attack pattern. 2.3 attestation variant of public-key encryption that lets IDS software programs and devices authenticate their identity to remote parties. NOTE See Clause 2.21, Remote attestation. 2.4 bridg
33、e network equipment that transparently connects a local area network (LAN) at OSI layer 2 to another LAN that uses the same protocol 2.5 cryptographic hash value mathematical value that is assigned to a file and used to “test” the file at a later date to verify that the data contained in the file ha
34、s not been maliciously changed 2.6 DoS (Denial-of-Service) attack prevention of authorized access to a system resource or the delaying of system operations and functions ISO/IEC 18028-1 2.7 Demilitarized Zone DMZ logical and physical network space between the perimeter router and the exterior firewa
35、ll NOTE 1 The DMZ may be between networks and under close observation but does not have to be so. NOTE 2 They are generally unsecured areas containing bastion hosts that provide public services. 2.8 exploit defined way to breach the security of an Information System through vulnerability 2.9 firewal
36、l type of security gateway or barrier placed between network environments consisting of a dedicated device or a composite of several components and techniques through which all traffic from one network environment to another, and vice versa, traverses and only authorized traffic is allowed to pass I
37、SO/IEC 18028-1 2.10 false positive IDS alert when there is no attack 2.11 false negative no IDS alert when there is an attack INCITS/ISO/IEC 18043:20062008 ITIC 2008 All rights reserved 3 2.12 host addressable system or computer in TCP/IP based networks like the Internet 2.13 intruder individual who
38、 is conducting, or has conducted, an intrusion or attack against a victims host, site, network, or organization 2.14 intrusion unauthorized access to a network or a network-connected system, i.e. deliberate or accidental unauthorized access to an information system, to include malicious activity aga
39、inst an information system, or unauthorized use of resources within an information system 2.15 intrusion detection formal process of detecting intrusions, generally characterized by gathering knowledge about abnormal usage patterns as well as what, how, and which vulnerability has been exploited to
40、include how and when it occurred 2.16 intrusion detection system IDS information system used to identify that an intrusion has been attempted, is occurring, or has occurred and possibly respond to intrusions in Information Systems and networks 2.17 intrusion prevention system IPS variant on intrusio
41、n detection systems that are specifically designed to provide an active response capability 2.18 honeypot generic term for a decoy system used to deceive, distract, divert and to encourage the attacker to spend time on information that appears to be very valuable, but actually is fabricated and woul
42、d not be of interest to a legitimate user 2.19 penetration unauthorized act of bypassing the security mechanisms of an Information System 2.20 provisioning process of remotely searching for new software updates from a vendors website and downloading authenticated updates 2.21 remote attestation proc
43、esses of using digital certificates to ensure the identity as well as the hardware and software configuration of IDS and to securely transmit this information to a trusted operations center 2.22 response (incident response or intrusion response) actions taken to protect and restore the normal operat
44、ional conditions of an Information System and the information stored in them when an attack or intrusion occurs INCITS/ISO/IEC 18043:20062008 4 ITIC 2008 All rights reserved 2.23 router network device that is used to establish and control the flow of data between different networks, which themselves
45、 can be based on different networks protocols, by selecting paths or routes based upon routing protocol mechanisms and algorithms NOTE The routing information is kept in a routing table. ISO/IEC 18028-1 2.24 server computer system or program that provides services to other computers 2.25 Service Lev
46、el Agreement contract that defines the technical support or business performance objectives including measures for performance and consequences for failure the provider of a service can provide its clients 2.26 sensor component/agent of IDS, which collects event data from an Information System or ne
47、twork under observation NOTE Also referred to as a monitor. 2.27 subnet portion of a network that shares a common address component 2.28 switch device which provides connectivity between networked devices by means of internal switching mechanisms NOTE Switches are distinct from other local area netw
48、ork interconnection devices (e.g. a hub) as the technology used in switches sets up connections on a point-to-point basis. This ensures the network traffic is only seen by the addressed network devices and enables several connections to exist simultaneously routing. ISO/IEC 18028-1 2.29 Test Access
49、Points TAP typically passive devices that do not install any overhead on the packet; they also increase the level of the security as they make the data collection interface invisible to the network, where a switch can still maintain layer 2 information about the port. A TAP also gives the functionality of multiple ports so network issues can be debugged without losing the IDS capability. 2.30 trojan horse malicious program that masquerades as a benign application 3 Background The purpose of Intrusion Dete