7/31/2019 As NZS ISO IEC 18028.4-2006 Information Technology - Security Techniques - IT Network Security Securing Remot
AS/NZS ISO/IEC 18028.4:2006 (ISO/IEC 18028-4:2005)
Australian/New Zealand Standard
Information technology - Security techniques - IT network security
Part 4: Securing remote access
AS/NZS ISO/IEC 18028.4:2006
This Joint Australian/New Zealand Standard was prepared by Joint Technical Committee IT-012, Information Systems, Security and Identification. It was approved on behalf of the Council of Standards Australia on 31 March 2006 and on behalf of the Council of Standards New Zealand on 16 June 2006. This Standard was published on 10 July 2006.
The following are represented on Committee IT-012:
Attorney Generals Department
Australian Association of Permanent Building Societies
Australian Bankers Association
Australian Chamber of Commerce and Industry
Australian Electrical and Electronic Manufacturers Association
Certification Forum of Australia
Department of Defence (Australia)
Internet Industry Association
NSW Police Service
Reserve Bank of Australia
Keeping Standards up-to-date
Standards are living documents which reflect progress in science, technology and systems. To maintain their currency, all Standards are periodically reviewed, and new editions are published. Between editions, amendments may be issued. Standards may also be withdrawn. It is important that readers assure themselves they are using a current Standard, which should include any amendments which may have been published since the Standard was purchased.
Detailed information about joint Australian/New Zealand Standards can be found by visiting the Standards Web Shop at www.standards.com.au or the Standards New Zealand web site at www.standards.co.nz and looking up the relevant Standard in the on-line catalogue.
Alternatively, both organizations publish an annual printed Catalogue with full details of all current Standards. For more frequent listings or notification of revisions, amendments and withdrawals, Standards Australia and Standards New Zealand offer a number of update options. For information about these services, users should contact their respective national Standards organization.
We also welcome suggestions for improvement in our Standards, and especially encourage readers to notify us immediately of any apparent inaccuracies or ambiguities. Please address your comments to the Chief Executive of either Standards Australia or Standards New Zealand at the address shown on the back cover.
This Standard was issued in draft form for comment as DR 06037.
AS/NZS ISO/IEC 18028.4:2006
Australian/New Zealand Standard
Information technology - Security techniques - IT network security
Part 4: Securing remote access
COPYRIGHT
Standards Australia/Standards New Zealand
All rights are reserved. No part of this work may be reproduced or copied in any form or by any means, electronic or mechanical, including photocopying, without the written permission of the publisher.
Jointly published by Standards Australia, GPO Box 476, Sydney, NSW 2001 and Standards
New Zealand, Private Bag 2439, Wellington 6020
ISBN 0 7337 7597 7
First published as AS/NZS ISO/IEC 18028.4:2006.
PREFACE
This Standard was prepared by the Joint Standards Australia/Standards New Zealand Committee
IT-012, Information Systems, Security and Identification.
This Standard is identical with, and has been reproduced from, ISO/IEC 18028-4:2005, Information technology - Security techniques - IT network security - Part 4: Securing remote access.
The objective of this Standard is to provide the Information Security community with clear
guidance on network protection, specifically, securing communications utilising remote access.
This Standard is Part 4 of AS/NZS ISO/IEC 18028, Information technology - Security techniques - IT network security, which is published in parts as follows:
Part 2: Network security architecture
Part 3: Securing communications between networks using security gateways
Part 4: Securing remote access (this Standard)
The term informative has been used in this Standard to define the application of the annex to
which it applies. An informative annex is only for information and guidance.
As this Standard is reproduced from an international standard, the following applies:
(a) Its number appears on the cover and title page while the international standard number
appears only on the cover.
(b) In the source text, "this part of ISO/IEC 18028" should read "this Australian/New Zealand Standard".
(c) A full point substitutes for a comma when referring to a decimal marker.
CONTENTS
Page
1 Scope ..... 1
2 Terms, definitions and abbreviated terms ..... 1
3 Aim ..... 5
4 Overview ..... 6
5 Security requirements ..... 7
6 Types of remote access connection ..... 8
7 Techniques of remote access connection ..... 9
7.1 General ..... 9
7.2 Access to communications servers ..... 9
7.3 Access to LAN resources ..... 13
7.4 Access for maintenance ..... 14
8 Guidelines for selection and configuration ..... 14
8.1 General ..... 14
8.2 Protecting the RAS client ..... 15
8.3 Protecting the RAS server ..... 16
8.4 Protecting the connection ..... 17
8.5 Wireless security ..... 18
8.6 Organizational measures ..... 19
8.7 Legal considerations ..... 20
9 Conclusion ..... 20
Annex A (informative) Sample remote access security policy ..... 21
A.1 Purpose ..... 21
A.2 Scope ..... 21
A.3 Policy ..... 21
A.4 Enforcement ..... 22
A.5 Terms and definitions ..... 23
Annex B (informative) RADIUS implementation and deployment best practices ..... 24
B.1 General ..... 24
B.2 Implementation best practices ..... 24
B.3 Deployment best practices ..... 25
Annex C (informative) The two modes of FTP ..... 27
C.1 PORT-mode FTP ..... 27
C.2 PASV-mode FTP ..... 27
Annex D (informative) Checklists for secure mail service ..... 29
D.1 Mail server operating system checklist ..... 29
D.2 Mail server and content security checklist ..... 30
D.3 Network infrastructure checklist ..... 31
D.4 Mail client security checklist ..... 32
D.5 Secure administration of mail server checklist ..... 32
Annex E (informative) Checklists for secure web services ..... 34
E.1 Web server operating system checklist ..... 34
E.2 Secure web server installation and configuration checklist ..... 35
E.3 Web content checklist ..... 36
E.4 Web authentication and encryption checklist ..... 37
E.5 Network infrastructure checklist ..... 37
E.6 Secure web server administration checklist ..... 38
Annex F (informative) Wireless LAN security checklist ..... 40
Bibliography ..... 42
INTRODUCTION
In Information Technology there is an ever increasing need to use networks within organizations and between organizations. Requirements have to be met to use networks securely.
The area of remote access to a network requires specific measures when IT security should be in place. This part of ISO/IEC 18028 provides guidance for accessing networks remotely, either for using email, file transfer or simply working remotely.
AUSTRALIAN/NEW ZEALAND STANDARD
Information technology - Security techniques - IT network security
Part 4: Securing remote access
1 Scope
This part of ISO/IEC 18028 provides guidance for securely using remote access, a method to remotely connect a computer either to another computer or to a network using public networks, and its implication for IT security. In this it introduces the different types of remote access including the protocols in use, discusses the authentication issues related to remote access and provides support when setting up remote access securely. It is intended to help network administrators and technicians who plan to make use of this kind of connection or who already have it in use and need advice on how to set it up securely and operate it securely.
2 Terms, definitions and abbreviated terms
For the purposes of this document, the following terms, definitions and abbreviated terms apply.
2.1
Access Point
AP
the system providing access from a wireless network to a terrestrial network
2.2
Advanced Encryption Standard
AES
a symmetric encryption mechanism providing variable key length and allowing an efficient implementation, specified as Federal Information Processing Standard (FIPS) 197
2.3
authentication
the provision of assurance of the claimed identity of an entity. In case of user authentication, users are identified either by knowledge (e.g., password), by possession (e.g., token) or by a personal characteristic (biometrics). Strong authentication is either based on strong mechanisms (e.g., biometrics) or makes use of at least two of these factors (so-called multi-factor authentication).
2.4
call-back
a mechanism to place a call to a pre-defined or proposed location (and address) after receiving valid ID parameters
2.5
Challenge-Handshake Authentication Protocol
CHAP
a three-way authentication protocol defined in RFC 1994
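As an added illustration, not text or code from the standard, the following Python walks through the three-way exchange that 2.5 names (Challenge, Response, Success/Failure) as RFC 1994 specifies it, with a constructed user name and shared secret. It shows the two properties a RAS administrator relies on: the secret itself never crosses the link, and a fresh random challenge per session means a captured Response is useless for replay.

```python
import hashlib
import hmac
import os

# Constructed example values; a real RAS server reads these from its user
# database. Note that CHAP requires the clear-text secret on both sides.
PEER_NAME = "remote-user"
SECRET = b"example-shared-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value per RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """RAS-side state for one CHAP handshake."""

    def __init__(self, secrets: dict):
        self.secrets = secrets      # name -> clear-text secret
        self.identifier = 0
        self.challenge = b""

    def send_challenge(self) -> tuple:
        # Step 1: Challenge packet. A fresh random value each time is what
        # makes a previously captured Response worthless.
        self.identifier = (self.identifier + 1) & 0xFF
        self.challenge = os.urandom(16)
        return self.identifier, self.challenge

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        # Step 3: recompute the expected value and compare in constant time,
        # then answer Success (True) or Failure (False).
        secret = self.secrets.get(name)
        if secret is None or identifier != self.identifier:
            return False
        expected = chap_response(identifier, secret, self.challenge)
        return hmac.compare_digest(expected, response)


def peer_respond(identifier: int, challenge: bytes, name: str, secret: bytes) -> tuple:
    # Step 2: Response packet carries name and hash, never the secret.
    return identifier, name, chap_response(identifier, secret, challenge)


def run_exchange() -> dict:
    """One successful handshake, then a replay and a wrong-secret attempt."""
    auth = Authenticator({PEER_NAME: SECRET})
    ident, chal = auth.send_challenge()
    ident, name, resp = peer_respond(ident, chal, PEER_NAME, SECRET)
    success = auth.verify(ident, name, resp)
    # New session, new Challenge: the old Response no longer verifies.
    ident2, chal2 = auth.send_challenge()
    replayed = auth.verify(ident2, name, resp)
    wrong = auth.verify(ident2, name, chap_response(ident2, b"guess", chal2))
    return {"success": success, "replay_rejected": not replayed,
            "wrong_secret_rejected": not wrong}
```

Two caveats follow directly from the construction: the server must hold every user's secret in clear text, and the hash is unkeyed MD5, so the protocol gives no protection against an offline guess once a Challenge/Response pair has been observed on an unencrypted link.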
This is a free preview. Purchase the entire publication from the SAI Global Infostore (http://infostore.saiglobal.com/store).