As NZS ISO IEC 18028.4-2006 Information Technology - Security Techniques - IT Network Security Securing Remot


  • 7/31/2019 As NZS ISO IEC 18028.4-2006 Information Technology - Security Techniques - IT Network Security Securing Remot

    1/10

    AS/NZS ISO/IEC 18028.4:2006
    ISO/IEC 18028-4:2005

    Australian/New Zealand Standard

    Information technology - Security techniques - IT network security

    Part 4: Securing remote access

    AS/NZS ISO/IEC 18028.4:2006


    AS/NZS ISO/IEC 18028.4:2006

    This Joint Australian/New Zealand Standard was prepared by Joint Technical Committee IT-012, Information Systems, Security and Identification. It was approved on behalf of the Council of Standards Australia on 31 March 2006 and on behalf of the Council of Standards New Zealand on 16 June 2006. This Standard was published on 10 July 2006.

    The following are represented on Committee IT-012:

    Attorney General's Department

    Australian Association of Permanent Building Societies

    Australian Bankers Association

    Australian Chamber of Commerce and Industry

    Australian Electrical and Electronic Manufacturers Association

    Certification Forum of Australia

    Department of Defence (Australia)

    Internet Industry Association

    NSW Police Service

    Reserve Bank of Australia

    Keeping Standards up-to-date

    Standards are living documents which reflect progress in science, technology and systems. To maintain their currency, all Standards are periodically reviewed, and new editions are published. Between editions, amendments may be issued. Standards may also be withdrawn. It is important that readers assure themselves they are using a current Standard, which should include any amendments which may have been published since the Standard was purchased.

    Detailed information about joint Australian/New Zealand Standards can be found by visiting the Standards Web Shop at www.standards.com.au or Standards New Zealand web site at www.standards.co.nz and looking up the relevant Standard in the on-line catalogue.

    Alternatively, both organizations publish an annual printed Catalogue with full details of all current Standards. For more frequent listings or notification of revisions, amendments and withdrawals, Standards Australia and Standards New Zealand offer a number of update options. For information about these services, users should contact their respective national Standards organization.

    We also welcome suggestions for improvement in our Standards, and especially encourage readers to notify us immediately of any apparent inaccuracies or ambiguities. Please address your comments to the Chief Executive of either Standards Australia or Standards New Zealand at the address shown on the back cover.

    This Standard was issued in draft form for comment as DR 06037.


    AS/NZS ISO/IEC 18028.4:2006

    Australian/New Zealand Standard

    Information technology - Security techniques - IT network security

    Part 4: Securing remote access

    COPYRIGHT

    Standards Australia/Standards New Zealand

    All rights are reserved. No part of this work may be reproduced or copied in any form or by any means, electronic or mechanical, including photocopying, without the written permission of the publisher.

    Jointly published by Standards Australia, GPO Box 476, Sydney, NSW 2001 and Standards New Zealand, Private Bag 2439, Wellington 6020

    ISBN 0 7337 7597 7

    First published as AS/NZS ISO/IEC 18028.4:2006.


    ii

    PREFACE

    This Standard was prepared by the Joint Standards Australia/Standards New Zealand Committee IT-012, Information Systems, Security and Identification.

    This Standard is identical with, and has been reproduced from ISO/IEC 18028-4:2005, Information technology - Security techniques - IT network security - Part 4: Securing remote access.

    The objective of this Standard is to provide the Information Security community with clear guidance on network protection, specifically, securing communications utilising remote access.

    This Standard is Part 4 of AS/NZS ISO/IEC 18028, Information technology - Security techniques - IT network security, which is published in parts as follows:

    Part 2: Network security architecture

    Part 3: Securing communications between networks using security gateways

    Part 4: Securing remote access (this Standard)

    The term informative has been used in this Standard to define the application of the annex to which it applies. An informative annex is only for information and guidance.

    As this Standard is reproduced from an international standard, the following applies:

    (a) Its number appears on the cover and title page while the international standard number appears only on the cover.

    (b) In the source text this part of ISO/IEC 18028 should read this Australian/New Zealand Standard.

    (c) A full point substitutes for a comma when referring to a decimal marker.

    iii

    CONTENTS

    Page

    1 Scope ..... 1
    2 Terms, definitions and abbreviated terms ..... 1
    3 Aim ..... 5
    4 Overview ..... 6
    5 Security requirements ..... 7
    6 Types of remote access connection ..... 8
    7 Techniques of remote access connection ..... 9
    7.1 General ..... 9
    7.2 Access to communications servers ..... 9
    7.3 Access to LAN resources ..... 13
    7.4 Access for maintenance ..... 14
    8 Guidelines for selection and configuration ..... 14
    8.1 General ..... 14
    8.2 Protecting the RAS client ..... 15
    8.3 Protecting the RAS server ..... 16
    8.4 Protecting the connection ..... 17
    8.5 Wireless security ..... 18
    8.6 Organizational measures ..... 19
    8.7 Legal considerations ..... 20
    9 Conclusion ..... 20
    Annex A (informative) Sample remote access security policy ..... 21
    A.1 Purpose ..... 21
    A.2 Scope ..... 21
    A.3 Policy ..... 21
    A.4 Enforcement ..... 22
    A.5 Terms and definitions ..... 23
    Annex B (informative) RADIUS implementation and deployment best practices ..... 24
    B.1 General ..... 24
    B.2 Implementation best practices ..... 24
    B.3 Deployment best practices ..... 25
    Annex C (informative) The two modes of FTP ..... 27
    C.1 PORT-mode FTP ..... 27
    C.2 PASV-mode FTP ..... 27
    Annex D (informative) Checklists for secure mail service ..... 29
    D.1 Mail server operating system checklist ..... 29
    D.2 Mail server and content security checklist ..... 30
    D.3 Network infrastructure checklist ..... 31
    D.4 Mail client security checklist ..... 32
    D.5 Secure administration of mail server checklist ..... 32
    Annex E (informative) Checklists for secure web services ..... 34
    E.1 Web server operating system checklist ..... 34
    E.2 Secure web server installation and configuration checklist ..... 35
    E.3 Web content checklist ..... 36


    iv

    Page

    E.4 Web authentication and encryption checklist ..... 37
    E.5 Network infrastructure checklist ..... 37
    E.6 Secure web server administration checklist ..... 38
    Annex F (informative) Wireless LAN security checklist ..... 40
    Bibliography ..... 42


    v

    INTRODUCTION

    In Information Technology there is an ever increasing need to use networks within organizations and between organizations. Requirements have to be met to use networks securely.

    The area of remote access to a network requires specific measures when IT security should be in place. This part of ISO/IEC 18028 provides guidance for accessing networks remotely either for using email, file transfer or simply working remotely.


    vi

    NOTES

    AUSTRALIAN/NEW ZEALAND STANDARD

    Information technology - Security techniques - IT network security

    Part 4: Securing remote access

    1 Scope

    This part of ISO/IEC 18028 provides guidance for securely using remote access, a method to remotely connect a computer either to another computer or to a network using public networks, and its implications for IT security. In this it introduces the different types of remote access including the protocols in use, discusses the authentication issues related to remote access and provides support when setting up remote access securely. It is intended to help network administrators and technicians who plan to make use of this kind of connection, or who already have it in use, and need advice on how to set it up and operate it securely.

    2 Terms, definitions and abbreviated terms

    For the purposes of this document, the following terms, definitions and abbreviated terms apply.

    2.1 Access Point (AP)
    the system providing access from a wireless network to a terrestrial network

    2.2 Advanced Encryption Standard (AES)
    a symmetric encryption mechanism providing variable key length and allowing an efficient implementation, specified as Federal Information Processing Standard (FIPS) 197

    2.3 authentication
    the provision of assurance of the claimed identity of an entity. In case of user authentication, users are identified either by knowledge (e.g., password), by possession (e.g., token) or by a personal characteristic (biometrics). Strong authentication is either based on strong mechanisms (e.g., biometrics) or makes use of at least two of these factors (so-called multi-factor authentication).

    2.4 call-back
    a mechanism to place a call to a pre-defined or proposed location (and address) after receiving valid ID parameters

    2.5 Challenge-Handshake Authentication Protocol (CHAP)
    a three-way authentication protocol defined in RFC 1994
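Definition 2.5 names CHAP only as "a three-way authentication protocol defined in RFC 1994". The following is an added worked example, not text or code from the standard, that plays out the three messages of RFC 1994 between an authenticator and a peer: (1) the authenticator sends a fresh challenge, (2) the peer answers with MD5(identifier || shared secret || challenge), and (3) the authenticator recomputes the same value and replies Success or Failure. The hash is MD5 because RFC 1994 specifies it; the class names, the peer name "alice", the secrets and the identifiers are constructed for the example. The last function shows why the challenge must be fresh per session: a response captured from one handshake does not satisfy the next one.

```python
"""Three-way CHAP exchange (RFC 1994), as an added worked example.

Assumed/constructed: class and function names, the peer names and
secrets used in the demo, and the 16-byte challenge length.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5 over Identifier || secret || Challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Server side: holds shared secrets and the challenge outstanding per identifier."""

    def __init__(self, secrets: dict[str, bytes]) -> None:
        self._secrets = secrets      # peer name -> shared secret
        self._pending: dict[int, bytes] = {}  # identifier -> challenge sent

    def challenge(self, identifier: int) -> bytes:
        # Message 1: a fresh, unpredictable challenge. Reusing a challenge
        # would let a captured response be replayed, so draw a new one each time.
        value = os.urandom(16)
        self._pending[identifier] = value
        return value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        # Message 3: recompute locally and compare in constant time.
        # The challenge is consumed here, so a second answer to it fails.
        challenge = self._pending.pop(identifier, None)
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class Peer:
    """Client side: knows its name and the shared secret."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes) -> tuple[str, bytes]:
        # Message 2: the secret itself never crosses the link, only the hash.
        return self.name, chap_response(identifier, self.secret, challenge)


def run_handshake(auth: Authenticator, peer: Peer, identifier: int) -> bool:
    """Drive one complete challenge / response / result exchange."""
    challenge = auth.challenge(identifier)
    name, response = peer.respond(identifier, challenge)
    return auth.verify(identifier, name, response)


def replay_attempt(auth: Authenticator, peer: Peer, identifier: int) -> tuple[bool, bool]:
    """Defender's check: capture one valid response, present it again next session.

    Returns (result of the genuine handshake, result of the replayed response).
    """
    first = auth.challenge(identifier)
    name, captured = peer.respond(identifier, first)
    first_ok = auth.verify(identifier, name, captured)
    auth.challenge(identifier)  # new session, new challenge
    second_ok = auth.verify(identifier, name, captured)
    return first_ok, second_ok


if __name__ == "__main__":
    auth = Authenticator({"alice": b"constructed-demo-secret"})
    print("correct secret:", run_handshake(auth, Peer("alice", b"constructed-demo-secret"), 1))
    print("wrong secret:  ", run_handshake(auth, Peer("alice", b"not-the-secret"), 2))
    print("replay:        ", replay_attempt(auth, Peer("alice", b"constructed-demo-secret"), 3))
```

Two properties of the protocol are visible in the code and matter when the standard later discusses authentication of remote access: the authenticator must hold the secret in a form from which it can recompute the MD5, so the secret store on the server needs the same protection as the secret itself, and the response is a plain hash over the secret, so a low-entropy secret can be guessed offline by anyone who records one challenge/response pair. Fresh challenges, high-entropy secrets and a constant-time comparison are the minimum the verifier side should implement.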
