Information technology — Security techniques — Network security — Part 4: Securing communications between networks using security gateways

ISO/IEC 27033-4:2014 gives guidance for securing communications between networks using security gateways (firewall, application firewall, Intrusion Protection System, etc.) in accordance with a documented information security policy of the security gateways, including: identifying and analysing network security threats associated with security gateways; defining network security requirements for security gateways based on threat analysis; using techniques for design and implementation to address the threats and control aspects associated with typical network scenarios; and addressing issues associated with implementing, operating, monitoring and reviewing network security gateway controls.

Technologies de l'information — Techniques de sécurité - Sécurité de réseau — Partie 4: Sécurisation des communications entre réseaux en utilisant des portails de sécurité

General Information

Status
Published
Publication Date
20-Feb-2014
Current Stage
9093 - International Standard confirmed
Completion Date
27-Nov-2019
Standard
ISO/IEC 27033-4:2014 - Information technology -- Security techniques -- Network security
English language
22 pages

Standards Content (Sample)

INTERNATIONAL STANDARD ISO/IEC 27033-4
First edition
2014-03-01
Information technology — Security techniques — Network security —
Part 4: Securing communications between networks using security gateways
Technologies de l’information — Techniques de sécurité - Sécurité de réseau —
Partie 4: Sécurisation des communications entre réseaux en utilisant des portails de sécurité
Reference number
ISO/IEC 27033-4:2014(E)
© ISO/IEC 2014

ISO/IEC 27033-4:2014(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2014 – All rights reserved


Contents Page
Foreword ... iv
Introduction ... v
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Abbreviated terms ... 2
5 Structure ... 4
6 Overview ... 4
7 Security threats ... 5
8 Security requirements ... 6
9 Security controls ... 8
9.1 Overview ... 8
9.2 Stateless packet filtering ... 8
9.3 Stateful packet inspection ... 9
9.4 Application firewall ... 9
9.5 Content filtering ... 10
9.6 Intrusion prevention system and intrusion detection system ... 10
9.7 Security management API ... 11
10 Design techniques ... 11
10.1 Security gateway components ... 11
10.2 Deploying security gateway controls ... 12
11 Guidelines for product selection ... 16
11.1 Overview ... 16
11.2 Selection of a security gateway architecture and appropriate components ... 17
11.3 Hardware and software platform ... 17
11.4 Configuration ... 17
11.5 Security features and settings ... 18
11.6 Administration capability ... 19
11.7 Logging capability ... 19
11.8 Audit capability ... 20
11.9 Training and education ... 20
11.10 Implementation types ... 20
11.11 High availability and operation mode ... 20
11.12 Other considerations ... 20
Bibliography ... 22

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the national bodies
casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27033-4 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This first edition of ISO/IEC 27033-4 cancels and replaces ISO/IEC 18028-3:2005, which has been
technically revised.
ISO/IEC 27033 consists of the following parts, under the general title Information technology — Security
techniques — Network security:
— Part 1: Overview and concepts
— Part 2: Guidelines for the design and implementation of network security
— Part 3: Reference networking scenarios – Threats, design techniques and control issues
— Part 4: Securing communications between networks using security gateways
— Part 5: Securing communications across networks using Virtual Private Networks (VPNs)
— Part 6: Securing wireless IP network access
(Note that there may be other Parts. Examples of possible topics to be covered by Parts include local area
networks, wide area networks, broadband networks, web hosting, Internet email, and routed access to
third party organizations. The main clauses of all such Parts should be Risks, Design Techniques and
Control Issues.)

Introduction
The majority of both commercial and government organizations have their information systems
connected by networks, with the network connections being one or more of the following:
— within the organization.
— between different organizations.
— between the organization and the general public.
Further, with the rapid developments in publicly available network technology (in particular with
the Internet) offering significant business opportunities, organizations are increasingly conducting
electronic business on a global scale and providing online public services. The opportunities include
the provision of lower cost data communications, using the Internet simply as a global connection
medium, through to more sophisticated services provided by Internet Service Providers (ISPs). This
can mean the use of relatively low cost local attachment points at each end of a circuit to full scale online
electronic trading and service delivery systems, using web-based applications and services. Further,
the new technology (including the integration of data, voice and video) increases the opportunities for
remote working (also known as teleworking or telecommuting). Telecommuters are able to keep in
contact through the use of remote facilities to access organization and community networks and related
business support information and services.
However, while this environment does facilitate significant business benefits, there are new security
threats to be managed. With organizations relying heavily on the use of information and associated
networks to conduct their business, the loss of confidentiality, integrity, and availability of information
and services could have significant adverse impacts on business operations. Thus, there is a major need
to properly protect networks and their related information systems and information. In other words,
implementing and maintaining adequate network security is critical to the success of any organization’s
business operations.
In this context, the telecommunications and information technology industries are seeking cost-
effective comprehensive security solutions, aimed at protecting networks against malicious attacks
and inadvertent incorrect actions, thereby meeting the business requirements for confidentiality,
integrity, and availability of information and services. Securing a network is also essential to achieve
accurate billing for network usage. Security capabilities in products are crucial to overall network
security (including applications and services). However, as more products are combined to provide total
solutions, the interoperability, or the lack thereof, will define the success of the solution. Security must
not only be a thread of concern for each product or service, but must be developed in a manner that
promotes the interweaving of security capabilities in the overall security solution.
The purpose of ISO/IEC 27033-4, Securing communications between networks using security gateways,
is to provide guidance on how to identify and analyse network security threats associated with security
gateways, define the network security requirements for security gateways based on threat analysis,
introduce design techniques to achieve a network technical security architecture to address the threats
and control aspects associated with typical network scenarios, and address the issues associated with
implementing, operating, monitoring and reviewing network security controls with security gateways.
It is emphasized that the ISO/IEC 27033-4 is relevant to all personnel who are involved in the detailed
planning, design and implementation of security gateways (for example network architects and
designers, network managers, and network security officers).
INTERNATIONAL STANDARD ISO/IEC 27033-4:2014(E)
Information technology — Security techniques — Network
security —
Part 4:
Securing communications between networks using
security gateways
1 Scope
This part of ISO/IEC 27033 gives guidance for securing communications between networks using
security gateways (firewall, application firewall, Intrusion Protection System, etc.) in accordance with
a documented information security policy of the security gateways, including:
a) identifying and analysing network security threats associated with security gateways;
b) defining network security requirements for security gateways based on threat analysis;
c) using techniques for design and implementation to address the threats and control aspects
associated with typical network scenarios; and
d) addressing issues associated with implementing, operating, monitoring and reviewing network
security gateway controls.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 27033-1, Information technology — Security techniques — Network security — Part 1: Overview
and concepts
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27033-1 and the following
apply.
3.1
bastion host
specific host with hardened operating system that is used to intercept packets entering or leaving a
network and the system that any outsider must normally connect with to access a service or a system
that lies within an organization’s firewall
3.2
end-point software-based firewall
software application running on a single machine, protecting network traffic into and out of that machine
to permit or deny communications based on an end user-defined security policy

3.3
hardened operating system
operating system which has been configured or designed specifically to minimize the potential for
compromise or attack
Note 1 to entry: This may be a general OS, such as Linux, which has been configured for this environment or may
be a more custom built solution.
3.4
Internet gateway
entry point to access the internet
3.5
packet
entity comprising a well-defined block of bytes consisting of ‘header’, ‘data’ and optional ‘trailer’ which
can be transmitted across networks or over telephone lines
Note 1 to entry: The format of a packet depends on the protocol that created it. Various communications standards
and protocols use special purpose packets to monitor and control a communications session. For example the
X.25 standard uses diagnostic, call clear and reset packets (among others), as well as data packets (or) a unit of
data that is transmitted over the network.
3.6
perimeter network
physical or logical subnetwork that contains and exposes an organization’s external services to a public
network
3.7
remote office
branch office
office externally connected to the organization’s main office through remote networks to provide users
with services (e.g. file, print and the other service) required to maintain their daily business routine
3.8
single point of failure
type of failure in which, if one part of a system fails, the entire system stops working
3.9
SIP gateway
perimeter device that sits between the internal VoIP network and an external network such as the public
telephone network
Note 1 to entry: Often a router is used to perform this role. Where VoIP is in use towards external IP networks, it is
important to ensure that the gateway contains sufficient security measures, especially dynamic rule base changes,
to allow call setup to take place securely.
4 Abbreviated terms
ACL Access Control List
API Application Programming Interface
ASIC Application Specific Integrated Circuit
BGP Border Gateway Protocol
CPU Central Processing Unit
DDoS Distributed Denial-of-Service

DLL Dynamic Link Library
DMZ Demilitarized Zone
DNS Domain Name Server
DoS Denial-of-Service
FTP File Transfer Protocol
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol over Secure Socket Layer
ICMP Internet Control Message Protocol
IDS Intrusion Detection System
IP Internet Protocol
IPS Intrusion Prevention System
ISP Internet Service Provider
MIME Multipurpose Internet Mail Extensions
NAT Network Address Translation
NFS Network File System
NIS Network Information System
NNTP Network News Transport Protocol
NTP Network Time Protocol
OS Operating System
OSI Open System Interconnection
OSPF Open Shortest Path First
RIP Routing Information Protocol
RPC Remote Procedure Call
SIP Session Initiation Protocol
SMS Short Message Service
S/MIME Secure/Multipurpose Internet Mail Extensions
SMTP Simple Mail Transfer Protocol
SOAP Simple Object Access Protocol
SPA Switched Port Analyzer
SPOF Single Point Of Failure
SQL Structured Query Language

SSL Secure Sockets Layer protocol
SYN Synchronous
TCP Transmission Control Protocol
TLS Transport Layer Security
UDP User Datagram Protocol
VLAN Virtual Local Area Network
VM Virtual Machine
VoIP Voice over Internet Protocol
VPN Virtual Private Network
WAIS Wide-area Information Servers or Service
WLAN Wireless Local Area Network
XML Extensible Markup Language
5 Structure
The structure of ISO/IEC 27033-4 comprises:
— an overview of security gateway (see Clause 6);
— security threats associated with security gateway (see Clause 7);
— security requirements based on an analysis for security gateways (see Clause 8);
— security controls associated with typical network scenarios and network technology areas using
security gateway (see Clause 9);
— various design techniques for security gateways (see Clause 10); and
— guidelines for product selection (see Clause 11).
6 Overview
A security gateway is placed at the boundary between two or more network segments, for example,
between the organization’s internal network and a public network, to filter the traffic flowing across the
boundary in accordance with the documented security gateway service access policy for that boundary.
Another use of security gateways is to separate segments of the network when using services that may
have multiple tenants, for example when using cloud services a security gateway would protect an
organization’s information by applying the organization’s security policy.
An example network environment is shown in Figure 1 below which is only for illustrative purposes
in this overview. The DMZ, referred to as a perimeter network, is a physical or logical subnetwork that
contains and exposes an organization’s external services to a public network, usually the Internet. The
purpose of a DMZ is to add an additional layer of security to an organization’s internal network; an
external attacker only has access to services in the DMZ, rather than any other part of the internal
network. All external connections to services should terminate inside the DMZ and DMZ systems should
have little or no access to internal systems. Designing a network in this way does not eliminate the risk
of an internal network compromise, it merely makes it more difficult. Any intruder which can subvert
a service inside a perimeter network may then have the opportunity to identify another vulnerability
which could allow access to the internal network. For this reason, amongst others, the internal network
should still be made as secure as possible.
Figure 1 — Example Network Environment
Most organizations may have multiple “zones” or DMZ areas for web, application and database layers,
and for meeting some compliance/regulatory requirements.
Hybrid solutions now exist which incorporate multiple areas of functionality: many packet filtering
firewalls now include proxies for certain services and additional context-based controls such as role, time
of day, etc.
The Intranet owned by the organization is managed and maintained by those authorized by the
organization. An organization of any significant size should have separate network segments, between
which internal security gateways control the traffic flow. Separate infrastructure may be used for
special purposes within the Intranet. For instance, if a WLAN is used as part of the Intranet, it should
be isolated and require further authentication, as it introduces additional risks. The internal security
gateway can be used to protect the organization’s assets against attacks originating from such a segment.
The organization communicates and exchanges data with trusted third parties by extending the
Intranet towards the partner’s network through the so-called Extranet. The extranet security gateway
can be used to address the threats induced by this extension. When using services such as cloud
computing, the security gateway is used to restrict access and apply an organization’s security policy
to logical networks. The business of the organization necessitates communications and data exchange
with business partners, customers and the general public through the public network, of which the
Internet is the most common example. Since the trust level of the public network is relatively low,
security gateways, so-called Internet gateways, are needed to address the risks induced by the public
network.
7 Security threats
For the foreseeable future, organizations can expect increasingly sophisticated attacks to be mounted
against their systems. Attempts at unauthorized access can be malicious, for example, leading to a Denial-
of-Service (DoS) attack, the misuse of resources, or the unauthorized access to valuable information.
Organizations should protect their internal network or assets from various threats, such as intentional
misuse of the assets, misconfiguration of the systems, unauthorized traffic transversal from different
trusted domains within the organization, or other threats from Internet application services.
The security gateway needs to protect the organization from intrusions from unauthorized users
accessing the network from the internal network, the Internet, or third party networks. Unmonitored
content leaving the organization may introduce legal issues and a potential loss of intellectual
property. In addition, as more organizations are connecting to the Internet to meet their organizational
requirements, they are faced with the need to control access to inappropriate or objectionable websites
or web applications and services. Without control, organizations face the threat of productivity losses,
liability exposure and misallocation of bandwidth due to non-productive web surfing. Thus, the key
security threats to be addressed include those associated with:
— Denial-of-Service to authorized users;
— unauthorized modification of data;
— unauthorized disclosure of data;
— unauthorized system re-configuration;
— unauthorized use of resources and assets of organization;
— unauthorized transversal of content e.g. virus and malware;
— violation of virtualization; and
— Denial-of-Service and Distributed Denial-of-Service attack against security gateway.
8 Security requirements
Security gateways control access to a network (OSI model layers 2, 3 and 4) or to an application (OSI
model layers 5 to 7), as depicted in Figure 2.
Figure 2 — OSI seven layers (data unit in each layer: Data)
Layer 7: Application Layer; Layer 6: Presentation Layer; Layer 5: Session Layer; Layer 4: Transport Layer;
Layer 3: Network Layer; Layer 2: Data Link Layer; Layer 1: Physical Layer
Security gateways are used to fulfil the following security requirements:
— provide logical network segmentation;
— restrict and analyse the traffic which passes between the logical networks;
— control access to and from the organization’s network, by inspection of connections or by proxy
operations on selected applications;
— enforce an organization’s network security policy;
— log traffic for subsequent audit;
— hide internal network, host and application architecture; or
— provide the capability for facilitating network management functions, e.g. DoS or DDoS mitigation.
Table 1 illustrates the relationship between the threats in Clause 7 and the security requirements in this
clause.
Table 1 — Relationship between the threats and the requirements
Requirement columns (left to right):
1. Provide logical network segmentation
2. Restrict and analyse the traffic which passes between the logical networks
3. Control access to and from the organization’s network, by inspection of connections or by proxy operations on selected applications
4. Enforce an organization’s network security policy
5. Log traffic for subsequent audit
6. Hide internal network, host and application architecture
7. Provide the capability for facilitating network management functions
Threat rows, with the marks as they appear in the extracted table (the column position of each X was lost in extraction):
Denial of Service to authorized users: X X X X
Unauthorized modification of data: X X X X X X
Unauthorized disclosure of data: X X X X X X
Unauthorized system re-configuration: X X X X X
Unauthorized use of resources and assets of organization: X X X X X X X
Unauthorized transversal of content e.g. virus and malware: X X X X X X X
Violation of virtualization: X X X X X X
Denial-of-Service and Distributed DoS attack against security gateway: X X X X
9 Security controls
9.1 Overview
For each security gateway, a separate service access (security) policy document should be developed and
the content implemented to ensure that only the authorized traffic is allowed to pass. This document
should contain the details of the ruleset that the gateway is required to administer and the configuration
of the gateway. It needs to be ensured that the policy hierarchy is put into force: an organization of any
significant size is likely to have generic policy across the whole organization, possibly augmented by
a generic policy towards a whole class of security devices, possibly further augmented by a specific
policy for a particular device. Thus, in order to ensure that only valid users and traffic gain access from
communications connections, the policy should define and record in detail the constraints and rules
applied to traffic passing into and out of
...
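The two design points above, the DMZ rules of Clause 6 (external connections terminate inside the DMZ, DMZ systems get little or no access to internal systems) and the policy hierarchy of 9.1 (an organization-wide policy, augmented by a policy for a class of gateways, augmented by a policy for one device), combined into one runnable ruleset. This is an added example, not text or code from ISO/IEC 27033-4. The zone names, the address plan (10.0.0.0/8 as the Intranet, the RFC 5737 documentation range 192.0.2.0/24 as the DMZ), the gateway name gw-01, the port choices and the sample flows are all constructed; first-match ordering with organization rules ahead of device rules, plus a default deny, is this example's design choice and not something the standard prescribes.

```python
"""Zone-based first-match policy evaluator for a security gateway.

Added example; not from ISO/IEC 27033-4. Zone names, address ranges, the
rule set and the gateway name "gw-01" are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address plan: 10.0.0.0/8 stands in for the Intranet and
# 192.0.2.0/24 (RFC 5737 documentation range) for the perimeter network (DMZ).
# Anything outside these ranges is treated as the public network.
ZONES = {
    "internal": [ip_network("10.0.0.0/8")],
    "dmz": [ip_network("192.0.2.0/24")],
}


def zone_of(addr: str) -> str:
    """Map an IP address to the logical network segment it belongs to."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "external"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    dst_port: Optional[int]   # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    src_zone: str             # zone name or "any"
    dst_zone: str             # zone name or "any"
    proto: str                # protocol name or "any"
    dst_port: Optional[int]   # None matches every port
    action: str               # "allow" or "deny"
    origin: str               # policy layer the rule came from (9.1 hierarchy)

    def matches(self, flow: Flow) -> bool:
        return (self.src_zone in ("any", zone_of(flow.src))
                and self.dst_zone in ("any", zone_of(flow.dst))
                and self.proto in ("any", flow.proto)
                and (self.dst_port is None or self.dst_port == flow.dst_port))


# Policy hierarchy from 9.1 (constructed rules): organization-wide rules, then
# rules for the whole class of Internet gateways, then rules for one device.
ORG_POLICY = [
    # Organization-wide: unencrypted telnet is never allowed across any gateway.
    Rule("any", "any", "tcp", 23, "deny", "org"),
]
GATEWAY_CLASS_POLICY = [
    # Clause 6: DMZ systems have little or no access to internal systems, and
    # external connections terminate inside the DMZ, never on the Intranet.
    Rule("dmz", "internal", "any", None, "deny", "internet-gateway-class"),
    Rule("external", "internal", "any", None, "deny", "internet-gateway-class"),
]
DEVICE_POLICY = [
    Rule("external", "dmz", "tcp", 443, "allow", "gw-01"),       # public web service
    Rule("internal", "dmz", "tcp", 22, "allow", "gw-01"),        # administering DMZ hosts
    Rule("internal", "external", "tcp", 443, "allow", "gw-01"),  # outbound HTTPS
]


def build_ruleset() -> List[Rule]:
    """Generic rules come first, so a device-specific rule cannot override them."""
    return ORG_POLICY + GATEWAY_CLASS_POLICY + DEVICE_POLICY


def evaluate(flow: Flow, ruleset: List[Rule]) -> Tuple[str, str]:
    """First matching rule decides; any flow no rule matches is denied."""
    for rule in ruleset:
        if rule.matches(flow):
            port = "any" if rule.dst_port is None else rule.dst_port
            return rule.action, f"{rule.origin}:{rule.src_zone}->{rule.dst_zone}/{rule.proto}/{port}"
    return "deny", "default-deny"


def audit_line(flow: Flow, ruleset: List[Rule]) -> str:
    """One record per decision, so traffic can be audited afterwards (Clause 8)."""
    action, reason = evaluate(flow, ruleset)
    port = "-" if flow.dst_port is None else flow.dst_port
    return (f"{action.upper()} {zone_of(flow.src)}>{zone_of(flow.dst)} "
            f"{flow.src}->{flow.dst} {flow.proto}/{port} rule={reason}")


if __name__ == "__main__":
    rs = build_ruleset()
    # Constructed sample flows: a public client reaching the DMZ web service,
    # the same client trying the Intranet directly, and a DMZ host reaching inward.
    for f in [Flow("203.0.113.5", "192.0.2.10", "tcp", 443),
              Flow("203.0.113.5", "10.1.2.3", "tcp", 443),
              Flow("192.0.2.10", "10.1.2.3", "tcp", 3306)]:
        print(audit_line(f, rs))
```

Each audit record names the rule and the policy layer that produced the decision, which is what makes the "log traffic for subsequent audit" requirement of Clause 8 useful in practice: a reviewer can tell whether a denial came from the organization-wide policy, the gateway-class policy or the device's own ruleset, and a flow that falls through to the default deny shows up as a gap in the documented service access policy rather than as a silent drop.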

DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 27033-4
ISO/IEC JTC 1 Secretariat: ANSI

Voting begins on: 2013-01-16
Voting terminates on: 2013-04-16
INTERNATIONAL ORGANIZATION FOR STANDARDIZATION • МЕЖДУНАРОДНАЯ ОРГАНИЗАЦИЯ ПО СТАНДАРТИЗАЦИИ • ORGANISATION INTERNATIONALE DE NORMALISATION
INTERNATIONAL ELECTROTECHNICAL COMMISSION • МЕЖДУНАРОДНАЯ ЭЛЕКТРОТЕХНИЧЕСКАЯ КОММИСИЯ • COMMISSION ÉLECTROTECHNIQUE INTERNATIONALE


Information technology — Security techniques — Network
security —
Part 4:
Securing communications between networks using security
gateways
Technologies de l'information — Techniques de sécurité — Sécurité de réseau —
Partie 4: Sécurisation des communications entre réseaux en utilisant des portails de sécurité
[Revision of first edition (ISO/IEC 18028-3:2005)]
ICS 35.040



To expedite distribution, this document is circulated as received from the committee
secretariat. ISO Central Secretariat work of editing and text composition will be undertaken at
publication stage.


THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE
REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME
STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH
THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
© International Organization for Standardization, 2013
© International Electrotechnical Commission, 2013

ISO/IEC DIS 27033-4

Copyright notice
This ISO document is a Draft International Standard and is copyright-protected by ISO. Except as permitted
under the applicable laws of the user's country, neither this ISO draft nor any extract from it may be
reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic,
photocopying, recording or otherwise, without prior written permission being secured.
Requests for permission to reproduce should be addressed to either ISO at the address below or ISO's
member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Reproduction may be subject to royalty payments or a licensing agreement.
Violators may be prosecuted.
ii © ISO/IEC 2013 — All rights reserved

Contents Page
Foreword ... iv
Introduction ... v
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Abbreviated terms ... 2
5 Structure ... 3
6 Overview ... 4
7 Security threats ... 5
8 Security requirements ... 5
9 Security controls ... 7
9.1 Overview ... 7
9.2 Packet filtering ... 8
9.3 Stateful packet inspection ... 9
9.4 Application firewall ... 9
9.5 Content filtering ... 10
9.6 Intrusion protection system and intrusion detection system ... 10
9.7 Security management API ... 10
10 Design techniques ... 11
10.1 Security gateway components ... 11
10.1.1 Switches ... 11
10.1.2 Routers ... 11
10.1.3 Application level gateway ... 11
10.1.4 Security appliances ... 12
10.1.5 Monitoring function ... 12
10.2 Deploying security gateway controls ... 12
10.2.1 Packet filter firewall architecture ... 12
10.2.2 Dual-homed gateway architecture ... 13
10.2.3 Screened host architecture ... 14
10.2.4 Screen subnet architecture ... 15
11 Guidelines for product selection ... 15
11.1 Overview ... 15
11.2 Selection of a security gateway architecture and appropriate components ... 16
11.3 Hardware and software platform ... 16
11.4 Configuration ... 16
11.5 Security features and settings ... 17
11.6 Administration capability ... 19
11.7 Logging capability ... 19
11.8 Audit capability ... 19
11.9 Training and education ... 19
11.10 Implementation types ... 20
11.11 High availability and operation mode ... 20
11.12 Other considerations ... 20
Bibliography ... 21

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27033-4 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Security techniques.
This first edition cancels and replaces ISO/IEC 18028-3:2005, which has been technically revised.
ISO/IEC 27033 consists of the following parts, under the general title Information technology — Security
techniques — Network security:
⎯ Part 1: Overview and concepts
⎯ Part 2: Guidelines for the design and implementation of network security
⎯ Part 3: Reference network scenarios – Threats, design techniques and control issues
⎯ Part 4: Securing Communications between networks using security gateways
⎯ Part 5: Securing communications across networks using virtual private networks (VPNs)
⎯ Part 6: Securing IP network access using wireless
(Note that there may be other Parts. Examples of possible topics to be covered by Parts include local area
networks, wide area networks, broadband networks, web hosting, Internet email, and routed access to third
party organizations. The main clauses of all such Parts should be Risks, Design Techniques and Control
Issues.)
iv © ISO/IEC 2012 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC DIS 27033-4

Introduction
The majority of both commercial and government organizations have their information systems connected by
networks, with the network connections being one or more of the following:
⎯ within the organization.
⎯ between different organizations.
⎯ between the organization and the general public.
Further, with the rapid developments in publicly available network technology (in particular with the Internet)
offering significant business opportunities, organizations are increasingly conducting electronic business on a
global scale and providing online public services. The opportunities include the provision of lower cost data
communications, using the Internet simply as a global connection medium, through to more sophisticated
services provided by Internet Service Providers (ISPs). This can range from the use of relatively low cost local attachment points at each end of a circuit to full scale online electronic trading and service delivery systems using web-based applications and services. Further, the new technology (including the integration of data, voice and video) increases the opportunities for remote working (also known as teleworking or telecommuting).
Telecommuters are able to keep in contact through the use of remote facilities to access organization and
community networks and related business support information and services.
However, whilst this environment does facilitate significant business benefits, there are new security threats to
be managed. With organizations relying heavily on the use of information and associated networks to conduct
their business, the loss of confidentiality, integrity, and availability of information and services could have
significant adverse impacts on business operations. Thus, there is a major need to properly protect networks
and their related information systems and information. In other words, implementing and maintaining adequate
network security is critical to the success of any organization’s business operations.
In this context, the telecommunications and information technology industries are seeking cost-effective
comprehensive security solutions, aimed at protecting networks against malicious attacks and inadvertent
incorrect actions, thereby meeting the business requirements for confidentiality, integrity, and availability of
information and services. Securing a network is also essential to achieve accurate billing for network usage.
Security capabilities in products are crucial to overall network security (including applications and services).
However, as more products are combined to provide total solutions, the interoperability, or the lack thereof,
will define the success of the solution. Security must not only be a thread of concern for each product or
service, but must be developed in a manner that promotes the interweaving of security capabilities in the
overall security solution.
The purpose of ISO/IEC 27033-4, Securing communications between networks using security gateways, is to
provide guidance on how to identify and analyze network security threats associated with security gateways,
define the network security requirements for security gateways based on threat analysis, introduce design
techniques to achieve a network technical security architecture to address the threats and control aspects
associated with typical network scenarios, and address the issues associated with implementing, operating,
monitoring and reviewing network security controls with security gateways.
It is emphasized that ISO/IEC 27033-4 is relevant to all personnel who are involved in the detailed planning, design and implementation of security gateways (for example, network architects and designers, network managers, and network security officers).
DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 27033-4

Information technology — Security techniques — Network security — Part 4: Securing communications between networks using security gateways
1 Scope
This part of ISO/IEC 27033 gives guidance for securing communications between networks using security gateways (firewall, application firewall, Intrusion Protection System, etc.) in accordance with a documented information security policy of the security gateways, including:
a) identifying and analyzing network security threats associated with security gateways;
b) defining network security requirements for security gateways based on threat analysis;
c) using techniques for design and implementation to address the threats and control aspects associated with typical network scenarios; and
d) addressing issues associated with implementing, operating, monitoring and reviewing network security gateway controls.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27033-1, Information technology – Security techniques – Network security – Part 1: Overview and concepts
ISO/IEC 27033-3, Information technology – Security techniques – Network security – Part 3: Reference network scenarios – Risks, design techniques and control issues
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27033-1 and the following apply.
3.2.1
Bastion host
Specific host that is used to intercept packets entering or leaving a network and the system that any outsider must normally connect with to access a service or a system that lies within an organization’s firewall.
3.2.2
End-point software-based firewall
A software application running on a single machine, protecting network traffic into and out of that machine to permit or deny communications based on an end user-defined security policy.
3.2.3
Hardened Operating System
An operating system which has been configured or designed specifically to minimize the potential for compromise or attack. This may be a general OS, such as Linux, which has been configured for this environment, or may be a more custom-built solution.
3.2.4
Internet gateway
An entry point to access the Internet.
3.2.5
Packet
Entity comprising a well-defined block of bytes consisting of ‘header’, ‘data’ and optional ‘trailer’ which can be transmitted across networks or over telephone lines.
NOTE The format of a packet depends on the protocol that created it. Various communications standards and protocols use special purpose packets to monitor and control a communications session. For example, the X.25 standard uses diagnostic, call clear and reset packets (among others), as well as data packets. (Or: a unit of data that is transmitted over the network.)
3.2.6
Perimeter network
A physical or logical subnetwork that contains and exposes an organization's external services to a public network.
3.2.7
Remote office and branch office
Offices externally connected to the organization’s main office through remote networks to provide users with services (e.g., file, print and other services) required to maintain their daily business routine.
3.2.8
Single point of failure
A type of failure in which, if a part of a system fails, the entire system does not work.
3.2.9
SIP gateway
A perimeter device that sits between the internal VoIP network and an external network such as the public telephone network.
NOTE Often a router is used to perform the role. Where VoIP is in use to external IP networks it is important to ensure that the gateway contains sufficient security measures, especially dynamic rule base changes to allow call setup to take place securely.
4 Abbreviated terms
API  Application Programming Interface
BGP  Border Gateway Protocol
DDoS  Distributed Denial-Of-Service
DLL  Dynamic Link Library
DMZ  Demilitarized Zone
DNS  Domain Name Server
ICMP  Internet Control Message Protocol
LAN  Local Area Network
NFS  Network File System
NIS  Network Information System
OSI  Open System Interconnection
OSPF  Open Shortest Path First
RIP  Routing Information Protocol
RPC  Remote Procedure Call
SIP  Session Initiation Protocol
SMS  Short Message Service
S/MIME  Secure/Multipurpose Internet Mail Extensions
SMTP  Simple Mail Transfer Protocol
SPA  Switched Port Analyzer
TLS  Transport Layer Security
VoIP  Voice over Internet Protocol
VPN  Virtual Private Network
WAIS  Wide-area Information Servers or Service
WAN  Wide Area Network
WLAN  Wireless Local Area Network
5 Structure
The structure of ISO/IEC 27033-4 comprises:
⎯ an overview of security gateways (see clause 6);
⎯ security threats associated with security gateways (see clause 7);
⎯ security requirements for security gateways based on an analysis of those threats (see clause 8);
⎯ security controls associated with typical network scenarios and network technology areas using security gateways (see clause 9);
⎯ various design techniques for security gateways (see clause 10); and
⎯ guidelines for product selection (see clause 11).
6 Overview
A security gateway is placed at the boundary between two network segments, for example, between the organization’s internal network and a public network, to filter the traffic flowing across the boundary in accordance with the documented security gateway service access policy for that boundary. Another use of security gateways is to separate segments of the network when using services that may have multiple tenants; for example, when using Cloud services, a security gateway would protect an organization's information by applying the organization's security policy.
An example network environment is shown in Figure 1 below, which is only for illustrative purposes in this overview. The DMZ, referred to as a Perimeter Network, is a physical or logical subnetwork that contains and exposes an organization's external services to a public network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's internal network: an external attacker only has access to services in the DMZ, rather than to any other part of the internal network. All external connections to services should terminate inside the DMZ, and DMZ systems should have little or no access to internal systems. Designing a network in this way does not eliminate the risk of an internal network compromise; it merely makes it more difficult. Any intruder who can subvert a service inside a perimeter network may then have the opportunity to identify another vulnerability which could allow access to the internal network. For this reason, amongst others, the internal network should still be made as secure as possible.
Figure 1 — Example Network Environment
Most organizations may have multiple “zones” or DMZ areas for Web, application and Database layers and for meeting some compliance/regulatory requirements.
“Hybrid” solutions now exist which incorporate multiple areas of functionality. Many packet filtering firewalls now have proxies for certain services and include more controls for context such as role, time of day, etc.
The Intranet owned by the organization is managed and maintained by those authorized by the organization. An organization of any significant size should have separate network segments between which internal security gateways will control the traffic flow. Separate infrastructure may be used for special purposes within the Intranet. For instance, if a WLAN is used as part of the intranet, it should be isolated and require further authentication, as it introduces additional risks. The internal security gateway can be used to protect the organization’s assets against attacks originating from such a segment.
The organization communicates and exchanges data with trusted third parties in a way that extends the Intranet towards the partner’s network through the so-called Extranet. The extranet security gateway can be used to address the threats induced by this extension. When using services such as cloud computing, the security gateway is used to restrict access and apply an organization's security policy to logical networks. The business of the organization necessitates communications and data exchange with business partners, customers, and the general public through the public network, of which the Internet is the most common example. Since the trust level of the public network is relatively low, security gateways, so-called Internet gateways, are needed to address risks induced by the public network.
7 Security threats
For the foreseeable future, organizations can expect increasingly sophisticated attacks to be mounted against their systems. Attempts at unauthorized access can be malicious, for example, leading to a Denial-of-Service (DoS) attack, the misuse of resources, or the unauthorized access to valuable information. Organizations should protect their internal network or assets from various threats, such as intentional misuse of the assets, misconfiguration of the systems, unauthorized traffic traversal between different trusted domains within the organization, or other threats from Internet application services.
The gateway needs to protect the organization from intrusions by unauthorized users accessing the network from the internal network, the Internet, or third party networks. Unmonitored content leaving the organization may introduce legal issues and a potential loss of intellectual property. In addition, as more organizations are connecting to the Internet to meet their organizational requirements, they are faced with the need to control access to inappropriate or objectionable Web sites or web applications and services. Without control, organizations face the threat of productivity losses, liability exposure and misallocation of bandwidth due to non-productive Web surfing. Thus, the key security threats to be addressed include those associated with:
⎯ denial of service to authorised users;
⎯ unauthorised modification of data;
⎯ unauthorised disclosure of data;
⎯ unauthorised system re-configuration;
⎯ unauthorised use of resources and assets of the organization;
⎯ unauthorised traversal of content, e.g. virus and malware;
⎯ violation of virtualization; and
⎯ Denial-of-Service and Distributed Denial-of-Service attacks against the security gateway.
8 Security requirements
Security gateways control access to a network (OSI model layers 2, 3, and 4), or to an application (OSI model layers 5 to 7), as depicted in Figure 2.
Figure 2 — OSI seven layers
Security gateways are used to fulfill the following security requirements:
⎯ provide logical network segmentation;
⎯ restrict and analyse the traffic which passes between the logical networks;
⎯ control access to and from the organization’s network, by inspection of connections or by proxy operations on selected applications;
⎯ enforce an organization’s network security policy;
⎯ log traffic for subsequent audit;
⎯ hide internal network, host and application architecture; or
⎯ provide the capability for facilitating network management functions, e.g. DoS or DDoS mitigation.
Table 1 illustrates the relationship between the threats in clause 7 and the security requirements in this clause.
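As an added illustration (not text or code from ISO/IEC 27033-4), the following Python models the DMZ service access policy described in clause 6 together with the clause 8 requirements it satisfies: zone-based segmentation, first-match rules with a default deny between zones, and an audit log of every decision. The zone addressing, port numbers and sample flows are constructed values chosen for the example.

```python
"""Zone-based security gateway policy (added illustration, not from ISO/IEC 27033-4).
Zones, addresses, ports and flows below are constructed sample values (IPv4 only)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List

# Constructed addressing for the three zones of Figure 1.
# 0.0.0.0/0 is the least specific match, so anything not in a named zone is "internet".
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz": ip_network("192.0.2.0/24"),      # perimeter network
    "internal": ip_network("10.0.0.0/8"),   # intranet
}

def zone_of(addr: str) -> str:
    """Longest-prefix match of an address to its zone."""
    ip = ip_address(addr)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if ip in net]
    return max(matches)[1]

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_ports: frozenset   # empty means any destination port
    action: str            # "allow" or "deny"
    comment: str           # policy rationale, carried into the audit log

@dataclass
class Gateway:
    rules: List[Rule]
    audit_log: List[str] = field(default_factory=list)

    def decide(self, src: str, dst: str, dport: int) -> str:
        """First matching rule wins; no match falls through to default deny."""
        sz, dz = zone_of(src), zone_of(dst)
        verdict, why = "deny", "default deny"
        for r in self.rules:
            if r.src_zone == sz and r.dst_zone == dz and (not r.dst_ports or dport in r.dst_ports):
                verdict, why = r.action, r.comment
                break
        # Every decision is logged for subsequent audit (a clause 8 requirement).
        self.audit_log.append(f"{verdict.upper()} {sz}->{dz} {src}->{dst}:{dport} ({why})")
        return verdict

# Service access policy for the DMZ boundary of Figure 1 (constructed example).
DMZ_POLICY = [
    Rule("internet", "dmz", frozenset({80, 443}), "allow", "public web services terminate in the DMZ"),
    Rule("internal", "dmz", frozenset(), "allow", "internal users may reach DMZ services"),
    Rule("dmz", "internal", frozenset({1433}), "allow", "web tier to database tier, one port only"),
    Rule("dmz", "internal", frozenset(), "deny", "DMZ hosts otherwise get no access to internal systems"),
    Rule("internet", "internal", frozenset(), "deny", "internal network is never reachable from outside"),
]

if __name__ == "__main__":
    gw = Gateway(DMZ_POLICY)
    for flow in [("198.51.100.7", "192.0.2.10", 443), ("198.51.100.7", "10.1.2.3", 443),
                 ("192.0.2.10", "10.1.2.3", 445)]:
        gw.decide(*flow)
    print("\n".join(gw.audit_log))
```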
Table 1 — Relationship between the threats and the requirements
Requirements (table columns, left to right):
1. Provide logical network segmentation
2. Restrict and analyse the traffic which passes between the logical networks
3. Control access to and from the organization's network, by inspection of connections or by proxy operations on selected applications
4. Enforce an organization's network security policy
5. Log traffic for subsequent audit
6. Hide internal network, host and application architecture
7. Provide the capability for facilitating network management functions
Threats (table rows); an X marks each requirement that addresses the threat. The marks are reproduced as extracted; their alignment to the columns above was lost, and the table is cut off on the page.
Denial of service to authorised users: X  X  X X
Unauthorised modification of data: X X X X X X
Unauthorised disclosure of data: X X X X X X
Unauthorised system re-configuration:  X X X X X
Unauthorised X X X X X X
...
