Information technology — Security techniques — Network security — Part 4: Securing communications between networks using security gateways

ISO/IEC 27033-4:2014 gives guidance for securing communications between networks using security gateways (firewall, application firewall, Intrusion Protection System, etc.) in accordance with a documented information security policy of the security gateways, including: identifying and analysing network security threats associated with security gateways; defining network security requirements for security gateways based on threat analysis; using techniques for design and implementation to address the threats and control aspects associated with typical network scenarios; and addressing issues associated with implementing, operating, monitoring and reviewing network security gateway controls.

Technologies de l'information — Techniques de sécurité - Sécurité de réseau — Partie 4: Sécurisation des communications entre réseaux en utilisant des portails de sécurité

General Information

Status: Published
Publication Date: 20-Feb-2014
Current Stage: 9093 - International Standard confirmed
Start Date: 02-Apr-2025
Completion Date: 30-Oct-2025

Relations

Standard
ISO/IEC 27033-4:2014 - Information technology -- Security techniques -- Network security
English language
22 pages

Standards Content (Sample)


DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 27033-4
ISO/IEC JTC 1 Secretariat: ANSI

Voting begins on: 2013-01-16
Voting terminates on: 2013-04-16
INTERNATIONAL ORGANIZATION FOR STANDARDIZATION • МЕЖДУНАРОДНАЯ ОРГАНИЗАЦИЯ ПО СТАНДАРТИЗАЦИИ • ORGANISATION INTERNATIONALE DE NORMALISATION
INTERNATIONAL ELECTROTECHNICAL COMMISSION • МЕЖДУНАРОДНАЯ ЭЛЕКТРОТЕХНИЧЕСКАЯ КОММИСИЯ • COMMISSION ÉLECTROTECHNIQUE INTERNATIONALE

Information technology — Security techniques — Network security — Part 4: Securing communications between networks using security gateways
Technologies de l'information — Techniques de sécurité — Sécurité de réseau —
Partie 4: Sécurisation des communications entre réseaux en utilisant des portails de sécurité
[Revision of first edition (ISO/IEC 18028-3:2005)]
ICS 35.040
To expedite distribution, this document is circulated as received from the committee
secretariat. ISO Central Secretariat work of editing and text composition will be undertaken at
publication stage.
Pour accélérer la distribution, le présent document est distribué tel qu'il est parvenu du
secrétariat du comité. Le travail de rédaction et de composition de texte sera effectué au
Secrétariat central de l'ISO au stade de publication.

THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE
REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME
STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH
THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
© International Organization for Standardization, 2013
© International Electrotechnical Commission, 2013

ISO/IEC DIS 27033-4
Copyright notice
This ISO document is a Draft International Standard and is copyright-protected by ISO. Except as permitted
under the applicable laws of the user's country, neither this ISO draft nor any extract from it may be
reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic,
photocopying, recording or otherwise, without prior written permission being secured.
Requests for permission to reproduce should be addressed to either ISO at the address below or ISO's
member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Reproduction may be subject to royalty payments or a licensing agreement.
Violators may be prosecuted.
ii © ISO/IEC 2013 — All rights reserved

Contents Page
Foreword . iv
Introduction . v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 2
5 Structure . 3
6 Overview . 4
7 Security threats . 5
8 Security requirements . 5
9 Security controls . 7
9.1 Overview . 7
9.2 Packet filtering . 8
9.3 Stateful packet inspection . 9
9.4 Application firewall . 9
9.5 Content filtering . 10
9.6 Intrusion protection system and intrusion detection system. 10
9.7 Security management API . 10
10 Design techniques . 11
10.1 Security gateway components . 11
10.1.1 Switches . 11
10.1.2 Routers . 11
10.1.3 Application level gateway . 11
10.1.4 Security appliances . 12
10.1.5 Monitoring function . 12
10.2 Deploying security gateway controls . 12
10.2.1 Packet filter firewall architecture . 12
10.2.2 Dual-homed gateway architecture . 13
10.2.3 Screened host architecture . 14
10.2.4 Screen subnet architecture . 15
11 Guidelines for product selection . 15
11.1 Overview . 15
11.2 Selection of a security gateway architecture and appropriate components . 16
11.3 Hardware and software platform . 16
11.4 Configuration . 16
11.5 Security features and settings . 17
11.6 Administration capability. 19
11.7 Logging capability . 19
11.8 Audit capability . 19
11.9 Training and education . 19
11.10 Implementation types . 20
11.11 High availability and operation mode . 20
11.12 Other considerations . 20
Bibliography . 21

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27033-4 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Security techniques.
This first edition cancels and replaces ISO/IEC 18028-3:2005, which has been technically revised.
ISO/IEC 27033 consists of the following parts, under the general title Information technology — Security
techniques — Network security:
⎯ Part 1: Overview and concepts
⎯ Part 2: Guidelines for the design and implementation of network security
⎯ Part 3: Reference network scenarios – Threats, design techniques and control issues
⎯ Part 4: Securing Communications between networks using security gateways
⎯ Part 5: Securing communications across networks using virtual private networks (VPNs)
⎯ Part 6: Securing IP network access using wireless
(Note that there may be other Parts. Examples of possible topics to be covered by Parts include local area
networks, wide area networks, broadband networks, web hosting, Internet email, and routed access to third
party organizations. The main clauses of all such Parts should be Risks, Design Techniques and Control
Issues.)
Introduction
The majority of both commercial and government organizations have their information systems connected by
networks, with the network connections being one or more of the following:
⎯ within the organization.
⎯ between different organizations.
⎯ between the organization and the general public.
Further, with the rapid developments in publicly available network technology (in particular with the Internet)
offering significant business opportunities, organizations are increasingly conducting electronic business on a
global scale and providing online public services. The opportunities include the provision of lower cost data
communications, using the Internet simply as a global connection medium, through to more sophisticated
services provided by Internet Service Providers (ISPs). This can mean the use of relatively low cost local
attachment points at each end of a circuit to full scale online electronic trading and service delivery systems,
using web-based applications and services. Further, the new technology (including the integration of data,
voice and video) increases the opportunities for remote working (also known as teleworking or telecommuting).
Telecommuters are able to keep in contact through the use of remote facilities to access organization and
community networks and related business support information and services.
However, whilst this environment does facilitate significant business benefits, there are new security threats to
be managed. With organizations relying heavily on the use of information and associated networks to conduct
their business, the loss of confidentiality, integrity, and availability of information and services could have
significant adverse impacts on business operations. Thus, there is a major need to properly protect networks
and their related information systems and information. In other words, implementing and maintaining adequate
network security is critical to the success of any organization’s business operations.
In this context, the telecommunications and information technology industries are seeking cost-effective
comprehensive security solutions, aimed at protecting networks against malicious attacks and inadvertent
incorrect actions, thereby meeting the business requirements for confidentiality, integrity, and availability of
information and services. Securing a network is also essential to achieve accurate billing for network usage.
Security capabilities in products are crucial to overall network security (including applications and services).
However, as more products are combined to provide total solutions, the interoperability, or the lack thereof,
will define the success of the solution. Security must not only be a thread of concern for each product or
service, but must be developed in a manner that promotes the interweaving of security capabilities in the
overall security solution.
The purpose of ISO/IEC 27033-4, Securing communications between networks using security gateways, is to
provide guidance on how to identify and analyze network security threats associated with security gateways,
define the network security requirements for security gateways based on threat analysis, introduce design
techniques to achieve a network technical security architecture to address the threats and control aspects
associated with typical network scenarios, and address the issues associated with implementing, operating,
monitoring and reviewing network security controls with security gateways.
It is emphasized that the ISO/IEC 27033-4 is relevant to all personnel who are involved in the detailed
planning, design and implementation of security gateways (for example network architects and designers,
network managers, and network security officers).

Information technology — Security techniques — Network security — Part 4: Securing communications between networks using security gateways
1 Scope
This part of ISO/IEC 27033 gives guidance for securing communications between networks using security
gateways (firewall, application firewall, Intrusion Protection System, etc.) in accordance with a documented
information security policy of the security gateways, including:
a) identifying and analyzing network security threats associated with security gateways;
b) defining network security requirements for security gateways based on threat analysis;
c) using techniques for design and implementation to address the threats and control aspects associated
with typical network scenarios; and
d) addressing issues associated with implementing, operating, monitoring and reviewing network security
gateway controls.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 27033-1, Information technology – Security techniques – Network security – Part 1: Overview and
concepts
ISO/IEC 27033-3, Information technology – Security techniques – Network security – Part 3: Reference
network scenarios – Risks, design techniques and control issues
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27033-1 and the following apply.
3.2.1
Bastion host
Specific host that is used to intercept packets entering or leaving a network and the system that any outsider
must normally connect with to access a service or a system that lies within an organization’s firewall.
3.2.2
End-point software-based firewall
A software application running on a single machine, protecting network traffic into and out of that machine to
permit or deny communications based on an end user-defined security policy.
3.2.3
Hardened Operating System
An operating system which has been configured or designed specifically to minimize the potential for compromise
or attack. This may be a general OS, such as Linux, which has been configured for this environment, or may
be a more custom-built solution.
3.2.4
Internet gateway
An entry point to access the internet.
3.2.5
Packet
Entity comprising a well-defined block of bytes consisting of ‘header’, ‘data’ and optional ‘trailer’ which can be
transmitted across networks or over telephone lines
NOTE The format of a packet depends on the protocol that created it. Various communications standards and
protocols use special purpose packets to monitor and control a communications session. For example the X.25 standard
uses diagnostic, call clear and reset packets (among others), as well as data packets (or) a unit of data that is transmitted
over the network.
3.2.6
Perimeter network
A physical or logical subnetwork that contains and exposes an organization's external services to a public
network.
3.2.7
Remote office and branch office
Offices externally connected to the organization's main office through remote networks to provide users with
services (e.g., file, print and other services) required to maintain their daily business routine
3.2.8
Single point of failure
A part of a system whose failure causes the entire system to stop working
3.2.9
SIP gateway
A perimeter device that sits between the internal VoIP network and an external network such as the public
telephone network.
NOTE Often a router is used to perform the role. Where VoIP is in use to external IP networks it is important to
ensure that the gateway contains sufficient security measures, especially dynamic rule base changes, to allow call setup to
take place securely.
4 Abbreviated terms
API  Application Programming Interface
BGP  Border Gateway Protocol
DDoS  Distributed Denial-Of-Service
DLL  Dynamic Link Library
DMZ  Demilitarized Zone
DNS  Domain Name Server
ICMP  Internet Control Message Protocol
LAN  Local Area Network
NFS  Network File System
NIS  Network Information System
OSI  Open System Interconnection
OSPF  Open Shortest Path First
RIP  Routing Information Protocol
RPC  Remote Procedure Call
SIP  Session Initiation Protocol
SMS  Short Message Service
S/MIME  Secure/Multipurpose Internet Mail Extensions
SMTP  Simple Mail Transfer Protocol
SPA  Switched Port Analyzer
TLS  Transport Layer Security
VoIP  Voice over Internet Protocol
VPN  Virtual Private Network
WAIS  Wide-area Information Servers or Service
WAN  Wide Area Network
WLAN  Wireless Local Area Network
5 Structure
The structure of ISO/IEC 27033-4 comprises:
⎯ an overview of security gateways (see clause 6);
⎯ security threats associated with security gateways (see clause 7);
⎯ security requirements based on an analysis for security gateways (see clause 8);
⎯ security controls associated with typical network scenarios and network technology areas using security
gateways (see clause 9);
⎯ various design techniques for security gateways (see clause 10); and
⎯ guidelines for product selection (see clause 11).
6 Overview
A security gateway is placed at the boundary between two network segments, for example, between the
organization’s internal network and a public network, to filter the traffic flowing across the boundary in
accordance with the documented security gateway service access policy for that boundary. Another use of
security gateways is to separate segments of the network when using services that may have multiple tenants;
for example, when using Cloud services a security gateway would protect an organization's information by
applying the organization's security policy.
An example network environment is shown in Figure 1 below, which is only for illustrative purposes in this
overview. The DMZ, referred to as a Perimeter Network, is a physical or logical subnetwork that contains and
exposes an organization's external services to a public network, usually the Internet. The purpose of a DMZ is
to add an additional layer of security to an organization's internal network: an external attacker only has
access to services in the DMZ, rather than any other part of the internal network. All external connections to
services should terminate inside the DMZ, and DMZ systems should have little or no access to internal
systems. Designing a network in this way does not eliminate the risk of an internal network compromise; it
merely makes it more difficult. Any intruder who can subvert a service inside a perimeter network may then
have the opportunity to identify another vulnerability which could allow access to the internal network. For this
reason, amongst others, the internal network should still be made as secure as possible.
Figure 1 — Example Network Environment
Most organizations may have multiple “zones” or DMZ areas for Web, application and database layers and for
meeting some compliance/regulatory requirements.
“Hybrid” solutions now exist which incorporate multiple areas of functionality. Many packet filtering
firewalls now have proxies for certain services and include more controls for context such as role, time of day,
etc.
The Intranet owned by the organization is managed and maintained by those authorized by the organization.
An organization of any significant size should have separate network segments between which internal
security gateways will control the traffic flow. Separate infrastructure may be used for special purposes within
the Intranet. For instance, if a WLAN is used as part of the intranet, it should be isolated and require further
authentication as it introduces additional risks. The internal security gateway can be used to protect the
organization’s assets against attacks originating from such a segment.
The organization communicates and exchanges data with trusted third parties in a way that extends the Intranet
towards the partner’s network through the so-called Extranet. The extranet security gateway
can be used to address the threats induced by this extension. When using services such as cloud
computing, the security gateway is used to restrict access and apply an organization's security policy to logical
networks. The business of the organization necessitates communications and data exchange with business
partners, customers, and the general public through the public network, of which the Internet is the most common
example. Since the trust level of the public network is relatively low, security gateways, so-called Internet
gateways, are needed to address risks induced by the public network.
7 Security threats
For the foreseeable future, organizations can expect increasingly sophisticated attacks to be mounted against
their systems. Attempts at unauthorized access can be malicious, for example, leading to a Denial-of-Service
(DoS) attack, the misuse of resources, or the unauthorized access to valuable information. Organizations
should protect their internal network or assets from various threats, such as intentional misuse of the assets,
misconfiguration of the systems, unauthorized traffic traversal between different trusted domains within the
organization, or other threats from Internet application services.
The gateway needs to protect the organization from intrusions by unauthorized users accessing the network
from the internal network, the Internet, or third party networks. Unmonitored content leaving the organization
may introduce legal issues and a potential loss of intellectual property. In addition, as more organizations are
connecting to the Internet to meet their organizational requirements, they are faced with the need to control
access to inappropriate or objectionable Web sites or web applications and services. Without control,
organizations face the threat of productivity losses, liability exposure and misallocation of bandwidth due to
non-productive Web surfing. Thus, the key security threats to be addressed include those associated with:
⎯ denial-of-service to authorised users;
⎯ unauthorised modification of data;
⎯ unauthorised disclosure of data;
⎯ unauthorised system re-configuration;
⎯ unauthorised use of resources and assets of the organization;
⎯ unauthorised traversal of content, e.g. viruses and malware;
⎯ violation of virtualization; and
⎯ denial-of-service and distributed denial-of-service attacks against the security gateway.
8 Security requirements
Security gateways control access to a network (OSI model layers 2, 3 and 4), or to an application (OSI model
layers 5 to 7), as depicted in Figure 2.
Figure 2 — OSI seven layers
Security gateways are used to fulfill the following security requirements:
⎯ provide logical network segmentation;
⎯ restrict and analyse the traffic which passes between the logical networks;
⎯ control access to and from the organization’s network, by inspection of connections or by proxy
operations on selected applications;
⎯ enforce an organization’s network security policy;
⎯ log traffic for subsequent audit;
⎯ hide internal network, host and application architecture; or
⎯ provide the capability for facilitating network management functions, e.g. DoS or DDoS mitigation.
Table 1 illustrates the relationship between the threats in clause 7 and the security requirements in this clause.
Table 1 — Relationship between the threats and the requirements
Requirements (table columns, in order):
(1) Provide logical network segmentation
(2) Restrict and analyse the traffic which passes between the logical networks
(3) Control access to and from the organization's network, by inspection of connections or by proxy operations on selected applications
(4) Enforce an organization's network security policy
(5) Log traffic for subsequent audit
(6) Hide internal network, host and application architecture
(7) Provide the capability for facilitating network management functions
Threats (table rows), with the requirement marks as they appear in the table (one X per applicable requirement column):
Denial of service to authorised users: X  X  X X
Unauthorised modification of data: X X X X X X
Unauthorised disclosure of data: X X X X X X
Unauthorised system re-configuration:  X X X X X
Unauthorised use of resources and assets of organization: X X X X X X X
Unauthorised traversal of content e.g. virus and malware: X X X X X X X
Violation of virtualization: X X X X X X
Denial-of-service and Distributed DoS attack against security gateway: X X X X
9 Security controls
9.1 Overview
For each security gateway, a separate service access (security) policy document should be developed and
the content implemented to ensure that only the authorized traffic is allowed to pass. This document should
contain the details of the ruleset that the gateway is required to administer and the configuration of the
gateway. It needs to be ensured that the policy hierarchy is put into force: an organisation of any significant
size is likely to have a generic policy across the whole organisation, possibly augmented by a generic policy
towards a whole class of security devices, possibly further augmented by a specific policy for a particular
device. Thus, in order to ensure that only valid users and traffic gain access from communications
connections, the policy should define and record in detail the constraints and rules applied to traffic passing
into and out of the security gateway and the parameters for its management and configuration. With all
security gateways, appropriate use should be made of available identification and authentication, logical
access control and audit facilities. In addition, they should be checked regularly for unauthorized software
and/or data and, if such is found, incident reports should be produced in accordance with the organization
and/or community’s information security incident management scheme (see ISO/IEC 27035). A security patch
is a change applied to a security gateway to correct the weakness expressed by a vulnerability, in order to
prevent successful exploitation and to remove or mitigate a threat’s capability in a gateway. Hence, security
gateways should be regularly updated with the latest patches and versions to ensure that they are effective
against the latest vulnerabilities.
A security gateway should not be connected to an organization’s network until it has been established that its
configuration satisfies the requirements of its governing policies.
A firewall is a good example of a security gateway. Firewalls should normally be those that have achieved an
appropriate assurance level commensurate with the assessed threats, with the standard firewall ruleset
having an implicit deny-all for any traffic between networks and adding explicit rules to satisfy only the required
communications paths.
The policies governing a security gateway used to protect a remote system may not warrant the expense and
specialist skills to support a dedicated hardware device. Instead, an end-point software-based firewall, a
so-called personal firewall, can be used, which controls the flow of traffic between the remote computer and the
network to which it is attached. As with any other security gateway, the organization must be satisfied that the
configuration of the ruleset in the end-point software-based firewall satisfies the requirements of the governing
policies.
There are many types of security gateways, including packet filtering, proxy firewalls, stateful packet
inspection, content filtering and application firewalls. The details of each type of security gateway are
described in the following sub-clauses.
A security gateway may employ virtualization technology to implement necessary functions. Virtual machines
should be well isolated when sharing memory, CPU and storage capacities.
The hypervisor, also called the virtual machine manager, should provide protection for itself and for hosted VMs,
e.g. by moving antivirus and anti-spam processing from the VMs to the hypervisor.
Virtualization security protects both the hypervisor and its VMs. It protects the hypervisor from attacks and
enables VM isolation. This function also includes the protection of the VM images and suspended VM
instances in storage and during migration, and overall VM security life-cycle management.
9.2 Stateless packet filtering
A packet filter judges each packet in isolation from any other packet. The decision as to whether to allow or
deny its progress is based entirely on data within the packet itself. There is no attempt to associate the packet
with any preceding packets that may have been presented to the packet filter. The decision is therefore based
on factors such as:
⎯ source and/or destination IP address;
⎯ payload the packet is carrying (e.g., TCP, UDP, ICMP);
⎯ source and/or destination port for a TCP or UDP payload;
⎯ time/date of packet arrival/departure; and
⎯ network interface card of arrival/departure.
Packet filtering gateways are fast but do not track the significance of any packet within an overall
communication stream.
9.3 Stateful packet inspection
Stateful packet inspection extends (stateless) packet filtering by recording key events in the life cycle of a
communications exchange, typically tracking the state of transport layer protocols. Based upon packet filtering
technology, the stateful packet inspection approach intended and implemented in some firewall products adds
more security checks in an attempt to simulate the security checks of an application proxy firewall. Instead of
simply looking at the address of each incoming packet individually, the stateful packet inspection firewall
intercepts incoming packets at the network layer until it has enough information to determine the state of the
attempted connection on upper layers. When deciding the fate of a packet, a stateful packet filter will consider
the packet in the context of other packets it has already seen. This allows the filter, for example, to distinguish
between a packet which is part of an established TCP connection and a similar packet which has arrived on
its own. A stateful packet filter can therefore make more subtle decisions than a packet filter without state.
This, however, requires more resources (memory and processing power) to achieve the same packet
throughput.
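As an added illustration of 9.2 and 9.3 (example code, not part of the draft), the following Python models a stateless packet filter over the decision factors listed in 9.2 with the implicit deny-all of 9.1, and a stateful filter that extends it with a connection table; the policy, addresses and packets are constructed for the example. It shows the packet that a stateless filter cannot tell apart from legitimate return traffic, an unsolicited segment carrying only the ACK flag, being rejected by the stateful filter because no matching connection was ever opened.

```python
# Added illustration of 9.2 (stateless packet filter) and 9.3 (stateful packet
# inspection). Every rule, address and packet here is constructed for the example.
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()      # TCP flags, e.g. {"SYN"} or {"ACK"}
    iface: str = "ext"                  # interface of arrival: "ext" or "int"
    when: datetime = datetime(2014, 2, 20, 10, 0)   # constructed arrival time

@dataclass(frozen=True)
class Rule:
    # One ruleset line over the 9.2 decision factors; None means "any".
    action: str                                   # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = None
    dport: int = None
    iface: str = None
    flags_required: frozenset = frozenset()       # all listed TCP flags must be set
    hours: tuple = None                           # (start, end) arrival time window

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and self.iface in (None, p.iface)
                and self.flags_required <= p.flags
                and (self.hours is None or self.hours[0] <= p.when.time() < self.hours[1]))

class StatelessFilter:
    # 9.2: each packet judged alone; first matching rule wins, else implicit deny (9.1).
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        return next((r.action for r in self.rules if r.matches(p)), "deny")

class StatefulFilter(StatelessFilter):
    # 9.3: a connection table is consulted before the rules. A TCP packet passes
    # without a rule only if its connection was opened by a SYN the rules permitted.
    def __init__(self, rules):
        super().__init__(rules)
        self.connections = {}           # direction-independent key -> state

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def decide(self, p: Packet) -> str:
        if p.proto != "tcp":
            return super().decide(p)    # UDP/ICMP left stateless in this sketch
        key = self._key(p)
        state = self.connections.get(key)
        if state is not None:
            if "RST" in p.flags:
                del self.connections[key]           # torn down; forget it
            elif state == "SYN_SENT" and {"SYN", "ACK"} <= p.flags:
                self.connections[key] = "ESTABLISHED"
            return "allow"
        if p.flags == frozenset({"SYN"}):           # new connection: the rules decide
            verdict = super().decide(p)
            if verdict == "allow":
                self.connections[key] = "SYN_SENT"
            return verdict
        return "deny"                               # neither known nor an opening

# Constructed policy: a public web server in the DMZ and outbound intranet
# connections in business hours. Every other path is implicitly denied.
POLICY = [
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=80, iface="ext"),
    Rule("allow", src="10.0.0.0/8", proto="tcp", iface="int", hours=(time(7), time(19))),
]
# A stateless filter cannot recognise replies to outbound connections, so it needs
# a rule that trusts the ACK flag. That rule is the weakness demonstrated below.
RETURN_TRAFFIC = Rule("allow", dst="10.0.0.0/8", proto="tcp", iface="ext",
                      flags_required=frozenset({"ACK"}))

def demo() -> dict:
    # Packets are presented in this order, so the stateful filter sees the SYN first.
    samples = {
        "syn": Packet("10.1.2.3", "198.51.100.5", "tcp", 40000, 443, frozenset({"SYN"}), "int"),
        "synack": Packet("198.51.100.5", "10.1.2.3", "tcp", 443, 40000, frozenset({"SYN", "ACK"}), "ext"),
        "lone_ack": Packet("198.51.100.99", "10.1.2.3", "tcp", 50000, 22, frozenset({"ACK"}), "ext"),
        "web": Packet("198.51.100.7", "203.0.113.10", "tcp", 51000, 80, frozenset({"SYN"}), "ext"),
        "late": Packet("10.1.2.3", "198.51.100.5", "tcp", 40001, 443, frozenset({"SYN"}), "int",
                       datetime(2014, 2, 20, 23, 0)),
    }
    filters = {"stateless": StatelessFilter(POLICY + [RETURN_TRAFFIC]), "stateful": StatefulFilter(POLICY)}
    return {name: {k: f.decide(p) for k, p in samples.items()} for name, f in filters.items()}
```

Both filters accept the outbound SYN, its SYN/ACK reply and the web-server connection and reject the after-hours attempt; only the stateful filter rejects the lone ACK, which illustrates the extra memory the connection table costs and what it buys.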
9.4 Application firewall
An application firewall analyses the communications exchange at the application level protocol. For example, a
Web Application Firewall would be configured with rules that represent the correct operation of HTTP. The
decision as to whether to allow an HTTP request or HTTP response can be based both on the state of the
HTTP conversation (for example, is this an appropriate response for a previously seen request?) and on some
particular pattern in the data (for example, are characters present which indicate an SQL injection attack?).
If an application firewall is to function on encrypted communication such as SSL/TLS, then end-to-end
encryption must be broken at the application firewall so that it can filter application data in the clear. In these
circumstances, the application firewall should operate a pair of back-to-back encrypted communication
channels between the source and destination. Should the integrity of such an application firewall be
compromised, then the consequences are especially severe due to the trust that users might have had in the
protection of end-to-end encryption.
Firewalls mask some of the threats described in clause 7, for example, unauthorized use of resources and
assets of an organization, by limiting the access to an application or a computer system to a finite set of
identifiable tasks within the proxy itself.
29 The application firewall approach offers superior security control because it provides application-level
30 awareness of attempted connections by examining everything at the highest layer of the protocol stack. The
31 application firewall can be implemented in part of the application proxy which can improve responsiveness
32 and reduce duplicate traffic. The application proxy service has full visibility at the application layer and can
33 accordingly see the granular details of each attempted connection up front and implement security policies
34 accordingly. Application proxy services also feature a built-in proxy function – terminating the client connection
35 at the application gateway and initiating a new connection to the internal protected network. The proxy
36 mechanism provides added security because it separates the external and internal systems and makes it
37 more difficult for attackers on the outside to exploit vulnerabilities on systems internally. The encrypted end-to-
38 end communications cannot directly traverse an application firewall but instead exist as two back-to-back
39 encrypted streams with the message in the clear within the application firewall. This makes the application
40 firewall particularly attractive as an attack target from which to launch man-in-the-middle attacks against
41 encrypted connections.
42 Many firewalls now offer both the traditional proxy services, along with transparent proxy capabilities, often
43 referred to as “deep packet inspection” or application control. They are application aware and are able to allow
44 only certain functions within an application or to apply additional controls (for example, anti-virus scanning of
45 files transferred within an application or blocking video call within Instant Messaging clients.).
46 Secure gateways using the application proxies provide the strongest security with the only drawback being
47 that the added security can negatively impact the performance. Furthermore, for new services it often takes
48 time before the proxy for this service becomes available.
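The two kinds of decision the clause describes for a Web Application Firewall, a state check (is this response answering a request that was actually seen?) and a data check (does a user-supplied value carry an injection indicator?), are shown below on constructed HTTP messages. This is an added example, not code from ISO/IEC 27033-4 or from any WAF product; the allowed-method set, the three indicator patterns and all sample requests are constructed, and a production rule set is far larger and tuned per application. Protocol conformance is checked first (request line, Host header, consistent Content-Length), because a request the firewall cannot frame unambiguously cannot be inspected reliably.

```python
"""Application-layer (HTTP) firewall checks on constructed requests.

Added example, not part of ISO/IEC 27033-4.  The allowed-method list, the
SQL injection indicator patterns and all sample messages are constructed;
a production WAF rule set is far larger and is tuned per application.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

ALLOWED_METHODS = {"GET", "HEAD", "POST"}

# Constructed, deliberately small set of SQL injection indicators, applied
# to decoded parameter values (query string and form body).
SQLI_PATTERNS = [
    re.compile(r"\bunion\b\s+\bselect\b", re.I),
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),  # ' OR '1'='1
    re.compile(r"(--|;)\s*$"),                           # trailing comment/terminator
]


def inspect_request(raw: bytes) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one client request.

    Protocol checks first (does this look like correct HTTP?), then data
    checks (do user-supplied values carry an injection indicator?).
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "deny", "no end of headers"
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        return "deny", "malformed request line"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return "deny", "method %s not permitted" % method
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return "deny", "malformed header line"
        headers[name.strip().lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        return "deny", "HTTP/1.1 request without Host header"
    declared = headers.get("content-length")
    if declared is not None:
        # Inconsistent framing is rejected rather than guessed at.
        if not declared.isdigit() or int(declared) != len(body):
            return "deny", "Content-Length does not match body"
    elif body:
        return "deny", "body without Content-Length"
    values: List[Tuple[str, str]] = list(parse_qsl(urlsplit(target).query))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        values += parse_qsl(body.decode("iso-8859-1"))
    for name, value in values:
        for pattern in SQLI_PATTERNS:
            if pattern.search(value):
                return "deny", "SQL injection indicator in parameter %r" % name
    return "allow", "conforms to HTTP policy"


class ConversationTracker:
    """The state check: a response is forwarded only if the same connection
    has an outstanding request that it can answer."""

    def __init__(self) -> None:
        self.outstanding: Dict[str, List[str]] = {}

    def request(self, conn: str, raw: bytes) -> Tuple[str, str]:
        decision, reason = inspect_request(raw)
        if decision == "allow":
            method = raw.split(b" ", 1)[0].decode("iso-8859-1")
            self.outstanding.setdefault(conn, []).append(method)
        return decision, reason

    def response(self, conn: str, raw: bytes) -> Tuple[str, str]:
        queue = self.outstanding.get(conn, [])
        if not queue:
            return "deny", "response with no outstanding request"
        parts = raw.split(b" ", 2)
        if len(parts) < 2 or not parts[1].isdigit():
            return "deny", "malformed status line"
        return "allow", "response to %s request" % queue.pop(0)


# Constructed sample traffic.
GOOD_REQUEST = b"GET /search?q=shoes HTTP/1.1\r\nHost: shop.example\r\n\r\n"
INJECTION_REQUEST = b"GET /search?q=shoes'%20OR%20'1'='1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
NO_HOST_REQUEST = b"GET / HTTP/1.1\r\nUser-Agent: x\r\n\r\n"
BAD_METHOD_REQUEST = b"TRACE / HTTP/1.1\r\nHost: shop.example\r\n\r\n"
BAD_LENGTH_REQUEST = (b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
                      b"Content-Type: application/x-www-form-urlencoded\r\n"
                      b"Content-Length: 9\r\n\r\nuser=a")
GOOD_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


if __name__ == "__main__":
    for sample in (GOOD_REQUEST, INJECTION_REQUEST, NO_HOST_REQUEST,
                   BAD_METHOD_REQUEST, BAD_LENGTH_REQUEST):
        print(sample.split(b"\r\n")[0].decode(), "->", inspect_request(sample))
    tracker = ConversationTracker()
    print("response before request:", tracker.response("conn-1", GOOD_RESPONSE))
    tracker.request("conn-1", GOOD_REQUEST)
    print("response after request: ", tracker.response("conn-1", GOOD_RESPONSE))
```

Note that `inspect_request` only ever sees plaintext: for an HTTPS flow this code would sit between the two back-to-back TLS channels the clause describes, which is exactly why the host running it needs the assurance level of a bastion host.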

9.5 Content filtering
Security gateways with application level proxies often implement content filtering. Content filtering is a key protection against malicious or inappropriate code. It can help to defend against threats delivered as application downloads or executed in the browser, ranging from Trojan horses to inappropriate ActiveX controls. As most of this malicious code is distributed over the Internet via email or HTTP-based communication (e.g. downloads from a web site or an FTP site), the protection should start at the point where the security gateway interfaces to the Internet. Therefore, a virus scanner or, more generally, a content scanner is added to the screened subnet or the demilitarized zone (DMZ). In most installations, the content scanner is linked directly to the firewall through a network interface so that services such as SMTP-based email traffic and HTTP-based communication are routed to the content filtering scanner.
The predominant technologies for content analysis are as follows:
— protocol analysis;
— signature-based scanning (searching for known patterns);
— investigative analysis (analysing code for functions and behaviour known to be associated with malicious code); and
— sandbox technology (essentially a content monitoring program, which quarantines suspect code in a “sandbox”).
As the difference between content scanning and intrusion detection is small, especially for network based intrusion detection, an intrusion detection system (IDS) can also be combined with the firewall by implementing an IDS agent on the firewall device. See ISO/IEC TR 15947.
NOTE Selection, deployment and operation of intrusion detection or prevention systems will form the subject of an International Standard, ISO/IEC 27039.
Content filtering technology also has some limitations. If data is encrypted at the transport or application layer (e.g. SSL/TLS or S/MIME), content screening is no longer possible unless the encrypted data is decrypted and re-encrypted on the firewall. This could pose security threats such as “man in the middle” attacks. There may be legal implications regarding content scanning and filtering, especially where strong data protection legislation is in effect. In such a scenario, only automatic scanning for malicious code may be allowed, but not scanning for the specific content of an email, because this may infringe upon the privacy of the sender and of the recipient.
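Two of the content analysis technologies listed above, signature-based scanning and protocol (format) analysis, together with the encryption limitation the clause ends on, are shown below as a scanner for SMTP attachments. This is an added example, not code from ISO/IEC 27033-4: the signature list, the magic-byte table and the sample message are constructed, and the only signature used is the EICAR anti-virus test string, which is a harmless industry test file. The scan stays within "automatic scanning for malicious code": it looks at attachment bytes and declared types, not at the message text.

```python
"""Content scanning of email attachments at a gateway, on a constructed message.

Added example, not part of ISO/IEC 27033-4.  The signature list, the
type-to-magic table and the sample message are constructed for illustration;
the EICAR string is the standard anti-virus test file, not malware.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Signature-based scanning: known byte patterns (constructed list).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"EICAR test file": EICAR}

# Protocol/format analysis: what the first bytes say the content really is.
MAGIC = {
    b"MZ": "executable",
    b"\x7fELF": "executable",
    b"%PDF": "pdf",
    b"\x89PNG": "png",
}
EXPECTED_KIND = {"application/pdf": "pdf", "image/png": "png"}
ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/pgp-encrypted"}


def detect_kind(data: bytes) -> Optional[str]:
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def classify(ctype: str, data: bytes) -> str:
    """Verdict for one attachment: unscannable (encrypted), signature hit,
    executable, declared-type mismatch, or allow."""
    if ctype in ENCRYPTED_TYPES:
        # The 9.5 limitation: S/MIME or PGP content cannot be screened here.
        return "unscannable: encrypted content"
    for label, sig in SIGNATURES.items():
        if sig in data:
            return "block: signature match (%s)" % label
    kind = detect_kind(data)
    if kind == "executable":
        return "block: executable content"
    expected = EXPECTED_KIND.get(ctype)
    if expected and kind != expected:
        return "block: content does not match declared type %s" % ctype
    return "allow"


def scan_message(raw: bytes) -> List[Dict[str, str]]:
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode(part.get_content_charset() or "utf-8")
        findings.append({
            "file": part.get_filename() or "(unnamed)",
            "type": part.get_content_type(),
            "verdict": classify(part.get_content_type(), data),
        })
    return findings


def build_sample_message() -> bytes:
    """Constructed message with one attachment of each kind."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("Quarterly figures attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="image",
                       subtype="png", filename="photo.png")  # executable posing as an image
    msg.add_attachment(EICAR, maintype="application",
                       subtype="octet-stream", filename="test.com")
    msg.add_attachment(b"constructed ciphertext", maintype="application",
                       subtype="pkcs7-mime", filename="smime.p7m")
    return msg.as_bytes()


def sample_verdicts() -> List[str]:
    return [f["verdict"] for f in scan_message(build_sample_message())]


if __name__ == "__main__":
    for f in scan_message(build_sample_message()):
        print(f"{f['file']:12} {f['type']:28} {f['verdict']}")
```

The "unscannable" verdict is the important edge case: a gateway policy has to decide explicitly whether encrypted attachments are passed unscanned, quarantined, or decrypted by a separate component that holds the organization's keys, since the scanner itself cannot make that call.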
9.6 Intrusion protection system and intrusion detection system
An intrusion is an unauthorized access to a network or a network-connected system, i.e. deliberate or accidental unauthorized access to an information system, malicious activity against an information system, or unauthorized use of resources within an information system. Intrusion prevention is a formal process of actively responding to prevent intrusions. An intrusion prevention system is a variant of an intrusion detection system that is specifically designed to provide an active response capability, whereas an intrusion detection system simply detects possible intrusions that have been attempted, are occurring or have occurred, and possibly notifies the administrators of the intrusions.
9.7 Security management API
A centralized management function allows proper and efficient management of the security gateways deployed in the organization’s network.
A security management API should be provided by the security gateway for this remote centralized management within an organization. This centralized management function should support remote management of security gateways in terms of operation and configuration.

The remote security administrator should be identified and authenticated by the security gateway. This remote management API should provide a network administrator with tools to administer, monitor, and troubleshoot the security gateway.
10 Design techniques
10.1 Security gateway components
10.1.1 Switches
Switches are used to allow high-speed communications, delivering full network bandwidth to each physical port. Generally switches are layer 2 devices which are extensively used to segment local area networks. Further, they can provide subnet isolation when VLAN techniques are implemented. The traffic between a switch and the nodes connected to that switch can be controlled through the use of access control lists (ACLs). These can be applied to OSI model layers 2, 3 and 4. Access control function
...


INTERNATIONAL STANDARD ISO/IEC 27033-4
First edition
2014-03-01
Information technology — Security techniques — Network security —
Part 4: Securing communications between networks using security gateways
Technologies de l’information — Techniques de sécurité - Sécurité de réseau —
Partie 4: Sécurisation des communications entre réseaux en utilisant des portails de sécurité
Reference number
© ISO/IEC 2014
© ISO/IEC 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

Contents (page numbers in parentheses)
Foreword (iv)
Introduction (v)
1 Scope (1)
2 Normative references (1)
3 Terms and definitions (1)
4 Abbreviated terms (2)
5 Structure (4)
6 Overview (4)
7 Security threats (5)
8 Security requirements (6)
9 Security controls (8)
9.1 Overview (8)
9.2 Stateless packet filtering (8)
9.3 Stateful packet inspection (9)
9.4 Application firewall (9)
9.5 Content filtering (10)
9.6 Intrusion prevention system and intrusion detection system (10)
9.7 Security management API (11)
10 Design techniques (11)
10.1 Security gateway components (11)
10.2 Deploying security gateway controls (12)
11 Guidelines for product selection (16)
11.1 Overview (16)
11.2 Selection of a security gateway architecture and appropriate components (17)
11.3 Hardware and software platform (17)
11.4 Configuration (17)
11.5 Security features and settings (18)
11.6 Administration capability (19)
11.7 Logging capability (19)
11.8 Audit capability (20)
11.9 Training and education (20)
11.10 Implementation types (20)
11.11 High availability and operation mode (20)
11.12 Other considerations (20)
Bibliography (22)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the national bodies
casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27033-4 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This first edition of ISO/IEC 27033-4 cancels and replaces ISO/IEC 18028-3:2005, which has been
technically revised.
ISO/IEC 27033 consists of the following parts, under the general title Information technology — Security
techniques — Network security:
— Part 1: Overview and concepts
— Part 2: Guidelines for the design and implementation of network security
— Part 3: Reference networking scenarios – Threats, design techniques and control issues
— Part 4: Securing communications between networks using security gateways
— Part 5: Securing communications across networks using Virtual Private Networks (VPNs)
— Part 6: Securing wireless IP network access
(Note that there may be other Parts. Examples of possible topics to be covered by Parts include local area
networks, wide area networks, broadband networks, web hosting, Internet email, and routed access to
third party organizations. The main clauses of all such Parts should be Risks, Design Techniques and
Control Issues.)

Introduction
The majority of both commercial and government organizations have their information systems
connected by networks, with the network connections being one or more of the following:
— within the organization;
— between different organizations;
— between the organization and the general public.
Further, with the rapid developments in publicly available network technology (in particular with
the Internet) offering significant business opportunities, organizations are increasingly conducting
electronic business on a global scale and providing online public services. The opportunities include
the provision of lower cost data communications, using the Internet simply as a global connection
medium, through to more sophisticated services provided by Internet Service Providers (ISPs). This
can mean the use of relatively low cost local attachment points at each end of a circuit to full scale online
electronic trading and service delivery systems, using web-based applications and services. Further,
the new technology (including the integration of data, voice and video) increases the opportunities for
remote working (also known as teleworking or telecommuting). Telecommuters are able to keep in
contact through the use of remote facilities to access organization and community networks and related
business support information and services.
However, while this environment does facilitate significant business benefits, there are new security
threats to be managed. With organizations relying heavily on the use of information and associated
networks to conduct their business, the loss of confidentiality, integrity, and availability of information
and services could have significant adverse impacts on business operations. Thus, there is a major need
to properly protect networks and their related information systems and information. In other words,
implementing and maintaining adequate network security is critical to the success of any organization’s
business operations.
In this context, the telecommunications and information technology industries are seeking cost-
effective comprehensive security solutions, aimed at protecting networks against malicious attacks
and inadvertent incorrect actions, thereby meeting the business requirements for confidentiality,
integrity, and availability of information and services. Securing a network is also essential to achieve
accurate billing for network usage. Security capabilities in products are crucial to overall network
security (including applications and services). However, as more products are combined to provide total
solutions, the interoperability, or the lack thereof, will define the success of the solution. Security must
not only be a thread of concern for each product or service, but must be developed in a manner that
promotes the interweaving of security capabilities in the overall security solution.
The purpose of ISO/IEC 27033-4, Securing communications between networks using security gateways,
is to provide guidance on how to identify and analyse network security threats associated with security
gateways, define the network security requirements for security gateways based on threat analysis,
introduce design techniques to achieve a network technical security architecture to address the threats
and control aspects associated with typical network scenarios, and address the issues associated with
implementing, operating, monitoring and reviewing network security controls with security gateways.
It is emphasized that the ISO/IEC 27033-4 is relevant to all personnel who are involved in the detailed
planning, design and implementation of security gateways (for example network architects and
designers, network managers, and network security officers).

INTERNATIONAL STANDARD ISO/IEC 27033-4:2014(E)
Information technology — Security techniques — Network
security —
Part 4:
Securing communications between networks using
security gateways
1 Scope
This part of ISO/IEC 27033 gives guidance for securing communications between networks using
security gateways (firewall, application firewall, Intrusion Protection System, etc.) in accordance with
a documented information security policy of the security gateways, including:
a) identifying and analysing network security threats associated with security gateways;
b) defining network security requirements for security gateways based on threat analysis;
c) using techniques for design and implementation to address the threats and control aspects
associated with typical network scenarios; and
d) addressing issues associated with implementing, operating, monitoring and reviewing network
security gateway controls.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 27033-1, Information technology — Security techniques — Network security — Part 1: Overview
and concepts
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27033-1 and the following
apply.
3.1
bastion host
specific host with hardened operation system that is used to intercept packets entering or leaving a
network and the system that any outsider must normally connect with to access a service or a system
that lies within an organization’s firewall
3.2
end-point software-based firewall
software application running on a single machine, protecting network traffic into and out of that machine
to permit or deny communications based on an end user-defined security policy

3.3
hardened operating system
operating system which has been configured or designed specifically to minimize the potential for compromise or attack
Note 1 to entry: This may be a general OS, such as Linux, which has been configured for this environment, or may be a more custom-built solution.
3.4
Internet gateway
entry point to access the internet
3.5
packet
entity comprising a well-defined block of bytes consisting of ‘header’, ‘data’ and optional ‘trailer’ which
can be transmitted across networks or over telephone lines
Note 1 to entry: The format of a packet depends on the protocol that created it. Various communications standards
and protocols use special purpose packets to monitor and control a communications session. For example the
X.25 standard uses diagnostic, call clear and reset packets (among others), as well as data packets (or) a unit of
data that is transmitted over the network.
3.6
perimeter network
physical or logical subnetwork that contains and exposes an organization’s external services to a public
network
3.7
remote office
branch office
office externally connected to the organization’s main office through remote networks to provide users
with services (e.g. file, print and the other service) required to maintain their daily business routine
3.8
single point of failure
failure of a single part of a system that causes the entire system to stop working
3.9
SIP gateway
perimeter device that sits between the internal VoIP network and an external network such as the public
telephone network
Note 1 to entry: Often a router is used to perform this role. Where VoIP is in use to external IP networks, it is important to ensure that the gateway contains sufficient security measures, especially dynamic rule base changes, to allow call setup to take place securely.
4 Abbreviated terms
ACL Access Control List
API Application Programming Interface
ASIC Application Specific Integrated Circuit
BGP Border Gateway Protocol
CPU Central Processing Unit
DDoS Distributed Denial-of-Service

DLL Dynamic Link Library
DMZ Demilitarized Zone
DNS Domain Name Server
DoS Denial-of-Service
FTP File Transfer Protocol
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol over Secure Socket Layer
ICMP Internet Control Message Protocol
IDS Intrusion Detection System
IP Internet Protocol
IPS Intrusion Prevention System
ISP Internet Service Provider
MIME Multipurpose Internet Mail Extensions
NAT Network Address Translation
NFS Network File System
NIS Network Information System
NNTP Network News Transport Protocol
NTP Network Time Protocol
OS Operating System
OSI Open System Interconnection
OSPF Open Shortest Path First
RIP Routing Information Protocol
RPC Remote Procedure Call
SIP Session Initiation Protocol
SMS Short Message Service
S/MIME Secure/Multipurpose Internet Mail Extensions
SMTP Simple Mail Transfer Protocol
SOAP Simple Object Access Protocol
SPA Switched Port Analyzer
SPOF Single Point Of Failure
SQL Structured Query Language

SSL Secure Sockets Layer protocol
SYN Synchronous
TCP Transmission Control Protocol
TLS Transport Layer Security
UDP User Datagram Protocol
VLAN Virtual Local Area Network
VM Virtual Machine
VoIP Voice over Internet Protocol
VPN Virtual Private Network
WAIS Wide-area Information Servers or Service
WLAN Wireless Local Area Network
XML Extensible Markup Language
5 Structure
The structure of ISO/IEC 27033-4 comprises:
— an overview of security gateway (see Clause 6);
— security threats associated with security gateway (see Clause 7);
— security requirements based on an analysis for security gateways (see Clause 8);
— security controls associated with typical network scenarios and network technology areas using
security gateway (see Clause 9);
— various design techniques for security gateways (see Clause 10); and
— guidelines for product selection (see Clause 11).
6 Overview
A security gateway is placed at the boundary between two or more network segments, for example,
between the organization’s internal network and a public network, to filter the traffic flowing across the
boundary in accordance with the documented security gateway service access policy for that boundary.
Another use of security gateways is to separate segments of the network when using services that may
have multiple tenants, for example when using cloud services a security gateway would protect an
organization’s information by applying the organization’s security policy.
An example network environment is shown in Figure 1 below which is only for illustrative purposes
in this overview. The DMZ, referred to as a perimeter network, is a physical or logical subnetwork that
contains and exposes an organization’s external services to a public network, usually the Internet. The
purpose of a DMZ is to add an additional layer of security to an organization’s internal network; an
external attacker only has access to services in the DMZ, rather than any other part of the internal
network. All external connections to services should terminate inside the DMZ and DMZ systems should
have little or no access to internal systems. Designing a network in this way does not eliminate the risk
of an internal network compromise, it merely makes it more difficult. Any intruder which can subvert
a service inside a perimeter network may then have the opportunity to identify another vulnerability

which could allow access to the internal network. For this reason, amongst others, the internal network
should still be made as secure as possible.
Figure 1 — Example Network Environment
Most organizations may have multiple “zones” or DMZ areas for web, application and database layers
and for meeting some compliance/regulatory requirements.
Hybrid solutions now exist which incorporate multiple areas of functionality. Many packet filtering firewalls now have proxies for certain services and include more controls for context such as role, time of day, etc.
The Intranet owned by the organization is managed and maintained by those authorized by the organization. An organization of any significant size should have separate network segments between which internal security gateways will control the traffic flow. Separate infrastructure may be used for special purposes within the Intranet. For instance, if a WLAN is used as part of the intranet, it should be isolated and require further authentication, as it introduces additional risks. The internal security gateway can be used to protect the organization’s assets against attacks originating from such a segment.
The organization communicates and exchanges data with trusted third parties by extending the Intranet towards the partner’s network through the so-called Extranet. The extranet security gateway can be used to address the threats induced by this extension. When using services such as cloud computing, the security gateway is used to restrict access and apply the organization’s security policy to logical networks. The business of the organization necessitates communications and data exchange with business partners, customers and the general public through the public network, of which the Internet is the most common example. Since the trust level of the public network is relatively low, security gateways, so-called Internet gateways, are needed to address the risks induced by the public network.
7 Security threats
For the foreseeable future, organizations can expect increasingly sophisticated attacks to be mounted
against their systems. Attempts at unauthorized access can be malicious, for example, leading to a Denial-
of-Service (DoS) attack, the misuse of resources, or the unauthorized access to valuable information.
Organizations should protect their internal network or assets from various threats, such as intentional

misuse of the assets, misconfiguration of the systems, unauthorized traffic transversal from different
trusted domains within the organization, or other threats from Internet application services.
The security gateway needs to protect the organization from intrusions from unauthorized users
accessing the network from the internal network, the Internet, or third party networks. Unmonitored
content leaving the organization may introduce legal issues and a potential loss of intellectual
property. In addition, as more organizations are connecting to the Internet to meet their organizational
requirements, they are faced with the need to control access to inappropriate or objectionable websites
or web applications and services. Without control, organizations face the threat of productivity losses,
liability exposure and misallocation of bandwidth due to non-productive web surfing. Thus, the key
security threats to be addressed include those associated with:
— Denial-of-Service to authorized users;
— unauthorized modification of data;
— unauthorized disclosure of data;
— unauthorized system re-configuration;
— unauthorized use of resources and assets of organization;
— unauthorized transversal of content e.g. virus and malware;
— violation of virtualization; and
— Denial-of-Service and Distributed Denial-of-Service attack against security gateway.
8 Security requirements
Security gateways control access to a network (OSI model layer 2, 3, and 4), or to an application (OSI
model layers 5 to 7) depicted in Figure 2.
[Figure 2 shows the OSI model as a stack of seven layers, each with the data unit handled at that layer: Layer 7 Application, Layer 6 Presentation, Layer 5 Session, Layer 4 Transport, Layer 3 Network, Layer 2 Data Link, Layer 1 Physical.]
Figure 2 — OSI seven layers
Security gateways are used to fulfil the following security requirements:
— provide logical network segmentation;
— restrict and analyse the traffic which passes between the logical networks;

— control access to and from the organization’s network, by inspection of connections or by proxy
operations on selected applications;
— enforce an organization’s network security policy;
— log traffic for subsequent audit;
— hide internal network, host and application architecture; or
— provide the capability for facilitating network management functions, e.g. DoS or DDoS mitigation.
Table 1 illustrates the relationship between the threats in Clause 7 and the security requirements in this
clause.
Table 1 — Relationship between the threats and the requirements
Requirements (columns): provide logical network segmentation; restrict and analyse the traffic which passes between the logical networks; control access to and from the organization’s network, by inspection of connections or by proxy operations on selected applications; enforce an organization’s network security policy; log traffic for subsequent audit; hide internal network, host and application architecture; provide the capability for facilitating network management functions.
Threats (rows), with one X for each requirement that addresses the threat:
Denial of Service to authorized users: X X X X
Unauthorized modification of data: X X X X X X
Unauthorized disclosure of data: X X X X X X
Unauthorized system re-configuration: X X X X X
Unauthorized use of resources and assets of organization: X X X X X X X
Unauthorized transversal of content e.g. virus and malware: X X X X X X X
Violation of virtualization: X X X X X X
Denial-of-Service and Distributed DoS attack against security gateway: X X X X

9 Security controls
9.1 Overview
For each security gateway, a separate service access (security) policy document should be developed and
the content implemented to ensure that only the authorized traffic is allowed to pass. This document
should contain the details of the ruleset that the gateway is required to administer and the configuration
of the gateway. It needs to be ensured that the policy hierarchy is put into force: an organization of any
significant size is likely to have generic policy across the whole organization, possibly augmented by
a generic policy towards a whole class of security devices, possibly further augmented by a specific
policy for a particular device. Thus, in order to ensure that only valid users and traffic gain access from
communications connections, the policy should define and record in detail the constraints and rules
applied to traffic passing into and out of the security gateway and the parameters for its management and
configuration. With all security gateways, appropriate use should be made of available identification and
authentication, logical access control and audit facilities. In addition, they should be checked regularly
for unauthorized software and/or data and, if such is found, incident reports should be produced in
accordance with the organization and/or community’s information security incident management
scheme (see ISO/IEC 27035). A security patch is a change applied to a security gateway to correct the
weakness expressed by a vulnerability, in order to prevent successful exploitation; it removes or
mitigates a threat’s capability against the gateway. Hence, security gateways should be regularly updated with
the latest patches and versions to ensure that they are effective against the latest vulnerabilities.
A security gateway should not be connected to an organization’s network until it has been established
that its configuration satisfies the requirements of its governing policies.
A firewall is a good example of a security gateway. Firewalls should normally be those that have achieved
an appropriate assurance level commensurate with the assessed threats, with the standard firewall
ruleset having an implicit deny all for any traffic between networks and adding explicit rules to satisfy
only the required communications paths.
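The two requirements just stated, that a gateway is not connected until its configuration is shown to satisfy its governing policy, and that a firewall ruleset has an implicit deny-all with explicit rules only for the required paths, can be checked mechanically before deployment. The audit below is an added example, not code from ISO/IEC 27033-4 or from any firewall product: the rule representation, the four policy checks (final explicit deny-all, no any-to-any allow, every rule logs, no rule shadowed by an earlier one) and both sample rulesets are constructed. The logging check follows the Clause 8 requirement to log traffic for subsequent audit; the shadowing check catches the common case where a broad rule placed early silently disables a later, more specific rule, including the final deny.

```python
"""Checking a security gateway ruleset against its governing policy before
the gateway is connected to the network.

Added example, not part of ISO/IEC 27033-4.  The rule format, the policy
checks and the sample rulesets are constructed for illustration; product
rule syntax and the organization's actual policy will differ.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp", "icmp" or ANY
    src: str             # CIDR or ANY
    dst: str             # CIDR or ANY
    dport: object        # int or ANY
    log: bool = True


def net(value: str):
    return None if value == ANY else ipaddress.ip_network(value)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by inner is also matched by outer."""
    def field_ok(o, i):
        return o == ANY or o == i

    def net_ok(o, i):
        on, inn = net(o), net(i)
        return on is None or (inn is not None and inn.subnet_of(on))

    return (field_ok(outer.proto, inner.proto)
            and net_ok(outer.src, inner.src)
            and net_ok(outer.dst, inner.dst)
            and field_ok(outer.dport, inner.dport))


def audit(rules: List[Rule]) -> List[str]:
    """Return policy findings; an empty list means the ruleset may be deployed."""
    findings: List[str] = []
    if not rules:
        return ["ruleset is empty"]
    last = rules[-1]
    if not (last.action == "deny" and last.proto == ANY and last.src == ANY
            and last.dst == ANY and last.dport == ANY):
        findings.append("ruleset does not end with an explicit deny-all rule")
    for i, rule in enumerate(rules):
        if rule.action == "allow" and rule.src == ANY and rule.dst == ANY and rule.dport == ANY:
            findings.append("%s allows any-to-any traffic" % rule.name)
        if not rule.log:
            findings.append("%s does not log matched traffic" % rule.name)
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append("%s is shadowed by %s and can never match"
                                % (rule.name, earlier.name))
                break
    return findings


def is_compliant(rules: List[Rule]) -> bool:
    return not audit(rules)


# Constructed rulesets.
DENY_ALL = Rule("r-final", "deny", ANY, ANY, ANY, ANY)
GOOD_RULES = [
    Rule("r1", "allow", "tcp", ANY, "10.0.1.0/24", 443),            # public web tier
    Rule("r2", "allow", "tcp", "10.0.0.0/8", "10.0.2.5/32", 5432),  # app tier to database
    DENY_ALL,
]
BAD_RULES = [
    Rule("r1", "allow", "tcp", ANY, "10.0.1.0/24", 443),
    Rule("r2", "allow", "tcp", "10.0.0.0/8", ANY, ANY),
    Rule("r3", "allow", "tcp", ANY, "10.0.1.10/32", 443),   # inside r1: shadowed
    Rule("r4", "allow", ANY, ANY, ANY, ANY, log=False),     # blanket allow, unlogged
    DENY_ALL,                                               # shadowed by r4
]

if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(label, "compliant" if is_compliant(rules) else "NOT compliant")
        for f in audit(rules):
            print("  -", f)
```

Running `audit` as a gate in the change process (and again after every rule change) is one way to keep the deployed ruleset traceable to the service access policy document the clause calls for.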
The policies governing a security gateway used to protect a remote system may not warrant the expense
and specialist skills needed to support a dedicated hardware device. Instead, an end-point software-based
firewall, a so-called personal firewall, can be used; it controls the flow of traffic between the remote
computer and the network to which it is attached. As with any other security gateway, the organization
must be satisfied that the configuration of the ruleset in the end-point software-based firewall satisfies
the requirements of the governing policies.
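The policy hierarchy (organization-wide policy, policy for a class of devices, policy for one device) and the rule that a gateway is connected only once its configuration is known to satisfy those policies can both be made mechanical. The following Python is an added example written for this page; it is not code from ISO/IEC 27033-4 or from any product. The policy keys (default_action, audit_logging, min_admin_auth, forbid_any_any_allow), the configuration fields and the two sample configurations are all invented for the illustration.

```python
"""Policy hierarchy merge and a pre-connection compliance check for a gateway.

Added example, not from ISO/IEC 27033-4. The policy keys (default_action,
audit_logging, min_admin_auth, forbid_any_any_allow) and the configuration
fields are invented for this illustration, not a real product's format.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Rule:
    action: str      # "allow" or "deny"
    src: str         # CIDR or "any"
    dst: str
    proto: str       # "tcp", "udp", "icmp" or "any"
    dport: str       # port number as a string, or "any"


@dataclass
class GatewayConfig:
    default_action: str
    rules: List[Rule]
    admin_auth: str      # "none", "password" or "mfa"
    audit_logging: bool


# The three layers the text describes: organization-wide, per device class, per device.
ORG_POLICY = {"default_action": "deny", "audit_logging": True, "min_admin_auth": "password"}
FIREWALL_CLASS_POLICY = {"forbid_any_any_allow": True}
DEVICE_POLICY = {"min_admin_auth": "mfa"}   # stricter for this particular perimeter device

AUTH_STRENGTH = {"none": 0, "password": 1, "mfa": 2}


def effective_policy(*layers: dict) -> dict:
    """Merge layers from most generic to most specific. A more specific layer
    may add requirements or tighten them, but may not relax the
    authentication floor that a more generic layer set."""
    merged = {}
    for layer in layers:
        for key, value in layer.items():
            if key == "min_admin_auth" and key in merged:
                if AUTH_STRENGTH[value] < AUTH_STRENGTH[merged[key]]:
                    continue
            merged[key] = value
    return merged


def check_compliance(cfg: GatewayConfig, policy: dict) -> List[str]:
    """Return every policy violation found; an empty list means compliant."""
    findings = []
    want = policy.get("default_action")
    if want and cfg.default_action != want:
        findings.append(f"default action is {cfg.default_action!r}, policy requires {want!r}")
    if policy.get("audit_logging") and not cfg.audit_logging:
        findings.append("audit logging is disabled")
    floor = policy.get("min_admin_auth", "none")
    if AUTH_STRENGTH[cfg.admin_auth] < AUTH_STRENGTH[floor]:
        findings.append(f"administrator authentication {cfg.admin_auth!r} is weaker than {floor!r}")
    if policy.get("forbid_any_any_allow"):
        for i, r in enumerate(cfg.rules):
            if r.action == "allow" and (r.src, r.dst, r.dport) == ("any", "any", "any"):
                findings.append(f"rule {i} allows any source to any destination on any port")
    return findings


def may_connect(cfg: GatewayConfig, policy: dict) -> bool:
    """The gate the text describes: connect only once compliance is established."""
    return not check_compliance(cfg, policy)


# Constructed sample configurations.
UNREVIEWED = GatewayConfig("allow", [Rule("allow", "any", "any", "any", "any")], "password", False)
HARDENED = GatewayConfig(
    "deny",
    [Rule("allow", "any", "10.0.0.0/24", "tcp", "443"),      # inbound HTTPS to the internal web tier
     Rule("allow", "10.0.0.0/24", "any", "tcp", "25")],      # outbound SMTP from the mail relay
    "mfa", True)

if __name__ == "__main__":
    policy = effective_policy(ORG_POLICY, FIREWALL_CLASS_POLICY, DEVICE_POLICY)
    for name, cfg in (("unreviewed", UNREVIEWED), ("hardened", HARDENED)):
        print(name, "may connect:", may_connect(cfg, policy), check_compliance(cfg, policy))
```

The merge deliberately treats the authentication requirement as a floor that lower layers can only raise: a device-specific policy that tried to weaken it is ignored, which is what "augmented by" implies for the hierarchy the text describes.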
There are many types of security gateways, including packet filtering, proxy firewalls, stateful packet
inspection, content filtering and application firewalls. The details of each type of security gateway are
described in the following sub-clauses.
A security gateway may employ virtualization technology to implement the necessary functions. Virtual
machines should be well isolated when sharing memory, CPU and storage capacities.
The hypervisor, also called the virtual machine manager, should provide protection for itself and for the hosted
VMs, e.g. by moving antivirus and anti-spam processing from the VMs to the hypervisor.
Virtualization security protects both the hypervisor and its VMs. It protects the hypervisor from attacks
and enables VM isolation. This function also includes the protection of the VM images and suspended
VM instances in storage and during migration, and overall VM security life-cycle management.
9.2 Stateless packet filtering
A packet filter judges each packet in isolation from any other packet. The decision as to whether to allow
or deny its progress is based entirely on data within the packet itself. There is no attempt to associate
the packet with any preceding packets that may have been presented to the packet filter. The decision is
therefore based on factors such as:
— Source and/or destination IP address;
8 © ISO/IEC 2014 – All rights reserved

— Payload the packet is carrying (e.g. TCP, UDP, ICMP);
— Source and/or destination port for a TCP or UDP payload;
— Time/date of packet arrival/departure; and
— Network interface card of arrival/departure.
Packet filtering gateways are fast but do not track the significance of any packet within an overall
communication stream.
9.3 Stateful packet inspection
Stateful packet inspection extends (stateless) packet filtering by recording key events in the life cycle
of a communications exchange, typically tracking the state of transport layer protocols. Built on
packet filtering technology, the stateful packet inspection approach implemented in some firewall
products adds further security checks in an attempt to approximate the checks performed by an
application proxy firewall. Instead of simply looking at the address of each incoming packet individually,
the stateful packet inspection firewall intercepts incoming packets at the network layer until it has
enough information to determine the state of the attempted connection on upper layers. When deciding
the fate of a packet, a stateful packet filter considers the packet in the context of other packets it has
already seen. This allows the filter, for example, to distinguish between a packet which is part of an
established TCP connection and a similar packet which has arrived on its own. A stateful packet filter
can therefore make more subtle decisions than a packet filter without state. This, however, requires
more resources (memory and processing power) to achieve the same packet throughput.
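The difference between 9.2 and 9.3 is easiest to see side by side: a stateless filter that decides on the fields listed in 9.2 (addresses, protocol, ports, interface, time of arrival) with an implicit deny, and a stateful wrapper that admits an outside packet only as a reply to a connection the inside opened. The Python below is an added example written for this page, not code from the standard or from any firewall product. The Packet and Rule objects, the rule fields (including the "ack" approximation a stateless ruleset has to resort to), the network 10.0.0.0/24 and the documentation addresses in the demo are all constructed for the illustration.

```python
"""Stateless packet filter with implicit deny, plus a stateful TCP tracker.

Added example, not taken from ISO/IEC 27033-4. Packets and rules are
constructed Python objects; the rule fields and the "ack" approximation are
invented for this illustration, not a real product's syntax.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    iface: str            # interface of arrival, "inside" or "outside"
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN", "ACK"}
    hour: int = 12        # hour of arrival, for time-of-day rules


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    iface: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    ack: Optional[bool] = None       # True: require the ACK flag (stateless "reply" approximation)
    hours: range = range(0, 24)

    def matches(self, p: Packet) -> bool:
        # Every criterion comes from the packet alone: no memory of earlier packets.
        return ((self.iface in ("any", p.iface))
                and (self.proto in ("any", p.proto))
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.ack is None or self.ack == ("ACK" in p.flags))
                and p.hour in self.hours)


def stateless_filter(rules, p: Packet) -> str:
    """First matching rule wins; if nothing matches, the implicit deny applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFilter:
    """Admits outside packets only as replies to connections the inside opened."""

    def __init__(self, rules):
        self.rules = rules
        self.table = {}   # (src, sport, dst, dport) of the initiator -> state

    def decide(self, p: Packet) -> str:
        if p.proto != "tcp":
            return stateless_filter(self.rules, p)
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            key = fwd if fwd in self.table else rev
            if "RST" in p.flags:
                del self.table[key]           # connection torn down; forget it
            elif key == rev and {"SYN", "ACK"} <= p.flags:
                self.table[key] = "ESTABLISHED"
            return "allow"
        if "SYN" in p.flags and "ACK" not in p.flags:
            # A new connection attempt: consult the explicit rules.
            action = stateless_filter(self.rules, p)
            if action == "allow":
                self.table[fwd] = "SYN_SENT"
            return action
        return "deny"   # mid-stream packet without a tracked connection


INSIDE = "10.0.0.0/24"     # constructed internal network
STATELESS_RULES = [
    Rule("allow", iface="inside", proto="tcp", src=INSIDE, dport=443),
    # Without state, replies can only be approximated: "anything from outside with ACK set".
    Rule("allow", iface="outside", proto="tcp", dst=INSIDE, ack=True),
    Rule("allow", iface="inside", proto="udp", src=INSIDE, dport=53, hours=range(8, 18)),
]
STATEFUL_RULES = [STATELESS_RULES[0], STATELESS_RULES[2]]   # the ACK rule is no longer needed


def demo():
    client_syn = Packet("10.0.0.5", "203.0.113.10", "tcp", 40000, 443, "inside", frozenset({"SYN"}))
    server_synack = Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 40000, "outside", frozenset({"SYN", "ACK"}))
    # An ACK-flagged packet that belongs to no connection, aimed at an internal SSH port.
    stray_ack = Packet("198.51.100.7", "10.0.0.5", "tcp", 40001, 22, "outside", frozenset({"ACK"}))
    sf = StatefulFilter(STATEFUL_RULES)
    return {
        "stateless_synack": stateless_filter(STATELESS_RULES, server_synack),   # allow
        "stateless_stray_ack": stateless_filter(STATELESS_RULES, stray_ack),    # allow (the weakness)
        "stateful_syn": sf.decide(client_syn),          # allow, connection recorded
        "stateful_synack": sf.decide(server_synack),    # allow, reply to tracked connection
        "stateful_stray_ack": sf.decide(stray_ack),     # deny
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22s} {v}")
```

The demo makes the text's point concrete: the stateless ruleset must let "ACK-set" packets in to allow legitimate replies, so an unrelated ACK-flagged packet also passes; the stateful filter, with one rule fewer, passes the genuine reply and denies the stray packet because no tracked connection explains it. The price is the connection table, which is the extra memory the text mentions.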
9.4 Application firewall
An application firewall analyses a communications exchange at the level of the application protocol. For example,
a web application firewall would be configured with rules that represent the correct operation of
HTTP. The decision as to whether to allow an HTTP request or HTTP response can be based on
the state of the HTTP conversation (for example, is this an appropriate response for a previously seen
request?), on some particular pattern in the data (for example, are characters present which indicate an
SQL injection attack?), or on both.
If an application firewall is to function on encrypted communication such as SSL/TLS, then the end-to-
end encryption must be broken at the application firewall so that it can filter the application data in the
clear. In these circumstances, the application firewall should operate a pair of back-to-back encrypted
communication channels between the source and destination. Should the integrity of such an application
firewall be compromised, the consequences are especially severe because of the trust that users might
have placed in the protection of end-to-end encryption.
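Both kinds of decision the text names for a web application firewall, a state check ("is this response appropriate for a request we saw?") and a pattern check on parameter values, fit in a few dozen lines. The Python below is an added example for this page, not code from the standard or from any WAF product. Requests and responses are constructed dictionaries rather than bytes parsed from the wire, the "one request in flight per connection" rule is a policy choice made for the example, and SQLI_PATTERNS is a small illustrative set, not a complete ruleset.

```python
"""Minimal application-firewall (WAF) logic for HTTP: conversation state plus patterns.

Added example, not from ISO/IEC 27033-4. Requests and responses are constructed
Python dicts rather than parsed from the wire, and the SQL-injection patterns
are a small illustrative set, not a complete ruleset.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed patterns for character sequences typical of SQL injection attempts.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
    re.compile(r"(--|#)\s*$|/\*.*\*/"),
    re.compile(r";\s*(drop|delete|insert|update|exec)\b", re.I),
]


class WebAppFirewall:
    def __init__(self, allowed_methods=("GET", "HEAD", "POST")):
        self.allowed_methods = allowed_methods
        self.pending = {}   # connection id -> request still awaiting its response

    @staticmethod
    def _parameter_values(req):
        """Collect every query-string and form-body parameter value."""
        values = []
        for vs in parse_qs(urlsplit(req["target"]).query, keep_blank_values=True).values():
            values.extend(vs)
        if req.get("body"):
            for vs in parse_qs(req["body"], keep_blank_values=True).values():
                values.extend(vs)
        return values

    def inspect_request(self, conn_id, req):
        """Return None to forward the request, or the reason it is blocked."""
        if req["method"] not in self.allowed_methods:
            return f"method {req['method']} not permitted"
        if conn_id in self.pending:
            # Policy choice for this example: one request in flight per connection.
            return "new request before the previous response completed"
        for value in self._parameter_values(req):
            for pat in SQLI_PATTERNS:
                if pat.search(value):
                    return f"pattern {pat.pattern!r} matched in a parameter value"
        self.pending[conn_id] = req
        return None

    def inspect_response(self, conn_id, resp):
        """State check: is this an appropriate response for a request seen earlier?"""
        req = self.pending.pop(conn_id, None)
        if req is None:
            return "response with no corresponding request"
        if not 100 <= resp["status"] <= 599:
            return f"invalid status code {resp['status']}"
        if req["method"] == "HEAD" and resp.get("body"):
            return "body returned for a HEAD request"
        if resp["status"] in (204, 304) and resp.get("body"):
            return f"body returned with status {resp['status']}"
        return None


def demo():
    """Constructed traffic: a normal exchange, then several that the rules reject."""
    waf = WebAppFirewall()
    return [
        waf.inspect_request("c1", {"method": "GET", "target": "/items?id=42"}),                  # None
        waf.inspect_response("c1", {"status": 200, "body": "<html>...</html>"}),                 # None
        waf.inspect_request("c2", {"method": "GET", "target": "/items?id=1'%20OR%201=1%20--"}),  # blocked
        waf.inspect_response("c3", {"status": 200, "body": ""}),                                  # blocked
        waf.inspect_request("c4", {"method": "TRACE", "target": "/"}),                            # blocked
        waf.inspect_request("c5", {"method": "POST", "target": "/login",
                                   "body": "user=alice&pw=x'+UNION+SELECT+1--"}),                # blocked
    ]


if __name__ == "__main__":
    for outcome in demo():
        print("forward" if outcome is None else f"block: {outcome}")
```

Parameter values are decoded (percent-encoding and "+") before the patterns are applied, because a pattern check run on the raw request line would miss encoded input; that is exactly the application-level awareness the sub-clause contrasts with packet filtering.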
Firewalls mask some of the threats described in Clause 7, for example unauthorized use of the resources
and assets of an organization, by limiting access to an application or computer system to a finite
set of identifiable tasks within the proxy itself.
The application firewall approach offers superior security control because it provides application-
level awareness of attempted connections by examining everything at the highest layer of the protocol
stack. The application firewall can be implemented as part of an application proxy, which can improve
responsiveness and reduce duplicate traffic. The application proxy service has full visibility at the
application layer and can accordingly see the granular details of each attempted connection up front
and implement security policies accordingly. Application proxy services also feature a built-in proxy
function – terminating the client connection at the application gateway and initiating a new connection
to the internal protected network. The proxy mechanism provides added security because it separates
the external and internal systems and makes it more difficult for attackers on the outside to exploit
vulnerabilities on systems internally. The encrypted end-to-end communications cannot directly traverse
an application firewall but instead exist as two back-to-back encrypted streams with the message in the
clear within the application firewall. This makes the application firewall particularly attractive as an
attack target from which to launch man-in-the-middle attacks against encrypted connections.
Many firewalls now offer both traditional proxy services and transparent proxy capabilities,
often referred to as “deep packet inspection” or application control. They are application aware and are
able to allow only certain functions within an application or to apply additional controls (for example,
anti-virus scanning of files transferred within an application, or blocking video calls within instant
messaging clients).
Security gateways using application proxies provide the strongest security, with the only drawback
being that the added security can negatively impact performance. Furthermore, for new services it
often takes time before a proxy for the service becomes available.
9.5 Content filtering
Security gateways with application level proxies often implement content filtering. Content filtering is a
key protection against malicious or inappropriate code. It can help to defend against threats delivered as
application downloads or executed in the browser. This can range from Trojan horses to inappropriate
ActiveX controls. As most of this malicious code is distributed over the Internet via email or HTTP-based
communication (e.g. downloads from a website or an FTP site), the protection should start at the point
where the security gateway interfaces to the Internet. Therefore, a virus scanner or, more generally,
a content scanner is added to the screened subnet or Demilitarized Zone (DMZ). In most
installations, the content scanner is linked directly to the firewall via a network interface so that
services such as SMTP-based email traffic and HTTP-based communication are routed to the content
filtering scanner.
The predominant technologies for content analysis are as follows:
— Protocol analysis;
— Signature-based scanning (searching for known patterns);
— Investigative analysis (analysing code for functions and behaviour known to be associated with
malicious code); and
— Sandbox technology (essentially a content monitoring program, which quarantines suspect code in
a “sandbox”).
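Two of the four technologies listed, protocol analysis and signature-based scanning, combine naturally in a mail content scanner of the kind the text places in the DMZ: the scanner must first understand the protocol's message structure (here MIME) and decode each part, because a signature search over the raw base64-encoded message would find nothing. The Python below is an added example for this page, not code from the standard or from any scanner product. The message, the signature database, the hash block list and the "invoice" attachment are all constructed, inert sample data; only the "MZ" and ELF magic numbers are real file-format markers.

```python
"""Signature-based content scanner for email relayed through a DMZ mail gateway.

Added example, not from ISO/IEC 27033-4. The message and the signature
database are constructed for this illustration; the byte signatures and the
hash entry are invented, while the "MZ" and ELF magic numbers are the real
file-format markers of Windows and Linux executables.
"""
import hashlib
from email import message_from_bytes
from email.message import EmailMessage
from typing import List

# Constructed signature database (name, byte pattern that identifies the sample).
SIGNATURES = [
    ("EXAMPLE.Dropper.A", b"CONSTRUCTED-MALWARE-SIGNATURE-0001"),
]
# Constructed hash block list: SHA-256 of samples already known to be bad.
BLOCKED_SHA256 = {hashlib.sha256(b"CONSTRUCTED-BAD-SAMPLE").hexdigest()}
EXECUTABLE_MAGIC = {b"MZ": "DOS/Windows executable", b"\x7fELF": "ELF executable"}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".vbs", ".js"}


def scan_bytes(data: bytes, filename: str = "") -> List[str]:
    """Apply every check to one decoded part and return the findings."""
    where = filename or "message body"
    findings = []
    if any(filename.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS):
        findings.append(f"blocked attachment type: {filename}")
    for magic, description in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            findings.append(f"{description} found in {where}")
    for name, pattern in SIGNATURES:
        if pattern in data:
            findings.append(f"signature {name} matched in {where}")
    if hashlib.sha256(data).hexdigest() in BLOCKED_SHA256:
        findings.append(f"hash of {where} is on the block list")
    return findings


def scan_message(raw: bytes) -> List[str]:
    """Protocol analysis: parse the MIME structure, decode each leaf part, scan it.
    Decoding matters because base64 hides byte patterns from a search of the raw message."""
    msg = message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        findings.extend(scan_bytes(payload, part.get_filename() or ""))
    return findings


def verdict(raw: bytes) -> str:
    return "quarantine" if scan_message(raw) else "deliver"


def build_sample(malicious: bool) -> bytes:
    """Construct a test message; the attachment is inert sample data, not real malware."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    if malicious:
        msg.add_attachment(b"MZ\x90\x00" + SIGNATURES[0][1],
                           maintype="application", subtype="octet-stream",
                           filename="invoice.pdf.exe")
    else:
        msg.add_attachment(b"%PDF-1.4 constructed harmless document",
                           maintype="application", subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (False, True):
        raw = build_sample(flag)
        print(verdict(raw), scan_message(raw))
```

The hash check illustrates the limit of signature scanning that the text's later items (investigative analysis, sandboxing) address: a sample that is altered by a single byte no longer matches its hash, and a renamed attachment no longer matches its extension, so the magic-number and byte-pattern checks catch more than either alone.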
As the difference between content scanning and intrusion detection is small, especially regarding
network-based intrusion detection, an Intrusion Detection System (IDS) can also be combined with the
firewall by implementing an IDS agent on the firewall device. See ISO/IEC TR 15947.
NOTE Selection, deployment and operations of intrusion detection or prevention systems form the subject of
an International Standard, ISO/IEC 27039.
Content filtering technology also has some limitations. If data is encrypted at the transport or application
layer (e.g. SSL/TLS or S/MIME), content screening is no longer possible unless the encrypted data is
decrypted and re-encrypted on the firewall. This could pose security threats such as “man in the
middle” attacks.
There may be legal implications regarding content scanning and filtering, especially where strong
data protection legislation is in effect. In such a scenario, only automatic scanning for malicious code
may be allowed, but not scanning for specific content of an email, because this may infringe upon the
privacy of the sender and of the recipient.
9.6 Intrusion prevention system and intrusion detection system
An intrusion is an unauthorized access to a network or a network-connected system, i.e. deliberate or
accidental unauthorized access to an information system, malicious activity against an information
system, or unauthorized use of resources within an information system. Intrusion prevention is a formal
process of actively responding to prevent intrusions. An intrusion prevention system is a variant of an
intrusion detection system that is specifically designed to provide an active response capability, while
intrusion detection systems simply detect possible intrusions that have been attempted, are occurring,
or have occurred, and possibly notify the administrators of the intrusions.
9.7 Security management API
A centralized management function allows proper and efficient management of the security gateways
deployed in the organization's network.
The security gateway should provide a security management API for this remote centralized
management. This centralized management function should support remote management
of security gateways in terms of operation and configuration.
The remote security administrator should be identified and authenticated by the security gateway. The
remote management API should provide a network administrator with tools to administer, monitor, and
troubleshoot the security gateway.
10 Design techniques
10.1 Security gateway components
10.1.1 Switches
Switches are used to allow high-speed communications delivering full network bandwidth to each
physical port. Generally switches are layer 2 devices which are extensively used to segment local area
networks. Further, they can provide subnet isolation when VLAN techniques are implemented. The
traffic between a switch and the nodes connected to that switch can be controlled through the use
of Access Control Lists (ACLs). These can be applied at OSI model layers 2, 3 and 4. The access control
functionality provided by switches makes them useful for inclusion as components of security gateway
architectures, especially for the implementation and structuring of screened subnets and
demilitarized zones. Switches used in a security gateway environment should not be connected directly
to a public network due to various threats, e.g. denial-of-service attacks that can cause the exposed
switch to flood connected networks with packets.
Load-balancing switches that operate at layer 7 may also be used. These provide availability of
both firewalls and servers (though usually not at layer 7 for firewalls).
10.1.2 Routers
Routers are normally designed to connect different networks by supporting multiple network protocols
and to optimize network traffic and the routes between communicating hosts. In addition,
routers can be used as components of security gateways, as they are able to filter data
packets using packet filtering techniques. A router that uses this checking of
packet information to control network traffic is often referred to as a screening router. Routers normally
work at layer 3 of the OSI model (the network layer). At this level only packet-level information, such as
source and destination ports, can be analysed. Routers can perform NAT and packet filtering.
10.1.3 Application level gateway
An application level gateway is a hardware- and software-based device or set of devices. Application level
gateways are specifically designed to restrict access between two separate networks. Primarily two
...