Information technology — Security techniques — IT network security — Part 1: Network security management

ISO/IEC 18028-1:2006 provides detailed guidance on the security aspects of the management, operation and use of information technology (IT) networks, and their interconnections. It defines and describes the concepts associated with, and provides management guidance on, network security - including on how to identify and analyse the communications-related factors to be taken into account to establish network security requirements, with an introduction to the possible control areas and the specific technical areas (dealt with in subsequent parts of ISO/IEC 18028). It is relevant to anyone who owns, operates or uses a network. This includes senior managers and other non-technical managers or users, in addition to managers and administrators who have specific responsibilities for information security and/or network security, network operation, or who are responsible for an organization's overall security programme and security policy development. The general objective of ISO/IEC 18028 is to extend the security management guidelines provided in ISO/IEC TR 13335 and ISO/IEC 17799 by detailing the specific operations and mechanisms needed to implement network security controls in a wider range of network environments, providing a bridge between general IT security management issues and network security technical implementations.


General Information

Status: Withdrawn
Publication Date: 03-Jul-2006
Withdrawal Date: 03-Jul-2006
Current Stage: 9599 - Withdrawal of International Standard
Completion Date: 10-Dec-2009
English language edition, 59 pages

Standards Content (Sample)

INTERNATIONAL STANDARD ISO/IEC 18028-1
First edition
2006-07-01

Information technology — Security techniques — IT network security —
Part 1: Network security management

Reference number
ISO/IEC 18028-1:2006(E)
© ISO/IEC 2006

Contents

Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 2
3.1 Terms defined in other International Standards ... 2
3.2 Terms defined in this part of ISO/IEC 18028 ... 2
4 Abbreviated terms ... 7
5 Structure ... 9
6 Aim ... 10
7 Overview ... 10
7.1 Background ... 10
7.2 Identification Process ... 12
8 Consider Corporate Information Security Policy Requirements ... 15
9 Review Network Architectures and Applications ... 15
9.1 Background ... 15
9.2 Types of Network ... 16
9.3 Network Protocols ... 16
9.4 Networked Applications ... 17
9.5 Technologies Used to Implement Networks ... 17
9.5.1 Local Area Networks ... 17
9.5.2 Wide Area Networks ... 18
9.6 Other Considerations ... 18
10 Identify Types of Network Connection ... 18
11 Review Networking Characteristics and Related Trust Relationships ... 20
11.1 Network Characteristics ... 20
11.2 Trust Relationships ... 20
12 Identify the Information Security Risks ... 22
13 Identify Appropriate Potential Control Areas ... 27
13.1 Background ... 27
13.2 Network Security Architecture ... 27
13.2.1 Preface ... 27
13.2.2 Local Area Networking ... 29
13.2.3 Wide Area Networking ... 31
13.2.4 Wireless Networks ... 32
13.2.5 Radio Networks ... 33
13.2.6 Broadband Networking ... 35
13.2.7 Security Gateways ... 36
13.2.8 Remote Access Services ... 37
13.2.9 Virtual Private Networks ... 38
13.2.10 IP Convergence (data, voice, video) ... 39
13.2.11 Enabling Access to Services Provided by Networks that are External (to the Organization) ... 41
13.2.12 Web Hosting Architecture ... 42
13.3 Secure Service Management Framework ... 44
13.3.1 Management Activities ... 44
13.3.2 Networking Security Policy ... 44
13.3.3 Security Operating Procedures ... 45
13.3.4 Security Compliance Checking ... 45
13.3.5 Security Conditions for Connection ... 45
13.3.6 Documented Security Conditions for Users of Network Services ... 46
13.3.7 Incident Management ... 46
13.4 Network Security Management ... 46
13.4.1 Preface ... 46
13.4.2 Networking Aspects ... 46
13.4.3 Roles and Responsibilities ... 48
13.4.4 Network Monitoring ... 49
13.4.5 Evaluating Network Security ... 49
13.5 Technical Vulnerability Management ... 49
13.6 Identification and Authentication ... 49
13.6.1 Background ... 49
13.6.2 Remote Log-in ... 49
13.6.3 Authentication Enhancements ... 50
13.6.4 Remote System Identification ... 50
13.6.5 Secure Single Sign-on ... 51
13.7 Network Audit Logging and Monitoring ... 51
13.8 Intrusion Detection ... 52
13.9 Protection against Malicious Code ... 53
13.10 Common Infrastructure Cryptographic Based Services ... 54
13.10.1 Preface ... 54
13.10.2 Data Confidentiality over Networks ... 54
13.10.3 Data Integrity over Networks ... 54
13.10.4 Non-Repudiation ... 54
13.10.5 Key Management ... 55
13.11 Business Continuity Management ... 57
14 Implement and Operate Security Controls ... 58
15 Monitor and Review Implementation ... 58
Bibliography ... 59

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC should not be held responsible for identifying any or all such patent rights.
ISO/IEC 18028-1 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
ISO/IEC 18028 consists of the following parts, under the general title Information technology — Security
techniques — IT network security:
- Part 1: Network security management
- Part 2: Network security architecture
- Part 3: Securing communications between networks using security gateways
- Part 4: Securing remote access
- Part 5: Securing communications across networks using virtual private networks

Introduction
The telecommunications and information technology industries are seeking cost-effective comprehensive
security solutions. A secure network should be protected against malicious and inadvertent attacks, and
should meet the business requirements for confidentiality, integrity, availability, non-repudiation,
accountability, authenticity and reliability of information and services. Securing a network is also essential for
maintaining the accuracy of billing or usage information as appropriate. Security capabilities in products are
crucial to overall network security (including applications and services). However, as more products are
combined to provide total solutions, the interoperability, or the lack thereof, will define the success of the
solution. Security must not only be a thread of concern for each product or service, but must be developed in
a manner that promotes the interweaving of security capabilities in the overall end-to-end security solution.
Thus, the purpose of ISO/IEC 18028 is to provide detailed guidance on the security aspects of the
management, operation and use of information system networks, and their inter-connections. Those
individuals within an organization that are responsible for information security in general, and network security
in particular, should be able to adapt the material in this standard to meet their specific requirements. Its main
objectives are as follows:
- in ISO/IEC 18028-1, to define and describe the concepts associated with, and provide management
guidance on, network security – including on how to identify and analyze the communications-related
factors to be taken into account to establish network security requirements, with an introduction to the
possible control areas and the specific technical areas (dealt with in subsequent parts of ISO/IEC 18028);
- in ISO/IEC 18028-2, to define a standard security architecture, which describes a consistent framework to
support the planning, design and implementation of network security;
- in ISO/IEC 18028-3, to define techniques for securing information flows between networks using security
gateways;
- in ISO/IEC 18028-4, to define techniques for securing remote access;
- in ISO/IEC 18028-5, to define techniques for securing inter-network connections that are established
using virtual private networks (VPNs).
ISO/IEC 18028-1 is relevant to anyone involved in owning, operating or using a network. This includes senior
managers and other non-technical managers or users, in addition to managers and administrators who have
specific responsibilities for information security and/or network security, network operation, or who are
responsible for an organization's overall security program and security policy development.
ISO/IEC 18028-2 is relevant to all personnel who are involved in the planning, design and implementation of
the architectural aspects of network security (for example network managers, administrators, engineers, and
network security officers).
ISO/IEC 18028-3 is relevant to all personnel who are involved in the detailed planning, design and
implementation of security gateways (for example network managers, administrators, engineers and network
security officers).
ISO/IEC 18028-4 is relevant to all personnel who are involved in the detailed planning, design and
implementation of remote access security (for example network managers, administrators, engineers, and
network security officers).
ISO/IEC 18028-5 is relevant to all personnel who are involved in the detailed planning, design and
implementation of VPN security (for example network managers, administrators, engineers, and network
security officers).
Information technology — Security techniques — IT network security —
Part 1: Network security management
1 Scope
ISO/IEC 18028-1 provides direction with respect to networks and communications, including on the security
aspects of connecting information system networks themselves, and of connecting remote users to networks.
It is aimed at those responsible for the management of information security in general, and network security in
particular. This direction supports the identification and analysis of the communications related factors that
should be taken into account to establish network security requirements, provides an introduction on how to
identify appropriate control areas with respect to security associated with connections to communications
networks, and provides an overview of the possible control areas including those technical design and
implementation topics dealt with in detail in ISO/IEC 18028-2 to ISO/IEC 18028-5.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 18028-2:2005, Information technology — Security techniques — IT network security — Part 2:
Network security architecture
ISO/IEC 18028-3:2005, Information technology — Security techniques — IT network security — Part 3:
Securing communications between networks using security gateways
ISO/IEC 18028-4:2005, Information technology — Security techniques — IT network security — Part 4:
Securing remote access
ISO/IEC 18028-5:2006, Information technology — Security techniques — IT network security — Part 5:
Securing communications across networks using virtual private networks
ISO/IEC 13335-1:2004, Information technology — Security techniques — Management of information and
communications technology security — Part 1: Concepts and models for information and communications
technology security management
ISO/IEC 17799:2005, Information technology — Security techniques — Code of practice for information
security management
ISO/IEC 18044:2004, Information technology — Security techniques — Information security incident
management
ISO/IEC 18043:2006, Information technology — Security techniques — Selection, deployment and operations
of intrusion detection systems

3 Terms and definitions
3.1 Terms defined in other International Standards
For the purposes of this document, the terms and definitions given in ISO/IEC 7498 (all parts) and the
following terms defined in ISO/IEC 17799 and ISO/IEC 13335-1 apply: accountability, asset, authenticity,
availability, baseline controls, confidentiality, data integrity, impact, integrity, security policy, non-repudiation,
reliability, risk, risk analysis, risk assessment, risk management, control, threat and vulnerability.
3.2 Terms defined in this part of ISO/IEC 18028
For the purposes of this document, the following terms and definitions apply.
3.2.1
alert
‘instant’ indication that an information system and network may be under attack, or in danger because of
accident, failure or people error
3.2.2
attacker
any person deliberately exploiting vulnerabilities in technical and non-technical security controls in order to
steal or compromise information systems and networks, or to compromise availability to legitimate users of
information system and network resources
3.2.3
audit
formal inquiry, formal examination, or verification of facts against expectations, for compliance and conformity
3.2.4
audit logging
gathering of data on information security events for the purpose of review and analysis, and ongoing
monitoring
3.2.5
audit tools
automated tools to aid the analysis of the contents of audit logs
3.2.6
business continuity management
process to ensure that recovery of operations will be assured should any unexpected or unwanted incident
occur that is capable of negatively impacting the continuity of essential business functions and supporting
elements
NOTE The process should also ensure that recovery is achieved in the required priorities and timescales, and
subsequently all business functions and supporting elements will be recovered back to normal. The key elements of this
process need to ensure that the necessary plans and facilities are put in place, and tested, and that they encompass
information, business processes, information systems and services, voice and data communications, people and physical
facilities.
3.2.7
Comp128-1
proprietary algorithm that was initially used by default in SIM cards
3.2.8
demilitarized zone
DMZ
perimeter network (also known as a screened sub-net) inserted as a “neutral zone” between networks
NOTE It forms a security buffer zone.

3.2.9
denial of service
DoS
prevention of authorized access to a system resource or the delaying of system operations and functions
3.2.10
extranet
extension of an organization’s Intranet, especially over the public network infrastructure, enabling resource
sharing between the organization and other organizations and individuals that it deals with by providing limited
access to its Intranet
3.2.11
filtering
process of accepting or rejecting data flows through a network, according to specified criteria
3.2.12
firewall
type of security barrier placed between network environments – consisting of a dedicated device or a
composite of several components and techniques – through which all traffic from one network environment to
another, and vice versa, traverses and only authorized traffic, as defined by the local security policy, is
allowed to pass
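The three definitions above (DMZ in 3.2.8, filtering in 3.2.11, firewall in 3.2.12) describe one mechanism: a gateway between network environments that passes only the flows the local security policy authorizes. The following is an added illustration, not text or code from ISO/IEC 18028-1: a minimal zone-based filter in Python with a screened DMZ between the internet and the intranet. The zone names, the RFC 5737 documentation address ranges, the policy rules and the sample flows are all constructed for this example.

```python
# Added example, not text from ISO/IEC 18028-1: a minimal zone-based packet
# filter illustrating the definitions of filtering (3.2.11), firewall (3.2.12)
# and demilitarized zone (3.2.8). The zones, address ranges, policy rules and
# sample flows are all constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical layout: a screened DMZ holding the public web server, an
# internal intranet, and everything else treated as the untrusted internet.
ZONES = {
    "dmz": [ip_network("192.0.2.0/24")],      # RFC 5737 documentation range
    "intranet": [ip_network("10.0.0.0/8")],
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dports: frozenset   # empty frozenset means any destination port
    action: str         # "permit" or "deny"


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside a known range is internet."""
    ip = ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return "internet"


# Ordered policy, first match wins. Nothing here permits internet -> intranet,
# and the DMZ may reach the intranet only on the database port, so a
# compromised DMZ host cannot simply pivot inward.
POLICY = [
    Rule("internet", "dmz", "tcp", frozenset({80, 443}), "permit"),
    Rule("dmz", "intranet", "tcp", frozenset({5432}), "permit"),
    Rule("intranet", "dmz", "tcp", frozenset({22, 443}), "permit"),
    Rule("intranet", "internet", "tcp", frozenset({80, 443}), "permit"),
    Rule("intranet", "internet", "udp", frozenset({53}), "permit"),
]


def evaluate(flow: Flow, policy=POLICY) -> tuple:
    """Return (action, reason) for one flow crossing the security gateway.

    Default deny: only traffic explicitly authorized by the policy passes,
    which is the property the firewall definition in 3.2.12 requires.
    """
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        # Same-zone traffic never traverses the gateway, so it is not filtered here.
        return "permit", f"same zone ({src_zone}), not inspected by the gateway"
    for index, rule in enumerate(policy):
        if (rule.src_zone, rule.dst_zone, rule.proto) != (src_zone, dst_zone, flow.proto):
            continue
        if rule.dports and flow.dport not in rule.dports:
            continue
        return rule.action, f"rule {index}: {src_zone}->{dst_zone} {flow.proto}/{flow.dport}"
    return "deny", f"default deny: {src_zone}->{dst_zone} {flow.proto}/{flow.dport}"


# Constructed flows covering the interesting cases.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "192.0.2.10", "tcp", 443),   # public client to DMZ web server
    Flow("203.0.113.7", "10.1.2.3", "tcp", 445),     # public client straight to an internal host
    Flow("192.0.2.10", "10.1.2.3", "tcp", 5432),     # DMZ web server to internal database
    Flow("192.0.2.10", "10.1.2.3", "tcp", 22),       # DMZ host trying to SSH inward
    Flow("10.1.2.3", "192.0.2.10", "tcp", 22),       # administrator SSH from the intranet
    Flow("10.1.2.3", "203.0.113.7", "tcp", 6667),    # outbound IRC, no rule for it
]


def audit(flows=SAMPLE_FLOWS, policy=POLICY):
    """Evaluate each flow and return (flow, action, reason) triples."""
    return [(flow, *evaluate(flow, policy)) for flow in flows]


if __name__ == "__main__":
    for flow, action, reason in audit():
        print(f"{action:6} {flow.src} -> {flow.dst}:{flow.dport}  ({reason})")
```

The point worth checking in a real gateway configuration is the last line of `evaluate`: a flow that matches no rule is denied, not passed. A filter whose unmatched case is "permit" satisfies the filtering definition but not the firewall definition, because traffic the policy never authorized still traverses it.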
3.2.13
hub
network device that functions at layer 1 of the OSI reference model (ISO/IEC 7498-1)
NOTE There is no real intelligence in network hubs; they only provide physical attachment points for networked
systems or resources.
3.2.14
information security event
identified occurrence of a system, service or network state indicating a possible breach of information security
policy or failure of controls, or a previously unknown situation that may be security relevant
NOTE See ISO/IEC 18044.
3.2.15
information security incident
that indicated by a single or a series of unwanted or unexpected information security events that have a
significant probability of compromising business operations and threatening information security
NOTE See ISO/IEC 18044.
3.2.16
information security incident management
formal process of responding to and dealing with information security events and incidents
NOTE See ISO/IEC 18044.
3.2.17
internet
global system of inter-connected networks in the public domain
3.2.18
intranet
private network established internally in an organization

3.2.19
intrusion
unauthorized access to a network or a network-connected system i.e. deliberate or accidental unauthorized
access to an information system, to include malicious activity against an information system, or unauthorized
use of resources within an information system
3.2.20
intrusion detection
formal process of detecting intrusions, generally characterized by gathering knowledge about abnormal usage
patterns as well as what, how, and which vulnerability has been exploited to include how and when it occurred
NOTE See ISO/IEC 18043.
3.2.21
intrusion detection system
IDS
technical system that is used to identify that an intrusion has been attempted, is occurring, or has occurred
and possibly respond to intrusions in information systems and networks
NOTE See ISO/IEC 18043.
3.2.22
intrusion prevention system
IPS
variant on intrusion detection systems that are specifically designed to provide an active response capability
NOTE See ISO/IEC 18043.
3.2.23
jitter
one form of line distortion caused when a transmitted signal deviates from its reference
3.2.24
malware
malicious software, such as a virus or a trojan horse, designed specifically to damage or disrupt a system
3.2.25
multi protocol label switching
MPLS
technique, developed for use in inter-network routing, whereby labels are assigned to individual data paths or
flows, and used to switch connections, underneath and in addition to normal routing protocol mechanisms
NOTE Label switching can be used as one method of creating tunnels.
3.2.26
network administration
day-to-day operation and management of network processes and users
3.2.27
network analyzer
device used to capture and decode information flowing in networks
3.2.28
network element
information system that is connected to a network
NOTE The detailed description of security element is given in ISO/IEC 18028-2.
3.2.29
network management
process of planning, designing, implementing, operating, monitoring and maintaining a network

3.2.30
network monitoring
process of continuously observing and reviewing data recorded on network activity and operations, including
audit logs and alerts, and related analysis
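Several of the definitions above form a single chain: audit logging (3.2.4) gathers security event data, audit tools (3.2.5) help analyse it, network monitoring (3.2.30) reviews it continuously, and intrusion detection (3.2.20) recognizes abnormal usage patterns in it and produces an alert (3.2.1). The following is an added illustration, not text or code from ISO/IEC 18028-1 or ISO/IEC 18043: a small Python audit tool that reviews firewall deny records and raises an alert when one source is refused on many distinct ports within a short window. The record format, the log lines, the thresholds and the host names are all constructed for this example.

```python
# Added example, not text from ISO/IEC 18028-1: a small audit tool that reviews
# constructed firewall deny records and raises an alert when one source is
# refused on many distinct ports within a short window, illustrating the
# definitions of alert (3.2.1), audit logging (3.2.4), audit tools (3.2.5),
# intrusion detection (3.2.20) and network monitoring (3.2.30). The log format,
# the log lines and the thresholds are all constructed for illustration.
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed record format:
# "<iso timestamp> <host> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>permit|deny) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one source sweeping ports on a DMZ web server, a
# legitimate client, one corrupted line, and a late isolated probe.
SAMPLE_LOG = """\
2006-07-03T10:15:01Z fw1 deny tcp 203.0.113.7:51000 -> 192.0.2.10:21
2006-07-03T10:15:01Z fw1 deny tcp 203.0.113.7:51001 -> 192.0.2.10:22
2006-07-03T10:15:02Z fw1 deny tcp 203.0.113.7:51002 -> 192.0.2.10:23
2006-07-03T10:15:02Z fw1 deny tcp 203.0.113.7:51003 -> 192.0.2.10:25
2006-07-03T10:15:03Z fw1 permit tcp 198.51.100.4:40000 -> 192.0.2.10:443
2006-07-03T10:15:03Z fw1 deny tcp 203.0.113.7:51004 -> 192.0.2.10:110
2006-07-03T10:15:04Z fw1 deny tcp 203.0.113.7:51005 -> 192.0.2.10:143
this line was truncated by the collector and must not crash the tool
2006-07-03T10:20:00Z fw1 deny tcp 198.51.100.4:40001 -> 192.0.2.10:3389
2006-07-03T10:45:00Z fw1 deny tcp 203.0.113.7:51006 -> 192.0.2.10:8080
"""


def parse(line: str):
    """Parse one record into a dict, or return None for a malformed line."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    rec = match.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def detect_port_scans(log_text: str, threshold: int = 5, window_s: int = 60):
    """Sliding-window review of deny records.

    Raise one alert per source the first time it is denied on at least
    `threshold` distinct destination ports within `window_s` seconds.
    Returns (alerts, malformed_line_count).
    """
    recent = defaultdict(deque)   # src -> deque of (ts, dport), oldest first
    already_alerted = set()
    alerts, malformed = [], 0
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            malformed += 1      # count, do not crash: a broken collector is itself worth noticing
            continue
        if rec["action"] != "deny":
            continue
        window = recent[rec["src"]]
        window.append((rec["ts"], rec["dport"]))
        while (rec["ts"] - window[0][0]).total_seconds() > window_s:
            window.popleft()    # expire records older than the window
        ports = {dport for _, dport in window}
        if len(ports) >= threshold and rec["src"] not in already_alerted:
            already_alerted.add(rec["src"])
            alerts.append({
                "src": rec["src"],
                "dst": rec["dst"],
                "first_seen": window[0][0].isoformat(),
                "last_seen": rec["ts"].isoformat(),
                "distinct_ports": sorted(ports),
                "events": len(window),
            })
    return alerts, malformed


if __name__ == "__main__":
    found, bad = detect_port_scans(SAMPLE_LOG)
    for alert in found:
        print("ALERT possible port scan:", alert)
    print(f"{bad} malformed line(s) skipped")
```

Two details matter more than the threshold values: the window is evaluated on every record, so the alert is raised while the sweep is still in progress rather than at the end of a batch, and a malformed record is counted instead of aborting the review, since silently losing log lines defeats the purpose of audit logging.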
3.2.31
network security policy
set of statements, rules and practices that explain an organization’s approach to the use of its network
resources, and specify how its network infrastructure and services should be protected
3.2.32
port
endpoint to a connection
NOTE In the context of the Internet protocol a port is a logical channel endpoint of a TCP or UDP connection.
Application protocols which are based on TCP or UDP have typically assigned default port numbers, e.g. port 80 for the
HTTP protocol.
3.2.33
privacy
right of every individual that his/her private and family life, home and correspondence are treated in
confidence
NOTE There should be no interference by an authority with the exercise of this right except where it is in accordance
with the law and is necessary in a democratic society in the interests of national secu
...
