As NZS ISO IEC 18028.4-2006 Information Technology - Security Techniques - IT Network Security Securing Remot

AS/NZS ISO/IEC 18028.
4:2006
ISO/IEC 18028-4:2005
This is a free 9 page sample. Access the full version at http://infostore.saiglobal.com.
AS/NZS ISO/IEC 18028.4:2006
Australian/New Zealand Standard

Information technologySecurity
techniquesIT network security
Part 4: Securing remote access

This Joint Australian/New Zealand Standard was prepared by Joint Technical
Committee IT-012, Information Systems, Security and Identification. It was
approved on behalf of the Council of Standards Australia on 31 March 2006 and on
behalf of the Council of Standards New Zealand on 16 June 2006.
This Standard was published on 10 July 2006.
The following are represented on Committee IT-012:

Attorney Generals Department
Australian Association of Permanent Building Societies
Australian Bankers Association
Australian Chamber of Commerce and Industry
Australian Electrical and Electronic Manufacturers Association
Certification Forum of Australia
Department of Defence (Australia)
Internet Industry Association
NSW Police Service
Reserve Bank of Australia
Keeping Standards up-to-date

Standards are living documents which reflect progress in science, technology and
systems. To maintain their currency, all Standards are periodically reviewed, and
new editions are published. Between editions, amendments may be issued.
Standards may also be withdrawn. It is important that readers assure themselves
they are using a current Standard, which should include any amendments which
may have been published since the Standard was purchased.
Detailed information about joint Australian/New Zealand Standards can be found by
visiting the Standards Web Shop at www.standards.com.au or Standards New
Zealand web site at www.standards.co.nz and looking up the relevant Standard in
the on-line catalogue.
Alternatively, both organizations publish an annual printed Catalogue with full
details of all current Standards. For more frequent listings or notification of
revisions, amendments and withdrawals, Standards Australia and Standards New
Zealand offer a number of update options. For information about these services,
users should contact their respective national Standards organization.
We also welcome suggestions for improvement in our Standards, and especially
encourage readers to notify us immediately of any apparent inaccuracies or
ambiguities. Please address your comments to the Chief Executive of either
Standards Australia or Standards New Zealand at the address shown on the back
cover.
This Standard was issued in draft form for comment as DR 06037.
Australian/New Zealand Standard

Information technologySecurity
techniquesIT network security
Part 4: Securing remote access
First published as AS/NZS ISO/IEC 18028.4:2006.
COPYRIGHT
Standards Australia/Standards New Zealand
All rights are reserved. No part of this work may be reproduced or copied in any form or by
any means, electronic or mechanical, including photocopying, without the written
permission of the publisher.
Jointly published by Standards Australia, GPO Box 476, Sydney, NSW 2001 and Standards
New Zealand, Private Bag 2439, Wellington 6020
ISBN 0 7337 7597 7
ii
PREFACE
This Standard was prepared by the Joint Standards Australia/Standards New Zealand Committee
IT-012, Information Systems, Security and Identification.
This Standard is identical with, and has been reproduced from ISO/IEC 18028-4:2005,
Information technologySecurity techniquesIT network securityPart 4: Securing remote
access.
The objective of this Standard is to provide the Information Security community with clear
guidance on network protection, specifically, securing communications utilising remote access.
This Standard is Part 4 of AS/NZS ISO/IEC 18028, Information technologySecurity

techniquesIT network security, which is published in parts as follows:
Part 2: Network security architecture
Part 3: Securing communications between networks using security gateways
Part 4: Securing remote access (this Standard)
The term informative has been used in this Standard to define the application of the annex to
which it applies. An informative annex is only for information and guidance.
As this Standard is reproduced from an international standard, the following applies:
(a)
Its number appears on the cover and title page while the international standard number
appears only on the cover.
(b)
In the source text this part of ISO/IEC 18028 should read this Australian/New Zealand
Standard.
(c)
A full point substitutes for a comma when referring to a decimal marker.
iii
Contents
CONTENTS
Page
Page
Foreword .............................................................................................................................................................
v
Introduction ....................................................................................................................................................... vi
1
Scope...................................................................................................................................................... 1
Terms, definitions and abbreviated terms.......................................................................................... 1
Aim.......................................................................................................................................................... 5
Overview ................................................................................................................................................ 6
Security requirements .......................................................................................................................... 7
Types of remote access connection ................................................................................................... 8
7
7.1
7.2
7.3
7.4
Techniques of remote access connection ......................................................................................... 9

General ................................................................................................................................................... 9
Access to communications servers.................................................................................................... 9
Access to LAN resources................................................................................................................... 13
Access for maintenance..................................................................................................................... 14
8
8.1
8.2
8.3
8.4
8.5
8.6
8.7
Guidelines for selection and configuration...................................................................................... 14

General ................................................................................................................................................. 14
Protecting the RAS client ................................................................................................................... 15
Protecting the RAS server.................................................................................................................. 16
Protecting the connection.................................................................................................................. 17
Wireless security................................................................................................................................. 18
Organizational measures ................................................................................................................... 19
Legal considerations .......................................................................................................................... 20
Conclusion........................................................................................................................................... 20
Annex A (informative) Sample remote access security policy .................................................................... 21

A.1
Purpose ................................................................................................................................................ 21
A.2
Scope.................................................................................................................................................... 21
A.3
Policy.................................................................................................................................................... 21
A.4
Enforcement ........................................................................................................................................ 22
A.5
Terms and definitions......................................................................................................................... 23
Annex B (informative) RADIUS implementation and deployment best practices...................................... 24
B.1
General ................................................................................................................................................. 24
B.2
Implementation best practices .......................................................................................................... 24
B.3
Deployment best practices ................................................................................................................ 25
Annex C (informative) The two modes of FTP ............................................................................................... 27
C.1
PORT-mode FTP.................................................................................................................................. 27
C.2
PASV-mode FTP.................................................................................................................................. 27
Annex D (informative) Checklists for secure mail service ........................................................................... 29
D.1
Mail server operating system checklist ............................................................................................ 29
D.2
Mail server and content security checklist....................................................................................... 30
D.3
Network infrastructure checklist ....................................................................................................... 31
D.4
Mail client security checklist.............................................................................................................. 32
D.5
Secure administration of mail server checklist ............................................................................... 32
Annex E (informative) Checklists for secure web services.......................................................................... 34
E.1
Web server operating system checklist ........................................................................................... 34
E.2
Secure web server installation and configuration checklist .......................................................... 35
E.3
Web content checklist ........................................................................................................................ 36
ISO/IEC 2005 All rights reserved
iii
iv
ISO/IEC 18028-4:2005(E)
Page
E.4
E.5
E.6
Web authentication and encryption checklist .................................................................................. 37

Network infrastructure checklist ....................................................................................................... 37
Secure web server administration checklist .................................................................................... 38
Annex F (informative) Wireless LAN security checklist................................................................................ 40
Bibliography...................................................................................................................................................... 42
iv
ISO/IEC 18028-4:2005(E)
v
INTRODUCTION
Introduction
In Information Technology there is an ever increasing need to use networks within organizations and between
organizations. Requirements have to be met to use networks securely.
The area of remote access to a network requires specific measures when IT security should be in place. This
part of ISO/IEC 18028 provides guidance for accessing networks remotely either for using email, file transfer
or simply working remotely.
vi
vi
NOTES
INTERNATIONAL STANDARD
ISO/IEC 18028-4:2005(E)
AUSTRALIAN/NEW ZEALAND STANDARD
Information technology Security techniques IT network

security
Part 4:
Securing remote access
Scope
This part of ISO/IEC 18028 provides guidance for securely using remote access a method to remotely
connect a computer either to another computer or to a network using public networks and its implication for IT
security. In this it introduces the different types of remote access including the protocols in use, discusses the
authentication issues related to remote access and provides support when setting up remote access securely.
It is intended to help network administrators and technicians who plan to make use of this kind of connection
or who already have it in use and need advice on how to set it up securely and operate it securely.
Terms, definitions and abbreviated terms
For the purposes of this document, the following terms, definitions and abbreviated terms apply.
2.1
Access Point
AP
the system providing access from a wireless network to a terrestrial network
2.2
Advanced Encryption Standard
AES
a symmetric encryption mechanism providing variable key length and allowing an efficient implementation
specified as Federal Information Processing Standard (FIPS) 197
2.3
authentication
the provision of assurance of the claimed identity of an entity. In case of user authentication, users are
identified either by knowledge (e.g., password), by possession (e.g., token) or by a personal characteristic
(biometrics). Strong authentication is either based on strong mechanisms (e.g., biometrics) or makes use of at
least two of these factors (so-called multi-factor authentication).
2.4
call-back
a mechanism to place a call to a pre-defined or proposed location (and address) after receiving valid ID
parameters
2.5
Challenge-Handshake Authentication Protocol
CHAP
a three-way authentication protocol defined in RFC 1994

COPYRIGHT
This is a free preview. Purchase the entire publication at the link below:
AS/NZS ISO/IEC 18028.4:2006, Information

technology - Security techniques - IT network
security Securing remote access
Looking for additional Standards? Visit SAI Global Infostore

Subscribe to our Free Newsletters about Australian Standards in Legislation; ISO, IEC, BSI and more
Do you need to Manage Standards Collections Online?
Learn about LexConnect, All Jurisdictions, Standards referenced in Australian legislation
Do you want to know when a Standard has changed?
Want to become an SAI Global Standards Sales Affiliate?
Learn about other SAI Global Services:
LOGICOM Military Parts and Supplier Database
Metals Infobase Database of Metal Grades, Standards and Manufacturers
Materials Infobase Database of Materials, Standards and Suppliers
Database of European Law, CELEX and Court Decisions
Need to speak with a Customer Service Representative - Contact Us

As NZS ISO IEC 18028.4-2006 Information Technology - Security Techniques - IT Network Security Securing Remot

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

As NZS ISO IEC 18028.4-2006 Information Technology - Security Techniques - IT Network Security Securing Remot

Uploaded by

Copyright:

Available Formats

AS/NZS ISO/IEC 18028.

This is a free 9 page sample. Access the full version at http://infostore.saiglobal.com.