Australian/New Zealand Standard

Transcription

1 AS/NZS ISO/IEC :2006 ISO/IEC :2005 AS/NZS ISO/IEC :2006 Australian/New Zealand Standard Information technology Security techniques IT network security Part 4: Securing remote access

2 AS/NZS ISO/IEC :2006 This Joint Australian/New Zealand Standard was prepared by Joint Technical Committee IT-012, Information Systems, Security and Identification. It was approved on behalf of the Council of Standards Australia on 31 March 2006 and on behalf of the Council of Standards New Zealand on 16 June This Standard was published on 10 July The following are represented on Committee IT-012: Attorney General s Department Australian Association of Permanent Building Societies Australian Bankers Association Australian Chamber of Commerce and Industry Australian Electrical and Electronic Manufacturers Association Certification Forum of Australia Department of Defence (Australia) Internet Industry Association NSW Police Service Reserve Bank of Australia Keeping Standards up-to-date Standards are living documents which reflect progress in science, technology and systems. To maintain their currency, all Standards are periodically reviewed, and new editions are published. Between editions, amendments may be issued. Standards may also be withdrawn. It is important that readers assure themselves they are using a current Standard, which should include any amendments which may have been published since the Standard was purchased. Detailed information about joint Australian/New Zealand Standards can be found by visiting the Standards Web Shop at or Standards New Zealand web site at and looking up the relevant Standard in the on-line catalogue. Alternatively, both organizations publish an annual printed Catalogue with full details of all current Standards. For more frequent listings or notification of revisions, amendments and withdrawals, Standards Australia and Standards New Zealand offer a number of update options. For information about these services, users should contact their respective national Standards organization. We also welcome suggestions for improvement in our Standards, and especially encourage readers to notify us immediately of any apparent inaccuracies or ambiguities. Please address your comments to the Chief Executive of either Standards Australia or Standards New Zealand at the address shown on the back cover. This Standard was issued in draft form for comment as DR

3 AS/NZS ISO/IEC :2006 Australian/New Zealand Standard Information technology Security techniques IT network security Part 4: Securing remote access First published as AS/NZS ISO/IEC :2006. COPYRIGHT Standards Australia/Standards New Zealand All rights are reserved. No part of this work may be reproduced or copied in any form or by any means, electronic or mechanical, including photocopying, without the written permission of the publisher. Jointly published by Standards Australia, GPO Box 476, Sydney, NSW 2001 and Standards New Zealand, Private Bag 2439, Wellington 6020 ISBN

4 ii PREFACE This Standard was prepared by the Joint Standards Australia/Standards New Zealand Committee IT-012, Information Systems, Security and Identification. This Standard is identical with, and has been reproduced from ISO/IEC :2005, Information technology Security techniques IT network security Part 4: Securing remote access. The objective of this Standard is to provide the Information Security community with clear guidance on network protection, specifically, securing communications utilising remote access. This Standard is Part 4 of AS/NZS ISO/IEC 18028, Information technology Security techniques IT network security, which is published in parts as follows: Part 2: Network security architecture Part 3: Securing communications between networks using security gateways Part 4: Securing remote access (this Standard) The term informative has been used in this Standard to define the application of the annex to which it applies. An informative annex is only for information and guidance. As this Standard is reproduced from an international standard, the following applies: (a) Its number appears on the cover and title page while the international standard number appears only on the cover. (b) In the source text this part of ISO/IEC should read this Australian/New Zealand Standard. (c) A full point substitutes for a comma when referring to a decimal marker.

5 iii CONTENTS Page 1 Scope Terms, definitions and abbreviated terms Aim Overview Security requirements Types of remote access connection Techniques of remote access connection General Access to communications servers Access to LAN resources Access for maintenance Guidelines for selection and configuration General Protecting the RAS client Protecting the RAS server Protecting the connection Wireless security Organizational measures Legal considerations Conclusion Annex A (informative) Sample remote access security policy A.1 Purpose A.2 Scope A.3 Policy A.4 Enforcement A.5 Terms and definitions Annex B (informative) RADIUS implementation and deployment best practices B.1 General B.2 Implementation best practices B.3 Deployment best practices Annex C (informative) The two modes of FTP C.1 PORT-mode FTP C.2 PASV-mode FTP Annex D (informative) Checklists for secure mail service D.1 Mail server operating system checklist D.2 Mail server and content security checklist D.3 Network infrastructure checklist D.4 Mail client security checklist D.5 Secure administration of mail server checklist Annex E (informative) Checklists for secure web services E.1 Web server operating system checklist...34 E.2 Secure web server installation and configuration checklist E.3 Web content checklist... 36

6 iv Page E.4 Web authentication and encryption checklist...37 E.5 Network infrastructure checklist...37 E.6 Secure web server administration checklist...38 Annex F (informative) Wireless LAN security checklist...40 Bibliography...42

7 v INTRODUCTION In Information Technology there is an ever increasing need to use networks within organizations and between organizations. Requirements have to be met to use networks securely. The area of remote access to a network requires specific measures when IT security should be in place. This part of ISO/IEC provides guidance for accessing networks remotely either for using , file transfer or simply working remotely.

8 vi NOTES

9 1 AUSTRALIAN/NEW ZEALAND STANDARD Information technology Security techniques IT network security Part 4: Securing remote access 1 Scope This part of ISO/IEC provides guidance for securely using remote access a method to remotely connect a computer either to another computer or to a network using public networks and its implication for IT security. In this it introduces the different types of remote access including the protocols in use, discusses the authentication issues related to remote access and provides support when setting up remote access securely. It is intended to help network administrators and technicians who plan to make use of this kind of connection or who already have it in use and need advice on how to set it up securely and operate it securely. 2 Terms, definitions and abbreviated terms For the purposes of this document, the following terms, definitions and abbreviated terms apply. 2.1 Access Point AP the system providing access from a wireless network to a terrestrial network 2.2 Advanced Encryption Standard AES a symmetric encryption mechanism providing variable key length and allowing an efficient implementation specified as Federal Information Processing Standard (FIPS) authentication the provision of assurance of the claimed identity of an entity. In case of user authentication, users are identified either by knowledge (e.g., password), by possession (e.g., token) or by a personal characteristic (biometrics). Strong authentication is either based on strong mechanisms (e.g., biometrics) or makes use of at least two of these factors (so-called multi-factor authentication). 2.4 call-back a mechanism to place a call to a pre-defined or proposed location (and address) after receiving valid ID parameters 2.5 Challenge-Handshake Authentication Protocol CHAP a three-way authentication protocol defined in RFC

10 This is a free preview. Purchase the entire publication at the link below: Looking for additional Standards? Visit SAI Global Infostore Subscribe to our Free Newsletters Do you need to Manage Standards Collections Online? Learn about LexConnect, All Jurisdictions, Standards referenced in Australian legislation Do you want to know when a Standard has changed? Create safe work processes for the workplace with our Safe Work Method Statements Learn about other SAI Global Services: LOGICOM Military Parts and Supplier Database Metals Infobase Database of Metal Grades, Standards and Manufacturers Materials Infobase Database of Materials, Standards and Suppliers Database of European Law, CELEX and Court Decisions Need to speak with a Customer Service Representative - Contact Us