AS/NZS ISO/IEC 18028.

5:2008
ISO/IEC 18028-5:2006

AS/NZS ISO/IEC 18028.5:2008
This is a free 7 page sample. Access the full version at http://infostore.saiglobal.com.

Australian/New Zealand Standard™
Information technology—Security techniques—IT network security Part 5: Securing communications across networks using virtual private networks

AS/NZS ISO/IEC 18028.5:2008 This Joint Australian/New Zealand Standard was prepared by Joint Technical Committee IT-012, Information Systems, Security and Identification Technology. It was approved on behalf of the Council of Standards Australia on 28 May 2008 and on behalf of the Council of Standards New Zealand on 31 May 2008. This Standard was published on 25 June 2008.

The following are represented on Committee IT-012: Attorney General's Office Australian Association of Permanent Building Societies Australian Bankers Association Australian Chamber of Commerce and Industry Australian Electrical and Electronic Manufacturers Association Certification Forum of Australia Council of Small Business Organisations Internet Industry Association NSW Police New Zealand Defence Force Reserve Bank of Australia

This is a free 7 page sample. Access the full version at http://infostore.saiglobal.com.

Keeping Standards up-to-date
Standards are living documents which reflect progress in science, technology and systems. To maintain their currency, all Standards are periodically reviewed, and new editions are published. Between editions, amendments may be issued. Standards may also be withdrawn. It is important that readers assure themselves they are using a current Standard, which should include any amendments which may have been published since the Standard was purchased. Detailed information about joint Australian/New Zealand Standards can be found by visiting the Standards Web Shop at www.standards.com.au or Standards New Zealand web site at www.standards.co.nz and looking up the relevant Standard in the on-line catalogue. Alternatively, both organizations publish an annual printed Catalogue with full details of all current Standards. For more frequent listings or notification of revisions, amendments and withdrawals, Standards Australia and Standards New Zealand offer a number of update options. For information about these services, users should contact their respective national Standards organization. We also welcome suggestions for improvement in our Standards, and especially encourage readers to notify us immediately of any apparent inaccuracies or ambiguities. Please address your comments to the Chief Executive of either Standards Australia or Standards New Zealand at the address shown on the back cover.

This Standard was issued in draft form for comment as DR 07260.

AS/NZS ISO/IEC 18028.5:2008

Australian/New Zealand Standard™
This is a free 7 page sample. Access the full version at http://infostore.saiglobal.com.

Information technology—Security techniques—IT network security Part 5: Securing communications across networks using virtual private networks

First published as AS/NZS ISO/IEC 18028.5:2008.

COPYRIGHT © Standards Australia/Standards New Zealand All rights are reserved. No part of this work may be reproduced or copied in any form or by any means, electronic or mechanical, including photocopying, without the written permission of the publisher. Jointly published by Standards Australia, GPO Box 476, Sydney, NSW 2001 and Standards New Zealand, Private Bag 2439, Wellington 6020

ISBN 0 7337 8765 7

ii ii

PREFACE
This Standard was prepared by the Joint Standards Australia/Standards New Zealand Committee IT-012, Information Systems, Security and Identification Technology. The objective of this Standard is to provide IT professionals and general line management with detailed guidance on securing communications across networks using virtual private networks. This Standard is identical with, and has been reproduced from ISO/IEC 18028-5:2006, Information technology—Security techniques—IT network security, Part 5: Securing communications across networks using virtual private networks. As this Standard is reproduced from an international standard, the following applies: (a)
This is a free 7 page sample. Access the full version at http://infostore.saiglobal.com.

Its number appears on the cover and title page while the international standard number appears only on the cover. In the source text ‘this part of ISO/IEC 18028’ should read ‘this Australian/New Zealand Standard’. A full point substitutes for a comma when referring to a decimal marker.

(b) (c)

References to International Standards should be replaced by references to Australian or Australian/New Zealand Standards, as follows: Reference to International Standard ISO/IEC 17799 Information technology—Security Techniques—Code of practice for information security management 18028 18028-1 18028-2 18028-3 Information technology—Security techniques—IT network security Part 1: Network security management Part 2: Network security architecture Part 3: Securing communications between networks using security gateways Part 4: Securing remote access Australian/New Zealand Standard AS/NZS 27002 Information technology—Security Techniques—Code of practice for information security management AS/NZS ISO/IEC 18028 Information technology—Security techniques—IT network security 18028.1 Part 1: Network security management 18028.2 Part 2: Network security architecture 18028.3 Part 3: Securing communications between networks using security gateways 18028.4 Part 4: Securing remote access

18028-4

Any international references not listed have not been adopted as Australian or Australian/New Zealand Standards. The term ‘informative’ has been used in this Standard to define the application of the appendix to which it applies. An ‘informative’ appendix is only for information and guidance.

iii iii

Contents

CONTENTS

Page

Foreword............................................................................................................................................................ iv Page Introduction ........................................................................................................................................................ v 1 2 3 3.1 3.2 4 5 5.1 5.2 5.3 5.4 6 7 7.1 7.2 7.3 7.4 7.5 7.6 8 8.1 8.2 8.3 9 9.1 9.2 Scope ......................................................................................................................................................1 Normative references ............................................................................................................................1 Terms and definitions ...........................................................................................................................2 Terms defined in other International Standards.................................................................................2 Terms defined in this part of ISO/IEC 18028 .......................................................................................2 Abbreviated terms .................................................................................................................................3 Overview of VPNs ..................................................................................................................................3 Introduction ............................................................................................................................................3 Types of VPN..........................................................................................................................................4 VPN techniques......................................................................................................................................5 Security aspects ....................................................................................................................................6 VPN security objectives ........................................................................................................................7 VPN security requirements...................................................................................................................7 Confidentiality ........................................................................................................................................8 Integrity...................................................................................................................................................8 Authentication........................................................................................................................................8 Authorization..........................................................................................................................................8 Availability ..............................................................................................................................................8 Tunnel Endpoints...................................................................................................................................8 Guidelines for the selection of secure VPNs ......................................................................................9 Regulatory and legislative aspects......................................................................................................9 VPN management aspects....................................................................................................................9 VPN architectural aspects ....................................................................................................................9 Guidelines for the implementation of secure VPNs .........................................................................12 VPN management considerations......................................................................................................12 VPN technical considerations ............................................................................................................12

This is a free 7 page sample. Access the full version at http://infostore.saiglobal.com.

Annex A (informative) Technologies and protocols used to implement VPNs...........................................15 A.1 Introduction ..........................................................................................................................................15 A.2 Layer 2 VPNs ........................................................................................................................................15 A.3 Layer 3 VPNs ........................................................................................................................................17 A.4 Higher Layer VPNs...............................................................................................................................17 A.5 Comparison of typical VPN protocol security features ...................................................................19 Bibliography ......................................................................................................................................................20

© ISO/IEC 2006 – All rights reserved

iii

ISO/IEC 18028-5:2006(E)

iv iv INTRODUCTION

Introduction

This is a free 7 page sample. Access the full version at http://infostore.saiglobal.com.

The telecommunications and information technology industries are seeking cost-effective comprehensive security solutions. A secure network should be protected against malicious and inadvertent attacks, and should meet the business requirements for confidentiality, integrity, availability, non-repudiation, accountability, authenticity and reliability of information and services. Securing a network is also essential for maintaining the accuracy of billing or usage information as appropriate. Security capabilities in products are crucial to overall network security (including applications and services). However, as more products are combined to provide total solutions, the interoperability, or the lack thereof, will define the success of the solution. Security must not only be a thread of concern for each product or service, but must be developed in a manner that promotes the interweaving of security capabilities in the overall end-to-end security solution. Thus, the purpose of ISO/IEC 18028 is to provide detailed guidance on the security aspects of the management, operation and use of information system networks, and their inter-connections. Those individuals within an organization that are responsible for information security in general, and network security in particular, should be able to adapt the material in ISO/IEC 18028 to meet their specific requirements. Its main objectives are as follows: ⎯ in ISO/IEC 18028-1, to define and describe the concepts associated with, and provide management guidance on, network security – including on how to identify and analyze the communications related factors to be taken into account to establish network security requirements, with an introduction to the possible control areas and the specific technical areas (dealt with in subsequent parts of ISO/IEC 18028); ⎯ in ISO/IEC 18028-2, to define a standard security architecture, which describes a consistent framework to support the planning, design and implementation of network security; ⎯ in ISO/IEC 18028-3, to define techniques for securing information flows between networks using security gateways; ⎯ in ISO/IEC 18028-4, to define techniques for securing remote access; ⎯ in ISO/IEC 18028-5, to define techniques for securing inter-network connections that are established using virtual private networks (VPNs). ISO/IEC 18028-1 is relevant to anyone involved in owning, operating or using a network. This includes senior managers and other non-technical managers or users, in addition to managers and administrators who have specific responsibilities for information security and/or network security, network operation, or who are responsible for an organization's overall security program and security policy development. ISO/IEC 18028-2 is relevant to all personnel who are involved in the planning, design and implementation of the architectural aspects of network security (for example network managers, administrators, engineers, and network security officers). ISO/IEC 18028-3 is relevant to all personnel who are involved in the detailed planning, design and implementation of security gateways (for example network managers, administrators, engineers and network security officers). ISO/IEC 18028-4 is relevant to all personnel who are involved in the detailed planning, design and implementation of remote access security (for example network managers, administrators, engineers, and network security officers). ISO/IEC 18028-5 is relevant to all personnel who are involved in the detailed planning, design and implementation of VPN security (for example network managers, administrators, engineers, and network security officers).

© ISO/IEC 2006 – All rights reserved

v

INTERNATIONAL STANDARD

ISO/IEC 18028-5:2006(E)

1 AUSTRALIAN/NEW ZEALAND STANDARD

1

Information technology — Security techniques — IT network security — Part 5: Securing communications across networks using virtual private networks

This is a free 7 page sample. Access the full version at http://infostore.saiglobal.com.

1

Scope

This part of ISO/IEC 18028 provides detailed direction with respect to the security aspects of using Virtual Private Network (VPN) connections to inter-connect networks, and also to connect remote users to networks. It builds upon the network management direction provided in ISO/IEC 18028-1. It is aimed at those individuals responsible for the selection and implementation of the technical controls necessary to provide network security when using VPN connections, and for the subsequent network monitoring of VPN security thereafter. This part of ISO/IEC 18028 provides an overview of VPNs, presents VPN security objectives, and summarizes VPN security requirements. It gives guidance on the selection of secure VPNs, on the implementation of secure VPNs, and on the network monitoring of VPN security. It also provides information on typical technologies and protocols used by VPNs.

2

Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 7498 (all parts), Information technology — Open Systems Interconnection — Basic Reference Model ISO/IEC 13335-1:2004, Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management ISO/IEC 17799:2005, Information technology — Security techniques — Code of practice for information security management ISO/IEC 18028-1:2006, Information technology — Security techniques — IT network security — Part 1: Network security management ISO/IEC 18028-2:2006, Information technology — Security techniques — IT network security — Part 2: Network security architecture ISO/IEC 18028-3:2005, Information technology — Security techniques — IT network security — Part 3: Securing communications between networks using security gateways

© ISO/IEC 2006 – All rights reserved
COPYRIGHT

1

This is a free preview. Purchase the entire publication at the link below:

This is a free 7 page sample. Access the full version at http://infostore.saiglobal.com.

AS/NZS ISO/IEC 18028.5:2008, Information technology - Security techniques - IT network security Securing communications across networks using virtual private networks

Looking for additional Standards? Visit SAI Global Infostore Subscribe to our Free Newsletters about Australian Standards® in Legislation; ISO, IEC, BSI and more Do you need to Manage Standards Collections Online? Learn about LexConnect, All Jurisdictions, Standards referenced in Australian legislation Do you want to know when a Standard has changed? Want to become an SAI Global Standards Sales Affiliate? Learn about other SAI Global Services: LOGICOM Military Parts and Supplier Database Metals Infobase Database of Metal Grades, Standards and Manufacturers Materials Infobase Database of Materials, Standards and Suppliers Database of European Law, CELEX and Court Decisions

Need to speak with a Customer Service Representative - Contact Us

Sign up to vote on this title
UsefulNot useful

Master Your Semester with Scribd & The New York Times

Special offer: Get 4 months of Scribd and The New York Times for just $1.87 per week!

Master Your Semester with a Special Offer from Scribd & The New York Times