ISO/IEC 27033-5
ISO/IEC 27033-5:2013 Information technology — Security techniques — Network security — Part 5: Securing communications across networks using Virtual Private Networks (VPNs)
(first edition)
Abstract
ISO/IEC 27033 part 5 “gives guidelines for the selection, implementation, and monitoring of the technical controls necessary to provide network security using Virtual Private Network (VPN) connections to interconnect networks and connect remote users to networks.”
[Source: ISO/IEC 27033-5:2013]
Introduction
Part 5 revised ISO/IEC 18028 part 5.
It extends the IT security management guidelines of ISO/IEC TR 13335 by detailing the specific operations and mechanisms needed to implement network security safeguards and controls in a wider range of network environments, providing a bridge between general IT security management issues and network security technical implementations.
It provides guidance for securing remote access over public networks.
Scope
Guides network administrators and technicians who plan to make use of this kind of connection, or who already have it in use and need advice on how to set it up securely and operate it securely.
Structure
Main sections:
6: Overview
7: Security threats
8: Security requirements
9: Security controls
10: Design techniques
11: Guidelines for product selection
Status
The current first edition of part 5 was published in 2013 and confirmed unchanged in 2019.
Commentary
Gives a high-level, incomplete assessment of the threats to VPNs (i.e. it mentions the threats of intrusion and denial of service but not unauthorized monitoring/interception, traffic analysis, data corruption, insertion of bogus traffic, various attacks on VPN end points, malware, masquerading/identity theft, insider threats etc., although these are mentioned or at least hinted-at later under security requirements).
Introduces different types of remote access including protocols, authentication issues and support when setting up remote access securely.