ISO/IEC 27033-6

ISO/IEC 27033-6:2016 Information technology — Security techniques — Network security — Part 6: Securing wireless IP network access 

(first edition)

Abstract

ISO/IEC 27033 part 6 “describes the threats, security requirements, security control and design techniques associated with wireless networks. It provides guidelines for the selection, implementation and monitoring of the technical controls necessary to provide secure communications using wireless networks. The information in [part 6] is intended to be used when reviewing or selecting technical security architecture/design options that involve the use of wireless network in accordance with ISO/IEC 27033-2. Overall, ISO/IEC 27033-6 will aid considerably the comprehensive definition and implementation of security for any organization's wireless network environment. It is aimed at users and implementers who are responsible for the implementation and maintenance of the technical controls necessary to provide secure wireless networks.” 


[Source: ISO/IEC 27033-6:2016]

Introduction

This is a generic wireless network security standard offering basic advice for WiFi, Bluetooth, 3G and other wireless networks.

Scope

Risks, design techniques and control issues for securing IP wireless networks. 


Relevant to those involved in the detailed planning, design and implementation of security for wireless networks (e.g. network architects and designers, network managers and network security admins).

Structure

Main sections:

  • 6: Overview

  • 7: Security threats

  • 8: Security requirements

  • 9: Security controls

  • 10: Security design techniques and considerations

  • Annex A: Technical description of threats and countermeasures

Status

The current first edition of part 6 was published in 2016 and confirmed unchanged in 2021.

Commentary

The standard uses the term “wire line network”, more commonly known as a wired network.


The standard repeatedly refers to “access network”, a curious term that is not defined (aside from Radio Access Network). It seems to mean “network” but without a definition, we cannot be sure.


The standard indicates that encryption is an integrity control. Normally, encryption provides confidentiality, while other cryptographic controls and protocols provide the integrity functions.


Similarly to Part 7, this part lists a number of “threats” which are, in fact, attack modes or incident scenarios. The list would, I feel, have been more useful if the standard systematically addressed each of them, explaining how certain controls mitigate them. It doesn’t.

This page last updated:

2 November 2025

© 2025 IsecT Limited 

 
