GB/T 25068.4-2022: Information technology - Security techniques - Network security - Part 4: Securing communications between networks using security gateways
Status: Valid
Basic data
Standard ID: GB/T 25068.4-2022 (GB/T25068.4-2022)
Description (translated English): Information technology - Security techniques - Network security - Part 4: Securing communications between networks using security gateways
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard (ICS): 35.030
Word count estimation: 22,212
Date of issue: 2022-10-14
Date of implementation: 2023-05-01
Older standard (superseded by this standard): GB/T 25068.3-2010
Issuing agency(ies): State Administration for Market Regulation; China National Standardization Administration

The text below is a DRAFT translation for illustration, not a final translation.
ICS 35.030
CCS L80
National Standard of the People's Republic of China
Replacing GB/T 25068.3-2010
Information technology - Security techniques - Network security - Part 4: Securing communications between networks using security gateways
(ISO/IEC 27033-4:2014, IDT)
Published on 2022-10-12; implemented on 2023-05-01
Released by the State Administration for Market Regulation and the National Standardization Administration

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Document structure
6 Overview
7 Security threats
8 Security requirements
9 Security controls
9.1 General
9.2 Stateless packet filtering
9.3 Stateful packet inspection
9.4 Application firewall
9.5 Content filtering
9.6 Intrusion prevention systems and intrusion detection systems
9.7 Security management API
10 Design techniques
10.1 Security gateway components
10.2 Deploying security gateway controls
11 Product selection guide
11.1 General
11.2 Selecting the security gateway architecture and appropriate components
11.3 Hardware and software platforms
11.4 Configuration
11.5 Security function settings
11.6 Management capabilities
11.7 Logging function
11.8 Audit function
11.9 Training and education
11.10 Implementation type
11.11 High availability and operational modes
11.12 Other considerations
References

Foreword
This document was drafted in accordance with the provisions of GB/T 1.1-2020 "Guidelines for standardization work - Part 1: Structure and drafting rules for standardization documents". This document is Part 4 of GB/T 25068 "Information technology - Security techniques - Network security". GB/T 25068 has published the following parts:
--- Part 1: Overview and concepts;
--- Part 2: Guidelines for the design and implementation of network security;
--- Part 3: Threats, design techniques and control issues for network access scenarios;
--- Part 4: Securing communications between networks using security gateways;
--- Part 5: Securing communications across networks using virtual private networks.

This document replaces GB/T 25068.3-2010 "Information technology - Security techniques - IT network security - Part 3: Securing communications between networks using security gateways". Compared with GB/T 25068.3-2010, apart from structural adjustments and editorial changes, the main technical changes are as follows:
a) Changed the recommended terms and expressions used in stating the "Scope" (see Chapter 1; Chapter 1 of the 2010 edition);
b) Changed the content of "Terms and definitions" (see Chapter 3; Chapter 3 of the 2010 edition);
c) Deleted the abbreviations "IT", "IDP" and "V.35", and added the abbreviations "ACL", "ASIC", "CPU", "DDoS" and "URL" (see Chapter 4; Chapter 4 of the 2010 edition);
d) Added the three chapters "Document structure", "Overview" and "Security threats" (see Chapters 5 to 7);
e) Changed "Security requirements" to "Security requirements", added "Table 1", and incorporated the relevant content of the 2010 edition after modification (see Chapter 8; Chapter 5 of the 2010 edition);
f) Changed "Security gateway technology" to "Security controls" (see Chapter 9; Chapter 6 of the 2010 edition), added the elements "General" (see 9.1), "Intrusion prevention systems and intrusion detection systems" (see 9.6) and "Security management API" (see 9.7), and deleted the element "Network Address Translation (NAT)" (see 6.4 of the 2010 edition);
g) Deleted the comparison of the advantages and disadvantages of "stateful packet inspection firewalls" and "application proxy firewalls", and incorporated the relevant content of the 2010 edition after modification (see 9.3; 6.2 of the 2010 edition);
h) Changed "Application proxy" to "Application firewall", and incorporated the relevant content of the 2010 edition after modification (see 9.4; 6.3 of the 2010 edition);
i) Changed "Content analysis and filtering" to "Content filtering", added the item "Protocol analysis" under "Content analysis", and incorporated the relevant content of the 2010 edition after modification (see 9.5; 6.5 of the 2010 edition);
j) Merged the chapters "Security gateway components" and "Security gateway architecture" into the chapter "Design techniques", deleted the hanging-paragraph guidance text, redrew the schematic diagrams (see Figures 3 to 6; Figures 1 to 4 of the 2010 edition), and incorporated the relevant content of the 2010 edition after modification (see Chapter 10; Chapters 7 and 8 of the 2010 edition);
k) Added the usage rule "There may be a load balancing switch" (see 10.1.1; 7.1 of the 2010 edition);
l) Changed "application-level gateway" to "application-level gateway", added the usage rules for "SIP gateway", and incorporated the relevant content of the 2010 edition after modification (see 10.1.3; 7.3 of the 2010 edition);
m) Added the usage rules for "monitoring function" (see 10.1.5);
n) Changed "Security gateway architecture" to "Deploying security gateway controls" and removed the hanging paragraph (see 10.2; 8.1 of the 2010 edition);
o) Deleted the element "Hierarchical approach" (see 8.2 of the 2010 edition);
p) Deleted the paragraph describing the advantages and disadvantages of the "screened host architecture" (see 8.1.3 of the 2010 edition);
q) Added the usage rules for "Packet filtering firewall" (see 10.2.1);
r) Added the element "General" (see 11.1);
s) Changed "Security features and settings" to "Security features settings", added "Support for proxy services for packaged enterprise or other business applications" and "Support for identifying applications running in protocol streams (such as office productivity applications, embedded video, instant messaging, etc.)", and incorporated the recommended clauses of the 2010 edition after modification (see 11.5; 9.4 of the 2010 edition);
t) Added "fine-grained access rights" (see 11.6; 9.6 of the 2010 edition);
u) Deleted the element "Documentation" (see 9.7 of the 2010 edition);
v) Added the elements "Implementation type" and "High availability and operational modes" (see 11.10, 11.11).

This document is equivalent to ISO/IEC 27033-4:2014 "Information technology - Security techniques - Network security - Part 4: Securing communications between networks using security gateways". The following minimal editorial changes have been made to this document:
--- ISO/IEC 27035 (see 9.1) was replaced by GB/T 20985.2-2020, cited informatively;
--- ISO/IEC 27039 (see 9.5) was replaced by GB/T 28454-2020, cited informatively.

Please note that some content of this document may be subject to patents. The issuing agency of this document assumes no responsibility for identifying patents.

This document was proposed by and is under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC260).

This document was drafted by: Heilongjiang Cyberspace Research Center, China Electronics Standardization Institute, Antiy Technology Group Co., Ltd., Heilongjiang Anxin and Cheng Technology Development Co., Ltd., Shanghai Industrial Control Security Innovation Technology Co., Ltd., Harbin University of Science and Technology, Harbin Erbin Institute of Technology.

The main drafters of this document are:
Fang Zhou, Qu Jiaxing, Gu Juntao, Yu Haining, Xiao Hongjiang, Li Linlin, Li Rui, Song Xue, Yang Xiaoxuan, Bai Rui, Wang Dameng, Shangguan Xiaoli, Gan Junjie, Du Yufang, Hu Dayong, Ma Yao, Huang Hai, Shubin, Zhang Guohua, Yan Sijia, Xu Yan, Wu Qiong, Jiang Tianyi, Zhou Ying, Cao Wei, Fang Wei, Tong Songhua, Zhao Chao, Zhu Yulin, Shi Dongqing, Shan Jianzhong, Meng Qingchuan, Ni Hua.

The previous versions of this document and the documents it replaces are as follows:
--- First published in 2010 as GB/T 25068.3-2010.

Introduction
The purpose of GB/T 25068 is to provide detailed guidance on the security aspects of the management, operation, use and interconnection of information system networks, so that those responsible for information security, and especially network security, within an organization can adopt this document to meet their specific needs. It consists of six parts:
--- Part 1: Overview and concepts. Its purpose is to define and describe the concepts related to network security and to provide management guidance.
--- Part 2: Guidelines for the design and implementation of network security. Its purpose is to provide guidance that helps organizations plan, design and implement high-quality network security systems, ensuring that network security is suitable for the relevant business environment.
--- Part 3: Threats, design techniques and control issues for network access scenarios. Its purpose is to enumerate the specific risks, design techniques and control issues related to network security for typical network access scenarios; it applies to all those involved in the planning, design and implementation of network security architecture.
--- Part 4: Securing communications between networks using security gateways. Its purpose is to secure communications between networks using security gateways. It provides guidance on identifying and analysing network security threats associated with security gateways, defining the network security requirements of security gateways based on the threat analysis, and the design techniques of network security architecture that address the threats and controls associated with typical network scenarios, as well as guidance on technical implementation and on issues related to using security gateways to implement, operate, monitor and review network security controls. This part applies to all those involved in the detailed planning, design and implementation of security gateways (for example network architects and designers, network administrators and network security officers).
--- Part 5: Securing communications across networks using virtual private networks. Its purpose is to define the specific risks, design techniques and control issues involved in using virtual private networks to establish secure connections.
--- Part 6: Securing wireless network access. Its purpose is to provide guidance on the selection, implementation and monitoring of the technical controls necessary to provide secure communications using wireless networks.

GB/T 25068 is based on GB/T 22081 "Information technology - Security techniques - Code of practice for information security controls" and provides further detailed implementation guidance on network security controls. GB/T 25068 only emphasizes the importance of business type and other factors affecting network security; it does not specify them.

Where this document involves the use of cryptographic techniques to meet requirements for confidentiality, integrity, authenticity and non-repudiation, the relevant national and industry standards for cryptography shall be followed.

Information technology - Security techniques - Network security - Part 4: Securing communications between networks using security gateways

1 Scope
This document provides guidelines for securing communications between networks using security gateways (firewalls, application firewalls, intrusion prevention systems, etc.), in accordance with a documented information security policy. The guidelines include:
a) identifying and analysing network security threats associated with security gateways;
b) defining the network security requirements of security gateways based on the threat analysis;
c) using techniques for the design and implementation of security gateways to address the threats and control issues associated with typical network scenarios;
d) addressing issues related to implementing, operating, monitoring and reviewing network security gateway controls.

2 Normative references
The contents of the following documents constitute essential provisions of this document through normative references in the text. For dated references, only the version corresponding to that date applies to this document; for undated references, the latest edition (including all amendments) applies to this document.
ISO/IEC 27033-1 Information technology - Security techniques - Network security - Part 1: Overview and concepts
Note: GB/T 25068.1-2020 Information technology - Security techniques - Network security - Part 1: Overview and concepts (ISO/IEC 27033-1:2015, IDT)

3 Terms and definitions
The terms and definitions given in ISO/IEC 27033-1 and the following apply to this document.
3.1 bastion host
A specific host with a hardened operating system, used to intercept packets entering and leaving the network, and to which any outside party accessing services inside the organization's firewall should connect.
3.2 end-point software-based firewall
A software application that protects network traffic to and from a single machine by allowing or denying communications based on end-user-defined security policies.
3.3
An operating system specially configured or designed to minimize the possibility of potentially unwanted content or attacks.
Note: It may be a general-purpose operating system, such as a Linux system specially configured for the environment, or a more highly customized solution.
3.4 Internet gateway
A device that provides a port for access to the Internet.
......