
GB/T 38799-2020 English PDF

US$169.00 · In stock
Delivery: <= 3 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 38799-2020: Technical requirement for security of broadband customer network equipment based on public telecommunication network - Broadband customer gateway
Status: Valid
Standard ID | USD | Buy PDF | Lead-Days | Standard Title (Description) | Status
GB/T 38799-2020 | 169 | Add to Cart | 3 days | Technical requirement for security of broadband customer network equipment based on public telecommunication network - Broadband customer gateway | Valid

Similar standards

YD/T 2554.1   GB/T 9771.1   GB/T 20186.1   GB/T 12357.1   GB/T 38797   

Basic data

Standard ID: GB/T 38799-2020 (GB/T38799-2020)
Description (Translated English): Technical requirement for security of broadband customer network equipment based on public telecommunication network - Broadband customer gateway
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: M33
Classification of International Standard: 33.040.50
Word Count Estimation: 9,952
Date of Issue: 2020-04-28
Date of Implementation: 2020-11-01
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration

GB/T 38799-2020: Technical requirement for security of broadband customer network equipment based on public telecommunication network - Broadband customer gateway


---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
Technical requirement for security of broadband customer network equipment based on public telecommunication network - Broadband customer gateway
ICS 33.040.50
M33
National Standard of the People's Republic of China
Broadband customer network equipment based on public telecommunication network - Security technical requirements - Broadband customer gateway
Issued 2020-04-28, implemented 2020-11-01
Issued by the State Administration for Market Regulation and the National Standardization Management Committee

Table of contents

Foreword
1 Scope
2 Normative references
3 Abbreviations
4 User plane security requirements
4.1 Security management function
4.2 Access control list
4.3 VPN function
4.4 NAT function
4.5 Firewall function
4.6 Anti-attack function
4.7 Security of network access
4.8 WLAN security
5 Control plane security requirements
5.1 PPP user authentication
5.2 Log function
6 Management plane security requirements
6.1 Telnet access
6.2 Web management
6.3 Connection authentication function
7 Reliability requirements
8 Electrical safety requirements

Foreword

This standard was drafted in accordance with the rules given in GB/T 1.1-2009. Please note that certain contents of this document may involve patents. The issuing agency of this document is not responsible for identifying these patents. This standard was proposed by the Ministry of Industry and Information Technology of the People's Republic of China. This standard is under the jurisdiction of the National Communication Standardization Technical Committee (SAC/TC485). Drafting organization of this standard: China Academy of Information and Communications Technology. Main drafters of this standard: Shen Tianjun, Cheng Qiang.

1 Scope

This standard specifies the user plane security requirements, control plane security requirements, management plane security requirements, equipment reliability requirements and electrical safety requirements for broadband customer gateway equipment in broadband customer networks based on public telecommunication networks. This standard applies to gateways in broadband customer networks based on public telecommunication networks.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
YD/T 965 Safety requirements and test methods for telecommunication terminal equipment
IETF RFC 1918 Address Allocation for Private Internets

3 Abbreviations

4 User plane security requirements

4.1 Security management function
4.1.1 Password management
Passwords used on the broadband customer gateway should be at least 8 characters long and composed of digits, letters or special symbols. The gateway may provide a check mechanism to ensure that each password contains characters from at least two of these three classes.
4.1.2 User management
The gateway should have ordinary users and administrator users. An ordinary user may configure and query some non-critical parameters of the gateway, but may not configure critical parameters. An administrator may configure and query critical parameters of the gateway for local maintenance and management.
4.2 Access control list
Access control lists should be implemented. Access control lists based on source MAC address, source IP address, destination IP address, Ethernet protocol type, TCP/UDP source port, TCP/UDP destination port, ToS field and IP protocol type should be supported.
4.3 VPN function
4.3.1 L2TP tunnel
VPNs implemented with L2TP tunnelling should be supported, including LAC and LNS functions and the CHAP authentication protocol.
4.3.2 IPSec tunnel (optional)
VPNs implemented with IPSec tunnelling may optionally be supported.
4.3.3 MPLS VPN (optional)
4.3.3.1 General requirements
Whether L2VPN or L3VPN, data should be forwarded along the LSP strictly by label. Unless required, data of one VPN should not be sent outside that VPN, and data of one VPN should not enter another VPN. When VPN services and Internet services are supported at the same time, in particular when different logical interfaces on the same physical interface carry VPN services and Internet services, the access rate may be limited per logical interface.
4.3.3.2 L2VPN
MAC address and VLAN information should be isolated between VPNs, and MAC address space and VLAN space should be reusable between VPNs and between a VPN and the MPLS backbone. Unless required, information exchange between VPNs, or between a VPN and the MPLS backbone, should be isolated.
4.3.3.3 L3VPN
The commonly used L3VPN technology is BGP/MPLS VPN, which essentially constrains the distribution of routing information through the BGP protocol. The L3VPN requirements are as follows:
---Static routing and dynamic routing should be supported. For dynamic routing, it should be possible to filter routing updates on an interface. Both IGP and EGP routing protocols should support MD5 authentication, and the routing update rate should be limitable per VRF instance.
---Topology and addressing information should be isolated between VPNs. A VPN should be able to use the full Internet address range, including the private address ranges defined in IETF RFC 1918, and IP address space should be reusable between VPNs and between a VPN and the MPLS backbone.
---A separate VRF instance should be maintained for each VPN. Unless required, routing information and its distribution and processing should be independent between VPNs and between a VPN and the MPLS backbone, without mutual interference.
4.4 NAT function
The broadband customer gateway should support NAT, with the following characteristics:
---NAPT should be supported;
---NAT for application protocols such as HTTP, FTP, DNS, H.323 and SIP should be supported;
---output of NAT log records should be supported.
4.5 Firewall function
The broadband customer gateway should support firewall functions. In addition to packet filtering, access control lists and NAT, an application proxy function should be supported, allowing the protected network to access permitted network applications. High, medium and low firewall levels should be supported, and the content of each security level should be modifiable. Configuring the firewall level (high, medium or low) from the local Web interface may optionally be supported. Stateful inspection checks not only network-layer and transport-layer information but also application-layer protocol information, maintains the state of these TCP or UDP sessions in real time, and uses that state for access control decisions. Packet filtering based on stateful inspection should be supported.
4.6 Anti-attack function
4.6.1 Anti-DoS function
The broadband customer gateway should support prevention of DoS attacks such as Ping of Death and SYN Flood; it is recommended that the gateway also be able to prevent attacks on application protocols (for example, DNS).
4.6.2 Anti-port-scanning capability
The broadband customer gateway should provide an anti-port-scanning function and prevent malicious port scanning by other devices or applications.
4.6.3 Limit on the number of MAC addresses learned per port
The broadband customer gateway should be configurable to limit the number of source MAC addresses learned on each user LAN port.
4.6.4 Illegal multicast source control function
The broadband customer gateway should be able to prevent users from acting as multicast sources, and should be configurable to prohibit IGMP Query and multicast data messages from user ports.
4.6.5 Message suppression
The broadband customer gateway should be able to rate-limit broadcast/multicast packets of specific protocols (for example DHCP, ARP, ICMP and IGMP) and to rate-limit other Layer 2 broadcast messages.
4.7 Security of network access
The broadband customer gateway should support a DMZ function. Access control based on MAC addresses and IP addresses (on both LAN and WLAN) should be supported. Black and white lists for URL access control should be supported, and the black and white lists should support binding to a PPPoE account. Online time management based on the PPPoE account initiated by the gateway should be supported.
4.8 WLAN security
The broadband customer gateway should support configuring different SSIDs to distinguish networks, enabling or disabling SSID broadcast, and hiding the SSID. Setting the WLAN transmit power and working channel should also be supported. Authentication of WLAN clients and encryption of data sent and received over the WLAN should be supported.
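The following is an added example written for this page, not text or code from GB/T 38799-2020 or from any gateway firmware. It implements an access control list keyed on the fields 4.2 lists (source MAC, source/destination IP, Ethernet type, IP protocol, TCP/UDP ports, ToS) and wires it to the stateful inspection 4.5 describes, so that reply traffic of a permitted flow passes while an unsolicited TCP segment with no matching state is dropped. The packet and rule field names (smac, sip, dip, ethertype, proto, sport, dport, tos, flags) and the traffic in demo() are constructed for the example.

```python
# Added example (not from the standard or any firmware): first-match ACL on the
# 4.2 fields plus a connection table for 4.5-style stateful filtering.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One ACL entry. A field left as None is a wildcard."""
    action: str                       # "permit" or "deny"
    smac: Optional[str] = None        # source MAC address
    sip: Optional[str] = None         # source IP, exact or CIDR
    dip: Optional[str] = None         # destination IP, exact or CIDR
    ethertype: Optional[int] = None   # Ethernet protocol type, e.g. 0x0800
    proto: Optional[str] = None       # IP protocol: "tcp", "udp", "icmp"
    sport: Optional[int] = None       # TCP/UDP source port
    dport: Optional[int] = None       # TCP/UDP destination port
    tos: Optional[int] = None         # ToS field


def ip_to_int(addr: str) -> int:
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")


def ip_in(addr: str, spec: str) -> bool:
    """Exact match or IPv4 CIDR containment."""
    if "/" not in spec:
        return addr == spec
    net, plen = spec.split("/")
    mask = (0xFFFFFFFF << (32 - int(plen))) & 0xFFFFFFFF
    return ip_to_int(addr) & mask == ip_to_int(net) & mask


def rule_matches(rule: Rule, pkt: dict) -> bool:
    for f in ("smac", "ethertype", "proto", "sport", "dport", "tos"):
        want = getattr(rule, f)
        if want is not None and pkt.get(f) != want:
            return False
    for f in ("sip", "dip"):
        want = getattr(rule, f)
        if want is not None and not ip_in(pkt[f], want):
            return False
    return True


class StatefulFilter:
    """First-match ACL with a connection table and an implicit final deny."""

    def __init__(self, acl):
        self.acl = acl
        self.conns = set()   # forward 5-tuples of flows a permit rule opened

    @staticmethod
    def _fwd(pkt):
        return (pkt["proto"], pkt["sip"], pkt.get("sport"), pkt["dip"], pkt.get("dport"))

    @staticmethod
    def _rev(pkt):
        return (pkt["proto"], pkt["dip"], pkt.get("dport"), pkt["sip"], pkt.get("sport"))

    def process(self, pkt: dict) -> str:
        # Either direction of an established flow passes without an ACL lookup.
        if self._fwd(pkt) in self.conns or self._rev(pkt) in self.conns:
            return "permit"
        # Only a TCP SYN may open new state; a SYN/ACK or ACK arriving with no
        # matching entry (an ACK scan, a spoofed reply) is dropped here.
        if pkt["proto"] == "tcp" and pkt.get("flags") != "S":
            return "deny"
        for rule in self.acl:
            if rule_matches(rule, pkt):
                if rule.action == "permit":
                    self.conns.add(self._fwd(pkt))
                return rule.action
        return "deny"


def demo():
    """Constructed LAN-side policy and traffic; returns the per-packet decisions."""
    acl = [
        Rule("deny", smac="aa:bb:cc:dd:ee:ff"),                       # blocked LAN device
        Rule("permit", sip="192.168.1.0/24", proto="tcp", dport=80),  # LAN -> web
        Rule("permit", sip="192.168.1.0/24", proto="udp", dport=53),  # LAN -> DNS
    ]
    fw = StatefulFilter(acl)
    lan, web, dns, attacker = "192.168.1.10", "203.0.113.5", "8.8.8.8", "198.51.100.7"
    stream = [
        dict(smac="aa:bb:cc:dd:ee:ff", sip=lan, dip=web, proto="tcp", sport=40000, dport=80, flags="S"),
        dict(smac="00:11:22:33:44:55", sip=lan, dip=web, proto="tcp", sport=40000, dport=80, flags="S"),
        dict(smac="02:00:00:00:00:01", sip=web, dip=lan, proto="tcp", sport=80, dport=40000, flags="SA"),
        dict(smac="02:00:00:00:00:01", sip=web, dip=lan, proto="tcp", sport=80, dport=40001, flags="SA"),
        dict(smac="02:00:00:00:00:01", sip=attacker, dip=lan, proto="tcp", sport=1234, dport=22, flags="S"),
        dict(smac="00:11:22:33:44:55", sip=lan, dip=dns, proto="udp", sport=5353, dport=53),
        dict(smac="02:00:00:00:00:01", sip=dns, dip=lan, proto="udp", sport=53, dport=5353),
        dict(smac="00:11:22:33:44:55", sip=lan, dip=web, proto="tcp", sport=40002, dport=443, flags="S"),
    ]
    return [fw.process(p) for p in stream]
```

The fourth packet is the case stateful inspection exists for: a SYN/ACK to a port the LAN host never opened is dropped even though no ACL rule mentions it, and the WAN-originated SSH attempt in the fifth packet falls through to the implicit deny. A real gateway would also expire entries and track TCP state beyond "open", which is omitted here.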
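The next block is an added example for three of the anti-attack functions in 4.6: anti-port-scanning (4.6.2), the per-port limit on learned source MACs (4.6.3), and rate suppression of broadcast frames such as ARP (4.6.5). It is illustration written for this page, not the standard's text or vendor code; the thresholds, class names and the packet stream in demo() are constructed and are not values the standard specifies.

```python
# Added example (not from the standard or any firmware): sliding-window port
# scan detection, per-port MAC learning cap, and a token bucket for broadcasts.
from collections import defaultdict, deque


class PortScanDetector:
    """Flag a source that touches more than `threshold` distinct destination
    ports within a sliding `window` of seconds (4.6.2)."""

    def __init__(self, threshold=10, window=5.0):
        self.threshold, self.window = threshold, window
        self.hits = defaultdict(deque)   # src ip -> deque of (timestamp, dport)

    def observe(self, ts, src, dport) -> bool:
        q = self.hits[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > self.window:   # expire hits outside the window
            q.popleft()
        return len({p for _, p in q}) > self.threshold


class MacLearningLimiter:
    """Cap on source MACs learned per user port; new MACs beyond the cap are
    refused so one port cannot flood the forwarding table (4.6.3)."""

    def __init__(self, per_port_limit=4):
        self.limit = per_port_limit
        self.table = defaultdict(set)    # port name -> learned MACs

    def learn(self, port, mac) -> bool:
        learned = self.table[port]
        if mac in learned:
            return True
        if len(learned) >= self.limit:
            return False
        learned.add(mac)
        return True


class TokenBucket:
    """Rate-limit one class of frames (e.g. ARP broadcasts) to `rate` per
    second with a `burst` allowance (4.6.5)."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, ts) -> bool:
        self.tokens = min(self.burst, self.tokens + (ts - self.last) * self.rate)
        self.last = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def demo():
    # Constructed traffic: one host sweeps ports 1..15 in 1.5 s, another
    # host makes fifty connections to port 80 only.
    scan = PortScanDetector(threshold=10, window=5.0)
    first_alert_port = None
    for i, port in enumerate(range(1, 16)):
        if scan.observe(0.1 * i, "198.51.100.9", port) and first_alert_port is None:
            first_alert_port = port
    benign_alerts = any(scan.observe(0.1 * i, "203.0.113.5", 80) for i in range(50))

    # Constructed: six MACs appear behind LAN port 1, two behind LAN port 2.
    macs = MacLearningLimiter(per_port_limit=4)
    accepted_lan1 = sum(macs.learn("LAN1", f"02:00:00:00:00:{i:02x}") for i in range(6))
    accepted_lan2 = sum(macs.learn("LAN2", f"02:00:00:00:01:{i:02x}") for i in range(2))

    # Constructed: ten ARP broadcasts at t=0, then one more at t=1 s.
    arp = TokenBucket(rate=5, burst=5)
    arp_allowed = sum(arp.allow(0.0) for _ in range(10)) + int(arp.allow(1.0))

    return {
        "first_alert_port": first_alert_port,   # the 11th distinct port trips threshold 10
        "benign_alerts": benign_alerts,
        "accepted_lan1": accepted_lan1,
        "accepted_lan2": accepted_lan2,
        "arp_allowed": arp_allowed,
    }
```

The scan detector keys on distinct destination ports rather than packet count, so a busy but legitimate client that hammers one port is not flagged; on a gateway the natural response to an alert is to drop further packets from that source for a hold-down period.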

5 Control plane security requirements

5.1 PPP user authentication
PPP, as a data link layer protocol, does not have complete security capabilities. User access authentication in PAP mode should be supported: when accessing via PPPoE, user authentication may be performed with PAP. User access authentication in CHAP mode should be supported: when accessing via PPPoE, user authentication may be performed with CHAP. User access authentication based on operator information should be supported: during dialling, the gateway extracts the operator information and, based on this information, determines whether to proceed with the subsequent dialling process. Proxying of user access authentication based on the PPPoE user account may optionally be supported. That is, after the broadband customer gateway receives the user terminal's PPPoE access request containing the user name and password, the gateway terminates that PPPoE request and uses the intercepted user name and password to initiate a link request to the network side. The broadband customer gateway assigns an internal network address to the user terminal so that the terminal can access the network. When the broadband customer gateway receives a new user terminal dialling with the same user name and password, it directly allocates an internal network address for that terminal, does not initiate a new connection to the network side, and uses the existing connection. When there are multiple network-side PPPoE connections with different accounts, a user-side connection should be bound only to the network-side connection of the corresponding account.
5.2 Log function
To provide logging of control plane information, the gateway should have an independent firewall log that records the network behaviour in the broadband customer network, detected by the device, that violates the firewall rules; each record should be timestamped. The firewall log should hold at least 100 records. If the number of logs generated exceeds the capacity, the latest records should be kept and the earliest overwritten. The firewall log should not be modifiable, and should not be deletable except by a reset to the factory/default configuration. The log should record security events such as filtering rule hits, denied access and configuration modifications. The requirements for logs are:
---each security log entry should include the subject of the event, the time of occurrence and a description of the event;
---logs should be storable in the local system's cache area or sent to a dedicated log host for further processing;
---real-time printing on a dedicated printer or display terminal connected to the device is optional;
---log severity levels should be defined, and output should be filterable by severity;
---an interface to the log host should be supported.
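The following is an added example, written for this page and not taken from the standard or from any PPP implementation, of the two PPP authentication methods 5.1 requires (and of CHAP, which 4.3.1 also names for L2TP). PAP (RFC 1334) sends the password itself in the Authenticate-Request, so anyone on the path reads it; CHAP (RFC 1994) has the authenticator send a random challenge and the peer answer with MD5(Identifier || secret || Challenge), so the secret never crosses the link and an old response cannot be replayed against a new challenge. The message dicts, the subscriber record and the fixed challenge bytes in demo() are constructed.

```python
# Added example (not from the standard or any PPP stack): PAP and CHAP, both
# sides, as plain functions over dict-shaped messages.
import hashlib
import hmac
import os


# --- PAP (RFC 1334): the peer sends its password as-is.
def pap_request(peer_id: str, password: str) -> dict:
    return {"code": "Authenticate-Request", "peer_id": peer_id, "password": password}


def pap_verify(req: dict, secrets: dict) -> bool:
    expected = secrets.get(req["peer_id"])
    return expected is not None and hmac.compare_digest(expected, req["password"].encode())


# --- CHAP (RFC 1994): challenge from the authenticator, hashed proof from the peer.
def chap_challenge(identifier: int, value: bytes = None) -> dict:
    # `value` is only overridable so the demo is repeatable; real use is os.urandom.
    return {"code": "Challenge", "id": identifier, "value": value or os.urandom(16)}


def chap_digest(identifier: int, secret: bytes, challenge_value: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret + challenge_value).digest()


def chap_response(challenge: dict, name: str, secret: bytes) -> dict:
    return {"code": "Response", "id": challenge["id"], "name": name,
            "value": chap_digest(challenge["id"], secret, challenge["value"])}


def chap_verify(challenge: dict, response: dict, secrets: dict) -> bool:
    """Authenticator side. The stored secret must be the cleartext secret:
    CHAP cannot be verified from a one-way password hash."""
    secret = secrets.get(response["name"])
    if secret is None or response["id"] != challenge["id"]:
        return False
    expected = chap_digest(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])


def demo():
    secrets = {"user@isp": b"s3cret-pw!"}          # constructed subscriber record

    # PAP: the password is literally in the request that goes over the link.
    req = pap_request("user@isp", "s3cret-pw!")
    pap_ok = pap_verify(req, secrets)
    pap_leaks = req["password"] == "s3cret-pw!"

    # CHAP: a fresh challenge and a valid response.
    c1 = chap_challenge(1, value=bytes(range(16)))   # fixed bytes for a repeatable demo
    r1 = chap_response(c1, "user@isp", b"s3cret-pw!")
    chap_ok = chap_verify(c1, r1, secrets)

    # Replaying r1 against a new challenge fails; a wrong secret fails.
    c2 = chap_challenge(2, value=bytes(range(16, 32)))
    replay_ok = chap_verify(c2, r1, secrets)
    bad_secret_ok = chap_verify(c2, chap_response(c2, "user@isp", b"wrong"), secrets)

    return {"pap_ok": pap_ok, "pap_leaks": pap_leaks, "chap_ok": chap_ok,
            "replay_ok": replay_ok, "bad_secret_ok": bad_secret_ok}
```

Two caveats a practitioner should keep in mind: CHAP hides the secret from the link but an eavesdropper who captures a challenge/response pair can run an offline dictionary attack on a weak secret, which is one reason the 4.1.1 password rule matters for the PPPoE account as well; and because the authenticator needs the cleartext secret, the network side cannot store it as a salted hash the way a Web login password would be.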

6 Management plane security requirements

6.1 Telnet access
The Telnet protocol is used for remote login to network devices. If a Telnet service is provided to users, it is recommended that the following be met:
---the user should provide a user name/password before subsequent operations, and the user's address and operations should be recorded in the log;
---the number of users who can access simultaneously should be limited;
---if there is no interaction within a set time, the user should be automatically logged out;
---it should be possible to limit the IP addresses from which users may access the device via Telnet;
---the Telnet service should be able to be turned off when necessary.
6.2 Web management
Web management is based on the HTTP protocol. The broadband customer gateway should support Web management and meet the following:
---the user should provide a user name/password before subsequent operations, and the user's address and operations should be recorded in the log;
---it should be possible to limit the IP addresses from which users may access the device via HTTP;
---the HTTP service should be able to be turned off when necessary;
---SSL/TLS should be supported.
6.3 Connection authentication function
The gateway should have security measures that ensure the security of the RMS's remote management and control of the gateway and prevent illegal configuration of the gateway. At the same time, the gateway should have security mechanisms such as connection authentication for remote network management, modification of the management authentication account, system logs and security logs, and protection of management information in transit, to ensure the security of remote management.
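The following is an added example, written for this page and not taken from the standard or from any gateway firmware, of the management-plane access controls 6.1 and 6.2 share (user name/password before any operation, logging of the user's address and operation, a cap on concurrent sessions, idle logout, and a source-address restriction), together with the 4.1.1 password rule and the ordinary-user/administrator split of 4.1.2. The log is the bounded, oldest-overwritten record 5.2 describes. Operation names, the 300-second idle timeout, the two-session limit, the allowed subnet and the events in demo() are all constructed for the example, not values from the standard.

```python
# Added example (not from the standard or any firmware): management sessions
# with password policy, role check, address restriction, idle logout and audit log.
import ipaddress
from collections import deque


def password_acceptable(pw: str) -> bool:
    """4.1.1: at least 8 characters, from at least two of
    {digits, letters, special symbols}."""
    if len(pw) < 8:
        return False
    classes = (any(c.isdigit() for c in pw), any(c.isalpha() for c in pw),
               any(not c.isalnum() for c in pw))
    return sum(classes) >= 2


class ManagementPlane:
    # Constructed: operations that 4.1.2 would class as "important parameters".
    IMPORTANT_OPS = {"set_wan_account", "set_firewall_level", "firmware_upgrade"}

    def __init__(self, allowed_nets=("192.168.1.0/24",), max_sessions=2, idle_timeout=300):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_nets]
        self.max_sessions, self.idle_timeout = max_sessions, idle_timeout
        self.accounts = {}            # name -> (password, role)
        self.sessions = {}            # token -> {"user", "ip", "last"}
        self.log = deque(maxlen=100)  # (ts, user, ip, event); oldest entry overwritten
        self._next_token = 1

    def add_account(self, name, password, role="user"):
        if not password_acceptable(password):
            raise ValueError("password does not meet 4.1.1")
        self.accounts[name] = (password, role)

    def login(self, ts, ip, name, password):
        if not any(ipaddress.ip_address(ip) in n for n in self.allowed):
            self.log.append((ts, name, ip, "login denied: address not allowed"))
            return None
        self._expire(ts)
        if len(self.sessions) >= self.max_sessions:
            self.log.append((ts, name, ip, "login denied: session limit"))
            return None
        if self.accounts.get(name, (None,))[0] != password:
            self.log.append((ts, name, ip, "login failed"))
            return None
        token, self._next_token = self._next_token, self._next_token + 1
        self.sessions[token] = {"user": name, "ip": ip, "last": ts}
        self.log.append((ts, name, ip, "login ok"))
        return token

    def request(self, ts, token, op):
        self._expire(ts)
        s = self.sessions.get(token)
        if s is None:
            return "no session"
        s["last"] = ts
        role = self.accounts[s["user"]][1]
        if op in self.IMPORTANT_OPS and role != "admin":
            self.log.append((ts, s["user"], s["ip"], f"denied {op}"))
            return "denied"
        self.log.append((ts, s["user"], s["ip"], f"ok {op}"))
        return "ok"

    def _expire(self, ts):
        stale = [t for t, s in self.sessions.items() if ts - s["last"] > self.idle_timeout]
        for tok in stale:
            s = self.sessions.pop(tok)
            self.log.append((ts, s["user"], s["ip"], "idle logout"))


def demo():
    mp = ManagementPlane()
    mp.add_account("admin", "Gw-Adm1n!", role="admin")
    mp.add_account("user", "viewonly9")
    out = {"weak_pw_rejected": not password_acceptable("abcdefgh")}   # letters only
    out["wan_login"] = mp.login(0, "203.0.113.9", "admin", "Gw-Adm1n!")       # WAN address
    a = mp.login(1, "192.168.1.20", "admin", "Gw-Adm1n!")
    u = mp.login(2, "192.168.1.21", "user", "viewonly9")
    out["third_session"] = mp.login(3, "192.168.1.22", "user", "viewonly9")  # over the cap
    out["user_important"] = mp.request(4, u, "set_wan_account")
    out["user_query"] = mp.request(5, u, "get_status")
    out["admin_important"] = mp.request(6, a, "set_firewall_level")
    out["after_idle"] = mp.request(6 + 301, a, "get_status")                # idle timeout hit
    out["log_entries"] = len(mp.log)
    return out
```

The model is transport-agnostic on purpose: none of these checks protect the credential on the wire. Telnet carries the user name, password and every subsequent command in cleartext, which is why 6.1 allows the Telnet service to be switched off and 6.2 requires SSL/TLS for the Web interface; in practice the address restriction plus a disabled Telnet service is what keeps the management plane off the WAN side.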

7 Reliability requirements

The broadband customer gateway should provide automatic rollback after a failed software upgrade, preservation of key configuration, remote diagnosis, remote restart and similar features.

8 Electrical safety requirements

The broadband customer gateway should meet the electrical safety requirements in YD/T 965.
......

Tips & Frequently Asked Questions:

Question 1: How long will the true-PDF of GB/T 38799-2020_English be delivered?

Answer: Upon your order, we will start to translate GB/T 38799-2020_English as soon as possible, and keep you informed of the progress. The lead time is typically 1 ~ 3 working days. The lengthier the document the longer the lead time.

Question 2: Can I share the purchased PDF of GB/T 38799-2020_English with my colleagues?

Answer: Yes. The purchased PDF of GB/T 38799-2020_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.

Question 3: Does the price include tax/VAT?

Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countries

Question 4: Do you accept my currency other than USD?

Answer: Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. Within 2 working hours, we will create a special link for you to pay in any currency. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.