GB/T 20281-2020 PDF English (GB/T 20281-2015: Older version)


Search result: GB/T 20281-2020 (GB/T 20281-2015 Older version)

Standard ID | USD | Lead-Days | Standard Title (Description) | Status
GB/T 20281-2020 | 575 | Auto, < 3 mins | Information Security Technology - Security Technical Requirements and Testing Assessment Approaches for Firewall | Valid
GB/T 20281-2015 | 150 | Auto, < 3 mins | Information security technology -- Security technical requirements and testing and evaluation approaches for firewall | Obsolete
GB/T 20281-2006 | RFQ | 9 days | Information security technology Firewall technical requirements and test evaluation method | Obsolete

Similar standards: GB/T 20278   GB/T 20280   GB/T 20279   

GB/T20281-2020 (GBT20281-2020): PDF in English

GB/T 20281-2020
GB NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 20010-2005, GB/T 20281-2015, GB/T 31505-2015 and GB/T 32917-2016

Information Security Technology - Security Technical Requirements and Testing Assessment Approaches for Firewall

ISSUED ON: APRIL 28, 2020
IMPLEMENTED ON: NOVEMBER 1, 2020
Issued by: State Administration for Market Regulation; Standardization Administration of the People's Republic of China.

Table of Contents
Foreword ... 3
1 Scope ... 5
2 Normative References ... 5
3 Terms and Definitions ... 5
4 Abbreviations ... 6
5 Overview ... 7
6 Security Technical Requirements ... 8
7 Testing and Assessment Methods ... 28
Appendix A (normative) Classification of Firewalls and Security Technical Requirements ... 83
Appendix B (normative) Classification of Firewalls and Testing and Assessment Methods ... 91

Information Security Technology - Security Technical Requirements and Testing Assessment Approaches for Firewall

1 Scope
This Standard specifies the classification, security technical requirements and testing assessment methods for firewalls. This Standard is applicable to the design, development and testing of firewalls.

2 Normative References
The following documents are indispensable to the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 18336.3-2015 Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 3: Security Assurance Components
GB/T 25069-2010 Information Security Technology - Glossary

3 Terms and Definitions
The terms and definitions given in GB/T 25069-2010 and the following apply to this document.
3.1 Firewall
A network security product that analyzes the passing data flow and implements access control and security protection functions.
NOTE: According to their security purposes and implementation principles, firewalls are generally divided into network-based firewalls, WEB application firewalls, database firewalls, host-based firewalls, etc.

3.2 Network-based Firewall
A network security product that is deployed between different security domains, analyzes the passing data flow, and possesses network layer and application layer access control and security protection functions.

6.1.1.2.1 Static routing
The products shall support the function of static routing and be able to configure static routes.

6.1.1.2.2 Policy routing
Products with multiple network interfaces of the same attribute (multiple external network interfaces, multiple internal network interfaces or multiple DMZ network interfaces) shall support the function of policy routing, which includes, but is not limited to:
a) Source and destination IP-based policy routing;
b) Interface-based policy routing;
c) Protocol and port-based policy routing;
d) Application type-based policy routing;
e) Multi-link load-based automatic route selection.

6.1.1.2.3 Dynamic routing
The products shall support the function of dynamic routing, including one or more of the dynamic routing protocols RIP, OSPF or BGP.

6.1.1.3 High availability
6.1.1.3.1 Redundant deployment
The products shall support one or more of the redundant deployment modes "master-standby", "master-master" or "cluster".
6.1.1.3.2 Load balancing
The products shall support the function of load balancing and be able to distribute network traffic to multiple servers based on security policies.
6.1.1.4 Device virtualization (optional)
6.1.1.4.1 Virtual system
If the products support logical division into multiple virtual subsystems, isolation and independent management shall be supported among the virtual subsystems, which include, but are not limited to:
a) Set up separate administrators for each virtual subsystem, so as to manage and configure the virtual subsystems;
b) Tunnel: encapsulate IPv6 in IPv4 to traverse IPv4 networks, such as IPv6 over IPv4, IPv6 to IPv4, ISATAP, etc.

6.1.2 Network layer access
6.1.2.1 Access control
6.1.2.1.1 Packet filtering
The requirements for the products' packet filtering function are as follows:
a) Security policy shall adopt the principle of least security, namely, whatever is not explicitly permitted is prohibited;
b) Security policy shall include source IP address and destination IP address-based access control;
c) Security policy shall include source port and destination port-based access control;
d) Security policy shall include protocol type-based access control;
e) Security policy shall include MAC address-based access control;
f) Security policy shall include time-based access control;
g) Support user-defined security policy, which combines some or all of MAC address, IP address, port, protocol type and time.

6.1.2.1.2 Network address translation
The requirements for the products' network address translation are as follows:
a) Support SNAT and DNAT;
b) SNAT shall implement "many-to-one" address translation, so that when an internal network host accesses the external network, its source IP address is translated;
c) DNAT shall implement "one-to-many" address translation, which maps the IP address/port of the DMZ to a legal IP address/port of the external network, so that an external network host can access the DMZ server by accessing the mapped address and port;
d) Support dynamic SNAT technology and implement "many-to-many" SNAT.
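The packet filtering requirements of 6.1.2.1.1, as an added Python illustration (not text or code from the standard): a first-match, default-deny policy evaluator whose rules combine the attributes of items b) to g). The policy, addresses and packets are constructed samples; times are carried as zero-padded "HH:MM" strings.

```python
# Added illustration (not text or code from GB/T 20281-2020): a default-deny packet
# filter over the rule attributes of 6.1.2.1.1; policy and packets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str                                # "permit" or "deny"
    src: Optional[str] = None                  # source CIDR (clause b)
    dst: Optional[str] = None                  # destination CIDR (clause b)
    dport: Optional[Tuple[int, int]] = None    # inclusive destination port range (clause c)
    proto: Optional[str] = None                # "tcp", "udp", "icmp" (clause d)
    mac: Optional[str] = None                  # source MAC (clause e)
    window: Optional[Tuple[str, str]] = None   # active time of day, "HH:MM" strings (clause f)
    def matches(self, pkt: dict) -> bool:
        # None is a wildcard; every set field must match, so one rule can combine them (clause g).
        if self.src and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.dport and not self.dport[0] <= pkt["dport"] <= self.dport[1]:
            return False
        if self.proto and self.proto != pkt["proto"]:
            return False
        if self.mac and self.mac.lower() != pkt["mac"].lower():
            return False
        if self.window and not self.window[0] <= pkt["time"] <= self.window[1]:
            return False
        return True

def evaluate(rules: List[Rule], pkt: dict) -> str:
    """First matching rule wins; a packet no rule permits is denied (clause a)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# Constructed policy: no telnet into the DMZ; LAN web access only during office hours.
POLICY = [
    Rule("deny", src="10.0.0.0/8", dst="192.0.2.0/24", proto="tcp", dport=(23, 23)),
    Rule("permit", src="10.0.0.0/8", proto="tcp", dport=(80, 80), window=("08:00", "18:00")),
]

def sample_packet(**overrides) -> dict:
    """Constructed LAN-to-Internet HTTP packet; override fields to probe the policy."""
    pkt = dict(src="10.1.2.3", dst="198.51.100.7", dport=80, proto="tcp",
               mac="aa:bb:cc:dd:ee:ff", time="09:30")
    pkt.update(overrides)
    return pkt
```

A packet that matches no rule at all (for example UDP, or HTTPS on port 443) is denied without any explicit deny rule, which is the behaviour item a) asks for.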
6.1.2.1.3 State detection
The products shall support a packet filtering function based on state detection (stateful inspection) technology.

The products shall support the user authentication-based network access control function, which includes, but is not limited to:
a) Local user authentication mode;
b) Authentication mode combined with third-party authentication systems, such as Radius and LDAP server-based authentication.

6.1.3.2 Application type control
The products shall support identification and control of various application types based on application characteristics, which include, but are not limited to:
a) HTTP protocol;
b) Database protocols;
c) Commonly seen protocols: FTP, TELNET, SMTP, POP3 and IMAP;
d) Instant chat, P2P, network streaming, online games, stock trading and other applications;
e) Applications with escape or tunnel encryption characteristics, for example encryption proxy applications;
f) Customized applications.

6.1.3.3 Application content control
6.1.3.3.1 WEB application
The products shall support control of access to WEB applications based on the following content, which includes, but is not limited to:
a) URL; have a library of classified websites;
b) Keywords of HTTP transfer content;
c) HTTP request methods, including GET, POST, PUT and HEAD, etc.;
d) HTTP request file type;
e) Length of each field in the HTTP protocol header, including general-header, request-header and response-header, etc.;
f) HTTP upload file type;
g) HTTP request frequency;
h) Response content returned by HTTP, for example, error message returned by
and destination port, etc.;
3) Description of attack event.
c) Log management:
1) Only authorized administrators are allowed to access the logs; provide functions of log review and export, etc.;
2) Be able to query audit events by date, time, subject, object and other conditions;
3) The log is stored on a non-volatile storage medium that survives power-off;
4) The log storage period is set to not less than 6 months;
5) When the storage space reaches the threshold, it shall be able to notify the authorized administrators and ensure the normal operation of the audit functions;
6) The log shall support automated backup to other storage devices.

6.1.5.2 Security warning
The products shall support warning of the attack behaviors in 6.1.4 and be able to issue a combined warning for the same warning events that occur at a high frequency, so as to avoid warning storms. The warning information shall at least include the following content:
a) Event subject;
b) Event object;
c) Event description;
d) Hazard level;
e) The date and time of the occurrence of the event.

6.1.5.3 Statistics
6.1.5.3.1 Network traffic statistics
The products shall support a graphical interface to display network traffic, which includes, but is not limited to:
a) Statistics of the network traffic by IP, time period and protocol type, or a combination of the above conditions;
being illegally used;
g) For authorized administrators, select two or more combined authentication technologies for identity authentication.
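The combined warning that 6.1.5.2 requires against warning storms, as an added Python example not drawn from the standard: repeats of the same event (same subject, object and description) arriving within a constructed 60-second window are folded into one warning that still carries the fields a) to e) plus a repeat count. The event stream is constructed sample data.

```python
# Added illustration (not text or code from GB/T 20281-2020): folding repeated
# warnings for the same event into one combined warning, as 6.1.5.2 requires in
# order to avoid warning storms. Events and the 60 s window are constructed samples.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Alert:
    subject: str        # a) event subject, e.g. the attacking source
    obj: str            # b) event object, e.g. the protected target
    description: str    # c) event description
    hazard: str         # d) hazard level
    ts: int             # e) date and time (epoch seconds) of first occurrence
    count: int = 1      # repeats folded into this warning
    last_ts: Optional[int] = None   # time of the latest folded repeat

    def __post_init__(self):
        if self.last_ts is None:
            self.last_ts = self.ts

    def text(self) -> str:
        span = f" x{self.count}, {self.ts}..{self.last_ts}" if self.count > 1 else ""
        return f"[{self.hazard}] {self.subject} -> {self.obj}: {self.description}{span}"

def aggregate(events: List[Alert], window: int = 60) -> List[Alert]:
    """Events sharing subject/object/description within `window` seconds of the
    group's first event become one warning that carries the repeat count."""
    groups: Dict[Tuple[str, str, str], Alert] = {}
    out: List[Alert] = []
    for ev in sorted(events, key=lambda a: a.ts):
        key = (ev.subject, ev.obj, ev.description)
        cur = groups.get(key)
        if cur is not None and ev.ts - cur.ts <= window:
            cur.count += 1          # suppressed: same event inside the open window
            cur.last_ts = ev.ts
            continue
        if cur is not None:
            out.append(cur)         # window closed: release the combined warning
        groups[key] = ev            # first sighting (or a new window) opens a group
    out.extend(groups.values())
    return sorted(out, key=lambda a: a.ts)

def sample_events() -> List[Alert]:
    """Constructed input: a 500-warning flood burst over 25 s, one unrelated
    warning, and the same flood again after the window has closed."""
    flood = [Alert("203.0.113.9", "198.51.100.7:80", "SYN flood", "high", 1000 + i // 20)
             for i in range(500)]
    scan = [Alert("203.0.113.44", "198.51.100.7", "port scan", "medium", 1010)]
    later = [Alert("203.0.113.9", "198.51.100.7:80", "SYN flood", "high", 1200)]
    return flood + scan + later
```

The 502 input warnings collapse to three: the flood burst as one warning with count 500 and the time span of the burst, the unrelated port-scan warning, and a fresh warning for the flood that resumed after the window closed.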
6.2.2 Management capabilities
The security requirements for the products' management capabilities include, but are not limited to:
a) Provide authorized administrators with the function of setting and modifying data parameters related to security management;
b) Provide authorized administrators with the function of setting, querying and modifying the various security policies;
c) Provide authorized administrators with the function of managing audit logs;
d) Support the capability of updating its own system, including upgrades of the software system and of the various feature libraries;
e) Be able to synchronize system time from an NTP server;
f) Support synchronization of logs, warnings and other information to a log server through the SYSLOG protocol;
g) Administrator roles shall be distinguished and divided into system administrators, security operators and security auditors; the permissions of the three types of administrator roles shall restrict each other;
h) Provide a security policy validity check function, for example, security policy matching detection.
6.2.3 Management .......
Source: https://www.ChineseStandard.net/PDF.aspx/GBT20281-2020