GA/T 1788.2-2021 PDF in English
GA/T 1788.2-2021 (GA/T1788.2-2021, GAT 1788.2-2021, GAT1788.2-2021)
Standard ID | Contents | USD | Delivery | Name of Chinese Standard | Status
GA/T 1788.2-2021 | English | 170 | PDF, auto-delivery in 0-9 seconds | Security technical requirements for video and image information system for public security -- Part 2: Front-end device | Valid
GA
PUBLIC SECURITY INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 13.310
CCS A 91
Security technical requirements for video and image
information system for public security - Part 2: Front-end
device
ISSUED ON: JULY 20, 2021
IMPLEMENTED ON: DECEMBER 01, 2021
Issued by: Ministry of Public Security of the People's Republic of China.
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms, definitions and abbreviations
3.1 Terms and definitions
3.2 Abbreviations
4 Classification and grading of front-end device
5 Security technical requirements
5.1 General requirements
5.2 Physical security
5.3 Identification
5.4 Access control
5.5 Intrusion prevention
5.6 Data security
5.7 Certificate and key management
5.8 Log security
5.9 Management and control of wireless interactive front-end device
5.10 Bearer business of wireless front-end device
Security technical requirements for video and image
information system for public security - Part 2: Front-end
device
1 Scope
This document specifies the classification and grading description of the front-end
device in the public security video and image information system, as well as the security
technical requirements for the front-end device.
This document is applicable to the design, manufacture and inspection of the front-end
device of the public security video and image information system.
2 Normative references
The following referenced documents are indispensable for the application of this
document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
GB/T 20271, Information security technology - Common security techniques
requirement for information system
GB/T 28181-2016, Technical requirements for information transport, switch and
control in video surveillance network system for public security
GB 35114-2017, Technical requirements for information security of video
surveillance network system for public security
GM/T 0021, One time password application of cryptography algorithm
GA/T 1400-2017 (all parts), Video and image information application system for
public security - Part 1: General technical requirements
GA/T 1788.1-2021, Security technical requirements for video and image
information system for public security - Part 1: General requirements
3 Terms, definitions and abbreviations
3.1 Terms and definitions
The terms and definitions defined in GB/T 28181-2016, GB/T 20271, GB 35114-2017,
GA/T 1788.1-2021 apply to this document.
3.2 Abbreviations
The following abbreviations apply to this document.
HTTP: Hyper Text Transfer Protocol
IP: Internet Protocol
MAC: Media Access Control
OTA: Over the Air
SIM: Subscriber Identity Module
SSH: Secure Shell
SSID: Service Set Identifier
TLS: Transport Layer Security
WEP: Wired Equivalent Privacy
WIFI: Wireless Fidelity
WLAN: Wireless Local Area Network
WPA: Wi-Fi Protected Access
WPS: Wi-Fi Protected Setup
WSSE: Web Service Security
4 Classification and grading of front-end device
4.1 Front-end device is divided into wired front-end device and wireless front-end
device according to the transmission mode. Front-end device that completes access,
transmission, and use based on wireless communication technology is called wireless
front-end device.
front-end device transmitted using the GB/T 28181 protocol, the certification process
shall comply with the provisions of 9.1 in GB/T 28181-2016. The front-end device
using GA/T 1400 protocol transmission shall comply with the provisions of 7.2.1 and
7.3.1 in GA/T 1400.4-2017. The front-end device accessed by HTTP protocol shall
support security mode for identity authentication, such as Digest authentication and
WSSE authentication.
5.3.1.4 When the front-end device is connected, and when a collection device is
connected to an access device, device identity authentication based on digital
certificates is adopted. The front-end device authentication process shall comply with
the provisions of C.2 in Annex C of GB 35114-2017.
5.3.2 Authentication failure processing
5.3.2.1 After the front-end device fails to authenticate 5 times in a row, it shall lock the
account for no less than 5 min. The number of consecutive authentication failures and
the lock time may be configurable.
5.3.2.2 After the account of the front-end device is locked, it can be unlocked by one or
more methods, such as unlocking by a user with higher authority.
5.3.3 Timeout processing
5.3.3.1 The communication session shall support setting the maximum timeout period.
If the timeout period can be modified, it shall only be set by authorized users.
5.3.3.2 If the communication session does not perform any operations within the
maximum timeout period, the session shall be terminated. Identity verification shall be
performed when operating again.
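The lockout and session-timeout rules of 5.3.2 and 5.3.3, as an added worked example in Go. This is illustrative code written for this page, not code from the standard or from any device vendor. It assumes an in-memory account store for a single device, takes the standard's minimums (5 consecutive failures, a 5 min lock) as the defaults, adds a 10-minute idle timeout that the standard leaves to the implementer, and keeps plaintext passwords where a real device would store a salted hash; the clock is injected so that lock and idle expiry can be exercised without waiting.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Policy holds the values that 5.3.2.1 and 5.3.3.1 require to be settable; on a
// real device only an authorized user may change them (5.3.3.1).
type Policy struct {
	MaxFailures  int           // consecutive failures before lockout (standard: 5)
	LockDuration time.Duration // minimum lock time (standard: 5 min)
	MaxIdle      time.Duration // session idle timeout (the default below is an assumption)
}
var (
	ErrBadCredentials = errors.New("authentication failed")
	ErrLocked         = errors.New("account locked")
	ErrUnauthorized   = errors.New("requires a higher-authority user")
	ErrSessionExpired = errors.New("session ended; authenticate again")
)
type account struct {
	password    []byte // constructed plaintext; a real device stores a salted hash
	admin       bool
	failures    int
	lockedUntil time.Time
}
type Session struct {
	User       string
	LastActive time.Time
}
// Device models the authentication state of one front-end device.
type Device struct {
	Policy   Policy
	accounts map[string]*account
	sessions map[string]*Session
	now      func() time.Time // injectable clock so lock and idle expiry can be tested offline
}
func NewDevice(now func() time.Time) *Device {
	p := Policy{MaxFailures: 5, LockDuration: 5 * time.Minute, MaxIdle: 10 * time.Minute}
	return &Device{Policy: p, accounts: map[string]*account{}, sessions: map[string]*Session{}, now: now}
}
func (d *Device) AddAccount(name, password string, admin bool) {
	d.accounts[name] = &account{password: []byte(password), admin: admin}
}
// Login applies 5.3.2.1: the MaxFailures-th consecutive wrong password locks the
// account for LockDuration; a correct one resets the count and opens a session.
func (d *Device) Login(name, password, sessionID string) error {
	acc, ok := d.accounts[name]
	if !ok {
		return ErrBadCredentials // same error as a wrong password
	}
	now := d.now()
	if now.Before(acc.lockedUntil) {
		return ErrLocked
	}
	if subtle.ConstantTimeCompare(acc.password, []byte(password)) != 1 {
		acc.failures++
		if acc.failures >= d.Policy.MaxFailures {
			acc.lockedUntil, acc.failures = now.Add(d.Policy.LockDuration), 0
			return ErrLocked
		}
		return ErrBadCredentials
	}
	acc.failures = 0
	d.sessions[sessionID] = &Session{User: name, LastActive: now}
	return nil
}

// Unlock implements 5.3.2.2: a user with higher authority releases a locked account.
func (d *Device) Unlock(byUser, target string) error {
	if by, ok := d.accounts[byUser]; !ok || !by.admin {
		return ErrUnauthorized
	}
	if acc, ok := d.accounts[target]; ok {
		acc.lockedUntil, acc.failures = time.Time{}, 0
	}
	return nil
}

// Touch records activity and enforces 5.3.3.2: a session idle longer than
// MaxIdle is terminated and its user must authenticate again.
func (d *Device) Touch(sessionID string) (*Session, error) {
	s, ok := d.sessions[sessionID]
	now := d.now()
	if !ok || now.Sub(s.LastActive) > d.Policy.MaxIdle {
		delete(d.sessions, sessionID)
		return nil, ErrSessionExpired
	}
	s.LastActive = now
	return s, nil
}

func main() {
	d := NewDevice(time.Now)
	d.AddAccount("operator", "battery staple", false) // constructed credentials
	fmt.Println(d.Login("operator", "wrong", "s1"))   // authentication failed
}
```

Two details are worth noticing. A locked account rejects even the correct password until the lock expires or an administrator calls Unlock, so an attacker who guesses right during the lock window learns nothing. A timed-out session is deleted rather than flagged, so every later request on that session fails until Login is called again, which is the re-verification 5.3.3.2 asks for.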
5.4 Access control
5.4.1 The default account shall be renamed or deleted on first login. For default
accounts that cannot be deleted, their default passwords shall be modified.
5.4.2 Collection devices shall support the use of special tools to set management
account passwords centrally and uniformly.
5.4.3 It shall support deletion or deactivation of redundant, expired accounts. Sharing
accounts is prohibited.
5.4.4 It shall support granting the minimum permissions required by management users,
so as to realize the separation of permissions for management users.
5.4.5 The granularity of access control shall at least include attributes such as IP/MAC.
5.4.6 It shall support setting the maximum number of sessions.
5.4.7 Unauthorized users shall be prohibited from accessing system files of the
operating system.
5.4.8 Unauthorized users shall be prohibited from configuring or changing the software
on the front-end device.
5.4.9 When a user accesses the front-end device through the public security video and
image information system, the front-end device only accepts protocol access based on
GB/T 28181-2016, GA/T 1400-2017 or GB 35114-2017.
5.4.10 When a user directly accesses the front-end device, the front-end device only
accepts access from a specific IP address or via peripheral equipment.
5.5 Intrusion prevention
5.5.1 It shall follow the minimum-installation principle: only necessary components
and applications are installed.
5.5.2 It shall support closing unnecessary system services, default shares, and high-risk
ports.
5.5.3 Vulnerability patching by means of version upgrades shall be supported.
5.5.4 It shall support the use of SSH, TLS and other security protocols for business
access and remote management.
5.5.5 It shall support upgrades through upgrade packages verified by digital signatures.
5.5.6 It shall have the ability to detect events such as signaling verification failures and
record logs or alarm prompts.
5.5.7 It shall support monitoring of system files, perform virus detection on newly
added or modified files, and may scan for and remove malicious files.
5.5.8 The wireless front-end device shall support an access authentication function.
WEP shall not be used for authentication.
5.5.9 The wireless front-end device shall disable the WPA function by default.
5.5.10 The wireless front-end device shall be able to detect the open status of high-risk
functions such as SSID broadcast and WPS. SSID broadcast is disabled by default.
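The signed-upgrade requirement of 5.5.5 (with 5.5.3's patch-by-upgrade in mind), as an added worked example in Go. This is illustrative code written for this page; the standard defines no package format and this is not any vendor's implementation. It assumes a constructed container (magic, version, length, payload, Ed25519 signature), a vendor public key pinned in the device, and adds a version rollback check that the standard's text does not spell out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed container layout for this example (not a format the standard defines):
//   "GAUP" magic | uint32 version | uint32 payload length | payload | 64-byte Ed25519 signature
// The signature covers every byte before it, so the version field is authenticated as well.
var magic = []byte("GAUP")

const headerSize = 4 + 4 + 4

var (
	ErrMalformed    = errors.New("malformed upgrade package")
	ErrBadSignature = errors.New("signature verification failed")
	ErrRollback     = errors.New("package is not newer than the installed version")
)

type UpgradePackage struct {
	Version uint32
	Payload []byte
}

// GenerateVendorKey makes the signing key pair: the public half is pinned in the
// device at manufacture, the private half never leaves the vendor's signing system.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS entropy source is unavailable
	}
	return pub, priv
}

// BuildPackage is the vendor side: serialize header and payload, then sign them.
func BuildPackage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var u [4]byte
	pkg := make([]byte, 0, headerSize+len(payload)+ed25519.SignatureSize)
	pkg = append(pkg, magic...)
	binary.BigEndian.PutUint32(u[:], version)
	pkg = append(pkg, u[:]...)
	binary.BigEndian.PutUint32(u[:], uint32(len(payload)))
	pkg = append(pkg, u[:]...)
	pkg = append(pkg, payload...)
	return append(pkg, ed25519.Sign(priv, pkg)...)
}

// VerifyPackage is the device side of 5.5.5: check the container shape, verify the
// signature against the pinned vendor key before trusting any field, and refuse a
// version that is not newer than the installed firmware (a rollback check added
// here as good practice; the standard's text does not spell it out).
func VerifyPackage(pinned ed25519.PublicKey, installed uint32, pkg []byte) (*UpgradePackage, error) {
	if len(pkg) < headerSize+ed25519.SignatureSize || !bytes.Equal(pkg[:4], magic) {
		return nil, ErrMalformed
	}
	n := binary.BigEndian.Uint32(pkg[8:12])
	if uint64(headerSize)+uint64(n)+ed25519.SignatureSize != uint64(len(pkg)) {
		return nil, ErrMalformed
	}
	signed, sig := pkg[:headerSize+int(n)], pkg[headerSize+int(n):]
	if !ed25519.Verify(pinned, signed, sig) {
		return nil, ErrBadSignature // a device would log or alarm here and abort the install
	}
	version := binary.BigEndian.Uint32(signed[4:8])
	if version <= installed {
		return nil, ErrRollback
	}
	return &UpgradePackage{Version: version, Payload: append([]byte(nil), signed[headerSize:]...)}, nil
}

func main() {
	pub, priv := GenerateVendorKey()
	pkg := BuildPackage(priv, 3, []byte("constructed firmware image"))
	_, err := VerifyPackage(pub, 2, pkg)
	fmt.Println("genuine package:", err) // genuine package: <nil>
	pkg[len(pkg)-1] ^= 1                 // corrupt one signature byte
	_, err = VerifyPackage(pub, 2, pkg)
	fmt.Println("corrupted package:", err) // corrupted package: signature verification failed
}
```

The order of checks matters: the length test only guards slicing, and nothing from the header (not even the version) is acted on until the signature has been verified, so a package with a forged version field fails as a bad signature rather than being evaluated for rollback. The rollback check in turn prevents a correctly signed but older, vulnerable image from being reinstalled to undo a patch delivered under 5.5.3.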
5.6 Data security
5.6.1 The front-end device shall ensure that user data cannot be queried, modified and
deleted by unauthorized users.
......
Source: The above contents are excerpted from the PDF and translated/reviewed by www.chinesestandard.net / Wayne Zheng et al.