
GB/T 20275-2021 PDF in English


GB/T 20275-2021 (GB/T20275-2021, GBT 20275-2021, GBT20275-2021)

Standards related to (historical): GB/T 20275-2021

Standard ID      | Contents [version] | USD  | PDF delivered in            | Name of Chinese Standard | Status
GB/T 20275-2021  | English            | 1205 | 0-9 seconds, auto-delivery  | Information security technology -- Technical requirements and testing and evaluation approaches for network-based intrusion detection system | Valid
GB/T 20275-2013  | English            | 150  | 0-9 seconds, auto-delivery  | Information security technology -- Technical requirements and testing and evaluation approaches for network-based intrusion detection system | Obsolete
GB/T 20275-2006  | English            | RFQ  | ASK, 9 days                 | Technical requirements and testing methods of information security technology intrusion detection system | Obsolete

GB/T 20275-2021: PDF in English (GBT 20275-2021)

GB/T 20275-2021
GB NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.030
CCS L 80
Replacing GB/T 20275-2013

Information Security Technology - Technical Requirements and Testing and Evaluation Approaches for Network-based Intrusion Detection System

ISSUED ON: OCTOBER 11, 2021
IMPLEMENTED ON: MAY 1, 2022
Issued by: State Administration for Market Regulation; Standardization Administration of the People’s Republic of China.

Table of Contents
Foreword ... 3
1 Scope ... 5
2 Normative References ... 5
3 Terms and Definitions ... 5
4 Abbreviations ... 6
5 Network-based Intrusion Detection System ... 6
6 Security Technology Requirements ... 6
6.1 Classification and Level Division of Requirements ... 6
6.2 Basic-level Security Requirements ... 10
6.3 Enhanced-level Security Requirements ... 19
7 Testing and Evaluation Approaches ... 34
7.1 Test Environment ... 34
7.2 Test Tools ... 34
7.3 Basic Level ... 35
7.4 Enhanced Level ... 69
Bibliography ... 120

Information Security Technology - Technical Requirements and Testing and Evaluation Approaches for Network-based Intrusion Detection System

1 Scope
This document specifies the security technology requirements and the testing and evaluation approaches for network-based intrusion detection systems.
This document is applicable to the design, development, testing and evaluation of network-based intrusion detection systems.

2 Normative References
The contents of the following documents constitute indispensable clauses of this document through normative reference in the text. For dated references, only the version with the stated date applies to this document. For undated references, the latest version (including all amendments) applies to this document.
GB/T 25069 Information Security Techniques - Terminology

3 Terms and Definitions
The terms and definitions given in GB/T 25069 and the following apply to this document.
3.1 security incident
An incident that causes harm to networks and information systems, or to the data they contain.

3.2 alert
A message sent by the network-based intrusion detection system to the authorized administrator when an attack or intrusion occurs.

3.3 supporting system
The operating system on which the network-based intrusion detection system runs.

6.2 Basic-level Security Requirements

6.2.1 Security function requirements

6.2.1.1 Data detection function requirements

6.2.1.1.1 Data collection
When the system performs detection and analysis, it shall be capable of obtaining the data packets of the protected network segment in real time.

6.2.1.1.2 Protocol analysis
The system shall perform protocol analysis on the collected data packets.

6.2.1.1.3 Attack behavior monitoring
The system shall at least monitor the following attack behaviors: port scanning, brute force attack, malicious code attack, denial of service attack, buffer overflow attack and weak vulnerability attack, etc.

6.2.1.1.4 Traffic monitoring
The system shall monitor the packet traffic and byte traffic of the entire network or of a specific protocol, address or port.

6.2.1.2 Intrusion analysis function requirements

6.2.1.2.1 Data analysis
The system shall analyze the collected data packets and identify security incidents.

6.2.1.2.2 Incident merging
The system shall be capable of merging alerts for the same security incident when it recurs at high frequency, so as to avoid alert storms. The high-frequency threshold shall be set by authorized administrators.

6.2.1.3 Intrusion response function requirements

6.2.1.3.1 Customized response
The system shall allow the administrator to customize different response modes for specific destination hosts in the monitored network segment.
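The requirements in 6.2.1.1.3 (port-scan monitoring) and 6.2.1.2.2 (incident merging) are easiest to see together in code. The Python below is an added illustration, not text or code from the standard or from any product: over constructed traffic it raises a raw alert for every packet of a simple SYN port scan, then folds repeats of the same incident into one record with a count once they exceed an administrator-set high-frequency threshold. The packet layout, the thresholds (10 distinct ports within 5 s; 3 or more repeats per 60 s window) and the incident fields are assumptions.

```python
"""Added example, not from GB/T 20275-2021: a minimal analysis pass in the spirit
of 6.2.1.1.3 (port-scan monitoring) and 6.2.1.2.2 (incident merging).
Packet layout, thresholds and incident fields are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # capture time in seconds
    src: str
    dst: str
    dport: int
    syn: bool      # TCP SYN without ACK, i.e. a connection attempt


@dataclass
class Incident:
    name: str
    level: str
    src: str
    dst: str
    first_seen: float
    last_seen: float
    count: int = 1  # number of raw alerts folded into this record


# Detection and merging parameters; in a product these are administrator-set (assumed values)
SCAN_DISTINCT_PORTS = 10   # distinct destination ports from one source to one host ...
SCAN_WINDOW = 5.0          # ... within this many seconds counts as a port scan
MERGE_WINDOW = 60.0        # repeats of one incident inside this window may be merged
MERGE_HIGH_FREQ = 3        # at or above this many repeats per window, merge into one record


def detect_port_scans(packets):
    """Raise a raw alert every time a SYN keeps a (src, dst) pair at or above the
    distinct-port threshold inside the window. It deliberately re-alerts on every
    packet of an ongoing scan: that is the alert storm 6.2.1.2.2 asks us to merge."""
    history = defaultdict(list)   # (src, dst) -> [(ts, dport), ...] inside the window
    alerts = []
    for p in sorted(packets, key=lambda pk: pk.ts):
        if not p.syn:
            continue
        key = (p.src, p.dst)
        recent = [(t, d) for t, d in history[key] if p.ts - t <= SCAN_WINDOW]
        recent.append((p.ts, p.dport))
        history[key] = recent
        if len({d for _, d in recent}) >= SCAN_DISTINCT_PORTS:
            alerts.append(Incident("TCP port scan", "medium", p.src, p.dst,
                                   first_seen=recent[0][0], last_seen=p.ts))
    return alerts


def merge_incidents(alerts, high_freq=MERGE_HIGH_FREQ, window=MERGE_WINDOW):
    """Group identical incidents (same name, source, destination) into time windows.
    A window holding fewer than `high_freq` repeats is reported as individual
    alerts; one holding `high_freq` or more becomes a single record with a count."""
    by_key = defaultdict(list)
    for a in sorted(alerts, key=lambda al: al.last_seen):
        by_key[(a.name, a.src, a.dst)].append(a)

    merged = []

    def flush(bucket):
        if len(bucket) >= high_freq:
            head, tail = bucket[0], bucket[-1]
            merged.append(Incident(head.name, head.level, head.src, head.dst,
                                   head.first_seen, tail.last_seen, count=len(bucket)))
        else:
            merged.extend(bucket)

    for items in by_key.values():
        bucket = []
        for a in items:
            if bucket and a.last_seen - bucket[0].last_seen > window:
                flush(bucket)
                bucket = []
            bucket.append(a)
        flush(bucket)
    return sorted(merged, key=lambda r: (r.first_seen, r.last_seen))


def build_sample_traffic():
    """Constructed traffic: one host sweeps 40 ports of a server at 10 packets/s,
    while a normal client opens three HTTPS connections to the same server."""
    pkts = [Packet(ts=i * 0.1, src="10.0.0.9", dst="10.0.0.5", dport=1 + i, syn=True)
            for i in range(40)]
    pkts += [Packet(ts=1.0 + i, src="10.0.0.7", dst="10.0.0.5", dport=443, syn=True)
             for i in range(3)]
    return pkts


def run_demo():
    """Return (raw alerts, merged incidents) for the constructed traffic."""
    raw = detect_port_scans(build_sample_traffic())
    return raw, merge_incidents(raw)


if __name__ == "__main__":
    raw, merged = run_demo()
    print(f"{len(raw)} raw alerts -> {len(merged)} merged record(s)")
    for rec in merged:
        print(f"{rec.name} {rec.src}->{rec.dst} x{rec.count} "
              f"[{rec.first_seen:.1f}s .. {rec.last_seen:.1f}s]")
```

Run directly, the 31 raw alerts from the scan collapse into one record while the client's three HTTPS connections raise nothing. The merge keys on (incident name, source, destination); the threshold is a module constant here, whereas 6.2.1.2.2 requires a product to expose it to the authorized administrator.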
6.2.1.3.2 Security alert
When the system detects an intrusion, it shall automatically take the corresponding action and issue a security alert.

6.2.1.3.3 Alert mode
One or more alert modes, such as real-time on-screen prompts and e-mail alerts, shall be supported.

6.2.1.4 Management control function requirements

6.2.1.4.1 Graphic interface
The system shall provide the administrator with a graphical interface for administering and configuring the intrusion detection system. The administrative configuration interface shall contain all the functions needed to configure and administer the system.

6.2.1.4.2 Security incident library
The system security incident library shall include the definition and analysis of each incident, detailed vulnerability remediation schemes and the countermeasures that can be taken.

6.2.1.4.3 Incident level division
The system shall classify incidents by severity, so that authorized administrators can pick out hazardous incidents from a large volume of information.

6.2.1.4.4 Policy configuration
The system shall provide convenient and fast means of configuring intrusion detection policy, shall be equipped with policy templates, and shall support policy import and export.

6.2.1.4.5 Incident library upgrade
The system shall be capable of upgrading the incident library.

6.2.1.4.6 System upgrade
The system shall be capable of upgrading its system programs.

6.2.1.4.7 Hardware failure handling
For hardware products, the administrator shall be notified promptly when the hardware fails.

6.2.1.4.8 Port separation
The detectors of the system shall be equipped with separate ports for system administration and for network data monitoring.

6.2.1.4.9 Clock synchronization
The system shall provide a clock synchronization function to ensure time consistency between each component of the system and the clock server.
6.2.1.5 Detection result processing requirements

6.2.1.5.1 Incident record
The system shall save detected security incidents and record the security incident information. The security incident information shall at least include: time of occurrence, source address, destination address, incident level, incident type, incident name, incident definition, detailed analysis of the incident process and recommended solutions, etc.

6.2.1.5.2 Incident visualization
The administrator shall be able to clearly view security incidents in real time through the administration interface.

6.2.1.5.3 Report generation
The system shall be able to generate detailed detection result reports.

6.2.1.5.4 Report review
The system shall provide a function for browsing detection result reports.

6.2.1.5.5 Report output
Detection result reports shall be exportable in a text format that is easy for the administrator to read, including but not limited to WORD, HTML, PDF, WPS or OFD files.

6.2.1.6 Performance requirements

6.2.1.6.1 False alarm rate
The system shall keep the false alarm rate within 15%, and false alarms shall not greatly impair normal use of the system. A system that supports operation in an IPv6 network environment shall meet the same false alarm rate indicator under IPv6.

6.2.1.6.2 Missing report rate
The system shall keep the missing report rate (the rate of missed detections) within 15%, and missed reports shall not greatly impair normal use of the system. A system that supports operation in an IPv6 network environment shall meet the same missing report rate indicator under IPv6.

6.2.1.6.3 High traffic background intrusion detection capability
Single-port monitoring traffic: 100 M system ≥ 90 Mbps; Gigabit system ≥ 0.9 Gbps; 10-Gigabit system ≥ 9 Gbps.
A system that supports operation in an IPv6 network environment shall meet the same traffic monitoring indicators under IPv6.

6.2.1.6.4 High concurrent connection background intrusion detection capability
Single-port monitoring, number of concurrent connections: 100 M system ≥ 100,000; Gigabit system ≥ 1 million; 10-Gigabit system ≥ 1.5 million. A system that supports operation in an IPv6 network environment shall meet the same concurrent connection indicators under IPv6.

6.2.1.6.5 High new TCP connection rate background intrusion detection capability
Single-port monitoring, number of new TCP connections per second: 100 M system ≥ 60,000; Gigabit system ≥ 100,000; 10-Gigabit system ≥ 150,000. A system that supports operation in an IPv6 network environment shall meet the same new TCP connection rate indicators under IPv6.

6.2.2 Self-security protection requirements

6.2.2.1 Identity authentication

6.2.2.1.1 Administrator authentication
Before an administrator performs any operation related to security functions, the system shall authenticate the administrator.

6.2.2.1.2 Authentication information requirements
When password-based authentication information is used, the system shall check the complexity of the password set by the administrator, so as to ensure that the administrator password satisfies the complexity requirements. When a default password exists, the system shall prompt the administrator to change it, so as to reduce the risk of the user identity being impersonated. The system shall provide a function for the regular replacement of authentication information.
When the usage time of authentication information reaches the usage period threshold, the administrator shall be prompted to change it.

6.2.2.1.3 Authentication failure handling
When administrator authentication fails consecutively a specified number of times, the system shall prevent the administrator from making further authentication requests and shall generate an audit event recording the relevant information. The maximum number of failures shall be settable only by the administrator.

6.2.2.1.4 Authentication data protection
The system shall protect authentication data from unauthorized access and modification.

6.2.2.1.5 Timeout setting
The system shall require re-authentication when an administrator's login session exceeds the set time. If there is no operation within the set period, the session shall be locked or terminated, and identity authentication shall be performed again before the system can be administered further. The maximum timeout period shall be settable only by authorized administrators.

6.2.2.1.6 Administration address restrictions
The system shall restrict the network addresses from which administrators can log in.

6.2.2.2 Administrator management

6.2.2.2.1 Identity uniqueness
The system shall ensure that each administrator ID is globally unique.

6.2.2.2.2 Administrator attribute definition
The system shall maintain a security attribute table for each administrator; the attributes shall include the administrator identity, authentication data, authorization information or administration group information, and other security attributes, etc.

6.2.2.2.3 Security behavior management
The system shall restrict the disabling and modification of system functions to authorized administrators only.
6.2.2.3 Security audit

6.2.2.3.1 Audit log generation
The system shall generate audit logs for the following events:
a) Login and logout of administrator accounts, system startup, system upgrade, important configuration changes, adding / deleting / modifying administrators, saving / deleting audit logs, etc.;
b) Alerts for abnormal status of the system and its modules.
The system shall record the date, time, user ID, event description and result in each audit log record. If remote login is used, the IP address of the administration host shall also be recorded.

6.2.2.3.2 Audit log comprehensibility
Audit data shall be recorded in a form that administrators can readily understand, so as to facilitate analysis of the audit logs.

6.2.2.3.3 Audit log review
The system shall provide authorized administrators with an audit log review function, so that administrators can conveniently review audit results.

6.2.2.3.4 Restricted audit log review
Except for authorized administrators with explicit access rights, the system shall prohibit all other users from accessing the audit logs.

6.2.2.3.5 Optional audit review
Retrieval or sorting of audit logs according to specified conditions shall be supported.

6.2.2.4 Data security

6.2.2.4.1 Security management
The system shall only allow authorized administrators to access security incident records and audit logs, and shall prohibit other users from operating on security incident records and audit logs.

6.2.2.4.2 Data storage alert
The system shall automatically generate an alert when the data storage space is about to be exhausted; the amount of remaining storage space that triggers the alert shall be set by the administrator.

6.2.2.4.3 Outgoing data transmission
The system shall support the outgoing transmission (export) of security incident records and audit logs, so as to facilitate their further analysis.
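Read together, 6.2.2.1 through 6.2.2.3.1 describe one login gate: authenticate before any security-function operation, check password complexity, prompt on default and aged passwords, lock the account after N consecutive failures and audit it, time out idle sessions, accept administration only from permitted addresses, keep administrator IDs unique, and log date, time, user ID, event, result and the remote host's IP. The Python below is an added worked example of that gate, not the standard's own code or any vendor's. All policy values (5 failures, 10-minute idle timeout, 90-day usage period, the 10.0.0.0/24 administration network, the 12-character complexity rule), the record layout and the constructed scenario in `demo()` are assumptions.

```python
"""Added example, not code from GB/T 20275-2021 or any product: an administrator login
gate for 6.2.2.1, 6.2.2.2.1 and 6.2.2.3.1. Policy values and record layout are assumed."""
import hashlib, hmac, ipaddress, os, secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_AUTH_FAILURES = 5                                   # 6.2.2.1.3, administrator-set (assumed)
SESSION_TIMEOUT = timedelta(minutes=10)                 # 6.2.2.1.5, administrator-set (assumed)
PASSWORD_MAX_AGE = timedelta(days=90)                   # 6.2.2.1.2 usage-period threshold (assumed)
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]  # 6.2.2.1.6 permitted login sources (assumed)


def password_is_complex(pw: str) -> bool:  # assumed rule: 12+ chars, upper, lower, digit, symbol
    return (len(pw) >= 12 and any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def _kdf(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)  # slow salted hash, 6.2.2.1.4


@dataclass
class Admin:
    admin_id: str
    salt: bytes
    pw_hash: bytes
    pw_set_at: datetime
    is_default_pw: bool = False   # True until the factory/default password is replaced
    failures: int = 0
    locked: bool = False


class AdminAuth:
    def __init__(self):
        self.admins = {}     # admin_id -> Admin: the per-administrator attribute table (6.2.2.2.2)
        self.sessions = {}   # session token -> (admin_id, last activity)
        self.audit = []      # audit log records (6.2.2.3.1)

    def _audit(self, now, user, event, result, src_ip=None):
        rec = {"date": now.date().isoformat(), "time": now.time().isoformat(timespec="seconds"),
               "user": user, "event": event, "result": result}
        if src_ip is not None:   # remote operation: also record the administration host
            rec["src_ip"] = src_ip
        self.audit.append(rec)

    def add_admin(self, actor, now, admin_id, password, is_default_pw=False):
        if admin_id in self.admins:                # 6.2.2.2.1 identity uniqueness
            raise ValueError("administrator ID must be unique")
        if not password_is_complex(password):     # 6.2.2.1.2 complexity check
            raise ValueError("password does not meet complexity requirements")
        salt = os.urandom(16)
        self.admins[admin_id] = Admin(admin_id, salt, _kdf(password, salt), now, is_default_pw)
        self._audit(now, actor, f"add administrator {admin_id}", "success")

    def login(self, admin_id, password, src_ip, now):
        """Return (session token, warnings) on success or (None, [reason]) on refusal."""
        if not any(ipaddress.ip_address(src_ip) in net for net in ADMIN_NETWORKS):  # 6.2.2.1.6
            self._audit(now, admin_id, "login", "refused: address not permitted", src_ip)
            return None, ["address not permitted"]
        adm = self.admins.get(admin_id)
        if adm is None or adm.locked:
            self._audit(now, admin_id, "login", "refused: unknown or locked account", src_ip)
            return None, ["unknown or locked account"]
        if not hmac.compare_digest(_kdf(password, adm.salt), adm.pw_hash):
            adm.failures += 1
            adm.locked = adm.failures >= MAX_AUTH_FAILURES  # 6.2.2.1.3 lockout, with audit event
            self._audit(now, admin_id, "login", "account locked: repeated failures"
                        if adm.locked else "failure: bad password", src_ip)
            return None, ["authentication failed"]
        adm.failures, warnings = 0, []                     # 6.2.2.1.2 prompts follow
        if adm.is_default_pw:
            warnings.append("default password in use: change it now")
        if now - adm.pw_set_at >= PASSWORD_MAX_AGE:
            warnings.append("password older than the usage period: change it")
        token = secrets.token_hex(16)
        self.sessions[token] = (admin_id, now)
        self._audit(now, admin_id, "login", "success", src_ip)
        return token, warnings

    def authorize(self, token, now):
        """Gate for security-function operations (6.2.2.1.1); idle sessions time out (6.2.2.1.5)."""
        admin_id, last_activity = self.sessions.get(token, (None, None))
        if admin_id is None:
            return None
        if now - last_activity > SESSION_TIMEOUT:
            del self.sessions[token]
            self._audit(now, admin_id, "session", "terminated: idle timeout")
            return None
        self.sessions[token] = (admin_id, now)
        return admin_id


def demo():
    """Constructed scenario: default-password prompt, address refusal, lockout, idle timeout."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    auth = AdminAuth()
    auth.add_admin("system", t0, "admin", "Factory-Default-2024!", is_default_pw=True)
    auth.add_admin("system", t0, "ops", "Corr3ct-Horse-Battery!")
    _, default_warn = auth.login("admin", "Factory-Default-2024!", "10.0.0.5", t0)
    bad_ip, _ = auth.login("admin", "Factory-Default-2024!", "192.0.2.7", t0)
    for _ in range(MAX_AUTH_FAILURES):
        auth.login("admin", "not-the-password", "10.0.0.5", t0)
    token, _ = auth.login("ops", "Corr3ct-Horse-Battery!", "10.0.0.5", t0)
    return {"default_warn": default_warn, "bad_ip": bad_ip, "admin_locked": auth.admins["admin"].locked,
            "ops_ok": auth.authorize(token, t0 + timedelta(minutes=5)),
            "ops_expired": auth.authorize(token, t0 + timedelta(minutes=20)), "audit": auth.audit}
```

Two details matter in practice. The address check runs before the password check, so probes from outside the administration network never reach the failure counter and cannot be used by an outsider to lock the real administrator out. And the password comparison is constant-time over a salted PBKDF2 hash, so the stored authentication data (6.2.2.1.4) does not reveal the password if it is read.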
6.2.2.5 Communication security
The system shall ensure that data transmitted among its components (including but not limited to configuration and control information, alert and incident data, etc.) is not leaked.

6.2.2.6 Operation security
The system shall take measures, such as hiding the IP address of the detector, to make itself invisible on the network, so as to reduce the possibility of being attacked.

6.2.2.7 Supporting system security
The supporting system of the system shall:
a) Be tailored as necessary, providing no redundant components or network services;
b) Not lose security policy or log information during a restart;
c) Contain no known medium, high or ultra-critical security vulnerabilities.

6.2.3 Environmental adaptability requirements (if applicable)

6.2.3.1 Support for pure IPv6 network environment
The system shall support a pure IPv6 network environment, be able to operate normally in a pure IPv6 network environment and detect intrusions into the target network.

6.2.3.2 Self-management under IPv6 network environment
The system shall support self-management in an IPv6 network environment, so that the product can be managed and operated.

6.2.3.3 Dual protocol stack
The system shall support an IPv4 / IPv6 dual-stack network environment, be able to operate normally in an IPv4 / IPv6 dual-stack network environment and detect intrusions into the target network.

6.2.4 Security guarantee requirements

6.2.4.1 Development

6.2.4.1.1 Security architecture
The developer shall provide a security architecture description of the product's security functions and self-security protection.
The security architecture description shall satisfy the following requirements:
a) Be consistent with the level of abstraction at which the security functions and self-security protection are described in the product design documents;
b) Describe the security domains of the product's security functions and self-security protection, consistent with the security function and self-security protection requirements;
c) Describe why the initialization process of the product's security functions and self-security protection is secure;
d) Demonstrate that the product's security functions and self-security protection can prevent damage to themselves;
e) Demonstrate that the product's security functions and self-security protection cannot be bypassed.

6.2.4.1.2 Functional specification
The developer shall provide a complete functional specification, which shall satisfy the following requirements:
a) Completely describe the product's security functions and self-security protection;
b) Describe the purpose and usage of all security function and self-security protection interfaces;
c) Identify and describe all parameters related to each security function and self-security protection interface;
d) Describe the security function and self-security protection implementation behaviors related to the security function and self-security protection interfaces;
e) Describe the direct error messages resulting from the handling of security function and self-security protection implementation behaviors;
f) Demonstrate the traceability of the security function and self-security protection requirements to the security function and self-security protection interfaces.
6.2.4.1.3 Product design
The developer shall provide product design documents, which shall satisfy the following requirements:
a) Describe the product structure in terms of subsystems;
b) Identify and describe all subsystems of the product's security functions and self-security protection;
c) Describe the interactions among all subsystems of the security functions and self-security protection;
d) Provide a mapping that demonstrates that all behaviors described in the design can be mapped to the security function and self-security protection interfaces that invoke them.

6.2.4.2 Guidance documents

6.2.4.2.1 Operating user guide
The developer shall provide a clear and reasonable operating user guide. The operating user guide shall be consistent with all other documents provided for evaluation. The description of each user role shall satisfy the following requirements:
a) Describe the functions and privileges accessible to controlled users in the secure processing environment, including appropriate warnings;
b) Describe how to use the interfaces provided by the product in a secure manner;
c) Describe the available functions and interfaces, in particular all security parameters under the user's control;
d) Clearly describe each type of security-related event related to the user-accessible functions that need to be performed, including changes to the security characteristics of entities controlled by the security functions and self-security protection;
e) Identify all possible operating states of the product (including failures caused by operation or operational errors), their causal relations, and their connection with maintaining secure operation;
f) Fully implement the security policy set out by the security objectives.

6.2.4.2.2 Preparation procedure
The developer shall provide the product and its preparation procedure.
The description of the preparation procedure shall satisfy the following requirements:
a) Describe all steps necessary for secure receipt of the delivered product, consistent with the developer's delivery procedure;
b) Describe all steps necessary for secure installation of the product and of the environment in which it operates.

6.2.4.3 Life cycle support

6.2.4.3.1 Configuration management capabilities
The developer's configuration management capabilities shall satisfy the following requirements:
a) Provide unique identification for different versions of the product;
b) Use a configuration management system to maintain all configuration items that constitute the product, and uniquely identify the configuration items;
c) Provide configuration management documentation describing the method used to uniquely identify the configuration items.

6.2.4.3.2 Configuration management scope
The developer shall provide a list of the product's configuration items and identify the developer of each configuration item. The list of configuration items shall include at least the evaluation evidence for the product and the security guarantee requirements, and the constituent parts of the product.

6.2.4.3.3 Delivery procedure
......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.