
GB/T 20278-2013 (GB/T 20278-2022 Newer Version) PDF English


Editions of GB/T 20278 (Information security technology, network vulnerability scanners):
- GB/T 20278-2022: Information security technology - Security technical requirements and testing assessment approaches for network vulnerability scanners (Valid; newer version replacing GB/T 20278-2013)
- GB/T 20278-2013: Information security technology - Security technical requirements for network vulnerability scanners (Obsolete)
- GB/T 20278-2006: The technical requirements of the information security technology for network vulnerability scanning products (Obsolete)

PDF Preview: GB/T 20278-2013 (English translation excerpt)

GB/T 20278-2013
GB NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 20278-2006

Information Security Technology - Security Technical Requirements for Network Vulnerability Scanners

ISSUED ON: DECEMBER 31, 2013
IMPLEMENTED ON: JULY 15, 2014
Issued by: General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China; Standardization Administration of the People's Republic of China.

Table of Contents
1 Scope
2 Normative References
3 Terms and Definitions
4 Abbreviations
5 Level Classification of Network Vulnerability Scanners
5.1 Description of Level Classification
5.2 Level Classification
6 Service Environment
7 Security Technical Requirements for Basic-level
7.1 Security Function Requirements
7.2 Self-security Requirements
7.3 Security Assurance Requirements
8 Security Technical Requirements for Enhanced-level
8.1 Security Function Requirements
8.2 Self-security Requirements
8.3 Security Assurance Requirements

Foreword
This Standard was drafted according to the rules in GB/T 1.1-2009.
This Standard replaces GB/T 20278-2006 "Information Security Technology - Technique Requirement for Network Vulnerability Scanners". The main differences in this Standard over GB/T 20278-2006 are as follows:
- The name of the standard was changed to "Information Security Technology - Security Technical Requirements for Network Vulnerability Scanners";
- The definition of "network vulnerability scan" was modified (see 3.3);
- "vulnerability of NIS service" was deleted (see 7.3.1.8 of the 2006 edition);
- "vulnerability of database" was deleted (see 7.3.1.18 of the 2006 edition);
- "RPC port" was deleted (see 7.3.4.1 of the 2006 edition);
- "NI service" was deleted (see 7.3.4.5 of the 2006 edition);
- "alarm function" was deleted (see 7.4.4.1 of the 2006 edition);
- "installation and operation control" was deleted (see 7.5 of the 2006 edition);
- "interaction with IDS product", "interaction with firewall product" and "interaction with other application programs" were deleted (see 7.7.4.2, 7.7.4.3, 7.7.7.4 and 8 of the 2006 edition);
- "performance requirements" was deleted;
- The requirement to upgrade security measures during product upgrading was added;
- The function of comparison and analysis between scanning results was added;
- Authentication data protection, authentication failure handling, timeout locking or logout, remote management and other functions were added to the self-security requirements of the product;
- The overall structure of this Standard was adjusted: it is now organised by product security function requirements, self-security requirements and security assurance requirements; in addition, the requirement items for product self-security were detailed, and the contents of the audit function requirements were defined.

This Standard was proposed by and shall be under the jurisdiction of the National Technical Committee on Information Technology Security of the Standardization Administration of China (SAC/TC 260).
Certain content of this document may involve patents. The issuing organization of this Standard shall not undertake the responsibility of identifying these patents.
Drafting organizations of this Standard:
Quality Supervision Testing Center of the Ministry of Public Security for Computer Information System Security Products, Venustech Information & Technology Co., Ltd. and Netpower Information & Technology Co., Ltd.
Chief drafters of this Standard: Gu Jianxin, Lu Zhen, Yu You, Gu Jian, Zhao Ting, Wang Zhijia, Wang Honghong and Ming Xu.

Information Security Technology - Security Technical Requirements for Network Vulnerability Scanners

1 Scope
This Standard specifies the security function requirements, self-security requirements and security assurance requirements of network vulnerability scanners, and classifies their levels according to the different security technical requirements. This Standard is applicable to the development, production and testing of network vulnerability scanners.

2 Normative References
The following documents are essential for the application of this document. For dated references, only the cited edition applies to this document. For undated references, the latest edition (including any amendments) applies to this document.
GB 17859-1999 Classified Criteria for Security Protection of Computer Information System
GB/T 18336.3-2008 Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 3: Security Assurance Requirements
GB/T 25069-2010 Information Security Technology - Glossary

3 Terms and Definitions
For the purpose of this Standard, the terms and definitions specified in GB/T 17859-1999 and GB/T 25069-2010, as well as the following ones, apply.
3.1 Scan
The process of using technical tools to detect the security risks that exist in a target system.
3.2 Vulnerability
A weakness in a network system that may be exploited to cause harm.
3.3 Network vulnerability scan
Remote detection of security risks in a target system over the network: inspecting and analysing its security weaknesses so as to find the loopholes that an intruder could exploit, and recommending preventive and remedial measures.
3.4 Banner
A piece of information sent by an application program, generally including a welcome message, the application name and version, etc.

4 Abbreviations
For the purpose of this Standard, the following abbreviations apply.
CGI: Common Gateway Interface
CVE: Common Vulnerabilities and Exposures
DNS: Domain Name System
DoS: Denial of Service
FTP: File Transfer Protocol
IP: Internet Protocol
NETBIOS: NETwork Basic Input Output System
NFS: Network File System
POP3: Post Office Protocol 3
RPC: Remote Procedure Call
SMB: Server Message Block
SMTP: Simple Mail Transfer Protocol
SNMP: Simple Network Management Protocol
TCP: Transmission Control Protocol
UDP: User Datagram Protocol

5 Level Classification of Network Vulnerability Scanners
5.1 Description of Level Classification
5.1.1 Basic-level
This level specifies the basic functional requirements for network vulnerability scanners. It restricts the use of product functions and the control of data access through user identification and identity authentication, giving the product the ability of autonomous security protection; it guarantees that the network vulnerability scanner operates normally and has an audit function, so that the operations of administrators and the scanning events are traceable. It provides basic analysis and processing of the scanning results obtained from the scanning information, and generates a report. Its self-security requirements shall be in accordance with the relevant requirements of the system audit protection level in GB 17859-1999, and its security assurance requirements shall be in accordance with EAL 2 as specified in GB/T 18336.3-2008.
5.1.2 Enhanced-level
Network vulnerability scanners of this level not only meet all the basic-level requirements above, but also further divide security management into different roles, so as to refine the control of product management rights. In addition, the input, output and comparison of scanning results, scanning under a known account/password, upgrading of security measures, IP address scanning restriction, interactivity requirements, audit storage safety and other contents are added, making the functional requirements of the product more complete and its use more convenient. The self-security requirements of the product shall be in accordance with the requirements of the security label protection level specified in GB 17859-1999; the security assurance requirements of the product cover all stages from development to application, in accordance with EAL 4 as specified in GB/T 18336.3-2008, and on this basis the vulnerability analysis requirement is raised so that the product can resist attacks initiated by an attacker with medium attack capability.
5.2 Level Classification
The level classification of network vulnerability scanners is shown in Tables 1, 2 and 3. The level assessment of network vulnerability scanners is obtained comprehensively in accordance with these three tables; the network vulnerability scanners in acco... ......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.