
GB/T 20280-2006 PDF in English


GB/T 20280-2006 (GB/T20280-2006, GBT 20280-2006, GBT20280-2006)
Standard ID: GB/T 20280-2006
Contents [version]: English
Price (USD): 140
[PDF] delivered in: 0-9 seconds, auto-delivery
Name of Chinese Standard: Information security technology -- Testing and evaluation approaches for network vulnerability scanners
Status: Obsolete

GB/T 20280-2006: PDF in English (GBT 20280-2006)

GB/T 20280-2006
GB NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80

Information Security Technology - Testing and Evaluation Approaches for Network Vulnerability Scanners

ISSUED ON: MAY 31, 2006
IMPLEMENTED ON: DECEMBER 1, 2006
Issued by: General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China; Standardization Administration of the People's Republic of China.

Table of Contents
Foreword
Introduction
1 Scope
2 Normative References
3 Terms and Definitions
4 Stipulation of Symbol, Abbreviation and Notation
4.1 Symbols and Abbreviations
4.2 Stipulation of Notation
5 Overview of Network Vulnerability Scanners
6 Testing Environment
7 Testing and Evaluation Approaches and Procedure
7.1 Basic-type
7.1.1 Basic function
7.1.3 Security assurance requirements
7.2 Enhanced-type
7.2.1 Basic function and performance
7.2.2 Enhancement function
7.2.3 Security assurance requirements
Appendix A (Normative) Testing Evidence Provided by Product Manufacturer to Testing Organization
A.1 Basic-type
A.2 Enhanced-type
Bibliography
Figure 1 Test Environment Topological Graph for Network Vulnerability Scanners
Table 1 Environment Specification

Foreword
Appendix A of this Standard is normative.
This Standard was proposed by, and is under the jurisdiction of, the National Technical Committee on Information Security of the Standardization Administration of China.
Drafting organizations of this Standard: Beijing Netpower Technology Ltd. and the Network Security Bureau of the Ministry of Public Security.
Chief drafters of this Standard: Xiao Jiang, Lu Yi, Yang Wei, Liu Wei, Liu Bing and Ding Yuzheng.

Introduction
This Standard specifies the testing and evaluation approaches for network vulnerability scanners, including the testing and evaluation contents, the testing and evaluation function objectives and the testing environment for network vulnerability scanners; it gives the specific objectives for basic function, enhanced function and security assurance requirements that products must reach.
This Standard is intended to provide technical support and guidance for the development, production and certification of network vulnerability scanners. If evaluation activities conforming to this Standard are applied correctly, their results can be confirmed: the tested products can carry out vulnerability inspection of a network and put forward suggestions for resolving the potential security hazards discovered, so that product quality can be improved.

Information Security Technology - Testing and Evaluation Approaches for Network Vulnerability Scanners

1 Scope
This Standard specifies the testing and evaluation approaches for network vulnerability scanners that adopt the Transmission Control Protocol and Internet Protocol (TCP/IP).
This Standard is applicable to the testing and evaluation, R&D and application of security products for manual or automatic network vulnerability scanning of computer information systems.
This Standard is not applicable to products specialized for vulnerability scanning of database systems.

2 Normative References
The following standards contain provisions which, through reference in this document, constitute provisions of this document. For dated references, subsequent amendments (excluding corrigenda) or revisions of these publications do not apply. However, parties who reach an agreement according to this Standard are encouraged to study whether the latest editions of these documents can be used. For undated references, the latest editions apply.
GB/T 5271.8-2001 Information Technology - Vocabulary - Part 8: Security (idt ISO/IEC 2382-8:1998)
GB/T 20278-2006 Information Security Technology - Technique Requirement for Network Vulnerability Scanners

3 Terms and Definitions
For the purposes of this Standard, the terms and definitions established in GB/T 5271.8-2001 and GB/T 20278-2006 apply.

4 Stipulation of Symbol, Abbreviation and Notation
4.1 Symbols and Abbreviations
CGI      Common Gateway Interface
CVE      Common Vulnerabilities and Exposures
DNS      Domain Name System
DOS      Denial of Service
FTP      File Transfer Protocol
IDS      Intrusion Detection System
IP       Internet Protocol
NETBIOS  Network Basic Input Output System
NFS      Network File System
POP      Post Office Protocol
RPC      Remote Procedure Call
SMB      Server Message Block Protocol
SNMP     Simple Network Management Protocol
TCP      Transmission Control Protocol
UDP      User Datagram Protocol

4.2 Stipulation of Notation
a) Selection: used to emphasize one or more options in the statement of a functional requirement; represented by underlined italics.
b) Note: This Standard discusses the testing and evaluation of network vulnerability scanners by product class. Unless otherwise stated, the provisions in this Standard are the requirements for basic-type products. The testing and evaluation items, testing contents and testing and evaluation results for enhanced-type products are shown in italics.

The scanned host machines shall run at least the following services: HTTP, FTP, POP3, SMTP, SQL SERVER, ORACLE; UNIX and LINUX servers shall run the NFS service. The server shall run common Trojans. The server shall run other services with vulnerabilities; services with relatively common vulnerabilities that cause relatively serious hazards shall be selected.

7 Testing and Evaluation Approaches and Procedure
7.1 Basic-type
7.1.1 Basic function
7.1.1.1 Requirements for self-security
7.1.1.1.1 Identity authentication
a) Evaluation contents: refer to 7.2.1 of GB/T 20278-2006.
b) Testing and evaluation approaches:
1) According to the version release statement, administrator manual, installation management document etc. of the network vulnerability scanners, start network vulnerability scanners A and B in Figure 1;
2) As an authorized administrator, log in to and start network vulnerability scanners A and B in Figure 1; perform operations, including creating an ordinary administrator.
c) Testing and evaluation result: record the testing result and judge whether it conforms to the requirements of the testing and evaluation approaches.
7.1.1.1.2 Application limit
a) Evaluation contents: refer to 7.2.2 of GB/T 20278-2006.
b) Testing and evaluation approaches: according to the version release statement, user manual, high-level design document, testing document etc. of the network vulnerability scanners, start network vulnerability scanners A and B in Figure 1 and perform operations such as management configuration and starting a scan;
c) Testing and evaluation result: record the testing result and judge whether it conforms to the requirements of the testing and evaluation approaches, e.g. whether the network vulnerability scanner can limit the specific IP addresses that the product may scan.
7.1.1.1.3 Sensitive information protection
a) Evaluation contents: refer to 7.2.3 of GB/T 20278-2006.
b) Testing and evaluation approaches: according to the version release statement, user manual, high-level design document, testing document etc. of the network vulnerability scanners, start network vulnerability scanners A and B in Figure 1 and perform operations such as management configuration and starting a scan;
c) Testing and evaluation result: record the testing result and judge whether it conforms to the requirements of the testing and evaluation approaches, such as whether policy information is encrypted and whether exposure of sensitive information is avoided, etc.
7.1... ......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.