GB/T 20280-2006 PDF in English
GB/T 20280-2006 (GB/T20280-2006, GBT 20280-2006, GBT20280-2006)
Standard ID: GB/T 20280-2006 | Contents: English | Price (USD): 140 | Name of Chinese Standard: Information security technology -- Testing and evaluation approaches for network vulnerability scanners | Status: Obsolete
PDF Preview
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information Security Technology -
Testing and Evaluation Approaches for Network
Vulnerability Scanners
ISSUED ON: MAY 31, 2006
IMPLEMENTED ON: DECEMBER 1, 2006
Issued by: General Administration of Quality Supervision, Inspection and
Quarantine of the People's Republic of China;
Standardization Administration of the People's Republic of
China.
Table of Contents
Foreword ... 3
Introduction ... 4
1 Scope ... 5
2 Normative References ... 5
3 Terms and Definitions ... 5
4 Stipulation of Symbol, Abbreviation and Notation ... 6
4.1 Symbols and Abbreviations ... 6
4.2 Stipulation of Notation ... 6
5 Overview of Network Vulnerability Scanners ... 7
6 Testing Environment ... 7
7 Testing and Evaluation Approaches and Procedure ... 8
7.1 Basic-type ... 8
7.1.1 Basic function ... 8
7.1.3 Security assurance requirements ... 18
7.2 Enhanced-type ... 23
7.2.1 Basic function and performance ... 23
7.2.2 Enhancement function ... 23
7.2.3 Security assurance requirements ... 27
Appendix A (Normative) Testing Evidence Provided by Product Manufacturer to
Testing Organization ... 40
A.1 Basic-type ... 40
A.2 Enhanced-type ... 40
Bibliography ... 41
Figure 1 Test Environment Topological Graph for Network Vulnerability
Scanners ... 7
Table 1 Environment Specification ... 7
Foreword
Appendix A of this Standard is normative.
This Standard was proposed by and shall be under the jurisdiction of the National
Technical Committee on Information Security of Standardization Administration of
China.
This Standard was drafted by Beijing Netpower Technology Ltd. and the
Network Security Bureau of the Ministry of Public Security.
Chief drafters of this Standard: Xiao Jiang, Lu Yi, Yang Wei, Liu Wei, Liu Bing and
Ding Yuzheng.
Introduction
This Standard specifies testing and evaluation approaches for network vulnerability
scanners, including the content of testing and evaluation, the functional objectives
of testing and evaluation, and the testing environment for network vulnerability
scanners; it gives the specific objectives for basic function, enhanced function and
security assurance requirements that products must meet.
This Standard is intended to provide technical support and guidance for the
development, production and certification of network vulnerability scanners.
If evaluation activity conforming to this Standard is applied correctly, its results can
be confirmed; the tested products can conduct vulnerability inspection on a network
and put forward suggestions for resolving the potential security hazards discovered,
so that product quality can be improved.
Information Security Technology -
Testing and Evaluation Approaches for
Network Vulnerability Scanners
1 Scope
This Standard specifies the testing and evaluation approaches for network
vulnerability scanners that adopt Transmission Control Protocol and Internet Protocol
(TCP/IP).
This Standard is applicable to the testing and evaluation, R&D and application of
security products that perform manual or automatic network vulnerability scans on
computer information systems.
This Standard is not applicable to products specialized for vulnerability scanning of
database systems.
2 Normative References
The following standard contains the provisions which, through reference into this
document, constitute the provisions of this document. For the dated reference, the
subsequent amendments (excluding corrigendum) or revisions of these publications
do not apply. However, the parties who reach an agreement according to this
Standard are encouraged to study whether the latest edition of these documents can
be used. For undated references, their latest editions apply.
GB/T 5271.8-2001 Information Technology - Vocabulary - Part 8: Security (idt ISO/IEC 2382-8:1998)
GB/T 20278-2006 Information Security Technology - Technique Requirements for Network Vulnerability Scanners
3 Terms and Definitions
For the purpose of this Standard, terms and definitions established in GB/T
5271.8-2001 and GB/T 20278-2006 apply.
4 Stipulation of Symbol, Abbreviation and Notation
4.1 Symbols and Abbreviations
CGI Common Gateway Interface
CVE Common Vulnerabilities and Exposures
DNS Domain Name System
DOS Denial of Service
FTP File Transfer Protocol
IDS Intrusion Detection System
IP Internet Protocol
NETBIOS Network Basic Input Output System
NFS Network File System
POP Post Office Protocol
RPC Remote Procedure Call
SMB Server Message Block Protocol
SNMP Simple Network Management Protocol
TCP Transmission Control Protocol
UDP User Datagram Protocol
4.2 Stipulation of Notation
a) Selection: used to emphasize one or more options in the statement of a
functional requirement; represented by underlined italics.
b) Note: This Standard discusses the testing and evaluation of network
vulnerability scanners by product class. Unless otherwise stated, the provisions
in this Standard are all requirements for basic-type products. The testing and
evaluation items, testing content and testing and evaluation results for
enhanced-type products are shown in italics.
The scanned host machines shall run at least the following services: HTTP, FTP, POP3,
SMTP, SQL Server, Oracle; UNIX and Linux servers shall run the NFS service.
Servers shall run common Trojans.
Servers shall run other services with vulnerabilities; services whose vulnerabilities are
relatively common and cause relatively serious harm shall be selected.
7 Testing and Evaluation Approaches and Procedure
7.1 Basic-type
7.1.1 Basic function
7.1.1.1 Requirements for self-security
7.1.1.1.1 Identity authentication
a) Evaluation contents: refer to the contents of 7.2.1 of GB/T 20278-2006.
b) Testing and evaluation approaches:
1) According to the version release statement, administrator manual,
installation and management documentation etc. of the network vulnerability
scanners, start network vulnerability scanners A and B in Figure 1;
2) Log in to network vulnerability scanners A and B in Figure 1 as an
authorized administrator, and perform the same operations as an ordinary
administrator.
c) Testing and evaluation result: record the testing result and judge whether the
result conforms to the requirements of the testing and evaluation approaches.
7.1.1.1.2 Application limit
a) Evaluation contents: refer to the contents of 7.2.2 of GB/T 20278-2006.
b) Testing and evaluation approaches: according to the version release statement,
user manual, high-level design document, testing document etc. of the network
vulnerability scanners, start network vulnerability scanners A and B in Figure 1
and perform such operations as management configuration and starting a scan;
c) Testing and evaluation result: record the testing result and judge whether the
result conforms to the requirements of the testing and evaluation approaches, e.g.
whether the network vulnerability scanner can limit the specific IP addresses that
the product is permitted to scan.
7.1.1.1.3 Sensitive information protection
a) Evaluation contents: refer to the contents of 7.2.3 of GB/T 20278-2006.
b) Testing and evaluation approaches: according to the version release statement,
user manual, high-level design document, testing document etc. of the network
vulnerability scanners, start network vulnerability scanners A and B in Figure 1
and perform such operations as management configuration and starting a scan;
c) Testing and evaluation result: record the testing result and judge whether the
result conforms to the requirements of the testing and evaluation approaches, such
as whether policy information is encrypted and whether exposure of sensitive
information is avoided.
7.1...
...... Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.