
GB/T 20281-2020 PDF English


Search result: GB/T 20281-2020 English PDF (GB/T 20281-2020)

Standard ID | Name of Chinese Standard | Status
GB/T 20281-2020 | Information security technology -- Security technical requirements and testing assessment approaches for firewall | Valid
GB/T 20281-2015 | Information security technology -- Security technical requirements and testing and evaluation approaches for firewall | Obsolete
GB/T 20281-2006 | Information security technology -- Firewall technical requirements and test evaluation method | Obsolete



GB/T 20281-2020: PDF in English (GBT 20281-2020)

GB/T 20281-2020
GB NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 20010-2005, GB/T 20281-2015, GB/T 31505-2015 and GB/T 32917-2016

Information Security Technology - Security Technical Requirements and Testing Assessment Approaches for Firewall

ISSUED ON: APRIL 28, 2020
IMPLEMENTED ON: NOVEMBER 1, 2020
Issued by: State Administration for Market Regulation; Standardization Administration of the People’s Republic of China.

Table of Contents
Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Abbreviations
5 Overview
6 Security Technical Requirements
7 Testing and Assessment Methods
Appendix A (normative) Classification of Firewalls and Security Technical Requirements
Appendix B (normative) Classification of Firewalls and Testing and Assessment Methods

Information Security Technology - Security Technical Requirements and Testing Assessment Approaches for Firewall

1 Scope
This Standard specifies the classification, security technical requirements and testing assessment methods for firewalls. This Standard applies to the design, development and testing of firewalls.

2 Normative References
The following documents are indispensable to the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document.
GB/T 18336.3-2015 Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 3: Security Assurance Components
GB/T 25069-2010 Information Security Technology - Glossary

3 Terms and Definitions
The terms and definitions given in GB/T 25069-2010 and the following apply to this document.
3.1 Firewall
A network security product that analyzes the data flow passing through it and implements access control and security protection functions.
NOTE: According to different security purposes and implementation principles, firewalls are generally divided into network-based firewalls, WEB application firewalls, database firewalls, host-based firewalls, etc.

3.2 Network-based Firewall
A network security product that is deployed between different security domains, analyzes the data flow passing through it, and possesses network layer and application layer access control and security protection functions.

6.1.1.2.1 Static routing
The products shall support static routing and allow static routes to be configured.

6.1.1.2.2 Policy routing
Products with multiple network interfaces of the same attribute (multiple external network interfaces, multiple internal network interfaces or multiple DMZ network interfaces) shall support policy routing, which includes, but is not limited to:
a) Source and destination IP-based policy routing;
b) Interface-based policy routing;
c) Protocol and port-based policy routing;
d) Application type-based policy routing;
e) Multi-link load-based automatic route selection.

6.1.1.2.3 Dynamic routing
The products shall support dynamic routing, including one or more of the dynamic routing protocols RIP, OSPF and BGP.

6.1.1.3 High availability
6.1.1.3.1 Redundant deployment
The products shall support one or more of the redundant deployment modes “master-standby”, “master-master” and “cluster”.

6.1.1.3.2 Load balancing
The products shall support load balancing and be able to distribute network traffic to multiple servers according to security policies.
6.1.1.4 Device virtualization (optional)
6.1.1.4.1 Virtual system
If the products support logical division into multiple virtual subsystems, isolation and independent management shall be supported among the virtual subsystems, which include, but are not limited to:
a) Respectively setting up administrators for the virtual subsystems, so as to implement management configuration of each virtual subsystem;

b) Tunnel: encapsulate IPv6 in IPv4 to traverse IPv4 networks, such as IPv6 over IPv4, IPv6 to IPv4, ISATAP, etc.

6.1.2 Network layer access
6.1.2.1 Access control
6.1.2.1.1 Packet filtering
The requirements for the products’ packet filtering function are as follows:
a) The security policy shall adopt the principle of least security, namely default deny: unless explicitly permitted, traffic is prohibited;
b) The security policy shall include source IP address and destination IP address-based access control;
c) The security policy shall include source port and destination port-based access control;
d) The security policy shall include protocol type-based access control;
e) The security policy shall include MAC address-based access control;
f) The security policy shall include time-based access control;
g) Support user-defined security policies that combine some or all of MAC address, IP address, port, protocol type and time.

6.1.2.1.2 Network address translation
The requirements for the products’ network address translation are as follows:
a) Support SNAT and DNAT;
b) SNAT shall implement “many-to-one” address translation, so that when an internal network host accesses the external network, its source IP address is translated;
c) DNAT shall implement “one-to-many” address translation, which maps the IP address / port of the DMZ to a legal IP address / port of the external network, so that an external network host can access the DMZ server by accessing the mapped address and port;
d) Support dynamic SNAT technology, implementing “many-to-many” SNAT.
6.1.2.1.3 State detection
The products shall support state detection technology-based packet filtering.

The products shall support user authentication-based network access control, which includes, but is not limited to:
a) Local user authentication mode;
b) Authentication modes that combine third-party authentication systems, such as Radius and LDAP server-based authentication.

6.1.3.2 Application type control
The products shall support identification and control of various application types based on application characteristics, which include, but are not limited to:
a) HTTP protocol;
b) Database protocols;
c) Commonly seen protocols: FTP, TELNET, SMTP, POP3 and IMAP;
d) Instant chat, P2P, network streaming, online games, stock trading and other applications;
e) Applications with escape or tunnel encryption characteristics, for example encryption proxy applications;
f) Customized applications.

6.1.3.3 Application content control
6.1.3.3.1 WEB application
The products shall support control of access to WEB applications based on the following content, which includes, but is not limited to:
a) URL, with a library of classified websites;
b) Keywords of HTTP transfer content;
c) HTTP request methods, including GET, POST, PUT and HEAD, etc.;
d) HTTP request file type;
e) Length of each field in the HTTP protocol header, including general-header, request-header and response-header, etc.;
f) HTTP upload file type;
g) HTTP request frequency;
h) Response content returned by HTTP, for example, error messages returned by

and destination port, etc.;
3) Description of attack event.
c) Log management:
1) Only authorized administrators are allowed to access the logs; provide log review and export functions, etc.;
2) Audit events can be queried by date, time, subject, object and other conditions;
3) Logs are stored in non-volatile storage that survives power-off;
4) The log retention period is set to not less than 6 months;
5) When the storage space reaches the threshold, the products shall be able to notify authorized administrators and ensure normal operation of the audit functions;
6) Logs shall support automated backup to other storage devices.

6.1.5.2 Security warning
The products shall support warning of the attack behaviors in 6.1.4 and be able to issue a combined warning for identical warning events that occur at high frequency, so as to avoid warning storms. The warning information shall at least include the following content:
a) Event subject;
b) Event object;
c) Event description;
d) Hazard level;
e) Date and time of occurrence of the event.

6.1.5.3 Statistics
6.1.5.3.1 Network traffic statistics
The products shall support a graphical interface to display network traffic, which includes, but is not limited to:
a) Statistics of network traffic by IP, time period and protocol type, or a combination of the above conditions;

being illegally used;
g) For authorized administrators, select two or more combinations of authentication technologies for identity authentication.
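The combined-warning requirement of 6.1.5.2 is short to state but easy to get wrong, so here is an added example (not text or code from the standard) of one way to collapse a burst of identical warnings into a single combined warning while keeping the five required fields. The 60-second window, the threshold of five events and the sample events are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class WarningEvent:
    """One warning carrying the five fields that 6.1.5.2 requires."""
    subject: str        # event subject, e.g. the attacking address
    target: str         # event object, e.g. the attacked server
    description: str
    hazard_level: str
    time: datetime


def _record(first, last, count):
    """Flatten one event (or a burst of identical events) into a warning record."""
    return {
        "subject": first.subject, "target": first.target,
        "description": first.description, "hazard_level": first.hazard_level,
        "first_time": first.time, "last_time": last.time, "count": count,
    }


def _flush(bucket, threshold):
    # fewer than `threshold` identical events: report each one on its own;
    # otherwise emit a single combined warning with the count and time span
    if len(bucket) < threshold:
        return [_record(ev, ev, 1) for ev in bucket]
    return [_record(bucket[0], bucket[-1], len(bucket))]


def aggregate_warnings(events, window=timedelta(seconds=60), threshold=5):
    """Collapse identical high-frequency warnings into combined warnings.

    Events are identical when subject, object, description and hazard level
    all match. Within each such group, events are bucketed so that every
    bucket spans at most `window` from its first event; a bucket holding at
    least `threshold` events becomes one combined warning (assumed policy).
    """
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.time):
        groups[(ev.subject, ev.target, ev.description, ev.hazard_level)].append(ev)
    out = []
    for evs in groups.values():
        bucket = [evs[0]]
        for ev in evs[1:]:
            if ev.time - bucket[0].time <= window:
                bucket.append(ev)
            else:
                out.extend(_flush(bucket, threshold))
                bucket = [ev]
        out.extend(_flush(bucket, threshold))
    out.sort(key=lambda w: w["first_time"])
    return out


# Constructed sample: a 200-event port-scan burst (one event every 100 ms,
# 19.9 s in total) and a single unrelated SQL-injection warning.
_T0 = datetime(2025, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    WarningEvent("192.0.2.10", "198.51.100.5", "port scan", "medium",
                 _T0 + timedelta(milliseconds=100 * i))
    for i in range(200)
] + [WarningEvent("192.0.2.77", "198.51.100.8", "SQL injection attempt", "high",
                  _T0 + timedelta(seconds=5))]

if __name__ == "__main__":
    for w in aggregate_warnings(SAMPLE_EVENTS):
        print(f'{w["count"]:4d}x {w["description"]:22s} {w["subject"]} -> {w["target"]}')
```

Run as a script it prints two lines, one combined port-scan warning with a count of 200 and the single SQL-injection warning; tightening the window splits the burst into several combined warnings instead.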
6.2.2 Management capabilities
The security requirements for the products’ management capabilities include, but are not limited to:
a) Provide authorized administrators with functions to set and modify data parameters related to security management;
b) Provide authorized administrators with functions to set, query and modify the various security policies;
c) Provide authorized administrators with functions to manage audit logs;
d) Support updating of its own system, including upgrades of the software system and of the various feature libraries;
e) Be able to synchronize system time from an NTP server;
f) Support synchronization of logs, warnings and other information to a log server through the SYSLOG protocol;
g) Administrator roles shall be distinguished and divided into system administrators, security operators and security auditors; the permissions of the three types of administrator roles shall restrict each other;
h) Provide a security policy validity check function, for example security policy matching detection.

6.2.3 Management audit
The security requirements for the products’ management audit include, but are not limited to:
a) Log operation behaviors, such as user account login and logout, system startup, important configuration changes, adding / deleting / modifying administrators, saving / deleting audit logs, etc.;
b) Raise an alarm on abnormal states of the products and their modules, and record logs;
c) Log records include the following content: the date and time of occurrence of the event, the type of event, the subject of the event and the result of the event operation;
d) Only authorized administrators are allowed to access the logs.
2) For 512-byte medium and long packets: 100 M products, not less than 70% of line rate; 1 G and 10 G products, not less than 80% of line rate;
3) For 1,518-byte long packets: 100 M products, not less than 90% of line rate; 1 G and 10 G products, not less than 95% of line rate;
b) For high-performance 10 G products, the throughput for 1,518-byte long packets shall reach at least 80 Gbit/s.

6.3.1.2 Mixed application layer throughput
The application layer throughput of hardware products varies with the rate of the product. With the application attack protection function enabled, the specific index requirements are as follows:
a) The mixed application layer throughput of 100 M products shall be not less than 60 Mbit/s;
b) The mixed application layer throughput of 1 G products shall be not less than 600 Mbit/s;
c) The mixed application layer throughput of 10 G products shall be not less than 5 Gbit/s; for high-performance 10 G products, the whole-machine mixed application layer throughput shall be at least 20 Gbit/s.

6.3.1.3 HTTP throughput
The HTTP throughput of hardware products varies with the rate of the product. With the WEB attack protection function enabled, the specific index requirements are as follows:
a) The application layer throughput of 100 M products shall be not less than 80 Mbit/s;
b) The application layer throughput of 1 G products shall be not less than 800 Mbit/s;
c) The application layer throughput of 10 G products shall be not less than 6 Gbit/s.

6.3.2 Delay
The delay of hardware products varies with the rate of the product. The specific index requirements for the delay of a pair of ports with corresponding rates are as follows:
a) For 64-byte short packets, 512-byte medium and long packets, 1,518-

subsystems.
6.4.1.4 Implementation representation
The developer shall provide an implementation representation of the products’ security functions. The implementation representation shall satisfy the following requirements:
a) Specifically define the products’ security functions, including examples of software code and design data;
b) Provide the correspondence between the implementation representation and the product design description.

6.4.2 Guidance documents
6.4.2.1 User guide for operation
The developer shall provide a clear and reasonable user guide for operation. The description of each user role shall satisfy the following requirements:
a) Describe the functions and privileges that the user can access, including appropriate warning information;
b) Describe the methods by which users operate the products’ security functions and interfaces, including the secure values of configuration parameters;
c) Identify and describe all possible states of product operation, including operation-induced failures or operational errors;
d) Describe the security policies that must be implemented to achieve the products’ security objectives.

6.4.2.2 Preparation procedure
The developer shall provide the products and their preparation procedures. The description of the preparation procedures shall satisfy the following requirements:
a) Describe all steps necessary for secure acceptance of the delivered products, consistent with the developer’s delivery procedure;
b) Describe all steps necessary for secure installation of the products and their operating environment.

6.4.3 Life cycle support
6.4.3.1 Configuration management capabilities
The developer’s configuration management capabilities shall satisfy the following requirements:

product development and maintenance; provide a life cycle definition document to describe the model used for product development and maintenance.
6.4.3.6 Tools and technology
The developer shall clearly define the tools used to develop the products and provide a development tool document that unambiguously defines the meaning of each statement in the implementation and the meaning of all implementation-dependent options.

6.4.4 Tests
6.4.4.1 Test coverage
The developer shall provide a test coverage document, which shall satisfy the following requirements:
a) Indicate the correspondence between the tests identified in the test documentation and the security functions of the products described in the functional specification;
b) Indicate that the above correspondence is complete, confirming that all security function interfaces in the functional specification have been tested.

6.4.4.2 Test depth
The developer shall provide an analysis of test depth. The description of the test depth analysis shall satisfy the following requirements:
a) Confirm the consistency between the tests in the test documentation and the security function subsystems and implementation modules in the product design;
b) Confirm that all security function subsystems and implementation modules in the product design have been tested.

6.4.4.3 Functional test
The developer shall test the products’ security functions, document the results and provide test documentation. The test documentation shall include the following content:
a) Test plans, identifying the tests to be executed and describing the procedure for executing each test; these procedures include any ordering dependencies on other test results;
b) The expected test results, indicating the expected output after a test succeeds;
c) A comparison of the actual test results with the expected test results.

b) Expected results:
1) Under the transparent transfer mode, the security policies take effect;
2) Under the routing forward mode, the security policies take effect;
3) Under the reverse proxy mode, the security policies take effect.
c) Result determination: When the actual testing and assessment result is consistent with the expected result, it shall be determined to be conformant; otherwise, it shall be determined to be non-conformant.

7.2.1.2 Routing
7.2.1.2.1 Static routing
The testing and assessment methods for static routing are as follows:
a) Testing and assessment methods:
1) Set up a static route in the products;
2) Send data packets matching the above routing policy to the products.
b) Expected results:
1) The products support the configured static route;
2) The products forward the data packets matching the policy in accordance with the routing policy.
c) Result determination: When the actual testing and assessment result is consistent with the expected result, it shall be determined to be conformant; otherwise, it shall be determined to be non-conformant.

7.2.1.2.2 Policy routing
The testing and assessment methods for policy routing are as follows:
a) Testing and assessment methods:
1) Set up a source and destination IP-based policy route in the products; send data packets matching the above routing policy to the products;

DMZ zone.
b) Expected results: The products support the load balancing function and can balance network access to multiple servers.
c) Result determination: When the actual testing and assessment result is consistent with the expected result, it shall be determined to be conformant; otherwise, it shall be determined to be non-conformant.
7.2.1.4 Device virtualization
7.2.1.4.1 Virtual system
The testing and assessment methods for the virtual system are as follows:
a) Testing and assessment methods:
1) In the products, set up multiple subsystems; respectively set up administrators for the various subsystems; verify whether each administrator can only manage the subsystem to which they belong and cannot manage other subsystems;
2) For the various subsystems, set up routing tables and security policies, and generate logs; verify whether the subsystems independently maintain their own routing tables, security policies and log systems;
3) For the various subsystems, set up usage quotas; verify whether the subsystems are prevented from using resources that exceed the quota.
b) Expected results:
1) The virtual subsystems can set up their own administrators, who implement management configuration for the current subsystem without configuring or managing other subsystems;
2) The virtual subsystems can work independently and maintain their own routing tables, security policies and log systems;
3) Resource usage quotas can be allocated to the virtual subsystems.
c) Result determination: When the actual testing and assessment result is consistent with the expected result, it shall be determined to be conformant; otherwise, it shall be determined to be non-conformant.

security functions can work normally in an IPv6 network environment;
2) Simulate an IPv6 network environment; verify whether the products support self-management in the IPv6 network environment.
b) Expected results:
1) The products support normal operation in a pure IPv6 network environment;
2) The products support self-management in an IPv6 network environment.
c) Result determination: When the actual testing and assessment result is consistent with the expected result, it shall be determined to be conformant; otherwise, it shall be determined to be non-conformant.
7.2.1.5.2 Protocol consistency
The testing and assessment methods for protocol consistency are as follows:
a) Testing and assessment methods:
1) Under the routing mode, use a protocol consistency test tool to test the consistency of the products’ IPv6 core protocol;
2) Under the routing mode, test the consistency of the products’ IPv6 NDP protocol;
3) Under the routing mode, test the consistency of the products’ IPv6 Autoconfig protocol;
4) Under the routing mode, test the consistency of the products’ ICMPv6 protocol.
b) Expected results:
1) The products pass the consistency test of the IPv6 core protocol;
2) The products pass the consistency test of the IPv6 NDP protocol;
3) The products pass the consistency test of the IPv6 Autoconfig protocol;
4) The products pass the consistency test of the ICMPv6 protocol.
c) Result determination: When the actual testing and assessment result is consistent with the relevant

the IPv6 terminal can communicate with the products through the ISATAP tunnel.
b) Expected results:
1) Communication in the IPv4 and IPv6 protocol transition environment is normal;
2) Communication is normal in at least one of the tunnel environments: IPv6 over IPv4 tunnel, IPv6 to IPv4 tunnel and ISATAP tunnel.
c) Result determination: When the actual testing and assessment result is consistent with the expected result, it shall be determined to be conformant; otherwise, it shall be determined to be non-conformant.
7.2.2 Network layer control
7.2.2.1 Access control
7.2.2.1.1 Packet filtering
The testing and assessment methods for packet filtering are as follows:
a) Testing and assessment methods:
1) Initialize the products’ packet filtering policy; conduct mutual access operations among the hosts of the various areas; check whether the products’ default security policy is to prohibit;
2) Set up a source IP address and destination IP address-based access control policy; generate corresponding network sessions to verify whether the policy takes effect;
3) Set up a source port and destination port-based access control policy; generate corresponding network sessions to verify whether the policy takes effect;
4) Set up a protocol type-based access control policy; generate corresponding network sessions to verify whether the policy takes effect;
5) Set up a MAC address-based access control policy; generate corresponding network sessions to verify whether the policy takes effect;
6) Set up a time-based access control policy; generate corresponding network sessions to verify whether the policy takes effect;
7) Attempt to set up a MAC address, IP address, port, protocol type

2) Use the automatic binding or manual binding function to bind the IP and MAC address of a host in the intranet;
3) Respectively generate a session with a correct IP / MAC binding and a session with IP theft; check the validity of the binding.
b) Expected results:
1) IP / MAC addresses can be automatically or manually bound;
2) After IP / MAC address binding, the security policy is correctly executed and IP theft behaviors can be detected.
c) Result determination: When the actual testing and assessment result is consistent with the expected result, it shall be determined to be conformant; otherwise, it shall be determined to be non-conformant.
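As an added example that is not part of the standard, the following minimal first-match packet filter implements the default-deny principle and the IP, port, protocol, MAC and time-based controls required in 6.1.2.1.1, and then runs one probe session per test step of 7.2.2.1.1 against it. The rule set, the documentation-range addresses and the helper names are constructed assumptions, not values from the standard.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp", "udp" or "icmp"
    src_port: int
    dst_port: int
    src_mac: str
    seen_at: time       # time of day at which the product sees the packet

@dataclass(frozen=True)
class Rule:
    """One security-policy entry. A field left as None is a wildcard; every non-None
    field must match, giving the user-defined combinations that 6.1.2.1.1 g) asks for."""
    action: str                                  # "permit" or "deny"
    src_net: Optional[str] = None                # CIDR, e.g. "192.0.2.0/24"
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    src_mac: Optional[str] = None
    window: Optional[Tuple[time, time]] = None   # (start, end) of day, may wrap midnight

    def matches(self, p: Packet) -> bool:
        return all((
            self.src_net is None or ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.src_net),
            self.dst_net is None or ipaddress.ip_address(p.dst_ip) in ipaddress.ip_network(self.dst_net),
            self.proto is None or self.proto == p.proto,
            self.src_port is None or self.src_port == p.src_port,
            self.dst_port is None or self.dst_port == p.dst_port,
            self.src_mac is None or self.src_mac.lower() == p.src_mac.lower(),
            self.window is None or in_window(p.seen_at, *self.window),
        ))

def in_window(t: time, start: time, end: time) -> bool:
    # a window such as 22:00-06:00 wraps past midnight
    return start <= t <= end if start <= end else (t >= start or t <= end)

class PacketFilter:
    """First-match policy evaluation with the default-deny fallback of 6.1.2.1.1 a)."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"   # not explicitly permitted, therefore prohibited

# Constructed policy used to walk through the test steps of 7.2.2.1.1
# (all addresses are documentation ranges, not real hosts).
POLICY = PacketFilter([
    Rule("deny", src_mac="00:11:22:33:44:55"),                          # step 5: MAC-based block
    Rule("permit", src_net="192.0.2.0/24", dst_net="198.51.100.10/32",   # steps 2-4 and 6 combined
         proto="tcp", dst_port=80, window=(time(9, 0), time(18, 0))),
    Rule("permit", proto="udp", dst_port=53),                            # DNS from anywhere
])

def make_packet(**overrides) -> Packet:
    base = dict(src_ip="192.0.2.15", dst_ip="198.51.100.10", proto="tcp", src_port=40000,
                dst_port=80, src_mac="aa:bb:cc:dd:ee:01", seen_at=time(10, 30))
    base.update(overrides)
    return Packet(**base)

def run_assessment() -> dict:
    """Decision for one probe session per test step of 7.2.2.1.1."""
    return {
        "default_policy": POLICY.decide(make_packet(src_ip="203.0.113.9", dst_ip="198.51.100.20", dst_port=22)),
        "ip_and_port_match": POLICY.decide(make_packet()),
        "port_mismatch": POLICY.decide(make_packet(dst_port=8080)),
        "protocol_mismatch": POLICY.decide(make_packet(proto="udp", dst_port=80)),
        "mac_blocked": POLICY.decide(make_packet(src_mac="00:11:22:33:44:55")),
        "outside_time_window": POLICY.decide(make_packet(seen_at=time(23, 15))),
        "dns_from_any_source": POLICY.decide(make_packet(src_ip="203.0.113.9", proto="udp", dst_port=53)),
    }

if __name__ == "__main__":
    print(run_assessment())
```

Only the two sessions that an explicit permit rule covers come back "permit"; every other probe, including the session from an unknown host with no matching rule, falls through to the default deny.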
7.2.2.2 Traffic management
7.2.2.2.1 Bandwidth management
The testing and assessment methods for bandwidth management are as follows:
a) Testing and assessment methods:
1) Set up a source IP, destination IP, application type and time period-based traffic policy on the products; send traffic that matches the policy to the products and gradually increase the traffic until it goes from within the allowed range to exceeding the policy range;
2) Set up a source IP, destination IP, application type and time period-based guaranteed bandwidth policy on the products; send traffic that matches the policy to the products and keep the traffic above the guaranteed bandwidth, then send other traffic to the products and try to seize the bandwidth used by the above traffic;
3) Set up a total traffic bandwidth limit policy on the products, and set a bandwidth limit for a specific traffic within it. Before and after the products’ total bandwidth occupancy reaches the threshold, respectively verify whether the bandwidth policy for the above specific traffic automatically starts and stops.
b) Expected results:
1) The source IP, destination IP, application type and time period-based traffic rate or total traffic policy takes effect;

a) Testing and assessment methods:
1) Set up the session timeout on the products;
2) Through the products, establish a session connection and no longer operate on the session until the timeout is reached, then verify whether the above session is closed.
b) Expected results:
1) The products can configure the session timeout (or set a default value) for the various protocols;
2) After the inactive time of an established session reaches the timeout, the connection is automatically closed by the products.
c) Result determination: When the actual testing and assessment result is consistent with the expected result, it shall be determined to be conformant; otherwise, it shall be determined to be non-conformant.

7.2.3 Application layer control
7.2.3.1 User management and control
The testing and assessment methods for user management and control are as follows:
a) Testing and assessment methods:
1) Locally add a user on the products; set up a local user authentication-based network access policy; generate a session request that matches the policy; verify whether the session can only be established after user authentication succeeds;
2) Configure third-party authentication servers, such as Radius and LDAP, on the products; set up a third-party user authentication-based network access policy; generate a session request that matches the policy; verify whether the session can only be established after user authentication succeeds.
b) Expected results:
1) The products support local user authentication-based network access control;
2) The products support third-party authentication-based network access control.

5) The application-based (with escape or tunnel encryption features) access control policy takes effect;
6) Customized applications are supported; the customized application-based access control policy takes effect.
c) Result determination: When the actual testing and assessment result is consistent with the expected result, it shall be determined to be conformant; otherwise, it shall be determined to be non-conformant.

7.2.3.3 Application content control
7.2.3.3.1 WEB application
The testing and assessment methods for WEB application are as follows:
a) Testing and assessment methods:
1) Set up a URL-based access control policy on the products; through the products, access the corresponding URL; verify whether the policy takes...... ......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.