GB/T 31505-2015 PDF in English
GB/T 31505-2015 (GB/T31505-2015, GBT 31505-2015, GBT31505-2015)
Standard ID | Contents [version] | USD | STEP2 | [PDF] delivered in | Name of Chinese Standard | Status |
GB/T 31505-2015 | English | 510 |
Add to Cart
|
0-9 seconds. Auto-delivery.
|
[Replaced by GB/T 20281-2020] Information security technology -- Technique requirements and testing and evaluation approaches for host-based firewall and personal firewall
| Obsolete |
Standards related to (historical): GB/T 31505-2015
PDF Preview
GB/T 31505-2015: PDF in English (GBT 31505-2015) GB/T 31505-2015
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Technique
requirements and testing and evaluation approaches
for host-based firewall and personal firewall
ISSUED ON: MAY 15, 2015
IMPLEMENTED ON: JANUARY 01, 2016
Issued by: General Administration of Quality Supervision, Inspection and
Quarantine;
Standardization Administration of PRC.
Table of Contents
Foreword ... 3
1 Scope ... 4
2 Normative references ... 4
3 Terms and definitions ... 4
4 Descriptions of host-based firewall and personal firewall ... 5
5 Security technical requirements ... 5
5.1 General description ... 5
5.2 Basic level requirements ... 6
5.3 Enhanced level requirements ... 13
6 Test evaluation method ... 26
6.1 Test environment ... 26
6.2 Basic level test ... 26
6.3 Enhanced level test ... 41
Information security technology - Technique
requirements and testing and evaluation approaches
for host-based firewall and personal firewall
1 Scope
This standard specifies the security technical requirements, evaluation methods,
security classification of host-based firewalls.
This standard applies to the design, development and testing of host-based
firewall and personal firewall.
2 Normative references
The following documents are essential to the application of this document. For
the dated documents, only the versions with the dates indicated are applicable
to this document; for the undated documents, only the latest version (including
all the amendments) are applicable to this standard.
GB/T 18336.3-2008 Information technology - Security techniques -
Evaluation criteria for IT security - Part 3: Security assurance requirements
GB/T 25069 Information security technology - Glossary
3 Terms and definitions
The terms and definitions as defined in GB/T 25069 as well as the following
terms and definitions apply to this document.
3.1
Host-based firewall and personal firewall
It is also known the host-based firewall or personal firewall, which is a
software which runs on standalone computer. It can monitor the inbound and
outbound network connections on the host; perform network address-based
and application-based access control through predefined rules. It also
usually has other security functions such as anti-malware, intrusion
detection, network alert, etc.
5.2.1.5.3 Timeout lock or logout
The product shall have login timeout lock or logout function. If there is no
operation within the set time period, the session is terminated; it needs the
identity authentication again for the purpose of re-operation. The maximum
timeout period can only be set by an authorized administrator.
5.2.1.6 Security management
5.2.1.6.1 Identification uniqueness
The product shall provide a unique identifier for the user; at the same time
associate the user's identifier with all auditable events of the user.
5.2.1.6.2 Administrator attribute definition
If the product supports policy center for distributed deployment and centralized
management, the policy center shall be able to divide the roles of administrators:
a) Administrator roles with at least two different permissions, such as security
officer, auditor, etc.;
b) According to different functional modules, customize various different
authority roles and assign roles to administrators.
5.2.1.6.3 Remote management encryption
If the product supports the policy center and implements remote management
of the temporary policy center, it shall take confidential measures to protect the
remote management information implemented by the policy center.
5.2.1.6.4 Trusted management host
If the product supports the policy center and the console provides remote
management functions, it shall be able to limit the host addresses that can be
remotely managed.
5.2.1.7 Security audit
The product shall have a security audit function; the specific technical
requirements are as follows:
a) Type of recording event:
1) Network communication information matching packet filtering rules;
2) The administrator's login success and failure;
3) The operation of changing the security policy;
When delivering each version of the product to the user, the delivery document
shall describe all procedures necessary to maintain security.
5.2.2.2.2 Installation, generation, startup of program
The developer shall provide documentation explaining the process of product
installation, generation and startup.
5.2.2.3 Development
5.2.2.3.1 Description of informal function specification
The developer shall provide a functional specification, which shall meet the
following requirements:
a) Use informal styles to describe product security functions and external
interfaces;
b) Is internally consistent;
c) Describe the purpose and usage of all external interfaces; provide details
of effects, exceptions and error messages when appropriate;
d) Completely express product security functions.
5.2.2.3.2 Descriptive high-level design
Developers shall provide high-level designs for product security functions; high-
level designs shall meet the following requirements:
a) Representation shall be informal;
b) Is internally consistent;
c) Describe the structure of the security function based on subsystem;
d) Describe the security functions provided by each security function
subsystem;
e) Identify any basic hardware, firmware or software required by the security
function, as well as a representation of the functions provided by the
supporting protection mechanisms implemented in these hardware,
firmware or software;
f) Identify all interfaces of the security function level;
g) Identify which interfaces of the security function subsystems are externally
visible.
packet. When the same type and code field are matched, it will be
processed according to the packet processing method in the
corresponding rule;
2) According to the local port (including single port and < or> port range)
and < or> remote port (including single port and < or> port range) in the
UDP network data packet, perform rule matching;
3) According to the local port (including single port and < or> port range)
and < or> remote port (including single port and < or> port range) in the
TCP network data packet, as well as the flag bit of the TCP data packet,
perform rule matching filter.
d) Filter actions include:
1) Interception;
2) Access;
3) Continue to match the next rule.
5.3.1.2 Revision of security rules
The product shall provide default security rules, which can be revised by users:
a) Users can choose to use or abandon the security rules as provided by the
host-based firewall and personal firewall;
b) Users can add, delete, modify custom security rules according to the
format requirements in 5.3.1.1.
5.3.1.3 Application network access control
The security function of the product shall be able to control the permission of
each application on the host to use the network; the control of application
access to the network shall include the following three methods:
a) Access allowed: Allow the application to use the network;
b) Access prohibited: Prohibit the application from using the network;
c) Inquiry when accessing the network: When the application accesses the
network, it shall be able to provide users with detailed reports and inquiries
about the access operations it will perform; meanwhile it can accordingly
handle the behavior of the application accessing the network according to
the query results.
5.3.1.4 Intrusion prevention
c) It shall contain rationality, that is, to demonstrate that the model is
consistent with all security policies that can be modeled and is
complete;
d) It shall clarify the correspondence between the security policy model
and the functional specification, that is, to demonstrate that the
security functions in all functional specifications are consistent with
the security policy model and are complete.
5.3.2.4 Guiding documents
5.3.2.4.1 Administrator guide
The developer shall provide an administrator guide, which shall be consistent
with all other documents provided for evaluation.
The administrator guide shall state the following:
a) Management functions and interfaces available to the administrator;
b) How to manage products securely;
c) Functions and permissions that shall be controlled in a secured processing
environment;
d) All assumptions about user behavior related to the secured operation of
the product;
e) All security parameters controlled by the administrator, if possible, it shall
indicate the security value;
f) Every security-related event related to the management function, including
changes to the security characteristics of the entity controlled by the
security function;
g) All IT environment security requirements related to administrators.
5.3.2.4.2 User guide
The developer shall provide a user guide, which shall be consistent with all
other documents provided for evaluation.
The user guide shall state the following:
a) Security functions and interfaces available to non-administrator users of
the product;
b) How to use the security functions and interfaces provided by the product
The analysis result of the test coverage shall show that the
correspondence between the test identified in the test document and the
security function of the product described in the functional specification
is complete.
5.3.2.6.2 Test: High-level design
The developer shall provide in-depth analysis of the test.
In-depth analysis shall confirm that the tests identified in the test document are
sufficient to verify that the product's functionality is operating according to its
high-level design.
5.3.2.6.3 Function test
Developers shall test security functions, document the results and provide test
documentation.
The test document shall include the following:
a) The test plan shall identify the security functions to be tested and describe
the test objectives;
b) During the testing process, it shall identify the tests to be performed and
describe the test overview of each security function; the test overview shall
include the order dependency on other test results;
c) The expected test results shall show the expected output after the test is
successful;
d) The actual test results shall show that each security function tested can
operate in accordance with provisions.
5.3.2.6.4 Independence test
5.3.2.6.4.1 Consistency
Developers shall provide products suitable for testing; the test set provided shall
be consistent with the test set used in self-testing product functions.
5.3.2.6.4.2 Sampling
Developers shall provide a set of considerable resources for sampling testing
of security functions.
5.3.2.7 Vulnerability assessment
5.3.2.7.1 Misuse
1) Configure filtering rules based on different packet directions, to
generate corresponding network sessions;
2) Configure filtering rules based on different remote IP addresses, to
generate corresponding network sessions;
3) Configure filtering rules based on different protocol types, to generate
corresponding network sessions;
4) Configure filtering rules for different filtering actions, to generate
corresponding network sessions;
5) Configure user-defined filter rules, the filter condition is a combination
of some or all of the above filter conditions, to generate the
corresponding network session;
6) Record the test results and make a judgment on whether the results
fully meet the requirements of the above-mentioned test evaluation
methods.
b) Expected result:
The product shall be able to implement correct IP packet filtering
according to the configured security rules.
6.2.1.2 Revision of security rules
The test evaluation methods and expected results of the security rule revision
of host-based firewall and personal firewall products are as follows:
a) Test evaluation method:
1) Perform network connectivity testing according to the default protection
policy as provided by the product;
2) Change the default policy and perform the network connectivity test
again, until it covers all the policy sets provided by the product;
3) Add, delete, modify custom security rules, to test network connectivity;
4) Record the test results and make a judgment on whether the results
fully meet the requirements of the above-mentioned test evaluation
methods.
b) Expected result:
The product shall be able to implement new security policies in
accordance with the revised security rules.
2) It shall be ensured that each administrator ID is globally unique; it is not
allowed to use one administrator ID for multiple administrators.
6.2.1.6.2 Administrator attribute definition
The test evaluation methods and expected results defined by the administrator
attribute of the host-based firewall and personal firewall products are as follows:
a) Test evaluation method: Check whether the security function of the system
allows the definition of multiple roles of administrators. Record the test
results and make a judgment on whether the results fully meet the
requirements of the above-mentioned test evaluation methods.
b) Expected result:
1) The system shall allow administrators with multiple roles to be defined;
2) Each role can have multiple administrators; each administrator can only
belong to one role;
3) It shall be ensured that each role identification is globally unique; one
role identification is not allowed to be used for multiple roles.
6.2.1.6.3 Remote management encryption
The test evaluation methods and expected results of remote management
encryption for host-based firewall and personal firewall products are as follows:
a) Test evaluation method: Check whether the remote management data of
the host-based firewall and personal firewall product is transmitted
confidentially. Record the test results and make a judgment on whether
the results fully meet the requirements of the above-mentioned test
evaluation methods.
b) Expected result: The product can ensure the confidential transmission of
remote management data.
6.2.1.6.4 Trusted management host
The test evaluation methods and expected results of the trusted management
host for host-based firewall and personal firewall products are as follows:
a) Test evaluation method: Check whether the host-based firewall and
personal firewall product can restrict the host address that can be remotely
managed. Record the test results and make a judgment on whether the
results fully meet the requirements of the above-mentioned test evaluation
methods.
- The content of the network communication information log matching
the filtering rules shall include the following information:
communication date and time, filtering action, remote IP address,
local port, remote port, remarks;
- Other logs shall record the date, time, user identification, event
description and results of the event; if remote login is used to manage
the product, the log content shall include the address of the
management host.
3) Log management:
- The host-based firewall and personal firewall product shall be able to
query the content of the network communication information log
matching the filtering rules according to the communication date and
time, filtering actions, remote IP address, local port, remote port;
- The host-based firewall and personal firewall product shall be able to
query other log content according to the date and time of the event,
user identification, event description, result and other conditions;
- Restart the host after shutting down, the log record shall not
disappear;
- When the remaining data storage space reaches the threshold, the
host-based firewall and personal firewall product shall be able to
provide an alarm function;
- Before the data storage space is exhausted, host-based firewall and
personal firewall products shall be able to use automatic dumping
and other methods to back up data to other storage spaces.
6.2.2 Security assurance evaluation
6.2.2.1 Configuration management
6.2.2.1.1 Version number
The test evaluation methods and expected results of the version number are as
follows:
a) Test evaluation method:
1) The evaluator shall review whether the configuration management
support file provided by the developer contains the following content:
version number; the version number used by the developer shall be
completely corresponding to the product sample that shall be
a) Test evaluation method:
The evaluator shall review the test coverage evidence provided by the
developer. In the test coverage evidence, whether it shows that the test
identified in the test document corresponds to the security function of the
product described in the functional specification.
b) Expected result:
The content of the document provided by the developer shall meet the
above requirements.
6.2.2.5.2 Function test
The test evaluation methods and expected results of the functional test are as
follows:
a) Test evaluation method:
1) The evaluator shall review the test documentation provided by the
developer, to see whether it includes the test plan, test procedures,
expected test results and actual test results;
2) The evaluator shall review whether the test plan identifies the security
function to be tested and whether it describes the test objectives;
3) The evaluator shall review whether the test procedure identifies the test
to be performed and whether it describes the test profile of each
security function (the profile includes the order dependency on other
test results);
4) The evaluator shall review whether the expected test results indicate
the expected output after the test is successful;
5) The evaluator shall review whether the actual test results show that
each tested security function can operate according to provisions.
b) Expected result:
The content of the document provided by the developer shall meet the
above requirements.
6.2.2.5.3 Independence test
6.2.2.5.3.1 Consistency
The consistency test evaluation methods and expected results are as follows:
The testing and evaluation methods and expected results of developer
vulnerability analysis are as follows:
a) Test evaluation method:
1) The evaluator shall review the vulnerability analysis document provided
by the developer, to see whether it analyzes the various functions of
the product from the obvious ways that the user may violate the security
policy;
2) The evaluator shall review whether the developer clearly records the
measures taken for the identified vulnerability;
3) For each vulnerability, the evaluator shall review whether there is
sufficient evidence to prove that the vulnerability cannot be used in the
environment where the product is used.
b) Expected result:
The documentation provided by the developer shall meet the above
requirements.
6.3 Enhanced level test
6.3.1 Security function test
6.3.1.1 IP packet filtering
The test evaluation methods and expected results of IP packet filtering of host-
based firewall and personal firewall products are as follows:
a) Test evaluation method:
1) Configure packet filtering rules based on different packet directions, to
generate corresponding network sessions;
2) Configure packet filtering rules based on different remote IP addresses,
to generate corresponding network sessions;
3) Configure packet filtering rules based on different protocol types, to
generate corresponding network sessions;
4) Configure packet filtering rules for different filtering actions, to generate
corresponding network sessions;
5) Configure user-defined packet filtering rules, the filtering conditions are
part or all of the combination of 1) ~ 5) filtering conditions, to generate
corresponding program access operations;
3) Ask when configuring an application to access the network, to generate
the corresponding program access operation;
4) Record the test results and make a judgment on whether the results
fully meet the requirements of the above-mentioned test evaluation
methods.
b) Expected result:
The product shall be able to control the network access behavior of the
application according to the access control rules.
6.3.1.4 Rapid network cutoff/recovery
The test evaluation methods and expected results of the rapid network
cutoff/recovery of host-based firewall and personal firewall products are
as follows:
a) Test evaluation method:
1) Desktop management: Perform rapid network recovery/cutoff
operations, respectively;
2) Policy center: Randomly select some nodes, to perform rapid
network recovery/cut-off operations on the selected nodes in the
product policy center;
3) Record the test results and make a judgment on whether the
results fully meet the requirements of the above test evaluation
methods.
b) Expected result:
The product shall be able to execute corresponding policies based
on rapid cutoff/recovery operations.
6.3.1.5 Intrusion prevention
The test evaluation methods and expected results of the intrusion prevention of
host-based firewall and personal firewall products are as follows:
a) Test evaluation method:
1) Configure intrusion prevention rules; use network attack tools to
simulate attacks, to check whether the product can correctly detect
attacks;
6.3.1.9.1 Identification uniqueness
The test evaluation methods and expected results of the uniqueness of the
host-based firewall and personal firewall products are as follows:
a) Test evaluation method:
Check whether the security function of the system ensures that the
defined administrator ID is globally unique. Record the test results and
make a judgment on whether the results fully meet the requirements of
the above-mentioned test evaluation methods.
b) Expected result:
1) The system shall allow multiple administrators to be defined;
2) It shall be ensured that each administrator ID is globally unique; it is not
allowed to use one administrator ID for multiple administrators.
6.3.1.9.2 Administrator attribute definition
The test evaluation methods and expected results of the administrator attribute
definition of the host-based firewall and personal firewall products are as follows:
a) Test evaluation method:
Define multiple administrators who belong to different roles, to check
whether the entered administrator information can be saved. Record the
test results and make a judgment on whether the results fully meet the
requirements of the above-mentioned test evaluation methods.
b) Expected result:
The system shall save the security attributes for each administrator,
including: administrator identification, authentication data (such as
password), authorization information or administrator group information,
other security attributes, etc. The entered administrator information is not
lost.
6.3.1.9.3 Remote management encryption
The test evaluation methods and expected results of remote management
encryption for host-based firewall and personal firewall products are as follows:
a) Test evaluation method:
Check whether the remote management data of the host-based firewall
and personal firewall product is transmitted confidentially. Record the test
The test evaluation methods and expected results of the security audit of host-
based firewall and personal firewall products are as follows:
a) Test evaluation method:
1) Simulate and generate various audit events;
2) Check the log content and format;
3) Perform log query, backup and other operations according to the
product manual;
4) Record the test results and make a judgment on whether the results
fully meet the requirements of the above-mentioned test evaluation
methods.
b) Expected result
1) Type of recording event:
- Host-based firewall and personal firewall products shall be able to
record network communication information that matches the filtering
rules;
- The host-based firewall and personal firewall product shall be able to
record identity authentication and measures taken to prohibit further
attempts because the number of authentication failures exceeds the
threshold;
- Host-based firewall and personal firewall products shall be able to
record the addition, deletion, modification, deployment of security
policies;
- The host-based firewall and personal firewall product shall be able to
record the addition, deletion, modification of users and roles;
- Host-based firewall and personal firewall products shall be able to
record, backup, delete logs;
- The host-based firewall and personal firewall product shall be able to
record other operations of the administrator.
2) Log content:
- The content of the network communication information log matching
the filtering rules shall include the following information:
communication date and time, filtering action, remote IP address,
local port, remote port, remarks;
The content of on-site activity evidence provided by the developer
shall meet the above requirements.
6.3.2.1.2 Configuration management capabilities
6.3.2.1.2.1 Version number
The test evaluation methods and expected results of the version number are as
follows:
a) Test evaluation method:
1) The evaluator shall review whether the configuration management
support file provided by the developer contains the following content:
version number; the version number used by the developer shall be
completely corresponding to the product sample that shall be
represented; meanwhile there is no ambiguity;
2) The evaluator shall check on site whether the product sample has a
unique version number in the configuration management activities;
whether the version number corresponds exactly to the description of
the product sample and configuration management support documents.
b) Expected result:
The documents and on-site activity evidence provided by the developer
shall meet the above requirements.
6.3.2.1.2.2 Configuration items
The test evaluation methods and expected results of configuration items are as
follows:
a) Test evaluation method:
1) The evaluator shall review the configuration management document
provided by the developer, to see whether it includes a configuration
checklist and a configuration management plan. Whether the
configuration list describes all the configuration items that make up the
system;
2) The evaluator shall check on site whether the configuration items in the
configuration management system are consistent with the description
of the configuration list; whether the configuration management system
uniquely identifies all configuration items; whether the configuration
management system maintains the configuration items;
3) The evaluator shall review the configuration management document
verification are as follows:
a) Test evaluation method:
1) The evaluator shall review whether the developer provides a
correspondence analysis between all adjace......
...... Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.
|