
GB/T 37956-2019 PDF in English



GB/T 37956-2019: PDF in English (GBT 37956-2019)

GB/T 37956-2019
NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80

Information security technology - Technology requirement for website security cloud protection platform

ISSUED ON: AUGUST 30, 2019
IMPLEMENTED ON: MARCH 01, 2020
Issued by: State Administration for Market Regulation; Standardization Administration of the People’s Republic of China.

Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview
6 Platform function requirements
6.1 Website security protection
6.2 Website compliance check
6.3 Resource management
6.4 Policy management
6.5 Statistical analysis
6.6 System expansion
7 Platform security requirements
7.1 System and communication protection
7.2 Access control
7.3 Configuration management
7.4 Security incident handling
7.5 Platform disaster recovery backup
7.6 User data protection
7.7 Audit
References

Foreword
This Standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Please note that some of the contents of this document may involve patents. The issuing organization of this document is not responsible for identifying these patents.
This Standard shall be under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC 260).
The drafting organizations of this Standard: China Industrial Control Systems Cyber Emergency Response Team, Beijing Kownsec Information Technology Co., Ltd., Third Research Institute of the Ministry of Public Security of PRC, China Information Security Research Institute Co., Ltd., Legendsec Information Technology (Beijing) Inc., Alibaba Cloud Computing Co. Ltd., Hangzhou DBAPPSecurity Co., Ltd., Sangfor Technologies Inc.
The drafters of this Standard: Zhang Ge, Yu Meng, Zhang Zheyu, Zhao Guangming, Song Haohao, Yin Libo, He Xiaolong, Liu Ying, Zuo Xiaodong, Gu Jian, Yang Chen, Wang Pengtao, Wang Xiaoqing, Zhou Jun, Song Zhiming, Chen Xuexiu, Li Hongpei, Wu Yanyan, Tang Wang, Jiang Hao, Liu Wensheng, Xiao Junfang, Li Jun, Guo Xian, Zhao Wei, Zhou Xin, Liu Bozhong, Chen Yan, Lu Zhen, Mao Runhua, Zhang Chi.

Information security technology - Technology requirement for website security cloud protection platform

1 Scope
This Standard specifies the technical requirements of the website security cloud protection platform, including platform functional requirements and platform security requirements.
This Standard is applicable to the development, operation, and use of website security cloud protection platforms, and provides a reference for government departments, enterprises, public organizations, and other organizations or individuals that purchase website security cloud protection platforms.

2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 25069-2010, Information security technology - Glossary
GB/T 31167-2014, Information security technology - Security guide of cloud computing services
GB/T 31168-2014, Information security technology - Security capability requirements of cloud computing services
GB/T 32917-2016, Information security technology - Security technique requirements and testing and evaluation approaches for WEB application firewall

3 Terms and definitions
Terms and definitions determined by GB/T 25069-2010 and the following ones are applicable to this document.
3.1 Website security cloud protection platform
The collection of security protection nodes that provides website security protection through the cloud service model, uses centralized management and control, collaborative defense and other methods to update protection policies and rules in a timely manner, and detects, analyzes and filters website access requests and responses.

3.2 Website security cloud protection platform providers
Organizations or institutions that are responsible for establishing and operating the infrastructure, network topology and protection function components of the website security cloud protection platform, and that perform security protection and ensure website security on this platform.

3.3 Website security cloud protection platform users
Organizations or individuals that use the website security cloud protection platform.

3.4 Platform users' website data
Website-related data of website security cloud protection platform users.
Note: It includes website information, original access traffic, access logs, operation logs, attack logs, etc.

3.5 Website operators
Organizations or individuals that are responsible for the later operation, maintenance and management of the website.

4 Abbreviations
The following abbreviations apply to this document.
ACK: Acknowledgement
API: Application programming interface
CC: Challenge Collapsar
DNS: Domain Name System
HTTP: Hyper Text Transfer Protocol
ICMP: Internet Control Message Protocol
IP: Internet Protocol
SYN: Synchronous
TCP: Transport Control Protocol
UDP: User Datagram Protocol
URL: Uniform Resource Locator
WEB: World Wide Web

5 Overview
The website security cloud protection platform is composed of interconnected and uniformly dispatched security protection nodes. Through the cloud service model, the platform centrally and quickly deploys and updates protection policies, filters and cleans malicious requests to websites, and improves the ability of website security protection.
The technical requirements of the website security cloud protection platform are divided into two aspects: platform functional requirements and platform security requirements. The functional requirements include website security protection, website compliance checking, resource management, and policy management; the security requirements include system and communication protection, access control, configuration management, security incident handling, and platform disaster recovery backup.

According to the sensitivity of the business and information carried by the protected website, the technical requirements of the website security cloud protection platform are divided into general requirements and enhanced requirements. The general requirements are the basic functions and security requirements that a website security cloud protection platform shall have when operating a website security protection business. The enhanced requirements are supplements and enhancements to the general requirements. Website security cloud protection platform users can choose a website security cloud protection platform of the corresponding security requirements according to the sensitivity of their own business type and the carried information. 6.3 and 6.4 of GB/T 31167-2014 give corresponding methods to determine the sensitivity of the business type and the carried information.

6 Platform function requirements

6.1 Website security protection

6.1.1 WEB attack defense
6.1.1.1 General requirements
It shall support the identification of WEB attack types and block direct or indirect attacks, including:
a) the security protection functions required by 4.1.1.2.2 in GB/T 32917-2016;
b) brute-force protection;
c) Webshell identification and interception;
d) directory traversal protection;
e) Cookie injection attack protection;
f) malicious code execution protection.
6.1.1.2 Enhanced requirements
It shall have other WEB attack protection functions.
6.1.2 DDoS attack defense
6.1.2.1 General requirements
It shall support DDoS cleaning, and have the functions to prevent denial of service attacks such as SYN Flood, ACK Flood, ICMP Flood, UDP Flood, HTTP Flood, DNS Flood, and CC attack.
6.1.2.2 Enhanced requirements
None.

6.1.3 Protection policy configuration
6.1.3.1 General requirements
It shall meet the following requirements:
a) provide default security protection policies;
b) provide policy modes, such as detection and protection;
c) support platform users to configure and select protection policies.
6.1.3.2 Enhanced requirements
It shall support platform users to review blocked access requests and the corresponding protection policies, and to report false negatives and false positives.

6.1.4 Cooperative defense
6.1.4.1 General requirements
It shall meet the following requirements:
a) Support identification of attacks by domain name, IP address and other common information; record and analyze attacker behaviors; block malicious attacker IP addresses and the like across the entire cloud protection scope;
b) For malicious attack IP addresses and other information provided by trusted third parties, support identification, analysis and blocking within the entire cloud protection scope.
6.1.4.2 Enhanced requirements
None.

6.1.5 Content security
6.1.5.1 Sensitive information filtration
6.1.5.1.1 General requirements
It shall support custom sensitive words, and filter the sensitive words in the text content of the website.
6.1.5.1.2 Enhanced requirements
It can support the filtration of content such as pictures involving sensitive information.

6.1.5.2 Error page handling
6.1.5.2.1 General requirements
It shall meet the following requirements:
a) Support customization of the error page returned by the website server; the error message cannot leak content related to the security of the website;
b) Support showing error messages to authorized personnel only.
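As an added illustration of 6.1.5.2 (error page handling), and not part of the standard's text or of any vendor's platform: a Python sketch of how a protection node could replace origin error responses with a page the platform user configured, pass the original message only to authorized personnel, and check that neither the origin message nor the configured page leaks security-relevant detail. The response structure, the leak indicators, the configured pages and the sample origin error are all constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass
class HttpResponse:
    status: int
    body: str


# Constructed example of what an unhardened origin server might return on failure.
SAMPLE_ORIGIN_ERROR = HttpResponse(
    status=500,
    body=(
        "Internal Server Error\n"
        "Traceback (most recent call last):\n"
        '  File "/srv/app/views.py", line 42, in checkout\n'
        "sqlite3.OperationalError: no such table: orders\n"
        "Served by nginx/1.18.0 on 10.0.0.12\n"
    ),
)

# Hypothetical error pages configured by the platform user (6.1.5.2 a).
CUSTOM_ERROR_PAGES = {
    500: "<html><body><h1>Service temporarily unavailable</h1></body></html>",
    404: "<html><body><h1>Page not found</h1></body></html>",
}
DEFAULT_ERROR_PAGE = "<html><body><h1>An error occurred</h1></body></html>"

# Indicators that an error body reveals detail useful to an attacker: stack
# traces, source paths, server software versions, internal addresses and
# database error strings. Constructed list; extend it for the stack in use.
LEAK_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)|\bat [\w$.]+\([\w.]*:\d+\)"),
    re.compile(r"/[\w./-]+\.(?:py|php|jsp|java|rb|cs)\b"),
    re.compile(r"\b(?:nginx|apache|iis|tomcat|openssl|php)/\d", re.I),
    re.compile(r"\b(?:10|127|192\.168|172\.(?:1[6-9]|2\d|3[01]))(?:\.\d{1,3}){2,3}\b"),
    re.compile(r"\b(?:sql|mysql|sqlite|postgres|oracle)[\w.]*(?:error|exception)\b", re.I),
]


def leaks_sensitive_detail(body: str) -> bool:
    """True if the body matches any leak indicator."""
    return any(p.search(body) for p in LEAK_PATTERNS)


def validate_custom_pages(pages: dict) -> list:
    """Return the status codes whose configured page itself leaks detail."""
    return [code for code, html in pages.items() if leaks_sensitive_detail(html)]


def handle_error_response(resp: HttpResponse, viewer_authorized: bool) -> HttpResponse:
    """Rewrite an origin error response before it reaches the visitor.

    Authorized personnel (6.1.5.2 b) see the original message; everyone else
    receives the page configured for that status, or a generic page.
    """
    if resp.status < 400 or viewer_authorized:
        return resp
    page = CUSTOM_ERROR_PAGES.get(resp.status, DEFAULT_ERROR_PAGE)
    return HttpResponse(resp.status, page)
```

Running validate_custom_pages against the configured pages at policy-save time, rather than only filtering origin responses at request time, catches the case where an administrator pastes a debug page into the custom template.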
6.1.5.2.2 Enhanced requirements
None.

6.1.5.3 Tamper response
6.1.5.3.1 General requirements
It shall support providing a platform-user-designated untampered page mirror within a predefined time and alerting when an abnormality is found.
6.1.5.3.2 Enhanced requirements
It shall support automatic monitoring to detect page tampering within a predefined time.

6.1.6 Website monitoring
6.1.6.1 General requirements
It shall meet the following requirements:
a) It shall support website availability monitoring;
b) It shall monitor and record the situation where the website is attacked, including attack type and attack time, and alert the platform users when abnormalities are found.
6.1.6.2 Enhanced requirements
None.

6.1.7 Website access control
6.1.7.1 General requirements
It shall meet the following requirements:
a) support the setting of an IP address whitelist or website URL whitelist to reserve access channels for website visitors;
b) support the setting of an IP address blacklist to block visitors who are included in the IP address blacklist;
c) support access control over any access request to the website within a predefined time period, set to block or pass;
d) support setting access requests for predefined URL pages to block or pass;
e) support a combination of the above access control policies.
6.1.7.2 Enhanced requirements
None.

6.2 Website compliance check
6.2.1 General requirements
It shall support compliance checks before a website is onboarded, and refuse non-compliant access such as undocumented sites.
6.2.2 Enhanced requirements
It shall support regular review of the compliance of onboarded websites.
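As an added example of how the access control policies in 6.1.7 a) to e) can be combined in one evaluator, not code from the standard or from any platform vendor: the policy structure, the evaluation order (whitelists first so a reserved channel is never cut off, then the IP blacklist, then time-window rules, then the longest matching URL rule, then a default) and the sample policy are assumptions made for this example; the IP addresses are documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class AccessRequest:
    src_ip: str
    path: str
    at: datetime


@dataclass
class AccessPolicy:
    """Access control settings a platform user may combine (6.1.7 a-e)."""
    ip_whitelist: list = field(default_factory=list)   # CIDR strings, a)
    url_whitelist: list = field(default_factory=list)  # path prefixes, a)
    ip_blacklist: list = field(default_factory=list)   # CIDR strings, b)
    time_windows: list = field(default_factory=list)   # (start, end, action), c)
    url_rules: dict = field(default_factory=dict)      # path prefix -> action, d)
    default_action: str = "pass"


def ip_in_any(ip: str, cidrs: list) -> bool:
    """True if ip falls in any listed network (version mismatch is simply False)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def in_window(t: time, start: time, end: time) -> bool:
    """Half-open window [start, end); a window may wrap past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def evaluate(policy: AccessPolicy, req: AccessRequest) -> tuple:
    """Return (action, reason) where action is "block" or "pass".

    Precedence is this example's assumption, not prescribed by the standard.
    """
    if ip_in_any(req.src_ip, policy.ip_whitelist):
        return "pass", "ip_whitelist"
    if any(req.path.startswith(p) for p in policy.url_whitelist):
        return "pass", "url_whitelist"
    if ip_in_any(req.src_ip, policy.ip_blacklist):
        return "block", "ip_blacklist"
    t = req.at.time()
    for start, end, action in policy.time_windows:
        if in_window(t, start, end):
            return action, "time_window"
    # Longest matching prefix wins so a narrower rule can override a broader one.
    for prefix in sorted(policy.url_rules, key=len, reverse=True):
        if req.path.startswith(prefix):
            return policy.url_rules[prefix], "url_rule:" + prefix
    return policy.default_action, "default"


def decide(policy: AccessPolicy, src_ip: str, path: str, when_iso: str) -> tuple:
    """Convenience wrapper taking the request time as an ISO 8601 string."""
    return evaluate(policy, AccessRequest(src_ip, path, datetime.fromisoformat(when_iso)))


# Constructed policy for a hypothetical site.
EXAMPLE_POLICY = AccessPolicy(
    ip_whitelist=["203.0.113.0/24"],                   # operator's office network
    url_whitelist=["/health"],                          # uptime probe must always pass
    ip_blacklist=["198.51.100.7/32"],
    time_windows=[(time(2, 0), time(4, 0), "block")],   # nightly maintenance window
    url_rules={"/admin": "block", "/admin/public": "pass"},
)

# Constructed policy whose block window wraps past midnight.
NIGHT_POLICY = AccessPolicy(time_windows=[(time(22, 0), time(1, 0), "block")])
```

Returning the reason alongside the action is what makes 6.1.3.2 (letting users review blocked requests and report false positives) practical: the log entry names the exact rule that fired.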
6.3 Resource management
6.3.1 Resource operation monitoring
6.3.1.1 General requirements
It shall meet the following requirements:
a) Support unified monitoring of the software and hardware platform resources, such as DNS, bandwidth and protection nodes, that support the platform's operation;
b) Support unified detection of resource usage such as network bandwidth, traffic processing delay, host system load, and site access success rate of the protection node/host;
c) Support timely detection of abnormal use of resources and alarm;
d) Support regular analysis of resource usage and the business volume carried by the platform; assess current business, platform user capacity expansion and new user access needs; generate analysis reports;
e) Provide query, statistics and report output functions for resource usage records.
6.3.1.2 Enhanced requirements
None.

6.3.2 Centralized management and control of resources
6.3.2.1 General requirements
It shall meet the following requirements:
a) Support the centralized deployment of platform resources, such as DNS, bandwidth and protection nodes, that support the platform's operation;
b) Support the deployment of website access traffic via DNS in the WAN or the protection node according to the analysis results of protection node/host resource usage;
c) Support centralized analysis and maintenance of website and user configuration information, platform log information and other resources;
d) Support the centralized deployment of platform resources without service interruption.
6.3.2.2 Enhanced requirements
None.

6.4 Policy management
6.4.1 Centralized policy management and control
6.4.1.1 General requirements
It shall meet the requirements of centralized maintenance and management of website protection policies, and support centralized addition, modification, and deactivation of policy configuration.
6.4.1.2 Enhanced requirements
None.
6.4.2 Policy optimization update
6.4.2.1 General requirements
It shall meet the following requirements:
a) Support timely optimization of website security protection policies;
b) Support the timely tracking, discovery and response to unknown attack methods and web security vulnerabilities;
c) Support timely addition of corresponding security protection rules or update of security protection policies after a WEB security vulnerability notification.
6.4.2.2 Enhanced requirements
None.

6.5 Statistical analysis
6.5.1 General requirements
It shall meet the following requirements:
a) Support statistical analysis of alarm logs in a certain period of time;
b) Support statistical analysis of the number of events of different attack types;
c) Support statistical analysis of attack geographic areas;
d) Support statistical analysis of attack source IP;
e) Support visual charts of the above statistics, with display in time dimensions such as day, week and custom time.
6.5.2 Enhanced requirements
None.

6.6 System expansion
6.6.1 General requirements
None.
6.6.2 Enhanced requirements
It shall support the provision of various API interfaces to external systems, including log interfaces, security policy interfaces, report interfaces, etc.

7 Platform security requirements

7.1 System and communication protection
7.1.1 General requirements
It shall meet the general requirements of 6.2.1, 6.6.1 and 6.11.1 in GB/T 31168-2014.
7.1.2 Enhanced requirements
It shall meet the enhanced requirements of 6.2.2 [except a), g)], 6.3.2 and 6.11.2 in GB/T 31168-2014.

7.2 Access control
7.2.1 General requirements
It shall meet the general requirements of 7.2.1, 7.4.1, 7.5.1, 7.6.1, 7.7.1, 7.8.1, 7.9.1, 7.11.1, 7.12.1 and 7.13.1 in GB/T 31168-2014.
7.2.2 Enhanced requirements
It shall meet the enhanced requirements of 7.2.2, 7.3.2, 7.8.2 and 7.11.2 in GB/T 31168-2014.
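As an added example of the statistical analysis in 6.5.1 a) to e), not code from the standard or from any platform: the alarm log format (one "timestamp key=value ..." line per event), the sample lines and the field names are constructed for this example. The function aggregates a time range of alarms by attack type, geographic area and source IP, and buckets them by day or ISO week, which is the data behind the charts the clause asks for.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed alarm log in a hypothetical "timestamp key=value ..." format.
SAMPLE_ALARM_LOG = """\
2024-03-01T10:15:00Z type=sqli src=192.0.2.10 geo=CN-Beijing site=www.example.com action=block
2024-03-01T10:16:30Z type=sqli src=192.0.2.10 geo=CN-Beijing site=www.example.com action=block
2024-03-01T11:02:00Z type=xss src=198.51.100.7 geo=US-California site=www.example.com action=block
2024-03-02T09:40:00Z type=cc_flood src=203.0.113.5 geo=CN-Shanghai site=www.example.com action=block
2024-03-02T09:41:00Z type=cc_flood src=203.0.113.5 geo=CN-Shanghai site=www.example.com action=block
2024-03-02T09:42:00Z type=cc_flood src=203.0.113.6 geo=CN-Shanghai site=www.example.com action=block
2024-03-09T23:59:00Z type=webshell src=198.51.100.7 geo=US-California site=www.example.com action=block
"""


def parse_alarm_line(line: str) -> dict:
    """Split one log line into a dict; the timestamp becomes an aware UTC datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def load_alarms(text: str) -> list:
    return [parse_alarm_line(l) for l in text.splitlines() if l.strip()]


def bucket_key(ts: datetime, bucket: str) -> str:
    """Label for the time dimension: calendar day or ISO week."""
    if bucket == "day":
        return ts.strftime("%Y-%m-%d")
    if bucket == "week":
        year, week, _ = ts.isocalendar()
        return f"{year}-W{week:02d}"
    raise ValueError(f"unknown bucket {bucket!r}")


def summarize(records: list, start_iso: str, end_iso: str, bucket: str = "day") -> dict:
    """Aggregate alarms in [start, end) (ISO 8601 strings, treated as UTC).

    Returns event totals by attack type (6.5.1 b), geographic area (c),
    source IP (d) and time bucket (e) for the chosen custom period (a).
    """
    start = datetime.fromisoformat(start_iso).replace(tzinfo=timezone.utc)
    end = datetime.fromisoformat(end_iso).replace(tzinfo=timezone.utc)
    window = [r for r in records if start <= r["ts"] < end]
    return {
        "total": len(window),
        "by_type": Counter(r["type"] for r in window),
        "by_geo": Counter(r["geo"] for r in window),
        "by_src": Counter(r["src"] for r in window),
        "by_bucket": Counter(bucket_key(r["ts"], bucket) for r in window),
    }


def top_sources(summary: dict, n: int = 5) -> list:
    """Most active source IPs, as (ip, count) pairs, for a chart or a blocklist review."""
    return summary["by_src"].most_common(n)
```

Keeping timestamps timezone-aware matters here: a platform serving users across regions that buckets by naive local time will split one attack burst across two days depending on which node logged it.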
7.3 Configuration management
7.3.1 General requirements
It shall meet the general requirements of 8.3.1, 8.4.1 and 8.6.1 in GB/T 31168-2014.
7.3.2 Enhanced requirements
It shall meet the enhanced requirements of 8.3.2, 8.4.2 and 8.6.2 in GB/T 31168-2014.

7.4 Security incident handling
7.4.1 General requirements
It shall meet the following requirements:
a) Support timely release of risk alerts and early warnings of security incidents that affect the platform itself and platform users;
b) Support rapid implementation of emergency response after major and above security incidents;
c) Support recording of the process and results of security incident disposal and timely generation of disposal reports.
7.4.2 Enhanced requirements
None.

7.5 Platform disaster recovery backup
7.5.1 General requirements
It shall meet the following requirements:
a) Establish a backup communication service. When the main communication service is unavailable, ensure that platform users access the platform through the backup communication service within the time period that meets business needs;
b) Support platform data-level disaster recovery;
c) Support recording of disaster backup and recovery processes;
d) Support disaster recovery speed/time in accordance with the contract or service level agreement.
7.5.2 Enhanced requirements
It shall meet the following requirements:
a) Support application-level disaster recovery;
b) Support disaster recovery in different places.
7.6 User data protection
7.6.1 General requirements
The platform users' website data shall meet the following requirements:
a) It is clear that the user's website data belongs to the user and is not provided to any third party;
b) Support user data isolation; platform users can only access their own security protection resources;
c) Support retention of user data within the scope permitted by laws and regulations; support a user-defined storage period on the platform;
d) When using platform users' website data (including data derivatives), user authorization shall be obtained in advance, and the data can only be used for processes such as vulnerability analysis and attack data mining that improve the platform's security protection capabilities;
e) Support handover of platform users' website data when they exit the platform service, and destruction of all their website data.
7.6.2 Enhanced requirements
None.

7.7 Audit
7.7.1 General requirements
It shall meet the general requirements of 11.1.1, 11.2.1, 11.3.1, 11.7.1 and 11.11.1 in GB/T 31168-2014.
7.7.2 Enhanced requirements
It shall meet the enhanced requirements of 11.2.2, 11.3.2, and 11.7.2 in GB/T 31168-2014.

References
[1] GB/T 28451-2012, Information security technology - Technical requirements and testing and evaluation approaches for network-based intrusion prevention system products
[2] GB/T 28827.1-2012, Information technology service - Operations and maintenance - Part 1: General requirements
[3] GB/T 30276-2013, Information security technology - Vulnerability management criterion specification
[4] GB/T 32914-2016, Information security technology - Information security service provider management requirements
[5] Office of the Central Cyberspace Affairs Commission, An Emergency Response Plan for Internet Security Incidents, January 10, 2017.
[6] NIST SP800-53-r4, Security and Privacy Controls for Federal Information Systems and Organizations, June 2013.
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.