GB/T 37956-2019 PDF in English
Information security technology -- Technology requirement for website security cloud protection platform (Status: Valid)
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Technology requirement for website security cloud protection platform
ISSUED ON: AUGUST 30, 2019
IMPLEMENTED ON: MARCH 01, 2020
Issued by: State Administration for Market Regulation; Standardization Administration of the People's Republic of China.
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview
6 Platform function requirements
6.1 Website security protection
6.2 Website compliance check
6.3 Resource management
6.4 Policy management
6.5 Statistical analysis
6.6 System expansion
7 Platform security requirements
7.1 System and communication protection
7.2 Access control
7.3 Configuration management
7.4 Security incident handling
7.5 Platform disaster recovery backup
7.6 User data protection
7.7 Audit
References
Foreword
This Standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Please note that some of the contents of this document may involve patents.
The issuing organization of this document is not responsible for identifying
these patents.
This Standard shall be under the jurisdiction of National Information Security
Standardization Technical Committee (SAC/TC 260).
The drafting organizations of this Standard: China Industrial Control Systems
Cyber Emergency Response Team, Beijing Kownsec Information Technology
Co., Ltd., Third Research Institute of the Ministry of Public Security of PRC,
China Information Security Research Institute Co., Ltd., Legendsec Information
Technology (Beijing) Inc., Alibaba Cloud Computing Co. Ltd., Hangzhou
DBAPPSecurity Co., Ltd., Sangfor Technologies Inc.
The drafters of this Standard: Zhang Ge, Yu Meng, Zhang Zheyu, Zhao
Guangming, Song Haohao, Yin Libo, He Xiaolong, Liu Ying, Zuo Xiaodong, Gu
Jian, Yang Chen, Wang Pengtao, Wang Xiaoqing, Zhou Jun, Song Zhiming,
Chen Xuexiu, Li Hongpei, Wu Yanyan, Tang Wang, Jiang Hao, Liu Wensheng,
Xiao Junfang, Li Jun, Guo Xian, Zhao Wei, Zhou Xin, Liu Bozhong, Chen Yan,
Lu Zhen, Mao Runhua, Zhang Chi.
Information security technology - Technology requirement for website security cloud protection platform
1 Scope
This Standard specifies the technical requirements of the website security cloud
protection platform, including platform functional requirements and platform
security requirements.
This Standard is applicable to the development, operation, and use of website
security cloud protection platforms, and provides a reference for government
departments, enterprises, public organizations, and other organizations or
individuals to purchase website security cloud protection platforms.
2 Normative references
The following documents are indispensable for the application of this document.
For dated references, only the dated version applies to this document. For
undated references, the latest edition (including all amendments) applies to this
document.
GB/T 25069-2010, Information security technology - Glossary
GB/T 31167-2014, Information security technology - Security guide of cloud
computing services
GB/T 31168-2014, Information security technology - Security capability
requirements of cloud computing services
GB/T 32917-2016, Information security technology - Security technique
requirements and testing and evaluation approaches for WEB application
firewall
3 Terms and definitions
Terms and definitions determined by GB/T 25069-2010 and the following ones
are applicable to this document.
3.1 Website security cloud protection platform
The collection of security protection nodes that provides website security
protection by the cloud service model, and uses centralized management and
control, collaborative defense, and other methods to update protection policies
and rules in a timely manner, and to detect, analyze, and filter the website
access requests and responses.
3.2 Website security protection cloud platform providers
Organizations or institutions which are responsible for establishing and
operating the infrastructure, network topology, and protection function
components that are related to the website security cloud protection platform,
and perform security protection and ensure website security on this platform.
3.3 Website security cloud protection platform users
Organizations or individuals that use the website security cloud protection
platform.
3.4 Platform users website data
Website-related data of website security cloud protection platform users.
Note: It includes website information, original access traffic, access logs,
operation logs, attack logs, etc.
3.5 Website operators
Organizations or individuals that are responsible for the later operation,
maintenance and management of the website.
4 Abbreviations
The following abbreviations apply to this document.
ACK: Acknowledgement
API: Application programming interface
CC: Challenge Collapsar
DNS: Domain Name System
HTTP: Hyper Text Transfer Protocol
ICMP: Internet Control Message Protocol
IP: Internet Protocol
SYN: Synchronous
TCP: Transport Control Protocol
UDP: User Datagram Protocol
URL: Uniform Resource Locator
WEB: World Wide Web
5 Overview
The website security cloud protection platform is composed of interconnected
and uniformly-dispatched security protection nodes. Through the cloud service
model, the platform centrally and quickly deploys and updates protection
policies, filters and cleans malicious requests on websites, and improves the
ability of website security protection.
The technical requirements of the website security cloud protection platform are
divided into two aspects: platform functional requirements and platform security
requirements. The functional requirements include website security protection,
website compliance checking, resource management, and policy management;
the security requirements include system and communication protection,
access control, configuration management, security incident handling, and
platform disaster recovery backup.
According to the sensitivity of the business and information that are carried by
the protection website, the technical requirements of the website security cloud
protection platform are divided into general requirements and enhanced
requirements. The general requirements are the basic functions and security
requirements that a website security cloud protection platform shall have in
developing a website security protection business. The enhanced requirements
are supplements and enhancements to the general requirements. Website
security cloud protection platform users can choose the website security cloud
protection platform of corresponding security requirements according to the
sensitivity of their own business type and the carried information. 6.3 and 6.4 of
GB/T 31167-2014 give corresponding methods to determine the sensitivity of
the business type and the carried information.
6 Platform function requirements
6.1 Website security protection
6.1.1 WEB attack defense
6.1.1.1 General requirements
It shall support the identification of WEB attack types and block direct or indirect
attacks, including:
a) security protection functions that are required by 4.1.1.2.2 in GB/T 32917-2016;
b) brute-force protection;
c) Webshell identification and interception;
d) directory traversal protection;
e) Cookie injection attack protection;
f) malicious code execution protection.
6.1.1.2 Enhanced requirements
It shall have other WEB attack protection functions.
6.1.2 DDoS attack defense
6.1.2.1 General requirements
It shall support DDoS cleaning, and have the functions to prevent denial of
service attacks such as SYN Flood, ACK Flood, ICMP Flood, UDP Flood, HTTP
Flood, DNS Flood, and CC attack.
6.1.2.2 Enhanced requirements
None.
6.1.3 Protection policy configuration
6.1.3.1 General requirements
It shall meet the following requirements:
a) provide default security protection policies;
b) provide strategy models, such as detection and protection;
c) support platform users to configure and select protection policies.
6.1.3.2 Enhanced requirements
It shall support platform users to review blocked access requests and
corresponding protection policies, and to report false negatives and false
positives.
6.1.4 Cooperative defense
6.1.4.1 General requirements
It shall meet the following requirements:
a) Support the identification of attacks by common domain names, IP addresses, and other information; record and analyze attacker behavior; block malicious attacker IP addresses and the like across the entire cloud protection scope;
b) For malicious attack IP addresses and other information that are provided by trusted third parties, support identification, analysis and blocking within the entire cloud protection scope.
6.1.4.2 Enhanced requirements
None.
6.1.5 Content security
6.1.5.1 Sensitive information filtration
6.1.5.1.1 General requirements
It shall support custom sensitive words, and filter the sensitive words in the text
content of the website.
6.1.5.1.2 Enhanced requirements
It can support the filtering of content such as images that involve sensitive information.
6.1.5.2 Error page handling
6.1.5.2.1 General requirements
It shall meet the following requirements:
a) Support the customization of the error page that is returned by the website server; the error message shall not leak content that is related to the security of the website;
b) Support showing error messages to authorized personnel only.
6.1.5.2.2 Enhanced requirements
None.
6.1.5.3 Tamper response
6.1.5.3.1 General requirements
It shall support the function of providing a platform user-designated untampered
page mirror within a predefined time and alerting when an abnormality is found.
6.1.5.3.2 Enhanced requirements
It shall support automatic monitoring to detect page tampering within a
predefined time.
6.1.6 Website monitoring
6.1.6.1 General requirements
It shall meet the following requirements:
a) It shall support website availability monitoring;
b) It shall monitor and record the situation where the website is attacked,
including attack type and attack time, and alert the platform users when
abnormalities are found.
6.1.6.2 Enhanced requirements
None.
6.1.7 Website access control
6.1.7.1 General requirements
It shall meet the following requirements:
a) support the setting of IP address whitelist or website URL whitelist to
reserve access channels for website visitors;
b) support the setting of IP address blacklist to block visitors who are included
in the IP address blacklist;
c) support access control over all access requests to the website within a predefined time period, configurable as block or pass;
d) support setting access requests to predefined URL pages to block or pass;
e) support combinations of the above access control policies.
6.1.7.2 Enhanced requirements
None.
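The access control clause above lists policy types a) to e) but does not fix how they combine. The following evaluator is an added illustration, not code from GB/T 37956-2019 or from any platform vendor; the precedence order, the policy names and the RFC 5737 documentation addresses are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed precedence (the clause fixes no order):
# IP whitelist > URL whitelist > IP blacklist > URL rule > time window > default pass.

@dataclass
class AccessPolicy:
    ip_whitelist: list[str] = field(default_factory=list)    # 6.1.7 a) reserved channels
    url_whitelist: list[str] = field(default_factory=list)   # 6.1.7 a) reserved channels
    ip_blacklist: list[str] = field(default_factory=list)    # 6.1.7 b)
    url_rules: dict[str, str] = field(default_factory=dict)  # 6.1.7 d) path -> "block"/"pass"
    time_windows: list[tuple[time, time, str]] = field(default_factory=list)  # 6.1.7 c)

def _ip_in(ip: str, cidrs: list[str]) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(c, strict=False) for c in cidrs)

def _in_window(now: time, start: time, end: time) -> bool:
    # A window may wrap past midnight, e.g. 22:00-06:00.
    if start <= end:
        return start <= now < end
    return now >= start or now < end

def decide(policy: AccessPolicy, client_ip: str, path: str, when: datetime) -> tuple[str, str]:
    """Return (action, reason) for one request; applying all rules together is 6.1.7 e)."""
    if _ip_in(client_ip, policy.ip_whitelist):
        return "pass", "6.1.7 a) IP whitelist"
    if path in policy.url_whitelist:
        return "pass", "6.1.7 a) URL whitelist"
    if _ip_in(client_ip, policy.ip_blacklist):
        return "block", "6.1.7 b) IP blacklist"
    if path in policy.url_rules:
        return policy.url_rules[path], "6.1.7 d) URL rule"
    for start, end, action in policy.time_windows:
        if _in_window(when.time(), start, end):
            return action, "6.1.7 c) time window"
    return "pass", "default"

# Constructed policy; addresses come from the RFC 5737 documentation ranges.
EXAMPLE_POLICY = AccessPolicy(
    ip_whitelist=["203.0.113.0/24"],
    url_whitelist=["/health"],
    ip_blacklist=["198.51.100.7/32"],
    url_rules={"/admin": "block"},
    time_windows=[(time(22, 0), time(6, 0), "block")],  # nightly block window
)

def demo_decisions() -> dict[str, tuple[str, str]]:
    """Evaluate constructed requests against EXAMPLE_POLICY."""
    cases = {
        "whitelist_wins": ("203.0.113.5", "/admin", datetime(2020, 3, 1, 23, 0)),
        "url_whitelist_beats_blacklist": ("198.51.100.7", "/health", datetime(2020, 3, 1, 12, 0)),
        "blacklisted": ("198.51.100.7", "/index.html", datetime(2020, 3, 1, 12, 0)),
        "url_rule": ("192.0.2.10", "/admin", datetime(2020, 3, 1, 12, 0)),
        "wrapped_window": ("192.0.2.10", "/index.html", datetime(2020, 3, 2, 5, 59)),
        "daytime_default": ("192.0.2.10", "/index.html", datetime(2020, 3, 1, 12, 0)),
    }
    return {name: decide(EXAMPLE_POLICY, *args) for name, args in cases.items()}

if __name__ == "__main__":
    for name, result in demo_decisions().items():
        print(f"{name}: {result}")
```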
6.2 Website compliance check
6.2.1 General requirements
It shall support compliance checks before a website is connected to the platform, and refuse non-compliant websites such as unregistered sites.
6.2.2 Enhanced requirements
It shall support regular review of the compliance of accessed websites.
6.3 Resource management
6.3.1 Resource operation monitoring
6.3.1.1 General requirements
It shall meet the following requirements:
a) Support unified monitoring of software and hardware platform resources
such as DNS, bandwidth, and protection nodes that support the platform's
operation;
b) Support unified detection of resource usage such as network bandwidth,
traffic processing delay, host system load, and site access success rate of
the protection node/ host;
c) Support timely detection of abnormal use of resources and alarm;
d) Support regular analysis of resource usage and of the business volume carried by the platform; assess current business, platform user capacity expansion and new user access needs; generate analysis reports;
e) It shall provide query, statistics and report output functions for resource
usage records.
6.3.1.2 Enhanced requirements
None.
6.3.2 Centralized management and control of resources
6.3.2.1 General requirements
It shall meet the following requirements:
a) Support the centralized deployment of platform resources such as DNS,
bandwidth, and protection nodes that support the platform's operation;
b) Support scheduling website access traffic, via DNS in the WAN or at the protection node, according to the analysis results of protection node/host resource usage;
c) Support centralized analysis and maintenance of website and user
configuration information, platform log information and other resources;
d) Support the centralized deployment of platform resources under
uninterrupted service.
6.3.2.2 Enhanced requirements
None.
6.4 Policy management
6.4.1 Centralized policy management and control
6.4.1.1 General requirements
It shall meet the requirements of centralized maintenance and management of
website protection policies, and support centralized addition, modification, and
deactivation of policy configuration.
6.4.1.2 Enhanced requirements
None.
6.4.2 Policy optimization update
6.4.2.1 General requirements
It shall meet the following requirements:
a) Support timely optimization of website security protection policies;
b) Support the timely tracking, discovery and response to unknown attack
methods and web security vulnerabilities;
c) Support timely addition of corresponding security protection rules or
update of security protection policies after WEB security vulnerability
notification.
6.4.2.2 Enhanced requirements
None.
6.5 Statistical analysis
6.5.1 General requirements
It shall meet the following requirements:
a) Support statistical analysis of alarm logs in a certain period of time;
b) Support statistical analysis of the number of events of different attack
types;
c) Support statistical analysis of attack geographic areas;
d) Support statistical analysis of attack source IP;
e) Provide visual charts of the above statistics, with display by time dimensions such as day, week and custom periods.
6.5.2 Enhanced requirements
None.
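One way to compute the statistics in 6.5.1 a) to e) over alarm logs, as an added example that is not part of the standard; the log line format and the sample records are constructed for the illustration, and malformed records are dropped rather than guessed at.

```python
from collections import Counter
from datetime import datetime

# Constructed alarm log: "<ISO timestamp> <attack type> <source IP> <region>".
# The third line is deliberately malformed to show that it is skipped.
SAMPLE_ALARMS = """\
2020-03-01T09:15:02 sql_injection 192.0.2.10 region-A
2020-03-01T09:15:09 sql_injection 192.0.2.10 region-A
bad record without timestamp
2020-03-01T13:40:51 webshell 198.51.100.7 region-B
2020-03-02T02:03:17 brute_force 203.0.113.44 region-C
2020-03-03T22:10:00 cc_flood 203.0.113.44 region-C
2020-03-09T08:00:00 directory_traversal 192.0.2.10 region-A
"""

def parse_alarms(text):
    """Yield (timestamp, attack_type, src_ip, region); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]

def alarm_statistics(text, start, end, bucket="day"):
    """Counts over the half-open period [start, end) given as ISO strings.

    bucket is 'day' or 'week' and selects the time dimension of 6.5.1 e).
    """
    start_ts, end_ts = datetime.fromisoformat(start), datetime.fromisoformat(end)
    by_type, by_region, by_src, by_bucket = Counter(), Counter(), Counter(), Counter()
    for ts, kind, src, region in parse_alarms(text):
        if not (start_ts <= ts < end_ts):
            continue                 # 6.5.1 a): only alarms inside the chosen period
        by_type[kind] += 1           # 6.5.1 b): events per attack type
        by_region[region] += 1       # 6.5.1 c): attack geographic areas
        by_src[src] += 1             # 6.5.1 d): attack source IP
        if bucket == "week":
            year, week, _ = ts.isocalendar()
            key = f"{year}-W{week:02d}"
        else:
            key = ts.date().isoformat()
        by_bucket[key] += 1          # 6.5.1 e): day or week series for charting
    return {"by_type": by_type, "by_region": by_region, "by_src": by_src, "by_bucket": by_bucket}

if __name__ == "__main__":
    stats = alarm_statistics(SAMPLE_ALARMS, "2020-03-01", "2020-03-08")
    for axis, counts in stats.items():
        print(axis, dict(counts))
```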
6.6 System expansion
6.6.1 General requirements
None.
6.6.2 Enhanced requirements
It shall support providing APIs to external systems, including log interfaces, security policy interfaces, report interfaces, etc.
7 Platform security requirements
7.1 System and communication protection
7.1.1 General requirements
It shall meet the general requirements of 6.2.1, 6.6.1 and 6.11.1 in GB/T 31168-2014.
7.1.2 Enhanced requirements
It shall meet the enhanced requirements of 6.2.2 [except a), g)], 6.3.2 and
6.11.2 in GB/T 31168-2014.
7.2 Access control
7.2.1 General requirements
It shall meet the general requirements of 7.2.1, 7.4.1, 7.5.1, 7.6.1, 7.7.1, 7.8.1,
7.9.1, 7.11.1, 7.12.1 and 7.13.1 in GB/T 31168-2014.
7.2.2 Enhanced requirements
It shall meet the enhanced requirements of 7.2.2, 7.3.2, 7.8.2 and 7.11.2 in
GB/T 31168-2014.
7.3 Configuration management
7.3.1 General requirements
It shall meet the general requirements of 8.3.1, 8.4.1 and 8.6.1 in GB/T 31168-2014.
7.3.2 Enhanced requirements
It shall meet the enhanced requirements of 8.3.2, 8.4.2 and 8.6.2 in GB/T 31168-2014.
7.4 Security incident handling
7.4.1 General requirements
It shall meet the following requirements:
a) Support timely release of risk alerts and early warnings of security
incidents that affect the platform itself and platform users;
b) Support the rapid implementation of emergency response after major and
above security incidents;
c) Support the recording of the process and results of security incident
disposal and timely generation of disposal reports.
7.4.2 Enhanced requirements
None.
7.5 Platform disaster recovery backup
7.5.1 General requirements
It shall meet the following requirements:
a) Establish a backup communication service. When the main
communication service is unavailable, ensure that platform users access
the platform through the backup communication service within the time
period that meets business needs;
b) Support platform data-level disaster recovery;
c) Support the recording of disaster backup and recovery processes;
d) Support disaster recovery speed/ time in accordance with the contract or
service level agreement.
7.5.2 Enhanced requirements
It shall meet the following requirements:
a) Support application-level disaster recovery;
b) Support disaster recovery in different places.
7.6 User data protection
7.6.1 General requirements
The platform users website data shall meet the following requirements:
a) Make clear that the users' website data belongs to the users and is not provided to any third party;
b) Support user data isolation; platform users can only access their own
security protection resources;
c) Support the retention of user data within the scope that is permitted by
laws and regulations; support the user-defined storage period of the
platform;
d) When using platform users website data (including data derivatives), user
authorization shall be obtained in advance, and the data can only be used
for processes such as vulnerability analysis and attack data mining which
improve the platform's security protection capabilities;
e) Support the handover of platform users website data when they exit the
platform service and destroy all their website data.
7.6.2 Enhanced requirements
None.
7.7 Audit
7.7.1 General requirements
It shall meet the general requirements of 11.1.1, 11.2.1, 11.3.1, 11.7.1 and
11.11.1 in GB/T 31168-2014.
7.7.2 Enhanced requirements
It shall meet the enhanced requirements of 11.2.2, 11.3.2, and 11.7.2 in GB/T 31168-2014.
References
[1] GB/T 28451-2012, Information security technology - Technical requirements
and testing and evaluation approaches for network-based intrusion prevention
system products
[2] GB/T 28827.1-2012, Information technology service - Operations and
maintenance - Part 1: General requirements
[3] GB/T 30276-2013, Information security technology - Vulnerability
management criterion specification
[4] GB/T 32914-2016, Information security technology - Information security
service provider management requirements
[5] Office of the Central Cyberspace Affairs Commission, An Emergency
Response Plan for Internet Security Incidents, January 10, 2017.
[6] NIST SP800-53-r4 Security and Privacy Controls for Federal Information
Systems and Organizations, June 2013.
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.