
GB/T 25068.5-2021 English PDF

US$409.00 · In stock
Delivery: <= 4 days. The true-PDF full copy in English will be manually translated and delivered via email.
GB/T 25068.5-2021: Information technology - Security techniques - Network security - Part 5: Securing communications across networks using virtual private networks
Status: Valid

GB/T 25068.5: Historical versions

Standard ID | USD | Buy PDF | Lead days | Standard title (description) | Status
GB/T 25068.5-2021 | 409 | Add to Cart | 4 days | Information technology - Security techniques - Network security - Part 5: Securing communications across networks using virtual private networks | Valid
GB/T 25068.5-2010 | 799 | Add to Cart | 3 days | Information technology -- Security techniques -- IT network security -- Part 5: Securing communications across networks using virtual private networks | Obsolete

Similar standards

GB/T 25068.1   GB/T 25070   GB/T 25061   GB/T 25068.4   GB/T 25069   GB/T 25068.3   

Basic data

Standard ID: GB/T 25068.5-2021 (GB/T25068.5-2021)
Description (Translated English): Information technology - Security techniques - Network security - Part 5: Securing communications across networks using virtual private networks
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Word Count Estimation: 22,253
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration

GB/T 25068.5-2021: Information technology - Security techniques - Network security - Part 5: Securing communications across networks using virtual private networks


--- This is a DRAFT version for illustration, not a final translation. The full true-PDF in English (including equations, symbols, images, flow-charts, tables and figures) will be manually and carefully translated upon your order.

Information technology - Security techniques - Network security - Part 5: Securing communications across networks using virtual private networks
ICS 35.040
L80
National Standard of the People's Republic of China
Replaces GB/T 25068.5-2010
(ISO/IEC 27033-5:2013, MOD)
Released on 2021-03-09; implemented on 2021-10-01
Issued by the State Administration for Market Regulation and the China National Standardization Administration

Table of contents

Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview
5.1 Introduction
5.2 VPN types
6 Security threats
7 Security requirements
7.1 Overview
7.2 Confidentiality
7.3 Integrity
7.4 Authentication
7.5 Authorization
7.6 Availability
7.7 Tunnel endpoint security
8 Security controls
8.1 Security aspects
8.2 Virtual circuits
9 VPN related technologies
9.1 Overview
9.2 Regulatory and legal aspects
9.3 VPN management aspects
9.4 VPN architecture aspects
9.4.1 Overview
9.4.2 Endpoint security
9.4.3 Termination point security
9.4.4 Malware protection
9.4.5 Authentication
9.4.6 Intrusion detection and prevention systems
9.4.7 Security gateways
9.4.8 Network design
9.4.9 Other connections
9.4.10 Split tunneling
9.4.11 Log audit and network monitoring
9.4.12 Management of technical vulnerabilities
9.4.13 Public network routing encryption
9.5 VPN technical considerations
9.5.1 Background
9.5.2 VPN device management
9.5.3 VPN security monitoring
10 Product selection guide
10.1 Choice of bearer protocol
10.2 VPN devices
Appendix A (informative) TISec technology
References

1 Scope

This part of GB/T 25068 specifies the security requirements for using virtual private networks (VPNs) to interconnect networks and to connect remote users to networks, and gives guidelines for selecting, implementing and monitoring the technical controls necessary for providing network security with VPNs. This part applies to personnel responsible for selecting and implementing the technical controls needed to provide network security when using VPNs, as well as to personnel responsible for the subsequent monitoring of VPN security.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.

GB/T 9387 (all parts) Information technology - Open Systems Interconnection - Basic Reference Model [ISO 7498 (all parts)]
GB/T 17901.1-2020 Information technology - Security techniques - Key management - Part 1: Framework (ISO/IEC 11770-1:2010, MOD)
GB/T 22080-2016 Information technology - Security techniques - Information security management systems - Requirements (ISO/IEC 27001:2013, IDT)
GB/T 22081 Information technology - Security techniques - Code of practice for information security controls (GB/T 22081-2016, ISO/IEC 27002:2013, IDT)
GB/T 25068.1-2020 Information technology - Security techniques - Network security - Part 1: Overview and concepts (ISO/IEC 27033-1:2015, IDT)
GB/T 31722-2015 Information technology - Security techniques - Information security risk management (ISO/IEC 27005:2008, IDT)

3 Terms and definitions

The terms and definitions given in GB/T 9387 (all parts), GB/T 22080-2016, GB/T 22081, GB/T 25068.1-2020 and GB/T 31722-2015, as well as the following, apply to this document.

3.1 private: Limited to authorized users.

3.2 tunnel: A data path between networked devices that is hidden within other protocols of higher visibility.

3.3 virtual private network: A restricted-use virtual network constructed through tunneling technology on top of the system resources of a physical network.

3.4 virtual circuit: A data channel between network devices established using packet or cell switching technologies such as X.25, ATM or Frame Relay.

3.5 protocol encapsulation: Encapsulating one data stream within another by transmitting the protocol data units of one protocol wrapped inside another protocol.
Note: This method can be used to establish tunnels in virtual private network technology.

4 Abbreviations

5 Overview

5.1 Introduction

VPN technology, as a method of interconnecting networks and of connecting remote users to a network, has developed rapidly. VPN has a wide range of definitions. In its simplest definition, a VPN provides a mechanism for establishing one or more secure data channels over an existing network or over a point-to-point connection. It is allocated to a restricted user group for its exclusive use and can be dynamically established and torn down when needed. The host network may be private or public.

A schematic diagram of a VPN is shown in Figure 1. It shows a secure data channel across a public network connecting an endpoint to a gateway, and a secure data channel across a public network connecting two gateways.

Figure 1 Schematic diagram of VPN

Remote access using a VPN is realized on top of an ordinary point-to-point connection: an ordinary point-to-point connection is first established between the local user and the remote location. Some VPNs are provided as a managed service. In these VPNs, secure and reliable connectivity, management and addressing functions (the same as those of a private network) are provided on a shared infrastructure. The additional security controls given in this part can be used to enhance VPN functions.

The data and code traversing the VPN should be restricted to the organization using the VPN and kept separate from other users of the underlying network; data and code belonging to other users should not be able to access the same VPN channel. When evaluating the scope of additional security controls that may be needed, the credibility of the organization that owns or provides the VPN, in terms of confidentiality and other security aspects, should also be considered.

5.2 VPN types

As mentioned above, there are many ways to describe a VPN. From an architectural perspective, VPNs include:
--- single point-to-point connections (for example, a client remotely accessing the organization's network via a site gateway, or a site gateway connecting to another site gateway);
--- point-to-cloud connections (for example, implemented with MPLS technology).

From the perspective of the OSI basic reference model, there are three main types of VPN:
--- A Layer 2 VPN provides a simulated LAN facility. It uses a VPN running on the host network (e.g. a provider network) to link the organization's sites or to provide remote connections to the organization. Typical providers in this field offer Virtual Private Wire Service (VPWS) or Virtual Private LAN Service (VPLS): VPWS provides a virtual "wired connection", while VPLS provides a more complete simulated LAN service.
--- A Layer 3 VPN provides a simulated WAN facility. It uses a VPN running on the network infrastructure to provide sites with a simulated "OSI network layer" connection. Notably, it allows private IP addressing schemes to be used over public infrastructure, which is not allowed on "normal" public IP connections. In a Layer 3 VPN, private addresses can be used behind NAT (Network Address Translation) on the public network. Although this approach is feasible, it complicates the establishment and use of IPsec VPNs. Refer to GB/T 36968-2018 for IPsec VPN technology.
--- High-level VPNs are used to secure transactions across public networks. They usually provide a secure channel between communicating applications to ensure the confidentiality and integrity of transaction data. This type can also be called a Layer 4 VPN, since the VPN connection is often built on top of TCP, which is a Layer 4 protocol. Refer to GM/T 0024-2014 for high-level VPN technology.

6 Security threats

In the foreseeable future, organizations using networks can expect effective attacks against their systems to increase. Unauthorized access is very harmful; for example, it can lead to DoS attacks, abuse of resources, or arbitrary access to valuable information.

Generally, attacks on VPNs take the form of intrusion attacks or DoS attacks. An intrusion occurs when an outsider or malicious attacker gains control of a part of the network. Intrusions can be carried out from computers or other network devices (including mobile devices), and can come from anywhere connected to the network, including other VPNs, the Internet, or the service provider itself. These attacks can be resisted by filtering unexpected data flows from unexpected sources at the network entry point. A typical example of this type of intrusion is unauthorized access to a secure tunnel by an unauthorized entity. In VPN designs that lack centralized management, where all sites are interconnected but data flows are not controlled, resisting intrusion is difficult.

DoS attacks are another type of threat faced by VPNs. DoS attacks, like intrusions, can come from other VPNs, the Internet, or the service provider's own core. The main difference between the two types of attack is that for a DoS attack the attacker needs to access or control a certain device. DoS attacks on service provider equipment can also cause some VPNs to deny service. Although protecting a network from DoS attacks is sometimes difficult, the defense against DoS attacks lies mainly in good VPN network design.

The security issues of VPNs include:
--- separation of address space and routing between VPNs carried on a label switching network;
--- ensuring that the internal structure of the label switching network core is invisible to external networks (for example, to limit the information available to potential attackers);
--- providing measures to resist denial of service attacks;
--- providing measures to resist unauthorized access attacks;
--- resistance to label spoofing (although it is possible to insert wrong labels into the label switching network from the outside, address separation means that a spoofed packet can only damage the VPN from which it was generated).

7 Security requirements

7.1 Overview

The main security goal of a VPN is to resist unauthorized access. On this basis, a VPN can be used to accomplish further network security goals:
--- protecting the information in the network, the systems connected to the network, and the services they use;
--- protecting the supporting network infrastructure;
--- protecting the network management system.

To achieve these goals, the implementation of a VPN should ensure:
--- the confidentiality of data transmitted between VPN endpoints;
--- the integrity of data transmitted between VPN endpoints;
--- the authenticity of VPN users and administrators;
--- the authorization management of VPN users and administrators;
--- the availability of VPN endpoints and the network infrastructure.

In short, the underlying tunnels used to construct the VPN should be implemented in a way that meets these security goals, which are summarized in Figure 2. When meeting the confidentiality, integrity and authentication requirements, it is advisable to use mechanisms based on cryptographic technology, to support cryptographic algorithms approved by the national cryptographic management authority, to use cryptographic products certified and approved by the national cryptographic management authority, and to comply with the relevant national and industry cryptographic standards.

Figure 2 General security requirements for VPNs mapped to lower-layer tunnels

7.2 Confidentiality

The confidentiality of the data and code transmitted in the tunnel should not be compromised. The use of tunneling technology may mean that the transmitted data and code are invisible to other users of the network; however, this does not mean that the data flow is always kept secret. In particular, the data and code flowing in the tunnel cannot resist deterministic detection by a data analyzer or probe. Keeping the data and code transmitted in the tunnel confidential therefore depends critically on the possibility of such detection.

In short, this is one of the credibility factors of the underlying network supporting the VPN, and it varies first of all with the ownership of the transmission network. If the transmission network is not within a trusted domain (for more information on trusted domains, see GB/T 25068.1-2021), or if the transmitted data and code are considered sensitive, additional security controls may be required to further protect confidentiality. In these cases, the tunnel mechanism used should support encryption, or the data items to be sent should be encrypted offline before being placed on the VPN. The security of the tunnel endpoints should not be ignored (see 7.7).

7.3 Integrity

The integrity of the data and code transmitted in the tunnel should not be damaged. The mechanism used to implement the VPN tunnel should support integrity checking of the transmitted data and code. The technologies used include message authentication codes and mechanisms to prevent replay. If this kind of protection cannot be used in the tunnel implementation, or if the transmitted data and code are particularly sensitive, integrity protection controls should be implemented in the end systems; such integrity protection is then provided end to end.

7.4 Authentication

It is advisable to provide message authentication across the public IP network between the participating ends of the VPN. Authentication controls should support the establishment and operation of the tunnel, ensuring that each end of the tunnel communicates with the genuine peer (which may be a remote access system) and that received data comes from the correct, authorized source. Authentication can use TePA-EA technology (see GB/T 15843.3-2016).

7.5 Authorization

The establishment and operation of the tunnel should be supported by access control, using TePA-AC (see GB/T 28455-2010), ACLs (access control lists) and other technologies to ensure that each end of the tunnel communicates with the authorized peer (which may be a remote access system) and that received data and code come from authorized sources.

7.6 Availability

The availability of tunnels and VPNs is a function of the availability of the supporting network infrastructure and endpoint systems. Wherever possible, the tunneling mechanism should be combined with security controls that resist denial of service attacks. For specific service level agreements, it is advisable to test multiple resilient tunnel mechanisms as backups.

7.7 Tunnel endpoint security

The security requirements of VPN endpoints should also be considered. In general, each VPN endpoint should ensure that there are only controlled network data flows. This usually means turning off routing and at least using packet filter or firewall technology. See 9.4.2 (Endpoint security) and 9.4.3 (Termination point security) for more details.
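The integrity requirement in 7.3 (message authentication codes plus a mechanism to prevent replay) and the source-authenticity requirement in 7.4 are abstract in the standard. The following is an added illustration, not code from the standard or from any VPN product: a receiver-side check for a tunnel packet that carries a sequence number and an HMAC-SHA256 tag, with an IPsec ESP-style sliding anti-replay window (the window logic follows the bitmap scheme of RFC 4303 Appendix A; the 64-bit width, 4-byte sequence field, the wire layout and the function names `protect`, `verify`, `AntiReplayWindow` and `run_scenario` are all choices of this example, and the key is a constructed placeholder).

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

TAG_LEN = 32       # HMAC-SHA256 tag length in bytes
SEQ_LEN = 4        # 32-bit sequence number, as in IPsec ESP
WINDOW_SIZE = 64   # anti-replay window width (example choice; ESP's minimum)


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: wire message = seq || payload || HMAC(key, seq || payload).

    The tag covers the sequence number, so a replayed packet cannot be
    given a fresh sequence number without invalidating its tag.
    """
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class AntiReplayWindow:
    """Sliding window over sequence numbers (RFC 4303 Appendix A style)."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def check(self, seq: int) -> Optional[str]:
        """Return None if seq is acceptable, else the rejection reason."""
        if seq == 0:
            return "invalid sequence number"
        if seq > self.top:            # newer than anything seen: accept
            return None
        diff = self.top - seq
        if diff >= self.size:         # left edge of the window: too old
            return "too old"
        if (self.bitmap >> diff) & 1: # already marked as received
            return "replay"
        return None

    def update(self, seq: int) -> None:
        """Mark seq as received; only call after the tag has been verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def verify(key: bytes, window: AntiReplayWindow, msg: bytes) -> Tuple[bool, str, bytes]:
    """Receiver side: check the tag first, then the window, then record seq."""
    if len(msg) < SEQ_LEN + TAG_LEN:
        return False, "truncated", b""
    header, body, tag = msg[:SEQ_LEN], msg[SEQ_LEN:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return False, "bad tag", b""
    seq = struct.unpack("!I", header)[0]
    reason = window.check(seq)
    if reason is not None:
        return False, reason, b""
    window.update(seq)                           # accept and remember
    return True, "ok", body


def run_scenario():
    """Constructed traffic: legitimate, replayed, tampered, reordered and stale packets."""
    key = b"constructed-demo-key-not-for-real-use"   # placeholder key
    win = AntiReplayWindow()
    results = []
    m1 = protect(key, 1, b"hello")
    m2 = protect(key, 2, b"world")
    results.append(verify(key, win, m1)[:2])          # fresh -> accepted
    results.append(verify(key, win, m2)[:2])          # fresh -> accepted
    results.append(verify(key, win, m1)[:2])          # replay of seq 1 -> rejected
    tampered = m2[:SEQ_LEN] + b"WORLD" + m2[SEQ_LEN + 5:]
    results.append(verify(key, win, tampered)[:2])    # payload altered -> bad tag
    results.append(verify(key, win, protect(key, 5, b"x"))[:2])     # accepted
    results.append(verify(key, win, protect(key, 3, b"late"))[:2])  # reordered, inside window -> accepted
    results.append(verify(key, win, protect(key, 100, b"jump"))[:2])  # window slides forward
    results.append(verify(key, win, protect(key, 36, b"old"))[:2])  # 64 behind top -> too old
    results.append(verify(key, win, protect(key, 37, b"edge"))[:2]) # 63 behind top -> accepted
    return results


if __name__ == "__main__":
    for accepted, reason in run_scenario():
        print("accepted" if accepted else "rejected", reason)
```

The order of checks matters: the tag is verified before the window is consulted, and the window is only updated once the tag is known to be good, so an attacker who cannot forge tags also cannot advance the receiver's window with junk sequence numbers. A real tunnel would additionally encrypt the payload for 7.2; this example isolates the integrity and anti-replay part.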

8 Security controls

8.1 Security aspects

Although the tunnel is hidden from ordinary network users, it is not invisible, so it is not inherently secure. The basic partitioning process (into virtual circuits or label switched channels) or encapsulation process used to construct the tunnel is not protected when an attacker probes it deterministically with a network analyzer or probe. If the tunnel is implemented without encryption technology, the attacker will be able to access its data flow; even if encryption is used, it cannot hide the tunnel and its endpoints. In addition, it may also be necessary to protect the tunnel endpoints from unauthorized logical and/or physical access. For a secure VPN, security controls for the tunnel need to be applied according to the organization's security policy and level of risk tolerance. Whether these security risks can be accepted depends on the organization's security policy.

If network access security between network communication nodes is to be protected, both network access security and data transmission security between the nodes need to be provided. Network access security includes identifying the legitimacy of the accessing network node and the authenticity of its platform. Data transmission security includes ensuring the confidentiality, integrity and anti-replay of data during transmission. Existing IP security and trusted-computing technology, such as the TISec technology given in Appendix A, can meet these requirements.

Note: Even if the data is encrypted, the appearance of the data flow may be as important as the communicated data. For example, if a VPN endpoint is identified, the location of an individual user can also be determined; this may expose personal privacy and, in law enforcement or military operations, may reveal their mission.

8.2 Virtual circuits

The security control used to establish a lower-layer secure channel can use virtual circuits in conventional wide-area telecommunication facilities, such as leased lines using technologies like Frame Relay or ATM. With these technologies, the underlying network is also basically secure to the extent that the telecommunications operator keeps private users' leased-line facilities separate from the publicly provided shared-access Internet services. The technology used in a virtual circuit gives the channel a certain degree of confidentiality, but not absolute security. VPNs built on such traditional virtual circuits are considered relatively unlikely to be compromised, because a violation of secure operation or an attack usually needs to come from within the service provider's core network.

9 VPN related technologies

9.1 Overview

A VPN is constructed using the system resources of a physical network, for example through encryption and/or virtual tunnel links that traverse the real network. A VPN can be fully implemented within a private network under the control of the organization itself, implemented over public-domain networks, or implemented over a combination of both. It is entirely possible for a VPN to be built on an existing dedicated wide area network. Because Internet access is usually available at relatively low cost, public network systems have gradually become an economical tool for supporting wide-area VPNs and remote-access VPNs in many applications. Another solution is to ......

Tips & Frequently Asked Questions:

Question 1: How long will the true-PDF of GB/T 25068.5-2021_English be delivered?

Answer: Upon your order, we will start to translate GB/T 25068.5-2021_English as soon as possible and keep you informed of the progress. The lead time is typically 2 ~ 4 working days. The lengthier the document, the longer the lead time.

Question 2: Can I share the purchased PDF of GB/T 25068.5-2021_English with my colleagues?

Answer: Yes. The purchased PDF of GB/T 25068.5-2021_English is deemed to be sold to the employer/organization that actually pays for it, including your colleagues and your employer's intranet.

Question 3: Does the price include tax/VAT?

Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countries

Question 4: Do you accept my currency other than USD?

Answer: Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. Within 2 working hours, we will create a special link for you to pay in any currency. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.

Question 5: Should I purchase the latest version GB/T 25068.5-2021?

Answer: Yes. Except in special scenarios such as technical constraints or academic study, you should always prioritize purchasing the latest version, GB/T 25068.5-2021, even if its enforcement date is in the future. Complying with the latest version means that, by default, it also technically complies with all earlier versions.