
GA/T 1558-2019 English PDF

GA/T 1558-2019: Information security technology - Security technical requirements for IPv6-based high-performance network vulnerability scanners
Status: Valid

Basic data

Standard ID GA/T 1558-2019 (GA/T1558-2019)
Description (Translated English) Information security technology - Security technical requirements for IPv6-based high-performance network vulnerability scanners
Sector / Industry Public Security (Police) Industry Standard (Recommended)
Classification of Chinese Standard A90
Classification of International Standard 35.240
Word Count Estimation 18,133
Date of Issue 2019
Date of Implementation 2019-04-19
Issuing agency(ies) Ministry of Public Security

GA/T 1558-2019: Information security technology - Security technical requirements for IPv6-based high-performance network vulnerability scanners


---This is a DRAFT version for illustration, not a final translation.
Information security technology - Security technical requirements for IPv6-based high-performance network vulnerability scanners
ICS 35.240
A 90
GA
People's Republic of China Public Safety Industry Standard
Published by the Ministry of Public Security of the People's Republic of China

Contents

Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Acronyms
5 Product description of high-performance network vulnerability scanning based on IPv6
6 General description
6.1 Classification of safety technical requirements
6.2 Security Level Classification
7 Safety function requirements
7.1 Information Acquisition
7.2 Vulnerability scan content
7.3 Scanning result analysis and processing
7.4 Scan configuration
7.5 Security of scanned objects
7.6 Scan speed adjustment
7.7 Concurrent scanning
7.8 Upgrade capability
7.9 Interaction requirements
8 Requirements for own safety functions
8.1 Identification and authentication
8.2 Security management
8.3 Audit logs
9 Environmental adaptability requirements
9.1 Supporting Pure IPv6 Network Environment
9.2 Self-management in IPv6 network environment
10 Security requirements
10.1 Development
10.2 Guiding documents
10.3 Life cycle support
10.4 Testing
10.5 Vulnerability assessment
11 Different security level requirements
11.1 Safety function requirements
11.2 Self-safety function requirements
11.3 Security requirements

Foreword

This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This standard was proposed by the Cyber Security Bureau of the Ministry of Public Security.
This standard is under the jurisdiction of the Information System Security Standardization Technical Committee of the Ministry of Public Security.
This standard was drafted by: Computer Information System Security Product Quality Supervision and Inspection Center of the Ministry of Public Security.
The main drafters of this standard: Gu Jianxin, Song Haohao, Yang Chunhua, Li Yi, Lu Zhen, Shen Liang, Gu Jian.

Information security technology - Security technology requirements for high-performance network vulnerability scanning products based on IPv6

1 Scope

This standard specifies the security function requirements, own security function requirements, environmental adaptability requirements, security assurance requirements, and different security level requirements of high-performance network vulnerability scanning products based on IPv6.
This standard applies to the design, development, and testing of IPv6-based network vulnerability scanning products.

2 Normative references

The following documents are essential for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document.
GB/T 18336.3-2015 Information technology - Security technology - Information technology security assessment guidelines - Part 3: Security assurance components
GB/T 20278-2013 Information security technology - Network security scanning product security technical requirements
GB/T 25069-2010 Information security technology - Terminology

3 Terms and definitions

The terms and definitions defined in GB/T 18336.3-2015, GB/T 20278-2013 and GB/T 25069-2010 and the following apply to this document.

3.1 Scan
The process of using technical tools to detect the target system and find potential security risks in the target system.

3.2 Vulnerability
Weaknesses in network systems that can be exploited and cause harm.

3.3 Network vulnerability scan
Remotely detect the hidden dangers of the target system through the network, check and analyze its security vulnerability, find potential safety hazards that may be used by intruders, and put forward certain precautions and remedial measures.

3.4 Flag (banner)
A piece of information sent by an application, usually including a welcome message, application name, and version.

4 Acronyms

The following abbreviations apply to this document.
CVE: Common Vulnerabilities and Exposures
NETBIOS: NETwork Basic Input/Output System
NFS: Network File System
RPC: Remote Procedure Call
SMB: Server Message Block

5 Product description of high-performance network vulnerability scanning based on IPv6

This standard proposes security function requirements and security assurance requirements for high-performance network vulnerability scanning products based on IPv6. Network vulnerability scanning products are software, or combinations of software and hardware, that use scanning methods to detect potential security risks in the target network system. Such a product can, according to pre-defined policies or other requirements, perform port scanning on specified devices in the target network system, check their open services, and further detect the configuration information of each service program and the existing security problems, so as to achieve vulnerability scanning of the target network system. In addition, high-performance network vulnerability scanning products for next-generation Internet network environments are also required to support IPv6 and IPv4/IPv6 transition technology network environments, to have high processing performance, and to be able to scan multiple targets simultaneously.
The application environment of network vulnerability scanning products requires that the product and each network device or host of the scanned system be in a connected state, with no other network security equipment in the path between them.

6 General description

6.1 Classification of safety technical requirements
This standard divides the security technical requirements of IPv6-based high-performance network vulnerability scanning products into security function requirements, own security function requirements, environmental adaptability requirements, and security requirements. Among them, the security function requirements are specific requirements for the security functions that an IPv6-based high-performance network vulnerability scanning product should have, including information acquisition, vulnerability scan content, scan result analysis and processing, scan configuration, scanned object security, etc.; own security function requirements include identification and authentication, security management, and audit logs; security assurance requirements are specific requirements for the life cycle process of IPv6-based high-performance network vulnerability scanning products, such as development, guidance documents, life cycle support and testing.

6.2 Classification of security levels
The security level of an IPv6-based high-performance network vulnerability scanning product is divided into a basic level and an enhanced level according to the strength of its security function requirements, its own security function requirements, and its security requirements. Among them, the security requirements refer to GB/T 18336.3-2015.

7 Safety function requirements

7.1 Information acquisition

7.1.1 Port scan

7.1.1.1 TCP port
The product should be able to scan all TCP ports of the target device and check if they are open.

7.1.1.2 UDP port
The product should be able to scan all UDP ports of the target device and check if they are open.

7.1.1.3 Port protocol analysis
The product should be able to determine the general service or application protocol corresponding to the TCP/UDP port opened by the target device.

7.1.2 Operating system detection
The product should be able to detect the operating system type and version number of the target device.

7.1.3 Service flag
The product should be able to obtain the flags of the general services that are enabled on the target device.

7.1.4 Other information
The product should be able to detect other information about the target device, such as network configuration information and operating status information.

7.2 Vulnerability scanning content

7.2.1 Browser vulnerability
The product should be able to check the information and configuration related to browser security on the target device, find dangerous or unreasonable configurations, and propose corresponding security recommendations. Inspection items should include:
a) Browser version number;
b) Browser security settings;
c) The vulnerability of the browser itself;
d) Other security risks.

7.2.2 Vulnerability of mail services
The product should be able to check the security issues of service programs using POP3, SMTP and other email-related protocols in the target device. The inspection items should include:
a) Service program flag and version number;
b) The vulnerability of the service process itself, including:
   - Lack of validity checks on inputs;
   - Cannot handle abnormal situations correctly.
c) Dangerous or misconfigured servers, including:
   - Allow EXPN and VRFY commands;
   - Allow mail forwarding;
   - Other unsafe configurations.
d) Other security risks.
7.2.3 FTP service vulnerability
The product should be able to check the security issues of the applications that provide FTP services in the target device. The inspection items should include:
a) Service program flag and version number;
b) The vulnerability of the service process itself, including:
   - Lack of validity checks on inputs;
   - Cannot handle abnormal situations correctly.
c) Dangerous or misconfigured servers, including:
   - Allow anonymous login;
   - Used the default password;
   - Allow dangerous commands;
   - Other unsafe configurations.
d) Other security risks.

7.2.4 DNS service vulnerability
The product should be able to check the security issues of the DNS service provided by the target device. The inspection items should include:
a) Service program flag and version number;
b) The vulnerability of the service process itself, including:
   - Lack of validity checks on inputs;
   - Cannot handle abnormal situations correctly.
c) Other security risks.

7.2.5 RPC service vulnerability
The product should be able to check the security of the service programs using the RPC protocol in the target device and check whether dangerous RPC services are enabled.

7.2.6 Vulnerability of SNMP service
The product should be able to check the security issues of the service programs using the SNMP protocol in the target device. The inspection items should include:
a) SNMP version information;
b) SNMP password vulnerability check;
c) Check whether the SNMP service will expose the following sensitive system information:
   - TCP port table;
   - UDP port table;
   - Service list;
   - Process list;
   - Routing table;
   - Network interface device table.

7.2.7 Password vulnerability
The product should be able to check the robustness of the user passwords of the target system using dictionary or exhaustive methods. The check items should include:
a) Whether the system uses a password that is a simple transformation of the user name;
b) Whether the system uses easy-to-guess passwords.
7.2.8 Operating system vulnerability
The product should be able to check the vulnerabilities specific to the target operating system. The inspection items should include:
a) System security settings, including:
   - Registry item access permission settings;
   - Audit policy settings;
   - System password policy settings.
b) Check the operating system version and patch installation;
c) Other related inspections.

7.2.9 Vulnerability of NFS service
The product should be able to check vulnerabilities related to NFS services.

7.2.10 File sharing vulnerability
The product should be able to check the NETBIOS or SMB shares used in the target device and find dangerous settings. The inspection items should include:
a) Important directories are shared;
b) The shared directory can be written by anonymous users;
c) Whether a default or overly simple share password is used;
d) The version number of the SAMBA server software.

7.2.11 Router/switch vulnerability
The product should be able to check for vulnerabilities related to routers, switches and their enabled services.

7.2.12 Vulnerability of Trojan ports
The product should be able to check whether the default ports used by common Trojans are open, test and analyze the services on the open ports obtained by scanning, and warn of known Trojans.

7.2.13 Other known TCP/IP service vulnerabilities
The product shall be able to check the security issues of other service programs using the TCP/IP protocol in the target device. The inspection items shall include:
a) Service program flag and version number;
b) The vulnerability of the service process itself, including:
   - Lack of validity checks on inputs;
   - Cannot handle abnormal situations correctly.
c) Misconfiguration of the service program.

7.3 Scanning result analysis and processing

7.3.1 Results browsing
The product shall provide a scan result browsing function.

7.3.2 Vulnerability patching recommendations
The product can propose repair recommendations for the vulnerabilities found.
The vulnerability repair recommendations meet the following requirements:
a) Propose targeted vulnerability patching methods for different operating system types;
b) The vulnerability description should be detailed, and the vulnerability repair methods provided should be reasonable and usable.

7.3.3 Results storage
The scan results should be written to the results database.

7.3.4 Report generation
The product should be able to generate a corresponding report based on the scan results. The report requirements include the following:
a) CVE number, detailed information, remedial suggestions, etc. of each vulnerability;
b) The target's risk level assessment, categorizing the vulnerability points found by scanning according to the severity of the risk and clearly marking them;
c) Summary results of multiple target scans;
d) Summary of key vulnerability scan information.

7.3.5 Report output
The report should be able to be output in a common document format, such as PDF, DOC, HTML, etc.

7.3.6 Importing and exporting results
Import and export operations can be performed on the scan result data.

7.3.7 Report customization
The report content should be able to be customized based on user requirements.

7.3.8 Results comparison
The product should provide a comparison function for multiple scan results of the same target or for scan results of different hosts, and be able to generate a comparison report based on the comparison results.

7.4 Scan configuration

7.4.1 Scanning strategy
The product should provide a convenient method of customizing policies, which can specify scan address ranges, port ranges, vulnerability types, and so on.

7.4.2 Scheduled tasks
The product should be able to customize the scan schedule, so that scans can be started at a set time or executed periodically.

7.4.3 Scanning with known accounts/passwords
The product should be able to scan the target system more effectively with a known account/password.
7.5 Security of scanned objects

7.5.1 Impact on the network performance of the target system
Scanning should not affect the normal operation of the target network.

7.5.2 Impact on the target system
Scanning should not affect the normal operation of the target system and should avoid testing with attack methods; when using scanning methods that may cause adverse consequences, the product should be able to give a clear prompt to the target system or the target system administrator before the test starts.

7.5.3 Scanning message identification
When the product scans the target device, the scan messages sent by the product should carry the name of the product or information about the unit that produced the product.

7.6 Scan speed adjustment
The product should be able to adjust the scanning speed by adjusting the concurrency level.

7.7 Concurrent scanning
The product should be able to support concurrent scanning of no less than 1,000 target devices.

7.8 Upgrade capabilities
The product can update the vulnerability signature database and meet the following requirements:
a) The design of the product architecture should be conducive to product upgrades and facilitate upgrade operations;
b) Support manual or automatic upgrade operation;
c) Provide upgrade security measures to prevent obtaining wrong or forged product upgrade packages, such as authentication, digital signatures, and data transmission encryption.

7.9 Interaction requirements
The product should have, or at least use, a standard, open interface. By complying with this interface specification, program modules can be written for other types of security products so that they can interact with network vulnerability scanning products.

8 Requirements for own safety functions

8.1 Identification and authentication

8.1.1 User identification

8.1.1.1 Attribute definition
The product should specify the security attributes associated with each administrator, such as identification, authentication information, membership groups, permissions, and so on.

8.1.1.2 Attribute initialization
The product should provide the ability to initialize the attributes of each created administrator with default values.

8.1.1.3 Unique identification
The product should provide the administrator with a unique identity and be able to associate the identity with all auditable events for that user.

8.1.2 Identity authentication

8.1.2.1 Basic authentication
The product shall authenticate the user before performing any operations related to the security function.

8.1.2.2 Authentication data protection
The product shall ensure that the authentication data is not accessed or modified without authorization.

8.1.2.3 Handling of authentication failure
When the number of failed user authentications reaches the specified number, the product shall be able to terminate the user's access.

8.1.2.4 Timeout lock or logout
The product should have login timeout lockout or logout capabilities. If there is no operation for a set period of time, the session is terminated and the user must re-authenticate before operating again. The maximum timeout period is set only by an authorized administrator.

8.2 Security management

8.2.1 Security function management
Authorized administrators should be able to perform the following management operations on the product:
a) View and modify related security attributes;
b) Enable or disable all or part of the safety functions;
c) Develop and modify various security policies.

8.2.2 Security role management
The product should be able to distinguish between administrator roles:
a) Administrator roles with at least two different permissions;
b) Define different authority roles according to different function modules.
8.2.3 Remote security management
If the product supports remote management through the network, the following technical requirements should be met:
a) Protection of remote session information;
b) Limit the address of the remote management host.

8.3 Audit logs

8.3.1 Audit log generation
The product should generate audit logs for the following events related to its own security:
a) User login success and failure;
b) Changes to security policies;
c) Adding, deleting and modifying administrator attributes;
d) The session connection was terminated because the number of authentication failures exceeded the set value;
e) Start, pause and stop of scanning tasks;
f) Other actions of the administrator.
Each audit log should include at least the date, time, user ID, event description, and result of the event. If the product is managed by remote login, the address of the management host should also be recorded.

8.3.2 Audit log storage
The audit log should be stored in a storage medium that is non-volatile at power failure.

8.3.3 Audit log management
The product shall provide the following audit log management functions:
a) Only authorized administrators are allowed to access the audit log;
b) Query function for audit logs;
c) Save and export audit logs.
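
A conformance check that a tester could run over exported audit records for clause 8.3.1, added here as an example; it is not part of the standard or of any product. The record layout (dictionary keys, event-type labels, the `remote` and `mgmt_host` fields) is an assumption, since the standard lists what must be recorded but does not define a log format.

```python
"""Check exported audit records against clause 8.3.1 (added example).

Field names and event-type labels are assumptions; the standard states what
must be logged but does not define a record format.
"""
import ipaddress

# 8.3.1: every record needs date, time, user ID, event description and result.
REQUIRED_FIELDS = ("date", "time", "user_id", "description", "result")

# 8.3.1 a)-e): events the product must log, mapped to the clause item.
# The labels are hypothetical names for this example.
REQUIRED_EVENTS = {
    "login_success": "a", "login_failure": "a",
    "policy_change": "b",
    "admin_attr_add": "c", "admin_attr_delete": "c", "admin_attr_modify": "c",
    "auth_lockout": "d",
    "scan_start": "e", "scan_pause": "e", "scan_stop": "e",
}

# Constructed sample records; addresses are from the IPv6 documentation range.
SAMPLE_LOG = [
    {"date": "2025-01-10", "time": "09:00:01", "user_id": "admin1",
     "event": "login_success", "description": "administrator login",
     "result": "success", "remote": True, "mgmt_host": "2001:db8::10"},
    {"date": "2025-01-10", "time": "09:02:17", "user_id": "admin1",
     "event": "scan_start", "description": "scan task 7 started",
     "result": "success", "remote": True},          # management host not recorded
    {"date": "2025-01-10", "time": "09:05:40", "user_id": "",
     "event": "login_failure", "description": "bad password",
     "result": "failure", "remote": False},         # empty user ID
]


def check_record(rec):
    """Return the findings for one audit record (empty list = conforms)."""
    findings = []
    for field in REQUIRED_FIELDS:
        value = rec.get(field)
        if value is None or not str(value).strip():
            findings.append(f"missing {field}")
    # Remote management: the management host address must also be recorded.
    if rec.get("remote"):
        try:
            ipaddress.ip_address(rec.get("mgmt_host", ""))
        except ValueError:
            findings.append("remote session without valid mgmt_host address")
    return findings


def check_log(records):
    """Check every record and list required event types that never appear."""
    per_record = {i: f for i, r in enumerate(records) if (f := check_record(r))}
    seen = {r.get("event") for r in records}
    missing_events = sorted(e for e in REQUIRED_EVENTS if e not in seen)
    return per_record, missing_events


if __name__ == "__main__":
    bad, missing = check_log(SAMPLE_LOG)
    for index, findings in bad.items():
        print(f"record {index}: {', '.join(findings)}")
    print("event types never logged:", ", ".join(missing))
```

Item f) of 8.3.1 ("other actions of the administrator") is open-ended, so the coverage list stops at items a) to e).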

9 Environmental adaptability requirements

9.1 Support pure IPv6 network environment
The product should support a pure IPv6 network environment and be able to work normally in a pure IPv6 network environment.

9.2 Self-management in IPv6 network environment
The product should support its own management in an IPv6 network environment.

10 Security requirements

10.1 Development

10.1.1 Security architecture
The developer should provide a description of the security architecture of the product's security functions. The description of the security architecture should meet the following requirements:
a) Be consistent with the level of abstract description of the security functions implemented in the product design document;
b) Describe the security domains of the product security functions consistent with the requirements of the security functions;
c) Describe why the product safety function initialization process is safe;
d) Confirm that product safety functions can be prevented from being compromised;
e) Verify that product safety functions prevent safety features from being bypassed.

10.1.2 Functional specifications
Developers should provide complete functional specifications, which should meet the following requirements:
a) Fully describe the safety functions of the product;
b) Describe the purpose and use of all safety function interfaces;
c) Identify and describe all parameters related to each safety function interface;
d) Describe the safety function implementation behavior related to the safety function interface;
e) Describe direct error messages caused by the behavioral processing of safety functions;
f) Confirm that the safety function requirements are traceable to the safety function interfaces;
g) Describe all actions related to the safety function interface during the implementation of the safety function;
h) Describe all direct error messages that may be caused by the call of the safety function interface.
10.1.3 Implementation representation
Developers should provide implementation representations for all security functions. Implementation representations should meet the following requirements:
a) Provide a mapping between product design descriptions and implementation representation examples and prove their consistency;
b) Define product safety functions to a level of detail at which they can be generated without further design;
c) Be provided in the form used by developers.

10.1.4 Product design
Developers should provide product design documents, which should meet the following requirements:
a) Describe the product structure in terms of subsystems;
b) Identify and describe all subsystems of product safety functions;
c) Describe the interaction between all subsystems of the safety function;
d) The mapping relationship provided can verify that all the behaviors described in the design can be mapped to the security function interface that calls them;
e) Describe safety functions according to the module;
f) Provide the mapping relationship between the safety function subsystems and the modules;
g) Describe all safety function implementation modules, including their purpose and interaction with other modules;
h) Describe the relevant interfaces required by all modules to implement the security functions, return values from other interfaces, interactions with other modules, and called interfaces;
i) Describe the supporting or related modules of all safety functions, including their purpose and interaction with other modules.

10.2 Guidance documents

10.2.1 Operation user guide
Developers should provide clear and reasonable operating user guides, which are kept consistent with all other documents provided for evaluation. The description of each user role should meet the following requirements:
a) Describe the functions and privileges accessible to users controlled in a secure processing environment, including appropriate alert information;
b) Describe how to use the available interfaces provided by the product in a secure manner;
c) Describe available functions and interfaces, especially all safety parameters controlled by the user, and indicate safety values where appropriate;
d) Clearly state each security-related event related to the user-accessible functions that need to be performed, including changing the security features of entities controlled by the security function;
e) identify al...
