www.ChineseStandard.net Database: 189760 (18 Oct 2025)

GB/T 18018-2019 English PDF

US$359.00 · In stock
Delivery: <= 4 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 18018-2019: Information security technology - Technical requirement for router security
Status: Valid

GB/T 18018: Evolution and historical versions

Standard ID        Contents   USD   Delivered in              Standard Title (Description)                                                    Status
GB/T 18018-2019    English    359   4 days (to be translated) Information security technology - Technical requirement for router security    Valid
GB/T 18018-2007    English    679   3 days (to be translated) Information security technology -- Technical requirements for router security  Obsolete
GB/T 18018-1999    English    719   5 days (to be translated) Security requirements for router                                               Obsolete

Standard similar to GB/T 18018-2019

GB/T 18336.1   GB/T 18336.2   GB/T 18336.3   GB/T 37027   GB/T 19713   

Basic data

Standard ID: GB/T 18018-2019 (GB/T18018-2019)
Description (translated English): Information security technology - Technical requirement for router security
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word count estimation: 18,125
Date of issue: 2019-08-30
Date of implementation: 2020-03-01
Issuing agency(ies): State Administration for Market Regulation; China National Standardization Administration

GB/T 18018-2019: Information security technology - Technical requirement for router security

---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
ICS 35.040
L80
National Standard of the People's Republic of China
GB/T 18018-2019
Replaces GB/T 18018-2007
Information security technology - Technical requirement for router security
Issued 2019-08-30, implemented 2020-03-01
Issued by the State Administration for Market Regulation and the China National Standardization Administration

Table of contents

Foreword
1 Scope
2 Normative references
3 Terms and definitions, abbreviations
  3.1 Terms and definitions
  3.2 Abbreviations
4 Level 1 security technical requirements
  4.1 Security function requirements
  4.2 Security assurance requirements
5 Level 2 security technical requirements
  5.1 Security function requirements
  5.2 Security assurance requirements
6 Level 3 security technical requirements
  6.1 Security function requirements
  6.2 Security assurance requirements
Appendix A (Informative) Security requirements comparison table

Foreword

This standard was drafted in accordance with the rules given in GB/T 1.1-2009.

This standard replaces GB/T 18018-2007 "Information security technology - Technical requirements for router security". Compared with GB/T 18018-2007, apart from editorial changes, the main technical changes are as follows:

--- Modified the normative references in Chapter 2 (see Chapter 2; Chapter 2 of the 2007 edition);
--- Modified the abbreviations in 3.2 (see 3.2; 3.2 of the 2007 edition);
--- Modified 4.1.2.1 administrator authentication (see 4.1.2.1; 4.1.2.1 of the 2007 edition);
--- Added 4.1.3.2 management protocol settings, 4.1.4 device security protection and 4.1.5 security function protection;
--- Modified 5.1.2.1 administrator authentication and 5.1.3.1 rights management (see 5.1.2.1 and 5.1.3.1; 5.1.2.1 and 5.1.3.1 of the 2007 edition);
--- Added 5.1.3.2 management protocol settings, 5.1.4 device security protection, 5.1.5 network security protection and 5.1.6 security function protection;
--- Modified 6.1.2.1 administrator authentication and 6.1.4.1 rights management (see 6.1.2.1 and 6.1.4.1; 6.1.2.1 and 6.1.4.1 of the 2007 edition);
--- Added 6.1.2.2 device login password management, 6.1.2.3 certificate verification, 6.1.3.2 data storage, 6.1.3.3 data transmission, 6.1.3.4 sensitive data, 6.1.4.2 management protocol settings, 6.1.5 device security protection, 6.1.6 network security protection and 6.1.7 security function protection;
--- Deleted 5.1.8 routing authentication and 6.1.10 routing authentication, moving them to 5.1.5.2 and 6.1.6.2 respectively;
--- Deleted the additional security functions of Chapter 7.

Please note that certain contents of this document may involve patents. The issuing agency of this document is not responsible for identifying these patents.

This standard was proposed by, and is under the jurisdiction of, the National Information Security Standardization Technical Committee (SAC/TC260).

Drafting organizations of this standard: Institute of Software, Chinese Academy of Sciences; Huawei Technologies Co., Ltd.; New H3C Technology Co., Ltd.; Maipu Communication Technology Co., Ltd.; Institute of Information Engineering, Chinese Academy of Sciences; School of Software and Microelectronics, Peking University; China Electronics Standardization Institute.

Main drafters of this standard: Qing Sihan, Chen Chi, Fu Tianfu, Wang Bo, Yang Yinzhu, Li Jinglin, He Bin, Wang Liming, Zhao Zhiyu, Wang Huilai, Luo Fengying, Zhou Qiming, Shen Qingni, Wen Weiping, Ma Shunan.

The previous editions replaced by this standard are: GB/T 18018-1999 and GB/T 18018-2007.

Information security technology - Technical requirement for router security

1 Scope

This standard specifies, by level, the security function requirements and security assurance requirements for routers. This standard applies to the design and implementation of router product security; it may also be used as a reference for the testing, evaluation and management of router products.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.

GB 17859-1999 Classification criteria for security protection level of computer information systems
GB/T 18336.1~18336.3-2015 Information technology - Security techniques - Evaluation criteria for IT security

3 Terms and definitions, abbreviations

3.1 Terms and definitions

The terms and definitions defined in GB 17859-1999 and GB/T 18336.1~18336.3-2015, together with the following, apply to this document.

3.1.1 Router
A main network node device that carries data traffic, determines by means of routing algorithms how the data flowing through it is forwarded, and can provide access control and security extension functions through built-in functional modules such as firewalls.

3.1.2 Simple Network Management Protocol (SNMP)
A set of protocols and specifications that provides a method for collecting network management information from devices on the network, and a way for those devices to report problems and errors to the management workstation.

3.1.3 Unicast reverse path forwarding (uRPF)
An action that, in order to prevent network attacks based on source address spoofing, takes the source address of a packet as a destination address, looks it up in the routing table, and checks whether the matching route points to the interface on which the packet arrived.

3.2 Abbreviations

The following abbreviations apply to this document.

4 Level 1 security technical requirements

4.1 Security function requirements

4.1.1 Discretionary access control
The router should implement a discretionary access control policy, controlling the viewing and modification of configuration data and other data on the router and the execution of programs, so that unauthorized personnel are prevented from performing these operations.
4.1.2 Identity authentication

4.1.2.1 Administrator authentication
Before an administrator enters a system session, the router should authenticate the administrator's identity. Passwords should not be displayed, and should be encrypted during storage and transmission. When performing authentication, the router should provide only minimal feedback (for example, the number of characters entered, or whether authentication succeeded or failed) to the person being authenticated. The feedback should avoid messages such as "user name error" or "password error", so as to prevent attackers from brute-force guessing the user name or password.

4.1.2.2 Authentication failure handling
After a set number of authentication failures, the router should lock the account. The maximum number of failures may be set only by an authorized administrator.

4.1.3 Security management

4.1.3.1 Rights management
The router should be able to set multiple roles, with the ability to divide administrators into levels and assign the corresponding permissions (such as monitoring or maintenance configuration), so that the management scope and authority of each administrator is limited and unauthorized login and unauthorized operations are prevented.

4.1.3.2 Management protocol settings
The router should be able to configure and use secure protocols, such as SSH, SFTP, SNMPv3 and HTTPS, to manage and control the system.

4.1.3.3 Security attribute management
The router should provide administrators with functions for controlling and managing the security functions, including:
a) management of the functions related to the router's discretionary access control, identity authentication and security assurance techniques;
b) management of the functions related to general installation and configuration;
c) initial values for the router's security configuration parameters. After the router is installed, the security function should prompt the administrator to modify the configuration, and may periodically remind the administrator to maintain the configuration.

4.1.4 Device security protection

4.1.4.1 Flow control
The router should be able to control the amount of protocol traffic that the device itself must parse and process, for example by setting bandwidth limits and other protective measures, so that normal forwarding service is maintained when the system is subjected to a protocol flood attack and the system recovers directly once the flood attack stops.

4.1.4.2 Priority scheduling
None.

4.1.4.3 Resource exhaustion protection
None.

4.1.5 Security function protection

4.1.5.1 Self-check
When the device is powered on, it should perform a self-check of its security functions, such as memory, digital signatures and cryptographic algorithms, to ensure that the security functions are correct. Only when all self-checks pass may the device start normally.

4.1.5.2 Ensuring the legitimacy of software updates
The security administrator should be able to query the version number of the currently running software/firmware and of the most recently installed version, and should be able to use digital signatures to verify the legitimacy of software/firmware updates.

4.2 Security assurance requirements

4.2.1 Configuration management
Developers should design and implement configuration management for the router, provide a unique identifier for each version of the product, and label each version of the product with its unique identifier.

4.2.2 Delivery and operation
Developers should document the secure delivery, installation and startup procedures of the router. The documentation should include:
a) instructions for delivering the router securely to users;
b) instructions for installing and starting the router securely.

4.2.3 Development
Developers should provide the functional design of the router. The functional design should be produced according to the requirements for an informal functional design, describe the security functions and their external interfaces informally, and describe the purpose and method of use of the external security function interfaces.

4.2.4 Guidance documents
Developers should produce guidance documents for the router, with the following requirements:
a) the documents should provide information on the security functions and interfaces of the router, the management and configuration of the router, the startup and operation of the router, and a description of all security attributes and warning messages;
b) the documents should not contain any information that would endanger the security of the system if leaked. The documents may be hard copy, electronic documents or online documentation; if online, access to the documentation should be controlled.

4.2.5 Life cycle support
Developers should establish a life cycle model for the development and maintenance of the router, i.e. the procedures, tools and techniques used to develop and maintain the router. Developers should develop and maintain the router according to their defined life cycle model, and provide a life cycle definition document describing the life cycle model used to develop and maintain the router's security functions.

4.2.6 Testing
Developers should test the router, with the following requirements:
a) general functional tests should be carried out to ensure that the router meets all security function requirements;
b) test documentation should be retained and provided, describing in detail the test plan, the test procedures, and the expected and actual test results.
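The administrator authentication and failure-handling requirements of 4.1.2.1 and 4.1.2.2 above (passwords never stored in clear, one uniform failure message, lockout after a configurable number of failures that only an authorized administrator may change), shown as an added Python example. This code is not part of the standard and is not any vendor's implementation; the AdminStore class, the "security-admin" role name and the sample credentials are assumptions made for this illustration.

```python
"""Added example modelled on GB/T 18018-2019 4.1.2.1 / 4.1.2.2 (not the
standard's own text). Names, roles and credentials below are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# 4.1.2.1: the same message for every failure cause, so an attacker cannot
# tell a wrong user name from a wrong password or a locked account.
GENERIC_FAILURE = "Authentication failed"
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes          # only the salted hash is stored, never the password
    failures: int = 0
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 from the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class AdminStore:
    max_failures: int = 5                       # lockout threshold (4.1.2.2)
    accounts: dict = field(default_factory=dict)

    def add_account(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[name] = Account(salt, hash_password(password, salt))

    def set_max_failures(self, requester_role: str, value: int) -> bool:
        """4.1.2.2: only an authorized administrator may change the threshold.
        The role name 'security-admin' is an assumption of this example."""
        if requester_role != "security-admin" or value < 1:
            return False
        self.max_failures = value
        return True

    def authenticate(self, name: str, password: str) -> tuple[bool, str]:
        acct = self.accounts.get(name)
        if acct is None:
            # Unknown user: still spend one hash so response time does not
            # reveal whether the account exists, then give the generic reply.
            hash_password(password, b"\x00" * 16)
            return False, GENERIC_FAILURE
        if acct.locked:
            return False, GENERIC_FAILURE
        # Constant-time comparison of the stored and freshly computed hashes.
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return True, "OK"
        acct.failures += 1
        if acct.failures >= self.max_failures:
            acct.locked = True          # stays locked until an admin unlocks it
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    store = AdminStore(max_failures=3)
    store.add_account("admin", "correct horse")          # constructed sample
    for pw in ("wrong", "wrong", "wrong", "correct horse"):
        print(pw, "->", store.authenticate("admin", pw))  # last one fails: locked
```

The hash call on the unknown-user path is the detail the standard's "minimal feedback" wording implies but does not spell out: if the router returns instantly for names it does not know and slowly for names it does, the timing difference leaks the same information as a "user name error" message would.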
5 Level 2 security technical requirements

5.1 Security function requirements

5.1.1 Discretionary access control
The router should implement a discretionary access control policy, controlling the viewing and modification of configuration data and other data on the router and the execution of programs, so that unauthorized personnel are prevented from performing these operations.

5.1.2 Identity authentication

5.1.2.1 Administrator authentication
Before an administrator enters a system session, the router should authenticate the administrator's identity. Passwords should not be displayed, and should be encrypted during storage and transmission. When performing authentication, the router should provide only minimal feedback (for example, the number of characters entered, or whether authentication succeeded or failed) to the person being authenticated. The feedback should avoid messages such as "user name error" or "password error", so as to prevent attackers from brute-force guessing the user name or password.

5.1.2.2 Authentication failure handling
After a set number of authentication failures, the router should lock the account. The maximum number of failures may be set only by an authorized administrator.

5.1.2.3 Timeout lock
The router should have a login timeout lock function: a session with no activity within the set period is terminated, and further operation requires re-authentication. The maximum timeout period may be set only by an authorized administrator.
Note: bold type in this standard indicates enhanced requirements newly introduced at this level.

5.1.2.4 Session lock
The router should provide administrators with the function of locking their own interactive session; after locking, re-authentication is required before the router can be managed again.

5.1.2.5 Login history
The router should have a login history function that provides the person logging in with information about login activity on the system, so that they can identify intrusion attempts. After successful authentication and login to the system, the router should display the following:
a) the date, time and source of the last successful login to the system;
b) the identity authentication failures since the last successful login to the system;
c) the number of days until the password expires.

5.1.3 Security management

5.1.3.1 Rights management
The router should be able to set multiple roles, with the ability to divide administrators into levels and assign the corresponding permissions (such as monitoring or maintenance configuration), so that the management scope and authority of each administrator is limited and unauthorized login and unauthorized operations are prevented. The system should be able to support centralized authentication and authorization management via RADIUS/TACACS.

5.1.3.2 Management protocol settings
The router should be able to configure and use secure protocols, such as SSH, SFTP, SNMPv3 and HTTPS, to manage and control the system.

5.1.3.3 Security attribute management
The router should provide administrators with functions for controlling and managing the security functions, including:
a) management of the functions related to the router's discretionary access control, identity authentication and security assurance techniques;
b) management of the functions related to general installation and configuration;
c) initial values for the router's security configuration parameters. After the router is installed, the security function should prompt the administrator to modify the configuration, and may periodically remind the administrator to maintain the configuration.

5.1.4 Device security protection

5.1.4.1 Flow control
The router should be able to control the amount of protocol traffic that the device itself must parse and process, for example by setting bandwidth limits and other protective measures, so that normal forwarding service is maintained when the system is subjected to a protocol flood attack and the system recovers directly once the flood attack stops.

5.1.4.2 Priority scheduling
The router should be able to prioritize the protocol traffic that the device itself must parse and process according to the importance of the service, giving priority guarantees to high-priority protocol traffic so that important services are not interrupted when traffic surges or a network attack occurs.

5.1.4.3 Resource exhaustion protection
The router should be able to protect important system resources and, by limiting resource allocation, confine the impact of an attack to a bounded range. The router should support a MAC address learning restriction function, so that users on other interfaces of the system are not affected.

5.1.5 Network security protection

5.1.5.1 Unicast reverse path forwarding
The router should have a uRPF function to block source IP address spoofing attacks at the network boundary.

5.1.5.2 Routing protocol authentication
The routing protocols used by the router should support routing authentication, to ensure that routes are advertised by legitimate routers and have not been altered in transit.

5.1.5.3 MPLS VPN
The router should implement Layer 2 and Layer 3 VPN functions based on the MPLS protocol, and use independent VPN management networks to isolate the traffic of different users from one another.
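The uRPF check defined in 3.1.3 and required in 5.1.5.1, shown as an added Python example that is not part of the standard and not any router vendor's code. It implements the strict mode the standard describes (the route back to the source must leave through the interface the packet arrived on) and, going one step beyond the text, a loose mode that only requires some route to exist. The routing table, interface names and packets are constructed sample data.

```python
"""Added example: strict and loose unicast reverse path forwarding checks
(GB/T 18018-2019 3.1.3 / 5.1.5.1). Routes, interfaces and packets are
constructed for the illustration and do not describe any real device."""
import ipaddress

# Constructed forwarding table: (prefix, outgoing interface).
ROUTES = [
    ("10.1.0.0/16", "eth1"),      # customer block behind eth1
    ("10.1.5.0/24", "eth2"),      # a more specific customer block behind eth2
    ("192.168.0.0/16", "eth3"),   # internal networks behind eth3
    ("0.0.0.0/0", "eth0"),        # default route towards the upstream
]


def lookup(address: str):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_accept(src: str, in_iface: str, mode: str = "strict",
                allow_default: bool = True) -> bool:
    """Reverse-path check on the packet's source address.

    strict: the route back to src must point out of in_iface (3.1.3).
    loose:  any route to src is enough (generalization not in the standard).
    allow_default: whether a match on 0.0.0.0/0 counts as a usable route.
    """
    match = lookup(src)
    if match is None:
        return False                      # no route back at all: drop
    net, out_iface = match
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route matched
    if mode == "loose":
        return True
    return out_iface == in_iface


def filter_packets(packets, mode: str = "strict", allow_default: bool = True):
    """Split (src, in_iface) pairs into (accepted, dropped) lists."""
    accepted, dropped = [], []
    for src, iface in packets:
        target = accepted if urpf_accept(src, iface, mode, allow_default) else dropped
        target.append((src, iface))
    return accepted, dropped


# Constructed sample traffic: (source address, inbound interface).
PACKETS = [
    ("10.1.2.3", "eth1"),      # legitimate customer on eth1
    ("10.1.5.9", "eth1"),      # claims an eth2 address but arrived on eth1
    ("10.1.5.9", "eth2"),      # legitimate, matches the /24 behind eth2
    ("192.168.1.1", "eth1"),   # internal address arriving from a customer port
    ("203.0.113.7", "eth0"),   # external source from the upstream: default route
    ("203.0.113.7", "eth1"),   # external source from a customer port
]

if __name__ == "__main__":
    ok, bad = filter_packets(PACKETS)
    print("strict accepted:", ok)
    print("strict dropped: ", bad)
```

In strict mode three of the six sample packets are dropped: the two whose source addresses belong behind a different interface and the one carrying an external address in from a customer port. Strict mode is the right fit for single-homed customer or access interfaces, which is where 5.1.5.1 places the check ("at the network boundary"); on interfaces with asymmetric routing it would also drop legitimate traffic, which is why the loose variant exists.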
5.1.6 Security function protection

5.1.6.1 Self-check
When the device is powered on, it should perform a self-check of its security functions, such as memory, digital signatures and cryptographic algorithms, to ensure that the security functions are correct. Only when all self-checks pass may the device start normally.

5.1.6.2 Secure software update
The security administrator should be able to query the version number of the currently running software/firmware and of the most recently installed version, and should be able to use digital signatures to verify the legitimacy of software/firmware updates.

5.1.7 Audit

5.1.7.1 Audit data generation
The router should have an audit function and be able to audit at least the following events:
a) start-up and shutdown of the audit function;
b) account management;
c) login events;
d) system events;
e) modification of configuration files.
The router should generate audit records for auditable events, and each audit record should contain at least the following information:
a) the date and time of the event;
b) the type of event;
c) the identity of the administrator;
d) the outcome of the event (success or failure).

5.1.7.2 Audit data access
The router should provide authorized administrators with the ability to read audit information from the audit records, and should present the audit records to the administrator in a clearly defined, easy-to-read format.

5.1.7.3 Audit data protection
The router should be able to protect the stored audit records, prevent unauthorized deletion, and be able to detect and prevent modification of the audit records. When audit storage is exhausted, fails or is attacked, the router should ensure that the most recent audit records are not destroyed within a defined period.

5.1.8 Reliability
The router should provide reliability guarantees and have a partially redundant design, supporting redundancy and hot swapping of components such as line cards, interfaces and power supplies.
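The audit requirements in 5.1.7 above, shown as an added Python example that is not from the standard or any vendor: each record carries the four fields 5.1.7.1 requires, a bounded store keeps the newest records when capacity is exhausted (5.1.7.3), and a SHA-256 hash chain makes any later modification of a stored record detectable (5.1.7.3). The AuditLog class, event names and sample events are assumptions made for this illustration.

```python
"""Added example: tamper-evident audit records modelled on GB/T 18018-2019
5.1.7.1 and 5.1.7.3. Class, field and event names are constructed here."""
import hashlib
import json
from collections import deque
from datetime import datetime, timezone

# Event classes from 5.1.7.1 a)-e); the names are this example's own.
EVENT_TYPES = {"audit_start", "audit_stop", "account_mgmt", "login",
               "system", "config_change"}
RESULTS = {"success", "failure"}
GENESIS = "0" * 64      # "previous hash" of the very first record


def _digest(rec: dict) -> str:
    """SHA-256 over every field except the record's own hash."""
    body = {k: v for k, v in rec.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    def __init__(self, capacity: int = 1000):
        # Bounded store: when full, the oldest record is discarded so the
        # newest records survive storage exhaustion (5.1.7.3).
        self.records = deque(maxlen=capacity)
        self.last_hash = GENESIS

    def append(self, event_type: str, admin: str, result: str, when=None) -> dict:
        if event_type not in EVENT_TYPES:
            raise ValueError(f"unknown event type {event_type!r}")
        if result not in RESULTS:
            raise ValueError(f"result must be one of {sorted(RESULTS)}")
        rec = {
            "time": (when or datetime.now(timezone.utc)).isoformat(),  # a)
            "type": event_type,                                         # b)
            "admin": admin,                                             # c)
            "result": result,                                           # d)
            "prev": self.last_hash,       # links this record to the one before
        }
        rec["hash"] = _digest(rec)
        self.last_hash = rec["hash"]
        self.records.append(rec)
        return rec


def verify(records) -> int:
    """Return -1 if the chain is intact, else the index of the first record
    whose content or link to its predecessor does not check out."""
    prev = None
    for i, rec in enumerate(records):
        if _digest(rec) != rec["hash"]:
            return i                        # record body was altered
        if prev is not None and rec["prev"] != prev:
            return i                        # a predecessor was altered or removed
        prev = rec["hash"]
    return -1


def build_sample_log(capacity: int = 3) -> AuditLog:
    """Constructed sample: four events into a three-record store."""
    log = AuditLog(capacity=capacity)
    log.append("audit_start", "system", "success")
    log.append("login", "admin", "failure")
    log.append("config_change", "admin", "success")
    log.append("account_mgmt", "admin", "success")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("retained:", [r["type"] for r in log.records], "intact:", verify(log.records))
    copy = [dict(r) for r in log.records]
    copy[1]["result"] = "failure"          # simulate an after-the-fact edit
    print("after edit, first bad record:", verify(copy))
```

Verification starts from whatever record is oldest in the retained window, so discarding old records under 5.1.7.3 does not break the check; an attacker who edits a record must also recompute its hash, and then the next record's stored "prev" no longer matches, which is the case the second assertion in the usage below covers.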
5.2 Security assurance requirements

5.2.1 Configuration management
Developers should design and implement configuration management for the router, with the following requirements:
a) Developers should use a configuration management system and provide configuration management documentation, provide a unique identifier for each version of the product, and label each version of the product with its unique identifier.
b) The scope of configuration management should cover at least the router's implementation representation, design documents, test documents, user documents and configuration management documentation, to ensure that modifications to them are carried out in a properly authorized and controlled manner. The configuration management documentation should at least be able to track these configuration items and describe how the configuration management system tracks them.

5.2.2 Delivery and operation
Developers should document the secure delivery, installation and startup procedures of the router. The documentation should include:
a) instructions for delivering the router securely to users;
b) instructions for installing and starting the router securely.

5.2.3 Development
Developers should provide the functional specification of the router, with the following requirements:
a) The functional design should be produced according to the requirements for an informal functional design, describe the security functions and their external interfaces informally, and describe the purpose and method of use of the external security function interfaces.
b) A high-level design of the router's security functions should be provided. The high-level design should describe the security functions and their structure in terms of subsystems, and identify all interfaces of the security function subsystems. The high-level design should also identify the underlying hardware, firmware and software.
c) Developers should provide an informal correspondence analysis between the functional design and the high-level design of the router's security functions, demonstrating that all relevant security functions expressed in the functional design are correctly and completely refined in the high-level design.

5.2.4 Guidance documents
Developers should produce guidance documents for the router, with the following requirements:
a) the documents should provide information on the security functions and interfaces of the router, the management and configuration of the router, the startup and operation of the router, and a description of all security attributes, warning messages and audit tools;
b) the documents should not contain any information that would endanger the security of the system if leaked. The documents may be hard copy, electronic documents or online documentation; if online, access to the documentation should be controlled.

5.2.5 Life cycle support
Developers should establish a life cycle model for the development and maintenance of the router, i.e. the procedures, tools and techniques used to develop and maintain the router, with the following requirements:
a) Developers should develop and maintain the router according to their defined life cycle model, and provide a life cycle definition document describing the life cycle model used to develop and maintain the router's security functions.
b) The model should provide the necessary controls over the development and maintenance of the router, using physical, procedural, personnel and other security measures to protect the security of the router development environment, including the physical security of the site and the selection of developers, and should take appropriate protective measures to eliminate or reduce the security threats faced during router development.

5.2.6 Testing
Developers should test the router, with the following requirements:
a) general functional tests should be carried out to ensure that the router meets all security function requirements;
b) an analysis of test depth should be provided, demonstrating that the security function tests identified in the test documentation are sufficient to show that the operation of the security functions is consistent with the high-level design;
c) independent conformance testing should be carried out, performed by a professional third-party independent laboratory, to confirm that the router meets all security function requirements;
d) test documentation should be retained and provided, describing in detail the test plan, the test procedures, and the expected and actual test results.

5.2.7 Vulnerability assessment
Vulnerability assessment includes the following:
a) Developers should provide guidance documents and analysis documents that identify all possible modes of operation of the router (including the consequences of failures and operational errors) and their implications for maintaining secure operation, and that list all assumptions about the intended environment and all requirements for external security measures (including external procedural, physical or personnel controls). The content should be complete, clear, consistent and reasonable.
b) Developers should perform a strength-of-function analysis for security mechanisms (for example, password mechanisms) that carry a strength of security function claim. The strength-of-function analysis shall demonstrate that the security mechanism reaches the claimed strength.
c) Developers should perform a vulnerability analysis and provide vulnerability analysis documentation. For all identified vulnerabilities, the documentation should demonstrate that they cannot be exploited in the intended usage environment of the router. The document should ...

Tips & Frequently Asked Questions:

Question 1: How long will the true-PDF of GB/T 18018-2019_English be delivered?

Answer: Upon your order, we will start to translate GB/T 18018-2019_English as soon as possible, and keep you informed of the progress. The lead time is typically 2 ~ 4 working days. The lengthier the document the longer the lead time.

Question 2: Can I share the purchased PDF of GB/T 18018-2019_English with my colleagues?

Answer: Yes. The purchased PDF of GB/T 18018-2019_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.

Question 3: Does the price include tax/VAT?

Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countries

Question 4: Do you accept my currency other than USD?

Answer: Yes. If you need your currency to be printed on the invoice, please write an email to [email protected]. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.

Question 5: Should I purchase the latest version GB/T 18018-2019?

Answer: Yes. Unless special scenarios such as technical constraints or academic study, you should always prioritize to purchase the latest version GB/T 18018-2019 even if the enforcement date is in future. Complying with the latest version means that, by default, it also complies with all the earlier versions, technically.