BASIC DATA
Standard ID: GB/T 20275-2021 (GB/T20275-2021)
Description (translated English): Information security technology -- Technical requirements and testing and evaluation approaches for network-based intrusion detection system
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.030
Word Count Estimation: 74,790
Date of Issue: 2021-10-11
Date of Implementation: 2022-05-01
Older Standard (superseded by this standard): GB/T 20275-2013
Drafting Organization: The Third Research Institute of the Ministry of Public Security, Beijing Tianrongxin Network Security Technology Co., Ltd., Qi Anxin Technology Group Co., Ltd., Beijing Shenzhou NSFOCUS Technology Co., Ltd., Venus Star Information Technology Group Co., Ltd., Shanghai International Technology and Trade Union Co., Ltd., Shen Information Technology (Beijing) Co., Ltd., China Network Security Review Technology and Certification Center, China Electronics Technology Group Corporation 15th Research Institute (Information Industry Information Security Evaluation Center), Shanghai Information Security Evaluation and Certification Center, Beijing Hillstone Network Technology Information Technology Co., Ltd., Xi'an Jiaotong University Jabil Network Technology Co., Ltd., New H3C Technology Co., Ltd., Beijing Anbotong Technology Co., Ltd., Beijing Zhongke Wangwei Information Technology Co., Ltd., Sangfor Technology Co., Ltd., Shenzhen Tencent Computer System Co., Ltd.
Administrative Organization: National Information Security Standardization Technical Committee (SAC/TC 260)
Regulation (derived from): National Standard Announcement No. 12 of 2021
Proposing organization: National Information Security Standardization Technical Committee (SAC/TC 260)
Issuing agency(ies): State Administration for Market Regulation, National Standardization Administration


GB/T 20275-2021
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.030
CCS L 80
Replacing GB/T 20275-2013
Information Security Technology - Technical Requirements
and Testing and Evaluation Approaches for Network-based
Intrusion Detection System
ISSUED ON: OCTOBER 11, 2021
IMPLEMENTED ON: MAY 1, 2022
Issued by: State Administration for Market Regulation;
Standardization Administration of the People’s Republic of China.
Table of Contents
Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Abbreviations
5 Network-based Intrusion Detection System
6 Security Technology Requirements
6.1 Classification and Level Division of Requirements
6.2 Basic-level Security Requirements
6.3 Enhanced-level Security Requirements
7 Testing and Evaluation Approaches
7.1 Test Environment
7.2 Test Tools
7.3 Basic Level
7.4 Enhanced Level
Bibliography
Information Security Technology - Technical Requirements
and Testing and Evaluation Approaches for Network-based
Intrusion Detection System
1 Scope
This document specifies the security technology requirements, testing and evaluation
approaches for network-based intrusion detection system.
This document is applicable to the design, development, testing and evaluation of network-
based intrusion detection system.
2 Normative References
The following documents are referred to in the text in such a way that their content
constitutes requirements of this document. For dated references, only the edition cited
applies. For undated references, the latest edition (including all amendments) applies.
GB/T 25069 Information Security Techniques - Terminology
3 Terms and Definitions
The terms and definitions given in GB/T 25069, together with the following, apply to this
document.
3.1 security incident
Security incident refers to an incident that causes harm to networks and information systems,
or the data contained therein.
3.2 alert
Alert refers to a message sent by the network-based intrusion detection system to the authorized
administrator when an attack or intrusion occurs.
3.3 supporting system
Supporting system refers to an operating system that supports the operation of the network-
based intrusion detection system.
6.2 Basic-level Security Requirements
6.2.1 Security function requirements
6.2.1.1 Data detection function requirements
6.2.1.1.1 Data collection
When the system performs detection and analysis, it shall have the capability of obtaining data
packets in the protected network segment in real time.
6.2.1.1.2 Protocol analysis
The system shall perform protocol analysis on the collected data packets.
6.2.1.1.3 Attack behavior monitoring
The system shall at least monitor the following attack behaviors: port scanning, brute force
attack, malicious code attack, denial of service attack, buffer overflow attack and weak
vulnerability attack, etc.
6.2.1.1.4 Traffic monitoring
The system shall monitor the message traffic and byte traffic of the entire network or a specific
protocol, address or port.
6.2.1.2 Intrusion analysis function requirements
6.2.1.2.1 Data analysis
The system shall analyze the collected data packets and find security incidents.
6.2.1.2.2 Incident merging
The system shall have the capability of combining alarms for the same security incidents that
frequently occur to avoid alarm storms. High frequency thresholds shall be set by authorized
administrators.
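As an added illustration of the alarm merging that clause 6.2.1.2.2 requires (example code, not taken from the standard or from any product): alerts for the same incident, meaning the same type, source and destination, are reported individually until they exceed an administrator-set threshold within a sliding window, after which the repeats are folded into one merged alarm that carries a count and a time span. The threshold, window and incident values are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Incident:
    ts: float    # time in seconds (constructed values in SAMPLE below)
    kind: str    # incident type, e.g. "brute_force"
    src: str
    dst: str

@dataclass
class MergedAlarm:
    kind: str
    src: str
    dst: str
    count: int        # how many repeats were folded into this alarm
    first_ts: float
    last_ts: float

class AlarmMerger:
    """Fold repeats of one incident into a single alarm once their rate exceeds
    `threshold` per `window` seconds: the administrator-set high frequency threshold."""

    def __init__(self, threshold: int, window: float):
        self.threshold = threshold
        self.window = window
        self._recent = defaultdict(list)  # key -> timestamps inside window
        self._open = {}                   # key -> MergedAlarm being built

    @staticmethod
    def _key(inc: Incident):
        return (inc.kind, inc.src, inc.dst)   # "same security incident"

    def feed(self, inc: Incident):
        """Return alarms to emit now: [inc] below threshold, [] while merging."""
        key = self._key(inc)
        recent = [t for t in self._recent[key] if inc.ts - t <= self.window]
        recent.append(inc.ts)
        self._recent[key] = recent
        if key in self._open:                 # already merging: absorb it
            m = self._open[key]
            m.count += 1
            m.last_ts = inc.ts
            return []
        if len(recent) > self.threshold:      # alarm storm: start merging
            self._open[key] = MergedAlarm(*key, 1, inc.ts, inc.ts)
            return []
        return [inc]

    def flush(self):
        """Emit the merged alarms (e.g. at the end of a window) and reset."""
        out = list(self._open.values())
        self._open.clear()
        self._recent.clear()
        return out

def run(threshold: int, window: float, incidents):
    """Feed incidents through one merger; return (individual, merged)."""
    merger = AlarmMerger(threshold, window)
    individual = [a for inc in incidents for a in merger.feed(inc)]
    return individual, merger.flush()

# Constructed sample: one source hammering one host eight times in 8 s,
# plus one unrelated port scan that must still be reported on its own.
SAMPLE = [Incident(float(t), "brute_force", "198.51.100.7", "192.0.2.20")
          for t in range(8)] + [Incident(9.0, "port_scan", "198.51.100.8", "192.0.2.21")]
```

With threshold 3 and a 10 s window, `run(3, 10.0, SAMPLE)` reports the first three brute-force alerts and the port scan individually and one merged brute-force alarm with a count of 5.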
6.2.1.3 Intrusion response function requirements
6.2.1.3.1 Customized response
The system shall allow the administrator to customize different response modes for the specific
destination host in the detected network segment.
6.2.1.3.2 Security alert
When the system detects an intrusion, it shall automatically take corresponding actions to issue
security warnings.
6.2.1.3.3 Alert mode
One or more alert modes, such as real-time on-screen prompts and e-mail alerts, shall be
adopted.
6.2.1.4 Management control function requirements
6.2.1.4.1 Graphic interface
The system shall provide the administrator with a graphic interface to administrate and
configure the intrusion detection system. The administrative configuration interface shall
contain all the functions needed to configure and administrate the system.
6.2.1.4.2 Security incident library
The content in the system security incident library shall include the definition and analysis of
incidents, detailed vulnerability repair schemes and countermeasures that can be taken.
6.2.1.4.3 Incident level division
The system shall divide the incidents in accordance with their severity, so that the authorized
administrators can capture hazardous incidents from a large amount of information.
6.2.1.4.4 Policy configuration
The system shall provide a convenient and fast method and means for the policy configuration
of the intrusion detection system, and be equipped with policy templates, and support for policy
import and export.
6.2.1.4.5 Incident library upgrade
The system shall have the capability of upgrading the incident library.
6.2.1.4.6 System upgrade
The system shall have the capability of upgrading system programs.
6.2.1.4.7 Hardware failure handling
For hardware products, when the hardware fails, the administrator shall be notified in time.
6.2.1.4.8 Port separation
The detectors of the system shall be equipped with different ports, which are respectively used
for system administration and network data monitoring.
6.2.1.4.9 Clock synchronization
The system shall provide a clock synchronization function to ensure the time consistency
between each component of the system and the clock server.
6.2.1.5 Detection result processing requirements
6.2.1.5.1 Incident record
The system shall save the detected security incidents and record the security incident
information.
The security incident information shall at least include the following contents: occurrence time,
source address, destination address, incident level, incident type, incident name, incident
definition, detailed incident process analysis and solution recommendations, etc.
6.2.1.5.2 Incident visualization
The administrator shall be able to clearly check security incidents in real time through the
administration interface.
6.2.1.5.3 Report generation
The system shall be able to generate detailed detection result reports.
6.2.1.5.4 Report review
The system shall have the function of browsing the detection result reports.
6.2.1.5.5 Report output
The detection result reports shall be able to be output in a text format that is easy for the
administrator to read, including but not limited to WORD files, HTML files, PDF files, WPS
files or OFD files.
6.2.1.6 Performance requirements
6.2.1.6.1 False alarm rate
The system shall control the false alarm rate within 15% and shall not have a great impact on
the normal application of the system. The false alarm rate of the system that supports operation
under the IPv6 network environment shall satisfy the above-mentioned indicators.
6.2.1.6.2 Missing report rate
The system shall control the missing report rate within 15% and shall not have a great impact
on the normal application of the system. The missing report rate of the system that supports
operation under the IPv6 network environment shall satisfy the above-mentioned indicators.
6.2.1.6.3 High traffic background intrusion detection capability
The single-port monitoring traffic of a 100 M system shall be ≥ 90 Mbps, that of a Gigabit
system ≥ 0.9 Gbps and that of a 10-Gigabit system ≥ 9 Gbps. The traffic monitoring
capability of a system that supports operation under the IPv6 network environment shall
satisfy the above-mentioned indicators.
6.2.1.6.4 High concurrent connection background intrusion detection capability
The number of concurrent connections monitored on a single port shall be ≥ 100,000 for a
100 M system, ≥ 1 million for a Gigabit system and ≥ 1.5 million for a 10-Gigabit system.
The capability of a system that supports operation under the IPv6 network environment in
monitoring the number of concurrent connections shall satisfy the above-mentioned indicators.
6.2.1.6.5 High new TCP connection rate background intrusion detection capability
The number of new TCP connections per second monitored on a single port shall be ≥ 60,000
for a 100 M system, ≥ 100,000 for a Gigabit system and ≥ 150,000 for a 10-Gigabit system.
The capability of a system that supports operation under the IPv6 network environment in
monitoring the new TCP connection rate shall satisfy the above-mentioned indicators.
6.2.2 Self-security protection requirements
6.2.2.1 Identity authentication
6.2.2.1.1 Administrator authentication
Before the administrator performs any operations related to security functions, the system shall
authenticate the administrator.
6.2.2.1.2 Authentication information requirements
When adopting password-based authentication information, the system shall check the
complexity of the password set by the administrator, so as to ensure that the administrator
password satisfies the complexity requirements. When there is a default password, the system
shall prompt the administrator to modify the default password, so as to reduce the risk of user
identity being impersonated. The system shall provide the function of regular replacement of
authentication information. When the usage time of authentication information reaches the
threshold of usage period, the administrator shall be prompted to modify it.
6.2.2.1.3 Authentication failure handling
When administrator authentication fails consecutively for a specified number of times, the
system shall prevent the administrator from making further authentication requests and
generate audit events with the relevant information. The maximum number of failures shall
be set only by the administrator.
6.2.2.1.4 Authentication data protection
The system shall protect authentication data from unauthorized access and modification.
6.2.2.1.5 Timeout setting
The system shall require re-authentication when an administrator session times out. If there
is no operation within the set time period, the session shall be locked or terminated, and
identity authentication shall be performed again before the system can be administered. The
maximum timeout period shall be set only by authorized administrators.
6.2.2.1.6 Administration address restrictions
The system shall restrict the network address that the administrator can log in to.
6.2.2.2 Administrator management
6.2.2.2.1 Identity uniqueness
The system shall ensure that the set administrator ID is globally unique.
6.2.2.2.2 Administrator attribute definition
The system shall save a security attribute table for each administrator, and the attributes shall
include: administration identity, authentication data, authorization information or
administration group information, and other security attributes, etc.
6.2.2.2.3 Security behavior management
The system shall restrict the disabling and modification of system functions to authorized
administrators only.
6.2.2.3 Security audit
6.2.2.3.1 Audit log generation
The system shall generate audit logs for the following incidents:
a) Login and logout of administrator account, system startup, system upgrade, important
configuration changes, adding / deleting / modifying administrators, saving / deleting
audit logs, etc.;
b) Alerts for the abnormal status of the system and its modules.
The system shall record the date, time, user ID, incident description and result in each audit log
record. If the mode of remote login is adopted, the IP address of the administration host shall
also be recorded.
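The following added example (not code from the standard or from any product) puts clauses 6.2.2.1.3, 6.2.2.1.5 and 6.2.2.3.1 together in one administrator login gate: an administrator-set consecutive-failure limit that locks the account and audits the lockout, an administrator-set idle timeout after which the session is terminated and re-authentication is required, and audit records carrying date, time, user ID, description, result and, for remote logins, the administration host IP. The credentials, addresses, limits and timestamps are constructed sample values, and PBKDF2 is this example's choice for password storage, not something the standard specifies.

```python
import hashlib, hmac, os
from datetime import datetime, timezone

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AdminGate:
    """Lockout after N consecutive failures, idle-timeout re-authentication, audit per event."""

    def __init__(self, max_failures: int, idle_timeout_s: float):
        # Both limits are set only by the authorized administrator (constructed values in use).
        self.max_failures = max_failures
        self.idle_timeout_s = idle_timeout_s
        self._users = {}      # user -> (salt, password hash)
        self._failures = {}   # user -> consecutive failed logins
        self._locked = set()  # users refused further authentication requests
        self._sessions = {}   # user -> time (epoch seconds) of last operation
        self.audit = []       # audit records, newest last

    def add_user(self, user: str, password: str):
        salt = os.urandom(16)
        self._users[user] = (salt, _hash(password, salt))

    def _audit(self, now: float, user: str, desc: str, result: str, ip=None):
        # Required fields: date, time, user ID, description, result; plus the
        # administration host IP whenever the login is remote.
        t = datetime.fromtimestamp(now, timezone.utc)
        rec = {"date": t.date().isoformat(), "time": t.strftime("%H:%M:%S"),
               "user": user, "description": desc, "result": result}
        if ip is not None:
            rec["mgmt_host_ip"] = ip
        self.audit.append(rec)

    def login(self, user: str, password: str, now: float, ip=None) -> bool:
        if user in self._locked:
            self._audit(now, user, "login on locked account", "refused", ip)
            return False
        salt, stored = self._users.get(user, (b"", b""))
        ok = user in self._users and hmac.compare_digest(_hash(password, salt), stored)
        if ok:
            self._failures[user] = 0
            self._sessions[user] = now
            self._audit(now, user, "administrator login", "success", ip)
            return True
        n = self._failures[user] = self._failures.get(user, 0) + 1
        self._audit(now, user, f"login failure {n} of {self.max_failures}", "failure", ip)
        if n >= self.max_failures:          # consecutive-failure limit reached
            self._locked.add(user)
            self._audit(now, user, "locked after consecutive failures", "locked", ip)
        return False

    def operate(self, user: str, now: float) -> bool:
        """Gate every management operation: True only while the session is live."""
        last = self._sessions.get(user)
        if last is None:
            return False
        if now - last > self.idle_timeout_s:  # idle too long: terminate the session
            del self._sessions[user]
            self._audit(now, user, "session terminated by idle timeout",
                        "re-authentication required")
            return False
        self._sessions[user] = now
        return True
```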
6.2.2.3.2 Audit log comprehensibility
The mode, in which the audit data is recorded, shall make it easy for administrators to
comprehend, so as to facilitate the analysis of the audit logs.
6.2.2.3.3 Audit log review
The system shall provide authorized administrators with the audit log review function, so as to
make it convenient for administrators to review audit results.
6.2.2.3.4 Restricted audit log review
Except for authorized administrators with explicit access rights, the system shall prohibit access
to audit logs for all other users.
6.2.2.3.5 Optional audit review
Retrieval or sorting of audit logs in accordance with certain conditions shall be supported.
6.2.2.4 Data security
6.2.2.4.1 Security management
The system shall only allow authorized administrators to access security incident records and
audit logs and prohibit other users from operating the security incident records and audit logs.
6.2.2.4.2 Data storage alert
The system shall automatically generate an alert when the data storage space is about to be
exhausted, and the size of the remaining storage space that triggers the alert shall be set by the
administrator.
6.2.2.4.3 Outgoing data transmission
The system shall support the outgoing transmission of security incident records and audit logs,
so as to facilitate further analysis of the security incident records and audit logs.
6.2.2.5 Communication security
The system shall ensure that data transmitted among the various components (including but not
limited to configuration and control information, alert and incident data, etc.) is not leaked.
6.2.2.6 Operation security
The system shall take measures, for example, hiding the IP address of the detector, to make
itself invisible on the network, so as to reduce the possibility of being attacked.
6.2.2.7 Supporting system security
The supporting system of the system shall:
a) Be tailored as necessary and provide no redundant components or network services;
b) Not lose security policy or log information during the restart process;
c) Contain no already-known medium, high or ultra-critical security vulnerabilities.
6.2.3 Environmental adaptability requirements (if applicable)
6.2.3.1 Support pure IPv6 network environment
The system shall support pure IPv6 network environment, be able to normally operate under
pure IPv6 network environment and realize the detection of the target network intrusion.
6.2.3.2 Self-management under IPv6 network environment
The system shall support self-management under IPv6 network environment, so as to realize
the management and operation of products.
6.2.3.3 Dual protocol stack
The system shall support IPv4 / IPv6 dual-stack network environment, be able to operate
normally under IPv4 / IPv6 dual-stack network environment and realize the detection of the
target network intrusion.
6.2.4 Security guarantee requirements
6.2.4.1 Development
6.2.4.1.1 Security architecture
The developer shall provide a security architecture description of product security functions
and self-security protection. The security architecture description shall satisfy the following
requirements:
a) Consistent with the level of abstract description implemented on the security
functions and self-security protection in the product design documents;
b) Describe the security domain of the product security functions and self-security
protection consistent with the security functions and self-security protection
requirements;
c) Describe why the initialization process of product security functions and self-security
protection is secure;
d) Demonstrate that the product security functions and self-security protection can
prevent damages;
e) Demonstrate that the product security functions and self-security protection can
prevent bypassing of security features.
6.2.4.1.2 Functional specification
The developer shall provide a complete functional specification, which shall satisfy the
following requirements:
a) Completely describe the product security functions and self-security protection;
b) Describe the purpose and usage of all interfaces for security functions and self-
security protection;
c) Identify and describe all parameters related to each interface of security functions and
self-security protection;
d) Describe the security functions and self-security protection implementation behaviors
related to the interfaces of security functions and self-security protection;
e) Describe the immediate error messages resulting from the handling of security
functions and self-security protection implementation behaviors;
f) Demonstrate the traceability of the security functions and self-security protection
requirements to the security functions and self-security protection interfaces.
6.2.4.1.3 Product design
The developer shall provide product design documents, which shall satisfy the following
requirements:
a) Describe the product structure in terms of subsystems;
b) Identify and describe all subsystems of the product security functions and self-
security protection;
c) Describe the interaction among all subsystems of the security functions and self-
security protection;
d) The provided mapping relations can demonstrate that all the behaviors described in
the design can be mapped to the security functions and self-security protection
interfaces calling it.
6.2.4.2 Guidance documents
6.2.4.2.1 Operating user guide
The developer shall provide a clear and reasonable operating user guide. The operating user
guide shall be consistent with all other documents provided for evaluation. The description of
each user role shall satisfy the following requirements:
a) Describe the functions and privileges accessible to controlled users in the secure
processing environment, including appropriate warning messages;
b) Describe how to use the available interfaces provided by the product in a secure mode;
c) Describe available functions and interfaces, especially all security parameters
controlled by the user;
d) Clearly describe each type of security-related incident related to the user-accessible
functions that need to be performed, including changes to the security features of
entities controlled by the security functions and self-security protection;
e) Identify all possible states of product operation (including failures caused by
operation or operational errors), as well as their causal relations and connections with
maintaining secure operation;
f) Thoroughly realize the security policy implemented by security objectives.
6.2.4.2.2 Preparation procedure
The developer shall provide product and its preparation procedure. The description of the
preparation procedure shall satisfy the following requirements:
a) Describe all steps necessary to securely receive the delivered product consistent with
the developer’s delivery procedure;
b) Describe all steps necessary to securely install the product and the environment in
which it operates.
6.2.4.3 Life cycle support
6.2.4.3.1 Configuration management capabilities
The configuration management capabilities of the developer shall satisfy the following
requirements:
a) Provide unique identification for different versions of the product;
b) Adopt the configuration management system to maintain all configuration items that
constitute the product, and uniquely identify the configuration items;
c) Provide configuration management documents, which describe the method used to
uniquely identify the configuration items.
6.2.4.3.2 Configuration management scope
The developer shall provide a list of product configuration items and describe the developer of
the configuration items. The list of configuration items includes at least the evaluation evidence
of the product and security guarantee requirements and the constituent parts of the product.
6.2.4.3.3 Delivery procedure
...