GB/T 20278-2013 (GB/T20278-2013, GBT 20278-2013, GBT20278-2013)
Standard ID | Contents [version] | USD | [PDF] delivered in | Standard Title (Description) | Status | PDF
--- | --- | --- | --- | --- | --- | ---
GB/T 20278-2022 | English | 1239 | 8 days [Need to translate] | Information security technology - Security technical requirements and testing assessment approaches for network vulnerability scanners | Valid | GB/T 20278-2022
GB/T 20278-2013 | English | 125 | 0--9 seconds. Auto-delivery | Information security technology -- Security technical requirements for network vulnerability scanners | Obsolete | GB/T 20278-2013
GB/T 20278-2006 | English | 919 | 6 days [Need to translate] | The technical requirements of the information security technology for network vulnerability scanning products | Obsolete | GB/T 20278-2006
Standards related to GB/T 20278-2013

Standard ID | GB/T 20278-2013 (GB/T20278-2013)
Description (Translated English) | Information security technology - Security technical requirements for network vulnerability scanners
Sector / Industry | National Standard (Recommended)
Classification of Chinese Standard | L80
Classification of International Standard | 35.040
Word Count Estimation | 42,486
Older Standard (superseded by this standard) | GB/T 20278-2006
Quoted Standard | GB 17859-1999; GB/T 18336.3-2008; GB/T 25069-2010
Drafting Organization | Ministry of Public Security of Computer Information System Security Product Quality Supervision and Inspection Center
Administrative Organization | National Standardization Technical Committee for Information Security
Regulation (derived from) | National Standards Bulletin 2013 No. 27
Proposing organization | National Information Security Standardization Technical Committee (SAC/TC 260)
Issuing agency(ies) | General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China, Standardization Administration of the People's Republic of China
Summary | This standard specifies the security features of network vulnerability scanning product requirements, to ensure its own security requirements and safety requirements, and in accordance with the requirements of the different security technologies for netwo
GB/T 20278-2022
Information security technology - Security technical requirements and testing assessment approaches for network vulnerability scanners
ICS 35.030
CCS L80
National Standard of the People's Republic of China
Replacing GB/T 20278-2013, GB/T 20280-2006
Information Security Technology - Network Vulnerability Scanning Products - Security Technical Requirements and Test Evaluation Methods
Issued on 2022-03-09
Implemented on 2022-10-01
Issued by the State Administration for Market Regulation and the National Standardization Administration
Contents
Preface I
1 Scope 1
2 Normative references 1
3 Terms and Definitions 1
4 Abbreviations 1
5 Network Vulnerability Scanning Product Description 2
6 Security technical requirements 2
6.1 Overview 2
6.2 Basic level security requirements 5
6.3 Enhanced security requirements 11
7 Test evaluation methods 20
7.1 Test Environment 20
7.2 Test tools 20
7.3 Basic level test evaluation method 21
7.4 Enhanced test evaluation method 36
Reference 59
Foreword
This document was drafted in accordance with the provisions of GB/T 1.1-2020 "Guidelines for Standardization Work - Part 1: Structure and Drafting Rules of Standardization Documents".
This document replaces GB/T 20278-2013 "Information Security Technology - Network Vulnerability Scanning Product Security Technical Requirements" and GB/T 20280-2006 "Information Security Technology - Network Vulnerability Scanning Product Testing and Evaluation Method". Compared with GB/T 20278-2013, in addition to structural adjustments and editorial changes, the main technical changes are as follows:
a) Added the content of "Network Vulnerability Scanning Product Description" (see Chapter 5);
b) Added the requirement of "scanning message identification" (see 6.2.1.5.3 and 6.3.1.5.3);
c) Added the requirement of "concurrent scanning" (see 6.2.1.7 and 6.3.1.7);
d) Added the requirement of "support system safety" (see 6.2.2.4 and 6.3.2.5);
e) Added the requirement of "communication confidentiality" (see 6.3.2.4);
f) Added the content of "Environmental adaptability requirements (if applicable)", which mainly clarifies the product's ability to support IPv6, including the ability to scan a pure IPv6 network environment, self-management capability in an IPv6 network environment, and dual protocol stack requirements (see 6.2.3 and 6.3.3);
g) Added the content of "Test Evaluation Method" (see Chapter 7);
h) Removed the requirement of "scanning IP address restrictions" (see 8.1.8 of the 2013 edition);
i) Removed the requirement of "Ease of Use" (see 8.2.2.2 of the 2013 edition);
j) Revised "Content of Vulnerability Scanning", rearranging the 15 scanning requirements of the original standard into 5 types of scanning requirements (see 6.2.1.2 and 6.3.1.2; 7.1.2 of the 2013 edition); at the enhanced level, scanning requirements for cloud environments and industrial control equipment as target objects are also added (see 6.3.1.2.6 and 6.3.1.2.7);
k) Modified the "safety assurance requirements" at all levels to "safety assurance requirements" (see 6.2.4 and 6.3.4; 7.3 and 8.3 of the 2013 edition).
Please note that some content of this document may be patented. The issuing agency of this document assumes no responsibility for identifying patents.
This document is proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260).
Drafting organizations of this document: The Third Research Institute of the Ministry of Public Security, Beijing Shenzhou Lvmeng Technology Co., Ltd., Netsun Information Technology (Beijing) Co., Ltd., Beijing Tianrongxin Network Security Technology Co., Ltd., Qixingchen Information Technology Group Co., Ltd., Shanghai International Technology and Trade Co., Ltd., China Network Security Review Technology and Certification Center, Xi'an Jiaotong University Jabil Network Technology Co., Ltd., Beijing Zhongke Wangwei Information Technology Co., Ltd., Shanghai Information Security Evaluation and Certification Center, Computer and Microelectronics Development Research Center of the Ministry of Industry and Information Technology (China Software Review Testing Center), New H3C Technology Co., Ltd., China Electronics Technology Group Corporation 15th Research Institute (Information Industry Information Security Evaluation Center), National Industrial Information Security Development Research Center, Shaanxi Provincial Network and Information Security Evaluation Center, State Grid Xinjiang Electric Power Co., Ltd. Electric Power Research Institute, Institute of Information Engineering, Chinese Academy of Sciences, Information and Communication Research Institute of China Electric Power Research Institute Co., Ltd., China Academy of Information and Communication Technology, Yuanjiang Shengbang (Beijing) Network Security Technology Co., Ltd., Beijing Tonghe Beneficial Telecommunications Science and Technology Research Institute Co., Ltd., Shanghai Douxiangxin Information Technology Co., Ltd., Shenzhen Liansoft Technology Co., Ltd., Beijing Zhichuangyu Information Technology Co., Ltd.
Main drafters of this document: Gu Jianxin, Song Haohao, Lu Zhen, Gu Jian, Shen Liang, Yin Hang, Chen Xinyu, Xiong Yi, Qin Lan, Cao Ning, Shen Yongbo, He Jianfeng, Song Wei, Xu Tonghai, Guo Yongzhen, Yang Hongqi, Liu Jian, Liu Zhiyao, Ju Tengfei, Li Mingxuan, Chen Jia, Yan Zhaoteng, Yan Minhui, Xu Zixian, Yu Zhongchen, Wen Lei, Xie Chen, Hou Jun, and Cui Zhao.
The previous versions of this document and the documents it supersedes are as follows:
--- First published in 2006 as GB/T 20278-2006, first revised in 2013;
--- This is the second revision, incorporating GB/T 20280-2006 "Information Security Technology - Network Vulnerability Scanning Product Test Evaluation Method".
Information Security Technology - Network Vulnerability Scanning Products - Security Technical Requirements and Test Evaluation Methods
1 Scope
This document specifies the security technical requirements and testing and evaluation methods for network vulnerability scanning products.
This document applies to the design, development and testing of vulnerability scanning products.
2 Normative references
The contents of the following documents constitute essential provisions of this document through normative references in the text. For dated references, only the edition corresponding to that date applies to this document; for undated references, the latest edition (including all amendments) applies to this document.
GB/T 25069 Information Security Technical Terminology
3 Terms and Definitions
The terms and definitions defined in GB/T 25069 and the following apply to this document.
3.1
scan
The process of using technical tools to detect a target system and find the security weaknesses in it.
3.2
network vulnerability scan
Remotely detecting the security weaknesses of a target system through the network, checking and analyzing its security vulnerabilities so as to find the security weaknesses that an intruder could exploit, and proposing preventive and remedial measures.
3.3
banner
A piece of information sent by an application.
Note: Usually includes information such as welcome words, application name and version.
3.4
supporting system
The operating system on which the network vulnerability scanning device runs.
4 Abbreviations
The following abbreviations apply to this document.
GB/T 20278-2013
GB
NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 20278-2006
Information Security Technology - Security Technical Requirements for Network Vulnerability Scanners
ISSUED ON: DECEMBER 31, 2013
IMPLEMENTED ON: JULY 15, 2014
Issued by: General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China; Standardization Administration of the People's Republic of China.
Table of Contents
1 Scope ... 5
2 Normative References ... 5
3 Terms and Definitions ... 5
4 Abbreviations ... 6
5 Level Classification of Network Vulnerability Scanners ... 7
5.1 Description of Level Classification... 7
5.2 Level Classification ... 7
6 Service Environment ... 10
7 Security Technical Requirements for Basic-level ... 11
7.1 Security Function Requirements ... 11
7.2 Self-security Requirements ... 17
7.3 Security Assurance Requirements ... 19
8 Security Technical Requirements for Enhanced-level ... 23
8.1 Security Function Requirements ... 23
8.2 Self-security Requirements ... 31
8.3 Security Assurance Requirements ... 34
Foreword
This Standard was drafted according to the rules in GB/T 1.1-2009.
This Standard replaces GB/T 20278-2006 "Information Security Technology Technique
Requirement for Network Vulnerability Scanners". The main differences in this
Standard over GB/T 20278-2006 are as follows.
- The name of the standard was changed to "Information Security Technology -
Security Technical Requirements for Network Vulnerability Scanners";
- The definition of "network vulnerability scan" was modified (see 3.3);
- "vulnerability of NIS service" (see 7.3.1.8 of 2006-edition) was deleted;
- "vulnerability of database" was deleted (see 7.3.1.18 of 2006-edition);
- "RPC port" was deleted (see 7.3.4.1 of 2006-edition);
- "NI service" was deleted (see 7.3.4.5 of 2006-edition);
- "alarm function" was deleted (see 7.4.4.1 of 2006-edition);
- "installation and operation control" was deleted (see 7.5 of 2006-edition);
- "interaction with IDS product", "interaction with fire wall product", "interaction with
other application programs" were deleted (see 7.7.4.2, 7.7.4.3, 7.7.7.4 and 8 of
2006-edition);
- "performance requirements" was deleted;
- The requirement of upgrading security measures during product upgrading was
added;
- The function of comparison and analysis between scanning results was added;
- Authentication data protection, authentication failure handling, timeout locking or
logout, remote management and other functions were added in the self-security
requirements of product;
- The integral structure of this Standard was adjusted; it is described according to
the product security function requirements, self-security requirements and security
assurance requirements; in addition, the requirement items of product self-security
were detailed, and the contents of audit function requirements were defined.
This Standard was proposed by and shall be under the jurisdiction of National
Technical Committee on Information Technology Security of Standardization
Administration of China (SAC/TC 260).
Certain content of this document may involve patent. The issuing organization of this
Standard shall not undertake the responsibility of identifying these patents.
Drafting organizations of this Standard: Quality Supervision Testing Center of Ministry
of Public Security for Computer information system security product, Venustech
Information & Technology Co., Ltd. and Netpower Information & Technology Co., Ltd.
Chief drafters of this Standard: Gu Jianxin, Lu Zhen, Yu You, Gu Jian, Zhao Ting, Wang
Zhijia, Wang Honghong and Ming Xu.
Information Security Technology - Security Technical
Requirements for Network Vulnerability Scanners
1 Scope
This Standard specifies the security function requirements, self-security requirements
and security assurance requirements of network vulnerability scanners, and classifies
their levels according to different security technical requirements for network
vulnerability scanners.
This Standard is applicable to the development, production and detection of network
vulnerability scanners.
2 Normative References
The following documents are essential for the application of this document. For the
dated references, only the dated editions apply to this document. For undated
references, the latest editions (including amendments) apply to this document.
GB 17859-1999 Classified Criteria for Security Protection of Computer
Information System
GB/T 18336.3-2008 Information Technology - Security Techniques -
Evaluation Criteria for IT Security - Part 3. Security
Assurance Requirements
GB/T 25069-2010 Information Security Technology - Glossary
3 Terms and Definitions
For the purpose of this Standard, the terms and definitions specified in GB/T 17859-1999
and GB/T 25069-2010 as well as the following ones apply.
3.1
Scan
The process of using technical tools to detect the security risks that exist in a target
system.
3.2
Vulnerability
A weakness in a network system that may be exploited and cause harm.
3.3
Network vulnerability scan
Remotely detect target system for security risk through network, inspect and analyze
its security vulnerability thereby to find out the security loophole that may be utilized
by intruder, and recommend some preventative and remedial measures.
3.4
Banner
A piece of information sent by application program, generally including words of
welcome, application name and version, etc.
4 Abbreviations
For the purpose of this Standard, the following abbreviations apply.
CGI: Common Gateway Interface
CVE: Common Vulnerabilities and Exposures
DNS: Domain Name System
DoS: Denial of Service
FTP: File Transfer Protocol
IP: Internet Protocol
NETBIOS: Network Basic Input Output System
NFS: Network File System
POP3: Post Office Protocol 3
RPC: Remote Procedure Call
SMB: Server Message Block
SMTP: Simple Mail Transfer Protocol
SNMP: Simple Network Management Protocol
TCP: Transmission Control Protocol
UDP: User Datagram Protocol
5 Level Classification of Network Vulnerability Scanners
5.1 Description of Level Classification
5.1.1 Basic-level
This level specifies the basic functional requirements for network vulnerability scanners. It
limits the use of product functions and controls data access through user identification
and identity authentication, giving the product the capability of autonomous security
protection and guaranteeing that the network vulnerability scanner can operate normally;
it also provides an audit function so that the operation behaviors of administrators and
scanning events are traceable. It provides basic analysis and processing capability for the
scanning result based on the scanning information obtained, and generates a report. Its
self-security requirements shall be in accordance with the relevant requirements of the
system audit protection level in GB 17859-1999, and its security assurance requirements
shall be in accordance with the requirements of EAL Level 2 specified in GB/T 18336.3-2008.
5.1.2 Enhanced-level
Network vulnerability scanners of this level not only meet all the aforesaid basic-level
requirements, but also further divide security management into different roles so as to
refine the control of product management rights. In addition, the input and output as
well as comparison of scanning results, scanning under a known account number /
password, upgrading security measures, IP address scanning restriction, interactivity
requirements, audit storage safety and other contents are added, making the functional
requirements of the product more complete and its use more convenient. The self-
security requirements of the product shall be in accordance with the requirements of the
security label protection level specified in GB 17859-1999. The security assurance
requirements of the product cover all stages of the product from development to
application, in accordance with the requirements of EAL Level 4 specified in GB/T
18336.3-2008; on this basis, the vulnerability analysis requirement is raised so that the
product is able to resist attacks initiated by an attacker with medium attack capability.
5.2 Level Classification
The level classification of network vulnerability scanners is shown in Tables 1, 2 and
3. The level assessment of network vulnerability scanners is obtained
comprehensively in accordance with these three tables; the network vulnerability
scanners in acco...