GB/T 20278-2013 (GBT20278-2013)


BASIC DATA
Standard ID: GB/T 20278-2013 (GB/T20278-2013)
Description (Translated English): Information security technology - Security technical requirements for network vulnerability scanners
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 42,486
Older Standard (superseded by this standard): GB/T 20278-2006
Quoted Standards: GB 17859-1999; GB/T 18336.3-2008; GB/T 25069-2010
Drafting Organization: Computer Information System Security Product Quality Supervision and Inspection Center of the Ministry of Public Security
Administrative Organization: National Standardization Technical Committee for Information Security
Regulation (derived from): National Standards Bulletin 2013 No. 27
Proposing Organization: National Information Security Standardization Technical Committee (SAC/TC 260)
Issuing Agency(ies): General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China; Standardization Administration of the People's Republic of China
Summary: This standard specifies the security function requirements, self-security requirements and security assurance requirements of network vulnerability scanning products, and in accordance with the different security technical requirements for netwo

GB/T 20278-2013
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 20278-2006
Information Security Technology - Security
Technical Requirements for Network
Vulnerability Scanners
ISSUED ON: DECEMBER 31, 2013
IMPLEMENTED ON: JULY 15, 2014
Issued by: General Administration of Quality Supervision, Inspection and
Quarantine of the People's Republic of China;
Standardization Administration of the People's Republic of
China.
Table of Contents
1 Scope ... 5 
2 Normative References ... 5 
3 Terms and Definitions ... 5 
4 Abbreviations ... 6 
5 Level Classification of Network Vulnerability Scanners ... 7 
5.1 Description of Level Classification... 7 
5.2 Level Classification ... 7 
6 Service Environment ... 10 
7 Security Technical Requirements for Basic-level ... 11 
7.1 Security Function Requirements ... 11 
7.2 Self-security Requirements ... 17 
7.3 Security Assurance Requirements ... 19 
8 Security Technical Requirements for Enhanced-level ... 23 
8.1 Security Function Requirements ... 23 
8.2 Self-security Requirements ... 31 
8.3 Security Assurance Requirements ... 34 
Foreword
This Standard was drafted according to the rules in GB/T 1.1-2009.
This Standard replaces GB/T 20278-2006 "Information Security Technology - Technique
Requirement for Network Vulnerability Scanners". The main differences between this
Standard and GB/T 20278-2006 are as follows:
- The name of the standard was changed to "Information Security Technology -
Security Technical Requirements for Network Vulnerability Scanners";
- The definition of "network vulnerability scan" was modified (see 3.3);
- "vulnerability of NIS service" (see 7.3.1.8 of 2006-edition) was deleted;
- "vulnerability of database" was deleted (see 7.3.1.18 of 2006-edition);
- "RPC port" was deleted (see 7.3.4.1 of 2006-edition);
- "NI service" was deleted (see 7.3.4.5 of 2006-edition);
- "alarm function" was deleted (see 7.4.4.1 of 2006-edition);
- "installation and operation control" was deleted (see 7.5 of 2006-edition);
- "interaction with IDS product", "interaction with firewall product" and "interaction with
other application programs" were deleted (see 7.7.4.2, 7.7.4.3, 7.7.7.4 and 8 of
2006-edition);
- "performance requirements" were deleted;
- The requirement of upgrading security measures during product upgrading was
added;
- The function of comparison and analysis between scanning results was added;
- Authentication data protection, authentication failure handling, timeout locking or
logout, remote management and other functions were added in the self-security
requirements of product;
- The integral structure of this Standard was adjusted; it is described according to
the product security function requirements, self-security requirements and security
assurance requirements; in addition, the requirement items of product self-security
were detailed, and the contents of audit function requirements were defined.
This Standard was proposed by and shall be under the jurisdiction of National
Technical Committee on Information Technology Security of Standardization
Administration of China (SAC/TC 260).
Certain content of this document may involve patents. The issuing organization of this
Standard shall not undertake the responsibility of identifying these patents.
Drafting organizations of this Standard: Quality Supervision Testing Center of Ministry
of Public Security for Computer Information System Security Products, Venustech
Information & Technology Co., Ltd. and Netpower Information & Technology Co., Ltd.
Chief drafters of this Standard: Gu Jianxin, Lu Zhen, Yu You, Gu Jian, Zhao Ting, Wang
Zhijia, Wang Honghong and Ming Xu.
Information Security Technology - Security Technical
Requirements for Network Vulnerability Scanners
1 Scope
This Standard specifies the security function requirements, self-security requirements
and security assurance requirements of network vulnerability scanners, and classifies
their levels according to different security technical requirements for network
vulnerability scanners.
This Standard is applicable to the development, production and detection of network
vulnerability scanners.
2 Normative References
The following documents are essential for the application of this document. For the
dated references, only the dated editions apply to this document. For undated
references, the latest editions (including amendments) apply to this document.
GB 17859-1999 Classified Criteria for Security Protection of Computer Information System
GB/T 18336.3-2008 Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 3: Security Assurance Requirements
GB/T 25069-2010 Information Security Technology - Glossary
3 Terms and Definitions
For the purpose of this Standard, the terms and definitions specified in GB 17859-1999
and GB/T 25069-2010 as well as the following ones apply.
3.1
Scan
The process of using technical tools to detect the security risks that exist in a target
system.
3.2
Vulnerability
A weakness in a network system that may be exploited and cause harm.
3.3
Network vulnerability scan
Remotely detecting the security risks of a target system through the network, inspecting
and analyzing its security vulnerabilities so as to find the security loopholes that may be
used by an intruder, and recommending preventative and remedial measures.
3.4
Banner
A piece of information sent by an application program, generally including a welcome
message, the application name and version, etc.
4 Abbreviations
For the purpose of this Standard, the following abbreviations apply.
CGI: Common Gateway Interface
CVE: Common Vulnerabilities and Exposures
DNS: Domain Name System
DoS: Denial of Service
FTP: File Transfer Protocol
IP: Internet Protocol
NETBIOS: Network Basic Input Output System
NFS: Network File System
POP3: Post Office Protocol 3
RPC: Remote Procedure Call
SMB: Server Message Block
SMTP: Simple Mail Transfer Protocol
SNMP: Simple Network Management Protocol
TCP: Transmission Control Protocol
UDP: User Datagram Protocol
5 Level Classification of Network Vulnerability Scanners
5.1 Description of Level Classification
5.1.1 Basic-level
This level specifies the basic functional requirements for network vulnerability scanners.
It limits the use of product functions and controls data access through user identification
and identity authentication, so that the product has autonomous security protection
capability and the network vulnerability scanner can operate normally; it also provides an
audit function so that the operation behaviors of administrators and scanning events are
traceable. It provides basic analysis and processing capability for the scanning results
obtained from the scanning information, and generates reports. Its self-security
requirements shall comply with the relevant requirements of the system audit protection
level in GB 17859-1999, and its security assurance requirements shall comply with the
requirements of EAL 2 specified in GB/T 18336.3-2008.
5.1.2 Enhanced-level
Network vulnerability scanners of this level not only meet all the basic-level
requirements above, but also further divide the security management roles so as to
refine the control of product management rights. In addition, the following contents are
added: input and output as well as comparison of scanning results, scanning under a
known account number / password, security measures for product upgrading, IP address
scanning restriction, interactivity requirements, audit storage security and others, making
the functional requirements of the product more complete and its use more convenient.
The self-security requirements of the product shall comply with the requirements of the
security label protection level specified in GB 17859-1999. The security assurance
requirements of the product cover all stages of the product from development to
application, in accordance with the requirements of EAL 4 specified in GB/T
18336.3-2008, and on this basis raise the vulnerability analysis requirement so that the
product can resist attacks initiated by an attacker with medium attack capability.
5.2 Level Classification
The level classification of network vulnerability scanners is shown in Tables 1, 2 and
3. The level assessment of a network vulnerability scanner is obtained
comprehensively in accordance with these three tables; the network vulnerability
scanners in acco...
...