
GB/T 20278-2013 English PDF (GB/T 20278-2022 Newer Version)

GB/T 20278-2013 (GB/T20278-2013, GBT 20278-2013, GBT20278-2013)
Standard ID | Contents [version] | USD | PDF delivered in | Standard Title (Description) | Status
GB/T 20278-2022 | English | 1239 | 8 days [Need to translate] | Information security technology - Security technical requirements and testing assessment approaches for network vulnerability scanners | Valid
GB/T 20278-2013 | English | 125 | 0--9 seconds, auto-delivery | Information security technology - Security technical requirements for network vulnerability scanners | Obsolete
GB/T 20278-2006 | English | 919 | 6 days [Need to translate] | The technical requirements of the information security technology for network vulnerability scanning products | Obsolete

BASIC DATA
Standard ID GB/T 20278-2013 (GB/T20278-2013)
Description (Translated English) Information security technology - Security technical requirements for network vulnerability scanners
Sector / Industry National Standard (Recommended)
Classification of Chinese Standard L80
Classification of International Standard 35.040
Word Count Estimation 42,486
Older Standard (superseded by this standard) GB/T 20278-2006
Quoted Standard GB 17859-1999; GB/T 18336.3-2008; GB/T 25069-2010
Drafting Organization Computer Information System Security Product Quality Supervision and Inspection Center of the Ministry of Public Security
Administrative Organization National Standardization Technical Committee for Information Security
Regulation (derived from) National Standards Bulletin 2013 No. 27
Proposing organization National Information Security Standardization Technical Committee (SAC/TC 260)
Issuing agency(ies) General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China, Standardization Administration of the People's Republic of China
Summary This standard specifies the security function requirements, self-security requirements and security assurance requirements of network vulnerability scanners, and classifies their levels in accordance with the different security technical requirements for netwo


GB/T 20278-2022 Information security technology - Security technical requirements and testing assessment approaches for network vulnerability scanners

ICS 35.030
CCS L80
National Standard of the People's Republic of China
Replacing GB/T 20278-2013, GB/T 20280-2006

Information Security Technology - Network Vulnerability Scanning Products - Security Technical Requirements and Test Evaluation Methods

Published on 2022-03-09
Implemented on 2022-10-01
Issued by the State Administration for Market Regulation and the National Standardization Administration

Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Network vulnerability scanning product description
6 Security technical requirements
6.1 Overview
6.2 Basic level security requirements
6.3 Enhanced level security requirements
7 Test evaluation methods
7.1 Test environment
7.2 Test tools
7.3 Basic level test evaluation method
7.4 Enhanced level test evaluation method
Bibliography

Foreword
This document was drafted in accordance with the provisions of GB/T 1.1-2020 "Guidelines for Standardization Work - Part 1: Structure and Drafting Rules of Standardization Documents".

This document replaces GB/T 20278-2013 "Information Security Technology - Security Technical Requirements for Network Vulnerability Scanners" and GB/T 20280-2006 "Information Security Technology - Testing and Evaluation Methods for Network Vulnerability Scanning Products". Compared with GB/T 20278-2013, in addition to structural adjustments and editorial changes, the main technical changes are as follows:
a) Added "Network vulnerability scanning product description" (see Chapter 5);
b) Added the requirement "scanning message identification" (see 6.2.1.5.3 and 6.3.1.5.3);
c) Added the requirement "concurrent scanning" (see 6.2.1.7 and 6.3.1.7);
d) Added the requirement "supporting system security" (see 6.2.2.4 and 6.3.2.5);
e) Added the requirement "communication confidentiality" (see 6.3.2.4);
f) Added "Environmental adaptability requirements (if applicable)", which mainly clarifies the product's ability to support IPv6, including the ability to scan in a pure IPv6 network environment, self-management in an IPv6 network environment, and dual protocol stack requirements (see 6.2.3 and 6.3.3);
g) Added "Test evaluation methods" (see Chapter 7);
h) Deleted the requirement "scanning IP address restrictions" (see 8.1.8 of the 2013 edition);
i) Deleted the requirement "ease of use" (see 8.2.2.2 of the 2013 edition);
j) Revised "Content of vulnerability scanning", rearranging the 15 scanning requirements of the original standard into 5 types of scanning requirements (see 6.2.1.2 and 6.3.1.2; 7.1.2 of the 2013 edition); at the enhanced level, scanning requirements for cloud environments and industrial control equipment as target objects are also added (see 6.3.1.2.6 and 6.3.1.2.7);
k) Revised the "security assurance requirements" at each level (see 6.2.4 and 6.3.4; 7.3 and 8.3 of the 2013 edition).

Please note that some content of this document may be subject to patents. The issuing body of this document assumes no responsibility for identifying patents.

This document was proposed by and is under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC 260).

Drafting organizations of this document: The Third Research Institute of the Ministry of Public Security, Beijing Shenzhou Lvmeng Technology Co., Ltd., Netsun Information Technology (Beijing) Co., Ltd., Beijing Tianrongxin Network Security Technology Co., Ltd., Qixingchen Information Technology Group Co., Ltd., Shanghai International Technology and Trade Co., Ltd., China Network Security Review Technology and Certification Center, Xi'an Jiaotong University Jabil Network Technology Co., Ltd., Beijing Zhongke Wangwei Information Technology Co., Ltd., Shanghai Information Security Evaluation and Certification Center, Computer and Microelectronics Development Research Center of the Ministry of Industry and Information Technology (China Software Review Testing Center), New H3C Technology Co., Ltd., China Electronics Technology Group Corporation 15th Research Institute (Information Industry Information Security Evaluation Center), National Industrial Information Security Development Research Center, Shaanxi Provincial Network and Information Security Evaluation Center, State Grid Xinjiang Electric Power Co., Ltd. Electric Power Research Institute, Institute of Information Engineering of the Chinese Academy of Sciences, Information and Communication Research Institute of China Electric Power Research Institute Co., Ltd., China Academy of Information and Communication Technology, Yuanjiang Shengbang (Beijing) Network Security Technology Co., Ltd., Beijing Tonghe Beneficial Telecommunications Science and Technology Research Institute Co., Ltd., Shanghai Douxiangxin Information Technology Co., Ltd., Shenzhen Liansoft Technology Co., Ltd., and Beijing Zhichuangyu Information Technology Co., Ltd.

Main drafters of this document: Gu Jianxin, Song Haohao, Lu Zhen, Gu Jian, Shen Liang, Yin Hang, Chen Xinyu, Xiong Yi, Qin Lan, Cao Ning, Shen Yongbo, He Jianfeng, Song Wei, Xu Tonghai, Guo Yongzhen, Yang Hongqi, Liu Jian, Liu Zhiyao, Ju Tengfei, Li Mingxuan, Chen Jia, Yan Zhaoteng, Yan Minhui, Xu Zixian, Yu Zhongchen, Wen Lei, Xie Chen, Hou Jun, and Cui Zhao.

The previous versions of this document and the documents it replaces are as follows:
- First published in 2006 as GB/T 20278-2006; first revised in 2013;
- This is the second revision, which incorporates GB/T 20280-2006 "Information Security Technology - Testing and Evaluation Methods for Network Vulnerability Scanning Products".

Information Security Technology - Network Vulnerability Scanning Products - Security Technical Requirements and Test Evaluation Methods

1 Scope
This document specifies the security technical requirements and test evaluation methods for network vulnerability scanning products.
This document applies to the design, development and testing of vulnerability scanning products.

2 Normative references
The contents of the following documents constitute essential provisions of this document through normative references in the text. For dated references, only the version corresponding to that date applies to this document; for undated references, the latest edition (including all amendments) applies to this document.
GB/T 25069 Information security technology - Terminology

3 Terms and definitions
The terms and definitions given in GB/T 25069 and the following apply to this document.
3.1 scan
The process of using technical tools to detect the target system and find the security weaknesses in it.
3.2
Remotely detecting the security weaknesses of the target system through the network, inspecting and analyzing its security vulnerabilities so as to find the security weaknesses that may be exploited by intruders, and proposing some preventive and remedial measures.
3.3 banner
A piece of information sent by an application. Note: it usually includes information such as a welcome message, the application name and the version.
3.4 supporting system
The operating system on which the network vulnerability scanning device runs.

4 Abbreviations
The following abbreviations apply to this document.
GB/T 20278-2013
GB NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 20278-2006

Information Security Technology - Security Technical Requirements for Network Vulnerability Scanners

ISSUED ON: DECEMBER 31, 2013
IMPLEMENTED ON: JULY 15, 2014
Issued by: General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China; Standardization Administration of the People's Republic of China.

Table of Contents
1 Scope
2 Normative References
3 Terms and Definitions
4 Abbreviations
5 Level Classification of Network Vulnerability Scanners
5.1 Description of Level Classification
5.2 Level Classification
6 Service Environment
7 Security Technical Requirements for Basic-level
7.1 Security Function Requirements
7.2 Self-security Requirements
7.3 Security Assurance Requirements
8 Security Technical Requirements for Enhanced-level
8.1 Security Function Requirements
8.2 Self-security Requirements
8.3 Security Assurance Requirements

Foreword
This Standard was drafted according to the rules given in GB/T 1.1-2009.
This Standard replaces GB/T 20278-2006 "Information Security Technology - Technique Requirement for Network Vulnerability Scanners". The main differences between this Standard and GB/T 20278-2006 are as follows:
- The name of the standard was changed to "Information Security Technology - Security Technical Requirements for Network Vulnerability Scanners";
- The definition of "network vulnerability scan" was modified (see 3.3);
- "vulnerability of NIS service" was deleted (see 7.3.1.8 of the 2006 edition);
- "vulnerability of database" was deleted (see 7.3.1.18 of the 2006 edition);
- "RPC port" was deleted (see 7.3.4.1 of the 2006 edition);
- "NI service" was deleted (see 7.3.4.5 of the 2006 edition);
- "alarm function" was deleted (see 7.4.4.1 of the 2006 edition);
- "installation and operation control" was deleted (see 7.5 of the 2006 edition);
- "interaction with IDS product", "interaction with firewall product" and "interaction with other application programs" were deleted (see 7.7.4.2, 7.7.4.3, 7.7.7.4 and 8 of the 2006 edition);
- "performance requirements" was deleted;
- The requirement for upgrading security measures during product upgrading was added;
- The function of comparison and analysis between scanning results was added;
- Authentication data protection, authentication failure handling, timeout locking or logout, remote management and other functions were added to the self-security requirements of the product;
- The overall structure of this Standard was adjusted; it is now organized by product security function requirements, self-security requirements and security assurance requirements; in addition, the requirement items for product self-security were detailed, and the contents of the audit function requirements were defined.

This Standard was proposed by and shall be under the jurisdiction of the National Technical Committee on Information Technology Security of the Standardization Administration of China (SAC/TC 260).
Certain content of this document may involve patents. The issuing organization of this Standard shall not undertake the responsibility of identifying these patents.
Drafting organizations of this Standard: Quality Supervision Testing Center of the Ministry of Public Security for Computer Information System Security Products, Venustech Information & Technology Co., Ltd. and Netpower Information & Technology Co., Ltd.
Chief drafters of this Standard: Gu Jianxin, Lu Zhen, Yu You, Gu Jian, Zhao Ting, Wang Zhijia, Wang Honghong and Ming Xu.

Information Security Technology - Security Technical Requirements for Network Vulnerability Scanners

1 Scope
This Standard specifies the security function requirements, self-security requirements and security assurance requirements of network vulnerability scanners, and classifies their levels according to the different security technical requirements for network vulnerability scanners.
This Standard is applicable to the development, production and testing of network vulnerability scanners.

2 Normative References
The following documents are essential for the application of this document. For dated references, only the dated editions apply to this document. For undated references, the latest editions (including amendments) apply to this document.
GB 17859-1999 Classified Criteria for Security Protection of Computer Information System
GB/T 18336.3-2008 Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 3: Security Assurance Requirements
GB/T 25069-2010 Information Security Technology - Glossary

3 Terms and Definitions
For the purpose of this Standard, the terms and definitions specified in GB 17859-1999 and GB/T 25069-2010 as well as the following ones apply.
3.1 Scan
The process of using technical tools to detect the security risks that exist in a target system.
3.2 Vulnerability
A weakness in a network system that may be exploited and cause harm.
3.3 Network vulnerability scan
Remotely detecting a target system for security risks through the network, inspecting and analyzing its security vulnerabilities so as to find the security loopholes that may be utilized by an intruder, and recommending some preventative and remedial measures.
3.4 Banner
A piece of information sent by an application program, generally including a welcome message, the application name and version, etc.

4 Abbreviations
For the purpose of this Standard, the following abbreviations apply.
CGI: Common Gateway Interface
CVE: Common Vulnerabilities and Exposures
DNS: Domain Name System
DoS: Denial of Service
FTP: File Transfer Protocol
IP: Internet Protocol
NETBIOS: NETwork Basic Input Output System
NFS: Network File System
POP3: Post Office Protocol 3
RPC: Remote Procedure Call
SMB: Server Message Block
SMTP: Simple Mail Transfer Protocol
SNMP: Simple Network Management Protocol
TCP: Transmission Control Protocol
UDP: User Datagram Protocol

5 Level Classification of Network Vulnerability Scanners
5.1 Description of Level Classification
5.1.1 Basic-level
This level specifies the basic functional requirements for network vulnerability scanners. It limits the use of product functions and controls data access through user identification and identity authentication, giving the product autonomous security protection capability, ensuring that the network vulnerability scanner can operate normally, and providing an audit function so that the operations of administrators and scanning events are traceable. It provides basic analysis and processing capability for the scanning results obtained from the scanning information and generates reports. Its self-security requirements shall be in accordance with the relevant requirements of the system audit protection level in GB 17859-1999, and its security assurance requirements shall be in accordance with the requirements of EAL 2 specified in GB/T 18336.3-2008.
5.1.2 Enhanced-level
Network vulnerability scanners of this level not only meet all the aforesaid basic-level requirements, but also further divide the security management roles so as to refine the control of product management rights; in addition, input and output as well as comparison of scanning results, scanning with a known account and password, upgrading security measures, IP address scanning restrictions, interactivity requirements, audit storage security and other contents are added, making the functional requirements of the product more complete and its use more convenient. The self-security requirements of the product shall be in accordance with the requirements of the security label protection level specified in GB 17859-1999; the security assurance requirements of the product cover all stages of the product from development to application, in accordance with the requirements of EAL 4 specified in GB/T 18336.3-2008, and on this basis the vulnerability analysis requirement is raised so that the product can resist attacks initiated by an attacker with medium attack capability.
5.2 Level Classification
The level classification of network vulnerability scanners is shown in Tables 1, 2 and 3. The level assessment of network vulnerability scanners is obtained comprehensively in accordance with these three tables; the network vulnerability scanners in acco... ......