Search result: GB/T 20279-2024 (GB/T 20279-2015 Older version)
| Standard ID | Contents [version] | USD | STEP2 | [PDF] delivered in | Standard Title (Description) | Status | PDF |
|---|---|---|---|---|---|---|---|
| GB/T 20279-2024 | English | 999 | Add to Cart | 7 days [Need to translate] | Cybersecurity technology - Technical specification for network and terminal separation products | Valid | GB/T 20279-2024 |
| GB/T 20279-2015 | English | 135 | Add to Cart | 0--9 seconds. Auto-delivery | Information security technology -- Security technical requirements of network and terminal separation products | Valid | GB/T 20279-2015 |
| GB/T 20279-2006 | English | RFQ | ASK | 9 days [Need to translate] | Information security technology - Security technical requirements for network and terminal equipment isolation components | Obsolete | GB/T 20279-2006 |
| Field | Value |
|---|---|
| Standard ID | GB/T 20279-2024 (GB/T20279-2024) |
| Description (Translated English) | Cybersecurity technology - Technical specification for network and terminal separation products |
| Sector / Industry | National Standard (Recommended) |
| Classification of Chinese Standard | L80 |
| Classification of International Standard | 35.030 |
| Word Count Estimation | 50,576 |
| Date of Issue | 2024-09-29 |
| Date of Implementation | 2025-04-01 |
| Older Standard (superseded by this standard) | GB/T 20279-2015, GB/T 20277-2015 |
| Issuing agency(ies) | State Administration for Market Regulation, National Standardization Administration |
GB/T 20279-2024: Cybersecurity technology - Technical specification for network and terminal separation products
ICS 35.030
CCS L80
National Standard of the People's Republic of China
Replaces GB/T 20279-2015, GB/T 20277-2015
Cybersecurity technology - Technical specification for network and terminal separation products
Implemented on 2025-04-01
Issued by the State Administration for Market Regulation and the National Standardization Administration
Table of Contents
Preface III
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
4 Abbreviations 2
5 General 3
6 Security technical requirements 5
6.1 Security function requirements 5
6.2 Self-security requirements 9
6.3 Performance requirements 10
6.4 Security assurance requirements 11
7 Evaluation methods 13
7.1 Security function evaluation 13
7.2 Self-security evaluation 23
7.3 Performance evaluation 26
7.4 Security assurance evaluation 26
Appendix A (Normative) Classification of network and terminal isolation products and level classification of security technical requirements 33
Appendix B (Normative) Classification of network and terminal isolation products and level classification of evaluation methods 39
Preface
This document was drafted in accordance with GB/T 1.1-2020 "Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents".
This document replaces GB/T 20279-2015 "Information security technology - Security technical requirements of network and terminal isolation products" and GB/T 20277-2015 "Information security technology - Testing and evaluation methods for network and terminal isolation products". Compared with GB/T 20279-2015 and GB/T 20277-2015, in addition to structural adjustments and editorial changes, the main technical changes are as follows:
--- Changed the product classification of network isolation products (see Chapter 5; Chapter 4 of the GB/T 20279-2015 edition);
--- Added general rules (see Chapter 5);
--- Changed the information flow control policy requirements (see 6.1.1.1; 5.2.2.1.1.1, 5.2.2.2.1.1,
--- Changed the information flow control function requirements (see 6.1.1.2; 5.2.2.1.1.2, 5.2.2.2.1.2,
--- Added application and protocol support requirements (see 6.1.2);
--- Added information filtering requirements (see 6.1.3);
--- Changed the anti-attack requirements to attack protection requirements (see 6.1.5; 5.2.2.1.2, 5.2.2.2.2, 5.2.3.1.2 and 5.2.3.2.2 of the GB/T 20279-2015 edition);
--- Changed the domain isolation requirements to security isolation requirements (see 6.1.6; 5.2.2.1.6, 5.2.2.2.6, 5.2.3.1.6 and 5.2.3.2.6 of the GB/T 20279-2015 edition);
--- Changed the fault tolerance requirements to high availability requirements (see 6.1.7; 5.2.2.1.7, 5.2.2.2.7 and 5.2.3.2.7 of the GB/T 20279-2015 edition);
--- Added linkage requirements (see 6.1.10);
--- Changed the environmental adaptability requirements to IPv6 support requirements (see 6.1.11; 5.4 of the GB/T 20279-2015 edition);
--- Added virtualization deployment requirements (see 6.1.12);
--- Added self-security requirements (see 6.2);
--- Changed the performance requirements (see 6.3; 5.5 of the GB/T 20279-2015 edition);
--- Changed the security assurance requirements (see 6.4; 5.3 of the GB/T 20279-2015 edition);
--- Added the classification of network and terminal isolation products and the level classification of security technical requirements (see Appendix A);
--- Added the classification of network and terminal isolation products and the level classification of evaluation methods (see Appendix B).
Please note that some of the contents of this document may involve patents. The issuing organization of this document does not assume responsibility for identifying patents.
This document was proposed by and is under the jurisdiction of the National Cybersecurity Standardization Technical Committee (SAC/TC260).
This document was drafted by: the Third Research Institute of the Ministry of Public Security, the National Industrial Information Security Development Research Center, China Cybersecurity Review and Certification and Market Supervision Big Data Center, China Electronics Technology Standardization Institute, Beijing Topsec Network Security Technology Co., Ltd., Beijing Anmeng Information Technology Co., Ltd., Zhongfu Information Co., Ltd., Tsinghua University, Shenzhen Lipu Information Technology Co., Ltd., Venusstar Information Technology Group Co., Ltd., Zhuhai Special Economic Zone Weisi Co., Ltd., Torui Tianxing Network Security Information Technology Co., Ltd., Qi'anxin Network Shen Information Technology (Beijing) Co., Ltd., Institute of Software, Chinese Academy of Sciences, First Research Institute of the Ministry of Public Security, Tencent Cloud Computing (Beijing) Co., Ltd., Xi'an Jiaotong University Jabil Network Technology Co., Ltd., Beijing Shuanxing Technology Co., Ltd., Shandong Shouhan Information Technology Co., Ltd., Changyang Technology (Beijing) Co., Ltd., Zhengzhou Xindajiean Information Technology Co., Ltd., H3C Technologies Co., Ltd., State Grid Blockchain Technology (Beijing) Co., Ltd., Blue Shield Information Security Technology Co., Ltd., Guangzhou Tianmao Information System Co., Ltd., China Southern Power Grid Electric Power Technology Co., Ltd., China Electronics Technology Network Security Technology Co., Ltd., Nanjing Shenyi Network Technology Co., Ltd., Blue Elephant Standard (Beijing) Technology Co., Ltd., Hangzhou Lingxin Digital Information Technology Co., Ltd., and Chengdu Saibo Security Technology Development Co., Ltd.
The main drafters of this document are: Lu Zhen, Zhu Guobang, Li Xuan, Gu Jian, Gu Jianxin, Shen Liang, An Gaofeng, Liu Zhifei, Ma Ao, Yang Chen, Sun Yan, Zhang Dongju, Wang Chonghua, Shen Yongbo, Shen Wenjie, Jiang Jun, Lu Wenli, Jiao Mengmeng, Zuo Anji, Zhang Xiyu, Lu Dongliang, Yan Min, Yang Chunhua, Hu Weina, Wang Luhan, Zhang Lingyun, Qiao Huayang, Yu Guo, Liu Yuhong, Yang Geng, Zhao Hua, Liu Weihua, He Jianfeng, Shi Zhuyu, Jiao Shaobo, Wan Xiaolan, Li Shiqi, Chang Yuanyuan, Liu Qiang, Zou Kai, Lin Di, Li Kepeng, Han Xiude, Zhang Dawei, Zhao Huimin, Qian Yunjie, Ding Wensuo, Yang Wei, Zhang Zhenyu, Lin Dansheng, Li Huimin and Guo Aibo.
The previous versions of this document and of the documents it replaces are as follows:
--- GB/T 20279, first issued in 2006 and first revised in 2015;
--- GB/T 20277, first issued in 2006 and first revised in 2015;
--- This is the second revision.
Cybersecurity technology - Technical specification for network and terminal separation products
1 Scope
This document specifies the classification, grading, security technical requirements and evaluation methods of network and terminal isolation products.
This document applies to the design, development and testing of network and terminal isolation products.
2 Normative references
The following documents are referred to in this document in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies to this document; for undated references, the latest edition (including all amendments) applies to this document.
GB/T 18336.3-2024 Cybersecurity technology - Evaluation criteria for IT security - Part 3: Security assurance components
GB/T 25069-2022 Information security technology - Terminology
GB/T 30279-2020 Information security technology - Guidelines for the classification and grading of network security vulnerabilities
GB 42250-2022 Information security technology - Security technical requirements for network security products
3 Terms and definitions
The terms and definitions defined in GB/T 18336.3-2024, GB/T 25069-2022, GB/T 30279-2020 and GB 42250-2022, as well as the following, apply to this document.
3.1
security domain
A collection of assets and resources that are subject to a common security policy.
[Source: GB/T 25069-2022, 3.36]
3.2
physical disconnection
A technology that uses physical methods to ensure that different security domains cannot be connected directly or indirectly.
Note: Physical disconnection of different security domains includes disconnection in both physical conduction and physical storage.
3.3
protocol conversion
A technology that extracts application data from network-based public protocols and encapsulates it into a system-specific private protocol for data transmission.
3.4
information ferry
A data transmission technology in which information is first transmitted from the security domain of the information source to an intermediate cache area, and then from the intermediate cache area to the security domain of the information destination.
Note: At any one time, the intermediate cache area is connected to only one security domain.
......
GB/T 20279-2015
GB
NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 20279-2006
Information Security Technology - Security Technical Requirements of Network and Terminal Separation Products
ISSUED ON: MAY 15, 2015
IMPLEMENTED ON: JANUARY 1, 2016
Issued by: General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China; Standardization Administration of the People's Republic of China.
Table of Contents
1 Scope ... 4
2 Normative References ... 4
3 Terms and Definitions ... 4
4 Description of Network and Terminal Separation Products ... 6
5 Security Technical Requirements ... 9
5.1 Overall Description ... 9
5.1.1 Classification of Security Technical Requirements ... 9
5.1.2 Security Level ... 9
5.2 Security Function Requirements ... 10
5.2.1 Terminal Separation Products... 10
5.2.2 Network Separation Product ... 13
5.2.3 Network Unilateral Transmission Product ... 30
5.3 Security Assurance Requirements ... 45
5.3.1 Requirements for Basic-level ... 45
5.3.2 Requirements for Enhanced-level ... 49
5.4 Environmental Adaptation Requirements ... 57
5.4.1 Next generation internet Support (if any) ... 57
5.4.2 Support IPv6 Transition Network Environment (optional) ... 58
5.5 Performance Requirements ... 59
5.5.1 Exchange Rate ... 59
5.5.2 Hardware Switching Time ... 59
Bibliography ... 60
Foreword
This Standard was drafted according to the rules specified in GB/T 1.1-2009.
Please note that some contents of this document may involve patents. The issuing organization of this Standard does not undertake the responsibility to identify these patents.
This Standard replaces GB/T 20279-2006 "Information Security Technology - Security Techniques Requirements of Separation Components of Network and Terminal Equipment".
The main differences between this Standard and GB/T 20279-2006 are as follows:
- The products were classified into terminal separation products, network separation products and network unilateral transmission products;
- The products were uniformly divided into basic-level and enhanced-level;
- Descriptions of terminal separation products, network separation products and network unilateral transmission products were added;
- The requirement for the capability of supporting the next generation internet protocol was added;
- The basic principles of the technical requirements were added in an appendix, including the basic principles of security function requirements and the basic principles of security assurance requirements.
This Standard was proposed by and shall be under the jurisdiction of the National Technical Committee on Information Technology Security of the Standardization Administration of China (SAC/TC 260).
Drafting organizations of this Standard: Quality Supervision Testing Center of Computer Information System Security Products of the Ministry of Public Security, Zhuhai Victory Idea Co., Ltd., Nanjing Shenyi Network Technology Co., Ltd. and the Third Research Institute of the Ministry of Public Security.
Chief drafters of this Standard: Lu Zhen, Gu Jian, Yu You, Li Xuan, Deng Qi, Zuo Anji, Lu Wenli and Liu Bin.
Information Security Technology - Security Technical Requirements of Network and Terminal Separation Products
1 Scope
This Standard specifies the security function requirements, security assurance
requirements, environmental adaptation requirements and performance requirements
of network and terminal separation products.
This Standard is applicable to the design, development and test of network and
terminal separation products.
2 Normative References
The following documents are essential for the application of this document. For dated references, only the dated editions apply to this document. For undated references, the latest editions (including amendments) apply to this document.
GB 17859-1999 Classified Criteria for Security Protection of Computer Information System
GB/T 18336.3-2008 Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 3: Security Assurance Requirements
GB/T 25069-2010 Information Security Technology - Glossary
3 Terms and Definitions
For the purpose of this Standard, the following terms and definitions as well as those
defined in GB 17859-1999 and GB/T 25069-2010 apply.
3.1
Security domain
The computer or network area with the same security protection demand and security
policy.
3.2
Physical disconnection
The case that the networks in different security domains cannot be directly or indirectly
connected.
Note. In one physical network environment, the physical disconnection of networks in different
security domains shall technically ensure disconnection of information in physical transmission
and physical storage.
3.3
Protocol conversion
The separation and re-establishment of a protocol: at the end of the separation product located in one security domain, the application data is separated from the network-based common protocol and packaged into a special system protocol for transmission to the end of the separation product in the other security domain, where the special protocol is separated again and the data is packaged into the required format.
3.4
Protocol separation
The networks in different security domains are physically connected, but protocol conversion ensures that the protected information is logically separated, and only information with the limited content required by the system for transmission may pass through.
3.5
Information ferry
A mode of information exchange in which a physical transmission channel exists only during transmission.
Note: During data transmission, the information is first transmitted to the middle cache while the connection between the middle cache and the security domain of the information destination is cut; the transmission channel between the middle cache and the security domain of the information destination is then connected, the information is transmitted to the security domain of the information destination, and the connection between the security domain of the information source and the middle cache is physically cut. The middle cache is connected with the security domain at only one end at any one time.
3.6
Unilateral transmission unit
A pair of transmission units with a physically unilateral transmission characteristic. The pair consists of independent sending and receiving units that can only work in simplex mode: the sending unit has only a sending function and the receiving unit has only a receiving function. Together they form a credible unilateral channel that is free from any feedback information.
3.7
Terminal separation product
A security separation card or security separation computer which connects two different security domains simultaneously and achieves physical separation of the security domains by adopting physical disconnection technology.
3.8
Network separation product
A product placed between two different security domains which achieves security separation of the security domains and information exchange over the network by adopting protocol separation technology.
3.9
Network unilateral transmission product
The only channel between two different security domains, which achieves physically unilateral transmission of structured information and ensures that only information the security policy permits for transmission may pass through, without any data transmission or feedback in the opposite direction.
4 Description of Network and Terminal Separation Products
According to form and function, network and terminal separation products may be classified into terminal separation products, network separation products and network unilateral transmission products. Their purpose is to establish security control points between different network terminals and network security domains, so as to provide controllable access services among different network terminals and network security domains. In addition, the protocol stack of network and terminal separation products for the next generation Internet network environment shall not only support IPv4 technology, but also I...
......
GB/T 20279-2006
Information security technology - Security technical requirements for network and terminal equipment isolation components
ICS 35.040
L80
National Standard of the People's Republic of China
Information security technology
Security technical requirements for network and terminal equipment isolation components
Issued on 2006-05-31
Implemented on 2006-12-01
Issued by the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China and the Standardization Administration of China
Contents
Foreword III
Introduction IV
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
4 Security environment 2
4.1 Physical aspects 2
4.2 Personnel 2
4.3 Connectivity 2
5 Security technical requirements by isolation component classification 2
5.1 Physical disconnection isolation component 2
5.1.1 Basic level requirements 2
5.1.2 Enhanced level requirements 4
5.2 One-way isolation component 7
5.2.1 Basic level requirements 7
5.2.2 Enhanced level requirements 8
5.3 Protocol isolation component 11
5.3.1 Level 1 11
5.3.2 Level 2 13
5.3.3 Level 3 18
5.4 Gatekeeper isolation component 23
5.4.1 Level 1 23
5.4.2 Level 2 26
5.4.3 Level 3 30
References 37
Foreword
This standard was proposed by and is under the jurisdiction of the National Information Security Standardization Technical Committee.
This standard was drafted by: the Computer Information System Security Product Quality Supervision and Inspection Center of the Ministry of Public Security.
The main drafters of this standard: Zhu Jianping, Lu Yi, Shen Liang, Qiu Yihua, Zhang Wei, Zhang Xiaoxiao, Gu Yu, Shen Tao, Zhao Ting, Zou Chunming, Gu Jian.
Introduction
This standard is an important part of the series of standards on technical requirements for information security classified protection. It guides designers in designing and implementing isolation components with the required security level, describes the technical requirements from the perspective of dividing the security protection levels of isolation components, and mainly indicates the security technical measures adopted by isolation components to meet the security requirements of each protection level based on GB 17859-1999, as well as the differences in the implementation of the various security technologies at different security levels.
Based on the security level classification of GB 17859-1999 and the technical characteristics of isolation components, this standard describes in detail the security function technical requirements and security assurance technical requirements for each security level.
In the text of this standard, bold font indicates new or enhanced functional requirements at higher levels.
Information security technology
Security technical requirements for network and terminal equipment isolation components
1 Scope
This standard specifies the detailed technical requirements for the security protection level classification of isolation components, and gives the different technical requirements for each security protection level.
This standard is applicable to the design and implementation of isolation components. It may also be used as a reference for the testing and management of isolation components.
2 Normative references
The clauses in the following documents become clauses of this standard through reference in this standard. For dated references, subsequent amendments (excluding corrigenda) or revisions do not apply to this standard; however, parties to agreements based on this standard are encouraged to investigate whether the latest editions of these documents can be used. For undated references, the latest edition applies to this standard.
GB 17859-1999 Classified criteria for security protection of computer information systems
GB/T 20271-2006 Information security technology - Common security technical requirements for information systems
3 Terms and definitions
The following terms and definitions, as well as those established in GB 17859-1999 and GB/T 20271-2006, apply to this standard.
3.1
Physical disconnection
The state in which networks in different security domains cannot be connected directly or indirectly. In a physical network environment, implementing physical disconnection of the networks of different security domains should technically ensure that information is disconnected in both physical conduction and physical storage.
3.2
Protocol conversion
In an isolation component, protocol conversion is defined as the stripping and reconstruction of the protocol: at the isolation component end in one security domain, the application data is stripped out of the network-based public protocol and encapsulated into a system-specific protocol for transmission to the isolation component end in the other security domain, where the proprietary protocol is stripped off and the data is packaged into the required format.
3.3
Protocol isolation
The networks in different security domains are physically connected, but protocol conversion ensures that the protected information is logically isolated, so that only content-restricted information that the system requires to be transmitted can pass.
3.4
Information ferry
A mode of information exchange in which the physical transport channel exists only while transmission is in progress. When information is transmitted, it is first transferred from the security domain of the information source to the intermediate cache area while the connection between the intermediate cache area and the security domain of the information destination is physically disconnected; the transport channel between the cache area and the security domain of the information destination is then connected, the information is transmitted to the security domain of the information destination, and the connection between the security domain of the information source and the intermediate cache area is physically disconnected. At any one time, the intermediate cache area is connected to only one security domain.
3.5
An information security component that physically disconnects information, such as a physical isolation card.
......