GB/T 21028-2007 (English translation, PDF)
Standard ID: GB/T 21028-2007 (GB/T21028-2007)
Title (translated English): Information security technology - Security techniques requirement for server
Status: Obsolete
Price: USD 380
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 33,381
Date of Issue: 2007-06-29
Date of Implementation: 2007-12-01
Drafting Organization: Langchao Electronic Information Industry Co., Ltd.
Administrative Organization: National Standardization Technical Committee for Information Security
Regulation (derived from): China National Standard Announcement 2007 No.7 (Total No.107) - National-Standard-Commission
Proposing organization: National Safety Standardization Technical Committee
Issuing agency(ies): Administration of Quality Supervision, Inspection and Quarantine of People's Republic of China; Standardization Administration of China
Summary: This standard specifies the security technical requirements for servers and the different security technical requirements at each of the five security protection levels of GB 17859-1999. It applies to the design, implementation, purchase and use of servers classified according to the five security protection levels of GB 17859-1999; testing and management of server security according to those levels may refer to it.
GB/T 21028-2007
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information Security Technology –
Security Techniques Requirements for Server
ISSUED ON: JUNE 29, 2007
IMPLEMENTED ON: DECEMBER 01, 2007
Issued by: General Administration of Quality Supervision, Inspection and Quarantine; Standardization Administration of PRC.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative References
3 Terms, Definitions and Abbreviations
3.1 Terms and definitions
3.2 Abbreviation
4 Requirements for Server Security Function
4.1 Device security
4.1.1 Device label
4.1.2 Support for reliable operation of device
4.1.3 Monitoring the working status of the device
4.1.4 Device electromagnetic protection
4.2 Operation security
4.2.1 Security monitoring
4.2.2 Security audit
4.2.3 Malicious code protection
4.2.4 Backup and fault recovery
4.2.5 Trusted technical support
4.2.6 Trusted timestamp
4.3 Data security
4.3.1 ID authentication
4.3.2 Discretionary access control
4.3.3 Label
4.3.4 Mandatory access control
4.3.5 Data integrity
4.3.6 Data confidentiality
4.3.7 Dataflow control
4.3.8 Trusted path
5 Requirements of Server Security Classification
5.1 Level-1: user discretionary protection level
5.1.1 Security function requirements
5.1.2 Security assurance requirements
5.2 Level-2: system audit protection level
5.2.1 Security function requirements
5.2.2 Security assurance requirements
5.3 Level-3: security label protection level
5.3.1 Security function requirements
5.3.2 Security assurance requirements
5.4 Level-4: structured protection level
5.4.1 Security function requirements
5.4.2 Security assurance requirements
5.5 Level-5: access verification protection level
5.5.1 Security function requirements
5.5.2 Security assurance requirements
Appendix A (Informative) Relevant Concept Explanation
A.1 Composition and interrelationship
A.2 Special requirements for server security
A.3 Further explanation of subject and object
A.4 SSOS, SSF, SSP, SFP, and their relationships
A.5 Explanation on cryptographic technique
A.6 Explanation on electromagnetic protection
Bibliography
Information Security Technology –
Security Techniques Requirements for Server
1 Scope
This Standard specifies, based on the five security protection levels specified in GB
17859-1999, the security technical requirements required by the server and the
different security technical requirements for each security protection level.
This Standard is applicable to the design, implementation, purchase and use of the
hierarchical server in accordance with the requirements of the five security protection
levels specified in GB 17859-1999. The testing and management of server security
according to the requirements of the five security protection levels specified in GB
17859-1999 can be referred to.
2 Normative References
The provisions in following documents become the provisions of this Standard through
reference in this Standard. For dated references, the subsequent amendments
(excluding corrigendum) or revisions do not apply to this Standard, however, parties
who reach an agreement based on this Standard are encouraged to study if the latest
versions of these documents are applicable. For undated references, the latest edition
of the referenced document applies.
GB 17859-1999 Classified Criteria for Security Protection of Computer Information System
GB/T 20271-2006 Information Security Technology - Common Security Techniques Requirement for Information System
GB/T 20272-2006 Information Security Technology - Security Techniques Requirement for Operating System
GB/T 20273-2006 Information Security Technology - Security Techniques Requirement for Database Management System
GB/T 20520-2006 Information Security Technology - Public Key Infrastructure - Time Stamp Specification
use, etc.; and provide monitoring data analysis functions, if necessary.
4.2.1.2 Network security monitoring
The server shall monitor the incoming and outgoing network data flow in real time at
its network interface unit. According to the different requirements of the different
security levels against network security monitoring, the network security monitoring shall:
a) Not depend on the server operating system, and not become unavailable because
of a non-power-off failure of the server;
b) Inspect the incoming and outgoing network data flow according to the
established security policies and rules;
c) Support user-defined security policies and rules for network security monitoring;
d) Classify and monitor network application behaviour, and be able to raise alarms
and interrupt traffic according to the security policies;
e) Provide centralized management functions, in order to receive the security
policies and rules issued by the centralized network security monitoring
management platform, and provide an audit data source to that platform.
4.2.2 Security audit
4.2.2.1 Response of security audit
The security audit SSF shall respond to audit events as follows:
a) Audit log record: when a security intrusion event is detected, the audit data shall
be recorded in the audit log;
b) Real-time alarm generation: when a security intrusion event is detected, real-time
alarm information shall be generated, and an alarm raised selectively according
to the setting of the alarm switch;
c) Termination of the offending process: when a security intrusion event is detected,
the offending process shall be terminated;
d) Service cancellation: when a security intrusion event is detected, the current
service shall be cancelled;
e) User account disconnection and invalidation: when a security intrusion event is
detected, the current user account shall be disconnected and invalidated.
current activities and the established usage model. When the user's challenge
level exceeds the threshold condition, it can indicate that a threat to security is
about to occur.
c) Simple attack detection: it can detect the occurrence of signature events that
pose a significant threat to the enforcement of the SSF. To this end, the SSF shall
maintain and indicate an internal representation of the signature events that
represent intrusions against the SSF, and compare the detected system behaviour
records with those signature events; when a match is found, an attack on the SSF
is imminent.
d) Complex attack detection: on the basis of simple attack detection, multi-step
intrusions can be detected; a complete intrusion scenario can be modelled from a
known sequence of events, and a signature event or a sequence of events that
indicates a potential intrusion of the SSF can be identified.
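The two detection tiers above, together with the audit-log and alarm responses of 4.2.2.1, can be shown in a small piece of code. This is an added example, not text or code from GB/T 21028-2007: the audit records, the signature event names and the five-step intrusion sequence are constructed for the illustration, and the per-user sliding window is one assumed way of matching a known event sequence.

```python
"""Added example (not from GB/T 21028-2007): simple (signature) and complex
(sequence) attack detection over constructed audit records, with the 4.2.2.1
responses that are pure software: an audit-log record and a real-time alarm."""
from collections import defaultdict, deque

# Constructed audit records; field names are assumptions for this example.
AUDIT_STREAM = [
    {"user": "alice", "host": "srv01", "event": "login", "ok": True},
    {"user": "bob",   "host": "srv01", "event": "login", "ok": False},
    {"user": "bob",   "host": "srv01", "event": "login", "ok": False},
    {"user": "bob",   "host": "srv01", "event": "login", "ok": False},
    {"user": "bob",   "host": "srv01", "event": "login", "ok": True},
    {"user": "bob",   "host": "srv01", "event": "priv_escalate", "ok": True},
    {"user": "bob",   "host": "srv01", "event": "audit_config_change", "ok": True},
    {"user": "alice", "host": "srv01", "event": "file_read", "ok": True},
]

# Simple attack detection (4.2.2.3 c): single events that threaten the SSF itself.
SIGNATURE_EVENTS = {"audit_config_change", "ssf_binary_modified"}

# Complex attack detection (4.2.2.3 d): a known multi-step sequence, tracked per user.
INTRUSION_SEQUENCE = ("login_failed", "login_failed", "login_failed",
                      "login", "priv_escalate")


def normalise(rec):
    """Map a raw record to the event name used by the signatures."""
    if rec["event"] == "login" and not rec["ok"]:
        return "login_failed"
    return rec["event"]


class AuditResponder:
    """4.2.2.1 a) and b): always write the audit log; alarm only if the switch is on."""

    def __init__(self, alarm_switch=True):
        self.alarm_switch = alarm_switch
        self.audit_log = []
        self.alarms = []

    def respond(self, kind, rec, detail):
        self.audit_log.append({"kind": kind, "user": rec["user"],
                               "host": rec["host"], "detail": detail})
        if self.alarm_switch:
            self.alarms.append(f"{kind}: {detail} (user={rec['user']}, host={rec['host']})")


def detect(stream, responder):
    """Run both detectors over the stream and return the responder for inspection."""
    # Most recent normalised events per user, as long as the sequence being matched.
    window = defaultdict(lambda: deque(maxlen=len(INTRUSION_SEQUENCE)))
    for rec in stream:
        name = normalise(rec)
        if name in SIGNATURE_EVENTS:
            responder.respond("signature", rec, f"signature event {name}")
        w = window[rec["user"]]
        w.append(name)
        if tuple(w) == INTRUSION_SEQUENCE:
            responder.respond("sequence", rec, "multi-step intrusion sequence matched")
            w.clear()  # do not report the same sequence twice
    return responder


if __name__ == "__main__":
    for line in detect(AUDIT_STREAM, AuditResponder()).alarms:
        print(line)
```

On the constructed stream the sequence detector fires at bob's privilege escalation (three failed logins, a successful login, then escalation) and the signature detector fires at the following audit configuration change; with the alarm switch off both events are still written to the audit log, which is the distinction 4.2.2.1 b) draws.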
4.2.2.4 Security audit review
According to the different requirements of different security levels against the security
audit review, the security audit review can be divided into:
a) Basic audit review: provide the ability to read information from audit records,
namely, provide the ability for the authorized user to obtain and interpret the audit
information. When the user is a person, the information must be expressed in a
human-readable manner; when the user is an external IT entity, the audit
information must be expressed electronically without ambiguity.
b) Limited audit review: on the basis of basic audit review, users without read
access rights shall be prohibited from reading audit information.
c) Optional audit review: on the basis of limited audit review, it shall have the
function of selecting audit data to be reviewed according to criteria; and provide
the ability to search, classify, sort audit data according to some logical
relationship standard.
4.2.2.5 Selection of security audit event
Auditable events shall be selected according to the following attributes:
a) Object ID, user ID, subject ID, host ID, and event type;
b) Additional attributes that serve as the basis for audit selectivity.
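The three review tiers of 4.2.2.4 and the attribute-based selection of 4.2.2.5 map onto a short review routine. This is an added example, not part of the standard: the audit records, the set of principals permitted to read audit data, and the rendering used for a human reader are all constructed for the illustration.

```python
"""Added example (not from GB/T 21028-2007): audit review with the 4.2.2.4 tiers
(basic: readable form; limited: authorisation; optional: selection and sorting)
and attribute-based event selection as listed in 4.2.2.5."""

# Constructed audit records carrying the 4.2.2.5 selection attributes.
AUDIT_RECORDS = [
    {"time": "2007-12-01T08:00:00Z", "object": "/etc/passwd", "user": "alice",
     "subject": 1201, "host": "srv01", "event": "file_read", "ok": True},
    {"time": "2007-12-01T08:05:00Z", "object": "/etc/shadow", "user": "bob",
     "subject": 1310, "host": "srv01", "event": "file_read", "ok": False},
    {"time": "2007-12-01T08:03:00Z", "object": "db:orders", "user": "bob",
     "subject": 1311, "host": "srv02", "event": "db_update", "ok": True},
    {"time": "2007-12-01T08:09:00Z", "object": "/etc/shadow", "user": "bob",
     "subject": 1312, "host": "srv01", "event": "file_read", "ok": False},
]

# Assumed authorisation table for limited review: who may read audit information.
# "monitoring-platform" stands for an external IT entity (4.2.2.4 a).
AUDIT_READERS = {"auditor", "monitoring-platform"}

# The selection attributes named in 4.2.2.5 a).
SELECTABLE = ("object", "user", "subject", "host", "event")


class AuditReviewDenied(PermissionError):
    """Raised when a principal without read rights asks for audit data."""


def select_events(records, **criteria):
    """4.2.2.5: keep records whose selection attributes match every criterion."""
    for key in criteria:
        if key not in SELECTABLE:
            raise ValueError(f"{key!r} is not an audit selection attribute")
    return [r for r in records if all(r[k] == v for k, v in criteria.items())]


def review(records, principal, human=True, sort_by="time", **criteria):
    """Limited review: refuse unauthorised readers. Optional review: select by
    criteria and sort. Basic review: text for a person, structured data for an
    external IT entity so the information is unambiguous."""
    if principal not in AUDIT_READERS:
        raise AuditReviewDenied(f"{principal} may not read audit information")
    selected = sorted(select_events(records, **criteria), key=lambda r: r[sort_by])
    if not human:
        return selected
    return [f"{r['time']} host={r['host']} user={r['user']} subject={r['subject']} "
            f"{r['event']} {r['object']} {'OK' if r['ok'] else 'DENIED'}"
            for r in selected]


def can_review(principal):
    """True when the principal holds audit read rights (limited review check)."""
    return principal in AUDIT_READERS


if __name__ == "__main__":
    for line in review(AUDIT_RECORDS, "auditor", user="bob", host="srv01"):
        print(line)
```

The authorisation check runs before any selection, so an unauthorised caller learns nothing about which records exist; the sort key and selection attributes are the only things the reviewer controls.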
4.2.2.6 Storage of security audit event
According to the different requirements of different security levels against the security
audit event, the storage of security audit event is divided into:
b) Incremental information backup and recovery: it shall provide the function of
regularly backing up newly added information in the operating system, database
system and application system; when some information in the system is lost or
destroyed for some reason, the user shall be provided with the function of
recovering that information from the information retained by the incremental
backup;
c) Local system backup and recovery: it shall provide the function of regularly
backing up the operating status of certain important local systems in the operating
system, database system and application system; when a local system fails for
some reason, the user shall be provided with the function of local system
recovery from the operating status retained by the local system backup;
d) System-wide backup and recovery: it shall provide the function of backing up the
system-wide operating status of important servers; when a system-wide failure
of the server occurs for some reason, support shall be provided for system-wide
recovery from the operating status retained by the system-wide backup;
e) Tightly coupled cluster structure: key servers shall adopt a multi-server tightly
coupled cluster structure, so that when one of the servers fails and stops
operating, the business application system continues to run uninterrupted on
the remaining servers;
f) Remote backup and recovery: for key servers, remote backup and recovery
functions shall be set up according to the different business continuity
requirements, to ensure that when the server is interrupted by a catastrophic
failure, the business application system can be restored to operation within the
required time.
4.2.5 Trusted technical support
A cryptography-based trusted technical support module shall be set up on the server
to establish a chain of trust on the server from system boot and loading through to
application services, so as to ensure the authenticity of the various running programs,
and to support security functions such as data confidentiality and integrity protection
by cryptographic mechanisms, authentication of the server user ID, and authentication
of connected devices.
4.2.6 Trusted timestamp
The server shall provide a reliable clock and clock synchronization system for its
operation; and provide a trusted timestamp service according to the requirement of
GB/T 20520-2006.
classification are the basis for implementing multilevel security model.
4.3.3.3 Output of label
When data is output from inside the SSC to outside its control scope, the sensitive
labels of the data may be retained or not, as required. According to the different
requirements of the different security levels against label output, label output can
be divided into:
a) Output of user data without sensitive label: when user data is output outside the
SSC under the control of the SFP, no sensitive label shall be associated with
the data;
b) Output of user data with sensitive label: when user data is output outside the
SSC under the control of the SFP, a sensitive label shall be associated with the
data, and it shall be ensured that the sensitive label is bound to the output data.
4.3.3.4 Input of label
When data is input from outside the SSF control scope into it, there shall be a
corresponding sensitive label so that the input data can be protected. According to
the different requirements of the different security levels against label input, label
input can be divided into:
a) Input of user data without sensitive label: the SSF shall:
--- When inputting user data from outside the SSC under the control of the SFP,
enforce the access control of the SFP;
--- Ignore any sensitive label associated with data input from outside the SSC;
--- Enforce additional input control rules and set the sensitive label of the input data.
b) Input of user data with sensitive label: the SSF shall:
--- When inputting user data from outside the SSC under the control of the SFP,
enforce the access control of the SFP;
--- Use the sensitive label associated with the input data;
--- Provide an exact binding between the sensitive label and the received user
data;
--- Ensure that the interpretation of the sensitive label of the input user data is
consistent with the interpretation of the original sensitive label.
For user data transmitted between different SSFs or between users on different
SSFs, confidentiality protection shall be performed at different levels according to
the different confidentiality requirements of the different data types, ensuring that
the data is not leaked or stolen during transmission.
4.3.6.3 Security reuse of object
In a system that dynamically manages resources, residual information in object
resources (recording media such as registers, memory and disks) shall not cause
information leakage. According to the different requirements of the different security
levels against user data confidentiality protection, secure reuse of objects
includes:
a) Subset information protection: the object resources of a certain subset within the
scope of SSOS security control, when released and reassigned to certain user
or a process running on behalf of such user, shall not leak the original information
of such object;
b) Complete information protection: all object resources within the scope of SSOS
security control, when released and reassigned to certain user or a process
running on behalf of such user, shall not leak the original information of such
object;
c) Special information protection: on the basis of complete information protection,
for certain information that requires special protection, special methods shall be
taken to completely remove the residual information in the object resources, such
as the removal of residual magnetism.
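The difference between a resource that is merely released and one that is released under "complete information protection" is easiest to see with a reusable buffer. The following is an added example, not code from the standard: the buffer pool, the owner bookkeeping and the sample secret are constructed for the illustration, and zero-filling on release stands in for whatever clearing method the object's medium requires.

```python
"""Added example (not from GB/T 21028-2007): a buffer pool that demonstrates
4.3.6.3 'complete information protection'. A pool that does not scrub hands a
released buffer to its next user with the previous content still inside; the
hardened pool overwrites the object before it is reassigned."""


class BufferPool:
    """Fixed-size pool of bytearray objects handed out to users and returned later."""

    def __init__(self, size, count, scrub_on_release):
        self.scrub_on_release = scrub_on_release
        self._free = [bytearray(size) for _ in range(count)]
        self._owner = {}  # id(buffer) -> user currently holding it

    def acquire(self, user):
        """Assign a free buffer to `user`; raises IndexError when the pool is empty."""
        buf = self._free.pop()
        self._owner[id(buf)] = user
        return buf

    def release(self, buf):
        """Return a buffer to the pool; a buffer not handed out by this pool is rejected."""
        owner = self._owner.pop(id(buf))  # KeyError on a stale or foreign handle
        if self.scrub_on_release:
            # Overwrite in place: the object survives, the information it held does not.
            buf[:] = bytes(len(buf))
        self._free.append(buf)
        return owner


def residual_leak(scrub):
    """Simulate release followed by reassignment to another user and return the
    bytes the new user can read from the buffer."""
    pool = BufferPool(size=16, count=1, scrub_on_release=scrub)
    first = pool.acquire("alice")
    secret = b"tok-ALICE-0001"  # constructed sensitive value written by the first user
    first[: len(secret)] = secret
    pool.release(first)
    second = pool.acquire("bob")  # count=1, so this is the same object
    return bytes(second)


if __name__ == "__main__":
    print("without scrub:", residual_leak(False))
    print("with scrub:   ", residual_leak(True))
```

In a native implementation the same step is the one a compiler may silently remove when the buffer is about to be freed, which is why C code for this purpose uses a clearing routine the compiler is not permitted to elide (for example memset_s or explicit_bzero) rather than plain memset; the "special information protection" tier of 4.3.6.3 goes further and addresses the medium itself.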
4.3.7 Dataflow control
In a server that implements data flow in a dataflow manner, a dataflow control
mechanism shall be used to achieve security control of the data flow, and prevent
data with a high security level from flowing into low-level areas.
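Label output (4.3.3.3), label input (4.3.3.4) and dataflow control (4.3.7) are three sides of one mechanism: a sensitivity label bound to data when it enters the SSC, kept or dropped when it leaves, and compared against the destination before the data moves. The following added example, not part of the standard, shows the three together; the level names, the ordering between them, and the input control rule "an unlabelled input takes the level of the area it came from" are assumptions made for the illustration.

```python
"""Added example (not from GB/T 21028-2007): sensitive labels bound to data on
input (4.3.3.4), kept or dropped on output (4.3.3.3), and a dataflow rule that
stops high-level data flowing into a lower-level area (4.3.7)."""
from dataclasses import dataclass

# Assumed ordered sensitivity levels; the standard does not fix names or count.
LEVELS = {"public": 0, "internal": 1, "secret": 2}


@dataclass(frozen=True)
class LabelledData:
    payload: bytes
    label: str  # sensitive label bound to this payload inside the SSC


def import_data(payload, label=None, *, source_area):
    """4.3.3.4: keep a supplied label and bind it exactly to the data; otherwise
    apply the input control rule (assumed here: use the source area's level)."""
    if source_area not in LEVELS:
        raise ValueError(f"unknown source area {source_area!r}")
    if label is not None:
        if label not in LEVELS:
            raise ValueError(f"unknown sensitive label {label!r}")
        return LabelledData(bytes(payload), label)
    return LabelledData(bytes(payload), source_area)


def export_data(item, *, with_label):
    """4.3.3.3: output either with the bound sensitive label or without one."""
    return (item.payload, item.label if with_label else None)


def flow_allowed(src_label, dst_area):
    """4.3.7: data may move only to an area whose level is at least its own."""
    return LEVELS[src_label] <= LEVELS[dst_area]


def transfer(item, dst_area):
    """Move labelled data to another area inside the SSC, or refuse."""
    if not flow_allowed(item.label, dst_area):
        raise PermissionError(f"{item.label} data may not flow into the {dst_area} area")
    return item


if __name__ == "__main__":
    doc = import_data(b"quarterly figures", "secret", source_area="internal")
    print(export_data(doc, with_label=True))
    try:
        transfer(doc, "public")
    except PermissionError as exc:
        print("refused:", exc)
```

The frozen dataclass is the "exact binding" of 4.3.3.4 b): payload and label travel as one immutable object, so no code path inside the SSC can keep the payload while losing or changing its label.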
4.3.8 Trusted path
The trusted path between the user and the SSF shall:
a) Provide genuine endpoint identification, and protect the communicated data from
modification and leakage;
b) Allow communication over the trusted path to be initiated by the SSF itself, a local
user or a remote user;
c) Be used for the identification of the original user and for other services that
require the trusted path.
According to the requirements in 5.1.1 of GB/T 20273-2006, design, achieve and
purchase the database management system required by the server at the user
discretionary protection level from the following aspects:
a) ID authentication: according to the description in 4.3.1, ensure the
uniqueness and authenticity of the ID of user logged in the database
management system;
b) Discretionary access control: according to the description in 4.3.2, control
the access of the database management system; allow the legitimate
operations and deny the illegal operations;
c) Data integrity: according to the description in 4.3.5, the user data
transmitted within the database management system shall be provided
with functions to ensure the integrity of the user data.
5.1.1.4 Application system
5.1.1.4.1 ID authentication
According to the description in 4.3.1, as per the requirements of 6.1.3.1 in GB/T
20271-2006, design and achieve the ID authentication function of the application
system from the following aspects:
a) ID identification: any user who needs to enter the application system shall
be identified (an account created); the user identification of the application
system generally uses a user name or user identifier (UID);
b) ID authentication: use password for authentication; authentication is
performed every time a user logs in to the application system; the
password shall be invisible, and securely protected when stored; for the
users registered in the application system, associate the user with its
served subject through the user-subject binding function.
5.1.1.4.2 Discretionary access control
According to the description in 4.3.2, as per the requirements in 6.1.3.2 of GB/T
20271-2006, design and achieve the discretionary access control function of the
application system from the following aspects:
a) Allow the named users to control the sharing of the objects as users and/or
user groups and prevent the unauthorized users from sharing objects;
b) The granularity of discretionary access control is coarse-grained.
5.1.1.4.3 Data integrity
b) Distribution and operation: according to the requirements in 6.1.5.2 of GB/T
20271-2006, achieve the distribution and operation of server user
discretionary protection level;
c) Development: according to the requirements in 6.1.5.3 of GB/T 20271-2006,
achieve the development of server user discretionary protection level;
d) Guidance documents: according to the requirements in 6.1.5.4 of GB/T
20271-2006, achieve the guidance documents of server user discretionary
protection level;
e) Life cycle support: according to the requirements in 6.1.5.5 of GB/T 20271-
2006, achieve the life cycle support of server user discretionary protection
level;
f) Test: according to the requirements in 6.1.5.6 of GB/T 20271-2006, achieve
the test of server user discretionary protection level.
5.1.2.3 SSOS security management
According to the requirements of 6.1.6 of GB/T 20271-2006, achieve the SSOS
security management of server user discretionary protection level.
5.2 Level-2: system audit protection level
5.2.1 Security function requirements
5.2.1.1 Hardware system
5.2.1.1.1 Device label
According to the requirements of device labels and component labels in 4.1.1, design
and achieve the security function of server device labels; and take protective
measures for the labels (such as stamping the official seal).
5.2.1.1.2 Support for reliable operation of device
According to the requirements of basic operation support and security available
support in 4.1.2, design and achieve the security function supported by the reliable
operation of server device. The minimum configuration of server hardware shall meet
the requirements of software system operation; the key components (including hard
disk, motherboard, memory, processor, network card, etc.) shall be matched
with their labels, ensure their security, and prevent the replacement and removal;
the chassis panel shall be protected, for instance lock protection.
5.2.1.1.3 Electromagnetic protection of device
According to the requirements of host software protection in 4.2.3, design and achieve
the malicious code protection functions.
5.2.1.5.2 Backup and failure recovery
According to the requirements of self-information backup and recovery, incremental
information backup and recovery, and local system backup and recovery in 4.2.4,
design and achieve the server backup and failure recovery functions.
5.2.2 Security assurance requirements
5.2.2.1 SSOS self-security protection
a) SSF physical security protection: it should, according to the requirements in
6.2.4.1 of GB/T 20271-2006, achieve the SSF physical security protection of
server system audit protection level;
b) SSF operation security protection: it should, according to the requirements in
6.2.4.2 of GB/T 20271-2006, achieve the SSF operation security protection of
server system audit protection level;
c) SSF data security protection: it should, according to the requirements in 6.2.4.3
of GB/T 20271-2006, achieve the SSF data security protection of server system
audit protection level;
d) Resource utilization: it should, according to the requirements in 6.2.4.4 of GB/T
20271-2006, achieve the resource utilization of server system audit protection
level;
e) SSOS access control: it should, according to the requirements in 6.2.4.5 of
GB/T 20271-2006, achieve the SSOS access control of server system audit
protection level.
5.2.2.2 SSOS design and achievement
a) Configuration management: it should, according to the requirements in 6.2.5.1
of GB/T 20271-2006, achieve the configuration management of server system
audit protection level;
b) distribution and operation: it should, according to the requirements in 6.2.5.2 of
GB/T 20271-2006, achieve the distribution and operation of server system audit
protection level;
c) Development: it should, according to the requirements in 6.2.5.3 of GB/T 20271-
2006, achieve the development of server system audit protection level;
d) Guidance document: it should, according to the requirements in 6.2.5.4 of GB/T
authentication/token-based dynamic password authentication/biometric
authentication/digital certificate authentication and other mechanisms are
used for ID authentication; authentication shall be performed every time the user
logs in the application system; the authentication information shall be invisible;
encryption technology shall be taken to protect the authentication
information; for users registered in the application system, users shall be
associated with the served subjects through the user-subject binding function.
5.3.1.4.2 Discretionary access control
It shall, according to the description in 4.3.2, as per the requirements in 6.3.3.3 of
GB/T 20271-2006, design and achieve the discretionary access control of application
system from the following aspects:
a) Allow the named users to control the sharing of objects as users, and prevent
unauthorized users from sharing objects;
b) Use access control lists to control and determine the subjects' access
permissions to the objects;
c) The granularity of discretionary access control shall be medium granularity;
d) Discretionary access control shall be combined with ID authentication and
audit: by confirming the authenticity of the user's ID and recording each
successful and unsuccessful access by the user, users are made clearly
accountable for their actions.
5.3.1.4.3 Label
It shall, according to the description in 4.3.3, as per the requirements in 6.3.3.4
of GB/T 20271-2006, design and achieve the label function of the application
system from the following aspects:
a) The sensitivity label of the application system users shall be set by the
system security officer after the user creates a registered account;
b) The sensitive label of the application system object shall be generated by
default or by security officer through the operation interface when the data
is entered into the security control scope.
5.3.1.4.4 Mandatory access control
It shall, according to the description in 4.3.4, as per the requirements in 6.3.3.5
of GB/T 20271-2006, design and achieve the mandatory access control function
of the application system from the following aspects:
a) The scope of the mandatory access control shall be limited to the defined
system from the following aspects:
a) When accessing the service, check the integrity of the user data submitted to the
application system as a string;
b) For data transmission within the application system, for instance inter-process
communication, functions ensuring data integrity shall be provided;
c) For the user data processed in the application system, corresponding security
functions shall be designed according to the rollback requirements; perform
transaction rollback under abnormal conditions to ensure the integrity of the data.
5.3.1.4.8 Data confidentiality
It shall, according to the description in 4.3.6, as per the requirements in 6.3.3.8 of
GB/T 20271-2006, design and achieve the user data confidentiality function of the
application system.
5.3.1.5 Safe operation
5.3.1.5.1 Security monitoring
According to the requirements of host security monitoring and network security
monitoring in 4.2.1, design and achieve the server security monitoring functions.
5.3.1.5.2 Malicious code protection
According to the requirements of host software protection and overall protection in
4.2.3, design and achieve the malicious code protection functions.
5.3.1.5.3 Backup and failure recovery
According to the requirements of user self-information backup and recovery,
incremental information backup and recovery, local system backup and recovery, and
full system backup and recovery in 4.2.4, design and achieve the server backup and
failure recovery functions.
5.3.1.5.4 Trusted timestamp
According to the requirements of trusted timestamp in 4.2.6, design and achieve
the trusted timestamp functions of server.
5.3.2 Security assurance requirements
5.3.2.1 SSOS self-security protection
a) SSF physical security protection: it shall, according to the requirements in
5.3.2.3 SSOS management
It shall, according to the requirements in 6.3.6 of GB/T 20271-2006, achieve the SSOS
security management of server security label protection level.
5.4 Level-4: structured protection level
5.4.1 Security function requirements
5.4.1.1 Hardware system
5.4.1.1.1 Device label
It shall, according to the requirements of device label and component label in 4.1.1,
design and achieve the security functions of server device label; take protective
measures (for instance, stamping official seal) on the label; the component label
shall take the digital label.
5.4.1.1.2 Support of device reliable operation
It shall, according to the requirements of basic operation support, security available
support, and uninterrupted operation support in 4.1.2, design and achieve the security
functions of server device reliable operation support; the minimum configuration of the
server hardware shall meet the requirements of software system operation; key
components shall be matched with their labels to ensure their security, and prevent the
replacement and removal; the chassis panel shall be provided protective measures.
Uninterrupted operation requirements shall be satisfied by key components with security
functions such as fault tolerance, redundancy and hot plugging. Components that
support the hot plugging function include hard disk, fan, power supply, PCI adapter,
network card, memory, CPU, et......
......