
GB/T 28451-2012 (GBT28451-2012)

Status: Valid

BASIC DATA
Standard ID: GB/T 28451-2012 (GB/T28451-2012)
Description (Translated English): Information security technology. Technical requirements and testing and evaluation approaches for network-based intrusion prevention system products
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.020
Word Count Estimation: 63,698
Quoted Standard: GB 17859-1999; GB/T 25069-2010
Drafting Organization: Ministry of Public Security of Computer Information System Security Product Quality Supervision and Inspection Center
Administrative Organization: Standardization Technical Committee of the National Information Security
Regulation (derived from): National Standards Bulletin No. 13 of 2012
Proposing organization: National Information Security Standardization Technical Committee (SAC/TC 260)
Issuing agency(ies): General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China, Standardization Administration of the People's Republic of China
Summary: This standard specifies the network-based intrusion prevention products, functional requirements, product requirements and product guarantee their own security requirements, and proposed classification requirements of intrusion prevention products. This s


GB/T 28451-2012
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.020
L 80
Information security technology - Technical
requirements and testing and evaluation approaches
for network-based intrusion prevention system
products
ISSUED ON: JUNE 29, 2012
IMPLEMENTED ON: OCTOBER 01, 2012
Issued by: General Administration of Quality Supervision, Inspection and
Quarantine;
Standardization Administration of PRC.
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Technical requirements for intrusion prevention products
5.1 Description of composition
5.2 Classification of functional and security requirements
6 Composition of intrusion prevention products
6.1 Intrusion event analysis unit
6.2 Intrusion response unit
6.3 Intrusion event audit unit
6.4 Management control unit
7 Technical requirements for intrusion prevention products
7.1 Level 1
7.2 Level 2
7.3 Level 3
8 Evaluation methods of intrusion prevention products
8.1 Test environment
8.2 Test tool
8.3 Level 1
8.4 Level 2
8.5 Level 3
8.6 Performance test
Information security technology - Technical
requirements and testing and evaluation approaches
for network-based intrusion prevention system
products
1 Scope
This standard specifies the functional requirements of network-based intrusion
prevention products, the product's own security requirements, the product
assurance requirements; it also proposes the classification requirements for
intrusion prevention products.
This standard applies to the design, development, testing and evaluation of
network-based intrusion prevention products.
2 Normative references
The following documents are essential to the application of this document. For
dated documents, only the version with the date indicated is applicable to this
document; for undated documents, only the latest version (including all
amendments) is applicable to this document.
GB 17859-1999 Classified criteria for security protection of computer
information system
GB/T 25069-2010 Information security technology - Glossary
3 Terms and definitions
The terms and definitions as defined in GB/T 25069-2010 and GB 17859-1999
as well as the following terms and definitions apply to this document.
3.1
Network-based intrusion prevention system products
It is a product that is deployed on a network path in the form of a bridge or a
gateway, finds network behaviors with intrusive characteristics by analyzing
network traffic, and intercepts them before they enter the protected network.
This level specifies the minimum-security requirements for intrusion prevention
products. The product has basic protocol analysis, intrusion detection and
interception capabilities; generates records of intrusion events; restricts the
control of product function configuration and data access through simple user
identification and authentication, so that users have the ability to independently
protect and prevent illegal users from harming the intrusion prevention products
and protect the normal operation of intrusion prevention products.
5.1.2 Level 2
This level requires the division of security management roles, to refine the
management of intrusion prevention products. The audit function is added, to
make the actions of authorized administrators traceable. While the product
realizes intrusion detection and interception, it also requires the function of
timely warning. For event records, it also requires the ability to generate and
output reports, as well as a hardware failure handling mechanism.
5.1.3 Level 3
This level requires intrusion prevention products to provide a general interface
to the outside world and requires report results to support functions such as
template customization. It also requires functions such as multiple
authentication mechanisms, upgrade security, self-hiding and load balancing, and
puts forward higher requirements for the product's own security, to provide
strong protection for the normal operation of the product.
5.1.4 Performance
This item specifies the performance requirements of intrusion prevention
products, covering all levels.
5.2 Classification of functional and security requirements
The security classification of intrusion prevention products is as shown in Table
1 and Table 2. The grade evaluation of intrusion prevention products is based
on Table 1 and Table 2, combined with the comprehensive evaluation of product
assurance requirements. The intrusion prevention products that meet the level
1 requirements shall meet all the items that the level 1 products shall comply
with as indicated in Table 1 and Table 2, as well as the relevant assurance
requirements for the level 1 product. The intrusion prevention products that
meet the level 2 requirements shall meet all the items that the level 2 products
shall comply with as indicated in Table 1 and Table 2, as well as the relevant
assurance requirements for the level 2 product. The intrusion prevention
products that meet the level 3 requirements shall meet all the items that the
level 3 products shall comply with as indicated in Table 1 and Table 2, as well
7.1.3.3.1 Function design
Developers shall provide documents explaining the security function design of
intrusion prevention products.
Function design shall describe the security function and its external interface in
an informal way; describe the purpose and method of using the external security
function interface; provide details of exceptions and error messages when
needed.
7.1.3.3.2 Representation correspondence
The developer shall provide a correspondence analysis between all adjacent
pairs represented by the security function of the intrusion prevention product.
7.1.3.4 Guiding documents
7.1.3.4.1 Administrator guide
The developer shall provide the authorized administrator with an administrator
guide including the following:
a) Management functions and interfaces that can be used by intrusion
prevention products;
b) How to securely manage intrusion prevention products;
c) The functions and permissions that shall be controlled in the secured
processing environment;
d) All assumptions about user behavior related to the secured operation of
intrusion prevention products;
e) All security parameters controlled by the administrator; if possible, the
security value shall be indicated;
f) Every security-related event related to the management function, including
changes to the security features of the entity controlled by the security
function;
g) All IT environment’s security requirements related to authorized
administrators.
The Administrator guide shall be consistent with all other documents provided
for evaluation.
7.1.3.4.2 User guide
a) The test document shall include the test plan, test procedures, expected
test results, actual test results.
b) The test plan shall identify the security functions to be tested and describe
the objectives of the test. The test procedure shall identify the test to be
performed and describe the test profile of each security function, which
includes the sequential dependence of other test results.
c) The expected test result shall indicate the expected output after the test is
successful.
d) The actual test results shall show that each tested security function can
operate according to requirements.
7.2 Level 2
7.2.1 Product functional requirements
7.2.1.1 Requirements for intrusion event analysis function
7.2.1.1.1 Data collection
Intrusion prevention products shall have the ability to collect all data packets
flowing into the target network in real time.
7.2.1.1.2 Protocol analysis
Intrusion prevention products shall perform protocol analysis on the collected
data packets.
7.2.1.1.3 Intrusion discovery
Intrusion prevention products shall be able to detect intrusions in the protocol.
7.2.1.1.4 Intrusion evasion discovery
Intrusion prevention products shall be able to detect behaviors that evade or
deceive detection, such as IP fragment reassembly, TCP stream reassembly,
protocol port relocation, URL string deformation, SHELL deformation, etc.
7.2.1.1.5 Traffic monitoring
Intrusion prevention products shall monitor abnormal traffic in the target
environment.
7.2.1.2 Requirements for intrusion response function
7.2.1.4 Requirements for management control function
7.2.1.4.1 Management interface
Intrusion prevention products shall provide a user interface for management
and configuration of intrusion prevention products. The management
configuration interface shall contain all the functions needed to configure and
manage the product.
7.2.1.4.2 Intrusion event library
Intrusion prevention products shall provide an intrusion event library. The event
library shall include event name, detailed description, definition, etc.
7.2.1.4.3 Event classification
Intrusion prevention products shall classify events according to their severity,
so that authorized administrators can capture dangerous events from a large
amount of information.
7.2.1.4.4 Event definition
Intrusion prevention products shall allow authorized administrators to customize
policy events.
7.2.1.4.5 Protocol definition
In addition to supporting the default network protocol set, intrusion prevention
products shall also allow authorized administrators to define new protocols or
relocate the protocol ports.
7.2.1.4.6 Traffic control
Intrusion prevention products have the function of controlling abnormal traffic.
7.2.1.4.7 Hardware failure handling
Intrusion prevention products shall provide hardware failure handling
mechanisms.
7.2.1.4.8 Policy configuration
Intrusion prevention products shall provide functions to configure intrusion
prevention strategies and response measures.
7.2.1.4.9 Product upgrade
Intrusion prevention products shall have the ability to update and upgrade
product versions and event libraries.
7.2.3.3.1 Function design
Developers shall provide documents explaining the security function design of
intrusion prevention products.
The functional design shall describe the security function and its external
interface in an informal way; describe the purpose and method of using the
external security function interface; provide details of exceptions and error
messages when needed.
7.2.3.3.2 High-level design
Developers shall provide documents explaining the high-level design of the
security functions of intrusion prevention products.
High-level design shall be expressed in an informal way and be internally
consistent. In order to explain the structure of the security function, the high-
level design shall decompose the security function into each security function
subsystem for description; clarify how to separate the subsystem that helps to
strengthen the security function of the intrusion prevention product from other
subsystems. For each security function subsystem, the high-level design shall
describe the security functions it provides; identify all its interfaces and which
interfaces are externally visible; describe the purpose and methods of use of all
its interfaces; provide the details of the functions, exceptions, error message of
the security function subsystem. The high-level design shall also identify all the
basic hardware, firmware, software required by the security of intrusion
prevention products; support the protection mechanisms implemented by these
hardware, firmware, or software.
7.2.3.3.3 Representation correspondence
The developer shall provide a correspondence analysis between all adjacent
pairs represented by the security function of the intrusion prevention product.
7.2.3.4 Guiding documents
7.2.3.4.1 Administrator guide
The developer shall provide the authorized administrator with an administrator
guide including the following:
a) Management functions and interfaces that can be used by intrusion
prevention product administrators;
b) How to securely manage intrusion prevention products;
c) The functions and permissions that shall be controlled in the secured
development environment of the intrusion prevention product;
b) The development security documents shall also provide evidence of
security measures implemented during the development and
maintenance of intrusion prevention products.
7.2.3.6 Test
7.2.3.6.1 Scope
Developers shall provide analysis results of test coverage.
The analysis result of test coverage shall show that the test identified in the test
document corresponds to the security function described in the security function
design; meanwhile the correspondence is complete.
7.2.3.6.2 Test depth
The developer shall provide in-depth analysis of the test.
In the in-depth analysis, it shall be stated that the test of the security function
identified in the test document is sufficient to show that the security function is
consistent with the high-level design.
7.2.3.6.3 Function test
Developers shall test security functions and provide the following test
documents:
a) The test document shall include the test plan, test procedures, expected
test results and actual test results;
b) The test plan shall identify the security functions to be tested and describe
the objectives of the test. The test procedure shall identify the tests to be
performed and describe the test profile of each security function, which
includes the sequential dependence of other test results;
c) The expected test result shall show the expected output after the test is
successful;
d) The actual test results shall show that each tested security function can
operate according to requirements.
7.2.3.6.4 Independence test
The developer shall provide evidence to prove that the intrusion prevention
product provided by the developer has been independently tested and passed
by a third-party test.
deceive detection, such as IP fragment reassembly, TCP stream reassembly,
protocol port relocation, URL string deformation, SHELL deformation.
7.3.1.1.5 Traffic monitoring
Intrusion prevention products shall monitor abnormal traffic in the target
environment.
7.3.1.2 Requirements for intrusion response function
7.3.1.2.1 Interception capability
Intrusion prevention products shall intercept the discovered intrusion in
advance, to prevent the intrusion from entering the target network.
7.3.1.2.2 Security alert
Intrusion prevention products shall take corresponding actions to issue security
alerts when they discover and block intrusions.
7.3.1.2.3 Alert mode
The alert methods of intrusion prevention products should adopt one or more
methods such as real-time screen prompts, E-mail alerts, sound alerts.
7.3.1.2.4 Event merge
Intrusion prevention products shall have the ability to combine alerts for the
same security events that occur frequently to avoid alert storms.
7.3.1.3 Requirements for intrusion event audit function
7.3.1.3.1 Event generation
Intrusion prevention products shall be able to generate audit records in time for
interception behavior.
7.3.1.3.2 Event record
Intrusion prevention products shall record and save intercepted intrusion events.
The intrusion event information shall at least include the name of the event, the
date and time of the event, the source IP address, source port, destination IP
address, destination port, hazard level, etc.
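The following is an added example, not part of the standard: a minimal Python sketch of how the event merge requirement (7.3.1.2.4) and the minimum event record fields (7.3.1.3.2) could be checked together. The field names, the merge key (event name, source IP, destination IP, destination port), the 60-second window and the sample records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address

# Minimum event-record fields listed in 7.3.1.3.2.
# The key names are this example's choice, not the standard's.
REQUIRED_FIELDS = ("name", "time", "src_ip", "src_port",
                   "dst_ip", "dst_port", "hazard_level")


def validate(record):
    """Return a list of problems; an empty list means the record is complete."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS
                if record.get(f) in (None, "")]
    for key in ("src_ip", "dst_ip"):
        if record.get(key):
            try:
                ip_address(record[key])
            except ValueError:
                problems.append(f"bad {key}")
    for key in ("src_port", "dst_port"):
        port = record.get(key)
        if port not in (None, "") and not (isinstance(port, int) and 0 <= port <= 65535):
            problems.append(f"bad {key}")
    if record.get("time") and not isinstance(record["time"], datetime):
        problems.append("bad time")
    return problems


@dataclass
class MergedAlert:
    name: str
    src_ip: str
    dst_ip: str
    dst_port: int
    hazard_level: str
    first_seen: datetime
    last_seen: datetime
    count: int = 1


def merge_alerts(records, window=timedelta(seconds=60)):
    """Fold repeats of the same event into one alert per burst.

    Merging applies to alerting only; every record is still expected to be
    stored individually as an event record. The source port is left out of
    the merge key (assumption) because it usually changes per connection.
    """
    open_alerts, merged = {}, []
    for rec in sorted(records, key=lambda r: r["time"]):
        key = (rec["name"], rec["src_ip"], rec["dst_ip"], rec["dst_port"])
        cur = open_alerts.get(key)
        if cur is not None and rec["time"] - cur.last_seen <= window:
            cur.last_seen = rec["time"]
            cur.count += 1
            continue
        cur = MergedAlert(rec["name"], rec["src_ip"], rec["dst_ip"],
                          rec["dst_port"], rec["hazard_level"],
                          rec["time"], rec["time"])
        open_alerts[key] = cur
        merged.append(cur)
    return merged


def process(records, window=timedelta(seconds=60)):
    """Reject incomplete records, then merge the complete ones."""
    complete, rejected = [], []
    for rec in records:
        problems = validate(rec)
        if problems:
            rejected.append((rec, problems))
        else:
            complete.append(rec)
    return merge_alerts(complete, window), rejected


# Constructed sample data (documentation address ranges, made-up event names).
T0 = datetime(2024, 1, 1, 12, 0, 0)


def _event(name, offset, src_port, level="high"):
    return {"name": name, "time": T0 + timedelta(seconds=offset),
            "src_ip": "192.0.2.10", "src_port": src_port,
            "dst_ip": "198.51.100.5", "dst_port": 80, "hazard_level": level}


SAMPLE = (
    [_event("HTTP directory traversal", s, 40000 + s) for s in (0, 5, 10, 15)]
    + [_event("HTTP directory traversal", 300, 40300)]   # new burst, outside window
    + [_event("TCP port scan", 7, 51000, level="medium")]
    + [_event("TCP port scan", 8, 51001, level=None)]     # no hazard level
    + [_event("TCP port scan", 9, 70000)]                 # port out of range
)

if __name__ == "__main__":
    alerts, bad = process(SAMPLE)
    for a in alerts:
        print(a.name, a.count, a.first_seen, a.last_seen)
    for rec, problems in bad:
        print("rejected:", rec["name"], problems)
```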
7.3.1.3.3 Report generation
Intrusion prevention products shall be able to generate detailed results reports.
7.3.1.3.4 Report review
Intrusion prevention products shall ensure the security of the event library and
version upgrade; ensure that the upgrade package is provided by the developer.
7.3.2.3.4 Self-hiding
Intrusion prevention products shall at least provide bridge access methods and
take measures such as hiding IP addresses to make themselves invisible on
the network, to reduce the possibility of being attacked.
7.3.2.4 Security audit
7.3.2.4.1 Audit data generation
Intrusion prevention products shall at least generate audit records for the
following auditable events:
a) Attempts to log in to the management port of the intrusion prevention
product, and management identity authentication requests;
b) All operations to change the security policy;
c) All attempts to modify security attributes.
At least the date and time of the event, the type of event, the identity of the
subject, the result (success or failure) of the event shall be recorded in each
audit record.
7.3.2.4.2 Audit review
Intrusion prevention products shall provide authorized administrators with the
function of reading all audit information from audit records; they can sort audit
records.
7.3.2.4.3 Restricted audit access
In addition to authorized administrators with clear read access rights, intrusion
prevention products shall prohibit unauthorized users from reading audit
records.
7.3.3 Product assurance requirements
7.3.3.1 Configuration management
7.3.3.1.1 Configuration management capabilities
Developers shall use configuration management systems and provide
configuration management documents; meanwhile provide unique identification
for different versions of intrusion prevention products.
7.3.3.2.2 Installation generation
Developers shall provide documentation explaining the installation, generation
and activation of intrusion prevention products.
7.3.3.3 Security function development
7.3.3.3.1 Function design
Developers shall provide documents explaining the security function design of
intrusion prevention products.
The security function design shall describe the security function and its external
interface in an informal way; describe the purpose and method of using the
external security function interface; provide details of exceptions and error
messages when needed.
7.3.3.3.2 High-level design
Developers shall provide documents explaining the high-level design of the
security functions of intrusion prevention products.
The high-level design shall be expressed in an informal way and be internally
consistent. In order to explain the structure of the security function, the high-
level design shall decompose the security function into various security function
subsystems for description; clarify how to separate the subsystems that help
strengthen the product security function from other subsystems. For each
security function subsystem, the high-level design shall describe the security
functions it provides; identify all its interfaces and which interfaces are
externally visible; describe the purpose and methods of use of all its interfaces;
provide the details of functions, exceptions, error messages of the security
function subsystem. The high-level design shall also identify all the basic
hardware, firmware and software required by the security of intrusion
prevention products; support the protection mechanisms implemented by these
hardware, firmware or software.
7.3.3.3.3 Realization of security functions
Developers shall provide implementation representations for the selected
subset of product security features.
The realization means that the product security function shall be defined
unambiguously and in detail, so that a subset of the security function can be
generated without further design. Implementation representation shall be
internally consistent.
7.3.3.3.4 Low-level design
function;
g) All IT environment security requirements related to authorized
administrators.
The Administrator guide shall be consistent with all other documents provided
for evaluation.
7.3.3.4.2 User guide
The developer shall provide a user guide that includes the following:
a) Security functions and interfaces available to non-administrative users of
intrusion prevention products;
b) The usage of security functions and interfaces provided by intrusion
prevention products to users;
c) All functions and permissions that users can obtain but shall be controlled
by the secured processing environment;
d) The responsibilities of users in the secured operation of intrusion
prevention products;
e) All security requirements of the IT environment related to users.
The user guide shall be consistent with all other documents provided for
evaluation.
7.3.3.5 Development security requirements
Developers shall provide development security documents including the
following:
a) The development security documents shall describe the necessary
physical, procedural, personnel and other aspects of the security
measures necessary to protect the confidentiality and integrity of the
design and implementation of the intrusion prevention product in the
development environment of the intrusion prevention product;
b) The development security documents shall also provide evidence of
security measures implemented during the development and
maintenance of intrusion prevention products.
7.3.3.6 Test
7.3.3.6.1 Scope
b) Test evaluation results
1) Intrusion prevention products shall be able to access the network by
means of bridges or gateways;
2) Intrusion prevention products shall be able to obtain enough network
data packets to analyze intrusion events.
8.3.1.1.2 Protocol analysis
Protocol analysis test:
a) Test evaluation method
1) Check the security policy configuration document of the intrusion
prevention product; check whether the description of the security event
has attributes such as protocol type;
2) Check the product manual; find the description of the protocol analysis
method; take samples to generate protocol events according to the
protocol analysis types declared by the product, to form the attack event
test set;
3) Configure the product's intrusion prevention strategy as the maximum
strategy set;
4) Send all events in the attack event test set; record the product's
detection results.
b) Test evaluation results
1) Record the attack name and type corresponding to each intrusion
intercepted by the product;
2) The protocol events that can be monitored in the product manual mainly
include the following types: ARP, ICMP, IP, TCP, UDP, RPC, HTTP, FTP,
TFTP, SNMP, TELNET, DNS, SMTP, POP3, NETBIOS, NFS, SMB,
MSN, P2P, etc.; sampling test shall not find any contradictions;
3) List all intrusion analysis methods supported by the product.
8.3.1.1.3 Intrusion discovery
Intrusion discovery test
a) Test evaluation method
1) Configure the intrusion prevention strategy of the intrusion prevention
b) Test evaluation results
1) Be able to successfully intercept the intrusion;
2) It shall be able to record the corresponding attacks of intercepted
intrusions.
8.3.1.3 Intrusion event audit function test
8.3.1.3.1 Event generation
Event generation test:
a) Test evaluation method
1) Log in to the console interface;
2) Check the management interface, to see if the intrusion interception
situation can be viewed in real time and clearly.
b) Test evaluation results
1) Has a display interface for viewing intrusion interception events;
2) The display interface has a clear functional area, which can display
detailed information of intercepted events.
8.3.1.3.2 Event record
Event recording test:
a) Test evaluation method
1) Log in to the console interface;
2) View the detailed information of the recorded interception event on the
display interface.
b) Test evaluation results
The detailed information of the intercepted event displayed on the display
interface shall include the name of the event, the date and time the event
occurred, the source IP address, the source port, the destination IP
address, the destination port, the damage level, etc.
8.3.1.4 Management control function test
8.3.1.4.1 Management interface
a) Test evaluation method
Check what hardware failure handling mechanism the intrusion prevention
product has.
b) Test evaluation results
When the product hardware fails, it shall not affect the smoothness of the
network.
8.3.1.4.5 Policy configuration
Strategy configuration test:
a) Test evaluation method
1) Log in to the product management interface, to view the default policy
provided by the product;
2) Check whether editing or modification is allowed, to generate a new policy;
3) Check whether it can edit or modify the response measures of each
policy.
b) Test evaluation results
1) The product shall provide a default strategy that can be directly applied;
2) Users shall be allowed to edit policies;
3) Has a wizard function for users to edit policies;
4) Support the import and export of policies;
5) Users shall be allowed to edit different response measures of the
policies;
6) Record the types and names of policies provided by the product.
8.3.1.4.6 Product upgrade
Product upgrade test:
a) Test evaluation method
Check the upgrade method of the intrusion signature database.
b) Test evaluation results
1) The intrusion signature database can be manually or automatically
there is no ambiguity;
2) Configuration items. The configuration items are required to have a
unique identification, so as to have a clearer description of the
composition of intrusion prevention products.
b) Test evaluation results
For review records and final results (conformity/nonconformity), the
developer shall provide a unique version number and configuration items.
8.3.3.2 Delivery and operation
Delivery and operation evaluation:
a) Test evaluation method
The evaluator shall review whether the developer has provided
documentation explaining the process of installation, generation, startup,
use of intrusion prevention products. Users can understand the installation,
generation, startup and use process through this document.
b) Test evaluation results
The review records and final results (conformity/nonconformity) shall meet
the requirements of the test evaluation method.
8.3.3.3 Security function development
8.3.3.3.1 Function design
Functional design evaluation:
a) Test evaluation method
The evaluator shall review whether the information provided by the
developer meets the following requirements:
1) Functional design shall use informal styles to describe product security
functions and their external interfaces;
2) The functional design shall be internally consistent;
3) The functional design shall describe the purpose and method of using
all external product security functional interfaces; where appropriate,
provide details of the results affecting exceptions and error messages;
4) The functional design shall completely express the product security
function.
administrator guide includes the following:
1) Management functions and interfaces that can be used by intrusion
prevention products;
2) How to securely manage intrusion prevention products;
3) Functions and permissions that shall be controlled in a secured
processing environment;
4) All assumptions about user behavior related to the secured operation
of intrusion prevention products;
5) All security parameters controlled by the administrator; if possible, the
security value shall be indicated;
6) Every security-related event related to the management function,
including changes to the security features of the entity controlled by the
security function;
7) All the security requirements of the IT environment related to authorized
administrators.
b) Test evaluation results
Review records and final results (conformity/nonconformity), the review
content of the evaluator includes at least seven aspects of the test
evaluation method.
The administrator guide as provided by the developer shall be complete.
8.3.3.4.2 User guide
User guide evaluation:
a) Test evaluation method
The reviewer shall review whether the developer provides a user guide for
users of intrusion prevention products; whether this user guide includes
the following:
1) Security functions and interfaces available to non-administrative users
of intrusion prevention products;
2) The usage of security functions and interfaces provided by intrusion
prevention products to users;
3) All functions and permissions that users can obtain but shall be
codes, documents, prototypes.
b) Test evaluation results
Review records and final results (conformity/nonconformity); the review
content of the evaluator includes at least four aspects of the test
evaluation method.
The documentation provided by the developer shall be complete.
8.3.3.6 Test
8.3.3.6.1 Scope
Scope evaluation:
a) Test evaluation method
The evaluator shall review the test coverage analysis results provided by the
developer; whether it shows that the test identified in the test document
corresponds to the security function described in the security function design.
b) Test evaluation results
Review records and final results (conformity/nonconformity); the test
identified in the test document provided by the developer shall correspond
to the security function described in the security function design.
8.3.3.6.2 Function test
Function test evaluation:
a) Test evaluation method
1) Evaluate whether the test documents provided by the developer include
test plans, test procedures, expected test results, actual test results;
2) Evaluate whether the test plan identifies the security function to be
tested and whether it describes the test objectives;
3) Evaluate whether the test procedure identifies the test to be performed;
whether it describes the test profile of each security function (the profile
includes the order dependence on other test results);
4) Evaluate whether the expected test result shows the expected output
after the test is successful;
5) Evaluate whether the actual test results show that each tested security
function can operate according to requirements.
b) Test evaluation results
1) Be able to ...
...