GB/T 38798-2020: Technical requirements for security of integrated broadband access network (Status: Valid)
Basic data
Standard ID: GB/T 38798-2020 (GB/T38798-2020)
Description (translated English): Technical requirements for security of integrated broadband access network
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: M42
Classification of International Standard (ICS): 33.040.50
Word count estimation: 10,147
Date of issue: 2020-04-28
Date of implementation: 2020-11-01
Issuing agencies: State Administration for Market Regulation; Standardization Administration of China
Technical requirements for security of integrated broadband access network
ICS 33.040.50
M42
National Standard of the People's Republic of China
GB/T 38798-2020
Issued 2020-04-28
Implemented 2020-11-01
Issued by the State Administration for Market Regulation and the Standardization Administration of China
Table of contents
Foreword
Introduction
1 Scope
2 Normative references
3 Abbreviations
4 User plane security requirements
4.1 Frame filtering
4.2 Multicast/broadcast/DLF packet storm suppression
4.3 Protocol message rate limiting
4.4 MAC address control function
5 Control plane security requirements
5.1 Equipment authentication
5.2 Controllable multicast
5.3 Filtering function
5.4 Prevention of DoS attacks
5.5 Proxy ARP function
5.6 Heartbeat mechanism
5.7 SIP registration and authentication
6 Management plane security requirements
6.1 Administrator password
6.2 Device access methods
6.3 Network management system security requirements
7 Equipment reliability requirements
7.1 Active/standby switchover of the main control board
7.2 Active/standby power supply switchover
7.3 Environmental monitoring
8 Equipment electrical safety requirements
8.1 Insulation resistance
8.2 Grounding resistance
8.3 Overvoltage and overcurrent protection
8.4 Electromagnetic compatibility
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Please note that certain contents of this document may involve patents. The issuing agency of this document is not responsible for identifying these patents.
This standard was proposed by the Ministry of Industry and Information Technology of the People's Republic of China.
This standard is under the jurisdiction of the National Communication Standardization Technical Committee (SAC/TC485).
Drafting organization of this standard: China Academy of Information and Communications Technology.
Main drafters of this standard: Zhuo Ansheng, Liu Qian, Cheng Qiang, Chen Jie.
Introduction
To prevent theft of network resources, unauthorised use of network services and malicious attacks, and to improve the security and reliability of next-generation network equipment, ITU-T published ITU-T X.805, "Security architecture for systems providing end-to-end communications", in 2003. It defines a unified security framework for end-to-end communication systems with three security layers (the applications layer, the services layer and the infrastructure layer) and three security planes (the end-user plane, the control plane and the management plane). Each combination of layer and plane is considered against eight security dimensions: access control, authentication, non-repudiation, data confidentiality, communication security, data integrity, availability and privacy.
In recent years, with the growth of Internet services and the evolution of broadband access networks towards higher bandwidth, convergence and software-based implementation, the integrated broadband access network faces a more complex security environment than the earlier single-service, single-network case, and technology upgrades have brought new threats and new defences. It is therefore necessary to formulate security standards for broadband access networks.
With reference to the relevant guidelines of ITU-T X.805 and the characteristics of integrated broadband access network equipment, this standard covers the user, control and management planes and, for each plane, defines its security requirements in terms of access control, authentication, communication security and availability.
Technical requirements for security of integrated broadband access network
1 Scope
This standard specifies the user plane security requirements, control plane security requirements, management plane security requirements, equipment reliability requirements and electrical safety requirements for integrated broadband access network equipment.
This standard applies to integrated broadband access network equipment of the public telecommunication network; integrated broadband access network equipment of private telecommunication networks may also refer to it.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the cited edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 9254 Information technology equipment. Radio disturbance characteristics. Limits and methods of measurement
GB/T 17618 Information technology equipment. Immunity characteristics. Limits and methods of measurement
YD/T 1082 Technical requirements and test methods for overvoltage and overcurrent protection and basic environmental adaptability of access network equipment
3 Abbreviations
VoIP: Voice over Internet Protocol
4 User plane security requirements
4.1 Frame filtering
Depending on the device type, the equipment shall support filtering of uplink and downlink Ethernet frames by physical port, Ethernet encapsulation protocol (EtherType), source/destination MAC address, source/destination IP address, Ethernet priority tag and TCP/UDP port number.
4.2 Multicast/broadcast/DLF packet storm suppression
The equipment shall support rate suppression of Layer 2 multicast, broadcast and DLF (destination lookup failure, i.e. unknown-unicast) frames; this function shall be enabled by default in the upstream direction.
Global suppression shall be supported; suppression per VLAN and per port is recommended.
4.3 Protocol message rate limiting
The equipment shall support rate limiting of specific protocol messages (for example DHCP, IGMP and ICMP).
4.4 MAC address control function
The equipment shall support limiting the number of MAC addresses learned on a port, and the limit shall be configurable.
When the configured MAC address table depth is reached, the device shall ignore newly seen MAC addresses until existing entries age out.
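The four user-plane controls above are normally implemented in switch silicon, but their interaction is easiest to see in a small model. The following Python model is an added example, not text or code from GB/T 38798-2020: it runs constructed frames through a deny-list filter (4.1), a per-port token-bucket policer for broadcast/multicast/DLF frames (4.2), per-protocol policers (4.3) and a per-port MAC learning limit with aging (4.4). The `Frame` fields, the deny rules (Telnet and LLDP from user ports), the rates and the sample traffic are all assumptions made for the illustration.

```python
"""Model of the user-plane ingress controls in 4.1-4.4: a deny-list frame filter,
broadcast/multicast/DLF storm suppression, per-protocol rate limiting and a
per-port MAC learning limit with aging. Added example, not from the standard;
every field name, rate and sample frame is constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Frame:
    port: int
    src_mac: str
    dst_mac: str
    ethertype: int       # 0x0800 IPv4, 0x0806 ARP
    proto: str = ""      # "dhcp", "igmp", "icmp", "tcp", ... (pre-classified for the model)
    dport: int = 0


class TokenBucket:
    """Policer allowing `rate` frames per second with a burst of `burst` frames."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class UserPlane:
    def __init__(self, mac_limit=2, mac_age=300.0, storm_pps=5, proto_pps=3):
        self.mac_limit, self.mac_age = mac_limit, mac_age
        self.storm_pps, self.proto_pps = storm_pps, proto_pps
        self.mac_table = {}       # src MAC -> (port, last seen)        (4.4)
        self.storm_buckets = {}   # port -> TokenBucket                  (4.2)
        self.proto_buckets = {}   # (port, proto) -> TokenBucket         (4.3)
        # 4.1: hypothetical policy; a frame matching any (field, value) pair is dropped
        self.deny_rules = [("dport", 23), ("ethertype", 0x88CC)]
        self.stats = {"filtered": 0, "storm": 0, "proto": 0, "mac_ignored": 0, "forwarded": 0}

    def ingress(self, f, now):
        """Run one upstream frame through the pipeline and return its disposition."""
        if any(getattr(f, field) == value for field, value in self.deny_rules):
            self.stats["filtered"] += 1
            return "filtered"
        # Broadcast/multicast have the I/G bit set; DLF means the destination is not in the table.
        group_addr = int(f.dst_mac.split(":")[0], 16) & 1
        if group_addr or f.dst_mac not in self.mac_table:
            bucket = self.storm_buckets.setdefault(f.port, TokenBucket(self.storm_pps, self.storm_pps))
            if not bucket.allow(now):
                self.stats["storm"] += 1
                return "storm"
        if f.proto in ("dhcp", "igmp", "icmp"):
            key = (f.port, f.proto)
            bucket = self.proto_buckets.setdefault(key, TokenBucket(self.proto_pps, self.proto_pps))
            if not bucket.allow(now):
                self.stats["proto"] += 1
                return "proto"
        self.learn(f.port, f.src_mac, now)
        self.stats["forwarded"] += 1
        return "forwarded"

    def learn(self, port, mac, now):
        """4.4: at most `mac_limit` addresses per port; beyond that a new MAC is ignored
        until an old entry on the port ages out. Returns True if the MAC is in the table."""
        if mac in self.mac_table:
            self.mac_table[mac] = (port, now)
            return True
        for old, (p, seen) in list(self.mac_table.items()):
            if p == port and now - seen > self.mac_age:
                del self.mac_table[old]
        if sum(1 for p, _ in self.mac_table.values() if p == port) >= self.mac_limit:
            self.stats["mac_ignored"] += 1
            return False
        self.mac_table[mac] = (port, now)
        return True


def demo():
    """Constructed traffic: an uplink host, a MAC-flooding user port, an ARP broadcast
    burst, an ICMP burst, a Telnet attempt, and a new MAC after the aging time."""
    up = UserPlane()
    uplink = "02:aa:aa:aa:aa:aa"
    up.ingress(Frame(2, uplink, "ff:ff:ff:ff:ff:ff", 0x0806, "arp"), now=0.0)   # learn uplink MAC
    for i in range(10):   # ten distinct source MACs from port 1 within one second
        up.ingress(Frame(1, f"02:00:00:00:00:{i:02x}", uplink, 0x0800, "tcp", dport=80), now=1.0)
    r = {"learned_after_flood": sum(1 for p, _ in up.mac_table.values() if p == 1),
         "mac_ignored": up.stats["mac_ignored"]}
    burst = [up.ingress(Frame(3, "02:00:00:00:03:00", "ff:ff:ff:ff:ff:ff", 0x0806, "arp"), now=2.0)
             for _ in range(8)]
    r["storm_dropped"] = burst.count("storm")
    pings = [up.ingress(Frame(1, "02:00:00:00:00:00", uplink, 0x0800, "icmp"), now=3.0) for _ in range(5)]
    r["icmp_dropped"] = pings.count("proto")
    r["telnet"] = up.ingress(Frame(1, "02:00:00:00:00:00", uplink, 0x0800, "tcp", dport=23), now=4.0)
    r["learned_after_aging"] = up.learn(1, "02:00:00:00:00:ee", now=400.0)
    return r


if __name__ == "__main__":
    print(demo())
```

With a limit of two addresses per port, the flood of ten source MACs leaves only the first two in the table and the rest ignored, exactly the behaviour 4.4 asks for; at 400 s the two stale entries have aged out and a new address is learned again. The storm and protocol policers use the same token bucket, which is why 4.2 and 4.3 are usually one feature with two sets of keys in real equipment.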
5 Control plane security requirements
5.1 Equipment authentication
The equipment shall support authentication of the legitimacy of access devices, and shall refuse network access and service to devices that have not passed authentication.
5.2 Controllable multicast
The equipment shall support multicast permission control to prevent unauthorised users from obtaining multicast services.
5.3 Filtering function
The equipment shall support filtering of IGMP query frames and DHCP OFFER/ACK/NAK frames received from user ports.
The equipment shall support configuring legitimate multicast sources on the network side and filtering illegitimate multicast sources.
5.4 Prevention of DoS attacks
The equipment shall be resistant to DoS attacks that target the device itself, such as Ping of Death, SYN Flood and LAND.
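What 5.3 and 5.4 ask for can be checked packet by packet. The code below is an added example, not part of the standard: it builds raw IPv4 packets with `struct` (constructed, not captured traffic), parses the few fields the checks need, and drops DHCP OFFER/ACK/NAK and IGMP queries arriving on user ports, LAND packets, fragments that would reassemble beyond 65535 bytes (Ping of Death), and bare SYNs above a per-destination count. The port numbering, the SYN threshold and the window handling are illustrative assumptions; a real implementation would age the SYN counters over time.

```python
"""Packet-level checks for 5.3 (no IGMP queries or DHCP OFFER/ACK/NAK from user
ports) and 5.4 (LAND, Ping of Death, SYN flood). Added example, not from the
standard; the packets are constructed inline with struct and the SYN threshold
is illustrative."""
import socket
import struct
from collections import defaultdict

DHCP_SERVER_MSGS = {2: "OFFER", 5: "ACK", 6: "NAK"}   # DHCP option 53 values
DHCP_COOKIE = b"\x63\x82\x53\x63"
IGMP_QUERY = 0x11


def ip_hdr(proto, src, dst, payload_len, frag_off=0):
    """IPv4 header (checksum left zero); frag_off is in 8-byte units."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, frag_off & 0x1FFF,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def udp(sport, dport, body):
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body


def tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def dhcp(msg_type):
    """Minimal BOOTP body, magic cookie, option 53, END."""
    return bytes(236) + DHCP_COOKIE + bytes([53, 1, msg_type, 255])


def dhcp_message_type(options):
    i = 0
    while i < len(options) and options[i] != 255:   # 255 = END
        if options[i] == 0:                         # 0 = PAD (no length byte)
            i += 1
            continue
        if options[i] == 53:
            return options[i + 2]
        i += 2 + options[i + 1]
    return None


def parse(pkt):
    """Pull out the fields the checks need from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total, flags_frag = struct.unpack("!HHH", pkt[2:8])[0::2]
    p = {"proto": pkt[9], "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
         "frag_off": (flags_frag & 0x1FFF) * 8, "payload_len": total - ihl}
    l4 = pkt[ihl:]
    if p["proto"] in (6, 17):
        p["sport"], p["dport"] = struct.unpack("!HH", l4[:4])
    if p["proto"] == 6:
        p["tcp_flags"] = l4[13]
    elif p["proto"] == 17 and (p["sport"] == 67 or p["dport"] == 68) and l4[244:248] == DHCP_COOKIE:
        p["dhcp_type"] = dhcp_message_type(l4[248:])   # 8-byte UDP header + 236-byte BOOTP body
    elif p["proto"] == 2:
        p["igmp_type"] = l4[0]
    return p


class ControlPlaneGuard:
    def __init__(self, user_ports, syn_threshold=5):
        self.user_ports, self.syn_threshold = set(user_ports), syn_threshold
        self.syn_counts = defaultdict(int)   # bare SYNs per destination in the current window

    def inspect(self, port, pkt):
        """Return 'forward' or 'drop: <reason>' for a packet received on `port`."""
        p = parse(pkt)
        if port in self.user_ports:                                      # 5.3
            if p.get("dhcp_type") in DHCP_SERVER_MSGS:
                return f"drop: DHCP{DHCP_SERVER_MSGS[p['dhcp_type']]} from user port"
            if p.get("igmp_type") == IGMP_QUERY:
                return "drop: IGMP query from user port"
        if p["src"] == p["dst"] and (p["proto"] != 6 or p["sport"] == p["dport"]):
            return "drop: LAND"                                          # 5.4
        if p["frag_off"] + p["payload_len"] > 65535:                     # 5.4: reassembles past 64 KiB
            return "drop: Ping of Death"
        if p["proto"] == 6 and (p["tcp_flags"] & 0x12) == 0x02:          # SYN without ACK
            self.syn_counts[p["dst"]] += 1
            if self.syn_counts[p["dst"]] > self.syn_threshold:
                return "drop: SYN flood"                                 # 5.4
        return "forward"


def demo():
    """Constructed packets: rogue DHCPOFFER, rogue IGMP query, LAND, oversized fragment, SYN burst."""
    g = ControlPlaneGuard(user_ports={1, 2})
    body = dhcp(2)
    offer = ip_hdr(17, "10.0.0.99", "255.255.255.255", 8 + len(body)) + udp(67, 68, body)
    query = ip_hdr(2, "10.0.0.5", "224.0.0.1", 8) + bytes([IGMP_QUERY, 0x64, 0, 0, 0, 0, 0, 0])
    land = ip_hdr(6, "10.0.0.1", "10.0.0.1", 20) + tcp(80, 80, 0x02)
    pod = ip_hdr(1, "10.0.0.7", "10.0.0.1", 20, frag_off=8191) + bytes(20)   # offset 65528 + 20 bytes
    syns = [ip_hdr(6, f"10.0.1.{i}", "10.0.0.1", 20) + tcp(40000 + i, 443, 0x02) for i in range(6)]
    return {"offer_user": g.inspect(1, offer), "offer_uplink": g.inspect(0, offer),
            "igmp_query_user": g.inspect(2, query), "land": g.inspect(0, land),
            "pod": g.inspect(0, pod), "syn_flood": [g.inspect(0, s) for s in syns][-1]}
```

The same DHCPOFFER is forwarded when it arrives on the uplink (port 0) and dropped when it arrives on a user port, which is the whole point of 5.3: the classification is by message type and ingress port, not by source address, so a rogue server on the subscriber side cannot hide behind a spoofed IP.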
5.5 Proxy ARP function
To prevent broadcast storms, the proxy ARP function shall be supported; devices that provide Layer 3 functions shall support proxy ARP.
5.6 Heartbeat mechanism
Equipment that provides VoIP services shall support sending periodic heartbeat messages to the softswitch/IMS, and shall respond correctly to heartbeat messages sent by the softswitch/IMS.
5.7 SIP registration and authentication
Devices that provide VoIP services using SIP shall support authentication when registering with the softswitch/IMS.
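As an added illustration of the registration authentication in 5.7 (not code from the standard), the following is a SIP REGISTER exchange using Digest authentication as specified in RFC 3261 section 22, with both sides shown: the registrar (standing in for the softswitch/IMS) answers an unauthenticated REGISTER with a 401 carrying a nonce, the user agent computes the MD5 digest response, and the registrar checks it against a stored HA1 rather than a plaintext password. The realm, user identity, password and the single-use nonce policy are assumptions for the example, and the messages carry only the headers the exchange needs.

```python
"""SIP REGISTER with Digest authentication (RFC 3261 section 22, which reuses
HTTP Digest with MD5): the registrar challenges with a fresh nonce, the UA
answers with a response hash, and the registrar verifies it against stored HA1.
Added example of the 5.7 exchange, not from the standard; realm, user and
password are constructed."""
import hashlib
import re
import secrets


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_params(header):
    """Parse the 'Digest k="v", k2=v2, ...' part of a challenge or credentials header."""
    return dict(re.findall(r'(\w+)="?([^",\r\n]+)"?', header.split("Digest", 1)[1]))


class Registrar:
    """Softswitch/IMS side. Holds HA1 = MD5(user:realm:password), never the password."""
    def __init__(self, realm, ha1_by_user):
        self.realm, self.ha1_by_user, self.live_nonces = realm, ha1_by_user, set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return (f'SIP/2.0 401 Unauthorized\r\nWWW-Authenticate: Digest realm="{self.realm}", '
                f'nonce="{nonce}", qop="auth", algorithm=MD5\r\n\r\n')

    def register(self, request):
        """Return the status code for a REGISTER request."""
        m = re.search(r"^Authorization: (.*)$", request, re.M)
        if not m:
            return 401
        a = digest_params(m.group(1))
        if a.get("nonce") not in self.live_nonces:
            return 401                               # unknown, expired or replayed nonce
        self.live_nonces.discard(a["nonce"])         # single use: a captured response cannot be replayed
        ha1 = self.ha1_by_user.get(a.get("username"))
        if ha1 is None or a.get("realm") != self.realm:
            return 401                               # same answer as a bad password: no enumeration
        ha2 = md5hex(f"REGISTER:{a.get('uri', '')}")
        expected = md5hex(f"{ha1}:{a['nonce']}:{a.get('nc', '')}:{a.get('cnonce', '')}:auth:{ha2}")
        return 200 if secrets.compare_digest(expected, a.get("response", "")) else 401


class UserAgent:
    def __init__(self, user, password, uri):
        self.user, self.password, self.uri = user, password, uri

    def register(self, challenge=None):
        """REGISTER without credentials, or with a Digest answer to `challenge`."""
        req = f"REGISTER {self.uri} SIP/2.0\r\nFrom: <sip:{self.user}@{self.uri[4:]}>\r\n"
        if challenge:
            c = digest_params(challenge)
            cnonce, nc = secrets.token_hex(8), "00000001"
            ha1 = md5hex(f"{self.user}:{c['realm']}:{self.password}")
            ha2 = md5hex(f"REGISTER:{self.uri}")
            resp = md5hex(f"{ha1}:{c['nonce']}:{nc}:{cnonce}:{c['qop']}:{ha2}")
            req += (f'Authorization: Digest username="{self.user}", realm="{c["realm"]}", '
                    f'nonce="{c["nonce"]}", uri="{self.uri}", qop=auth, nc={nc}, '
                    f'cnonce="{cnonce}", response="{resp}", algorithm=MD5\r\n')
        return req + "\r\n"


def demo():
    realm, user, password = "ims.example.net", "+861012345678", "constructed-pw"
    reg = Registrar(realm, {user: md5hex(f"{user}:{realm}:{password}")})
    ua = UserAgent(user, password, f"sip:{realm}")
    intruder = UserAgent(user, "guess", f"sip:{realm}")
    good = ua.register(reg.challenge())
    return {"unauthenticated": reg.register(ua.register()),
            "authenticated": reg.register(good),
            "replayed": reg.register(good),
            "wrong_password": reg.register(intruder.register(reg.challenge()))}
```

Storing HA1 instead of the password is the usual way to satisfy 6.1 on the registrar side; note that HA1 is still a password-equivalent for this realm, so it needs the same protection as the password would. The single-use nonce set is what makes a captured Authorization header useless a second time.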
6 Management plane security requirements
6.1 Administrator password
Whatever the management method, management users of the equipment shall be authenticated and authorised; authentication and authorisation are the basis of system access. Security data related to administrator rights shall be properly protected.
Passwords shall not be stored in plaintext, whether on the equipment or in the network management system.
6.2 Device access methods
6.2.1 SNMP access
Devices that support SNMP access shall support SNMPv1 or SNMPv2c, and shall support SNMPv3.
When SNMPv1 or SNMPv2c is used, the device shall be able to combine SNMP access with an access control list to block unauthorised network management stations; public/private shall not be used as default community names; the default read-only and read-write community names shall not be the same; and the device shall prompt the administrator to change the community names.
When SNMPv3 is supported, security mechanisms such as USM shall be supported.
Access control of network management stations should be implemented, restricting SNMP access to the device to specified IP addresses.
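The SNMP conditions in 6.2.1 are easy to state and easy to lose in a running configuration, so an audit script is the practical check. The following is an added example, not from the standard; the configuration lines use a constructed, vendor-neutral syntax (`snmp community NAME ro|rw [acl ACL]`, `snmp acl ACL permit PREFIX`, `snmp v3 user NAME noauth|auth HASH [priv CIPHER]`) that does not correspond to any real vendor's CLI, and both sample configurations are constructed.

```python
"""Audit of an SNMP management-access stanza against 6.2.1: no public/private
communities, distinct read-only and read-write names, an access control list on
every v1/v2c community, and SNMPv3 users at a USM level that authenticates.
Added example, not from the standard; the line syntax is a constructed,
vendor-neutral form, not any real CLI, and both configs are constructed."""
import re

DEFAULT_COMMUNITIES = {"public", "private"}
USM_LEVEL = {"noauth": "noAuthNoPriv", "auth": "authNoPriv", "priv": "authPriv"}

BAD_CONFIG = """\
snmp version v2c
snmp community public ro
snmp community private rw
snmp community Ops2020 ro
snmp community Ops2020 rw acl nms-hosts
snmp v3 user nms-ro noauth
"""

GOOD_CONFIG = """\
snmp acl nms-hosts permit 10.1.0.0/24
snmp community r0-Xk7pQ ro acl nms-hosts
snmp community rw-9Lm2Vb rw acl nms-hosts
snmp v3 user nms-admin auth sha priv aes
"""


def audit_snmp(config):
    """Return a sorted list of (severity, finding) tuples for the given config text."""
    entries, acls, v3_users, findings = [], set(), [], []
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"snmp community (\S+) (ro|rw)(?: acl (\S+))?", line):
            entries.append((m[1], m[2], m[3]))
        elif m := re.fullmatch(r"snmp acl (\S+) permit \S+", line):
            acls.add(m[1])
        elif m := re.fullmatch(r"snmp v3 user (\S+) (noauth|auth \S+( priv \S+)?)", line):
            v3_users.append((m[1], "noauth" if m[2] == "noauth" else ("priv" if m[3] else "auth")))
    for name, mode, acl in entries:
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(("high", f"community '{name}' is a well-known default name"))
        if acl is None:
            findings.append(("medium", f"{mode} community '{name}' has no access control list"))
        elif acl not in acls:
            findings.append(("high", f"community '{name}' references undefined acl '{acl}'"))
    ro = {n for n, m, _ in entries if m == "ro"}
    rw = {n for n, m, _ in entries if m == "rw"}
    for name in ro & rw:
        findings.append(("high", f"read-only and read-write communities share the name '{name}'"))
    for name, level in v3_users:
        if level == "noauth":
            findings.append(("high", f"SNMPv3 user '{name}' is {USM_LEVEL[level]}: no USM authentication"))
        elif level == "auth":
            findings.append(("medium", f"SNMPv3 user '{name}' is {USM_LEVEL[level]}: traffic not encrypted"))
    if entries and not v3_users:
        findings.append(("medium", "only SNMPv1/v2c communities configured; SNMPv3 with USM shall be supported"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, text in audit_snmp(BAD_CONFIG):
        print(f"[{severity}] {text}")
```

The "shared name" check is the one most often missed: 6.2.1 requires the read-only and read-write community names to differ, because a read-only string that doubles as the write string turns every read-only leak into full control of the device.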
6.2.2 Local console access
Devices that support local console access shall support out-of-band operation and maintenance through their console interface.
Interaction between the maintenance terminal and the device shall be given the same security protection as Telnet access.
6.2.3 Telnet access
Devices that support Telnet access shall meet the following security requirements:
a) users shall provide a user name and password before any further operation, and the user's address and operations shall be recorded in the log;
b) a hierarchical management mechanism for user accounts shall be provided, together with control of Telnet user permissions;
c) the number of concurrent users shall be limited;
d) a user with no interaction within the configured time shall be logged out automatically (terminal timeout lock);
e) it shall be possible to restrict the IP addresses from which users may access the device via Telnet;
f) Telnet password-guessing attacks shall be defended against, either by delaying responses to the same IP address or by limiting the number of login attempts from the same IP address;
g) it shall be possible to disable the Telnet service.
6.2.4 Web access
Devices that support web access shall meet the following security requirements:
a) users shall provide a user name and password before any further operation, and the user's address and operations shall be recorded in the log;
b) it shall be possible to restrict the IP addresses from which users may access the device via HTTP;
c) it shall be possible to disable the HTTP service;
d) SSL/TLS or other security measures shall be supported to protect the integrity of management user data.
6.2.5 TR-069 access
Devices that support TR-069 access shall meet the following security requirements:
a) the interface between the terminal equipment and the RMS shall be secured by a combination of SSL/TLS encryption and WWW-Authentication;
b) when establishing the SSL/TLS secure channel, the RMS need not authenticate the terminal device by certificate; the terminal device shall support both certificate-based and non-certificate-based key exchange and authentication methods for verifying the legitimacy of the RMS.
6.3 Network management system security requirements
6.3.1 Security policy management
The network management system shall provide unified security policy control, including the following:
a) login policy management: setting the number of failed logins before lockout and the lock duration, the validity period of management user accounts, the idle timeout before automatic logout, the time periods during which an account may log in, the maximum number of concurrent connections for one account, and so on;
b) management of users;
c) management user password policy: restricting the length and composition of passwords set by management users, providing a password reset function, setting the number of days a password remains valid, and so on;
d) IP-based login policy for management users, binding each management user to its login IP addresses.
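The login policy items in 6.3.1, the lockout and alarm in 6.3.4 c), the per-address throttling in 6.2.3 f) and the no-plaintext rule in 6.1 all sit on one authentication path. The following Python class is an added example rather than text from the standard: passwords are stored as salted PBKDF2-HMAC-SHA256 hashes, the account locks after a configurable number of consecutive failures and raises an alarm, a source address is blocked after too many failures, logins are bound to permitted addresses, sessions are capped per account and expire when idle, and passwords must meet length and composition rules and are rejected after their validity period. Every threshold, the account and the addresses are assumptions for the illustration.

```python
"""Management-plane login handling for 6.1 (no plaintext passwords), 6.2.3 f)
(per-source-address throttling) and 6.3.1 (failure lockout and alarm, account
validity, idle timeout, password rules, login-address binding, session cap).
Added example, not from the standard; thresholds and accounts are constructed."""
import hashlib, hmac, os, secrets
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000   # kept modest so the demo runs quickly; raise it in production


@dataclass
class Policy:
    max_failures: int = 5        # consecutive failures before lockout   (6.3.1 a)
    lock_seconds: float = 300.0  # lock duration                         (6.3.1 a)
    idle_seconds: float = 600.0  # automatic logout when idle            (6.3.1 a)
    max_sessions: int = 2        # concurrent sessions per account       (6.3.1 a)
    password_days: int = 90      # password validity                     (6.3.1 c)
    min_length: int = 10         # password composition                  (6.3.1 c)
    ip_max_failures: int = 10    # failures tolerated per source address (6.2.3 f)


@dataclass
class Account:
    salt: bytes
    pwd_hash: bytes              # PBKDF2-HMAC-SHA256 of the password, never the password (6.1)
    set_at: float
    allowed_ips: set             # login-address binding (6.3.1 d)
    failures: int = 0
    locked_until: float = 0.0


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_violations(pw, policy):
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    problems = ["too short"] if len(pw) < policy.min_length else []
    if sum(classes) < 3:
        problems.append("needs 3 of: lower, upper, digit, symbol")
    return problems


class LoginManager:
    def __init__(self, policy):
        self.policy, self.accounts, self.sessions = policy, {}, {}
        self.ip_failures, self.alarms = {}, []

    def add_user(self, name, password, allowed_ips, now):
        if problems := password_violations(password, self.policy):
            raise ValueError(", ".join(problems))
        salt = os.urandom(16)
        self.accounts[name] = Account(salt, hash_password(password, salt), now, set(allowed_ips))

    def login(self, name, password, ip, now):
        """Return (status, session token or None)."""
        p, acct = self.policy, self.accounts.get(name)
        if self.ip_failures.get(ip, 0) >= p.ip_max_failures:
            return "source blocked", None
        if acct is None or ip not in acct.allowed_ips:      # unknown user or unbound address:
            return self._fail(ip), None                      # same answer as a bad password
        if now < acct.locked_until:
            return "locked", None
        if now - acct.set_at > p.password_days * 86400:
            return "password expired", None
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pwd_hash):
            return self._fail(ip, acct, name, now), None
        acct.failures = 0
        if sum(1 for s in self.sessions.values() if s["user"] == name) >= p.max_sessions:
            return "too many sessions", None
        token = secrets.token_urlsafe(16)
        self.sessions[token] = {"user": name, "ip": ip, "last": now}
        return "ok", token

    def _fail(self, ip, acct=None, name="", now=0.0):
        self.ip_failures[ip] = self.ip_failures.get(ip, 0) + 1
        if acct is not None:
            acct.failures += 1
            if acct.failures >= self.policy.max_failures:
                acct.locked_until = now + self.policy.lock_seconds
                self.alarms.append(f"illegal login: {name} locked after {acct.failures} failures from {ip}")
                return "locked"
        return "denied"

    def touch(self, token, now):
        """Refresh a session; drop it and return False once it has been idle too long."""
        s = self.sessions.get(token)
        if s and now - s["last"] <= self.policy.idle_seconds:
            s["last"] = now
            return True
        self.sessions.pop(token, None)
        return False


def demo():
    lm, pw, ip = LoginManager(Policy()), "Tr0ub4dor-&3x", "10.1.0.5"
    lm.add_user("netadmin", pw, {ip}, now=0.0)
    r = {"weak_rejected": password_violations("password", lm.policy)}
    r["fifth_attempt"] = [lm.login("netadmin", "wrong", ip, now=float(i))[0] for i in range(5)][-1]
    r["alarm_raised"] = len(lm.alarms) == 1
    r["correct_while_locked"] = lm.login("netadmin", pw, ip, now=10.0)[0]
    r["after_lock_expiry"], tok1 = lm.login("netadmin", pw, ip, now=400.0)
    r["wrong_ip"] = lm.login("netadmin", pw, "192.0.2.9", now=401.0)[0]
    _, tok2 = lm.login("netadmin", pw, ip, now=402.0)
    r["third_session"] = lm.login("netadmin", pw, ip, now=403.0)[0]
    r["idle_alive"], r["idle_expired"] = lm.touch(tok1, now=900.0), lm.touch(tok2, now=1200.0)
    r["plaintext_stored"] = pw.encode() in lm.accounts["netadmin"].pwd_hash
    return r
```

Two details matter more than the thresholds. An unknown account, a wrong address and a wrong password all return the same "denied" so the login prompt cannot be used to enumerate administrators, and the lock is enforced even when the correct password is presented, which is what turns 6.3.4 c) from an alarm into an actual brake on guessing.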
6.3.2 Role management
A role represents a specific set of permissions: the client IP address range from which the management user may log in, the operations the management user may perform, the resources the management user may manage, and so on.
Through security management, roles can be created, deleted and modified dynamically to form new permission sets that are assigned to management users, so as to control management user rights.
The role management function shall include the following:
a) adding, deleting and modifying roles;
b) assigning management resources (the range of manageable objects) and operation permissions to roles;
c) in terms of operation permissions, the network management system shall provide three default roles:
--- System administrator: may perform all functions provided by the network management system, including permission assignment;
--- Configuration administrator: may perform the functions of the network management system that modify data on the devices and on the system itself (excluding permission assignment), such as resource maintenance, device configuration, version upgrade and system maintenance;
--- Monitoring administrator: may perform the device monitoring functions of the network management system and the query and audit functions for the system itself, such as resource query, alarm monitoring, performance statistics and log query.
The network management system shall provide flexible role creation; for example, version administrator and statistics administrator roles can be created according to the needs of management users.
In terms of management resources, it shall be possible to specify the management scope to which these operation permissions apply.
6.3.3 Account management
Management and maintenance of the management user accounts of the network management system, including:
a) adding an account;
b) deleting an account;
c) modifying account information;
d) querying account information.
Management user account information includes:
a) user account;
b) user password;
c) password validity period;
d) user role;
e) additional notes.
The same administrator account may belong to multiple role groups.
6.3.4 User login management
The network management system shall provide complete user login management functions, including:
a) only users registered on the server can log in to the network management system; if the access control list function is enabled, the client must also match an entry in the network management system's ACL table before the user may log in;
b) a logged-in user may only perform the operations authorised for it;
c) login failure alarm: when several consecutive login failures occur for the same management account, the network management system shall generate an illegal-login alarm and lock the management account;
d) manual logout of logged-in users;
e) manual or automatic locking of the client terminal, or logout after timeout.
6.3.5 Online user management
The network management system shall be able to monitor online users and their login status in real time, including:
a) logged-in user;
b) login time;
c) operating terminal information.
The network management system shall be able to manage online users; super users can view the operations performed by ordinary users and force them to log out.
6.3.6 Log management
Management users can query logs by the given conditions and sort the results.
The query conditions are:
a) a given time or time period;
b) a given user;
c) a given log type.
The information that can be queried includes:
a) log type, including operation logs, system logs and security logs;
b) operation time;
c) operator;
d) operation name;
e) operation object;
f) operation content;
g) operating terminal;
h) operation result (for example, success or failure).
7 Equipment reliability requirements
7.1 Active/standby switchover of the main control board
Hot backup of the main control board shall be supported. During main control board switchover, no service configuration or service connection shall be lost or corrupted, and service quality shall not be affected.
Main control board switchover shall support both manual and automatic switching.
7.2 Active/standby power supply switchover
Two power supply modules shall be supported. On failure of either power supply, the equipment shall continue to operate normally and service quality shall not be affected.
7.3 Environmental monitoring
The equipment shall support collecting and reporting environmental information such as fan operating status and internal temperature.
8 Equipment electrical safety requirements
8.1 Insulation resistance
Under normal conditions, the insulation resistance of the equipment shall be not less than 50 MΩ.
8.2 Grounding resistance
The grounding resistance of the equipment shall be less than 5 Ω.
8.3 Overvoltage and overcurrent protection
The equipment shall be fitted with overvoltage and overcurrent protectors, which protect the core of the device when the external power supply is abnormal.
The equipment shall meet the requirements of YD/T 1082 for simulated lightning surge, power line induction, power line contact and other indicators.
8.4 Electromagnetic compatibility
The electromagnetic compatibility of the equipment shall meet the requirements of GB/T 9254 and GB/T 17618.