
GB/T 51434-2021 English PDF

Standard ID GB/T 51434-2021
Contents [version] English
USD 859
[PDF] delivered in 6 days [Need to translate]
Standard Title (Description) Technical standard for internet security facilities engineering
Status Valid


BASIC DATA
Standard ID GB/T 51434-2021 (GB/T51434-2021)
Description (Translated English) Technical standard for internet security facilities engineering
Sector / Industry National Standard (Recommended)
Word Count Estimation 43,459
Date of Issue 2021-04-09
Date of Implementation 2021-10-01
Summary This standard is applicable to the new construction, reconstruction and expansion projects of Internet network security facilities, and covers the technical requirements for the entire process of planning, design, construction, acceptance, and operation and maintenance of Internet network security facilities.


GB/T 51434-2021 English name: Technical standard for internet security facilities engineering

1 General
1.0.1 This standard is formulated in order to standardize the construction of Internet network security facilities in China, ensure that network security facilities and Internet business systems are planned, constructed, and used simultaneously, and that they are technologically advanced, economically reasonable, and safe and applicable.
1.0.2 This standard applies to new construction, reconstruction and expansion projects of Internet network security facilities, covering the technical requirements for the entire process of Internet network security facility engineering planning, design, construction, acceptance, operation and maintenance.
1.0.3 The construction of Internet network security facilities should implement the national network security management guidelines and policies and technical and economic policies.
1.0.4 The construction of Internet network security facilities should fully investigate and analyze the network security requirements and operation and maintenance requirements of the Internet business system, and should consider the impact of new services and new technologies on the structure, function and performance of network security facilities.
1.0.5 The construction of Internet network security facilities should make full use of existing network security facilities, and conduct intensive construction through security capability sharing and centralized management and control.
1.0.6 In addition to implementing this standard, the construction of Internet network security facilities should also comply with the current national standard "Information Security Technology Information System Security Project Management Requirements" GB/T 20282 and other relevant standards.

2 Terms and abbreviations
2.1 Terminology
2.1.1 internet service system
A business system that provides information services to the public through a computer network, composed of hardware and software equipment such as servers, switches, routers, databases, operating systems, and application software.
2.1.2 internet security facilities
Technical facilities such as network security protection facilities, security monitoring facilities, security response facilities, and security recovery facilities constructed to ensure the security, confidentiality, and availability of Internet business systems.
2.1.3 internet security facilities engineering
The process of planning, designing, implementing, checking and accepting, operating and maintaining Internet network security facilities.
2.1.4 network security protection facilities
A network security facility that protects the security, confidentiality and availability of Internet business systems from external damage.
2.1.5 network security detecting facilities
Network security facilities that monitor security threats, security vulnerabilities, and security incidents of Internet business systems.
2.1.6 security response facilities (network security response facilities)
A network security facility that provides technical support for response and disposal work such as analysis, source tracing, blocking, and evidence collection of network attacks.
2.1.7 security recovery facilities (network security recovery facilities)
Network security facilities to quickly restore data and services after emergencies such as network security attacks and natural disasters such as earthquakes and floods.
2.1.8 recovery time objective
After a disaster occurs, the time requirement for an information system or business function to recover from a standstill.
2.1.9 recovery point objective
The point in time to which the system and data must be restored after a disaster.
2.2 Abbreviations
IP: Internet Protocol
RPO: Recovery Point Objective
RTO: Recovery Time Objective
SDN: Software Defined Network
SNMP: Simple Network Management Protocol
SSH: Secure Shell

3 Engineering planning of network security facilities
3.0.1 The engineering planning of network security facilities should ensure the continuous and stable operation of Internet services, effectively defend and monitor network security threats and attacks, and support emergency response to security incidents and business disaster recovery.
3.0.2 The engineering planning of network security facilities shall meet the needs of network security protection, network security monitoring, network security response, and network security recovery in the short-term and long-term development of Internet business systems, and shall comply with the relevant provisions of the current national standard "Information Security Technology Network Security Classified Protection Basic Requirements" GB/T 22239.
3.0.3 The functional performance requirements and construction scale of network security facilities shall be determined according to the Internet business development plan, number of users, network bandwidth, network asset scale, and network security management requirements.
3.0.4 The organization plan of network security facilities and the short-term and long-term evolution routes shall be determined according to the use of existing network security facilities, the development plan and business forecast of Internet business systems, and the development of network security technologies.
3.0.5 The project planning of network security facilities should properly handle the relationship between the whole and the parts, and the global network security facilities should adopt the mode of centralized construction and capacity sharing.
3.0.6 The engineering planning of network security facilities should carry out the technical and economic comparison of various schemes.

4 Engineering Design of Network Security Facilities
4.1 General provisions
4.1.1 The network security facility construction route and technical scheme given by the network security facility engineering design should be consistent with the network security planning, and should be further deepened on the basis of the network security planning combined with specific business scenarios.
4.1.2 The engineering design of network security facilities shall meet the requirements of construction projects such as functions, performance, quality, and engineering investment related to Internet business security assurance.
4.1.3 The network security system design, network security technical scheme design, and network security facility index design should be determined according to the characteristics of Internet services and the relevant requirements for network security level protection.
4.1.4 For new technologies and new applications such as cloud computing, mobile Internet, Internet of Things, SDN, and big data, customized network security design solutions should be adopted, and should comply with the relevant provisions of the current national standard "Information Security Technology Network Security Level Protection Security Design Technology Requirements" GB/T 25070.
4.1.5 Network security reconstruction and expansion projects shall ensure the rational use and full integration of existing network security facilities.
4.1.6 The engineering design of network security facilities shall take into account the specific requirements of Internet business characteristics for security protection facilities, security monitoring facilities, security response facilities, and security recovery facilities, and rationally configure and combine applicable network security facilities to support the entire process of network security management.
4.1.7 The engineering design of network security facilities should achieve network security protection in depth, accurate monitoring, rapid response, and reliable recovery.
4.1.8 The engineering design of network security facilities should include the following contents.
  1 Investigate and sort out the status quo of the network and system;
  2 Clarify the safety guarantee objectives, including the guarantee objects, function and performance objectives, investment cost objectives, etc.;
  3 Network security threats and risk assessment analysis;
  4 Network security system design, including protection system design, monitoring system design, response system design, recovery system design, etc.;
  5 Network security facility performance design, including network attack scale prediction, data scale calculation, security performance analysis, etc.;
  6 Network security facility function, performance analysis and parameter design;
  7 Equipment selection;
  8 Survey the site environment, and determine the final equipment installation configuration, cable layout and other plans.

5.2.2 The construction unit shall establish a construction organization according to the construction organization plan, clarify the division of labor and responsibility, sign a confidentiality agreement, and conduct technical disclosure and necessary technical training.
5.2.3 The construction unit should inspect the construction site before entering the construction site, and the construction conditions should meet the following requirements.
  1 The basic facilities such as power supply, air conditioning, fire protection and security protection in the computer room shall meet the corresponding acceptance requirements;
  2 The environmental conditions such as temperature, humidity, lighting, ventilation, and net height in the machine room should meet the requirements for construction safety operations, and the equipment installation site should be clean and dust-free;
  3 The office space, equipment and facilities storage and storage places, and the deployment of relevant engineering management tools required for construction site management shall meet the construction management requirements;
  4 Dangerous items such as flammable and explosive materials should not be stored in the computer room.
5.2.4 The construction unit shall inspect the equipment and materials before construction starts, and shall comply with the following regulations.
  1 When inspecting equipment and materials, the construction unit or supervisory unit, construction unit and supplier should be present at the same time, and records should be made;
  2 The equipment and equipment shall not be damaged when unpacking and checking. The equipment name, model, specification, quantity, etc. shall meet the requirements of the design and engineering contract;
  3 Active equipment should be energized and tested one by one, and the testing content should include items such as safety, reliability and electromagnetic compatibility;
  4 The software product shall be inspected for its use license and scope of use, shall comply with the design and engineering contract requirements, and the software documentation shall be complete;
  5 The testing of product function and performance shall meet the requirements of national product standards, and products with special requirements may be carried out according to contract regulations or design requirements;
  6 The function, performance and technical indicators of equipment and materials should meet the design requirements and product instructions;
  7 Equipment and materials should be classified and stored after inspection, and should be stacked neatly.
5.2.5 Before entering the site for construction, the construction personnel should be familiar with relevant information such as construction drawings and engineering characteristics, construction scheme, process requirements, construction quality standards and acceptance standards.
5.2.6 The construction unit shall conduct safety and civilized construction education for construction personnel before entering the site for construction.

5.3 Network security device installation
5.3.1 The installation of network security equipment shall meet the requirements of engineering design, product specification and installation process.
5.3.2 Equipment belonging to the same security domain should be installed in the same physical area.
5.3.3 The installation of network security equipment should be stable, firm and easy to operate, maintain and repair.
5.3.4 The function label or product number on the network security equipment shall be correct and clear, and shall not be damaged or lost.
5.3.5 The cables inside the cabinet should be routed along the wire slots inside the cabinet and bound firmly, the cables should avoid crossing, and the power cables and signal cables should be routed separately from both sides of the cabinet.
5.3.6 Network security equipment should be reliably grounded, and anti-static measures should meet equipment and engineering design requirements.
5.3.7 The physical safety of network security equipment shall be protected during the installation process, and the impact on other facilities shall be avoided during the construction process.
5.3.8 A windshield blind plate should be installed in the rack where no equipment is installed, and the windshield blind plate should be able to prevent the mixed flow of hot and cold air.
5.3.9 Reconstruction and expansion projects of network security facilities shall comply with the following regulations.
  1 The network security equipment added in the reconstruction and expansion project should be installed in the same area as the equipment with the same function;
  2 A safe construction plan should be prepared, protective measures should be taken for existing facilities, and the implementation of reconstruction and expansion projects should avoid affecting existing facilities;
  3 When installing or expanding equipment on the powered rack, check the load of the power supply system at all levels, and ensure that the power supply system meets the power-on requirements for new or expanded equipment;
  4 When installing circuit boards or functional modules on operating equipment, construction should be carried out according to product instructions, operation manuals and design requirements, and protective measures should be taken;
  5 An emergency fallback plan should be prepared, and the existing business should be restored as soon as possible in the event of an accident.

5.4 Network security device configuration
5.4.1 After the installation of network security equipment is completed, the equipment shall be configured and shall meet the requirements for subsequent operation and maintenance. Network security device configuration should include, but is not limited to, device account configuration, account password configuration, device authorization configuration, device log configuration, device protocol configuration, and security policy configuration.
5.4.2 Device account configuration should meet the following requirements.
  1 Accounts should be assigned according to users. Different users should not share the same account, and user accounts and communication accounts between devices must not be shared;
  2 Accounts irrelevant to equipment operation and maintenance should be deleted or locked;
  3 Multi-account groups should be established according to system requirements and user business needs, and user accounts should be assigned to corresponding account groups;
  4 Remote login by users with administrator privileges should be restricted. Remote operations with administrator privileges should be performed by remote login as a user with normal privileges and then switched to an account with administrator privileges.
5.4.3 Account password configuration should meet the following requirements.
  1 Devices using static password authentication technology should be configured with secure password length, complexity, validity period and encryption strength, and default passwords or empty passwords are not allowed;
  2 Devices using static password authentication technology should limit the number of consecutive login failures, and the account used by the user should be locked after multiple consecutive login failures.
5.4.4 Device authorization configuration shall comply with the following regulations.
  1 Within the device permission configuration capability, the minimum permissions required should be configured according to the user's business needs;
  2 When creating a new file or directory, the default access permission of the user should be controlled, and the access permission that the new file or directory should not have should be blocked.
5.4.5 The equipment log configuration shall comply with the following regulations.
  1 The device should be configured to record user logins. The recorded content should include the account used by the user to log in, whether the login is successful, the login time, and the IP address used by the user during remote login;
  2 The device should be configured to record users' operations on the device. The recorded operations should include, but are not limited to, account creation, deletion and permission modification, password modification, reading and modifying device configuration, and reading and modifying personal privacy data of business users. Each record should include the user account, operation time, operation content and operation result;
  3 The device should be configured with a system logging function to record security events related to the system;
  4 The device can be configured with a remote log function, and the log content of the device concerned can be transmitted to the log server through the remote log function;
  5 The device shall assign log file read, modify and delete permissions by account.
5.4.6 The equipment protocol configuration shall comply with the following regulations.
  1 The equipment using IP protocol for remote maintenance should be configured to use encryption protocols such as SSH;
  2 The device should set SNMP access security restrictions, allowing only specific hosts to access through SNMP.
5.4.7 Security policy configuration should meet the following requirements.
  1 Security policy configuration should be based on the network security policy scheme in the security design, and should meet the requirements of security domain division and network security protection, monitoring, response and recovery;
  2 The security policy configuration should meet the requirements of the linkage between various security facilities to form an integrated network security system.
5.4.8 Other equipment configurations should meet the following requirements.
  1 When network security defects such as security vulnerabilities are found in the equipment during the configuration process, remedial measures such as security reinforcement should be taken immediately;
  2 The device should close unnecessary services and ports;
  3 The latest security patch should be installed on the device, and the patch should be tested and confirmed before installation.

5.5 Construction management requirements
5.5.1 For network security facility projects with an investment of more than 10 million yuan or involving multiple construction units, it is advisable to hire project supervision units to participate in project construction management.
5.5.2 The construction unit shall ensure the realization of the project quality objectives through quality monitoring analysis and improvement activities during the construction of network security facilities.
5.5.3 The construction unit shall establish a coordination mechanism for the network security facility project, and shall maintain coordination with the construction unit, supervision unit and other third parties.
......
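
Some of the device configuration requirements in 5.4.2, 5.4.3 and 5.4.6 can be checked automatically. The following is an added example, not part of the standard: it assumes a Linux-based appliance managed through OpenSSH (`sshd_config`) and Net-SNMP (`snmpd.conf`), and the sample configurations and function names are constructed for illustration.

```python
# Assumption: a Linux-based appliance managed through OpenSSH and Net-SNMP.
# Both sample configurations below are constructed for illustration.
SSHD_SAMPLE = """\
# constructed sample sshd_config
PermitRootLogin yes
PermitEmptyPasswords no
"""

SNMPD_SAMPLE = """\
# constructed sample snmpd.conf
rocommunity public
rocommunity monitor 192.0.2.10
rwcommunity admin default
"""

COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}  # values that admit every host


def sshd_global_options(text):
    """Return global sshd options; sshd keeps the first value seen per keyword."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()  # sshd keywords are case-insensitive
        if key == "match":      # conditional blocks are outside this check
            break
        if len(parts) == 2:
            opts.setdefault(key, parts[1].strip().lower())
    return opts


def audit_sshd(text):
    """Check 5.4.2 item 4 (admin remote login) and 5.4.3 item 1 (empty passwords)."""
    opts = sshd_global_options(text)
    findings = []
    # OpenSSH defaults to prohibit-password, which still lets root log in with a key.
    root = opts.get("permitrootlogin", "prohibit-password")
    if root != "no":
        findings.append(("5.4.2 item 4", f"PermitRootLogin is '{root}', expected 'no'"))
    if opts.get("permitemptypasswords", "no") == "yes":
        findings.append(("5.4.3 item 1", "PermitEmptyPasswords is 'yes'"))
    return findings


def audit_snmpd(text):
    """Check 5.4.6 item 2: community access must be limited to specific hosts."""
    findings = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0].lower() not in COMMUNITY_DIRECTIVES:
            continue
        # A community line with no SOURCE field is reachable from any host.
        source = tokens[2] if len(tokens) > 2 else "default"
        if source.lower() in ANY_SOURCE:
            findings.append(("5.4.6 item 2",
                             f"{tokens[0]} '{tokens[1]}' accepts any source host"))
    return findings


if __name__ == "__main__":
    for clause, detail in audit_sshd(SSHD_SAMPLE) + audit_snmpd(SNMPD_SAMPLE):
        print(f"[{clause}] {detail}")
```

Login lockout (5.4.3 item 2) and logging (5.4.5) are configured elsewhere on such a system and are not covered by this check.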

Similar standards: GB/T 50726-2023  GB/T 51040-2023