GM/T 0052-2016 (GMT0052-2016)

BASIC DATA
Standard ID: GM/T 0052-2016 (GM/T0052-2016)
Description (Translated English): Cryptographic equipment management - Monitoring management specification of VPN device
Sector / Industry: Chinese Industry Standard (Recommended)
Classification of Chinese Standard: L80
Word Count Estimation: 19,127
Date of Issue: 2016-12-23
Date of Implementation: 2016-12-23
Regulation (derived from): State Cryptography Administration Notice No. 31

GM/T 0052-2016
GM
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
File No.: 58557-2017
Cryptographic equipment management -
Monitoring management specification of VPN device
ISSUED ON: DECEMBER 23, 2016
IMPLEMENTED ON: DECEMBER 23, 2016
Issued by: State Cryptography Administration
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Monitoring management system of VPN device
5.1 Architecture
5.2 Functional requirements
5.3 Management application layer
5.4 Management platform layer
5.5 Monitoring equipment layer of VPN device
5.6 Secure communication
5.7 Monitoring management process of VPN device
6 Monitoring data collection rules for VPN devices
6.1 Filtering rules
6.2 Detection rules based on the IPSec VPN protocol
6.3 Detection rules based on the SSL VPN protocol
7 Monitoring management message definition of VPN device
7.1 Overview
7.2 Monitoring equipment configuration messages of VPN devices
7.3 Filtering rule messages
7.4 Monitoring equipment alert messages of VPN devices
Appendix A (Informative) XML definition example of message
A.1 XML definition of monitoring equipment configuration messages for VPN devices
A.2 XML definition of monitoring equipment filtering rule message of VPN devices
A.3 XML definition of monitoring equipment alert message of VPN devices
References
Foreword
This Standard was drafted in accordance with the rules given in GB/T 1.1-2009.
GM/T 0052 Cryptographic equipment management - VPN device monitoring
management specification is one of the cryptographic device management
standards. This family of standards consists of a basic specification and a
series of management application specifications, and currently comprises:
- Basic specification: GM/T 0050 Cryptography device management -
Equipment management technical specifications;
- Management application specification: GM/T 0051 Cryptography device
management - Specifications of symmetric key management technology;
- Management application specification: GM/T 0052 Cryptographic
equipment management - VPN device monitoring management
specification;
- Management application specification: GM/T 0053 Cryptographic device
management - Remote monitoring and compliance verification interface
data specification.
Any contents of this Standard that relate to cryptographic algorithms are
implemented in accordance with the relevant national laws and regulations.
This Standard was proposed by, and is under the jurisdiction of, the
Cryptography Industry Standardization Technical Committee.
Main drafting organizations of this Standard: Shanghai Information Security
Engineering Technology Research Center, Shanghai Jiao Tong University
School of Information Security, Shanghai Pengyue Jinghong Information
Technology Development Co., Ltd., Shanghai Huatang Network Co., Ltd.,
Weishitong Information Industry Co., Ltd., Shanghai Tianrongxin Network
Security Technology Co., Ltd., Shanghai Xinhao Information Technology Co.,
Ltd.
Main drafters of this Standard: Wang Hao, Tian Li, Zhou Zhihong, Huang
Zhirong, Liao Wei, Zou Ru, Yuan Feng, Pan Shuyuan, Wang Hegang, Li
Junshan, Zhang Yuanchen, Lv Mingzhong, Pan Limin, Li Gaojian.
Cryptographic equipment management -
Monitoring management specification of VPN device
1 Scope
This Standard specifies the monitoring management of VPN devices in important
information systems and networks, in order to detect and locate illegal
(unauthorized) VPN devices in the network and to detect non-compliant
operation of legitimate VPN devices in use.
This Standard applies to the development and application of VPN device
monitoring management systems and monitoring equipment. It may also be
used to guide the testing of such monitoring equipment.
2 Normative references
The following documents are essential to the application of this document. For
dated references, only the edition cited applies to this document; for undated
references, the latest edition (including all amendments) applies to this
Standard.
GM/T 0022-2014 IPSec VPN technical specifications
GM/T 0024-2014 SSL VPN technical specifications
GM/T 0050-2016 Cryptography device management -Equipment
management technical specifications
GM/T 0053-2016 Cryptographic device management - Remote monitoring
and compliance verification interface data specification.
3 Terms and definitions
The following terms and definitions apply to this document.
3.1
VPN device
Devices that use VPN technology to provide secure communication services in
a network. In this Standard, VPN device refers to IPsec VPN and SSL VPN
devices, including network cryptographic machines
forensic analysis;
d) Maintain (add, modify, and delete) the list of prohibited (non-compliant) algorithms;
e) Maintain the list of filtered IP addresses and provide a white-list mechanism;
f) Count the number of VPN device communications across the whole network;
g) Provide query and statistical analysis of historical data.
5.3 Management application layer
The management application covered by this Standard is the monitoring
management of VPN devices.
For the monitoring management of VPN devices, the system shall capture and
inspect the data packets of the VPN key negotiation phase in order to analyze
how VPN devices are used in the network, to raise alerts on illegal VPN
devices, and to ensure that the VPN devices in use are compliant.
5.4 Management platform layer
Requirements for the management platform layer follow clause 5.5 of GM/T
0050-2016.
5.5 Monitoring equipment layer of VPN device
The monitoring equipment of the VPN device is managed by the management
agent, it follows clause 5.6 of GM/T 0050-2016 and clauses 5.3 and 5.4 of GM/T
0053-2016.
The monitoring equipment of the VPN device is deployed at the ingress/egress
point of the monitored network. It performs monitoring management of all
VPN devices in the network by out-of-band (bypass) packet capture; it receives
the policies and instructions issued by the management application layer
through the equipment management platform and the security tunnel, parses
each instruction, and returns the result of its execution.
The logical structure of the VPN device monitoring equipment is shown in
Figure 2.
parsing and operating in accordance with the instruction content.
The monitoring equipment of the VPN device is managed by the management
agent. All messages between the monitoring equipment of the VPN device and
the equipment management platform are sent through the security tunnel. The
message PDU and the usage instructions of the security tunnel follow clause 6
of GM/T 0050-2016.
The information exchanged between the management application layer and the
monitoring equipment of the VPN device flows in two directions:
a) Information reported by the monitoring equipment of the VPN device to the
management application layer, including alerts on illegal VPN devices;
b) Information issued by the management application layer to the monitoring
equipment of the VPN device, including the configuration information and
the filtering rule information of the monitoring equipment.
5.7 Monitoring management process of VPN device
The monitoring management system workflow is as follows:
a) Deploy the monitoring equipment of the VPN device at a backbone node of
the network, initialize it, and configure its uplink IP address;
b) After the monitoring equipment of the VPN device is powered on, it
automatically initiates a connection to the management application layer
and performs identity authentication, which includes two-way IP binding
and device ID authentication with the uplink device;
c) After the management application layer has authenticated the identity of
the monitoring equipment of the VPN device, it performs the initial
configuration of that monitoring equipment;
d) The monitoring equipment of the VPN device filters the captured data
packets and collects the various types of VPN packets in accordance with
the configured rules;
e) Inspect the captured VPN packets. If the IP address information shows
that the VPN device is on the white list, skip the remaining inspection
steps; no further inspection is needed;
f) If the VPN device is not on the white list, extract the value of the
cryptographic algorithm attribute (that is, the key-algorithm attribute
value of the first phase of the key exchange protocol); if the extraction
fails, skip to step i);
g) Compare the extracted algorithm attribute values with the definitions of
6 Monitoring ...
...
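The following is an added worked example of the detection loop described in steps d) to g) of 5.7; it is not code from the standard, and the standard's own algorithm identifiers (GM/T 0022), message formats and step i) are not on this page, so it does not use them. It assumes the passively captured packets are IKEv1 (ISAKMP, UDP/500) phase-1 messages, uses the IANA IKEv1 attribute numbers (Encryption-Algorithm = 1 with DES-CBC = 1, 3DES-CBC = 5, AES-CBC = 7; Hash-Algorithm = 2 with MD5 = 1, SHA = 2), and takes a constructed white list, a constructed prohibited-algorithm list and a constructed capture as its inputs. The policy lists, the IP addresses and the packets are all made up for the example.

```python
import struct
from dataclasses import dataclass

# ISAKMP / IKEv1 constants (RFC 2408, RFC 2409 and the IANA ISAKMP registry).
ISAKMP_HDR_LEN = 28
ISAKMP_PORT = 500
PAYLOAD_SA = 1                 # Security Association payload
EXCH_MAIN_MODE = 2             # Identity Protection (Main Mode): phase 1
EXCH_AGGRESSIVE = 4            # Aggressive Mode: phase 1
ATTR_ENCRYPTION_ALG = 1        # phase-1 SA attribute "Encryption-Algorithm"
ATTR_HASH_ALG = 2              # phase-1 SA attribute "Hash-Algorithm"

# Constructed policy for this example (not from the standard). Keys are
# (attribute type, attribute value) pairs using the IANA IKEv1 numbers.
PROHIBITED_ALGORITHMS = {
    (ATTR_ENCRYPTION_ALG, 1): "DES-CBC",
    (ATTR_ENCRYPTION_ALG, 5): "3DES-CBC",
    (ATTR_HASH_ALG, 1): "MD5",
}
WHITELIST_IPS = {"10.0.0.5"}   # constructed white list of approved VPN devices


def extract_phase1_attrs(pkt):
    """Step f): pull the SA attributes of the first transform out of an IKEv1
    phase-1 message. Returns {attr_type: value}, or None when extraction fails
    (not IKEv1, not a phase-1 exchange, or a malformed/truncated packet)."""
    try:
        if len(pkt) < ISAKMP_HDR_LEN:
            return None
        next_pl, ver, exch, _flags, _msg_id, length = struct.unpack("!BBBBII", pkt[16:28])
        if ver >> 4 != 1 or next_pl != PAYLOAD_SA or length > len(pkt):
            return None
        if exch not in (EXCH_MAIN_MODE, EXCH_AGGRESSIVE):
            return None
        off = ISAKMP_HDR_LEN
        _, _, sa_len = struct.unpack("!BBH", pkt[off:off + 4])
        prop_off = off + 12                        # skip generic header, DOI, Situation
        if prop_off + 8 > off + sa_len:
            return None
        _, _, _plen, _, _, spi_size, _n = struct.unpack("!BBHBBBB", pkt[prop_off:prop_off + 8])
        tr_off = prop_off + 8 + spi_size           # first transform payload
        _, _, tr_len, _, _, _ = struct.unpack("!BBHBBH", pkt[tr_off:tr_off + 8])
        attrs = {}
        p, end = tr_off + 8, min(tr_off + tr_len, len(pkt))
        while p + 4 <= end:
            af_type, val_or_len = struct.unpack("!HH", pkt[p:p + 4])
            if af_type & 0x8000:                   # TV form: 16-bit value inline
                attrs[af_type & 0x7FFF] = val_or_len
                p += 4
            else:                                  # TLV form: length, then value
                attrs[af_type] = int.from_bytes(pkt[p + 4:p + 4 + val_or_len], "big")
                p += 4 + val_or_len
        return attrs or None
    except struct.error:
        return None


@dataclass
class Alert:
    src_ip: str
    dst_ip: str
    attr_type: int
    value: int
    algorithm: str


def inspect(capture, whitelist=WHITELIST_IPS, prohibited=PROHIBITED_ALGORITHMS):
    """Run steps d) to g) over (src_ip, dst_ip, udp_dport, payload) records."""
    alerts = []
    for src, dst, dport, payload in capture:
        if dport != ISAKMP_PORT:                   # d) filtering rule: keep ISAKMP only
            continue
        if src in whitelist:                       # e) white-listed device: no inspection
            continue
        attrs = extract_phase1_attrs(payload)
        if attrs is None:                          # f) extraction failed: move on
            continue                               #    (the standard jumps to step i))
        for (atype, value), name in prohibited.items():   # g) compare with the list
            if attrs.get(atype) == value:
                alerts.append(Alert(src, dst, atype, value, name))
    return alerts


def _tv(attr_type, value):
    return struct.pack("!HH", 0x8000 | attr_type, value)


def build_ikev1_main_mode(enc_alg, hash_alg):
    """Constructed Main Mode message 1: header + SA(proposal(transform(attrs)))."""
    attrs = _tv(ATTR_ENCRYPTION_ALG, enc_alg) + _tv(ATTR_HASH_ALG, hash_alg)
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, PAYLOAD_SA, 0x10,
                      EXCH_MAIN_MODE, 0, 0, ISAKMP_HDR_LEN + len(sa))
    return hdr + sa


# Constructed capture: (src_ip, dst_ip, udp_dport, payload).
SAMPLE_CAPTURE = [
    ("10.0.0.5", "203.0.113.9", 500, build_ikev1_main_mode(1, 1)),  # white-listed, skipped
    ("10.0.0.7", "203.0.113.9", 500, build_ikev1_main_mode(7, 2)),  # AES-CBC/SHA: allowed
    ("10.0.0.8", "203.0.113.9", 500, build_ikev1_main_mode(5, 1)),  # 3DES-CBC + MD5: alerts
    ("10.0.0.9", "203.0.113.9", 500, b"\x00" * 10),                 # garbage: extraction fails
    ("10.0.0.9", "203.0.113.9", 443, b"\x16\x03\x01"),              # not ISAKMP: filtered out
]

if __name__ == "__main__":
    for a in inspect(SAMPLE_CAPTURE):
        print(f"ALERT {a.src_ip} -> {a.dst_ip}: prohibited {a.algorithm} (attr {a.attr_type}={a.value})")
```

Only the first transform of the first proposal is inspected here, and only for Main/Aggressive Mode; a production monitor would walk every proposal and transform and would also need the SSL VPN rules of 6.3, which the page does not show.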