Basic data
| Standard ID | GB/T 25068.5-2021 (GB/T25068.5-2021) |
| Description (Translated English) | Information technology - Security techniques - Network security - Part 5: Securing communications across networks using virtual private networks |
| Sector / Industry | National Standard (Recommended) |
| Classification of Chinese Standard | L80 |
| Word Count Estimation | 22,231 |
| Issuing agency(ies) | State Administration for Market Regulation, China National Standardization Administration |
Information technology - Security techniques - Network security - Part 5: Securing communications across networks using virtual private networks
ICS 35.040
L80
National Standard of the People's Republic of China
Replaces GB/T 25068.5-2010
(ISO/IEC 27033-5:2013, MOD)
Issued 2021-03-09
Implemented 2021-10-01
Issued by the State Administration for Market Regulation and the Standardization Administration of China
Table of contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview
5.1 Introduction
5.2 VPN types
6 Security threats
7 Security requirements
7.1 Overview
7.2 Confidentiality
7.3 Integrity
7.4 Authentication
7.5 Authorization
7.6 Availability
7.7 Tunnel endpoint security
8 Security controls
8.1 Security aspects
8.2 Virtual circuits
9 VPN-related technologies
9.1 Overview
9.2 Regulatory and legal aspects
9.3 VPN management aspects
9.4 VPN architecture aspects
9.4.1 Overview
9.4.2 Endpoint security
9.4.3 Termination point security
9.4.4 Malware protection
9.4.5 Authentication
9.4.6 Intrusion detection and prevention systems
9.4.7 Security gateways
9.4.8 Network design
9.4.9 Other connections
9.4.10 Split tunnelling
9.4.11 Audit logging and network monitoring
9.4.12 Technical vulnerability management
9.4.13 Public network routing encryption
9.5 VPN technical considerations
9.5.1 Background
9.5.2 VPN device management
9.5.3 VPN security monitoring
10 Product selection guidance
10.1 Choice of carrier protocol
10.2 VPN devices
Annex A (informative) TISec technology
Bibliography
1 Scope
This part of GB/T 25068 specifies the security requirements for using virtual private networks (VPNs) to interconnect networks and to connect remote users to networks, and gives guidance on selecting, implementing and monitoring the technical controls needed to provide network security when VPNs are used.
This part applies to personnel responsible for selecting and implementing the technical controls needed to provide network security when VPNs are used, and to personnel who subsequently monitor the security of VPN-based networks.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including all amendments) applies.
GB/T 9387 (all parts) Information technology - Open Systems Interconnection - Basic Reference Model [ISO 7498 (all parts)]
GB/T 17901.1-2020 Information technology - Security techniques - Key management - Part 1: Framework (ISO/IEC 11770-1:2010, MOD)
GB/T 22080-2016 Information technology - Security techniques - Information security management systems - Requirements (ISO/IEC 27001:2013, IDT)
GB/T 22081 Information technology - Security techniques - Code of practice for information security controls (GB/T 22081-2016, ISO/IEC 27002:2013, IDT)
GB/T 25068.1-2020 Information technology - Security techniques - Network security - Part 1: Overview and concepts (ISO/IEC 27033-1:2015, IDT)
GB/T 31722-2015 Information technology - Security techniques - Information security risk management (ISO/IEC 27005:2008, IDT)
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 9387 (all parts), GB/T 22080-2016, GB/T 22081, GB/T 25068.1-2020 and GB/T 31722-2015 and the following apply.
3.1
private
Restricted to authorized users.
3.2
tunnel
Data path between networked devices that is concealed within another, more visible, protocol.
3.3
virtual private network
Restricted-use virtual network built with tunnelling technology on top of the resources of a physical network.
3.4
virtual circuit
Data channel between network devices established using packet- or cell-switching technology such as X.25, ATM or Frame Relay.
3.5
protocol encapsulation
Carrying one data stream inside another by wrapping the protocol data units of the first protocol in those of the second.
Note: This technique can be used to build the tunnels of a virtual private network.
4 Abbreviations
5 Overview
5.1 Introduction
VPN technology has developed rapidly as a way of interconnecting networks and of connecting remote users to a network.
VPNs have been defined in many ways. In its simplest form, a VPN is a mechanism for establishing one or more secure data channels over an existing network or a point-to-point connection. The channels are allocated to a restricted group of users for their exclusive use and can be set up and torn down dynamically on demand. The host network may be private or public.
Figure 1 illustrates a VPN: a secure data channel across a public network between an endpoint and a gateway, and a secure data channel across a public network between two gateways.
Figure 1 Schematic diagram of a VPN
Remote access over a VPN is built on top of an ordinary point-to-point connection: the remote user first establishes an ordinary point-to-point connection to the remote site. Some VPNs are offered as a managed service, in which secure and reliable connectivity, management and addressing functions (equivalent to those of a private network) are provided over a shared infrastructure. The additional security controls given in this part can be used to strengthen such VPN functions.
The data and code traversing a VPN should be restricted to the organization using it and kept separate from the traffic of other users of the underlying network; the data and code of other users should not be able to enter the same VPN channel. When evaluating whether additional security controls are needed, the trustworthiness, in terms of confidentiality and other security properties, of the organization that owns or provides the VPN should be considered.
5.2 VPN types
As noted above, VPNs can be characterized in many ways.
From an architectural viewpoint, VPNs include:
---single point-to-point connections (for example, a client accessing the organization's network remotely via a site gateway, or a site gateway connecting to another site gateway);
---point-to-cloud connections (for example, implemented with MPLS technology).
From the viewpoint of the OSI basic reference model there are three main types of VPN:
---Layer 2 VPNs provide an emulated LAN facility. They use VPN connections running over a host network (e.g. a provider network) to link the organization's sites or to provide remote connections into the organization. Providers in this field typically offer Virtual Private Wire Service (VPWS) or Virtual Private LAN Service (VPLS); VPWS provides a virtual "wire", while VPLS provides a more complete emulated LAN service.
---Layer 3 VPNs provide an emulated WAN facility. They use VPN connections running over a network infrastructure to give sites an emulated "OSI network layer" connection. Notably, they allow a private IP addressing scheme to be used over a public infrastructure, which is not possible over "ordinary" public IP connectivity. In a Layer 3 VPN, private addresses can be used behind NAT (network address translation) on the public network; this works, but it complicates the establishment and use of IPsec VPNs. See GB/T 36968-2018 for IPsec VPN technology.
---Higher-layer VPNs protect transactions across public networks. They usually provide a secure channel between communicating applications that ensures the confidentiality and integrity of transaction data. This type may also be called a Layer 4 VPN, because the VPN connection is often built on top of TCP, a Layer 4 protocol. See GM/T 0024-2014 for higher-layer VPN technology.
6 Security threats
For the foreseeable future, organizations using networks can expect effective attacks on their systems to increase. Unauthorized access is particularly damaging; it can lead, for example, to denial of service (DoS), misuse of resources, or arbitrary access to valuable information.
In general, attacks on VPNs take the form of intrusion attacks or DoS attacks. An intrusion occurs when an outsider or malicious attacker gains control of part of the network. Intrusions may be carried out from computers or other networked devices (including mobile devices) and may originate anywhere with a connection to the network, including other VPNs, the Internet, or the service provider itself. Such attacks can be countered by filtering unexpected traffic from unexpected sources at the network ingress. A typical example of this kind of intrusion is access to a secure tunnel by an unauthorized entity.
In VPN designs that lack central management, where all sites are connected to each other but traffic flows are not controlled, resisting intrusion is difficult.
DoS attacks are the other class of threat faced by VPNs. Like intrusions, DoS attacks can come from other VPNs, the Internet, or the service provider's core. The main difference between the two classes is that a DoS attack does not require the attacker to gain access to or control of any device. A DoS attack on service-provider equipment can also cause denial of service for some VPNs. Although protecting a network against DoS attacks is sometimes difficult, the main defence against them is good VPN network design.
Security issues for VPNs include:
---separation of address space and routing between VPNs carried over a label-switched network;
---keeping the internal structure of the label-switched core invisible to external networks (for example, to limit the information available to a potential attacker);
---providing measures against denial-of-service attacks;
---providing measures against unauthorized access;
---resistance to label spoofing (although forged labels can be inserted into a label-switched network from outside, address separation means a spoofed packet can only harm the VPN from which it originated).
7 Security requirements
7.1 Overview
The primary security objective of a VPN is to resist unauthorized access. On that basis, a VPN can be used to serve further network security objectives:
---protecting information in the network, the systems connected to it, and the services they use;
---protecting the supporting network infrastructure;
---protecting the network management systems.
To meet these objectives, a VPN implementation should ensure:
---the confidentiality of data transmitted between VPN endpoints;
---the integrity of data transmitted between VPN endpoints;
---the authenticity of VPN users and administrators;
---the management of authorization for VPN users and administrators;
---the availability of VPN endpoints and network infrastructure.
In short, the underlying tunnels used to build the VPN should be implemented in a way that meets these security objectives, which are summarized in Figure 2.
Cryptographic mechanisms should be used to meet the confidentiality, integrity and authentication requirements. They should use cryptographic algorithms approved by the national cryptographic administration, use cryptographic products certified and approved by the national cryptographic administration, and comply with the relevant national and industry cryptographic standards.
Figure 2 General security requirements for VPNs mapped onto lower-layer tunnels
7.2 Confidentiality
The confidentiality of data and code transmitted through the tunnel should not be compromised. Tunnelling may make the transmitted data and code invisible to other users of the network, but that does not mean the traffic is always kept secret: in particular, the data and code flowing in a tunnel cannot resist deliberate probing with a data analyser or probe. Whether the data and code in the tunnel remain confidential therefore depends critically on the likelihood of such probing. In short, this is one of the trust factors of the underlying network supporting the VPN, and it varies first of all with who owns the transport network. If the transport network is not within a trusted domain (see GB/T 25068.1-2020 for trusted domains), or if the transmitted data and code are regarded as sensitive, additional security controls may be needed to further protect confidentiality. In those cases the tunnelling mechanism used should support encryption, or the data items should be encrypted offline before being sent over the VPN. The security of the tunnel endpoints should not be overlooked (see 7.7).
7.3 Integrity
The integrity of data and code transmitted through the tunnel should not be compromised. The mechanism used to implement the VPN tunnel should support integrity checking of the transmitted data and code; the techniques used include message authentication codes and anti-replay mechanisms. If such protection cannot be provided within the tunnel implementation, or if the transmitted data and code are particularly sensitive, integrity protection controls should be implemented in the end systems, so that integrity protection is provided end-to-end.
7.4 Authentication
Message authentication should be provided across the public IP network between the participating ends of the VPN. Authentication controls should support tunnel establishment and operation, ensuring that each end of the tunnel communicates with the genuine peer (which may be a remote access system) and that the data received comes from the correct, authorized source. Authentication can be achieved using TePA-EA technology (see GB/T 15843.3-2016).
7.5 Authorization
Tunnel establishment and operation should be supported by access control, using technologies such as TePA-AC (see GB/T 28455-2010) and ACLs (access control lists), to ensure that each end of the tunnel communicates only with an authorized peer (which may be a remote access system) and that the data and code received come from authorized sources.
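7.4 and 7.5 separate two decisions made at a tunnel endpoint: is the peer who it claims to be, and what is that peer then allowed to reach. The Python below is an added example, not code from this standard, and it is not TePA-EA or TePA-AC (whose message formats are defined in GB/T 15843.3 and GB/T 28455). It implements a generic pre-shared-key, nonce-based mutual challenge/response between a remote site gateway and a central gateway, and only after that succeeds consults a per-peer ACL before traffic to a destination network is allowed. Peer names, keys and network prefixes are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data for the example: a pre-shared key and an
# authorization entry for each remote site gateway. A real deployment would
# provision keys through a key-management framework (GB/T 17901.1).
PEER_SECRETS = {
    b"site-beijing": bytes.fromhex("0f" * 32),
    b"site-shanghai": bytes.fromhex("a7" * 32),
}
# Access control list: the remote networks each authenticated peer may reach.
PEER_ACL = {
    b"site-beijing": {"10.1.0.0/16"},
    b"site-shanghai": {"10.2.0.0/16", "10.3.0.0/24"},
}


def _tag(secret, role, own_id, peer_id, own_nonce, peer_nonce):
    """HMAC-SHA256 over both identities and both nonces, length-prefixed.

    The role byte (b"I" initiator, b"R" responder) makes the two tags of one
    exchange distinct, so a responder's tag cannot be reflected back to it as
    an initiator's tag.
    """
    fields = [role, own_id, peer_id, own_nonce, peer_nonce]
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(secret, msg, hashlib.sha256).digest()


class Initiator:
    """Remote site gateway that opens the tunnel."""

    def __init__(self, ident, secret):
        self.ident, self.secret = ident, secret

    def hello(self):
        self.nonce = os.urandom(16)   # fresh per attempt, so old tags cannot be replayed
        return self.ident, self.nonce

    def finish(self, resp_id, resp_nonce, resp_tag):
        expected = _tag(self.secret, b"R", resp_id, self.ident, resp_nonce, self.nonce)
        if not hmac.compare_digest(expected, resp_tag):
            raise PermissionError("responder is not the genuine peer")
        return _tag(self.secret, b"I", self.ident, resp_id, self.nonce, resp_nonce)


class Gateway:
    """Central termination point: authenticates each peer, then authorizes it."""

    def __init__(self, ident, secrets, acl):
        self.ident, self.secrets, self.acl = ident, secrets, acl
        self.pending = {}            # peer id -> (peer nonce, our nonce)
        self.authenticated = set()

    def challenge(self, init_id, init_nonce):
        secret = self.secrets.get(init_id)
        if secret is None:
            raise PermissionError("unknown peer identity")
        nonce = os.urandom(16)
        self.pending[init_id] = (init_nonce, nonce)
        return self.ident, nonce, _tag(secret, b"R", self.ident, init_id, nonce, init_nonce)

    def verify(self, init_id, init_tag):
        if init_id not in self.pending:
            raise PermissionError("no challenge outstanding for this peer")
        init_nonce, nonce = self.pending.pop(init_id)
        expected = _tag(self.secrets[init_id], b"I", init_id, self.ident, init_nonce, nonce)
        if not hmac.compare_digest(expected, init_tag):
            raise PermissionError("initiator failed authentication")
        self.authenticated.add(init_id)
        return init_id

    def authorize(self, peer_id, dst_network):
        # Authentication is not authorization (7.5): even an authenticated
        # peer may only reach the networks listed in its ACL entry.
        return peer_id in self.authenticated and dst_network in self.acl.get(peer_id, set())


def run_handshake(initiator, gateway):
    """Drive the three-message exchange; returns the authenticated peer identity."""
    init_id, init_nonce = initiator.hello()
    resp_id, resp_nonce, resp_tag = gateway.challenge(init_id, init_nonce)
    init_tag = initiator.finish(resp_id, resp_nonce, resp_tag)
    return gateway.verify(init_id, init_tag)


if __name__ == "__main__":
    gw = Gateway(b"gw-hq", PEER_SECRETS, PEER_ACL)
    peer = run_handshake(Initiator(b"site-beijing", PEER_SECRETS[b"site-beijing"]), gw)
    print(peer, "-> 10.1.0.0/16 allowed:", gw.authorize(peer, "10.1.0.0/16"))
    print(peer, "-> 10.2.0.0/16 allowed:", gw.authorize(peer, "10.2.0.0/16"))
```

The three messages are: identity and nonce from the initiator; identity, nonce and responder tag from the gateway; initiator tag back. Each side checks the other's tag before trusting the connection, and a peer holding the wrong key, or an unknown identity, is refused before any ACL lookup happens. Note that authenticating site-beijing does not let it reach site-shanghai's networks: the ACL decision is separate.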
7.6 Availability
The availability of tunnels and of the VPN is a function of the availability of the supporting network infrastructure and endpoint systems. Security controls that protect the tunnelling mechanism against denial-of-service attacks should be incorporated wherever possible.
Where a specific service level has been agreed, multiple resilient tunnelling mechanisms should be tested as fallbacks.
7.7 Tunnel endpoint security
The security requirements of VPN endpoints should also be considered. In general, each VPN endpoint should ensure that only controlled network traffic flows through it. This usually means disabling routing and, at a minimum, using packet filtering or firewall technology. See 9.4.2 (Endpoint security) and 9.4.3 (Termination point security) for details.
8 Security controls
8.1 Security aspects
Although a tunnel is hidden from ordinary network users, it is not invisible, and so it is not inherently secure. The underlying partitioning process used to build the tunnel (into virtual circuits or label-switched paths) or the encapsulation process offers no protection against an attacker who deliberately probes it with a network analyser or probe. If the tunnel is implemented without encryption, the attacker can read its traffic; even with encryption, the tunnel and its endpoints cannot be concealed.
In addition, the tunnel endpoints may not be protected against unauthorized logical and/or physical access. For a VPN to be secure, the tunnel needs security controls chosen according to the organization's security policy and risk tolerance; whether these security risks can be accepted depends on the organization's security policy.
Securing communication between network nodes requires both network access security and data transmission security between the nodes. Network access security covers verifying the legitimacy of the identity of the accessing node and the authenticity of its platform; data transmission security covers ensuring the confidentiality, integrity and anti-replay protection of data in transit. These requirements can be met with existing IP security and trusted computing technologies, for example the TISec technology described in Annex A.
Note: Even when the data is encrypted, the shape of the traffic can be as revealing as its content. For example, once a VPN endpoint has been identified, the location of an individual user can also be determined, which may expose personal privacy or, in law-enforcement or military operations, reveal the mission.
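The point made in 8.1 and its note, that encryption hides the content of a tunnel but not the tunnel or its endpoints, can be checked from plain flow records. The Python below is an added example, not part of GB/T 25068.5 or ISO/IEC 27033-5. It takes constructed NetFlow-style records (sample data, not a real capture; the record format is an assumption for the example), picks out the IPsec-related flows by protocol and port (ESP, AH, IKE on UDP/500, NAT-T on UDP/4500), and reports what an observer on the transport network learns without a single decrypted byte: which address pairs are tunnelling, how much traffic moves in each direction, and which address terminates the most tunnels, which is in practice the organization's gateway.

```python
from collections import defaultdict

# Constructed sample flow records (not a real capture). Format, assumed for
# this example: timestamp src dst proto sport dport bytes
SAMPLE_FLOWS = """\
2021-10-01T08:00:01 203.0.113.1 198.51.100.7 udp 500 500 1248
2021-10-01T08:00:01 198.51.100.7 203.0.113.1 udp 500 500 1190
2021-10-01T08:00:02 203.0.113.1 198.51.100.7 esp 0 0 54300
2021-10-01T08:00:02 198.51.100.7 203.0.113.1 esp 0 0 8120
2021-10-01T08:00:03 192.0.2.44 198.51.100.7 udp 4500 4500 2200
2021-10-01T08:00:03 198.51.100.7 192.0.2.44 udp 4500 4500 1900
2021-10-01T08:00:09 192.0.2.44 198.51.100.7 udp 4500 4500 1620000
2021-10-01T08:00:10 203.0.113.88 198.51.100.7 tcp 52110 443 3100
"""


def classify(proto, sport, dport):
    """Return the IPsec-related class of a flow, or None for other traffic."""
    if proto == "esp":
        return "esp"
    if proto == "ah":
        return "ah"
    if proto == "udp" and 500 in (sport, dport):
        return "ike"
    if proto == "udp" and 4500 in (sport, dport):
        return "ike-natt"   # IKE or ESP-in-UDP behind NAT (RFC 3948)
    return None


def parse_flows(text):
    """Parse the whitespace-separated sample format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, sport, dport, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "proto": proto,
                      "sport": int(sport), "dport": int(dport), "bytes": int(nbytes)})
    return flows


def tunnel_summary(flows):
    """Group IPsec flows by unordered endpoint pair: what an on-path observer learns."""
    tunnels = {}
    for f in flows:
        cls = classify(f["proto"], f["sport"], f["dport"])
        if cls is None:
            continue
        pair = tuple(sorted((f["src"], f["dst"])))
        t = tunnels.setdefault(pair, {"classes": set(), "bytes": defaultdict(int),
                                      "first": f["ts"], "last": f["ts"]})
        t["classes"].add(cls)
        t["bytes"][f["src"]] += f["bytes"]      # per-direction volume: the traffic's shape
        t["first"] = min(t["first"], f["ts"])
        t["last"] = max(t["last"], f["ts"])
    return tunnels


def infer_concentrator(tunnels):
    """The address that terminates the most tunnels is, to an observer, the organization's VPN gateway."""
    count = defaultdict(int)
    for a, b in tunnels:
        count[a] += 1
        count[b] += 1
    return max(count, key=count.get) if count else None


if __name__ == "__main__":
    tunnels = tunnel_summary(parse_flows(SAMPLE_FLOWS))
    for (a, b), t in tunnels.items():
        print(f"{a} <-> {b}: {sorted(t['classes'])} {dict(t['bytes'])} {t['first']}..{t['last']}")
    print("probable VPN gateway:", infer_concentrator(tunnels))
```

On the sample data the web flow to port 443 is ignored, the two tunnels are identified from their IKE and ESP traffic alone, and the heavily asymmetric byte counts of the 192.0.2.44 tunnel (an upload of about 1.6 MB) are visible even though every ESP payload is opaque. That is exactly the metadata exposure the note describes; the same logic run by a defender over audit logs is also the basis of the VPN monitoring that 9.4.11 calls for.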
8.2 Virtual circuits
The security controls used to establish the lower-layer secure channel can rely on virtual circuits in conventional wide-area telecommunications facilities, such as leased lines using Frame Relay or ATM technology. With these technologies the underlying network is essentially secure to the extent that the telecommunications operator keeps private users' leased-line facilities separate from the shared Internet access it offers to the public. The technology used for virtual circuits gives the channel a degree of confidentiality, but not absolute security. A VPN built on such traditional virtual circuits is considered relatively unlikely to be compromised, because a breach of security operations or an attack would normally have to originate from within the service provider's core network.
9 VPN-related technologies
9.1 Overview
A VPN is built from the system resources of a physical network, for example by using encryption and/or virtual network tunnel links that traverse the real network.
A VPN can be implemented entirely within a private network under the organization's own control, across a public network, or across a combination of both. It is entirely possible for a VPN to be built over an existing dedicated wide-area network. Because Internet access is usually available at relatively low cost, the public network has gradually become a cost-effective means of supporting wide-area VPNs and remote-access VPNs in many applications.
Another approach is to establish the channel as a secure channel built across an Internet service provider's network. In this case the public Internet effectively becomes the underlying transport system, which means greater uncertainty about the VPN's confidentiality. A tunnel is a data channel between networked devices established across the existing network infrastructure. It is transparent to normal network operations, and in many real-world situations its use is equivalent to an ordinary network connection. When necessary, a tunnel can be opened or closed easily and on demand without any change to the underlying physical network infrastructure. A VPN created with tunnels is therefore more flexible than a network based on physical connections.
The following techniques can be used to create tunnels:
---virtual circuits;
---label switching;
---protocol encapsulation.
A tunnel created as a virtual circuit is normally established as a leased line in a conventional WAN facility using packet-switching technology (such as Frame Relay or ATM). These technologies ensure that the traffic of different tunnels is kept separate.
Label switching is another way of creating tunnels. Every packet flowing through a tunnel is assigned an identifying label, and the label ensures that packets carrying a different label are excluded from the designated traversal path through the network.
Although the technologies used for tunnels can ensure proper separation of traffic between the tunnel and the underlying network, they do not meet general confidentiality requirements. Where confidentiality is required, encryption must be used to provide the required level of security.
VPN tunnels can be created at different layers of the OSI model. Virtual circuits form tunnels at Layer 2. Label-switching technology allows tunnels to be created at Layer 2 or Layer 3. Protocol encapsulation can be used at all layers except the physical layer (most implementations are at Layer 3 and above).
Tunnels can also be created with protocol encapsulation, that is, the data units of one protocol are packaged and carried inside another protocol. For example, the tunnel mode of the TUE protocol in TISec technology, or the tunnel mode of the IPsec ESP protocol, encapsulates IP packets and transmits them over an IP network after inserting an additional IP header.
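7.3 calls for message authentication codes and anti-replay protection in the tunnel, and 9.1 describes tunnelling by protocol encapsulation, using IPsec ESP tunnel mode as its example. The Python below is an added illustration, not code from this standard or from any IPsec implementation. It builds an ESP tunnel-mode packet by hand: a complete inner IPv4 packet is wrapped in an ESP header (SPI, sequence number) and trailer, authenticated with HMAC-SHA256 truncated to 128 bits (HMAC-SHA256-128, RFC 4868), and prefixed with an outer IPv4 header carrying protocol 50. The receiver verifies the ICV and enforces an RFC 4303-style 64-entry sliding anti-replay window. NULL encryption (RFC 2410) is used so the structure stays visible using only the standard library; as 7.2 and 9.1 warn, that gives integrity and anti-replay but no confidentiality, and the inner packet is readable inside the outer one. Addresses, the key and the SPI are constructed sample values.

```python
import hashlib
import hmac
import struct

ESP_PROTO = 50          # outer IP protocol number for ESP
IPV4_PROTO = 4          # ESP "next header" value for an encapsulated IPv4 packet
ICV_LEN = 16            # HMAC-SHA256-128 (RFC 4868): HMAC truncated to 128 bits


def ipv4_checksum(hdr):
    """Standard one's-complement checksum over the header."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with no options (for constructed packets)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def esp_encapsulate(inner_pkt, spi, seq, auth_key, outer_src, outer_dst):
    """ESP tunnel mode with NULL encryption and HMAC-SHA256-128 integrity."""
    pad_len = (-(len(inner_pkt) + 2)) % 4      # RFC 4303: trailer ends on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))     # default padding bytes 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + inner_pkt + padding + bytes([pad_len, IPV4_PROTO])
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    esp = body + icv
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


class EspReceiver:
    """Decapsulates one inbound SA, with an RFC 4303 sliding anti-replay window."""

    def __init__(self, spi, auth_key, window=64):
        self.spi, self.key, self.window = spi, auth_key, window
        self.top = 0      # highest sequence number accepted so far
        self.seen = 0     # bitmap: bit k set means sequence (top - k) was accepted

    def _replay_ok(self, seq):
        if seq == 0 or (seq <= self.top and self.top - seq >= self.window):
            return False                                   # never valid / too old
        if seq > self.top:
            return True                                    # advances the window
        return not (self.seen >> (self.top - seq)) & 1     # inside window, not yet seen

    def _replay_update(self, seq):
        if seq > self.top:
            self.seen = ((self.seen << (seq - self.top)) | 1) & ((1 << self.window) - 1)
            self.top = seq
        else:
            self.seen |= 1 << (self.top - seq)

    def decapsulate(self, outer_pkt):
        """Return the inner IPv4 packet, or raise ValueError on any check failure."""
        if outer_pkt[9] != ESP_PROTO:
            raise ValueError("outer packet is not ESP")
        esp = outer_pkt[(outer_pkt[0] & 0x0F) * 4:]
        body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI %#x" % spi)
        if not self._replay_ok(seq):
            raise ValueError("replayed or stale sequence number %d" % seq)
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            raise ValueError("ICV mismatch: packet modified in transit")
        self._replay_update(seq)               # only after the ICV has been verified
        pad_len, next_hdr = body[-2], body[-1]
        if next_hdr != IPV4_PROTO:
            raise ValueError("unexpected next header %d" % next_hdr)
        return body[8:len(body) - 2 - pad_len]
```

The receiver's order of checks follows RFC 4303: the sequence number is screened against the window first so that replayed packets are dropped without doing any MAC work, but the window is only advanced after the ICV has been verified, so a forged packet with a high sequence number cannot push legitimate packets out of the window. Because encryption is NULL here, slicing the outer packet at offset 28 returns the inner packet unchanged, which is the concrete form of the 9.1 remark that encapsulation alone separates traffic but does not keep it confidential.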
9.2 Regulatory and legal aspects
The regulations of the different regulatory or legislative bodies (including national government departments) that relate to network connectivity and the use of VPNs should be considered, together with any regulatory or legal security requirements.
Regulations and/or laws in the following areas need attention:
---privacy/data protection;
---the use of cryptographic technology;
---operational risk management/governance.
9.3 VPN management aspects
When considering the use of a VPN, everyone whose job responsibilities relate to the VPN should understand the business needs and benefits. In addition, they and all VPN users should understand the security risks of such connectivity and the related areas of control. Business needs and benefits can influence many of the decisions and actions in the process that follows: considering VPN connections, identifying potential areas of control, and finally selecting, designing, implementing and maintaining the security controls. In short, business needs and benefits must be considered throughout the process of selecting a VPN.
9.4 VPN architecture aspects
9.4.1 Overview
When selecting a VPN, the following architectural factors should be considered:
---endpoint security;
---termination point security;
---malware protection;
---authentication;
---intrusion detection and prevention systems (IDPS);
---security gateways (including firewalls);
---network design;
---other connections;
---split tunnelling;
---audit logging and network monitoring;
---technical vulnerability management;
---public network routing encryption.
These factors are summarized below.
9.4.2 Endpoint security
The role of a VPN is to provide a secure communication channel across some network medium. However, the VPN itself cannot police the specific content of the traffic it carries, so if either endpoint is compromised, the compromise can spread to the sessions traversing the VPN. Endpoint security applies not only to the devices themselves but also to the applications on those devices and to the procedural/physical aspects of VPN use.
To keep endpoint security controls manageable, the total number of endpoints should be minimized.
Some endpoint user devices used for remote access (e.g. mobile/teleworking computing devices) may not be under the same management and physical controls as the VPN. These devices may connect to different networks, for example to the Internet and to the private network at different times, and those networks may introduce additional risks, so appropriate security controls should be considered. For example, TISec technology can be used to secure communication between nodes, through secure network access and data transmission, providing control over the device's use of the Internet and of the corporate private network during those periods. For the security of such endpoint devices, the security controls in GB/T 22081 should be considered, including:
---device security;
---protection against malicious and mobile code;
---information security awareness, education and training for device users;
---technical vulnerability management for VPN-related technologies and devices.
Other security controls should also be considered, such as packet filters or personal firewalls.
9.4.3 Termination point security
One of the key factors affecting VPN security is how the VPN is terminated at each end. If the termination point is placed directly in the core of the endpoint network (for example in the secure zone of the network), security depends directly on the security of the remote partner. If the termination point is placed in an insecure area, the communication can very likely be spoofed.
The standard approach to VPN termination is to deploy a dedicated VPN endpoint in a perimeter network, giving it the ability to further process traffic arriving from the VPN (for example, deciding whether access to applications/systems in the secure zone is allowed). An isolated termination point gives greater control over the VPN and its users.
Note: Isolated zones are described in the perimeter network or DMZ part of ISO/IEC 27033-4.
In either case, the VPN endpoint should authenticate entities (such as users or devices) before allowing access. For users, this authentication is usually a username and password, and other forms of authentication (called "strong authentication"), such as tokens, cards or biometrics, may also be required. Authentication between the endpoints when establishing the VPN connection is a further form of authentication.
9.4.4 Malware protection
When an information system is free of malware, the only way such code can be introduced is through data (or proxy code) that the recipient executes. Many programs allow code (scripts) to be embedded in seemingly innocuous data. VPN endpoints can provide good control points for malware protection, because they can control the transmission of such data.
...