HOME   Cart(0)   Quotation   About-Us Tax PDFs Standard-List Powered by Google www.ChineseStandard.net Database: 189759 (29 Sep 2024)

GB/T 28451-2023 related PDF English

GB/T 28451-2023 (GB/T28451-2023, GBT 28451-2023, GBT28451-2023) & related versions
Standard IDContents [version]USDSTEP2[PDF] delivered inStandard Title (Description)See DetailStatusSimilar PDF
GB/T 28451-2023English819 Add to Cart 6 days Information security technology -- Technical specification for network intrusion prevention system GB/T 28451-2023 Valid GBT 28451-2023
GB/T 28451-2012English760 Add to Cart 0-9 seconds. Auto delivery. Information security technology -- Technical requirements and testing and evaluation approaches for network-based intrusion prevention system products GB/T 28451-2012 Obsolete GBT 28451-2012



GB/T 28451-2023: PDF in English (GBT 28451-2023)
GB/T 28451-2012 GB NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA ICS 35.020 L 80 Information security technology - Technical requirements and testing and evaluation approaches for network-based intrusion prevention system products ISSUED ON: JUNE 29, 2012 IMPLEMENTED ON: OCTOBER 01, 2012 Issued by: General Administration of Quality Supervision, Inspection and Quarantine; Standardization Administration of PRC. Table of Contents Foreword ... 3  1 Scope ... 4  2 Normative references ... 4  3 Terms and definitions ... 4  4 Abbreviations ... 6  5 Technical requirements for intrusion prevention products ... 6  5.1 Description of composition ... 6  5.2 Classification of functional and security requirements ... 7  6 Composition of intrusion prevention products ... 9  6.1 Intrusion event analysis unit ... 9  6.2 Intrusion response unit ... 9  6.3 Intrusion event audit unit ... 9  6.4 Management control unit ... 9  7 Technical requirements for intrusion prevention products ... 10  7.1 Level 1 ... 10  7.2 Level 2 ... 15  7.3 Level 3 ... 24  8 Evaluation methods of intrusion prevention products ... 35  8.1 Test environment ... 35  8.2 Test tool ... 36  8.3 Level 1 ... 36  8.4 Level 2 ... 50  8.5 Level 3 ... 75  8.6 Performance test ... 104  Information security technology - Technical requirements and testing and evaluation approaches for network-based intrusion prevention system products 1 Scope This standard specifies the functional requirements of network-based intrusion prevention products, the product's own security requirements, the product assurance requirements; it also proposes the classification requirements for intrusion prevention products. This standard applies to the design, development, testing and evaluation of network-based intrusion prevention products. 2 Normative references The following documents are essential to the application of this document. For the dated documents, only the versions with the dates indicated are applicable to this document; for the undated documents, only the latest version (including all the amendments) are applicable to this standard. GB 17859-1999 Classified criteria for security protection of computer information system GB/T 25069-2010 Information security technology - Glossary 3 Terms and definitions The terms and definitions as defined in GB/T 25069-2010 and GB 17859-1999 as well as the following terms and definitions apply to this document. 3.1 Network-based intrusion prevention system products It is a product that is deployed on a network path in the form of a bridge or a gateway, finds network behaviors with intrusive characteristics by analyzing network traffic, intercepts them before they enter the protected network. This level specifies the minimum-security requirements for intrusion prevention products. The product has basic protocol analysis, intrusion detection and interception capabilities; generates records of intrusion events; restricts the control of product function configuration and data access through simple user identification and authentication, so that users have the ability to independently protect and prevent illegal users from harming the intrusion prevention products and protect the normal operation of intrusion prevention products. 5.1.2 Level 2 This level requires the division of security management roles, to refine the management of intrusion prevention products. The audit function is added, to make the actions of authorized administrators traceable. While the product realizes intrusion detection and interception, it also requires the function of timely warning. For event records, it also requires the ability to generate and output reports, as well as a hardware failure handling mechanism. 5.1.3 Level 3 This level requires intrusion prevention products to provide a general interface to the outside world; report results have functions such as template customization. It also requires functions such as multiple authentication mechanisms, upgrade security, self-hiding, load balancing; puts forward higher requirements for the product's own security. Provide strong protection for the normal operation of the product. 5.1.4 Performance This item specifies the performance requirements of intrusion prevention products, covering all levels. 5.2 Classification of functional and security requirements The security classification of intrusion prevention products is as shown in Table 1 and Table 2. The grade evaluation of intrusion prevention products is based on Table 1 and Table 2, combined with the comprehensive evaluation of product assurance requirements. The intrusion prevention products that meet the level 1 requirements shall meet all the items that the level 1 products shall comply with as indicated in Table 1 and Table 2, as well as the relevant assurance requirements for the level 1 product. The intrusion prevention products that meet the level 2 requirements shall meet all the items that the level 2 products shall comply with as indicated in Table 1 and Table 2, as well as the relevant assurance requirements for the level 2 product. The intrusion prevention products that meet the level 3 requirements shall meet all the items that the level 3 products shall comply with as indicated in Table 1 and Table 2, as well 7.1.3.3.1 Function design Developers shall provide documents explaining the security function design of intrusion prevention products. Function design shall describe the security function and its external interface in an informal way; describe the purpose and method of using the external security function interface; provide details of exceptions and error messages when needed. 7.1.3.3.2 Representation correspondence The developer shall provide a correspondence analysis between all adjacent pairs represented by the security function of the intrusion prevention product. 7.1.3.4 Guiding documents 7.1.3.4.1 Administrator guide The developer shall provide the authorized administrator with an administrator guide including the following: a) Management functions and interfaces that can be used by intrusion prevention products; b) How to securely manage intrusion prevention products; c) The functions and permissions that shall be controlled in the secured processing environment; d) All assumptions about user behavior related to the secured operation of intrusion prevention products; e) All security parameters controlled by the administrator, if possible, it shall indicate the security value; f) Every security-related event related to the management function, including changes to the security features of the entity controlled by the security function; g) All IT environment’s security requirements related to authorized administrators. The Administrator guide shall be consistent with all other documents provided for evaluation. 7.1.3.4.2 User guide a) The test document shall include the test plan, test procedures, expected test results, actual test results. b) The test plan shall identify the security functions to be tested and describe the objectives of the test. The test procedure shall identify the test to be performed and describe the test profile of each security function, which includes the sequential dependence of other test results. c) The expected test result shall indicate the expected output after the test is successful. d) The actual test results shall show that each tested security function can operate according to requirements. 7.2 Level 2 7.2.1 Product functional requirements 7.2.1.1 Requirements for intrusion event analysis function 7.2.1.1.1 Data collection Intrusion prevention products shall have the ability to collect all data packets flowing into the target network in real time. 7.2.1.1.2 Protocol analysis Intrusion prevention products shall perform protocol analysis on the collected data packets. 7.2.1.1.3 Intrusion discovery Intrusion prevention products shall be able to detect intrusions in the protocol. 7.2.1.1.4 Intrusion evasion discovery Intrusion prevention products shall be able to detect behaviors that evade or deceive detection, such as IP fragment reassembly, TCP stream reassembly, protocol port relocation, URL string deformation, SHELL deformation, etc. 7.2.1.1.5 Traffic monitoring Intrusion prevention products shall monitor abnormal traffic in the target environment. 7.2.1.2 Requirements for intrusion response function 7.2.1.4 Requirements for management control function 7.2.1.4.1 Management interface Intrusion prevention products shall provide a user interface for management and configuration of intrusion prevention products. The management configuration interface shall contain all the functions needed to configure and manage the product. 7.2.1.4.2 Intrusion event library Intrusion prevention products shall provide an intrusion event library. The event library shall include event name, detailed description, definition, etc. 7.2.1.4.3 Event classification Intrusion prevention products shall classify events according to their severity, so that authorized administrators can capture dangerous events from a large amount of information. 7.2.1.4.4 Event definition Intrusion prevention products shall allow authorized administrators to customize policy events. 7.2.1.4.5 Protocol definition In addition to supporting the default network protocol set, intrusion prevention products shall also allow authorized administrators to define new protocols or relocate the protocol ports. 7.2.1.4.6 Traffic control Intrusion prevention products have the function of controlling abnormal traffic. 7.2.1.4.7 Hardware failure handling Intrusion prevention products shall provide hardware failure handling mechanisms. 7.2.1.4.8 Policy configuration Intrusion prevention products shall provide functions to configure intrusion prevention strategies and response measures. 7.2.1.4.9 Product upgrade Intrusion prevention products shall have the ability to update and upgrade product versions and event libraries. 7.2.3.3.1 Function design Developers shall provide documents explaining the security function design of intrusion prevention products. The functional design shall describe the security function and its external interface in an informal way; describe the purpose and method of using the external security function interface; provide details of exceptions and error messages when needed. 7.2.3.3.2 High-level design Developers shall provide documents explaining the high-level design of the security functions of intrusion prevention products. High-level design shall be expressed in an informal way and be internally consistent. In order to explain the structure of the security function, the high- level design shall decompose the security function into each security function subsystem for description; clarify how to separate the subsystem that helps to strengthen the security function of the intrusion prevention product from other subsystems. For each security function subsystem, the high-level design shall describe the security functions it provides; identify all its interfaces and which interfaces are externally visible; describe the purpose and methods of use of all its interfaces; provide the details of the functions, exceptions, error message of the security function subsystem. The high-level design shall also identify all the basic hardware, firmware, software required by the security of intrusion prevention products; support the protection mechanisms implemented by these hardware, firmware, or software. 7.2.3.3.3 Representation correspondence The developer shall provide a correspondence analysis between all adjacent pairs represented by the security function of the intrusion prevention product. 7.2.3.4 Guiding documents 7.2.3.4.1 Administrator guide The developer shall provide the authorized administrator with an administrator guide including the following: a) Management functions and interfaces that can be used by intrusion prevention product administrators; b) How to securely manage intrusion prevention products; c) The functions and permissions that shall be controlled in the secured development environment of the intrusion prevention product; b) The development security documents shall also provide evidence of security measures implemented during the development and maintenance of intrusion prevention products. 7.2.3.6 Test 7.2.3.6.1 Scope Developers shall provide analysis results of test coverage. The analysis result of test coverage shall show that the test identified in the test document corresponds to the security function described in the security function design; meanwhile the correspondence is complete. 7.2.3.6.2 Test depth The developer shall provide in-depth analysis of the test. In the in-depth analysis, it shall be stated that the test of the security function identified in the test document is sufficient to show that the security function is consistent with the high-level design. 7.2.3.6.3 Function test Developers shall test security functions and provide the following test documents: a) The test document shall include the test plan, test procedures, expected test results and actual test results; b) The test plan shall identify the security functions to be tested and describe the objectives of the test. The test procedure shall identify the tests to be performed and describe the test profile of each security function, which includes the sequential dependence of other test results; c) The expected test result shall show the expected output after the test is successful; d) The actual test results shall show that each tested security function can operate according to requirements. 7.2.3.6.4 Independence test The developer shall provide evidence to prove that the intrusion prevention product provided by the developer has been independently tested and passed by a third-party test. deceive detection, such as IP fragment reassembly, TCP stream reassembly, protocol port relocation, URL string deformation, SHELL deformation. 7.3.1.1.5 Traffic monitoring Intrusion prevention products shall monitor abnormal traffic in the target environment. 7.3.1.2 Requirements for intrusion response function 7.3.1.2.1 Interception capability Intrusion prevention products shall intercept the discovered intrusion in advance, to prevent the intrusion from entering the target network. 7.3.1.2.2 Security alert Intrusion prevention products shall take corresponding actions to issue security alerts when they discover and block intrusions. 7.3.1.2.3 Alert mode The alert methods of intrusion prevention products should adopt one or more methods such as real-time screen prompts, E-mail alerts, sound alerts. 7.3.1.2.4 Event merge Intrusion prevention products shall have the ability to combine alerts for the same security events that occur frequently to avoid alert storms. 7.3.1.3 Requirements for intrusion event audit function 7.3.1.3.1 Event generation Intrusion prevention products shall be able to generate audit records in time for interception behavior. 7.3.1.3.2 Event record Intrusion prevention products shall record and save intercepted intrusion events. The intrusion event information shall at least include the name of the event, the date and time of the event, the source IP address, source port, destination IP address, destination port, hazard level, etc. 7.3.1.3.3 Report generation Intrusion prevention products shall be able to generate detailed results reports. 7.3.1.3.4 Report review Intrusion prevention products shall ensure the security of the event library and version upgrade; ensure that the upgrade package is provided by the developer. 7.3.2.3.4 Self-hiding Intrusion prevention products shall at least provide bridge access methods and take measures such as hiding IP addresses to make themselves invisible on the network, to reduce the possibility of being attacked. 7.3.2.4 Security audit 7.3.2.4.1 Audit data generation Intrusion prevention products shall at least generate audit records for the following auditable events: a) Attempt to log in to the intrusion prevention product management port and manage the identity authentication request; b) All operations to change the security policy; c) All attempts to modify security attributes. At least the date and time of the event, the type of event, the identity of the subject, the result (success or failure) of the event shall be recorded in each audit record. 7.3.2.4.2 Audit review Intrusion prevention products shall provide authorized administrators with the function of reading all audit information from audit records; they can sort audit records. 7.3.2.4.3 Restricted audit access In addition to authorized administrators with clear read access rights, intrusion prevention products shall prohibit unauthorized users from reading audit records. 7.3.3 Product assurance requirements 7.3.3.1 Configuration management 7.3.3.1.1 Configuration management capabilities Developers shall use configuration management systems and provide configuration management documents; meanwhile provide unique identification for different versions of intrusion prevention products. 7.3.3.2.2 Installation generation Developers shall provide documentation explaining the installation, generation and activation of intrusion prevention products. 7.3.3.3 Security function development 7.3.3.3.1 Function design Developers shall provide documents explaining the security function design of intrusion prevention products. The security function design shall describe the security function and its external interface in an informal way; describe the purpose and method of using the external security function interface; provide details of exceptions and error messages when needed. 7.3.3.3.2 High-level design Developers shall provide documents explaining the high-level design of the security functions of intrusion prevention products. The high-level design shall be expressed in an informal way and is internally consistent. In order to explain the structure of the security function, the high- level design shall decompose the security function into various security function subsystems for description; clarify how to separate the subsystems that help strengthen the product security function from other subsystems. For each security function subsystem, the high-level design shall describe the security functions it provides; identify all its interfaces and which interfaces are externally visible; describe the purpose and methods of use of all its interfaces; provide the details of functions, exceptions, error messages of the security function subsystem. The high-level design shall also identify all the basic hardware, firmware and software required by the security of intrusion prevention products; support the protection mechanisms implemented by these hardware, firmware or software. 7.3.3.3.3 Realization of security functions Developers shall provide implementation representations for the selected subset of product security features. The realization means that the product security function shall be defined unambiguously and in detail, so that a subset of the security function can be generated without further design. Implementation representation shall be internally consistent. 7.3.3.3.4 Low-level design function; g) All IT environment security requirements related to authorized administrators. The Administrator guide shall be consistent with all other documents provided for evaluation. 7.3.3.4.2 User guide The developer shall provide a user guide that includes the following: a) Security functions and interfaces available to non-administrative users of intrusion prevention products; b) The usage of security functions and interfaces provided by intrusion prevention products to users; c) All functions and permissions that users can obtain but shall be controlled by the secured processing environment; d) The responsibilities of users in the secured operation of intrusion prevention products; e) All security requirements of the IT environment related to users. The user guide shall be consistent with all other documents provided for evaluation. 7.3.3.5 Development security requirements Developers shall provide development security documents including the following: a) The development security documents shall describe the necessary physical, procedural, personnel and other aspects of the security measures necessary to protect the confidentiality and integrity of the design and implementation of the intrusion prevention product in the development environment of the intrusion prevention product; b) The development of security documents shall also provide evidence of security measures implemented during the development and maintenance of intrusion prevention products. 7.3.3.6 Test 7.3.3.6.1 Scope b) Test evaluation results 1) Intrusion prevention products shall be able to access the network by means of bridges or gateways; 2) Intrusion prevention products shall be able to obtain enough network data packets to analyze intrusion events. 8.3.1.1.2 Protocol analysis Protocol analysis test: a) Test evaluation method 1) Check the security policy configuration document of the intrusion prevention product; check whether the description of the security event has attributes such as protocol type; 2) Check the product manual; find the description of the protocol analysis method; take sample to generate protocol events according to the protocol analysis type declared by the product, to form the attack event test set; 3) Configure the product's intrusion prevention strategy as the maximum strategy set; 4) Send all events in the attack event test set; record the product's detection results. b) Test evaluation results 1) Record the corresponding attack name and type of the product intercepted intrusion; 2) The protocol events that can be monitored in the product manual mainly include the following types: ARP, ICMP, IP, TCP, UDP, RPC, HTTP, FTP, TFTP, SNMP, TELNET, DNS, SMTP, POP3, NETBIOS, NFS, SMB, MSN, P2P, etc.; sampling test shall not find any contradictions; 3) List all intrusion analysis methods supported by the product. 8.3.1.1.3 Intrusion discovery Intrusion discovery test a) Test evaluation method 1) Configure the intrusion prevention strategy of the intrusion prevention b) Test evaluation results 1) Be able to successfully intercept the intrusion; 2) It shall be able to record the corresponding attacks of intercepted intrusions. 8.3.1.3 Intrusion event audit function test 8.3.1.3.1 Event generation Event generation test: a) Test evaluation method 1) Log in to the console interface; 2) Check the management interface, to see if the intrusion interception situation can be viewed in real time and clearly. b) Test evaluation results 1) Has a display interface for viewing intrusion interception events; 2) The display interface has a clear functional area, which can display detailed information of intercepted events. 8.3.1.3.2 Event record Event recording test: a) Test evaluation method 1) Log in to the console interface; 2) View the detailed information of the recorded interception event on the display interface. b) Test evaluation results The detailed information of the intercepted event displayed on the display interface shall include the name of the event, the date and time the event occurred, the source IP address, the source port, the destination IP address, the destination port, the damage level, etc. 8.3.1.4 Management control function test 8.3.1.4.1 Management interface a) Test evaluation method Check what hardware failure handling mechanism the intrusion prevention product has. b) Test evaluation results When the product hardware fails, it shall not affect the smoothness of the network. 8.3.1.4.5 Policy configuration Strategy configuration test: a) Test evaluation method 1) Log in to the product management interface, to view the default policy provided by the product; 2) Check whether to allow editing or modification to generate a new policy; 3) Check whether it can edit or modify the response measures of each policy. b) Test evaluation results 1) The product shall provide a default strategy and can be directly applied; 2) Users shall be allowed to edit policies; 3) Has a wizard function for users to edit policies; 4) Support the import and export of policies; 5) Users shall be allowed to edit different response measures of the policies; 6) Record the types and names of policies provided by the product. 8.3.1.4.6 Product upgrade Product upgrade test: a) Test evaluation method Check the upgrade method of the intrusion signature database. b) Test evaluation results 1) The intrusion signature database can be manually or automatically there is no ambiguity; 2) Configuration items. The configuration items are required to have a unique identification, so as to have a clearer description of the composition of intrusion prevention products. b) Test evaluation results For review records and final results (conformity/nonconformity), the developer shall provide a unique version number and configuration items. 8.3.3.2 Delivery and operation Delivery and operation evaluation: a) Test evaluation method The evaluator shall review whether the developer has provided documentation explaining the process of installation, generation, startup, use of intrusion prevention products. Users can understand the installation, generation, startup and use process through this document. b) Test evaluation results The review records and final results (conformity/nonconformity) shall meet the requirements of the test evaluation method. 8.3.3.3 Security function development 8.3.3.3.1 Function design Functional design evaluation: a) Test evaluation method The evaluator shall review whether the information provided by the developer meets the following requirements: 1) Functional design shall use informal styles to describe product security functions and their external interfaces; 2) The functional design shall be internally consistent; 3) The functional design shall describe the purpose and method of using all external product security functional interfaces; where appropriate, provide details of the results affecting exceptions and error messages; 4) The functional design shall completely express the product security function. administrator guide includes the following: 1) Management functions and interfaces that can be used by intrusion prevention products; 2) How to securely manage intrusion prevention products; 3) Functions and permissions that shall be controlled in a secure...... ......

BASIC DATA
Standard ID GB/T 28451-2023 (GB/T28451-2023)
Description (Translated English) Information security technology -- Technical specification for network intrusion prevention system
Sector / Industry National Standard (Recommended)
Classification of Chinese Standard L80
Classification of International Standard 35.030
Word Count Estimation 40,431
Date of Issue 2023-05-23
Date of Implementation 2023-12-01
Older Standard (superseded by this standard) GB/T 28451-2012
Drafting Organization The Third Research Institute of the Ministry of Public Security, Xi'an Jiaotong University Jabil Network Technology Co., Ltd., Beijing Shenzhou NSFOCUS Technology Co., Ltd., Sangfor Technology Co., Ltd., Venustech Information Technology Group Co., Ltd., Landun Information Security Technology Co., Ltd., Beijing Tianrong Xinxin Network Security Technology Co., Ltd., China Network Security Review Technology and Certification Center, Shanghai Information Security Evaluation and Certification Center, China Electric Power Research Institute Co., Ltd., New H3C Technology Co., Ltd., Qi'an Xinwangshen Information Technology (Beijing) Co., Ltd.
Administrative Organization National Information Security Standardization Technical Committee (SAC/TC 260)
Proposing organization National Information Security Standardization Technical Committee (SAC/TC 260)
Issuing agency(ies) State Administration for Market Regulation, National Standardization Management Committee