1
/
von
12
PayPal, credit cards. Download editable-PDF and invoice in 1 second!
GB/T 20281-2020 English PDF (GBT20281-2020)
GB/T 20281-2020 English PDF (GBT20281-2020)
Normaler Preis
$575.00 USD
Normaler Preis
Verkaufspreis
$575.00 USD
Grundpreis
/
pro
Versand wird beim Checkout berechnet
Verfügbarkeit für Abholungen konnte nicht geladen werden
Delivery: 3 seconds. Download true-PDF + Invoice.
Get QUOTATION in 1-minute: Click GB/T 20281-2020
Historical versions: GB/T 20281-2020
Preview True-PDF (Reload/Scroll if blank)
GB/T 20281-2020: Information security technology -- Security technical requirements and testing assessment approaches for firewall
GB/T 20281-2020
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 20010-2005, GB/T 20281-2015, GB/T 31505-2015 and
GB/T 32917-2016
Information Security Technology - Security Technical
Requirements and Testing Assessment Approaches
for Firewall
ISSUED ON: APRIL 28, 2020
IMPLEMENTED ON: NOVEMBER 1, 2020
Issued by: State Administration for Market Regulation;
Standardization Administration of the People’s Republic of
China.
Table of Contents
Foreword ... 3
1 Scope ... 5
2 Normative References ... 5
3 Terms and Definitions... 5
4 Abbreviations ... 6
5 Overview ... 7
6 Security Technical Requirements ... 8
7 Testing and Assessment Methods ... 28
Appendix A (normative) Classification of Firewalls and Security Technical
Requirements... 83
Appendix B (normative) Classification of Firewalls and Testing and Assessment
Methods ... 91
Information Security Technology - Security Technical
Requirements and Testing Assessment Approaches
for Firewall
1 Scope
This Standard specifies the classification, security technical requirements, and testing
assessment methods for firewall.
This Standard is applicable to the design, development and testing of firewall.
2 Normative References
The following documents are indispensable to the application of this document. In
terms of references with a specified date, only versions with a specified date are
applicable to this document. In terms of references without a specified date, the latest
version (including all the modifications) is applicable to this document.
GB/T 18336.3-2015 Information Technology - Security Techniques - Evaluation Criteria
for IT Security - Part 3: Security Assurance Components
GB/T 25069-2010 Information Security Technology - Glossary
3 Terms and Definitions
What is defined in GB/T 25069-2010, and the following terms and definitions are
applicable to this document.
3.1 Firewall
Firewall refers to a network security product that analyzes the passing data flow and
implements access control and security protection functions.
NOTE: in accordance with different security purposes and implementation principles, it is
generally divided into network-based firewall, WEB application firewall, database
firewall and host-based firewall, etc.
3.2 Network-based Firewall
Network-based firewall is a network security product that is deployed between different
security domains, analyzes the passing data flow, and possess network layer and
application layer access control, and security protection functions.
6.1.1.2.1 Static routing
The products shall support the function of static routing and be able to configurate
static routing.
6.1.1.2.2 Policy routing
Products with multiple network interfaces with the same attributes (multiple external
network interfaces, multiple internal network interfaces or multiple DMZ network
interfaces) shall support the function of policy routing, which include, but are not limited
to:
a) Source and destination IP-based policy routing;
b) Interface-based policy routing;
c) Protocol and port-based policy routing;
d) Application type-based policy routing;
e) Multi-link load-based automatic routing selection.
6.1.1.2.3 Dynamic routing
The products shall support the function of dynamic routing, which includes one or
multiple dynamic routing protocols in RIP, OSPF or BGP.
6.1.1.3 High availability
6.1.1.3.1 Redundant deployment
The products shall support one or multiple redundant deployment modes in “master-
standby”, “master-master” or “cluster”.
6.1.1.3.2 Load balancing
The products shall support the function of load balancing and be able to balance
network traffic to multiple servers based on security policies.
6.1.1.4 Device virtualization (optional)
6.1.1.4.1 Virtual system
If the products support logical division into multiple virtual subsystems, isolation and
independent management shall be supported among the virtual subsystems, which
include, but are not limited to:
a) Respectively set up administrators for the virtual subsystems, so as to
implement management configuration to the virtual subsystems;
b) Tunnel: encapsulate IPv6 in IPv4 to traverse IPv4 network, such as: IPv6 over
IPv4, IPv6 to IPv4, ISATAP, etc.
6.1.2 Network layer access
6.1.2.1 Access control
6.1.2.1.1 Packet filtering
The requirements for the products’ packet filtering function are as follows:
a) Security policy shall adopt the principle of least security, namely, unless
explicitly permitted, otherwise prohibited;
b) Security policy shall include source IP address and destination IP address-
based access control;
c) Security policy shall include source port and destination port-based access
control;
d) Security policy shall include protocol type-based access control;
e) Security policy shall include MAC address-based access control;
f) Security policy shall include time-based access control;
g) Support user-defined security policy, which includes some or all combinations
of MAC address, IP address, port, protocol type and time.
6.1.2.1.2 Network address translation
The requirements for the products’ network address translation are as follows:
a) Support SNAT and DNAT;
b) SNAT shall implement “many-to-one” address translation, so that when the
internal network host accesses the external network, its source IP address is
translated;
c) DNAT shall implement “one-to-many” address translation, which maps the IP
address / port of DMZ to the legal IP address / port of the external network,
so that the external network host can implement access to the DMZ server by
accessing the mapped address and port;
d) Support dynamic SNAT technology; implement “many-to-many” SNAT.
6.1.2.1.3 State detection
The products shall support state detection technology-based packet filtering function
The products shall support the user authentication-based network access control
function, which includes, but is not limited to:
a) Local user authentication mode;
b) Authentication mode that combines third-party authentication systems, such
as: Radius and LDAP server-based authentication.
6.1.3.2 Application type control
The products shall support identification and control of various application types based
on application characteristics, which include, but are not limited to:
a) HTTP protocol;
b) Database protocol;
c) Commonly seen protocols: FTP, TELNET, SMTP, POP3 and IMAP;
d) Instant chat, P2P, network streaming, online games, stock trading and other
applications;
e) Applications with escape or tunnel encryption characteristics, for example,
encryption proxy applications;
f) Customized applications.
6.1.3.3 Application content control
6.1.3.3.1 WEB application
The products shall support the control of access to WEB application based on the
following content, which includes, but is not limited to:
a) URL; have a library of classified websites;
b) Keywords of HTTP transfer content;
c) HTTP request modes, including GET, POST, PUT and HEAD, etc.;
d) HTTP request file type;
e) Length of each field in HTTP protocol head, including general-header,
request-header and response-header, etc.;
f) HTTP upload file type;
g) HTTP request frequency;
h) Response content returned by HTTP, for example, error message returned by
and destination port, etc.;
3) Description of attack event.
c) Log management: <...
Get QUOTATION in 1-minute: Click GB/T 20281-2020
Historical versions: GB/T 20281-2020
Preview True-PDF (Reload/Scroll if blank)
GB/T 20281-2020: Information security technology -- Security technical requirements and testing assessment approaches for firewall
GB/T 20281-2020
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 20010-2005, GB/T 20281-2015, GB/T 31505-2015 and
GB/T 32917-2016
Information Security Technology - Security Technical
Requirements and Testing Assessment Approaches
for Firewall
ISSUED ON: APRIL 28, 2020
IMPLEMENTED ON: NOVEMBER 1, 2020
Issued by: State Administration for Market Regulation;
Standardization Administration of the People’s Republic of
China.
Table of Contents
Foreword ... 3
1 Scope ... 5
2 Normative References ... 5
3 Terms and Definitions... 5
4 Abbreviations ... 6
5 Overview ... 7
6 Security Technical Requirements ... 8
7 Testing and Assessment Methods ... 28
Appendix A (normative) Classification of Firewalls and Security Technical
Requirements... 83
Appendix B (normative) Classification of Firewalls and Testing and Assessment
Methods ... 91
Information Security Technology - Security Technical
Requirements and Testing Assessment Approaches
for Firewall
1 Scope
This Standard specifies the classification, security technical requirements, and testing
assessment methods for firewall.
This Standard is applicable to the design, development and testing of firewall.
2 Normative References
The following documents are indispensable to the application of this document. In
terms of references with a specified date, only versions with a specified date are
applicable to this document. In terms of references without a specified date, the latest
version (including all the modifications) is applicable to this document.
GB/T 18336.3-2015 Information Technology - Security Techniques - Evaluation Criteria
for IT Security - Part 3: Security Assurance Components
GB/T 25069-2010 Information Security Technology - Glossary
3 Terms and Definitions
What is defined in GB/T 25069-2010, and the following terms and definitions are
applicable to this document.
3.1 Firewall
Firewall refers to a network security product that analyzes the passing data flow and
implements access control and security protection functions.
NOTE: in accordance with different security purposes and implementation principles, it is
generally divided into network-based firewall, WEB application firewall, database
firewall and host-based firewall, etc.
3.2 Network-based Firewall
Network-based firewall is a network security product that is deployed between different
security domains, analyzes the passing data flow, and possess network layer and
application layer access control, and security protection functions.
6.1.1.2.1 Static routing
The products shall support the function of static routing and be able to configurate
static routing.
6.1.1.2.2 Policy routing
Products with multiple network interfaces with the same attributes (multiple external
network interfaces, multiple internal network interfaces or multiple DMZ network
interfaces) shall support the function of policy routing, which include, but are not limited
to:
a) Source and destination IP-based policy routing;
b) Interface-based policy routing;
c) Protocol and port-based policy routing;
d) Application type-based policy routing;
e) Multi-link load-based automatic routing selection.
6.1.1.2.3 Dynamic routing
The products shall support the function of dynamic routing, which includes one or
multiple dynamic routing protocols in RIP, OSPF or BGP.
6.1.1.3 High availability
6.1.1.3.1 Redundant deployment
The products shall support one or multiple redundant deployment modes in “master-
standby”, “master-master” or “cluster”.
6.1.1.3.2 Load balancing
The products shall support the function of load balancing and be able to balance
network traffic to multiple servers based on security policies.
6.1.1.4 Device virtualization (optional)
6.1.1.4.1 Virtual system
If the products support logical division into multiple virtual subsystems, isolation and
independent management shall be supported among the virtual subsystems, which
include, but are not limited to:
a) Respectively set up administrators for the virtual subsystems, so as to
implement management configuration to the virtual subsystems;
b) Tunnel: encapsulate IPv6 in IPv4 to traverse IPv4 network, such as: IPv6 over
IPv4, IPv6 to IPv4, ISATAP, etc.
6.1.2 Network layer access
6.1.2.1 Access control
6.1.2.1.1 Packet filtering
The requirements for the products’ packet filtering function are as follows:
a) Security policy shall adopt the principle of least security, namely, unless
explicitly permitted, otherwise prohibited;
b) Security policy shall include source IP address and destination IP address-
based access control;
c) Security policy shall include source port and destination port-based access
control;
d) Security policy shall include protocol type-based access control;
e) Security policy shall include MAC address-based access control;
f) Security policy shall include time-based access control;
g) Support user-defined security policy, which includes some or all combinations
of MAC address, IP address, port, protocol type and time.
6.1.2.1.2 Network address translation
The requirements for the products’ network address translation are as follows:
a) Support SNAT and DNAT;
b) SNAT shall implement “many-to-one” address translation, so that when the
internal network host accesses the external network, its source IP address is
translated;
c) DNAT shall implement “one-to-many” address translation, which maps the IP
address / port of DMZ to the legal IP address / port of the external network,
so that the external network host can implement access to the DMZ server by
accessing the mapped address and port;
d) Support dynamic SNAT technology; implement “many-to-many” SNAT.
6.1.2.1.3 State detection
The products shall support state detection technology-based packet filtering function
The products shall support the user authentication-based network access control
function, which includes, but is not limited to:
a) Local user authentication mode;
b) Authentication mode that combines third-party authentication systems, such
as: Radius and LDAP server-based authentication.
6.1.3.2 Application type control
The products shall support identification and control of various application types based
on application characteristics, which include, but are not limited to:
a) HTTP protocol;
b) Database protocol;
c) Commonly seen protocols: FTP, TELNET, SMTP, POP3 and IMAP;
d) Instant chat, P2P, network streaming, online games, stock trading and other
applications;
e) Applications with escape or tunnel encryption characteristics, for example,
encryption proxy applications;
f) Customized applications.
6.1.3.3 Application content control
6.1.3.3.1 WEB application
The products shall support the control of access to WEB application based on the
following content, which includes, but is not limited to:
a) URL; have a library of classified websites;
b) Keywords of HTTP transfer content;
c) HTTP request modes, including GET, POST, PUT and HEAD, etc.;
d) HTTP request file type;
e) Length of each field in HTTP protocol head, including general-header,
request-header and response-header, etc.;
f) HTTP upload file type;
g) HTTP request frequency;
h) Response content returned by HTTP, for example, error message returned by
and destination port, etc.;
3) Description of attack event.
c) Log management: <...
Share
