GB/T 32917-2016 English PDF (GBT32917-2016)
GB/T 32917-2016: Information security technology -- Security technique requirements and testing and evaluation approaches for WEB application firewall
GB/T 32917-2016
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Security technique
requirements and testing and evaluation approaches
for WEB application firewall
ISSUED ON: AUGUST 29, 2016
IMPLEMENTED ON: MARCH 01, 2017
Issued by: General Administration of Quality Supervision, Inspection and Quarantine; Standardization Administration of PRC.
Table of Contents
Foreword... 4
Introduction... 5
1 Scope... 6
2 Normative references... 6
3 Terms, definitions and abbreviations... 6
3.1 Terms and definitions... 6
3.2 Abbreviations... 7
4 Security technical requirements... 7
4.1 Basic level... 7
4.1.1 Security function requirements... 7
4.1.2 Self-security protection... 10
4.1.3 Security assurance requirements... 11
4.2 Enhanced level... 16
4.2.1 Security function requirements... 16
4.2.2 Self-security protection... 19
4.2.3 Security assurance requirements... 21
4.3 Performance requirements... 26
4.3.1 HTTP throughput... 26
4.3.2 HTTP maximum request rate... 27
4.3.3 Maximum number of concurrent HTTP connections... 27
5 Test evaluation method... 27
5.1 Test environment... 27
5.2 Basic level... 29
5.2.1 Evaluation method for security function requirements test... 29
5.2.2 Self-security protection test evaluation method... 35
5.2.3 Test evaluation methods for security assurance requirements... 40
5.3 Enhanced level... 49
5.3.1 Test evaluation method of security function requirements... 49
5.3.2 Test evaluation method of self-security protection... 56
5.3.3 Test evaluation method of security assurance requirements... 62
5.4 Performance test evaluation method... 72
5.4.1 HTTP throughput... 72
5.4.2 HTTP maximum request rate... 73
5.4.3 Maximum number of concurrent HTTP connections... 73
6 Classification of security technical requirements of WEB application firewall... 74
References... 76
Information security technology - Security technique
requirements and testing and evaluation approaches
for WEB application firewall
1 Scope
This standard specifies the security function requirements, self-security protection requirements, performance requirements and security assurance requirements of WEB application firewalls, and provides the corresponding test evaluation methods.
This standard applies to the design, production, testing and procurement of
WEB application firewalls.
2 Normative references
The following documents are essential to the application of this document. For dated references, only the edition cited applies to this document; for undated references, the latest edition (including all amendments) applies to this standard.
GB/T 25069-2010 Information security technology - Glossary
3 Terms, definitions and abbreviations
3.1 Terms and definitions
The terms and definitions as defined in GB/T 25069-2010 as well as the
following terms and definitions apply to this document.
3.1.1
WEB application firewall
An information security product that, on the basis of pre-defined filtering rules and security protection rules, performs protocol and content filtering on all access requests sent to WEB servers and on the WEB servers' responses, thereby realizing security protection functions for WEB servers and WEB
b) Record alarm events, including: the date and time of the event, the matching rules, a description of the alarm event, etc.
4.1.2 Self-security protection
4.1.2.1 Identification and authentication
4.1.2.1.1 Unique identification
Authorized administrators shall be provided with a unique identity; at the same
time, the authorized administrator’s identity shall be associated with all
auditable events of the authorized administrator.
4.1.2.1.2 Identity authentication
Before performing any operations related to security functions, identify any
administrator who claims to perform the duties of an authorized administrator.
4.1.2.1.3 Authentication data protection
It shall be ensured that the authentication data cannot be accessed or modified without authorization.
4.1.2.1.4 Authentication failure handling
When an administrator's failed authentication attempts reach the specified number, the product shall be able to:
a) Terminate the session.
4.1.2.2 Security audit
4.1.2.2.1 Audit data generation
The following audit logs shall be generated:
a) For all successful and failed WEB access events, audit records shall be generated. The audit log content shall include: the date, time, IP address, requested URL, success or failure identification, and matching rules of each event;
b) The administrator's success and failure identification log; the audit log content shall include: the date, time, IP address, username, and success or failure identification of each event.
4.1.2.2.2 Audit log management function
Management functions such as backup and query of audit data shall be
provided.
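As an added example, not text or code from the standard, the following Python model shows how 4.1.2.1.1, 4.1.2.1.4 and 4.1.2.2.1 b) interact on a WAF's management plane: every administrator login attempt produces an audit record carrying the username and the other fields listed in 4.1.2.2.1 b), and the session is terminated once failed attempts reach the configured number. The `AdminAuthenticator` class, the record field names, the `check_audit_record` helper and the sample credentials are assumptions made for illustration, not part of the standard.

```python
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fields that 4.1.2.2.1 a) and b) require in each audit record, keyed by event type.
# The key names themselves are assumed; the standard only names the information.
REQUIRED_FIELDS = {
    "web_access": {"date", "time", "ip", "url", "result", "rule"},
    "admin_auth": {"date", "time", "ip", "username", "result"},
}


def check_audit_record(rec: dict) -> set:
    """Return the required fields missing from a record (empty set = compliant)."""
    required = REQUIRED_FIELDS.get(rec.get("event"))
    if required is None:
        return {"event"}  # an absent or unknown event type is itself non-compliant
    return required - set(rec)


@dataclass
class AdminAuthenticator:
    """Management-plane login handling modelled on 4.1.2.1 (assumed design)."""
    credentials: dict                  # username -> secret (constructed sample data)
    max_failures: int = 3              # the "specified number" of 4.1.2.1.4
    failures: dict = field(default_factory=dict)   # consecutive failures per user
    audit_log: list = field(default_factory=list)  # records per 4.1.2.2.1 b)

    def _audit(self, ip: str, username: str, result: str) -> None:
        # 4.1.2.1.1: the administrator identity is attached to every auditable event.
        now = datetime.now(timezone.utc)
        self.audit_log.append({
            "event": "admin_auth", "date": now.date().isoformat(),
            "time": now.time().isoformat(timespec="seconds"),
            "ip": ip, "username": username, "result": result,
        })

    def login(self, ip: str, username: str, secret: str) -> str:
        """Return 'ok', 'fail', or 'terminated' (session ended per 4.1.2.1.4 a))."""
        expected = self.credentials.get(username, "")
        if hmac.compare_digest(expected.encode(), secret.encode()):
            self.failures.pop(username, None)   # success resets the failure count
            self._audit(ip, username, "success")
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        self._audit(ip, username, "failure")
        if self.failures[username] >= self.max_failures:
            return "terminated"
        return "fail"
```

An evaluator checking 4.1.2.2.1 can run `check_audit_record` over every record the product emits; any non-empty result names the missing information.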
b) Describe the security domain of the product security function consistent
with the security function requirements;
c) Describe why the initialization process of the product security function is secure;
d) Verify that the product security function can prevent damage;
e) Verify that the product security function can prevent the security feature
from being bypassed.
4.1.3.1.2 Functional specification
The developer shall provide a complete functional specification; the functional
specification shall meet the following requirements.
a) Fully describe the security function of the product;
b) Describe the purpose and usage of all security function interfaces;
c) Identify and describe all parameters related to each security function
interface;
d) Describe the execution behavior of the security function requirements
related to the security function interface;
e) Describe direct error messages caused by security function’s
implementation behaviors and exceptions;
f) Describe the behavior of the security function interfaces that supports, or does not interfere with, the security function requirements;
g) Demonstrate that the security function requirements can be traced to the security function interfaces.
4.1.3.1.3 Product design
Developers shall provide product design documents; the product design
documents shall meet the following requirements.
a) Describe the product structure according to the subsystem;
b) Identify all subsystems of the product security function;
c) Describe the behavior of each sub-system that is not related to security
function requirements in sufficient detail, to determine that it is not related
to security function requirements;
d) Summarize the behavior of the subsystems that supports, or does not interfere with, the security function requirements
a) Describe all the steps necessary to securely receive the delivered product
consistent with the developer's delivery procedure;
b) Describe all the steps necessary to securely install the product and its
operating environment.
4.1.3.3 Life cycle support
4.1.3.3.1 Configuration management capabilities
The developer's configuration management capabilities shall meet the following
requirements.
a) Provide unique identification for different versions of the product;
b) Use the configuration management system to maintain all configuration
items that make up the product; uniquely identify the configuration items;
c) Provide configuration management documents, which describe methods...