GB/T 28454-2020 English PDF (GBT28454-2020)
GB/T 28454-2020: Information technology -- Security techniques -- Selection, deployment and operation of intrusion detection and prevention systems (IDPS)
GB/T 28454-2020
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 28454-2012
Information technology - Security techniques - Selection,
deployment and operation of intrusion detection and
prevention system (IDPS)
(ISO/IEC 27039:2015, MOD)
ISSUED ON: APRIL 28, 2020
IMPLEMENTED ON: NOVEMBER 01, 2020
Issued by: State Administration for Market Regulation;
National Standardization Administration.
Table of Contents
Foreword ... 3
Introduction ... 6
1 Scope ... 8
2 Normative references ... 8
3 Terms and definitions ... 9
4 Abbreviations ... 15
5 Background ... 16
6 General principles ... 17
7 Selection ... 18
7.1 Introduction ... 18
7.2 Information security risk assessment ... 18
7.3 Host or network IDPS ... 19
7.4 Considerations ... 20
7.5 Tools to supplement IDPS ... 28
7.6 Scalability ... 33
7.7 Technical support ... 33
7.8 Training ... 34
8 Deployment ... 34
8.1 General ... 34
8.2 Phased deployment ... 36
8.3 NIDPS deployment ... 36
8.4 HIDPS deployment ... 39
8.5 Protection of IDPS information security ... 40
9 Operations ... 41
9.1 General ... 41
9.2 IDPS tuning ... 41
9.3 IDPS vulnerability ... 42
9.4 Handling IDPS alarms ... 42
9.5 Response options ... 45
9.6 Legal considerations ... 45
Appendix A (Informative) Intrusion detection and prevention systems (IDPS):
Framework and issues to consider ... 47
References ... 71
Information technology - Security techniques - Selection,
deployment and operation of intrusion detection and
prevention system (IDPS)
1 Scope
This standard gives guidance for organizations to deploy intrusion detection and
prevention systems (IDPS). This standard details the selection, deployment, and
operation of IDPS. This standard also provides the background information on which
these guidelines are developed.
This standard is applicable to organizations preparing to deploy intrusion detection and
prevention systems (IDPS).
2 Normative references
The following documents are essential to the application of this document. For the dated
documents, only the versions with the dates indicated are applicable to this document;
for the undated documents, only the latest version (including all the amendments) is
applicable to this standard.
GB/T 18336 (all parts) Information technology - Security techniques - Evaluation
criteria for IT security [ISO/IEC 15408 (all parts)]
GB/T 20275 Information security technology - Technical requirements and testing
and evaluation approaches for network-based intrusion detection system
GB/T 20985.1-2017 Information technology - Security techniques - Information
security incident management - Part 1: Principles of incident management (ISO/IEC
27035-1:2006, IDT)
GB/T 25068.2 Information technology - Security techniques - Network security -
Part 2: Guidelines for the design and implementation of network security (ISO/IEC
18028-2:2006, IDT)
GB/T 28451 Information security technology - Technical requirements and testing
and evaluation approaches for network-based intrusion prevention system products
GB/T 29246-2017 Information technology - Security techniques - Information
security management systems - Overview and vocabulary (ISO/IEC 27000:2016,
7 Selection
7.1 Introduction
There are many types of IDPS products to choose from, ranging from free products (which
can be deployed on low-cost hosts) to more expensive commercial products (which require
the latest hardware). Because the choice is so wide, the organization's needs have to be
considered comprehensively in order to select the product that best meets its
requirements. In addition, different IDPS products have compatibility issues. When the
same organization uses different IDPS products (for example because organizational
mergers or wide geographical distribution force it to), it also needs to pay attention to
the integration of those different IDPS.
The IDPS manual provided by the supplier lists the types of attacks that the IDPS can
detect, but it cannot describe how well the IDPS detects intrusions in high-traffic
networks, nor how difficult it is to deploy, operate and maintain the IDPS in such
networks. Without an understanding of the organization's network traffic, it is
impossible to describe accurately how well the IDPS can avoid false negatives and false
positives. At the same time, the active response and passive response capabilities of
the IDPS also need to be evaluated independently against the organization's own
requirements (here the need for deep packet inspection and reassembly is the main
consideration, rather than network performance and cost). Therefore, relying only on
the supplier's IDPS manual is not enough to understand the capabilities of the IDPS;
IDPS products need to be selected according to the organization's own needs.
GB/T 18336 can be used for third-party evaluation of IDPS. In that case, unlike the
IDPS manual, the "security target" document describes the performance of the IDPS
more accurately and reliably, which makes it an important consideration in selecting an
IDPS.
During the IDPS selection process, attention needs to be focused on the relevant factors
given in 7.2 to 7.7.
7.2 Information security risk assessment
Before selecting an IDPS, an information security risk assessment first needs to be
conducted based on the relevant factors (such as the nature of the information handled
by the information system, how this information needs to be protected, the type of
communication systems used, and other operational and environmental factors), in order
to identify the attacks and intrusions (threats) to the organization's information
systems (which may have vulnerabilities). Then, based on the organization's information
security objectives, low-cost controls that can effectively reduce the risks are
identified for these potential threats. These controls can serve as the basis for
selecting an IDPS.
Note: Information security risk assessment and management is the subject of GB/T 22080.
After the IDPS is installed and operational, the risk management process needs to be
carried out continuously, following changes in system operations and in the threat
environment, so that the effectiveness of the controls is reviewed periodically.
7.3 Host or network IDPS
7.3.1 Overview
The deployment of IDPS needs to be based on the organization's information security
risk assessment and asset protection priorities. At the same time, when selecting an
IDPS, the most effective way for the IDPS to monitor the situation needs to be studied;
that is, NIDPS and HIDPS are chosen to be deployed together: first deploy NIDPS in
stages (because NIDPS installation and maintenance are usually the easiest), then deploy
HIDPS on the key servers.
Each option has its advantages and disadvantages. For example, when the IDPS is
deployed outside the external firewall, because the external firewall can effectively
block a large number of the alarm events that would otherwise need to be examined, the
IDPS does not need to conduct in-depth analysis of most alarm events.
Where there are security level requirements for IDPS products, GB/T 20275 and
GB/T 28451 are followed.
7.3.2 Network-based IDPS (NIDPS)
When deploying NIDPS, place sensors mainly in the following locations:
- Inside the exte...