GB/T 28451-2012 English PDF (GBT28451-2012)

GB/T 28451-2012: Information security technology -- Technical requirements and testing and evaluation approaches for network-based intrusion prevention system products
ICS 35.020
L80
National Standard of the People's Republic of China
Information security technology. Technical requirements and testing and evaluation approaches for network-based intrusion prevention products
Issued on 2012-06-29
Implemented on 2012-10-01
Issued by the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China and the Standardization Administration of China
Table of contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Composition of technical requirements for intrusion prevention products
5.1 Composition description
5.2 Classification of functional and security requirements
6 Composition of intrusion prevention products
6.1 Intrusion event analysis unit
6.2 Intrusion response unit
6.3 Intrusion event audit unit
6.4 Management control unit
7 Technical requirements for intrusion prevention products
7.1 First level
7.2 Level 2
7.3 Level 3
7.4 Performance requirements
8 Evaluation methods for intrusion prevention products
8.1 Test environment
8.2 Test tools
8.3 First level
8.4 Level 2
8.5 Level 3
8.6 Performance test
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Please note that certain contents of this document may involve patents. The issuing agency of this document is not responsible for identifying these patents.
This standard was proposed by and is under the administration of the National Information Security Standardization Technical Committee (SAC/TC260).
Drafting organizations of this standard: Computer Information System Security Product Quality Supervision and Inspection Center of the Ministry of Public Security, Beijing Venustech Information Security Technology Co., Ltd., Beijing Shenzhou NSFOCUS Technology Co., Ltd., Fujian Strait Information Technology Co., Ltd., Shenyang Neusoft System Integration Engineering Co., Ltd., Beijing Anshi Lingxin Technology Development Co., Ltd., Wangyu Shenzhou Technology (Beijing) Co., Ltd.
The main drafters of this standard: Shen Liang, Gu Jianxin, Yu You, Gu Jian, Yuan Zhihui, Han Peng, Zhang Zhangxue, Yu Jiang, Du Yongfeng, Duan Jiping.
Information security technology. Technical requirements and testing and evaluation methods for network-based intrusion prevention products
1 Scope
This standard specifies the functional requirements, the product's own security requirements and the product assurance requirements of network-based intrusion prevention products, and proposes classification requirements for intrusion prevention products.
This standard applies to the design, development, testing and evaluation of network-based intrusion prevention products.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB 17859-1999 Classification criteria for security protection grades of computer information systems
GB/T 25069-2010 Information Security Technical Terms
3 Terms and definitions
The following terms and definitions defined in GB/T 25069-2010 and GB 17859-1999 apply to this document.
3.1
Network-based intrusion prevention products
A product deployed in the network path as a bridge or gateway, which identifies network behavior with intrusion characteristics by analyzing network traffic and intercepts it before it reaches the protected network.
3.2
TCP stream reassembly
Evasion behavior in which an attacker spreads the attack data across multiple packets within one session connection so that the intrusion prevention system does not detect it.
3.3
SHELL code deformation
Evasion behavior in a buffer overflow attack in which the attacker replaces the original program instructions with alternative instructions and combines them in a pseudo-random manner so that the intrusion prevention system does not detect them.
3.4
administrator
A collective term for authorized operators, security officers, and auditors who use intrusion prevention products.
3.5
Alert
An emergency notification sent to the user when an intrusion prevention product detects an intrusion.
3.6
Miscut
A situation in which an intrusion prevention product intercepts a session although no attack is occurring. The case in which, when an attack occurs, no alert or an incorrect alert is issued does not affect the actual intrusion interception effect, so the definition in this standard does not include that case.
3.7
Missed cut
A situation in which an attack that the product supports detecting occurs and the intrusion prevention product fails to intercept it.
4 Abbreviations
5 Composition of technical requirements for intrusion prevention products
5.1 Composition description
5.1.1 First level
This level specifies the minimum security requirements for intrusion prevention products. The product has basic protocol analysis, intrusion detection and interception capabilities and generates records of intrusion events, and it restricts configuration of product functions and access to data through simple user identification and authentication, so that users have a discretionary security protection capability that prevents unauthorized users from harming the intrusion prevention product and protects its normal operation.
5.1.2 Level 2
This level requires the division of security management roles to refine the management of intrusion prevention products. An audit function is added so that the actions of authorized administrators are traceable. In addition to intrusion detection and interception, the product is required to raise timely alerts, to generate and output reports from the event records, and to provide a hardware failure handling mechanism.
5.1.3 Level 3
This level requires intrusion prevention products to provide general external interfaces and report customization from templates, and also requires functions such as multiple authentication mechanisms, secure upgrade, self-hiding and load balancing. It places higher requirements on the product's own security and provides stronger protection for the product's normal operation.
5.1.4 Performance
This item specifies the performance requirements of intrusion prevention products, covering all levels.
5.2 Classification of functional and safety requirements
The security classification of intrusion prevention products is shown in Table 1 and Table 2. A product's grade is determined from Table 1 and Table 2 together with a comprehensive assessment of the product assurance requirements: a first-level intrusion prevention product shall meet all items marked for first-level products in Table 1 and Table 2, as well as the assurance requirements for first-level products; a second-level intrusion prevention product shall meet all items marked for second-level products in Table 1 and Table 2, as well as the assurance requirements for second-level products; a third-level intrusion prevention product shall meet all items marked for third-level products in Table 1 and Table 2, as well as the assurance requirements for third-level products.
Table 1 Classification table of functional requirements of intrusion prevention products
6 Composition of intrusion prevention products
6.1 Intrusion event analysis unit
Use relevant analysis and detection technology to extract and analyze all the data flowing into the target network.
6.2 Intrusion Response Unit
Intercept and respond to the intrusion according to the defined strategy.
6.3 Intrusion event audit unit
When an intrusion event that violates the security policy occurs, the time, subject and object of the event are recorded and counted.
6.4 Management control unit
Responsible for customizing the intrusion prevention product's policy, reviewing logs and managing product status, and presenting these to authorized users in a visual form for management.
7 Technical requirements for intrusion prevention products
7.1 First level
7.1.1 Product functional requirements
7.1.1.1 Intrusion event analysis function requirements
7.1.1.1.1 Data collection
Intrusion prevention products should have the ability to collect all data packets flowing into the target network in real time.
7.1.1.1.2 Protocol analysis
Intrusion prevention products should perform protocol analysis on the collected data packets.
7.1.1.1.3 Intrusion Discovery
Intrusion prevention products should be able to detect intrusions within the analyzed protocols.
7.1.1.1.4 Flow Monitoring
Intrusion prevention products should monitor abnormal traffic in the target environment.
7.1.1.2 Intrusion response function requirements
Intrusion prevention products should intercept discovered intrusions before they enter the target network.
7.1.1.3 Intrusion event audit function requirements
7.1.1.3.1 Event generation
Intrusion prevention products should be able to generate audit records in time for interception behavior.
7.1.1.3.2 Event Record
Intrusion prevention products should record and save intercepted intrusion events. The intrusion event information should at least include the event name, date and time, source IP address, source port, destination IP address, destination port and harm level.
7.1.1.4 Management control function requirements
7.1.1.4.1 Management interface
Intrusion prevention products should provide a user interface for managing and configuring the product. The management and configuration interface should include all the functions needed to configure and manage the product.
7.1.1.4.2 Intrusion Event Library
Intrusion prevention products should provide an intrusion event library. The event library should include event name, detailed description, definition, etc.
7.1.1.4.3 Event classification
Intrusion prevention products should classify events according to their severity, so that authorized administrators can identify dangerous events among a large amount of information.
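The following is an added example, not code from the standard or from any product it covers: it validates the minimum fields an intercepted-event record must carry under 7.1.1.3.2 and then filters conforming records by harm level as 7.1.1.4.3 asks. The field names, the four-step severity scale and the sample records are assumptions constructed for the example; the standard names none of them.

```python
# Added example, not part of GB/T 28451-2012: validates the minimum fields of an
# intercepted-event record (7.1.1.3.2) and filters by harm level (7.1.1.4.3).
# Field names and the severity scale are assumptions; the standard names neither.
import ipaddress
from datetime import datetime

REQUIRED_FIELDS = ("event_name", "timestamp", "src_ip", "src_port",
                   "dst_ip", "dst_port", "harm_level")
HARM_LEVELS = ("low", "medium", "high", "critical")   # assumed scale

def validate_event(rec):
    """Return a list of problems; an empty list means the record conforms."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in rec]
    if problems:
        return problems
    try:
        datetime.fromisoformat(rec["timestamp"])   # date and time of the event
    except (TypeError, ValueError):
        problems.append("timestamp is not an ISO 8601 date and time")
    for key in ("src_ip", "dst_ip"):
        try:
            ipaddress.ip_address(rec[key])
        except ValueError:
            problems.append(f"{key} is not a valid IP address")
    for key in ("src_port", "dst_port"):
        if not (isinstance(rec[key], int) and 0 <= rec[key] <= 65535):
            problems.append(f"{key} is not a valid port number")
    if rec["harm_level"] not in HARM_LEVELS:
        problems.append("harm_level is not a known severity")
    return problems

def classify(events, minimum="high"):
    """Conforming events at or above `minimum` harm level, most severe first."""
    rank = {lvl: i for i, lvl in enumerate(HARM_LEVELS)}
    kept = [e for e in events
            if not validate_event(e) and rank[e["harm_level"]] >= rank[minimum]]
    return sorted(kept, key=lambda e: rank[e["harm_level"]], reverse=True)

# Constructed sample records; the second one is missing its destination port.
SAMPLE_EVENTS = [
    {"event_name": "TCP stream reassembly evasion", "timestamp": "2012-10-01T08:00:00",
     "src_ip": "198.51.100.7", "src_port": 51000, "dst_ip": "192.0.2.10",
     "dst_port": 80, "harm_level": "high"},
    {"event_name": "buffer overflow attempt", "timestamp": "2012-10-01T08:00:05",
     "src_ip": "198.51.100.9", "src_port": 51001, "dst_ip": "192.0.2.11",
     "harm_level": "critical"},
    {"event_name": "port scan", "timestamp": "2012-10-01T08:01:00",
     "src_ip": "198.51.100.8", "src_port": 40000, "dst_ip": "192.0.2.10",
     "dst_port": 22, "harm_level": "low"},
]
```

A record that fails validation is never surfaced by `classify`, so an incomplete record cannot hide a critical event among the conforming ones without being noticed by the validator first.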
7.1.1.4.4 Hardware failure handling
Intrusion prevention products should provide hardware failure handling mechanisms.
7.1.1.4.5 Policy configuration
Intrusion prevention products should provide functions to configure intrusion prevention strategies and response measures.
7.1.1.4.6 Product upgrade
Intrusion prevention products should have the ability to update and upgrade the product event database.
7.1.1.4.7 Management interface independence
Intrusion prevention products should have independent management interfaces.
7.1.2 Product safety requirements
7.1.2.1 Identification and authentication
7.1.2.1.1 User authentication
Intrusion prevention products should authenticate users before they perform any operations related to security functions.
7.1.2.1.2 Treatment of authentication failure
Intrusion prevention products should prevent users from further attempts after user authentication attempts have failed consecutively for a specified number of times.
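One way to implement the authentication-failure handling of 7.1.2.1.2, as an added example that is not code from the standard or from any product: consecutive failures are counted per user, a success resets the count, and once the threshold is reached further attempts are refused even with a correct credential. The threshold, the lockout duration and the injectable clock are assumptions; the standard only says "a specified number of times".

```python
"""Added example (not from GB/T 28451-2012): consecutive-failure lockout for
7.1.2.1.2.  max_failures and lockout_seconds are assumed values; the standard
leaves the number of permitted attempts to the product."""
import time

class AuthFailureGuard:
    """Track consecutive failed authentications per user and stop further
    attempts once the count reaches the configured threshold."""
    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock          # injectable so tests can advance time
        self.failures = {}          # user -> consecutive failure count
        self.locked_until = {}      # user -> time at which the lock expires

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:   # lock expired: clear it and the streak
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def attempt(self, user, credential_ok):
        """Return True only if the attempt is accepted.  A locked user is
        refused even with a correct credential, so attempts cannot continue."""
        if self.is_locked(user):
            return False
        if credential_ok:
            self.failures.pop(user, None)   # a success resets the streak
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = self.clock() + self.lockout_seconds
        return False
```

Because the check happens before the credential is evaluated, a locked account gives the same refusal for right and wrong credentials, which also satisfies the authentication-data protection intent of 7.1.2.1.3.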
7.1.2.1.3 Authentication data protection
Intrusion prevention products should protect the authentication data from unauthorized access and modification.
7.1.2.2 User Management
7.1.2.2.1 Identification uniqueness
Intrusion prevention products should ensure that the set user ID is globally unique.
7.1.2.2.2 User attribute definition
Intrusion prevention products should maintain a security attribute table for each user. The attributes should include the user identifier, authentication data, authorization information or user group information, and other security attributes.
7.1.2.3 Security function protection
Intrusion prevention products should restrict access to event data to designated authorized users and prohibit other users from operating on event data.
7.1.3 Product assurance requirements
7.1.3.1 Configuration Management
Developers should provide unique identifiers for different versions of intrusion prevention products.
Each version of intrusion prevention products should use their unique identification as a label.
7.1.3.2 Delivery and operation
Developers should provide documentation explaining the installation, generation and activation of intrusion prevention products.
7.1.3.3 Safety function development
7.1.3.3.1 Function design
Developers should provide documents explaining the security function design of intrusion prevention products.
The functional design should describe the security functions and their external interfaces in an informal style, describe the purpose and method of using each external security function interface and, where needed, provide details of exceptions and error messages.
7.1.3.3.2 Representation correspondence
The developer should provide a correspondence analysis between all adjacent pairs represented by the security function of the intrusion prevention product.
7.1.3.4 Guiding documents
7.1.3.4.1 Administrator Guide
The developer should provide the authorized administrator with an administrator guide including the following.
a) Management functions and interfaces that can be used by intrusion prevention products;
b) How to safely manage intrusion prevention products;
c) The functions and permissions that should be controlled in the safe processing environment;
d) All assumptions about user behavior related to the safe operation of intrusion prevention products;
e) All security parameters controlled by the administrator, if possible, should indicate the security value;
f) Every security-related event related to the management function, including changes to the security features of the entity controlled by the security function;
g) All IT environment security requirements related to authorized ad...