GB 40050-2021 English PDF (GB40050-2021)
GB 40050-2021: Critical network devices security common requirements
GB 40050-2021
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
CCS L 80
Critical network devices security common requirements
ISSUED ON: FEBRUARY 20, 2021
IMPLEMENTED ON: AUGUST 01, 2021
Issued by: State Administration for Market Regulation;
Standardization Administration of PRC.
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Security function requirements
5.1 Device identification security
5.2 Redundancy, backup recovery and anomaly detection
5.3 Prevention of vulnerabilities and malicious programs
5.4 Security of startup and update of pre-installed software
5.5 User identification and authentication
5.6 Access control security
5.7 Log audit security
5.8 Communication security
5.9 Data security
5.10 Password requirements
6 Security guarantee requirements
6.1 Design and development
6.2 Production and delivery
6.3 Operation and maintenance
References
Critical network devices security common requirements
1 Scope
This document specifies the general security function requirements and security assurance requirements for critical network devices.
This document applies to critical network devices. It provides a basis for network operators when purchasing critical network devices, and is also suitable for guiding the research and development, testing, and service of critical network devices.
2 Normative references
The provisions of the following documents become provisions of this Standard through reference in this Standard. For dated references, subsequent amendments (excluding corrections) or revisions do not apply to this Standard; however, parties who reach an agreement based on this Standard are encouraged to investigate whether the latest versions of these documents are applicable. For undated references, the latest edition of the referenced document applies.
GB/T 25069 Information security technology - Glossary
3 Terms and definitions
The terms and definitions defined in GB/T 25069, as well as the following terms and definitions, apply to this document.
3.1
Component
A module or part that is composed of several parts assembled together and that realizes a specific function.
3.2
Malicious program
A program specifically designed to attack a system, or to damage or destroy the confidentiality, integrity, or availability of a system.
5 Security function requirements
5.1 Device identification security
The identification of critical network devices shall meet the following security requirements.
a) The device as a whole and its main components shall have unique identification.
Note 1: Common main components of routers and switches: main control board, service board, switching fabric board, fan module, power supply, storage board for system software, hard disk or flash memory card, etc. Common main components of servers: central processing unit, hard disk, memory, fan module, power supply, etc.
Note 2: Common unique identification methods: serial number, etc.
b) Different versions of pre-installed software and of patch packages/upgrade packages shall be uniquely identified.
Note 3: Common unique identification method for versions: version number, etc.
5.2 Redundancy, backup recovery and anomaly detection
The redundancy, backup recovery and anomaly detection functions of critical network devices shall meet the following security requirements.
a) The device as a whole shall support active-standby switching, or its key components shall support redundancy, and automatic switching shall be provided. When the device or a key component is abnormal, it switches to the redundant device or redundant component to reduce the security risk.
Note: Common key components of routers and switches that support redundancy: main control board, switching fabric board, power supply module, fan module, etc. Common key components of servers that support redundancy: hard disks, power supply modules, fan modules, etc.
b) It shall support backup and recovery of pre-installed software and configuration files. When the recovery function is used, it shall support an integrity check of the pre-installed software and configuration files.
c) It shall support detection of abnormal states and generate the relevant error messages.
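As an added illustration of the recovery-time integrity check in item b) above (example code, not part of the standard): a backup bundle of a constructed firmware image and configuration file is protected by a SHA-256 manifest authenticated with an HMAC under an assumed device-held key, and restore refuses a tampered or forged bundle.

```python
import hashlib
import hmac
import json

# Constructed sample "pre-installed software" image and configuration file,
# standing in for a device's real artefacts.
SAMPLE_FILES = {
    "system.bin": b"\x7fELF-placeholder-firmware-image",
    "startup.cfg": b"hostname edge-router-01\nntp server 192.0.2.10\n",
}
# Assumed device-held integrity key; a real device would keep this in
# protected storage (e.g. a secure element), never in source or in the backup.
INTEGRITY_KEY = b"example-key-do-not-use"


def make_backup(files: dict, key: bytes) -> dict:
    """Bundle the files with a SHA-256 manifest and an HMAC over the manifest."""
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    return {"files": dict(files), "manifest": manifest, "tag": tag}


def verify_backup(backup: dict, key: bytes) -> bool:
    """Recovery-time check: authenticate the manifest, then every file against it."""
    manifest_bytes = json.dumps(backup["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, backup["tag"]):
        return False  # manifest altered, or produced under a different key
    for name, digest in backup["manifest"].items():
        data = backup["files"].get(name)
        if data is None or hashlib.sha256(data).hexdigest() != digest:
            return False  # file missing or modified since the backup was taken
    return set(backup["files"]) == set(backup["manifest"])  # no extra files added


def restore(backup: dict, key: bytes) -> dict:
    """Hand the files back only when the integrity check passes."""
    if not verify_backup(backup, key):
        raise ValueError("backup integrity check failed; refusing to restore")
    return dict(backup["files"])


if __name__ == "__main__":
    good = make_backup(SAMPLE_FILES, INTEGRITY_KEY)
    print("intact backup verifies:", verify_backup(good, INTEGRITY_KEY))
    tampered = make_backup(SAMPLE_FILES, INTEGRITY_KEY)
    tampered["files"]["startup.cfg"] = b"hostname edge-router-01\nntp server 198.51.100.9\n"
    print("tampered backup verifies:", verify_backup(tampered, INTEGRITY_KEY))
```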
5.5 User identification and authentication
The user identification and authentication functions of critical network devices shall meet the following security requirements.
a) Users shall be identified and authenticated. The identification shall be unique.
Note 1: Common methods of identity authentication: passwords, shared keys, digital certificates, biometrics, etc.
b) When password authentication is used, it shall support mandatory modification of the default password, or setting of a password, when the device is managed for the first time, or it shall support a random initial password; it shall support setting the password lifecycle; it shall support the password complexity check function. When the user enters a password, the password shall not be echoed in plaintext.
c) It shall support a password complexity check function. Password complexity checking includes at least one of: password length checking, password character type checking, and checking that the password is independent of the account.
Note 2: Different types of critical network devices have different password complexity requirements and implementation methods. Example of a common password length requirement: the password length is not less than 8 characters. Example of a common password character type requirement: the password contains at least two of the following types: numbers, lowercase letters, uppercase letters, punctuation marks, special symbols. Example of a common requirement that the password be independent of the account: the password does not contain the account name, etc.
d) It shall support enabling security policies, or have security functions, to prevent guessing attacks on user authentication information.
Note 3: Common security policies or security functions to prevent guessing attacks on user authentication information include enabling password complexity checking by default, limiting the number of consecutive failed login attempts, limiting the number of management access connections, and two-factor authentication (such as password + certificate, password + biometric authentication, etc.). When authentication fails, the device gives undifferentiated feedback, avoiding specific messages such as "user name error" or "password error".
e) It shall support enabling security policies, or have security functions, to prevent a user's session from remaining idle for too long after login.
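An added example (not from the standard) of how items c) and d) above could be implemented: the complexity check applies the three checks named in Note 2, using the length and character-type thresholds from its examples, and the authenticator locks an account after an assumed five consecutive failures for an assumed 300 seconds and returns the same reply whether the account is unknown, locked, or the password is wrong.

```python
import hashlib
import hmac
import secrets
import string

# Thresholds from the standard's Note 2 (length >= 8, at least two character
# types, account name not contained); lockout limit and duration are assumptions.
MIN_LENGTH, MIN_CHAR_TYPES = 8, 2
MAX_CONSECUTIVE_FAILURES, LOCKOUT_SECONDS = 5, 300
CHAR_CLASSES = (string.digits, string.ascii_lowercase, string.ascii_uppercase, string.punctuation)

def check_password_complexity(password: str, account: str) -> list:
    """Return the names of the failed checks; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if sum(any(ch in cls for ch in password) for cls in CHAR_CLASSES) < MIN_CHAR_TYPES:
        problems.append("character_types")
    if account and account.lower() in password.lower():
        problems.append("contains_account")
    return problems

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Authenticator:
    def __init__(self):
        self._users = {}     # account -> (salt, derived key)
        self._failures = {}  # account -> (consecutive failures, locked_until)

    def set_password(self, account: str, password: str) -> None:
        problems = check_password_complexity(password, account)
        if problems:
            raise ValueError("password rejected: " + ", ".join(problems))
        salt = secrets.token_bytes(16)
        self._users[account] = (salt, _derive(password, salt))

    def login(self, account: str, password: str, now: float) -> str:
        """Return "ok" or "authentication failed"; never reveal which part was wrong."""
        count, locked_until = self._failures.get(account, (0, 0.0))
        if now < locked_until:
            return "authentication failed"  # locked out: same reply as a bad password
        salt, stored = self._users.get(account, (b"\x00" * 16, None))
        derived = _derive(password, salt)  # unknown accounts pay the same cost
        if stored is not None and hmac.compare_digest(derived, stored):
            self._failures.pop(account, None)
            return "ok"
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_CONSECUTIVE_FAILURES else 0.0
        self._failures[account] = (count, locked_until)
        return "authentication failed"
```

The `now` argument is passed in explicitly so the lockout window can be tested deterministically; a device would pass its clock.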
that affect the security of device operation.
Note 1: Common key user operations include adding/deleting accounts, modifying authentication information, modifying key configuration, uploading/downloading files, user login/logout, modifying user permissions, restarting/shutting down the device, downloading programming logic, modifying operating parameters, etc.
b) It shall provide local storage of log information and support output of log information.
c) The log audit function shall record the necessary log elem...