GB/T 20275-2021 English PDF (GBT20275-2021)
GB/T 20275-2021: Information security technology -- Technical requirements and testing and evaluation approaches for network-based intrusion detection system
NATIONAL STANDARD OF THE
PEOPLE'S REPUBLIC OF CHINA
CCS L 80
Replacing GB/T 20275-2013
Information Security Technology - Technical Requirements
and Testing and Evaluation Approaches for Network-based
Intrusion Detection System
ISSUED ON: OCTOBER 11, 2021
IMPLEMENTED ON: MAY 1, 2022
Issued by: State Administration for Market Regulation;
Standardization Administration of the People's Republic of China.
Table of Contents
Foreword ... 3
1 Scope ... 5
2 Normative References ... 5
3 Terms and Definitions ... 5
4 Abbreviations ... 6
5 Network-based Intrusion Detection System ... 6
6 Security Technology Requirements ... 6
6.1 Classification and Level Division of Requirements ... 6
6.2 Basic-level Security Requirements ... 10
6.3 Enhanced-level Security Requirements ... 19
7 Testing and Evaluation Approaches ... 34
7.1 Test environment ... 34
7.2 Test Tools ... 34
7.3 Basic Level ... 35
7.4 Enhanced Level ... 69
Bibliography ... 120
1 Scope
This document specifies the security technology requirements and the testing and evaluation approaches for network-based intrusion detection systems.
This document is applicable to the design, development, testing and evaluation of network-based intrusion detection systems.
2 Normative References
The contents of the following documents constitute indispensable clauses of this document through the normative references in the text. For dated references, only the version with the specified date applies to this document. For undated references, the latest version (including all amendments) applies to this document.
GB/T 25069 Information Security Techniques - Terminology
3 Terms and Definitions
The terms and definitions given in GB/T 25069, together with the following, apply to this document.
3.1 security incident
Security incident refers to an incident that causes harm to networks and information systems, or the data contained therein.
3.2 alert
Alert refers to a message sent by the network-based intrusion detection system to the authorized administrator when an attack or intrusion occurs.
3.3 supporting system
Supporting system refers to an operating system that supports the operation of the network-based intrusion detection system.
6.2 Basic-level Security Requirements
6.2.1 Security function requirements
6.2.1.1 Data detection function requirements
6.2.1.1.1 Data collection
When the system performs detection and analysis, it shall be able to obtain the data packets in the protected network segment in real time.
6.2.1.1.2 Protocol analysis
The system shall perform protocol analysis on the collected data packets.
6.2.1.1.3 Attack behavior monitoring
The system shall at least monitor the following attack behaviors: port scanning, brute force attack, malicious code attack, denial of service attack, buffer overflow attack and weak vulnerability attack, etc.
6.2.1.1.4 Traffic monitoring
The system shall monitor the message traffic and byte traffic of the entire network or of a specific protocol, address or port.
6.2.1.2 Intrusion analysis function requirements
6.2.1.2.1 Data analysis
The system shall analyze the collected data packets and identify security incidents.
6.2.1.2.2 Incident merging
The system shall be able to merge alarms for the same security incident when it occurs at high frequency, so as to avoid alarm storms. The high-frequency threshold shall be set by the authorized administrator.
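As an added illustration of the incident-merging requirement above (example code written for this page, not part of the standard or of any product), the following alert merger suppresses repeats of one incident once the administrator-set threshold of repeats within a time window is reached, and reports the burst as a single merged alert with a count. The class and method names, the incident key (type, source, destination) and the sample events are all constructed assumptions.

```python
# Added example (not from GB/T 20275-2021): merge high-frequency repeats of one
# security incident into a single alert so a burst does not become an alarm storm.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class IncidentKey:
    incident_type: str
    src: str
    dst: str

@dataclass
class MergedAlert:
    key: IncidentKey
    count: int
    first_seen: float
    last_seen: float

class AlertMerger:
    """`threshold` repeats within `window` seconds is the administrator-set
    high-frequency threshold; below it every incident is alerted individually."""

    def __init__(self, threshold: int, window: float):
        self.threshold, self.window = threshold, window
        self._recent = defaultdict(list)  # key -> timestamps inside the window
        self._merged = {}                 # key -> open MergedAlert (suppressing)

    def observe(self, incident_type, src, dst, ts):
        """Returns ("alert", key) for an individual alert, ("merged_open", key)
        when the threshold is crossed, or ("merged", count) while suppressed."""
        key = IncidentKey(incident_type, src, dst)
        hits = [t for t in self._recent[key] if ts - t <= self.window] + [ts]
        self._recent[key] = hits
        if key in self._merged:            # burst already merged: just count it
            m = self._merged[key]
            m.count, m.last_seen = m.count + 1, ts
            return ("merged", m.count)
        if len(hits) >= self.threshold:    # threshold crossed: open a merged alert
            self._merged[key] = MergedAlert(key, len(hits), hits[0], ts)
            return ("merged_open", key)
        return ("alert", key)

    def flush(self, now):
        """Close merged alerts whose burst ended more than `window` ago."""
        closed = [m for m in self._merged.values() if now - m.last_seen > self.window]
        for m in closed:
            del self._merged[m.key]
            self._recent[m.key] = []
        return closed

# Constructed sample: one isolated scan, then six identical scans in under 2 s.
SAMPLE = [("port_scan", "10.0.0.5", "10.0.0.9", 0.0)] + [
    ("port_scan", "10.0.0.5", "10.0.0.9", 10.0 + i * 0.3) for i in range(6)]

def run_sample(threshold=5, window=5.0):
    merger = AlertMerger(threshold, window)
    results = [merger.observe(*event) for event in SAMPLE]
    return results, merger.flush(now=30.0)
```

With the sample, the isolated scan and the first four repeats are alerted individually, the fifth repeat opens a merged alert, and the sixth is only counted; the closed merged alert carries the total of six.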
6.2.1.3 Intrusion response function requirements
6.2.1.3.1 Customized response
The system shall allow the administrator to customize different response modes for specific destination hosts in the monitored network segment.
6.2.1.3.2 Security alert
When the system detects an intrusion, it shall automatically take the corresponding action to issue a security alert.
6.2.1.3.3 Alert mode
One or more modes, such as real-time on-screen prompts and e-mail alerts, shall be adopted for alerting.
6.2.1.4 Management control function requirements
6.2.1.4.1 Graphic interface
The system shall provide the administrator with a graphical interface for administering and configuring the intrusion detection system. The administrative configuration interface shall contain all the functions needed to configure and administer the system.
6.2.1.4.2 Security incident library
The system's security incident library shall include the definition and analysis of each incident, detailed vulnerability repair schemes and the countermeasures that can be taken.
6.2.1.4.3 Incident level division
The system shall classify incidents according to their severity, so that authorized administrators can pick out hazardous incidents from a large amount of information.
6.2.1.4.4 Policy configuration
The system shall provide a convenient and fast method and means for configuring the policy of the intrusion detection system, shall be equipped with policy templates, and shall support policy import and export.
6.2.1.4.5 Incident library upgrade
The system shall be able to upgrade the incident library.
6.2.1.4.6 System upgrade
The system shall be able to upgrade system programs.
6.2.1.4.7 Hardware failure handling
For hardware products, the administrator shall be notified in time when the hardware fails.
6.2.1.4.8 Port separation
The detectors of the system shall be equipped with separate ports for system administration and for network data monitoring.
6.2.1.4.9 Clock synchronization
The system shall provide a clock synchronization function to ensure time consistency between each component of the system and the clock server.
6.2.1.5 Detection result processing requirements
6.2.1.5.1 Incident record
The system shall save the detected security incidents and record the security incident information.
The security incident information shall at least include: time of occurrence, source address, destination address, incident level, incident type, incident name, incident definition, detailed analysis of the incident process and solution recommendations, etc.
6.2.1.5.2 Incident visualization
The administrator shall be able to view security incidents clearly and in real time through the administration interface.
6.2.1.5.3 Report generation
The system shall be able to generate detailed detection result reports.
6.2.1.5.4 Report review
The system shall provide a function for browsing the detection result reports.
6.2.1.5.5 Report output
The detection result reports shall be exportable in a text format that is easy for the administrator to read, including but not limited to WORD, HTML, PDF, WPS or OFD files.
6.2.1.6 Performance requirements
6.2.1.6.1 False alarm rate
The system shall control the false alarm rate within 15%, without a great impact on the normal application of the system. A system that supports operation in an IPv6 network environment shall satisfy the same indicator for its false alarm rate.
6.2.1.6.2 Missing report rate
The system shall control the missing report rate within 15%, without a great impact on the normal application of the system. A system that supports operation in an IPv6 network environment shall satisfy the same indicator for its missing report rate.
6.2.1.6.3 High traffic background intrusion detection capability
Single-port monitoring traffic: 100 M system ≥ 90 Mbps; Gigabit system ≥ 0.9 Gbps; 10-Gigabit system ≥ 9 Gbps. A system that supports operation in an IPv6 network environment shall satisfy the same indicators for its traffic monitoring capability.
6.2.1.6.4 High concurrent connection background intrusion detection capability
Number of concurrent connections under single-port monitoring: 100 M system ≥ 100,000; Gigabit system ≥ 1 million; 10-Gigabit system ≥ 1.5 million. A system that supports operation in an IPv6 network environment shall satisfy the same indicators for the number of concurrent connections it can monitor.
6.2.1.6.5 High new TCP connection rate background intrusion detection capability
Number of new TCP connections per second: 100 M system single-port monitoring ≥ 60,000; Gigabit system ≥ 100,000; 10-Gigabit system ≥ 150,000. A system that supports operation in an IPv6 network environment shall satisfy the same indicators for the new TCP connection rate it can monitor.
6.2.2 Self-security protection requirements
6.2.2.1 Identity authentication
6.2.2.1.1 Administrator authentication
The system shall authenticate the administrator before the administrator performs any operation related to security functions.
6.2.2.1.2 Authentication information requirements
When password-based authentication information is adopted, the system shall check the complexity of the password set by the administrator, so as to ensure that the administrator password satisfies the complexity requirements. When there is a default password, the system shall prompt the administrator to change it, so as to reduce the risk of the user identity being impersonated. The system shall provide a function for the regular replacement of authentication information: when the usage time of the authentication information reaches the usage-period threshold, the administrator shall be prompted to change it.
6.2.2.1.3 Authentication failure handling
When administrator authentication fails consecutively a specified number of times, the system shall prevent the administrator from making further authentication requests and shall generate an audit event recording the relevant information. The maximum number of failures shall be set only by the administrator.
6.2.2.1.4 Authentication data protection
The system shall protect authentication data from unauthorized access and modification.
6.2.2.1.5 Timeout setting
The system shall require re-authentication when the administrator's login session times out. If there is no operation within the set time period, the session shall be locked or terminated, and identity authentication shall be performed again before the system can be administered. The maximum timeout period shall be set only by authorized administrators.
6.2.2.1.6 Administration address restrictions
The system shall restrict the network addresses from which the administrator can log in.
6.2.2.2 Administrator management
6.2.2.2.1 Identity uniqueness
The system shall ensure that each administrator ID set is globally unique.
6.2.2.2.2 Administrator attribute definition
The system shall keep a security attribute table for each administrator; the attributes shall include the administrator identity, authentication data, authorization information or administration group information, and other security attributes, etc.
6.2.2.2.3 Security behavior management
The system shall be able to restrict the disabling and modification of system functions to authorized administrators only.
6.2.2.3 Security audit
6.2.2.3.1 Audit log generation
The system shall generate audit logs for the following incidents:
a) Login and logout of administrator accounts, system startup, system upgrade, important configuration changes, adding / deleting / modifying administrators, saving / deleting audit logs, etc.;
b) Alerts for the abnormal status of the system and its modules.
Each audit log record shall contain the date, time, user ID, incident description and result. If remote login is adopted, the IP address of the administration host shall also be recorded.
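As an added illustration of the authentication failure handling and audit log generation requirements above (example code written for this page, not part of the standard or of any product), the following authenticator locks an account after an administrator-set number of consecutive failures and writes each login outcome as an audit record carrying the listed fields, adding the management host's IP for remote logins. The class and method names, the in-memory PBKDF2 credential store and the sample user, password and address are constructed assumptions.

```python
# Added example (not from GB/T 20275-2021): lock an administrator account after
# N consecutive failures and write audit records with the fields the standard
# lists (date, time, user ID, description, result, remote management host IP).
# Credential storage is simplified to salted PBKDF2 hashes held in memory.
import hashlib
import hmac
import os
from datetime import datetime, timezone

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AdminAuthenticator:
    def __init__(self, max_failures: int):
        self.max_failures = max_failures  # administrator-set lockout threshold
        self._creds = {}                  # user -> (salt, hash)
        self._failures = {}               # user -> consecutive failure count
        self.locked = set()
        self.audit_log = []               # one dict per audit record

    def add_admin(self, user: str, password: str):
        salt = os.urandom(16)
        self._creds[user] = (salt, _hash(password, salt))

    def _audit(self, user, description, result, remote_ip):
        now = datetime.now(timezone.utc)
        rec = {"date": now.date().isoformat(),
               "time": now.time().isoformat(timespec="seconds"),
               "user_id": user, "description": description, "result": result}
        if remote_ip is not None:  # remote login: record the management host
            rec["remote_ip"] = remote_ip
        self.audit_log.append(rec)

    def login(self, user: str, password: str, remote_ip=None) -> bool:
        if user in self.locked:  # locked: refuse without checking the password
            self._audit(user, "login attempt on locked account", "rejected", remote_ip)
            return False
        cred = self._creds.get(user)
        ok = cred is not None and hmac.compare_digest(_hash(password, cred[0]), cred[1])
        if ok:
            self._failures[user] = 0  # a success resets the consecutive count
            self._audit(user, "administrator login", "success", remote_ip)
            return True
        n = self._failures[user] = self._failures.get(user, 0) + 1
        self._audit(user, f"administrator login (consecutive failure {n})", "failure", remote_ip)
        if n >= self.max_failures:
            self.locked.add(user)
            self._audit(user, "account locked after consecutive failures", "locked", remote_ip)
        return False

def run_sample():
    """Constructed scenario: three bad passwords from 192.0.2.10, then the right one."""
    auth = AdminAuthenticator(max_failures=3)
    auth.add_admin("admin1", "Correct-Horse-9!")
    outcomes = [auth.login("admin1", "wrong", "192.0.2.10") for _ in range(3)]
    outcomes.append(auth.login("admin1", "Correct-Horse-9!", "192.0.2.10"))
    return outcomes, auth.audit_log
```

In the scenario the third failure locks the account, so the subsequent correct password is still rejected and the rejection itself is audited.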
6.2.2.3.2 Audit log comprehensibility
The audit data shall be recorded in a form that administrators can readily comprehend, so as to facilitate analysis of the audit logs.
6.2.2.3.3 Audit log review
The system shall provide authorized administrators with an audit log review function, so that administrators can conveniently review audit results.
6.2.2.3.4 Restricted audit log review
The system shall prohibit access to the audit logs by all users except authorized administrators with explicit access rights.
6.2.2.3.5 Optional audit review
Retrieval or sorting of audit logs according to specified conditions shall be supported.
6.2.2.4 Data security
6.2.2.4.1 Security management
The system shall allow only authorized administrators to access security incident records and audit logs, and shall prohibit other users from operating on them.
6.2.2.4.2 Data storage alert
The system shall automatically generate an alert when the data storage space is about to be exhausted; the amount of remaining storage space that triggers the alert shall be set by the administrator.
6.2.2.4.3 Outgoing data transmission
The system shall support the outgoing transmission of security incident records and audit logs, so as to facilitate their further analysis.
6.2.2.5 Communication security
The system shall ensure that data transmitted among its components (including but not limited to configuration and control information, alert and incident data, etc.) is not leaked.
6.2.2.6 Operation security
The system shall take measures, for example hiding the IP address of the detector, to make itself invisible on the network, so as to reduce the possibility of being attacked.
6.2.2.7 Supporting system security
The supporting system of the system shall:
a) Be tailored as necessary, providing no redundant components or network services;
b) Not lose the security policy or log information during a restart;
c) Contain no already-known medium, high or ultra-critical security vulnerabilities.
6.2.3 Environmental adaptability requirements (if applicable)
6.2.3.1 Support for a pure IPv6 network environment
The system shall support a pure IPv6 network environment: it shall be able to operate normally in a pure IPv6 network environment and detect intrusions on the target network.
6.2.3.2 Self-management in an IPv6 network environment
The system shall support self-management in an IPv6 network environment, so as to realize the management and operation of the product.
6.2.3.3 Dual protocol stack
The system shall support an IPv4 / IPv6 dual-stack network environment: it shall be able to operate normally in an IPv4 / IPv6 dual-stack network environment and detect intrusions on the target network.
6.2.4 Security guarantee requirements
6.2.4.1.1 Security architecture
The developer shall provide a security architecture description of the product's security functions and self-security protection. The security architecture description shall satisfy the following requirements:
a) Be consistent with the level of abstraction at which the security functions and self-security protection are described in the product design documents;
b) Describe the security domains of the product's security functions and self-security protection consistently with the security function and self-security protection requirements;
c) Describe why the initialization process of the product's security functions and self-security protection is secure;
d) Demonstrate that the product's security functions and self-security protection can prevent damage;
e) Demonstrate that the product's security functions and self-security protection can prevent the bypassing of security features.
6.2.4.1.2 Functional specification
The developer shall provide a complete functional specification, which shall satisfy the following requirements:
a) Completely describe the product's security functions and self-security protection;
b) Describe the purpose and usage of all interfaces of the security functions and self-security protection;
c) Identify and describe all parameters related to each interface of the security functions and self-security protection;
d) Describe the security function and self-security protection implementation behaviors related to the interfaces of the security functions and self-security protection;
e) Describe the immediate error messages resulting from the handling of the security function and self-security protection implementation behaviors;
f) Demonstrate the traceability of the security function and self-security protection requirements to the security function and self-security protection interfaces.
6.2.4.1.3 Product design
The developer shall provide product design documents, which shall satisfy the following requirements:
a) Describe the product structure in terms of subsystems;
b) Identify and describe all subsystems of the product's security functions and self-security protection;
c) Describe the interaction among all subsystems of the security functions and self-security protection;
d) Provide a mapping that demonstrates that all the behaviors described in the design can be mapped to the security function and self-security protection interfaces that invoke them.
6.2.4.2 Guidance documents
6.2.4.2.1 Operating user guide
The developer shall provide a clear and reasonable operating user guide. The operating user guide shall be consistent with all other documents provided for evaluation. The description of each user role shall satisfy the following requirements:
a) Describe the functions and privileges accessible to controlled users in the secure processing environment, including appropriate warning messages;
b) Describe how to use the available interfaces provided by the product in a secure manner;
c) Describe the available functions and interfaces, especially all security parameters under the user's control;
d) Clearly describe each type of security-related incident related to the user-accessible functions that need to be performed, including changes to the security features of entities controlled by the security functions and self-security protection;
e) Identify all possible operating states of the product (including failures caused by operation or operational errors), as well as their causal relations and their connection with maintaining secure operation;
f) Thoroughly realize the security policy implemented by the security objectives.
6.2.4.2.2 Preparation procedure
The developer shall provide the product and its preparation procedure. The description of the preparation procedure shall satisfy the following requirements:
a) Describe all steps necessary for securely receiving the delivered product, consistent with the developer's delivery procedure;
b) Describe all steps necessary for securely installing the product and the environment in which it operates.
6.2.4.3 Life cycle support
6.2.4.3.1 Configuration management capabilities
The configuration management capabilities of the developer shall satisfy the following requirements:
a) Provide unique identificati...