GB/T 20280-2006 English PDF (GBT20280-2006)
GB/T 20280-2006: Information security technology -- Testing and evaluation approaches for network vulnerability scanners
This Standard specifies the testing and evaluation approaches for network vulnerability scanners that adopt Transmission Control Protocol and Internet Protocol (TCP/IP).
GB/T 20280-2006
NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Information Security Technology - Testing and Evaluation Approaches for Network Vulnerability Scanners
ISSUED ON: May 31, 2006
IMPLEMENTED ON: December 1, 2006
Issued by: General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China; Standardization Administration of the People's Republic of China.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative References
3 Terms and Definitions
4 Stipulation of Symbols, Abbreviations and Notation
4.1 Symbols and Abbreviations
4.2 Stipulation of Notation
5 Overview of Network Vulnerability Scanners
6 Testing Environment
7 Testing and Evaluation Approaches and Procedure
7.1 Basic-type
7.1.1 Basic function
7.1.3 Security assurance requirements
7.2 Enhanced-type
7.2.1 Basic function and performance
7.2.2 Enhancement function
7.2.3 Security assurance requirements
Appendix A (Normative) Testing Evidence Provided by Product Manufacturer to Testing Organization
A.1 Basic-type
A.2 Enhanced-type
Bibliography
Figure 1 Test Environment Topological Graph for Network Vulnerability Scanners
Table 1 Environment Specification
Foreword
Appendix A of this Standard is normative.
This Standard was proposed by, and is under the jurisdiction of, the National Technical Committee on Information Security of the Standardization Administration of China.
This Standard was drafted by Beijing Netpower Technology Ltd. and the Network Security Bureau of the Ministry of Public Security.
Chief drafters of this Standard: Xiao Jiang, Lu Yi, Yang Wei, Liu Wei, Liu Bing and Ding Yuzheng.
Introduction
This Standard specifies testing and evaluation approaches for network vulnerability scanners, including the testing and evaluation content, the functional objectives of testing and evaluation, and the testing environment for network vulnerability scanners; it gives the specific objectives that products must reach for basic functions, enhanced functions and security assurance requirements.
This Standard is intended to provide technical support and guidance for the development, production and certification of network vulnerability scanners.
When evaluation activities in conformity with this Standard are carried out correctly, their results are verifiable; the products under test can inspect networks for vulnerabilities and put forward suggestions for remedying the potential security hazards discovered, so that product quality can be improved.
Information Security Technology - Testing and Evaluation Approaches for Network Vulnerability Scanners
1 Scope
This Standard specifies the testing and evaluation approaches for network vulnerability scanners that adopt the Transmission Control Protocol and Internet Protocol (TCP/IP).
This Standard is applicable to the testing and evaluation, R&D and application of security products that perform manual or automatic network vulnerability scans of computer information systems.
This Standard is not applicable to products specialized for vulnerability scanning of database systems.
2 Normative References
The following standards contain provisions which, through reference in this text, constitute provisions of this Standard. For dated references, subsequent amendments to (excluding corrigenda), or revisions of, these publications do not apply; however, parties to agreements based on this Standard are encouraged to investigate whether the latest editions of these documents can be used. For undated references, the latest edition applies.
GB/T 5271.8-2001 Information Technology - Vocabulary - Part 8: Security (idt ISO/IEC 2382-8:1998)
GB/T 20278-2006 Information Security Technology - Technique Requirements for Network Vulnerability Scanners
3 Terms and Definitions
For the purposes of this Standard, the terms and definitions established in GB/T 5271.8-2001 and GB/T 20278-2006 apply.
4 Stipulation of Symbols, Abbreviations and Notation
4.1 Symbols and Abbreviations
CGI Common Gateway Interface
CVE Common Vulnerabilities and Exposures
DNS Domain Name System
DOS Denial of Service
FTP File Transfer Protocol
IDS Intrusion Detection System
IP Internet Protocol
NETBIOS Network Basic Input Output System
NFS Network File System
POP Post Office Protocol
RPC Remote Procedure Call
SMB Server Message Block Protocol
SNMP Simple Network Management Protocol
TCP Transmission Control Protocol
UDP User Datagram Protocol
4.2 Stipulation of Notation
a) Selection: used to emphasize one or more options in the statement of a functional requirement; represented by underlined italics.
b) Note: this Standard discusses the testing and evaluation of network vulnerability scanners by product class. Unless otherwise stated, the provisions in this Standard are the requirements for basic-type products. The testing and evaluation items, testing content and testing and evaluation results for enhanced-type products are represented in italics.
The scanned hosts shall run at least the following services: HTTP, FTP, POP3, SMTP, SQL Server and Oracle; UNIX and Linux servers shall also run the NFS service. The servers shall run common Trojan programs.
The servers shall also run other services with vulnerabilities; services whose vulnerabilities are relatively common and cause relatively serious harm shall be selected.
7 Testing and Evaluation Approaches and Procedure
7.1 Basic-type
7.1.1 Basic function
7.1.1.1 Requirements for self-security
7.1.1.1.1 Identity authentication
a) Evaluation contents: refer to 7.2.1 of GB/T 20278-2006.
b) Testing and evaluation approaches:
1) According to the version release statement, administrator manual, installation and management documents, etc. of the network vulnerability scanners, start network vulnerability scanners A and B in Figure 1;
2) Log in to network vulnerability scanners A and B in Figure 1 as an authorized administrator, and perform operations such as creating an ordinary administrator.
c) Testing and evaluation result: record the test result and judge whether it conforms to the requirements of the evaluation content.
7.1.1.1.2 Application limit
a) Evaluation contents: refer to 7.2.2 of GB/T 20278-2006.
b) Testing and evaluation approaches: according to the version release statement, user manual, high-level design document, testing document, etc. of the network vulnerability scanners, start network vulnerability scanners A and B in Figure 1 and perform operations such as management configuration and starting a scan;
c) Testing and evaluation result: record the test result and judge whether it conforms to the requirements of the evaluation content, e.g. whether the network vulnerability scanner can limit the specific IP addresses it is permitted to scan.
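The "application limit" control that 7.1.1.1.2 evaluates, the scanner's ability to restrict which IP addresses it will scan, can be demonstrated by a target-authorization gate that runs before any packet is sent. The following is an added example written for this page; it is not code from the standard, from GB/T 20278-2006 or from any scanner product. It assumes a policy expressed as a list of CIDR ranges, target specifications given as single addresses, CIDR blocks or first-last ranges, and the function names shown; all sample inputs are constructed.

```python
"""Scan-target authorization gate (added example, not part of GB/T 20280-2006).

Illustrates the "application limit" property examined in 7.1.1.1.2: the scanner
must refuse targets outside the ranges an administrator has authorized. The
policy format (a list of CIDR ranges), the accepted target-spec forms and the
function names are assumptions made for this example.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample policy: the ranges an administrator has authorized.
SAMPLE_POLICY = ["192.168.10.0/24", "10.1.0.0/16", "2001:db8:1::/48"]

# Constructed sample scan request mixing allowed and disallowed targets.
SAMPLE_REQUEST = [
    "192.168.10.17",                # single host inside an allowed range
    "192.168.10.0/24",              # whole allowed block
    "10.1.250.1-10.1.250.20",       # first-last range inside 10.1.0.0/16
    "2001:db8:1::10",               # IPv6 host inside the allowed /48
    "192.168.10.200-192.168.11.5",  # range that spills into 192.168.11.0/24
    "0.0.0.0/0",                    # "scan everything"
    "2001:db8:2::/64",              # IPv6 block outside the policy
    "db-host.example",              # hostname: cannot be authorized as-is
]


def load_policy(allowed_ranges: Iterable[str]) -> list:
    """Parse the configured scannable ranges. strict=False lets an entry such
    as '10.1.0.7/16' stand for the whole /16 it belongs to."""
    return [ipaddress.ip_network(r, strict=False) for r in allowed_ranges]


def parse_target(spec: str) -> list:
    """Expand one target spec (address, CIDR block or 'first-last' range) into
    a list of network objects. Hostnames raise ValueError: a name cannot be
    authorized until it is resolved, and resolving it here would already touch
    the network before the policy check has run."""
    spec = spec.strip()
    if "-" in spec:
        first_s, last_s = spec.split("-", 1)
        first = ipaddress.ip_address(first_s.strip())
        last = ipaddress.ip_address(last_s.strip())
        if first.version != last.version or first > last:
            raise ValueError(f"malformed range: {spec}")
        return list(ipaddress.summarize_address_range(first, last))
    # ip_network accepts both 'a.b.c.d' (as a /32) and 'a.b.c.d/n'.
    return [ipaddress.ip_network(spec, strict=False)]


def is_authorized(net, policy: list) -> bool:
    """True only if the entire block lies inside one allowed range (fail closed)."""
    return any(net.version == allowed.version and net.subnet_of(allowed)
               for allowed in policy)


def authorize_targets(specs: Iterable[str],
                      policy: list) -> Tuple[List[str], Dict[str, str]]:
    """Split requested specs into those the scanner may scan and those it must
    refuse, with a reason per refusal. A spec that is only partly inside the
    policy is refused as a whole rather than silently trimmed, so the operator
    sees exactly what was denied."""
    accepted: List[str] = []
    refused: Dict[str, str] = {}
    for spec in specs:
        try:
            nets = parse_target(spec)
        except ValueError as exc:
            refused[spec] = f"not an IP address or range ({exc})"
            continue
        outside = [str(n) for n in nets if not is_authorized(n, policy)]
        if outside:
            refused[spec] = "outside scannable ranges: " + ", ".join(outside)
        else:
            accepted.append(spec)
    return accepted, refused


if __name__ == "__main__":
    ok, denied = authorize_targets(SAMPLE_REQUEST, load_policy(SAMPLE_POLICY))
    print("accepted:", ok)
    for spec, reason in denied.items():
        print(f"refused {spec}: {reason}")
```

Run against the constructed request, the gate accepts the first four specifications and refuses the last four, naming the sub-blocks that fall outside the policy. An evaluator applying 7.1.1.1.2 would expect the product's management interface to behave the same way: a range that crosses the authorized boundary is rejected outright, and a hostname is only scannable once its resolved addresses have themselves passed the check.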
7.1.1.1.3 Sensitive information protection
a) Evaluation contents: refer to 7.2.3 of GB/T 20278-2006.
b) Testing and evaluation approaches: according to the version release statement, user manual, high-level design document, testing document, etc. of the network vulnerability scanners, start network vulnerability scanners A and B in Figure 1 and perform operations such as management configuration and starting a scan;
c) Testing and evaluation result: record the test result and judge whether it conforms to the requirements of the evaluation content, e.g. whether policy information is encrypted and whether exposure of sensitive information is avoided.
7.1...