GB/T 21028-2007 English PDF (GBT21028-2007)
GB/T 21028-2007: Information security technology -- Security techniques requirement for server
NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
Information Security Technology - Security Techniques Requirements for Server
ISSUED ON: JUNE 29, 2007
IMPLEMENTED ON: DECEMBER 01, 2007
Issued by: General Administration of Quality Supervision, Inspection
Standardization Administration of PRC.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative References
3 Terms, Definitions and Abbreviations
3.1 Terms and definitions
3.2 Abbreviation
4 Requirements for Server Security Function
4.1 Device security
4.1.1 Device label
4.1.2 Support for reliable operation of device
4.1.3 Monitoring the working status of the device
4.1.4 Device electromagnetic protection
4.2 Operation security
4.2.1 Security monitoring
4.2.2 Security audit
4.2.3 Malicious code protection
4.2.4 Backup and fault recovery
4.2.5 Trusted technical support
4.2.6 Trusted timestamp
4.3 Data security
4.3.1 ID authentication
4.3.2 Discretionary access control
4.3.3 Label
4.3.4 Mandatory access control
4.3.5 Data integrity
4.3.6 Data confidentiality
4.3.7 Dataflow control
4.3.8 Trusted path
5 Requirements of Server Security Classification
5.1 Level-1: user discretionary protection level
5.1.1 Security function requirements
5.1.2 Security assurance requirements
5.2 Level-2: system audit protection level
5.2.1 Security function requirements
5.2.2 Security assurance requirements
5.3 Level-3: security label protection level
5.3.1 Security function requirements
5.3.2 Security assurance requirements
5.4 Level-4: structured protection level
5.4.1 Security function requirements
5.4.2 Security assurance requirements
5.5 Level-5: access verification protection level
5.5.1 Security function requirements
5.5.2 Security assurance requirements
Appendix A (Informative) Relevant Concept Explanation
A.1 Composition and interrelationship
A.2 Special requirements for server security
A.3 Further explanation of subject and object
A.4 SSOS, SSF, SSP, SFP, and their relationships
A.5 Explanation on cryptographic technique
A.6 Explanation on electromagnetic protection
Bibliography
Information Security Technology - Security Techniques Requirements for Server
1 Scope
This Standard specifies, on the basis of the five security protection levels defined in GB 17859-1999, the security technical requirements for servers and the different security technical requirements that apply at each security protection level. This Standard is applicable to the design, implementation, purchase and use of servers classified according to the five security protection levels specified in GB 17859-1999. The testing and management of server security according to those five security protection levels may also refer to this Standard.
2 Normative References
The provisions of the following documents become provisions of this Standard through reference in this Standard. For dated references, subsequent amendments (excluding corrigenda) or revisions do not apply to this Standard; however, parties who reach an agreement based on this Standard are encouraged to study whether the latest versions of these documents are applicable. For undated references, the latest edition of the referenced document applies.
GB 17859-1999 Classified Criteria for Security Protection of Computer Information System
GB/T 20271-2006 Information Security Technology - Common Security Techniques Requirement for Information System
GB/T 20272-2006 Information Security Technology - Security Techniques Requirement for Operating System
GB/T 20273-2006 Information Security Technology - Security Techniques Requirement for Database Management System
GB/T 20520-2006 Information Security Technology - Public Key Infrastructure - Time Stamp Specification
use, etc.; and provide monitoring data analysis functions, if necessary.
Network security monitoring
The server shall monitor the incoming and outgoing network data flow in real time at its network interface unit. According to the requirements of the different security levels for network security monitoring, the network security monitoring shall:
a) Not depend on the server operating system, and not become unavailable because of a non-power-off failure of the server;
b) Inspect the incoming and outgoing network data flow according to the established security policies and rules;
c) Support user-defined security policies and rules for network security monitoring;
d) Have the function of monitoring and classifying network application behaviour, and be able to raise alarms and interrupt traffic according to the security policies;
e) Provide centralized management functions in order to receive the security policies and rules issued by the network security monitoring centralized management platform, and provide an audit data source to that platform.
4.2.2 Security audit
Response of security audit
The security audit SSF shall respond to audit events as follows:
a) Audit log recording: when a security intrusion event is detected, the audit data shall be recorded in the audit log;
b) Real-time alarm generation: when a security intrusion event is detected, real-time alarm information shall be generated, and an alarm raised selectively according to the setting of the alarm switch;
c) Termination of the offending process: when a security intrusion event is detected, the offending process shall be terminated;
d) Service cancellation: when a security intrusion event is detected, the current service shall be cancelled;
e) User account disconnection and invalidation: when a security intrusion event is detected, the current user account shall be disconnected and invalidated.
current activities and the established usage model. When the user's challenge level exceeds the threshold condition, it can indicate that a threat to security is about to occur.
c) Simple attack detection: detect the occurrence of signature events that pose a significant threat to the enforcement of the SSF. The SSF shall maintain an internal representation of the signature events that indicate an intrusion of the SSF; compare the detected system behaviour records with the signature events, and when a match is found between the two, an attack on the SSF is imminent.
d) Complex attack detection: on the basis of simple attack detection, detect multi-step intrusions: simulate a complete intrusion scenario on the basis of a known sequence of events, and point out a signature event or event sequence that indicates a potential intrusion of the SSF.
Security audit review
According to the requirements of the different security levels for security audit review, security audit review is divided into:
a) Basic audit review: provide the ability to read information from audit records, namely, provide the ability for an authorized user to obtain and interpret the audit information. When the user is a person, the information must be expressed in a human-readable manner; when the user is an external IT entity, the audit information must be expressed electronically and without ambiguity.
b) Limited audit review: on the basis of basic audit review, users without the read access right shall be prohibited from reading audit information.
c) Optional audit review: on the basis of limited audit review, provide the function of selecting the audit data to be reviewed according to criteria, and the ability to search, classify and sort audit data according to some logical relationship.
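The three review grades above, together with the event-selection attributes listed under "Selection of security audit event" (object ID, user ID, subject ID, host ID, event type), as an added example; this is illustrative code written for this page, not part of GB/T 21028-2007 or of any product the standard covers. A reviewer without the audit-read right is refused (limited review), an authorised reviewer can select, search and sort records by criteria (optional review), and records are rendered as unambiguous human-readable lines (basic review). The record layout, the policy, the names and the sample events are all constructed.

```python
"""Audit event selection and access-controlled audit review (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional, Set


@dataclass(frozen=True)
class AuditRecord:
    ts: int            # constructed timestamp (seconds)
    event_type: str    # e.g. "login_fail", "file_read"
    user_id: str
    subject_id: str    # process acting on the user's behalf
    object_id: str
    host_id: str
    outcome: str       # "success" or "failure"


@dataclass
class SelectionPolicy:
    """Attribute sets that make an event auditable; an empty set matches any value."""
    event_types: Set[str] = field(default_factory=set)
    user_ids: Set[str] = field(default_factory=set)
    subject_ids: Set[str] = field(default_factory=set)
    object_ids: Set[str] = field(default_factory=set)
    host_ids: Set[str] = field(default_factory=set)

    def selects(self, rec: AuditRecord) -> bool:
        checks = (
            (self.event_types, rec.event_type),
            (self.user_ids, rec.user_id),
            (self.subject_ids, rec.subject_id),
            (self.object_ids, rec.object_id),
            (self.host_ids, rec.host_id),
        )
        return all(not allowed or value in allowed for allowed, value in checks)


class AuditStore:
    def __init__(self, policy: SelectionPolicy, readers: Iterable[str]):
        self._policy = policy
        self._readers = set(readers)   # users holding the audit-read right
        self._records: List[AuditRecord] = []

    def record(self, rec: AuditRecord) -> bool:
        """Store the event only if the selection policy makes it auditable."""
        if not self._policy.selects(rec):
            return False
        self._records.append(rec)
        return True

    def review(self, reviewer: str,
               criteria: Optional[Callable[[AuditRecord], bool]] = None,
               sort_key: Optional[Callable[[AuditRecord], object]] = None,
               reverse: bool = False) -> List[AuditRecord]:
        """Limited review: refuse readers without the right. Optional review: filter and sort."""
        if reviewer not in self._readers:
            raise PermissionError(f"{reviewer} lacks the audit-read right")
        rows = [r for r in self._records if criteria is None or criteria(r)]
        if sort_key is not None:
            rows.sort(key=sort_key, reverse=reverse)
        return rows

    def render(self, reviewer: str, **kwargs) -> List[str]:
        """Basic review for a human reader: one unambiguous line per record."""
        return [f"{r.ts} host={r.host_id} type={r.event_type} user={r.user_id} "
                f"subject={r.subject_id} object={r.object_id} outcome={r.outcome}"
                for r in self.review(reviewer, **kwargs)]


# Constructed sample events; the policy below audits only login failures and file reads on srv01.
SAMPLE_EVENTS = [
    AuditRecord(100, "login_fail", "alice", "p1", "/login", "srv01", "failure"),
    AuditRecord(105, "file_read", "bob", "p2", "/etc/shadow", "srv01", "failure"),
    AuditRecord(110, "file_read", "alice", "p3", "/var/log/app.log", "srv02", "success"),
    AuditRecord(120, "login_ok", "alice", "p4", "/login", "srv01", "success"),
    AuditRecord(90, "login_fail", "bob", "p5", "/login", "srv01", "failure"),
]


def build_store() -> AuditStore:
    policy = SelectionPolicy(event_types={"login_fail", "file_read"}, host_ids={"srv01"})
    store = AuditStore(policy, readers={"auditor"})
    for ev in SAMPLE_EVENTS:
        store.record(ev)
    return store


if __name__ == "__main__":
    store = build_store()
    for line in store.render("auditor", criteria=lambda r: r.event_type == "login_fail",
                             sort_key=lambda r: r.ts):
        print(line)
```

Of the five sample events only three are auditable under the policy; the review call in the usage block then narrows those to the two login failures and orders them by time. The read right is checked before any filtering so that a refused reviewer learns nothing, not even whether matching records exist.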
Selection of security audit event
Auditable events shall be selected according to the following attributes:
a) Object ID, user ID, subject ID, host ID, and event type;
b) Additional attributes that serve as the basis for audit selectivity.
Storage of security audit event
According to the requirements of the different security levels for security audit event storage, the storage of security audit events is divided into:
b) Incremental information backup and recovery: provide the function of regularly backing up newly added information in the operating system, database system and application system; when some information in the system is lost or destroyed for any reason, provide the user with the function of recovering that information from the data retained by the incremental backup;
c) Local system backup and recovery: provide the function of regularly backing up the operating status of important local subsystems in the operating system, database system and application system; when a local subsystem fails for any reason, provide the user with the function of recovering it from the operating status retained by the local system backup;
d) System-wide backup and recovery: provide the function of backing up the system-wide operating status of important servers; when a system-wide failure of a server occurs for any reason, provide the user with support for system-wide recovery from the operating status retained by the system-wide backup;
e) Tightly coupled cluster structure: key servers shall adopt a multi-server tightly coupled cluster structure, to ensure that when one of the servers fails and stops operating, the business application system continues to run uninterrupted on the remaining servers;
f) Remote backup and recovery: for key servers, set up remote backup and recovery functions according to the business continuity requirements, to ensure that when the server is interrupted by a catastrophic failure, the business application system can resume operation within the required time.
4.2.5 Trusted technical support
A cryptography-based trusted technical support module shall be set up on the server in order to establish a trust chain on the server from system booting and loading through to the application services. This ensures the authenticity of the various running programs, and supports security functions such as data confidentiality and integrity protection using cryptographic mechanisms, authentication of server user IDs, and authentication of connected devices.
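The trust chain from booting through to application services, as an added example written for this page (not code from the standard or from any vendor's support module). Each stage measures (hashes) the image of the next stage before transferring control and folds the measurement into an accumulator the way a TPM platform configuration register is extended, accum = SHA-256(accum || SHA-256(image)). A verifier that holds the accumulator recorded at provisioning can tell whether every stage ran unmodified and in the expected order, and the per-stage event log shows where a chain first diverged. The stage names and the byte strings standing in for firmware, boot loader, kernel and service images are constructed.

```python
"""Boot-time chain of trust as a measured hash chain (added example)."""
import hashlib
import hmac
from typing import List, Sequence, Tuple

Stage = Tuple[str, bytes]          # (stage name, image bytes)
INITIAL = bytes(32)                # accumulator starts at all zeros, like a reset PCR


def measure(image: bytes) -> bytes:
    """Measurement of one stage image."""
    return hashlib.sha256(image).digest()


def extend(accum: bytes, digest: bytes) -> bytes:
    """PCR-style extend: the new value depends on the old value and the measurement."""
    return hashlib.sha256(accum + digest).digest()


def run_chain(stages: Sequence[Stage]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Walk the boot chain, returning the final accumulator and a per-stage event log."""
    accum = INITIAL
    log: List[Tuple[str, str]] = []
    for name, image in stages:
        digest = measure(image)        # measure before control is transferred
        log.append((name, digest.hex()))
        accum = extend(accum, digest)
    return accum, log


def verify(accum: bytes, reference: bytes) -> bool:
    """Constant-time comparison against the provisioned reference value."""
    return hmac.compare_digest(accum, reference)


def first_divergence(log: Sequence[Tuple[str, str]],
                     ref_log: Sequence[Tuple[str, str]]) -> str:
    """Name of the first stage whose measurement differs from the reference, '' if none."""
    for (name, digest), (_, ref_digest) in zip(log, ref_log):
        if digest != ref_digest:
            return name
    return "" if len(log) == len(ref_log) else "<stage count differs>"


# Constructed stage images; in a real system these are the firmware, loader, kernel and
# service binaries, and REFERENCE is computed once at provisioning and stored securely.
GOLDEN_STAGES: List[Stage] = [
    ("firmware", b"firmware image v1"),
    ("bootloader", b"boot loader image v1"),
    ("kernel", b"kernel image v1"),
    ("app_service", b"application service v1"),
]
REFERENCE, REFERENCE_LOG = run_chain(GOLDEN_STAGES)


def check_boot(stages: Sequence[Stage]) -> Tuple[bool, str]:
    """Return (chain matches reference, name of first diverging stage or '')."""
    accum, log = run_chain(stages)
    return verify(accum, REFERENCE), first_divergence(log, REFERENCE_LOG)


if __name__ == "__main__":
    tampered = list(GOLDEN_STAGES)
    tampered[2] = ("kernel", b"kernel image v1 with an extra module")
    print("golden:", check_boot(GOLDEN_STAGES))
    print("tampered:", check_boot(tampered))
```

Because every extend step hashes the previous accumulator, the final value depends on both the content and the order of the stages: swapping two unmodified stages yields a different accumulator just as a modified image does, which is why the log, not only the final value, is needed to localise the problem.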
4.2.6 Trusted timestamp
The server shall provide a reliable clock and clock synchronization system for its operation; and provide a trusted timestamp service according to the requirement of GB/T 20520-2006.
classification are the basis for implementing a multilevel security model.
Output of label
When data is output from inside the SSC to outside its control scope, the sensitive labels of the data may be retained or not retained as required. According to the requirements of the different security levels for label output, label output is divided into:
a) Output of user data without sensitive label: when outputting user data outside the SSC under the control of the SFP, no sensitive label shall be associated with the data;
b) Output of user data with sensitive label: when outputting user data outside the SSC under the control of the SFP, a sensitive label shall be associated with the data, and it shall be ensured that the sensitive label stays associated with the output data.
Input of label
When data is input from outside the SSF's control scope into it, a corresponding sensitive label shall exist so that the input data can be protected. According to the requirements of the different security levels for label input, label input is divided into:
a) Input of user data without sensitive label: the SSF shall:
--- When inputting user data from outside the SSC under the control of the SFP, perform the access control of the SFP;
--- Omit any sensitive labels related to data input from outside the SSC;
--- Implement additional input control rules and set a sensitive label for the input data.
b) Input of user data with sensitive label: the SSF shall:
--- When inputting user data from outside the SSC under the control of the SFP, perform the access control of the SFP;
--- Use the sensitive label related to the input data;
--- Provide the exact link between the sensitive label and the received user data;
--- Ensure that the interpretation of the sensitive label of the input user data is consistent with the interpretation of the original sensitive label.
For user data transmitted between different SSFs or between users on different SSFs, perform confidentiality protection at a level appropriate to the confidentiality requirements of each data type, ensuring the data is not leaked or stolen during transmission.
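Label output and input, together with the dataflow control rule of 4.3.7 (no data of a higher security level may flow into a lower-level area), as an added example written for this page, not code from the standard or from any product. A label is a hierarchical level plus a set of categories, and label A dominates label B when A's level is at least B's and A's categories include B's. `export_data()` implements the two output modes (label stripped or label attached) and refuses output to an area whose label does not dominate the data's; `import_data()` implements the two input modes: an unlabelled message receives a label from the input rule, and a labelled message keeps its label only if every term is in the local vocabulary, so the local interpretation matches the origin's, and only if the importing subject's clearance dominates it. The level vocabulary, the category names and the messages are constructed.

```python
"""Sensitivity labels on data crossing the SSC boundary (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet

LEVELS: Dict[str, int] = {"public": 0, "internal": 1, "secret": 2}   # constructed vocabulary
CATEGORIES: FrozenSet[str] = frozenset({"finance", "hr"})             # constructed vocabulary


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order used for both the flow check and the clearance check."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

    def to_wire(self) -> dict:
        return {"level": self.level, "categories": sorted(self.categories)}

    @classmethod
    def from_wire(cls, raw: dict) -> "Label":
        """Accept a received label only if its terms exist locally (consistent interpretation)."""
        level = raw["level"]
        cats = frozenset(raw.get("categories", []))
        if level not in LEVELS or not cats <= CATEGORIES:
            raise ValueError(f"label {raw} uses terms outside the local label vocabulary")
        return cls(level, cats)


@dataclass(frozen=True)
class LabelledData:
    payload: bytes
    label: Label


def export_data(item: LabelledData, area: Label, with_label: bool) -> dict:
    """Output across the SSC boundary; flows to an area that does not dominate the data are refused."""
    if not area.dominates(item.label):
        raise PermissionError(f"flow of {item.label} data to {area} area refused")
    msg = {"payload": item.payload.hex()}
    if with_label:
        msg["label"] = item.label.to_wire()    # label travels bound to the data
    return msg


def import_data(msg: dict, subject: Label, default_label: Label) -> LabelledData:
    """Input across the SSC boundary; the importing subject must be cleared for the label."""
    if "label" in msg:
        label = Label.from_wire(msg["label"])  # labelled input: use the carried label
    else:
        label = default_label                  # unlabelled input: apply the input rule
    if not subject.dominates(label):
        raise PermissionError(f"subject {subject} is not cleared to import {label} data")
    return LabelledData(bytes.fromhex(msg["payload"]), label)


if __name__ == "__main__":
    report = LabelledData(b"q3", Label("secret", frozenset({"finance"})))
    print(export_data(report, Label("secret", CATEGORIES), with_label=True))
    try:
        export_data(report, Label("internal"), with_label=False)
    except PermissionError as exc:
        print("refused:", exc)
```

The same dominance relation serves both directions: on output it decides whether the destination area may receive the data, on input it decides whether the subject may introduce data at that label. Treating an unknown level or category as an error rather than mapping it to a default is what keeps the interpretation of an imported label consistent with the exporter's.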
Security reuse of object
In a system that dynamically manages resources, the information remaining in object resources (recording media such as registers, memory and disks) shall not cause information leakage. According to the requirements of the different security levels for user data confidentiality protection, security reuse of objects includes:
a) Subset information protection: the object resources of a certain subset within the scope of SSOS security control, when released and reassigned to a certain user or to a process running on behalf of that user, shall not leak the original information of the object;
b) Complete information protection: all object resources within the scope of SSOS security control, when released and reassigned to a certain user or to a process running on behalf of that user, shall not leak the original information of the object;
c) Special information protection: on the basis of complete information protection, for certain information that requires special protection, special methods shall be used to completely remove the residual information in the object resources, such as the removal of residual magnetism.
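Object reuse as an added example written for this page (not code from the standard or from any operating system). A pool hands out fixed-size buffers standing in for memory pages or disk blocks; on release the pool scrubs the buffer and verifies the scrub before the buffer can be reassigned, which is the "complete information protection" case, and with more than one pass it first writes alternating patterns, standing in for the "special information protection" case. Running the experiment with scrubbing disabled shows the residual data the next user would otherwise read. Buffer size, owner names and contents are constructed.

```python
"""Object reuse protection in a buffer pool (added example)."""
from typing import Dict, List


def scrub(buf: bytearray, passes: int = 1) -> None:
    """Overwrite buf in place; earlier passes write a pattern, the last pass writes zeros."""
    for i in range(passes - 1):
        fill = 0xFF if i % 2 == 0 else 0x55
        buf[:] = bytes([fill]) * len(buf)
    buf[:] = bytes(len(buf))
    if any(buf):                       # verify the scrub before the buffer may be reused
        raise RuntimeError("scrub verification failed")


class BufferPool:
    def __init__(self, count: int, size: int,
                 scrub_on_release: bool = True, passes: int = 1):
        self._free: List[bytearray] = [bytearray(size) for _ in range(count)]
        self._owner: Dict[int, str] = {}      # id(buffer) -> owning user
        self._scrub = scrub_on_release
        self._passes = passes

    def allocate(self, user: str) -> bytearray:
        if not self._free:
            raise MemoryError("pool exhausted")
        buf = self._free.pop()
        self._owner[id(buf)] = user
        return buf

    def release(self, buf: bytearray, user: str) -> None:
        if self._owner.get(id(buf)) != user:
            raise PermissionError("buffer is not owned by the releasing user")
        del self._owner[id(buf)]
        if self._scrub:
            scrub(buf, self._passes)   # residual information removed before reassignment
        self._free.append(buf)


def reuse_experiment(scrub_on_release: bool, passes: int = 1) -> bytes:
    """alice writes into a buffer and releases it; bob is given the same buffer.

    Returns what bob sees on allocation."""
    pool = BufferPool(count=1, size=16, scrub_on_release=scrub_on_release, passes=passes)
    buf = pool.allocate("alice")
    buf[:6] = b"secret"                # constructed sensitive content
    pool.release(buf, "alice")
    return bytes(pool.allocate("bob"))


if __name__ == "__main__":
    print("without scrub:", reuse_experiment(False))
    print("with scrub:   ", reuse_experiment(True))
    print("three passes: ", reuse_experiment(True, passes=3))
```

Scrubbing at release time rather than at allocation time is the safer order: a buffer that sits on the free list already holds nothing, so a later bug in the allocation path cannot expose the previous owner's data.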
4.3.7 Dataflow control
In a server that implements data movement in a dataflow manner, a dataflow control mechanism shall be used to achieve security control of the data flow, and to prevent data of a higher security level from flowing into lower-level areas.
4.3.8 Trusted path
The trusted path between the user and the SSF shall:
a) Provide true endpoint identification, and protect the communicated data from modification and leakage;
b) Allow the trusted path communication to be initiated by the SSF itself, by a local user or by a remote user;
c) Be used for the initial identification of the user, and for any other service that requires a trusted path.
According to the requirements in 5.1.1 of GB/T 20273-2006, design, implement and purchase the database management system required by the server at the user discretionary protection level from the following aspects:
a) ID authentication: according to the description in 4.3.1, ensure the uniqueness and authenticity of the ID of each user logged in to the database;
b) Discretionary access control: according to the description in 4.3.2, control access to the database management system; allow legitimate operations and deny illegal operations;
c) Data integrity: according to the description in 4.3.5, provide functions that ensure the integrity of the user data transmitted within the database management system.
Application system
ID authentication
According to the description in 4.3.1, and as per the corresponding requirements in GB/T 20271-2006, design and implement the ID authentication function of the application system from the following aspects:
a) ID identification: any user who needs to enter the application system shall be identified (an account created); the application system generally identifies a user by a user name or user identifier (UID);
b) ID authentication: use a password for authentication; perform authentication every time a user logs in to the application system; the password shall be invisible when entered and securely protected when stored; for the users registered in the application system, associate each user with the subject that acts on its behalf through the user-subject binding function.
Discretionary access control
According to the description in 4.3.2, and as per the corresponding requirements in GB/T 20271-2006, design and implement the discretionary access control function of the application system from the following aspects:
a) Allow named users to control the sharing of objects by users and/or user groups, and prevent unauthorized users from sharing objects;
b) The granularity of discretionary access control is coarse-grained.
Data integrity
b) Distribution and operation: according to the corresponding requirements in GB/T 20271-2006, achieve the distribution and operation of the server at the user discretionary protection level;
c) Development: according to the corresponding requirements in GB/T 20271-2006, achieve the development of the server at the user discretionary protection level;
d) Guidance documents: according to the corresponding requirements in GB/T 20271-2006, provide the guidance documents for the server at the user discretionary protection level;
e) Life cycle support: according to the corresponding requirements in GB/T 20271-2006, achieve the life cycle support of the server at the user discretionary protection level;
f) Test: according to the corresponding requirements in GB/T 20271-2006, achieve the testing of the server at the user discretionary protection level.
SSOS security management
According to the requirements of 6.1.6 of GB/T 20271-2006, achieve the SSOS security management of the server at the user discretionary protection level.
5.2 Level-2: system audit protection level
5.2.1 Security function requirements
Hardware system
Device label
According to the requirements for device labels and component labels in 4.1.1, design and implement the security function of server device labels, and take protective measures for the labels (such as stamping the official seal).
Support for reliable operation of device
According to the requirements for basic operation support and security availability support in 4.1.2, design and implement the security function that supports reliable operation of the server device. The minimum configuration of the server hardware shall meet the requirements of the software system's operation; the key components (including hard disk, motherboard, memory, processor, network card, etc.) shall be matched with their labels, secured, and protected against replacement and removal; the chassis panel shall be protected, for instance with a lock.
Electromagnetic protection of device
According to the requirements of host software protection in 4.2.3, design and achieve the malicious c...