GB/T 28451-2012 English PDF (GBT28451-2012)


GB/T 28451-2012: Information security technology -- Technical requirements and testing and evaluation approaches for network-based intrusion prevention system products

This standard specifies the functional requirements of network-based intrusion prevention products, the product own security requirements, the product assurance requirements; it also proposes the classification requirements for intrusion prevention products. This standard applies to the design, development, testing and evaluation of network-based intrusion prevention products.
GB/T 28451-2012
GB
NATIONAL STANDARD OF THE
PEOPLE'S REPUBLIC OF CHINA
ICS 35.020
L 80
Information security technology - Technical
requirements and testing and evaluation approaches
for network-based intrusion prevention system
products
ISSUED ON: JUNE 29, 2012
IMPLEMENTED ON: OCTOBER 01, 2012
Issued by: General Administration of Quality Supervision, Inspection and Quarantine;
Standardization Administration of PRC.
Table of Contents
Foreword ... 3
1 Scope ... 4
2 Normative references ... 4
3 Terms and definitions ... 4
4 Abbreviations ... 6
5 Technical requirements for intrusion prevention products ... 6
5.1 Description of composition ... 6
5.2 Classification of functional and security requirements ... 7
6 Composition of intrusion prevention products ... 9
6.1 Intrusion event analysis unit ... 9
6.2 Intrusion response unit ... 9
6.3 Intrusion event audit unit ... 9
6.4 Management control unit ... 9
7 Technical requirements for intrusion prevention products ... 10
7.1 Level 1 ... 10
7.2 Level 2 ... 15
7.3 Level 3 ... 24
8 Evaluation methods of intrusion prevention products ... 35
8.1 Test environment ... 35
8.2 Test tool ... 36
8.3 Level 1 ... 36
8.4 Level 2 ... 50
8.5 Level 3 ... 75
8.6 Performance test ... 104
1 Scope
This standard specifies the functional requirements of network-based intrusion prevention products, the product's own security requirements, the product assurance requirements; it also proposes the classification requirements for intrusion prevention products.
This standard applies to the design, development, testing and evaluation of network-based intrusion prevention products.
2 Normative references
The following documents are essential to the application of this document. For dated references, only the edition with the indicated date applies to this document; for undated references, the latest edition (including all amendments) applies.
GB 17859-1999 Classified criteria for security protection of computer information system
GB/T 25069-2010 Information security technology - Glossary
3 Terms and definitions
The terms and definitions defined in GB/T 25069-2010 and GB 17859-1999, as well as the following terms and definitions, apply to this document.
3.1
Network-based intrusion prevention system products
A product that is deployed on a network path in the form of a bridge or a gateway, finds network behaviors with intrusive characteristics by analyzing network traffic, and intercepts them before they enter the protected network.
5.1.1 Level 1
This level specifies the minimum security requirements for intrusion prevention products. The product has basic protocol analysis, intrusion detection and interception capabilities; generates records of intrusion events; and restricts control of product function configuration and data access through simple user identification and authentication, so that users are able to independently protect the product, prevent illegal users from harming it, and protect its normal operation.
5.1.2 Level 2
This level requires the division of security management roles, to refine the management of intrusion prevention products. The audit function is added, to make the actions of authorized administrators traceable. While the product realizes intrusion detection and interception, it also requires the function of timely warning. For event records, it also requires the ability to generate and output reports, as well as a hardware failure handling mechanism.
5.1.3 Level 3
This level requires intrusion prevention products to provide a general interface to the outside world, and report results to have functions such as template customization. It also requires functions such as multiple authentication mechanisms, upgrade security, self-hiding and load balancing, and puts forward higher requirements for the product's own security, providing strong protection for the normal operation of the product.
5.1.4 Performance
This item specifies the performance requirements of intrusion prevention products, covering all levels.
5.2 Classification of functional and security requirements
The security classification of intrusion prevention products is as shown in Table 1 and Table 2. The grade evaluation of intrusion prevention products is based on Table 1 and Table 2, combined with the comprehensive evaluation of product assurance requirements. The intrusion prevention products that meet the level 1 requirements shall meet all the items that the level 1 products shall comply with as indicated in Table 1 and Table 2, as well as the relevant assurance requirements for the level 1 product. The intrusion prevention products that meet the level 2 requirements shall meet all the items that the level 2 products shall comply with as indicated in Table 1 and Table 2, as well as the relevant assurance requirements for the level 2 product. The intrusion prevention products that meet the level 3 requirements shall meet all the items that the level 3 products shall comply with as indicated in Table 1 and Table 2, as well
7.1.3.3.1 Function design
Developers shall provide documents explaining the security function design of intrusion prevention products.
Function design shall describe the security function and its external interface in an informal way; describe the purpose and method of using the external security function interface; provide details of exceptions and error messages when needed.
7.1.3.3.2 Representation correspondence
The developer shall provide a correspondence analysis between all adjacent pairs of representations of the security function of the intrusion prevention product.
7.1.3.4 Guiding documents
7.1.3.4.1 Administrator guide
The developer shall provide the authorized administrator with an administrator guide including the following:
a) Management functions and interfaces that can be used by intrusion prevention products;
b) How to securely manage intrusion prevention products;
c) The functions and permissions that shall be controlled in the secured processing environment;
d) All assumptions about user behavior related to the secured operation of intrusion prevention products;
e) All security parameters controlled by the administrator, if possible, it shall indicate the security value;
f) Every security-related event related to the management function, including changes to the security features of the entity controlled by the security function;
g) All IT environment security requirements related to authorized administrators.
The administrator guide shall be consistent with all other documents provided for evaluation.
7.1.3.4.2 User guide
a) The test document shall include the test plan, test procedures, expected test results, actual test results.
b) The test plan shall identify the security functions to be tested and describe the objectives of the test. The test procedure shall identify the test to be performed and describe the test profile of each security function, which includes the sequential dependence of other test results.
c) The expected test result shall indicate the expected output after the test is successful.
d) The actual test results shall show that each tested security function can operate according to requirements.
7.2 Level 2
7.2.1 Product functional requirements
7.2.1.1 Requirements for intrusion event analysis function
7.2.1.1.1 Data collection
Intrusion prevention products shall have the ability to collect all data packets flowing into the target network in real time.
7.2.1.1.2 Protocol analysis
Intrusion prevention products shall perform protocol analysis on the collected data packets.
7.2.1.1.3 Intrusion discovery
Intrusion prevention products shall be able to detect intrusions in the protocol.
7.2.1.1.4 Intrusion evasion discovery
Intrusion prevention products shall be able to detect behaviors that evade or deceive detection, such as IP fragment reassembly, TCP stream reassembly, protocol port relocation, URL string deformation, SHELL deformation, etc.
7.2.1.1.5 Traffic monitoring
Intrusion prevention products shall monitor abnormal traffic in the target environment.
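The "URL string deformation" evasion named in 7.2.1.1.4 is normally addressed by canonicalising the request before signature matching, so that an encoded or padded path reaches the same decision as its plain form. The following is an added example, not text or code from the standard; the rule set, rule name, decode bound and sample paths are constructed for illustration.

```python
"""Added example (not part of GB/T 28451-2012): a URL canonicalisation step of
the kind an IPS needs for the 'URL string deformation' item of 7.2.1.1.4.
Signature matching runs on the canonical form, so an encoded, double-encoded,
backslash- or dot-segment-padded request reaches the same decision as its plain
form. The rule set and sample URLs are constructed."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

MAX_DECODE_ROUNDS = 3  # bound repeated decoding; %2525... must not loop forever


def canonical_path(raw_url: str) -> str:
    """Canonical request path for matching, derived in this order:
    1. path component only (the query string is matched separately);
    2. percent-decode until stable, which resolves %252e double encoding;
    3. treat backslash as a separator, as some servers do;
    4. collapse '.', '..' and repeated '/' segments;
    5. lower-case, for case-insensitive targets."""
    path = urlsplit(raw_url).path or "/"
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()


# Constructed rule set: request paths the site policy says must not reach the server.
RULES = {
    "blocked-admin-script": re.compile(r"^/admin/cmd\.php$"),
}


def match(raw_url: str):
    """Name of the first rule whose pattern matches the canonical path, else None."""
    path = canonical_path(raw_url)
    for name, pattern in RULES.items():
        if pattern.search(path):
            return name
    return None
```

Matching the raw string instead would miss every deformed variant while still matching the plain one, which is exactly the gap 7.2.1.1.4 asks the product to close.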
7.2.1.2 Requirements for intrusion response function
7.2.1.4 Requirements for management control function
7.2.1.4.1 Management interface
Intrusion prevention products shall provide a user interface for management and configuration of intrusion prevention products. The management configuration interface shall contain all the functions needed to configure and manage the product.
7.2.1.4.2 Intrusion event library
Intrusion prevention products shall provide an intrusion event library. The event library shall include event name, detailed description, definition, etc.
7.2.1.4.3 Event classification
Intrusion prevention products shall classify events according to their severity, so that authorized administrators can capture dangerous events from a large amount of information.
7.2.1.4.4 Event definition
Intrusion prevention products shall allow authorized administrators to customize policy events.
7.2.1.4.5 Protocol definition
In addition to supporting the default network protocol set, intrusion prevention products shall also allow authorized administrators to define new protocols or relocate the protocol ports.
7.2.1.4.6 Traffic control
Intrusion prevention products have the function of controlling abnormal traffic.
7.2.1.4.7 Hardware failure handling
Intrusion prevention products shall provide hardware failure handling mechanisms.
7.2.1.4.8 Policy configuration
Intrusion prevention products shall provide functions to configure intrusion prevention strategies and response measures.
7.2.1.4.9 Product upgrade
Intrusion prevention products shall have the ability to update and upgrade product versions and event libraries.
7.2.3.3.1 Function design
Developers shall provide documents explaining the security function design of intrusion prevention products.
The functional design shall describe the security function and its external interface in an informal way; describe the purpose and method of using the external security function interface; provide details of exceptions and error messages when needed.
7.2.3.3.2 High-level design
Developers shall provide documents explaining the high-level design of the security functions of intrusion prevention products.
The high-level design shall be expressed in an informal way and be internally consistent. In order to explain the structure of the security function, the high-level design shall decompose the security function into security function subsystems for description, and clarify how the subsystems that help strengthen the security function of the intrusion prevention product are separated from other subsystems. For each security function subsystem, the high-level design shall describe the security functions it provides; identify all its interfaces and which of them are externally visible; describe the purpose and methods of use of all its interfaces; and provide details of the functions, exceptions and error messages of the subsystem. The high-level design shall also identify all the basic hardware, firmware and software required by the security of intrusion prevention products, and the protection mechanisms implemented by that hardware, firmware or software.
7.2.3.3.3 Representation correspondence
The developer shall provide a correspondence analysis between all adjacent pairs of representations of the security function of the intrusion prevention product.
7.2.3.4 Guiding documents
7.2.3.4.1 Administrator guide
The developer shall provide the authorized administrator with an administrator guide including the following:
a) Management functions and interfaces that can be used by intrusion prevention product administrators;
b) How to securely manage intrusion prevention products;
c) The functions and permissions that shall be controlled in the secured development environment of the intrusion prevention product;
b) The development security documents shall also provide evidence of the security measures implemented during the development and maintenance of intrusion prevention products.
7.2.3.6 Test
7.2.3.6.1 Scope
Developers shall provide analysis results of test coverage.
The analysis result of test coverage shall show that the test identified in the test document corresponds to the security function described in the security function design; meanwhile the correspondence is complete.
7.2.3.6.2 Test depth
The developer shall provide in-depth analysis of the test.
In the in-depth analysis, it shall be stated that the test of the security function identified in the test document is sufficient to show that the security function is consistent with the high-level design.
7.2.3.6.3 Function test
Developers shall test security functions and provide the following test documents:
a) The test document shall include the test plan, test procedures, expected test results and actual test results;
b) The test plan shall identify the security functions to be tested and describe the objectives of the test. The test procedure shall identify the tests to be performed and describe the test profile of each security function, which includes the sequential dependence of other test results;
c) The expected test result shall show the expected output after the test is successful;
d) The actual test results shall show that each tested security function can operate according to requirements.
7.2.3.6.4 Independence test
The developer shall provide evidence to prove that the intrusion prevention product provided by the developer has been independently tested and passed by a third-party test.
deceive detection, such as IP fragment reassembly, TCP stream reassembly, protocol port relocation, URL string deformation, SHELL deformation.
7.3.1.1.5 Traffic monitoring
Intrusion prevention products shall monitor abnormal traffic in the target environment.
7.3.1.2 Requirements for intrusion response function
7.3.1.2.1 Interception capability
Intrusion prevention products shall intercept the discovered intrusion in advance, to prevent the intrusion from entering the target network.
7.3.1.2.2 Security alert
Intrusion prevention products shall take corresponding actions to issue security alerts when they discover and block intrusions.
7.3.1.2.3 Alert mode
The alert methods of intrusion prevention products should adopt one or more methods such as real-time screen prompts, E-mail alerts, sound alerts.
7.3.1.2.4 Event merge
Intrusion prevention products shall have the ability to combine alerts for the same security events that occur frequently to avoid alert storms.
7.3.1.3 Requirements for intrusion event audit function
7.3.1.3.1 Event generation
Intrusion prevention products shall be able to generate audit records in time for interception behavior.
7.3.1.3.2 Event record
Intrusion prevention products shall record and save intercepted intrusion events. The intrusion event information shall at least include the name of the event, the date and time of the event, the source IP address, source port, destination IP address, destination port, hazard level, etc.
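The alert merging of 7.3.1.2.4 and the minimum record fields of 7.3.1.3.2 above, shown together as an added Python example that is not part of the standard. The event record dataclass, the merge key (event name, source IP, destination IP and destination port), the 30-second window and the sample hits are all constructed assumptions.

```python
"""Added example (not part of GB/T 28451-2012): alert merging as required by
7.3.1.2.4, over intercepted-intrusion records carrying the minimum fields of
7.3.1.3.2. Repeats of one event between the same source and destination inside
a merge window collapse into one alert with a hit count. Sample data, window
length and merge key are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class IntrusionEvent:  # minimum record content listed in 7.3.1.3.2
    name: str
    timestamp: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    hazard_level: str


@dataclass
class MergedAlert:
    first: IntrusionEvent  # occurrence that opened the alert
    count: int = 1


class AlertMerger:
    def __init__(self, window: timedelta):
        self.window = window
        self.open: dict[tuple, MergedAlert] = {}
        self.closed: list[MergedAlert] = []

    def add(self, ev: IntrusionEvent) -> None:
        # Key omits the source port: a client picks a new one per connection,
        # so keying on it would recreate the very alert storm being avoided.
        k = (ev.name, ev.src_ip, ev.dst_ip, ev.dst_port)
        cur = self.open.get(k)
        if cur is not None and ev.timestamp - cur.first.timestamp <= self.window:
            cur.count += 1  # repeat inside the window: counted, no new alert
            return
        if cur is not None:  # window elapsed: close the old alert, open a new one
            self.closed.append(cur)
        self.open[k] = MergedAlert(first=ev)

    def flush(self) -> list[MergedAlert]:
        self.closed.extend(self.open.values())
        self.open.clear()
        return self.closed


def demo() -> list[MergedAlert]:
    """Constructed input: 50 hits of one signature in 10 s, one more a minute later."""
    def hit(t: datetime, sport: int) -> IntrusionEvent:
        return IntrusionEvent("sql-injection-attempt", t, "203.0.113.5", sport,
                              "192.0.2.10", 80, "high")
    t0 = datetime(2012, 10, 1, 9, 0, 0)
    merger = AlertMerger(window=timedelta(seconds=30))
    for i in range(50):
        merger.add(hit(t0 + timedelta(milliseconds=200 * i), 40000 + i))
    merger.add(hit(t0 + timedelta(seconds=60), 41000))
    return merger.flush()  # two alerts: counts 50 and 1
```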
7.3.1.3.3 Report generation
Intrusion prevention products shall be able to generate detailed results reports.
7.3.1.3.4 Report review
Intrusion prevention products shall ensure the security of event library and version upgrades, and shall ensure that upgrade packages are provided by the developer.
7.3.2.3.4 Self-hiding
Intrusion prevention products shall at least provide bridge access methods and take measures such as hiding IP addresses to make themselves invisible on the network, to reduce the possibility of being attacked.
7.3.2.4 Security audit
7.3.2.4.1 Audit data generation
Intrusion prevention products shall at least generate audit records for the following auditable events:
a) Attempt to log in to the intrusion prevention product management port and manage the identity authentication request;
b) All operations to change the security policy;
c) All attempts to modify security attributes.
At least the date and time of the event, the type of event, the identity of the subject, the result (success or failure) of the event shall be recorded in each audit record.
7.3.2.4.2 Audit review
Intrusion prevention products shall provide authorized administrators with the ability to read all audit information from the audit records, and to sort the audit records.
7.3.2.4.3 Restricted audit access
Other than authorized administrators who have been explicitly granted read access, intrusion prevention products shall prohibit all users from reading audit records.
7.3.3 Product assurance requirements
7.3.3.1 Configuration management
7.3.3.1.1 Configuration management capabilities
Developers shall use configuration management systems and provide configuration management documents, and shall provide unique identification for different versions of intrusion prevention products.
7.3.3.2.2 Installation generation
Developers shall provide documentation explaining the installation, generation and activation of intrusion prevention products.
7.3.3.3 Security function development
7.3.3.3.1 Function design
Developers shall provide documents explaining the security function design of intrusion prevention products.
The security function design shall describe the security function and its external interface in an informal way; describe the purpose and method of using the external security function interface; provide details of exceptions and error messages when needed.
7.3.3.3.2 High-level design
Developers shall provide documents explaining the high-level design of the security functions of intrusion prevention products.
The high-level design shall be expressed in an informal way and be internally consistent. In order to explain the structure of the security function, the high-level design shall decompose the security function into security function subsystems for description, and clarify how the subsystems that help strengthen the product security function are separated from other subsystems. For each security function subsystem, the high-level design shall describe the security functions it provides; identify all its interfaces and which of them are externally visible; describe the purpose and methods of use of all its interfaces; and provide details of the functions, exceptions and error messages of the subsystem. The high-level design shall also identify all the basic hardware, firmware and software required by the security of intrusion prevention products, and the protection mechanisms implemented by that hardware, firmware or software.
7.3.3.3.3 Realization of security functions
Developers shall provide implementation representations for the selected subset of product security features.
The realization means that the product security function shall be defined unambiguously a...
