
GB/T 31505-2015 English PDF (GBT31505-2015)

GB/T 31505-2015: [Replaced by GB/T 20281-2020] Information security technology -- Technique requirements and testing and evaluation approaches for host-based firewall and personal firewall

This standard specifies the security technical requirements, evaluation methods and security classification of host-based firewalls. This standard applies to the design, development and testing of host-based firewall and personal firewall.
GB/T 31505-2015
GB
NATIONAL STANDARD OF THE
PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Technique
requirements and testing and evaluation approaches
for host-based firewall and personal firewall
ISSUED ON: MAY 15, 2015
IMPLEMENTED ON: JANUARY 01, 2016
Issued by: General Administration of Quality Supervision, Inspection and Quarantine;
Standardization Administration of PRC.
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Descriptions of host-based firewall and personal firewall
5 Security technical requirements
5.1 General description
5.2 Basic level requirements
5.3 Enhanced level requirements
6 Test evaluation method
6.1 Test environment
6.2 Basic level test
6.3 Enhanced level test
1 Scope
This standard specifies the security technical requirements, evaluation methods and security classification of host-based firewalls.
This standard applies to the design, development and testing of host-based firewall and personal firewall.
2 Normative references
The following documents are essential to the application of this document. For dated documents, only the versions with the dates indicated are applicable to this document; for undated documents, only the latest version (including all amendments) is applicable to this document.
GB/T 18336.3-2008 Information technology - Security techniques - Evaluation criteria for IT security - Part 3: Security assurance requirements
GB/T 25069 Information security technology - Glossary
3 Terms and definitions
The terms and definitions as defined in GB/T 25069 as well as the following terms and definitions apply to this document.
3.1
Host-based firewall and personal firewall
Also known as a host-based firewall or a personal firewall: software that runs on a standalone computer. It can monitor the inbound and outbound network connections on the host and perform network address-based and application-based access control through predefined rules. It usually also has other security functions such as anti-malware, intrusion detection, network alert, etc.
5.2.1.5.3 Timeout lock or logout
The product shall have a login timeout lock or logout function. If there is no operation within the set time period, the session is terminated, and identity authentication is required again before any further operation. The maximum timeout period can only be set by an authorized administrator.
5.2.1.6 Security management
5.2.1.6.1 Identification uniqueness
The product shall provide a unique identifier for the user; at the same time associate the user's identifier with all auditable events of the user.
5.2.1.6.2 Administrator attribute definition
If the product supports policy center for distributed deployment and centralized management, the policy center shall be able to divide the roles of administrators:
a) Administrator roles with at least two different permissions, such as security officer, auditor, etc.;
b) According to different functional modules, customize various different authority roles and assign roles to administrators.
5.2.1.6.3 Remote management encryption
If the product supports the policy center and implements remote management of the temporary policy center, it shall take confidentiality measures to protect the remote management information implemented by the policy center.
5.2.1.6.4 Trusted management host
If the product supports the policy center and the console provides remote management functions, it shall be able to limit the host addresses that can be remotely managed.
5.2.1.7 Security audit
The product shall have a security audit function; the specific technical requirements are as follows:
a) Type of recording event:
1) Network communication information matching packet filtering rules;
2) The administrator's login success and failure;
3) The operation of changing the security policy;
When delivering each version of the product to the user, the delivery document shall describe all procedures necessary to maintain security.
5.2.2.2.2 Installation, generation, startup of program
The developer shall provide documentation explaining the process of product installation, generation and startup.
5.2.2.3 Development
5.2.2.3.1 Description of informal function specification
The developer shall provide a functional specification, which shall meet the following requirements:
a) Use informal styles to describe product security functions and external interfaces;
b) Is internally consistent;
c) Describe the purpose and usage of all external interfaces; provide details of effects, exceptions and error messages when appropriate;
d) Completely express product security functions.
5.2.2.3.2 Descriptive high-level design
Developers shall provide high-level designs for product security functions; high-level designs shall meet the following requirements:
a) Representation shall be informal;
b) Is internally consistent;
c) Describe the structure of the security function based on subsystem;
d) Describe the security functions provided by each security function subsystem;
e) Identify any basic hardware, firmware or software required by the security function, as well as a representation of the functions provided by the supporting protection mechanisms implemented in these hardware, firmware or software;
f) Identify all interfaces of the security function level;
g) Identify which interfaces of the security function subsystems are externally visible.
packet. When the same type and code field are matched, it will be processed according to the packet processing method in the corresponding rule;
2) According to the local port (including single port and/or port range) and/or remote port (including single port and/or port range) in the UDP network data packet, perform rule matching;
3) According to the local port (including single port and/or port range) and/or remote port (including single port and/or port range) in the TCP network data packet, as well as the flag bit of the TCP data packet, perform rule matching filter.
d) Filter actions include:
1) Interception;
2) Access;
3) Continue to match the next rule.
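As an added illustration (not part of the standard and not taken from any product), the following Python sketch walks an ordered rule list using the UDP/TCP port and TCP flag conditions and the three filter actions listed above. The class and rule names, the exact-flag-set matching and the default action applied when no terminal rule matches are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERCEPT, ACCESS, CONTINUE = "intercept", "access", "continue"
PortRange = Tuple[int, int]            # inclusive; a single port is (p, p)

@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp" or "udp"
    local_port: int
    remote_port: int
    flags: frozenset = frozenset()      # TCP flag names; empty for UDP

@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    action: str
    local: Optional[PortRange] = None   # None = any local port
    remote: Optional[PortRange] = None  # None = any remote port
    flags: Optional[frozenset] = None   # None = any TCP flags

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        for rng, port in ((self.local, pkt.local_port),
                          (self.remote, pkt.remote_port)):
            if rng is not None and not rng[0] <= port <= rng[1]:
                return False
        # Assumption: a flag condition means the exact flag set, so a
        # SYN rule does not also match SYN+ACK.
        return self.flags is None or (
            pkt.proto == "tcp" and pkt.flags == self.flags)

def evaluate(rules: List[Rule], pkt: Packet, default: str = INTERCEPT):
    """Return (final action, names of every rule that matched)."""
    matched = []
    for rule in rules:
        if not rule.matches(pkt):
            continue
        matched.append(rule.name)
        if rule.action != CONTINUE:     # interception or access ends the walk
            return rule.action, matched
    # No rule matched, or only "continue" rules did: the default decides
    # (assumed here to be interception).
    return default, matched

# Constructed rule set, listed in evaluation order.
RULES = [
    Rule("audit-https", "tcp", CONTINUE, remote=(443, 443)),
    Rule("block-rdp-syn", "tcp", INTERCEPT, local=(3389, 3389),
         flags=frozenset({"SYN"})),
    Rule("allow-https", "tcp", ACCESS, remote=(443, 443)),
    Rule("allow-dns", "udp", ACCESS, remote=(53, 53)),
    Rule("allow-local-svc", "udp", ACCESS, local=(5000, 5010)),
]

if __name__ == "__main__":
    print(evaluate(RULES, Packet("tcp", 50000, 443, frozenset({"ACK"}))))
    print(evaluate(RULES, Packet("tcp", 3389, 51000, frozenset({"SYN"}))))
```

A rule set in which every matching rule uses "continue" never reaches a terminal action, so the outcome depends entirely on the default; that case is worth covering when testing a product's rule engine.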
5.3.1.2 Revision of security rules
The product shall provide default security rules, which can be revised by users:
a) Users can choose to use or abandon the security rules as provided by the host-based firewall and personal firewall;
b) Users can add, delete, modify custom security rules according to the format requirements in 5.3.1.1.
5.3.1.3 Application network access control
The security function of the product shall be able to control the permission of each application on the host to use the network; the control of application access to the network shall include the following three methods:
a) Access allowed: Allow the application to use the network;
b) Access prohibited: Prohibit the application from using the network;
c) Inquiry when accessing the network: When the application accesses the network, it shall be able to provide users with detailed reports and inquiries about the access operations it will perform; meanwhile it can accordingly handle the behavior of the application accessing the network according to the query results.
5.3.1.4 Intrusion prevention
c) It shall contain rationality, that is, to demonstrate that the model is consistent with all security policies that can be modeled and is complete;
d) It shall clarify the correspondence between the security policy model and the functional specification, that is, to demonstrate that the security functions in all functional specifications are consistent with the security policy model and are complete.
5.3.2.4 Guiding documents
5.3.2.4.1 Administrator guide
The developer shall provide an administrator guide, which shall be consistent with all other documents provided for evaluation.
The administrator guide shall state the following:
a) Management functions and interfaces available to the administrator;
b) How to manage products securely;
c) Functions and permissions that shall be controlled in a secured processing environment;
d) All assumptions about user behavior related to the secured operation of the product;
e) All security parameters controlled by the administrator; where possible, the security values shall be indicated;
f) Every security-related event related to the management function, including changes to the security characteristics of the entity controlled by the security function;
g) All IT environment security requirements related to administrators.
5.3.2.4.2 User guide
The developer shall provide a user guide, which shall be consistent with all other documents provided for evaluation.
The user guide shall state the following:
a) Security functions and interfaces available to non-administrator users of the product;
b) How to use the security functions and interfaces provided by the product
The analysis result of the test coverage shall show that the correspondence between the test identified in the test document and the security function of the product described in the functional specification is complete.
5.3.2.6.2 Test: High-level design
The developer shall provide in-depth analysis of the test.
In-depth analysis shall confirm that the tests identified in the test document are sufficient to verify that the product's functionality is operating according to its high-level design.
5.3.2.6.3 Function test
Developers shall test security functions, document the results and provide test documentation.
The test document shall include the following:
a) The test plan shall identify the security functions to be tested and describe the test objectives;
b) During the testing process, it shall identify the tests to be performed and describe the test overview of each security function; the test overview shall include the order dependency on other test results;
c) The expected test results shall show the expected output after the test is successful;
d) The actual test results shall show that each security function tested can operate in accordance with provisions.
5.3.2.6.4 Independence test
5.3.2.6.4.1 Consistency
Developers shall provide products suitable for testing; the test set provided shall be consistent with the test set used in self-testing product functions.
5.3.2.6.4.2 Sampling
Developers shall provide a set of considerable resources for sampling testing of security functions.
5.3.2.7 Vulnerability assessment
5.3.2.7.1 Misuse
1) Configure filtering rules based on different packet directions, to generate corresponding network sessions;
2) Configure filtering rules based on different remote IP addresses, to generate corresponding network sessions;
3) Configure filtering rules based on different protocol types, to generate corresponding network sessions;
4) Configure filtering rules for different filtering actions, to generate corresponding network sessions;
5) Configure user-defined filter rules, the filter condition is a combination of some or all of the above filter conditions, to generate the corresponding network session;
6) Record the test results and make a judgment on whether the results fully meet the requirements of the above-mentioned test evaluation methods.
b) Expected result:
The product shall be able to implement correct IP packet filtering according to the configured security rules.
6.2.1.2 Revision of security rules
The test evaluation methods and expected results of the security rule revision of host-based firewall and personal firewall products are as follows:
a) Test evaluation method:
1) Perform network connectivity testing according to the default protection policy as provided by the product;
2) Change the default policy and perform the network connectivity test again, until it covers all the policy sets provided by the product;
3) Add, delete, modify custom security rules, to test network connectivity;
4) Record the test results and make a judgment on whether the results fully meet the requirements of the above-mentioned test evaluation methods.
b) Expected result:
The product shall be able to implement new security policies in accordance with the revised security rules.
2) It shall be ensured that each administrator ID is globally unique; it is not allowed to use one administrator ID for multiple administrators.
6.2.1.6.2 Administrator attribute definition
The test evaluation methods and expected results defined by the administrator attribute of the host-based firewall and personal firewall products are as follows:
a) Test evaluation method: Check whether the security function of the system allows the definition of multiple roles of administrators. Record the test results and make a judgment on whether the results fully meet the requirements of the above-mentioned test evaluation methods.
b) Expected result:
1) The system shall allow administrators with multiple roles to be defined;
2) Each role can have multiple administrators; each administrator can only belong to one role;
3) It shall be ensured that each role identification is globally unique; one role identification is not allowed to be used for multiple roles.
6.2.1.6.3 Remote management encryption
The test evaluation methods and expected results of remote management encryption for host-based firewall and personal firewall products are as follows:
a) Test evaluation method: Check whether the remote management data of the host-based firewall and personal firewall product is transmitted confidentially. Record the test results and make a judgment on whether the results fully meet the requirements of the above-mentioned test evaluation methods.
b) Expected result: The product can ensure the confidential transmission of remote management data.
6.2.1.6.4 Trusted management host
The test evaluation methods and expected results of the trusted management host for host-based firewall and personal firewall products are as follows:
a) Test evaluation method: Check whether the host-based firewall and personal firewall product can restrict the host address that can be remotely managed. Record the test results and make a judgment on whether the results fully meet the requirements of the above-mentioned test evaluation methods.
- The content of the network communication information log matching the filtering rules shall include the following information: communication date and time, filtering action, remote IP address, local port, remote port, remarks;
- Other logs shall record the date, time, user identification, event description and results of the event; if remote login is used to manage the product, the log content shall include the address of the management host.
3) Log management:
- The host-based firewall and personal firewall product shall be able to query the content of the network communication information log matching the filtering rules according to the communication date and time, filtering actions, remote IP address, local port, remote port;
- The host-based firewall and personal firewall product shall be able to query other log content according to the date and time of the event, user identification, event description, result and other conditions;
- Restart the host after shutting down, the log record shall not disappear;
- When the remaining data storage space reaches the threshold, the host-based firewall and personal firewall product shall be able to provide an alarm function;
- Before the data storage space is exhausted, host-based firewall and personal firewall products shall be able to use automatic dumping and other methods to back up data to other storage spaces.
6.2.2 Security assurance evaluation
6.2.2.1 Configuration management
6.2.2.1.1 Version number
The test evaluation methods and expected results of the version number are as follows:
a) Test evaluation method:
1) The evaluator shall review whether the configuration management support file provided by the developer contains the following content: version number; the version number used by the developer shall be completely corresponding to the product sample that shall be
a) Test evaluation method:
The evaluator shall review the test coverage evidence provided by the developer. In the test coverage evidence, whether it shows that the test identified in the test document corresponds to the security function of the product described in the functional specification.
b) Expected result:
The content of the document provided by the developer shall meet the above requirements.
6.2.2.5.2 Function test
The test evaluation methods and expected results of the functional test are as follows:
a) Test evaluation method:
1) The evaluator shall review the test documentation provided by the developer, to see whether it includes the test plan, test procedures, expected test results and actual test results;
2) The evaluator shall review whether the test plan identifies the security function to be tested and whether it describes the test objectives;
3) The evaluator shall review whether the test procedure identifies the test to be performed and whether it describes the test profile of each security function (the profile includes the order dependency on other test results);
4) The evaluator shall review whether the expected test results indicate the expected output after the test is successful;
5) The evaluator shall review whether the actual test results show that each tested security function can operate according to provisions.
b) Expected result:
The content of the document provided by the developer shall meet the above requirements.
6.2.2.5.3 Independence test
6.2.2.5.3.1 Consistency
The consistency test evaluation methods and expected results are as follows:
The testing and evaluation methods and expected results of developer vulnerability analysis are as follows:
a) Test evaluation method:
1) The evaluator shall review the vulnerability analysis document provided by the developer, to see whether it analyzes the various functions of the product from the obvious ways that the user may violate the security policy;
2) The evaluator shall review whether the developer clearly records the measures taken for the identified vulnerability;
3) For each vulnerability, the evaluator shall review whether there is sufficient evidence to prove that the vulnerability cannot be used in the environment where the product is used.
b) Expected result:
The documentation provided by the developer shall meet the above requirements.
6.3 Enhanced level test
6.3.1 Security function test
6.3.1.1 IP packet filtering
The test evaluation methods and expected results of IP packet filtering of host-based fi...
