GB/T 32917-2016: Information security technology -- Security technique requirements and testing and evaluation approaches for WEB application firewall

This standard specifies the security function requirements, self-security protection requirements, performance requirements, security assurance requirements of WEB application firewalls; provides corresponding test evaluation methods. This standard applies to the design, production, testing and procurement of WEB application firewalls.
GB/T 32917-2016
GB
NATIONAL STANDARD OF THE
PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Security technique requirements and testing and evaluation approaches for WEB application firewall
ISSUED ON: August 29, 2016
IMPLEMENTED ON: March 01, 2017
Issued by: General Administration of Quality Supervision, Inspection and Quarantine; Standardization Administration of PRC.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms, definitions and abbreviations
3.1 Terms and definitions
3.2 Abbreviations
4 Security technical requirements
4.1 Basic level
4.1.1 Security function requirements
4.1.2 Self-security protection
4.1.3 Security assurance requirements
4.2 Enhanced level
4.2.1 Security function requirements
4.2.2 Self-security protection
4.2.3 Security assurance requirements
4.3 Performance requirements
4.3.1 HTTP throughput
4.3.2 HTTP maximum request rate
4.3.3 Maximum number of concurrent HTTP connections
5 Test evaluation method
5.1 Test environment
5.2 Basic level
5.2.1 Evaluation method for security function requirements test
5.2.2 Self-security protection test evaluation method
5.2.3 Test evaluation methods for security assurance requirements
5.3 Enhanced level
5.3.1 Test evaluation method of security function requirements
5.3.2 Test evaluation method of self-security protection
5.3.3 Test evaluation method of security assurance requirements
5.4 Performance test evaluation method
5.4.1 HTTP throughput
5.4.2 HTTP maximum request rate
5.4.3 Maximum number of concurrent HTTP connections
6 Classification of security technical requirements of WEB application firewall
References
Information security technology - Security technique
requirements and testing and evaluation approaches
for WEB application firewall
1 Scope
This standard specifies the security function requirements, self-security protection requirements, performance requirements and security assurance requirements of WEB application firewalls, and provides the corresponding test evaluation methods.
This standard applies to the design, production, testing and procurement of WEB application firewalls.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the edition cited applies; for undated references, the latest edition (including all amendments) applies.
GB/T 25069-2010 Information security technology - Glossary
3 Terms, definitions and abbreviations
3.1 Terms and definitions
The terms and definitions defined in GB/T 25069-2010 and the following apply to this document.
3.1.1
WEB application firewall
An information security product that performs protocol and content filtering on all access requests to WEB servers and on WEB server responses, based on pre-defined filtering rules and security protection rules, thereby providing security protection for WEB servers and WEB

b) Record alarm events, including the date and time of the event, the matching rule, a description of the alarm event, etc.
4.1.2 Self-security protection
4.1.2.1 Identification and authentication
4.1.2.1.1 Unique identification
Each authorized administrator shall be given a unique identity, and that identity shall be associated with all auditable events of that administrator.
4.1.2.1.2 Identity authentication
Any administrator claiming to act as an authorized administrator shall be authenticated before performing any operation related to the security functions.
4.1.2.1.3 Authentication data protection
It shall be ensured that authentication data cannot be accessed or modified without authorization.
4.1.2.1.4 Authentication failure handling
When the number of failed authentication attempts by an administrator reaches the configured limit, the product shall be able to:
a) Terminate the session.
4.1.2.2 Security audit
4.1.2.2.1 Audit data generation
The following audit logs shall be generated:
a) An audit record for every successful and failed WEB access event; its content shall include the date, time, IP address, requested URL, success or failure indication and matching rule of the event;
b) An audit record for every successful and failed administrator login; its content shall include the date, time, IP address, username and success or failure indication of the event.
4.1.2.2.2 Audit log management function
Management functions such as backup and query of audit data shall be provided.
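An added example, not part of the standard's text, of producing the records 4.1.2.2.1 requires and of the completeness check an evaluator applies to a stored log under 5.2.2.2. The field names, the key=value line format and the sample events are this example's own assumptions; the standard lists only the information each record must carry.

```python
# Added example, not from GB/T 32917-2016: audit records for WEB access events
# (4.1.2.2.1 a) and administrator logins (4.1.2.2.1 b), plus the completeness
# check an evaluator would run over a stored log. Field names and the key=value
# line format are assumptions of this example.
from datetime import datetime, timezone

ACCESS_FIELDS = ("date", "time", "src_ip", "url", "result", "rule")
ADMIN_FIELDS = ("date", "time", "src_ip", "username", "result")

# Constructed timestamp used by the sample events below.
SAMPLE_TIME = datetime(2017, 3, 1, 8, 0, 0, tzinfo=timezone.utc)


def _date_time(when):
    """Split one timestamp into the separate date and time fields the standard names."""
    when = when.astimezone(timezone.utc)
    return when.strftime("%Y-%m-%d"), when.strftime("%H:%M:%S")


def access_record(when, src_ip, url, blocked, rule=None):
    """One record per WEB access event, successful (passed) or failed (blocked).

    `rule` is the protection rule that matched; "-" records that nothing matched,
    so the field is never empty and a passed request still yields a complete record.
    """
    date, time_ = _date_time(when)
    return {
        "date": date,
        "time": time_,
        "src_ip": src_ip,
        "url": url,
        "result": "blocked" if blocked else "passed",
        "rule": rule if rule else "-",
    }


def admin_login_record(when, src_ip, username, success):
    """One record per administrator authentication attempt, success or failure."""
    date, time_ = _date_time(when)
    return {
        "date": date,
        "time": time_,
        "src_ip": src_ip,
        "username": username,
        "result": "success" if success else "failure",
    }


def missing_fields(record, kind):
    """Names of required fields that are absent or empty; [] means the record is complete."""
    required = ACCESS_FIELDS if kind == "access" else ADMIN_FIELDS
    return [field for field in required if not record.get(field)]


def format_record(record):
    """Render as one key=value line so the stored log stays human-readable (5.2.2.2.3)."""
    return " ".join(f"{key}={value}" for key, value in record.items())


def audit_log_report(records):
    """Evaluator view of a whole log: record count and the index of every incomplete record."""
    incomplete = []
    for index, (kind, record) in enumerate(records):
        missing = missing_fields(record, kind)
        if missing:
            incomplete.append((index, missing))
    return {"records": len(records), "incomplete": incomplete}


if __name__ == "__main__":
    # Constructed sample events for this example.
    sample = [
        ("access", access_record(SAMPLE_TIME, "192.0.2.10", "/index.html", False)),
        ("access", access_record(SAMPLE_TIME, "192.0.2.10", "/login.php?id=1'", True, "SQLI-001")),
        ("admin", admin_login_record(SAMPLE_TIME, "198.51.100.7", "admin", False)),
    ]
    for _, record in sample:
        print(format_record(record))
    print(audit_log_report(sample))
```

The point of `missing_fields` is that an evaluator does not read a few lines and nod; every record in the permanent audit store is checked against the field list, and a product that writes the matching rule only for blocked requests, or omits the username on failed logins, fails 4.1.2.2.1 even though its log "looks fine".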
b) Describe the security domains of the product security functions consistently with the security function requirements;
c) Describe why the initialization process of the product security functions is secure;
d) Demonstrate that the product security functions protect themselves from tampering;
e) Demonstrate that the product security functions prevent the security features from being bypassed.
4.1.3.1.2 Functional specification
The developer shall provide a complete functional specification, which shall:
a) Fully describe the security functions of the product;
b) Describe the purpose and method of use of all security function interfaces;
c) Identify and describe all parameters associated with each security function interface;
d) Describe, for each security function interface, the behavior that enforces the security function requirements;
e) Describe the direct error messages resulting from the implementation behavior and exceptions of the security functions;
f) Describe, for each security function interface, the behavior that supports the security function requirements and the behavior that is unrelated to them;
g) Demonstrate traceability from the security function requirements to the security function interfaces.
4.1.3.1.3 Product design
The developer shall provide product design documents, which shall:
a) Describe the structure of the product in terms of subsystems;
b) Identify all subsystems of the product security functions;
c) Describe the behavior of each subsystem that is unrelated to the security function requirements in enough detail to determine that it is indeed unrelated;
d) Summarize the behavior that supports the security function requirements and the behavior that is unrelated to them

a) Describe all the steps necessary for secure acceptance of the delivered product, consistent with the developer's delivery procedure;
b) Describe all the steps necessary to securely install the product and its operating environment.
4.1.3.3 Life cycle support
4.1.3.3.1 Configuration management capabilities
The developer's configuration management capabilities shall meet the following requirements:
a) Provide unique identification for different versions of the product;
b) Use a configuration management system to maintain all configuration items that make up the product, and uniquely identify the configuration items;
c) Provide configuration management documentation that describes the method used to uniquely identify the configuration items;
d) The configuration management system shall provide measures such that only authorized changes can be made to the configuration items;
e) The configuration management documentation shall include a configuration management plan that describes how the configuration management system is used to develop the product;
f) The implemented configuration management shall be consistent with the configuration management plan.
4.1.3.3.2 Configuration management scope
The developer shall provide a list of product configuration items and indicate the developer of each item. The list shall:
a) Cover the product, the evaluation evidence for the security assurance requirements, the product components and the implementation representation;
b) Uniquely identify each configuration item;
c) For each configuration item related to the security functions, briefly describe its developer.
4.1.3.3.3 Delivery procedures
The developer shall use defined delivery procedures to deliver the product and

h) Illegal upload protection;
i) Illegal download protection;
j) HTTP flood protection;
k) Cookie injection attack protection;
l) Webshell identification and interception;
m) Protection against other WEB attacks.
4.2.1.3 Other functions
4.2.1.3.1 Custom error page function
It shall be possible to customize the error page returned by the WEB server.
4.2.1.3.2 Whitelist function
It shall support a whitelist function: only specified objects are allowed to access the specified WEB resources.
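An added example, not from the standard or any product it covers, of the deny-by-default whitelist 4.2.1.3.2 describes: a request passes only if an entry's client network contains the source address and its path prefix covers the requested resource. The entry format (CIDR, path prefix), the class and function names and the sample entries are this example's assumptions. It also shows the check a tester should add to the whitelist test: the path must be canonicalized before matching, otherwise an encoded or dot-segment variant of a non-whitelisted path can match a whitelisted prefix.

```python
# Added example, not from GB/T 32917-2016: a deny-by-default whitelist keyed on
# client network and resource path prefix (4.2.1.3.2). Entry format, names and
# sample data are assumptions of this example.
import ipaddress
import posixpath
import re
from urllib.parse import unquote, urlsplit


class Whitelist:
    """Only requests matching some (client network, path prefix) entry are allowed."""

    def __init__(self, entries):
        # entries: iterable of (client_cidr, path_prefix), an assumed entry format.
        self.entries = [
            (ipaddress.ip_network(cidr, strict=False), self.normalize_path(prefix))
            for cidr, prefix in entries
        ]

    @staticmethod
    def normalize_path(url):
        """Decode and canonicalize the path so encoded or dot-segment variants
        ('/%61pp', '/admin/../app', '//app') match the prefix the server resolves."""
        path = unquote(urlsplit(url).path) or "/"
        path = re.sub(r"/+", "/", path)          # collapse '//' before normpath keeps it
        path = posixpath.normpath(path)          # resolves '.' and '..' segments
        if not path.startswith("/"):
            path = "/" + path
        return path

    def allows(self, client_ip, url):
        """True only if some entry covers both the client address and the path."""
        address = ipaddress.ip_address(client_ip)
        path = self.normalize_path(url)
        for network, prefix in self.entries:
            if address not in network:           # False for a mismatched IP version too
                continue
            if prefix == "/" or path == prefix or path.startswith(prefix + "/"):
                return True
        return False


def run_whitelist_test(whitelist, cases):
    """Replay (client_ip, url, expected_allowed) cases; return the ones decided differently."""
    return [(ip, url, expected) for ip, url, expected in cases
            if whitelist.allows(ip, url) != expected]


if __name__ == "__main__":
    # Constructed entries and test cases for this example.
    wl = Whitelist([("10.0.0.0/8", "/app"), ("192.0.2.5/32", "/admin/")])
    print(run_whitelist_test(wl, [
        ("10.1.2.3", "/app/index.php", True),
        ("10.1.2.3", "/application", False),
        ("10.1.2.3", "/admin/users", False),
        ("192.0.2.5", "/admin/%2e%2e/app/secret", False),
    ]))
```

Prefix matching is done on whole path segments (`/app` covers `/app/x` but not `/application`), and the entry prefixes pass through the same normalization as requests, so `/admin/` and `/admin` denote the same resource.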
4.2.1.3.3 Support HTTPS
It shall be able to decode HTTPS-based WEB server access requests and apply the following functions to the decoded content: the HTTP filtering function of 4.2.1.1, the security protection function of 4.2.1.2, the custom error page function of 4.2.1.3.1 and the whitelist function of 4.2.1.3.2.
4.2.1.3.4 Rule base management
It shall have the following rule base management functions:
a) Provide a security protection rule base matching the user's WEB application environment, upgradable automatically or manually;
b) Add, delete and modify custom filtering rules.
4.2.1.3.5 Alarm function
It shall be able to raise alarms on violations and shall meet the following requirements:
a) Support at least one of screen alarm, e-mail alarm, SNMP trap alarm, SMS alarm, etc.;
b) Record alarm events, including the date and time of the event, the matching rule, a description of the alarm event, etc.;

d) Describe, for each security function interface, the behavior that implements the security functions;
e) Describe the direct error messages resulting from the processing behavior of the security functions;
f) Demonstrate traceability from the security function requirements to the security function interfaces;
g) Describe all behavior associated with each security function interface in the implementation of the security functions;
h) Describe all direct error messages that may result from invoking each security function interface.
4.2.3.1.3 Implementation representation
The developer shall provide an implementation representation of all security functions, which shall:
a) Provide a mapping between the product design description and a sample of the implementation representation, and demonstrate their consistency;
b) Define the product security functions at a level of detail from which they can be generated without further design;
c) Be provided in the form used by the developers.
4.2.3.1.4 Product design
The developer shall provide product design documents, which shall:
a) Describe the structure of the product in terms of subsystems;
b) Identify and describe all subsystems of the product security functions;
c) Describe the interactions between all subsystems of the security functions;
d) Provide a mapping by which every behavior described in the design can be traced to the security function interface that invokes it;
e) Describe the security functions in terms of modules;
f) Provide the mapping between the security function

consistent with the developer's delivery procedure;
b) Describe all the steps necessary to securely install the product and its operating environment.
4.2.3.3 Life cycle support
4.2.3.3.1 Configuration management capabilities
The developer's configuration management capabilities shall meet the following requirements:
a) Provide unique identification for different versions of the product;
b) Use a configuration management system to maintain all configuration items that make up the product, and uniquely identify the configuration items;
c) Provide configuration management documentation that describes the method used to uniquely identify the configuration items;
d) Provide automated measures such that only authorized changes can be made to the configuration items;
e) The configuration management system shall provide an automated means of supporting the production of the product;
f) The configuration management documentation shall include a configuration management plan that describes how the configuration management system is used to develop the product, and the implemented configuration management shall be consistent with that plan;
g) The configuration management plan shall describe the procedures used to accept modified or newly created configuration items as part of the product.
4.2.3.3.2 Configuration management scope
The developer shall provide a list of product configuration items and indicate the developer of each item. The list shall:
a) Cover the product, the evaluation evidence for the security assurance requirements, the product components, the implementation representation, and security flaw reports and their resolution status;
b) Uniquely identify each configuration item;
c) For each configuration item related to the security functions, the configuration

analysis description shall:
a) Demonstrate the correspondence between the tests in the test documentation and the security function subsystems and the modules enforcing the security function requirements in the product design;
b) Demonstrate that all security function subsystems and all modules enforcing the security function requirements in the product design have been tested.
4.2.3.4.3 Function test
The developer shall test the product security functions, document the results and provide test documentation, which shall include:
a) Test plan: identifies the tests to be performed and describes the scenario for performing each test, including any ordering dependencies on the results of other tests;
b) Expected test results: show the anticipated outputs of a successful execution of the tests;
c) Actual test results: shall be consistent with the expected test results.
4.2.3.4.4 Independent test
The developer shall provide a set of resources equivalent to those used in the developer's own functional testing of the security functions, for sample testing of the security functions.
4.2.3.5 Vulnerability assessment
On the basis of the identified potential vulnerabilities, the product shall resist the following attacks:
a) Attacks by an attacker with enhanced-basic attack potential.
Note: To resist an attacker with enhanced-basic attack potential, the following five factors must be considered together: the elapsed time of the attack, the attacker's expertise, knowledge of the product, the window of opportunity (access time to the product or number of attack samples), and the equipment used. See Appendix B of Reference [10] for details.
4.3 Performance requirements
4.3.1 HTTP throughput
The HTTP throughput of the WEB application firewall shall not be less than 90% of the wire speed.
The test evaluation method and results for filtering of content returned by the WEB server are as follows.
a) Test evaluation method:
From the management host, configure filtering rules based on keywords in the content returned by the WEB server; then issue the corresponding HTTP requests from the test terminal and check whether, according to the rules, the firewall blocks the return of pages that contain the keywords.
b) Test evaluation results:
Record the test results and judge whether they fully meet the corresponding security technical requirements.
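An added example, not part of the standard and not any vendor's implementation, of the response-side filter that the test above exercises, together with a driver that replays constructed WEB server responses and reports which were blocked and by which rule. It combines the keyword filter with the custom error page of 4.2.1.3.1 and shows a check worth adding to the test: the firewall must match on the decoded body, so a keyword inside a gzip-compressed response is still caught. Class and function names, the rule format, the error page text and the sample responses are this example's assumptions.

```python
# Added example, not from GB/T 32917-2016: keyword filtering of WEB server
# responses, replacing a matching page with the customized error page
# (4.2.1.3.1). Names, rule format and sample data are assumptions of this example.
import gzip
import re

DEFAULT_ERROR_PAGE = b"<html><body><h1>Request blocked by security policy</h1></body></html>"


class ResponseContentFilter:
    """Blocks responses whose body contains a configured keyword."""

    def __init__(self, rules, error_page=DEFAULT_ERROR_PAGE):
        # rules: {rule_name: keyword}, as the management host would configure them.
        self.rules = {name: re.compile(re.escape(keyword), re.IGNORECASE)
                      for name, keyword in rules.items()}
        self.error_page = error_page

    @staticmethod
    def _body_text(headers, body):
        """Undo gzip and the declared charset before matching, so a keyword in a
        compressed or non-UTF-8 page cannot slip past a byte-level search."""
        if headers.get("Content-Encoding", "").lower() == "gzip":
            body = gzip.decompress(body)
        match = re.search(r"charset=([\w.-]+)", headers.get("Content-Type", ""), re.IGNORECASE)
        charset = match.group(1) if match else "utf-8"
        try:
            return body.decode(charset, errors="replace")
        except LookupError:  # unknown charset label: still filter, just assume UTF-8
            return body.decode("utf-8", errors="replace")

    def filter(self, status, headers, body):
        """Return (status, headers, body, matched_rule); matched_rule is None when passed."""
        text = self._body_text(headers, body)
        for name, pattern in self.rules.items():
            if pattern.search(text):
                page_headers = {
                    "Content-Type": "text/html; charset=utf-8",
                    "Content-Length": str(len(self.error_page)),
                }  # the original Content-Encoding is dropped: the error page is not compressed
                return 403, page_headers, self.error_page, name
        return status, headers, body, None


def run_content_filter_test(waf, responses):
    """Replay the responses a test WEB server would return; per URL, record whether
    the firewall blocked the page, which rule matched, and whether original content leaked."""
    results = {}
    for url, (status, headers, body) in responses.items():
        out_status, _, out_body, rule = waf.filter(status, headers, body)
        results[url] = {
            "blocked": rule is not None,
            "rule": rule,
            "status": out_status,
            "leaked": rule is not None and out_body != waf.error_page,
        }
    return results


# Constructed sample responses for this example.
SAMPLE_RESPONSES = {
    "/about": (200, {"Content-Type": "text/html; charset=utf-8"}, b"<html>Welcome</html>"),
    "/report": (200, {"Content-Type": "text/html; charset=utf-8"},
                b"<html>Internal - CONFIDENTIAL - do not distribute</html>"),
    "/report.gz": (200, {"Content-Type": "text/html; charset=utf-8", "Content-Encoding": "gzip"},
                   gzip.compress(b"<html>confidential report, compressed</html>")),
}

if __name__ == "__main__":
    waf = ResponseContentFilter({"KW-001": "confidential"})
    for url, outcome in run_content_filter_test(waf, SAMPLE_RESPONSES).items():
        print(url, outcome)
```

The `leaked` flag is the evaluator's second question after "was it blocked?": a product that returns a 403 status but still streams part of the original body before the error page has not blocked the page within the meaning of the requirement.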
5.2.1.2 Security protection function
5.2.1.2.1 WEB application protection function
The test evaluation methods and results of WEB application protection function are as follows.
a) Test evaluation method.
1) From the management host, enable the WEB application protection function of the WEB application firewall and configure the corresponding application protection rules;
2) From the test terminal, launch attacks against well-known vulnerabilities in mainstream WEB server software (such as Apache, IIS, etc.) and check whether they are blocked;
3) From the test terminal, launch attacks against well-known vulnerabilities in mainstream WEB application development languages (such as PHP, ASP, JavaScript, etc.) and check whether they are blocked.
b) Test evaluation results.
Record the test results and make a judgment on whether the results fully meet the corresponding security technical requirements.
5.2.1.2.2 WEB attack protection function
The test evaluation methods and results of the WEB attack protection function are as follows.
a) Test evaluation method.
1) The inspector attempts to log in to the product under test for management and checks whether identity authentication is prompted;
2) Enter the correct username and corresponding password, to try to log in;
3) Enter the correct username and wrong password, to try to log in;
4) Enter the wrong username, to try to log in.
b) Test evaluation results.
Record the test results and make a judgment on whether the results fully meet the corresponding security technical requirements.
5.2.2.1.3 Authentication data protection
The test evaluation method and results for authentication data protection are as follows.
a) Test evaluation method:
1) Log in to the product under test as an authorized administrator and as an unauthorized administrator in turn, and attempt to modify the passwords of other administrators;
2) Following the documentation provided by the developer, open the file or database table in which the authentication data is stored; verify whether access to the authentication data requires authorization, and check whether the authentication data is stored in encrypted (non-plaintext) form.
b) Test evaluation results.
Record the test results and make a judgment on whether the results fully meet the corresponding security technical requirements.
5.2.2.1.4 Authentication failure handling
The test evaluation method and results for authentication failure handling are as follows.
a) Test evaluation method:
1) Set the maximum number of failed login attempts (a fixed count is also acceptable);
2) Simulate repeated administrator login failures until the test

b) Test evaluation results:
Record the test results and make a judgment on whether the results fully meet the corresponding security technical requirements.
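An added example, not part of the standard and not any vendor's product, of an administrator authenticator meeting 4.1.2.1.1 to 4.1.2.1.4 at the basic level, together with a driver for the 5.2.2.1.4 procedure: set the limit, repeat failed logins until it is reached, and confirm that the session was terminated and that further attempts on that session are refused. Only salted PBKDF2 hashes are stored, which is what the 5.2.2.1.3 inspection of the authentication data store is looking for. The class and function names, the lockout threshold and the PBKDF2 parameters are this example's assumptions; the standard only requires a configurable maximum.

```python
# Added example, not from GB/T 32917-2016: administrator identification and
# authentication (4.1.2.1) with session termination on the failure limit, and a
# driver for the 5.2.2.1.4 test. Names, threshold and PBKDF2 parameters are
# assumptions of this example.
import hashlib
import hmac
import os
import uuid

PBKDF2_ITERATIONS = 100_000  # assumption of this example


class AdminAuthenticator:
    """Unique identity per administrator (4.1.2.1.1), no management before
    authentication (4.1.2.1.2), only salted hashes stored (4.1.2.1.3), session
    terminated when the failure limit is reached (4.1.2.1.4 a)."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self._creds = {}     # username -> (salt, derived key); never the password itself
        self._ids = {}       # username -> unique administrator identity
        self._sessions = {}  # session id -> {"failures": int, "user": username or None}
        self.audit = []      # (event, administrator identity, detail) per auditable event

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def add_admin(self, username, password):
        if username in self._creds:
            raise ValueError("administrator identity must be unique")
        salt = os.urandom(16)
        self._creds[username] = (salt, self._derive(password, salt))
        self._ids[username] = str(uuid.uuid4())

    def open_session(self):
        sid = os.urandom(8).hex()
        self._sessions[sid] = {"failures": 0, "user": None}
        return sid

    def login(self, sid, username, password):
        """Return 'ok', 'denied', or 'terminated' once the failure limit is reached."""
        session = self._sessions.get(sid)
        if session is None:
            return "terminated"  # session no longer exists; nothing more is accepted on it
        salt, stored = self._creds.get(username, (bytes(16), b""))
        candidate = self._derive(password, salt)  # same cost whether or not the user exists
        if stored and hmac.compare_digest(candidate, stored):
            session["user"] = username
            session["failures"] = 0
            self.audit.append(("login_success", self._ids[username], username))
            return "ok"
        session["failures"] += 1
        self.audit.append(("login_failure", self._ids.get(username, "-"), username))
        if session["failures"] >= self.max_failures:
            del self._sessions[sid]  # 4.1.2.1.4 a): terminate the session
            self.audit.append(("session_terminated", "-", sid))
            return "terminated"
        return "denied"

    def may_manage(self, sid):
        """4.1.2.1.2: security-function operations only from an authenticated session."""
        session = self._sessions.get(sid)
        return session is not None and session["user"] is not None


def run_failure_handling_test(auth, username, wrong_password="not-the-password"):
    """5.2.2.1.4 steps: the limit is already set on `auth`; fail repeatedly until it is
    reached, then check the session was terminated and stays refused afterwards."""
    sid = auth.open_session()
    outcomes = [auth.login(sid, username, wrong_password) for _ in range(auth.max_failures)]
    return {
        "outcomes": outcomes,
        "terminated_at_limit": outcomes[-1] == "terminated",
        "refused_afterwards": auth.login(sid, username, wrong_password) == "terminated",
    }


if __name__ == "__main__":
    auth = AdminAuthenticator(max_failures=3)
    auth.add_admin("admin", "correct horse")  # constructed credential for this example
    print(run_failure_handling_test(auth, "admin"))
    print(auth.audit)
```

Two details matter for the test: the counter lives in the session, so the evaluator's "until the limit is reached" step produces `denied` exactly limit minus one times and then `terminated`, and the audit list shows every failure carrying the administrator's unique identity, which is the 4.1.2.1.1 association the 5.2.2.2 audit checks look for.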
5.2.2.2.3 Understandable format
The test evaluation method and results for the understandable-format requirement are as follows.
a) Test evaluation method:
The inspector examines the product's audit data in the permanent audit record and checks whether the audit data is understandable.
b) Test evaluation results.
Record the test results and make a judgment on whether the results fully meet the corresp...
