GB/T 37956-2019: Information security technology -- Technology requirement for website security cloud protection platform
GB/T 37956-2019
NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Technology requirement for website security cloud protection platform
ISSUED ON: AUGUST 30, 2019
IMPLEMENTED ON: MARCH 01, 2020
Issued by: State Administration for Market Regulation; Standardization Administration of the People’s Republic of China.
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview
6 Platform function requirements
6.1 Website security protection
6.2 Website compliance check
6.3 Resource management
6.4 Policy management
6.5 Statistical analysis
6.6 System expansion
7 Platform security requirements
7.1 System and communication protection
7.2 Access control
7.3 Configuration management
7.4 Security incident handling
7.5 Platform disaster recovery backup
7.6 User data protection
7.7 Audit
References
Foreword
This Standard was drafted in accordance with the rules given in GB/T 1.1-2009. Please note that some of the contents of this document may involve patents. The issuing organization of this document is not responsible for identifying these patents.
This Standard shall be under the jurisdiction of National Information Security Standardization Technical Committee (SAC/TC 260).
The drafting organizations of this Standard: China Industrial Control Systems Cyber Emergency Response Team, Beijing Kownsec Information Technology Co., Ltd., Third Research Institute of the Ministry of Public Security of PRC, China Information Security Research Institute Co., Ltd., Legendsec Information Technology (Beijing) Inc., Alibaba Cloud Computing Co. Ltd., Hangzhou DBAPPSecurity Co., Ltd., Sangfor Technologies Inc.
The drafters of this Standard: Zhang Ge, Yu Meng, Zhang Zheyu, Zhao Guangming, Song Haohao, Yin Libo, He Xiaolong, Liu Ying, Zuo Xiaodong, Gu Jian, Yang Chen, Wang Pengtao, Wang Xiaoqing, Zhou Jun, Song Zhiming, Chen Xuexiu, Li Hongpei, Wu Yanyan, Tang Wang, Jiang Hao, Liu Wensheng, Xiao Junfang, Li Jun, Guo Xian, Zhao Wei, Zhou Xin, Liu Bozhong, Chen Yan, Lu Zhen, Mao Runhua, Zhang Chi.
Information security technology - Technology requirement for website security cloud protection platform
1 Scope
This Standard specifies the technical requirements of the website security cloud protection platform, including platform functional requirements and platform security requirements.
This Standard is applicable to the development, operation, and use of website security cloud protection platforms, and provides a reference for government departments, enterprises, public organizations, and other organizations or individuals to purchase website security cloud protection platforms.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 25069-2010, Information security technology - Glossary
GB/T 31167-2014, Information security technology - Security guide of cloud computing services
GB/T 31168-2014, Information security technology - Security capability requirements of cloud computing services
GB/T 32917-2016, Information security technology - Security technique requirements and testing and evaluation approaches for WEB application firewall
3 Terms and definitions
Terms and definitions determined by GB/T 25069-2010 and the following ones are applicable to this document.
3.1 Website security cloud protection platform
The collection of security protection nodes that provides website security protection by the cloud service model, and uses centralized management and control, collaborative defense, and other methods to update protection policies and rules in a timely manner, and to detect, analyze, and filter the website access requests and responses.
3.2 Website security protection cloud platform providers
Organizations or institutions which are responsible for establishing and operating the infrastructure, network topology, and protection function components that are related to the website security cloud protection platform, and perform security protection and ensure website security on this platform.
3.3 Website security cloud protection platform users
Organizations or individuals that use the website security cloud protection platform.
3.4 Platform users' website data
Website-related data of website security cloud protection platform users.
Note: It includes website information, original access traffic, access logs, operation logs, attack logs, etc.
3.5 Website operators
Organizations or individuals that are responsible for the later operation, maintenance and management of the website.
4 Abbreviations
The following abbreviations apply to this document.
ACK: Acknowledgement
API: Application programming interface
CC: Challenge Collapsar
DNS: Domain Name System
HTTP: Hyper Text Transfer Protocol
ICMP: Internet Control Message Protocol
IP: Internet Protocol
SYN: Synchronous
TCP: Transport Control Protocol
UDP: User Datagram Protocol
URL: Uniform Resource Locator
WEB: World Wide Web
5 Overview
The website security cloud protection platform is composed of interconnected and uniformly-dispatched security protection nodes. Through the cloud service model, the platform centrally and quickly deploys and updates protection policies, filters and cleans malicious requests on websites, and improves the ability of website security protection.
The technical requirements of the website security cloud protection platform are divided into two aspects: platform functional requirements and platform security requirements. The functional requirements include website security protection, website compliance checking, resource management, and policy management; the security requirements include system and communication protection, access control, configuration management, security incident handling, and platform disaster recovery backup.
According to the sensitivity of the business and information that are carried by the protected website, the technical requirements of the website security cloud protection platform are divided into general requirements and enhanced requirements. The general requirements are the basic functions and security requirements that a website security cloud protection platform shall have in developing a website security protection business. The enhanced requirements are supplements and enhancements to the general requirements. Website security cloud protection platform users can choose the website security cloud protection platform of corresponding security requirements according to the sensitivity of their own business type and the carried information. 6.3 and 6.4 of GB/T 31167-2014 give corresponding methods to determine the sensitivity of the business type and the carried information.
6 Platform function requirements
6.1 Website security protection
6.1.1 WEB attack defense
6.1.1.1 General requirements
It shall support the identification of WEB attack types and block direct or indirect attacks, including:
a) security protection functions that are required by 4.1.1.2.2 in GB/T 32917-2016;
b) brute-force protection;
c) Webshell identification and interception;
d) directory traversal protection;
e) Cookie injection attack protection;
f) malicious code execution protection.
6.1.1.2 Enhanced requirements
It shall have other WEB attack protection functions.
6.1.2 DDoS attack defense
6.1.2.1 General requirements
It shall support DDoS cleaning, and have the functions to prevent denial of service attacks such as SYN Flood, ACK Flood, ICMP Flood, UDP Flood, HTTP Flood, DNS Flood, and CC attack.
6.1.2.2 Enhanced requirements
None.
6.1.3 Protection policy configuration
6.1.3.1 General requirements
It shall meet the following requirements:
a) provide default security protection policies;
b) provide strategy models, such as detection and protection;
c) support platform users to configure and select protection policies.
6.1.3.2 Enhanced requirements
It shall support platform users to review blocked access requests and corresponding protection policies, and to report false negatives and false positives.
6.1.4 Cooperative defense
6.1.4.1 General requirements
It shall meet the following requirements:
a) Support the identification of attacks by common domain names, IP addresses, and other information; record and analyze attacker behaviors; block malicious attacker IP addresses and the like across the entire cloud protection scope;
b) For the malicious attack of IP addresses and other information that are provided by trusted third parties, it shall support identification, analysis and block within the entire cloud protection scope.
6.1.4.2 Enhanced requirements
None.
6.1.5 Content security
6.1.5.1 Sensitive information filtration
6.1.5.1.1 General requirements
It shall support custom sensitive words, and filter the sensitive words in the text content of the website.
6.1.5.1.2 Enhanced requirements
It can support the filtration of contents such as pictures involving sensitive information.
6.1.5.2 Error page handling
6.1.5.2.1 General requirements
It shall meet the following requirements:
a) Support the customization of the error page that is returned by the website server; the error message cannot leak the content that is related to the security of the website;
b) Support showing error messages to authorized personnel only.
6.1.5.2.2 Enhanced requirements
None.
6.1.5.3 Tamper response
6.1.5.3.1 General requirements
It shall support the function of providing a platform user-designated untampered page mirror within a predefined time and alerting when an abnormality is found.
6.1.5.3.2 Enhanced requirements
It shall support automatic monitoring to detect page tampering within a predefined time.
6.1.6 Website monitoring
6.1.6.1 General requirements
It shall meet the following requirements:
a) It shall support website availability monitoring;
b) It shall monitor and record the situation where the website is attacked, including attack type and attack time, and alert the platform users when abnormalities are found.
6.1.6.2 Enhanced requirements
None.
6.1.7 Website access control
6.1.7.1 General requirements
It shall meet the following requirements:
a) support the setting of IP address whitelist or website URL whitelist to reserve access channels for website visitors;
b) support the setting of IP address blacklist to block visitors who are included in the IP address blacklist;
c) support the implementation of access control of any access request to the website within a predefined time period, set to block/pass;
d) support setting access requests for predefined URL pages to block/pass;
e) a combination of the above access control policies.
6.1.7.2 Enhanced requirements
None.
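As an added example (not part of the standard's text), the following Python evaluator combines the five access-control items of 6.1.7.1 into one decision function; the rule precedence, the field names, and the sample policy and requests are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Tuple

@dataclass
class AccessPolicy:
    """One platform user's access-control policy, covering items a) to e) of 6.1.7.1."""
    ip_whitelist: List[str] = field(default_factory=list)    # a) networks always admitted
    url_whitelist: List[str] = field(default_factory=list)   # a) URL prefixes always admitted
    ip_blacklist: List[str] = field(default_factory=list)    # b) networks always blocked
    time_rules: List[Tuple[time, time, str]] = field(default_factory=list)  # c) (start, end, action)
    url_rules: List[Tuple[str, str]] = field(default_factory=list)          # d) (URL prefix, action)

def _in_any(addr: str, networks: List[str]) -> bool:
    ip = ip_address(addr)
    return any(ip in ip_network(n, strict=False) for n in networks)

def _in_window(now: time, start: time, end: time) -> bool:
    # A window whose end is before its start wraps past midnight (e.g. 22:00-06:00).
    if start <= end:
        return start <= now < end
    return now >= start or now < end

def decide(policy: AccessPolicy, src_ip: str, url: str, when: datetime) -> Tuple[str, str]:
    """Return (action, reason) for one request. Precedence is this example's assumption, not
    fixed by the standard: IP whitelist, IP blacklist, URL whitelist, time windows, URL rules."""
    if _in_any(src_ip, policy.ip_whitelist):
        return "pass", "ip whitelist"
    if _in_any(src_ip, policy.ip_blacklist):
        return "block", "ip blacklist"
    if any(url.startswith(p) for p in policy.url_whitelist):
        return "pass", "url whitelist"
    now = when.time()
    for start, end, action in policy.time_rules:
        if _in_window(now, start, end):
            return action, "time window %s-%s" % (start.isoformat("minutes"), end.isoformat("minutes"))
    for prefix, action in policy.url_rules:
        if url.startswith(prefix):
            return action, "url rule " + prefix
    return "pass", "default"

SAMPLE_POLICY = AccessPolicy(  # constructed sample; documentation ranges, not real addresses
    ip_whitelist=["10.0.0.0/8"], url_whitelist=["/status"], ip_blacklist=["203.0.113.0/24"],
    time_rules=[(time(22, 0), time(6, 0), "block")], url_rules=[("/admin", "block")])
SAMPLE_REQUESTS = [
    ("10.1.2.3",     "/admin",      datetime(2020, 3, 1, 23, 0)),  # whitelisted IP wins
    ("203.0.113.7",  "/status",     datetime(2020, 3, 1, 12, 0)),  # blacklisted IP loses
    ("198.51.100.5", "/status",     datetime(2020, 3, 1, 23, 0)),  # reserved URL at night
    ("198.51.100.5", "/index.html", datetime(2020, 3, 1, 23, 0)),  # hit by the night window
    ("198.51.100.5", "/admin",      datetime(2020, 3, 1, 12, 0)),  # URL rule
    ("198.51.100.5", "/index.html", datetime(2020, 3, 1, 12, 0)),  # nothing matches
]

def evaluate_sample() -> List[Tuple[str, str]]:
    return [decide(SAMPLE_POLICY, ip, url, when) for ip, url, when in SAMPLE_REQUESTS]
```

Because whitelist entries are checked first, a whitelisted address bypasses every later rule, which is exactly the reason such entries deserve periodic review.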
6.2 Website compliance check
6.2.1 General requirements
It shall support compliance checks before accessing the website, and refuse non-compliant access such as undocumented sites.
6.2.2 Enhanced requirements
It shall support regular review of the compliance of accessed websites.
6.3 Resource management
6.3.1 Resource operation monitoring
6.3.1.1 General requirements
It shall meet the following requirements:
a) Support unified monitoring of software and hardware platform resources such as DNS, bandwidth, and protection nodes that support the platform's operation;
b) Support unified detection of resource usage such as network bandwidth, traffic processing delay, host system load, and site access success rate of the protection node/host;
c) Support timely detection of abnormal use of resources and alarm;
d) Support regular analysis of resource usage and platform bearing business volume; assess current business, platform user capacity expansion and new user access needs; generate analysis reports;
e) It shall provide query, statistics and report output functions for resource usage records.
6.3.1.2 Enhanced requirements
None.
6.3.2 Centralized management and control of resources
6.3.2.1 General requirements
It shall meet the following requirements:
a) Support the centralized deployment of platform resources such as DNS, bandwidth, and protection nodes that support the platform's operation;
b) Support the deployment of website access traffic via DNS in the WAN or the protection node according to the analysis results of the protection node/host resource usage;
c) Support centralized analysis and maintenance of website and user configuration information, platform log information and other resources;
d) Support the centralized deployment of platform resources under uninterrupted service.
6.3.2.2 Enhanced requirements
None.
6.4 Policy management
6.4.1 Centralized policy management and control
6.4.1.1 General requirements
It shall meet the requirements of centralized maintenance and management of website protection policies, and support centralized addition, modification, and deactivation of policy configuration.
6.4.1.2 Enhanced requirements
None.
6.4.2 Policy optimization update
6.4.2.1 General requirements
It shall meet the following requirements:
a) Support timely optimization of website security protection policies;
b) Support the timely tracking, discovery and response to unknown attack methods and web security vulnerabilities;
c) Support timely addition of corresponding security protection rules or update of security protection policies after WEB security vulnerability notification.
6.4.2.2 Enhanced requirements
None.
6.5 Statistical analysis
6.5.1 General requirements
It shall meet the following requirements:
a) Support statistical analysis of alarm logs in a certain period of time;
b) Support statistical analysis of the number of events of different attack types;
c) Support statistical analysis of attack geographic areas;
d) Support statistical analysis of attack source IP;
e) The visual chart of the above data statistics, which supports display in time dimensions such as day, week and custom time.
6.5.2 Enhanced requirements
None.
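As an added example (not part of the standard), the following Python code computes the 6.5.1 statistics over a constructed CSV alarm export; the column names and the sample records are assumptions of this example.

```python
import csv
from collections import Counter
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, List, Tuple

# Constructed sample alarm log (not from any real platform). Each record carries the
# fields 6.5.1 counts over: time, attacked site, attack type, source IP and the
# geographic area the platform resolved that IP to.
SAMPLE_ALARM_LOG = """\
time,site,attack_type,src_ip,geo
2020-03-01T08:12:03,www.example.test,sql_injection,198.51.100.23,Region-A
2020-03-01T08:12:09,www.example.test,sql_injection,198.51.100.23,Region-A
2020-03-01T09:40:51,www.example.test,webshell_upload,203.0.113.9,Region-B
2020-03-02T02:15:00,shop.example.test,cc_attack,203.0.113.9,Region-B
2020-03-02T02:15:01,shop.example.test,cc_attack,203.0.113.10,Region-B
2020-03-09T17:03:44,www.example.test,directory_traversal,192.0.2.77,Region-C
"""

def parse_alarms(text: str) -> List[dict]:
    """Parse the CSV alarm export into records with a real datetime in 'time'."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["time"] = datetime.fromisoformat(row["time"])
    return rows

def in_period(alarms: List[dict], start: datetime, end: datetime) -> List[dict]:
    """a) restrict the statistics to one period: start inclusive, end exclusive."""
    return [a for a in alarms if start <= a["time"] < end]

def count_by(alarms: List[dict], key: str) -> Dict[str, int]:
    """b), c), d): event counts per attack_type, geo area or src_ip."""
    return dict(Counter(a[key] for a in alarms))

def bucket_by(alarms: List[dict], granularity: str) -> Dict[str, int]:
    """e) time-dimension buckets for the chart: 'day', or 'week' keyed by its Monday."""
    out: Counter = Counter()
    for a in alarms:
        day = a["time"].date()
        if granularity == "day":
            label = day.isoformat()
        elif granularity == "week":
            label = "week of " + (day - timedelta(days=day.weekday())).isoformat()
        else:
            raise ValueError("granularity must be 'day' or 'week'")
        out[label] += 1
    return dict(out)

def top_sources(alarms: List[dict], n: int = 3) -> List[Tuple[str, int]]:
    """d) the busiest source IPs, the list an analyst reviews before any 6.1.4 blocking."""
    return Counter(a["src_ip"] for a in alarms).most_common(n)
```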
6.6 System expansion
6.6.1 General requirements
None.
6.6.2 Enhanced requirements
It shall support the provision of various API interfaces to external systems, including log interfaces, security policy interfaces, report interfaces, etc.
7 Platform security requirements
7.1 System and communication protection
7.1.1 General requirements
It shall meet the general requirements of 6.2.1, 6.6.1 and 6.11.1 in GB/T 31168-2014.
7.1.2 Enhanced requirements
It shall meet the enhanced requirements of 6.2.2 [except a), g)], 6.3.2 and 6.11.2 in GB/T 31168-2014.
7.2 Access control
7.2.1 General requirements
It shall meet the general requirements of 7.2.1, 7.4.1, 7.5.1, 7.6.1, 7.7.1, 7.8.1, 7.9.1, 7.11.1, 7.12.1 and 7.13.1 in GB/T 31168-2014.
7.2.2 Enhanced requirements
It shall meet the enhanced requirements of 7.2.2, 7.3.2, 7.8.2 and 7.11.2 in GB/T 31168-2014.
7.3 Configuration management
7.3.1 General requirements
It shall meet the general requirements of 8.3.1, 8.4.1 and 8.6.1 in GB/T 31168-2014.
7.3.2 Enhanced requirements
It shall meet the enhanced requirements of 8.3.2, 8.4.2 and 8.6.2 in GB/T 31168-2014.
7.4 Security incident handling
7.4.1 General requirements
It shall meet the following requirements:
a) Support timely release of risk alerts and early warnings of security incidents that affect the platform itself and platform users;
b) Support the rapid implementation of emergency response after major and above security incidents;
c) Support the recording of the process and results of security incident disposal and timely generation of disposal reports.
7.4.2 Enhanced requirements
None.
7.5 Platform disaster recovery backup
7.5.1 General requirements
It shall meet the following requirements:
a) Establish a backup communication service. When the main communication service is unavailable, ensure that platform users access the platform through the backup communication service within the time period that meets business needs;
b) Support platform data-level disaster recovery;
c) Support the recording of disaster backup and recovery processes;
d) Support disaster recovery speed/time in accordance with the contract or service level agreement.
7.5.2 Enhanced requirements
It shall meet the following requirements:
a) Support application-level disaster recovery;
b) Support disaster recovery in different places.
7.6 User data protection
7.6.1 General requirements
The platform users' website data shall meet the following requirements:
a) It is clear that the user's website data belongs to the user and is not provided to any third party;
b) Support user data isolation; platform users can only access their own security protection resources;
c) Support the retention of user data within the scope that is permitted by laws and regulations; support the user-defined storage period of the platform;
d) When using platform users' website data (including data derivatives), user authorization shall be obtained in advance, and the data can only be used for processes such as vulnerability analysis and attack data mining which improve the platform's security protection capabilities;
e) Support the handover of platform users' website data when they exit the platform service, and destroy all their website data.
7.6.2 Enhanced requirements
None.
7.7 Audit
7.7.1 General requirements
It shall meet the general requirements of 11.1.1, 11.2.1, 11.3.1, 11.7.1 and 11.11.1 in GB/T 31168-2014.
7.7.2 Enhanced requirements
It shall meet the enhanced requirements of 11.2.2, 11.3.2, and 11.7.2 in GB/T 31168-2014.