1 Scope
This standard specifies the detailed technical requirements for the security level protection devision of Virtual Private Network (VPN) in GB 17859-1999.
This standard is applicable to the design and implementation of VPN according to the requirements of security level protection in GB 17859-1999. The requirements for the security level protection may also be referred to and applied for the test and management of VPN.
2 Normative References
The following normative documents contain provisions which, through reference in this text, constitute provisions of this standard. For dated references, subsequent amendments (excluding amending errors in the text) to, or revisions of, any of these publications do not apply. However, all parties coming to an agreement according to this standard are encouraged to study whether the latest editions of these documents are applicable. For undated references, the latest edition of the normative documents referred to applies.
Contents
Foreword I
Introduction II
1 Scope
2 Normative References
3 Terms, Definitions and Abbreviations
3.1 Terms and Definitions
3.2 Aacronyms
4 General Description of VPN
4.1 Overview
4.2 Secure Environment
4.2.1 Security Threat
4.2.2 Security Application Assumption
5 Technical Requirements of Security Function
5.1 Identification and Authentication
5.1.1 User Identification
5.1.2 User Authentication
5.1.3 Authentication Failure Handling
5.1.4 User Subject Binding
5.2 Security Audit
5.2.1 Response of Security Audit
5.2.2 Generation of Security Audit Data
5.2.3 Security Audit Analysis
5.2.4 Security Audit Consult
5.2.5 Storage of Security Audit Event
5.2.6 Security Audit and Evaluation of Network Environment
5.3 Non-repudiation of Communication
5.3.1 Non-repudiation of Origin
5.3.2 Non-repudiation of Receipt
5.4 Label
5.5 Discretionary Access Control
5.6 Mandatory Access Control
5.7 Storage pPotection of User Data
5.8 Protection of User Data Transmission
5.8.1 Protection of User Data Transmission in VPN
5.8.2 Protection of Data Output from VPN to Public Network
5.8.3 Protection of Data Input from Public Network to VPN
5.9 Protection of User Data Integrity
5.9.1 Integrity of Stored Data
5.9.2 Integrity of Transmit Data
5.9.3 Integrity of Processing Data
5.10 Residual Information Protection
5.11 Convert Channel Analysis
5.11.1 Normal Covert Channel Analysis
5.11.2 Systematized Covert Channel Analysis
5.11.3 Complete Covert Channel Analysis
5.12 Trusted Path
5.13 Password Support
6 Technical Requirements on Security Assurance
6.1 Self Security Protection of VPN Security Function
6.1.1 Security Run Test
6.1.2 Failure Protection
6.1.3 Availability of VPN Security Function Data Output
6.1.4 Confidentiality of VPN Security Function Data Output
6.1.5 Integrity of VPN Security Function Data Output
6.1.6 Transmission of VPN Security Function Data in VPN
6.1.7 Physical Security Protection
6.1.8 Trusted Recovery
6.1.9 Replay Detection
6.1.10 Reference Arbitration
6.1.11 Domain Splitting
6.1.12 Status Synchronization Protocol
6.1.13 Time Stamp
6.1.15 Security Function Detection
6.1.16 Employment of Resource
6.1.17 Access Control of TCB of VPN
6.1.18 Trusted Path / (Signal) Channel
6.2 Design And Realization of VPN
6.2.1 Configuration Management
6.2.2 Distribution and Operation
6.2.3 Development
6.2.4 Instructive Document
6.2.5 Life Cycle Support
6.2.6 Test
6.2.7 Vulnerability Evaluation
6.3 Security Management of Trusted Computing Base (TCB) of VPN
6.3.1 Function Management
6.3.2 Management of Security Attribute
6.3.3 Management of TCB Security Function Data of VPN
6.3.4 Security Role Management
6.3.5 Time Limit Authorization
6.3.6 Revocation
7 Classification Requirements of VPN Security Protection
7.1 Level 1: User Discretionary Protection Level
7.1.1 Technical requirements of security function
7.1.2 Technical Requirements of Security Assurance
7.2 Level 2: System Audit Protection Level
7.2.1 Technical Requirements of Security Function
7.2.2 Technical Requirements of Security Assurance
7.3 Level 3: Security Label Protection Level
7.3.1 Technical Requirements of Security Function
7.3.2 Technical Requirements of Security Assurance
7.4 Level 4: Structurization Protection Level
7.4.1 Technical Requirements of Security Function
7.4.2 Technical Requirements of Security Assurance
7.5 Level 5: Access Verification Protection Level
7.5.1 Technical Requirements of Security Function
7.5.2 Technical Requirements of Security Assurance
Appendix A (Informative) Explanation of Standard Concept
A.1 Composition and Interrelationship
A.2 Classification of VPN Security Level
A.3 Subject and Object in VPN
A.4 TCB, Security Function and Security Function Policy in VPN
A.5 Cryptographic Technique
References
Standard
GA/T 686-2007 Information security technology - Technical requirements of virtual private network security (English Version)
Standard No.
GA/T 686-2007
Status
superseded
Language
English
File Format
PDF
Word Count
21000 words
Price(USD)
520.0
Implemented on
2007-5-1
Delivery
via email in 1 business day
Detail of GA/T 686-2007
Standard No.
GA/T 686-2007
English Name
Information security technology - Technical requirements of virtual private network security
GA/T 686-2007, GA 686-2007, GAT 686-2007, GA/T686-2007, GA/T 686, GA/T686, GA686-2007, GA 686, GA686, GAT686-2007, GAT 686, GAT686
Introduction of GA/T 686-2007
1 Scope
This standard specifies the detailed technical requirements for the security level protection devision of Virtual Private Network (VPN) in GB 17859-1999.
This standard is applicable to the design and implementation of VPN according to the requirements of security level protection in GB 17859-1999. The requirements for the security level protection may also be referred to and applied for the test and management of VPN.
2 Normative References
The following normative documents contain provisions which, through reference in this text, constitute provisions of this standard. For dated references, subsequent amendments (excluding amending errors in the text) to, or revisions of, any of these publications do not apply. However, all parties coming to an agreement according to this standard are encouraged to study whether the latest editions of these documents are applicable. For undated references, the latest edition of the normative documents referred to applies.
Contents of GA/T 686-2007
Contents
Foreword I
Introduction II
1 Scope
2 Normative References
3 Terms, Definitions and Abbreviations
3.1 Terms and Definitions
3.2 Aacronyms
4 General Description of VPN
4.1 Overview
4.2 Secure Environment
4.2.1 Security Threat
4.2.2 Security Application Assumption
5 Technical Requirements of Security Function
5.1 Identification and Authentication
5.1.1 User Identification
5.1.2 User Authentication
5.1.3 Authentication Failure Handling
5.1.4 User Subject Binding
5.2 Security Audit
5.2.1 Response of Security Audit
5.2.2 Generation of Security Audit Data
5.2.3 Security Audit Analysis
5.2.4 Security Audit Consult
5.2.5 Storage of Security Audit Event
5.2.6 Security Audit and Evaluation of Network Environment
5.3 Non-repudiation of Communication
5.3.1 Non-repudiation of Origin
5.3.2 Non-repudiation of Receipt
5.4 Label
5.5 Discretionary Access Control
5.6 Mandatory Access Control
5.7 Storage pPotection of User Data
5.8 Protection of User Data Transmission
5.8.1 Protection of User Data Transmission in VPN
5.8.2 Protection of Data Output from VPN to Public Network
5.8.3 Protection of Data Input from Public Network to VPN
5.9 Protection of User Data Integrity
5.9.1 Integrity of Stored Data
5.9.2 Integrity of Transmit Data
5.9.3 Integrity of Processing Data
5.10 Residual Information Protection
5.11 Convert Channel Analysis
5.11.1 Normal Covert Channel Analysis
5.11.2 Systematized Covert Channel Analysis
5.11.3 Complete Covert Channel Analysis
5.12 Trusted Path
5.13 Password Support
6 Technical Requirements on Security Assurance
6.1 Self Security Protection of VPN Security Function
6.1.1 Security Run Test
6.1.2 Failure Protection
6.1.3 Availability of VPN Security Function Data Output
6.1.4 Confidentiality of VPN Security Function Data Output
6.1.5 Integrity of VPN Security Function Data Output
6.1.6 Transmission of VPN Security Function Data in VPN
6.1.7 Physical Security Protection
6.1.8 Trusted Recovery
6.1.9 Replay Detection
6.1.10 Reference Arbitration
6.1.11 Domain Splitting
6.1.12 Status Synchronization Protocol
6.1.13 Time Stamp
6.1.15 Security Function Detection
6.1.16 Employment of Resource
6.1.17 Access Control of TCB of VPN
6.1.18 Trusted Path / (Signal) Channel
6.2 Design And Realization of VPN
6.2.1 Configuration Management
6.2.2 Distribution and Operation
6.2.3 Development
6.2.4 Instructive Document
6.2.5 Life Cycle Support
6.2.6 Test
6.2.7 Vulnerability Evaluation
6.3 Security Management of Trusted Computing Base (TCB) of VPN
6.3.1 Function Management
6.3.2 Management of Security Attribute
6.3.3 Management of TCB Security Function Data of VPN
6.3.4 Security Role Management
6.3.5 Time Limit Authorization
6.3.6 Revocation
7 Classification Requirements of VPN Security Protection
7.1 Level 1: User Discretionary Protection Level
7.1.1 Technical requirements of security function
7.1.2 Technical Requirements of Security Assurance
7.2 Level 2: System Audit Protection Level
7.2.1 Technical Requirements of Security Function
7.2.2 Technical Requirements of Security Assurance
7.3 Level 3: Security Label Protection Level
7.3.1 Technical Requirements of Security Function
7.3.2 Technical Requirements of Security Assurance
7.4 Level 4: Structurization Protection Level
7.4.1 Technical Requirements of Security Function
7.4.2 Technical Requirements of Security Assurance
7.5 Level 5: Access Verification Protection Level
7.5.1 Technical Requirements of Security Function
7.5.2 Technical Requirements of Security Assurance
Appendix A (Informative) Explanation of Standard Concept
A.1 Composition and Interrelationship
A.2 Classification of VPN Security Level
A.3 Subject and Object in VPN
A.4 TCB, Security Function and Security Function Policy in VPN
A.5 Cryptographic Technique
References
