1 Scope
This standard specifies the basic security technical requirements for network systems at each security grade, according to the division into five security protection grades in GB 17859-1999 and the role of the network system in the information system.
This standard is applicable to the design and implementation of network systems according to the grading requirements, and may be used as a reference for testing and managing network system security as required.
2 Normative References
The provisions in the following documents, through reference in this standard, constitute provisions of this standard. For dated references, subsequent amendments (excluding corrections) to, or revisions of, any of these publications do not apply. However, parties to agreements based on this standard are encouraged to study whether the latest editions of these documents are applicable. For undated references, the latest edition of the normative document referred to applies.
GB 17859-1999 Classified Criteria for Security Protection of Computer Information System
GB/T 20271-2006 Information Security Technology Common Security Techniques Requirement for Information System
3 Terms, Definitions and Abbreviations
3.1 Terms and definitions
For the purposes of this standard, the terms and definitions given in GB 17859-1999 and the following ones apply.
3.1.1
Network security
Characterization of the confidentiality, integrity and availability of information that is stored, transmitted and processed in the network environment.
3.1.2
Basis technology of network security
All the basic security technologies necessary to implement the security of all kinds of network systems.
3.1.3
Security subsystem of network
A generic term for the security protection mechanisms in a network, including the hardware, firmware, software and the combination thereof responsible for enforcing the security policy. It establishes a basic protected network security environment and provides the additional user services required by a secure network.
Note: SSON (security subsystem of network) is the network TCB (trusted computing base), according to the definition of TCB in GB 17859-1999.
3.1.4
SSON security policy
A set of rules for managing, protecting and distributing SSON resources. One SSON may have one or more security policies.
Contents of GB/T 20270-2006
Foreword
Introduction
1 Scope
2 Normative References
3 Terms, Definitions and Abbreviations
3.1 Terms and definitions
3.2 Abbreviation
4 Composition and Interrelationship of Network Security
5 Basic Requirements for Network Security Function
5.1 Identity Authentication
5.1.1 User Identification
5.1.2 User Authentication
5.1.3 User-Subject Binding
5.1.4 Authentication Failure Handling
5.2 Discretionary Access Control
5.2.1 Access Control Policy
5.2.2 Access Control Function
5.2.3 Scope of Access Control
5.2.4 Granularity of Access Control
5.3 Tag
5.3.1 Subject Tag
5.3.2 Object Tag
5.3.3 Tag Integrity
5.3.4 Output of Information with Tag
5.4 Mandatory Access Control
5.4.1 Access Control Policy
5.4.2 Access Control Function
5.4.3 Scope of Access Control
5.4.4 Granularity of Access Control
5.4.5 Access Control Environment
5.5 Data Flow Control
5.6 Security Audit
5.6.1 Response of Security Audit
5.6.2 Generation of Security Audit Data
5.6.3 Security Audit Analysis
5.6.4 Security Audit Consult
5.6.5 Selection of Security Audit Event
5.6.6 Storage of Security Audit Event
5.7 User Data Integrity
5.7.1 Integrity of Storage Data
5.7.2 Integrity of Transmitted Data
5.7.3 Integrity of Processed Data
5.8 User Data Confidentiality
5.8.1 Confidentiality of Storage Data
5.8.2 Confidentiality of Transmitted Data
5.8.3 Reusing of Object Security
5.9 Trusted Path
5.10 Non-repudiation
5.10.1 Non-repudiation of Origin
5.10.2 Non-repudiation of Receipt
5.11 Network Security Monitoring
6 Requirements for Network Security Function at Each Grade and Layer
6.1 Identity Authentication Function
6.2 Discretionary Access Control Function
6.3 Tag Function
6.4 Mandatory Access Control Function
6.5 Data Flow Control Function
6.6 Security Audit Function
6.7 Protection Function of User Data Integrity
6.8 User Data Confidentiality Protection Function
6.9 Trusted Path Function
6.10 Non-repudiation Function
6.11 Network Security Monitoring Function
7 Grading Requirements for Network Security Technology
7.1 Grade 1: the User's Discretionary Protection Grade
7.1.1 Grade 1 Security Function Requirements
7.1.2 Grade 1 Security Assurance Requirements
7.2 Grade 2: System Audit Protection Grade
7.2.1 Grade 2 Security Function Requirements
7.2.2 Grade 2 Security Assurance Requirements
7.3 Grade 3: Security Tag Protection Grade
7.3.1 Grade 3 Security Function Requirements
7.3.2 Grade 3 Security Assurance Requirements
7.4 Grade 4: Structured Protection Grade
7.4.1 Grade 4 Security Function Requirements
7.4.2 Grade 4 Security Assurance Requirements
7.5 Grade 5: Access Verification Protection Grade
7.5.1 Grade 5 Security Function Requirements
7.5.2 Grade 5 Security Assurance Requirements
Appendix A (Informative) Explanation of Standard Concept
A.1 Composition and Interrelationship
A.2 Description about the Main Functions of Network Protocol Layers
A.3 About Grading for Security Protection
A.4 About Subjects and Objects
A.5 About SSON, SSF, SSP, SFP and their Interrelationship
A.6 About Data Flow Control
A.7 About Encryption Technology
A.8 About the Construction of Secure Networks
References