GB/T 20281-2015   Information security technology—Security technical requirements and testing and evaluation approaches for firewall (English Version)
Standard No.: GB/T 20281-2015
English Name: Information security technology—Security technical requirements and testing and evaluation approaches for firewall
Chinese Name: 信息安全技术 防火墙安全技术要求和测试评价方法
Chinese Classification: L80    Data encryption
Professional Classification: GB    National Standard
Source Content Issued by: AQSIQ; SAC
Issued on: 2015-05-15
Implemented on: 2016-1-1
Status: superseded
Superseded by: GB/T 20281-2020 Information security technology—Security technical requirements and testing assessment approaches for firewall
Superseded on: 2020-11-1
Superseding: GB/T 20281-2006 Information security technology Technique requirements and testing and evaluation approaches for firewall products
Target Language: English
File Format: PDF
Word Count: 30000 words
Translation Price(USD): 140.0
Delivery: via email in 1 business day

Introduction of GB/T 20281-2015

Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.

This standard is drafted in accordance with the rules given in GB/T 1.1-2009.

This standard supersedes GB/T 20281-2006 Information Security Technology Technique Requirements and Testing and Evaluation Approaches for Firewall Products. Compared with GB/T 20281-2006, this standard has the main changes as follows:
——The description of firewall is modified;
——Functional classification of firewall is modified;
——Requirements for high performance of firewall are added;
——Requirements for capacity of firewall to control the application layer are strengthened;
——The requirements of next generation Internet Protocol for the support capability are added;
——It is uniformly divided into basic grade and reinforced grade.

This standard is proposed by and under the jurisdiction of National Technical Committee on Information Technology Security of Standardization Administration of China (SAC/TC 260).

Drafting organizations of this standard: Ministry of Public Security Computer Information System Security Product Quality Supervision Testing Center, Venustech, Huawei Technology Co., Ltd., National Liberation Army Information Security Evaluation and Certification Center, Netpower, Beijing NetentSec, Inc., the Third Research Institute of The Ministry of Public Security.

Chief drafting staff of this standard: Yu You, Lu Zhen, Zou Chunming, Gu Jian, Shen Liang, Li Yi, Wei Xiang, Wang Guangyu, Lv Yingxuan, Wang Ping.

The previous edition of this standard superseded by this standard is:
——GB/T 20281-2006.

NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
中华人民共和国国家标准
GB/T 20281-2015
Information Security Technology - Security Technical Requirements and Testing and Evaluation Approaches for Firewall
信息安全技术 防火墙安全技术要求和测试评价方法

1 Scope

This standard specifies the security technical requirements, testing and evaluation approaches and security grade division for firewalls. This standard is applicable to the design, development and testing of firewalls.

2 Normative References

The following documents are essential for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition of the normative document (including any amendments) applies.

GB/T 18336.3-2008 Information Technology - Security Techniques - Evaluation Criteria For IT Security - Part 3: Security Assurance Requirements
GB/T 25069-2010 Information Security Technology - Glossary

3 Terms and Definitions

For the purposes of this document, the terms and definitions established in GB/T 25069-2010 and the following ones apply.

3.1 Firewall
A security gateway product deployed between security domains to control and filter network-layer access, with application-layer protocol analysis, control and content inspection functions, applicable to both IPv4 and IPv6.

3.2 Deep packet inspection
A flow inspection and control technology based on the application layer. It obtains the full application content by reading IP packet payloads and reconstructing the application-layer information, and then handles the content according to the policy defined in the system.

3.3 Deep content inspection
A technology that deeply analyzes application protocols, identifies all elements therein (for example, for the HTTP protocol, specifically cookies, GET parameters and POST forms) and all the services carried by the protocol (such as data content included in the protocol or documents exchanged in business system interactions), and then rapidly parses the data to restore the original communication. Based on the restored information, it can also detect whether threats or sensitive content are included.

3.4 SQL injection
An attack whose purpose is to trick the server into executing malicious SQL commands by inserting SQL commands into web form submissions or page request parameters.

3.5 Cross site scripting
A type of injection in which an attacker injects malicious HTML code into a web page. The HTML code is executed when a user browses the page, thereby carrying out a malicious attack on the user.

4 Abbreviated Terms

For the purpose of this document, the following abbreviated terms apply.

DPI: Deep packet inspection
DCI: Deep content inspection
SQL: Structured Query Language
XSS: Cross Site Scripting

5 Firewall Description

A firewall establishes security control points between security domains, analyzes and filters the data flows passing through it according to predefined access control and security protection policies, and provides controlled service access to the protected security domain. The protocol suite of a firewall compatible with the next-generation Internet environment supports not only IPv4 but also IPv6 and IPv4/IPv6 transition technologies. The assets protected by a firewall include the network services and resources covered by the security policy, as well as the firewall itself and its important internal data. The firewall operates in routing or transparent mode, and the network is divided into security domains, within which security policies are used to audit and control services and access.

Figure 1 shows a typical operating environment of a firewall, which divides the network into intranet, extranet and DMZ. The intranet is a trusted region, the extranet is an untrusted region, and servers in the DMZ may provide application services to users in both the extranet and the intranet.

Contents of GB/T 20281-2015

Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Abbreviated Terms
5 Firewall Description
6 Security Technical Requirements
  6.1 General
    6.1.1 Classification
    6.1.2 Security Grade
  6.2 Security Requirements for Basic Grade
    6.2.1 Security Function Requirements
    6.2.2 Security Assurance Requirements
  6.3 Security Requirements for Reinforced Grade
    6.3.1 Security Function Requirements
    6.3.2 Security Assurance Requirements
  6.4 Environmental adaptation requirements
    6.4.1 Transmission Mode
    6.4.2 Next Generation of Internet Support (if any)
  6.5 Performance Requirements
    6.5.1 Throughput
    6.5.2 Delay
    6.5.3 Maximum Concurrent Connections
    6.5.4 Maximum Connection Rate
7 Testing and Evaluation Approaches
  7.1 Testing Environment
    7.1.1 Security Function and Environmental Adaptation Testing Environment
    7.1.2 Performance Testing Environment
  7.2 Base Level Security Requirements Testing
    7.2.1 Security Function Testing
    7.2.2 Security Assurance Testing
  7.3 Security Requirements Testing at Reinforced Grade
    7.3.1 Security Function Testing
    7.3.2 Security Assurance Testing
  7.4 Environmental Adaptation Testing
    7.4.1 Transmission Mode
    7.4.2 Next Generation of Internet Support
  7.5 Performance Testing
    7.5.1 Throughput
    7.5.2 Delay
    7.5.3 Maximum Concurrent Connections
    7.5.4 Maximum Connection Rate
References

Standards referenced in GB/T 20281-2015:
* GB/T 18336.3-2008 Information Technology - Security Techniques - Evaluation criteria for IT security - Part 3: Security assurance requirements
* GB/T 25069-2010 Information security technology—Glossary
* GB/T 18336.1-2008 Information technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model
* GB/T 18336.2-2008 Information technology - Security techniques - Evaluation criteria for IT security - Part 2: Security functional requirements
* GB/T 22239-2008 Information security technology - Baseline for classified protection of information system security

GB/T 20281-2015 is referenced in:
* GB/T 37933-2019 Information security technology—Technical requirements of industrial control system dedicated firewall