Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is prepared in accordance with the rules given in GB/T 1.1-2009.
This standard replaces GB/T 20010-2005 Information security technology—Packet filtering firewalls evaluation criteria, GB/T 20281-2015 Information security technology—Security technical requirements and testing and evaluation approaches for firewall, GB/T 31505-2015 Information security technology—Technique requirements and testing and evaluation approaches for host-based firewall and personal firewall, and GB/T 32917-2016 Information security technology—Security technique requirements and testing and evaluation approaches for WEB application firewall. This standard is developed by reference to GB/T 20281-2015 and integrates some contents of GB/T 20010-2005, GB/T 31505-2015 and GB/T 32917-2016. In addition to editorial changes, the following main technical changes have been made with respect to GB/T 20281-2015:
——The definitions of "network-based firewall", "database firewall", "WEB application firewall" and "host-based firewall" are added (see Clause 3 hereof);
——The "General" is modified (see Clause 5 hereof; Clause 5 of Edition 2015);
——The requirements of "equipment virtualization" are added (see 6.1.1.4 hereof);
——The requirements of "application content control" are modified (see 6.1.3.3 hereof; 6.2.1.2 and 6.3.1.2 of Edition 2015);
——The requirements of "attack protection" are added (see 6.1.4 hereof);
——The requirements of "security audit and analysis" are added (see 6.1.5 hereof);
——The performance requirements of "hybrid application layer throughput", "HTTP throughput", "HTTP request rate", "SQL request rate", "number of concurrent HTTP connections" and "number of concurrent SQL connections" are added (see 6.3.1.2, 6.3.1.3, 6.3.3.2, 6.3.3.3, 6.3.4.2 and 6.3.4.3 hereof);
——Normative annexes are added (see Annexes A and B).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this standard shall not be held responsible for identifying any or all such patent rights.
This standard was proposed by and is under the jurisdiction of SAC/TC 260 National Technical Committee on Information Security of Standardization Administration of China.
The previous editions of this standard are as follows:
——GB/T 20010-2005;
——GB/T 20281-2006, GB/T 20281-2015;
——GB/T 31505-2015;
——GB/T 32917-2016.
Information security technology—
Security technical requirements and testing assessment approaches for firewall
1 Scope
This standard specifies the classification, security technical requirements and testing assessment approaches of firewalls.
This standard is applicable to the design, development and testing of firewalls.
2 Normative references
The following referenced documents are indispensable for the application of this standard. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 18336.3-2015 Information technology—Security techniques—Evaluation criteria for IT security—Part 3: Security assurance components
GB/T 25069-2010 Information security technology—Glossary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069-2010 and the following apply.
3.1
firewall
network security product capable of analyzing the data flow passing through it and providing access control and security protection functions
Note: According to its security purpose and implementation principle, a firewall may generally be classified as a network-based firewall, WEB application firewall, database firewall or host-based firewall.
3.2
network-based firewall
network security product deployed between different security domains that is capable of analyzing the data flow passing through it and provides access control and security protection at the network layer and application layer
3.3
web application firewall
network security product deployed in front of a WEB server that is capable of analyzing the HTTP/HTTPS requests and responses passing through it and provides access control and security protection for WEB applications
3.4
database firewall
network security product deployed in front of a database server that is capable of analyzing the database requests and responses passing through it and provides access control and security protection for the database
3.5
host-based firewall
network security product deployed on computers (including personal computers and servers) that provides network layer access control, application access restrictions, and attack protection
3.6
reverse proxy
deployment mode in which the product acts as a server-side proxy: it accepts client requests on behalf of the server, forwards them to the internal server, and returns the server's results to the requesting client
3.7
drag attack
malicious act of downloading database contents or database data files in batch through unauthorized access to the database or to the operating system hosting it
3.8
account credential enumeration attack
malicious act of attempting, in batch, to match collected credentials against database data
Note: For example, building a dictionary from leaked and otherwise known user name and password pairs, and attempting in batch to log in to other application systems with them.
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
BGP: Border Gateway Protocol
CSRF: Cross-site request forgery
DMZ: Demilitarized Zone
DNAT: Destination NAT
FTP: File Transfer Protocol
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol over Secure Socket Layer
ICMP: Internet Control Message Protocol
IMAP: Internet Mail Access Protocol
IP: Internet Protocol
IPv6: Internet Protocol version 6
ISATAP: Intra-Site Automatic Tunnel Addressing Protocol
MAC: Media Access Control
NAT: Network Address Translation
NTP: Network Time Protocol
OSPF: Open Shortest Path First
P2P: Peer-to-peer
RIP: Routing Information Protocol
SNAT: Source NAT
SNMP: Simple Network Management Protocol
SQL: Structured Query Language
SYSLOG: System Log
URL: Uniform Resource Locator
WEB: World Wide Web
XSS: Cross Site Scripting
5 General
A firewall is a network security product that sits between different security domains and provides access control and security protection. Firewalls are mainly classified into network-based firewalls, WEB application firewalls, database firewalls, host-based firewalls, or combinations of these.
The security technical requirements for firewalls are divided into four categories: security function requirements, self-security requirements, performance requirements and security assurance requirements. The security function requirements specify the security functions a firewall shall provide, covering networking and deployment, network layer control, application layer control, attack protection, and security audit and analysis; the self-security requirements specify how the firewall protects itself, covering identification and authentication, management capability, management audit, management mode and the security support system; the performance requirements specify the performance indicators a firewall shall achieve, covering throughput, latency, connection rate and number of concurrent connections; and the security assurance requirements specify requirements on the firewall's life cycle process, covering development, guidance documents, life-cycle support, testing and vulnerability assessment.
Firewalls are classified into basic level and enhanced level. The division is based on the strength of the security functions, the strength of self-security and the level of the security assurance requirements; the level reflects the product's security characteristics. The security assurance requirements of basic-level products correspond to EAL2 of GB/T 18336.3-2015, and those of enhanced-level products correspond to EAL4+ of GB/T 18336.3-2015. See Annex A for the specific security technical requirements and classification of each kind of firewall (hereinafter referred to as "products"), and Annex B for the testing assessment approach and classification.
6 Security technical requirements
6.1 Security functional requirements
6.1.1 Networking and deployment
6.1.1.1 Deployment mode
The products shall support the following deployment modes:
a) Transparent transmission mode;
b) Route forwarding mode; and
c) Reverse proxy mode.
6.1.1.2 Routing
6.1.1.2.1 Static routing
The products shall support static routing function and be capable of configuring static routing.
6.1.1.2.2 Policy routing
Products with multiple network interfaces of the same type (multiple external network interfaces, multiple internal network interfaces, or multiple DMZ network interfaces) shall support policy routing, including but not limited to:
a) Policy routing based on source and destination IP;
b) Policy routing based on interface;
c) Policy routing based on protocol and port;
d) Policy routing based on application type; and
e) Automatic routing based on multi-link load conditions.
6.1.1.2.3 Dynamic routing
The products shall support dynamic routing, implementing one or more of the dynamic routing protocols RIP, OSPF and BGP.
6.1.1.3 High availability
6.1.1.3.1 Redundant deployment
The products shall support one or more of the redundant deployment modes "master-standby", "master-master" and "cluster".
6.1.1.3.2 Load balancing
The products shall support load balancing, distributing network traffic across multiple servers according to security policies.
6.1.1.4 Device virtualization (optional)
6.1.1.4.1 Virtual system
If the product supports logical division into multiple virtual subsystems, the virtual subsystems shall be isolated from one another and independently managed, including but not limited to:
a) Separate administrators can be assigned to each virtual subsystem to manage and configure it;
b) Each virtual subsystem maintains its own routing table, security policy and log system;
c) Resource usage quotas can be set for each virtual subsystem.
6.1.1.4.2 Virtualization deployment
If the product is virtualized, it shall support deployment on a virtualization platform and accept unified management by that platform, including but not limited to:
a) Deployment on a virtualization platform such as VMware ESXi, KVM, Citrix XenServer or Hyper-V;
b) Elastic expansion of product resources together with the virtualization platform, dynamically adjusting resources according to the load on the virtualized product;
c) Failover together with the virtualization platform, automatically updating and replacing a virtualized product instance when it fails.
6.1.1.5 IPv6 support (optional)
6.1.1.5.1 Support of IPv6 network environment
If the product supports IPv6, it shall operate normally in an IPv6 network environment, with its security functions and self-security functions remaining effective.
6.1.1.5.2 Protocol conformance
If the product supports IPv6, it shall meet the requirements of IPv6 protocol conformance, including at least IPv6 core protocol, IPv6 NDP protocol, IPv6 Autoconfig protocol and ICMPv6 protocol.
6.1.1.5.3 Protocol robustness
If the product supports IPv6, it shall meet the requirements of IPv6 protocol robustness, resisting attacks that use malformed protocol messages in an IPv6 network environment.
6.1.1.5.4 Support of IPv6 transition network environment
If the product supports IPv6, it shall support operation in one or more of the following IPv6 transition network environments:
a) Protocol conversion, which translates between IPv4 and IPv6;
b) Tunneling, which encapsulates IPv6 in IPv4 to traverse an IPv4 network, such as IPv6 over IPv4, IPv6 to IPv4 and ISATAP.
6.1.2 Network layer control
6.1.2.1 Access control
6.1.2.1.1 Packet filtering
The packet filtering function requirements of the product are as follows:
a) The security policy shall follow the minimum-security principle (default deny): traffic is prohibited unless explicitly allowed;
b) The security policy shall include access control based on source IP address and destination IP address;
c) The security policy shall include access control based on source port and destination port;
d) The security policy shall include access control based on protocol type;
e) The security policy shall include access control based on MAC address;
f) The security policy shall include time-based access control;
g) The user-defined security policy shall be supported, including partial or full combination of MAC address, IP address, port, protocol type and time.
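As an added illustration (not code from the standard), the following Python sketch implements a policy engine meeting items a) to g) above: a first-match rule list with an implicit final deny, in which each rule may combine IP, port, protocol, MAC and time-of-day matchers. All rules, addresses and MACs are constructed sample values.

```python
"""Added example (not part of GB/T 20281-2020): a minimal packet filter modelled on
6.1.2.1.1. A rule may combine source/destination IP, source/destination port, protocol,
MAC address and a time-of-day window (item g); evaluation is first-match with an
implicit final deny (item a). All addresses, MACs and rules are constructed samples."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str               # "tcp", "udp" or "icmp"
    src_port: Optional[int]  # None for port-less protocols such as ICMP
    dst_port: Optional[int]
    src_mac: str
    at: time                 # local time of day when the packet was seen


def _port_in(port: Optional[int], rng: Optional[Tuple[int, int]]) -> bool:
    """None range = unconstrained; a port constraint never matches a port-less protocol."""
    return True if rng is None else port is not None and rng[0] <= port <= rng[1]


def _in_window(t: time, start: time, end: time) -> bool:
    """Inclusive window; may wrap past midnight, e.g. 22:00-06:00."""
    return start <= t <= end if start <= end else (t >= start or t <= end)


@dataclass
class Rule:
    """Fields left as None match anything, so one rule type covers items b) to g)."""
    name: str
    action: str                                   # "allow" or "deny"
    src_net: Optional[str] = None                 # CIDR notation
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    src_ports: Optional[Tuple[int, int]] = None   # inclusive range
    dst_ports: Optional[Tuple[int, int]] = None
    src_mac: Optional[str] = None
    window: Optional[Tuple[time, time]] = None

    def matches(self, p: Packet) -> bool:
        return (
            (not self.src_net or ip_address(p.src_ip) in ip_network(self.src_net))
            and (not self.dst_net or ip_address(p.dst_ip) in ip_network(self.dst_net))
            and (not self.proto or self.proto == p.proto)
            and _port_in(p.src_port, self.src_ports)
            and _port_in(p.dst_port, self.dst_ports)
            and (not self.src_mac or self.src_mac.lower() == p.src_mac.lower())
            and (not self.window or _in_window(p.at, *self.window))
        )


class PacketFilter:
    """First-match evaluation; whatever no rule explicitly allows is denied (item a)."""
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def decide(self, p: Packet) -> Tuple[str, str]:
        for r in self.rules:
            if r.matches(p):
                return r.action, r.name
        return "deny", "implicit-default-deny"


def sample_policy() -> PacketFilter:
    return PacketFilter([
        # b)+c)+d): intranet clients may reach the DMZ web server on TCP/443
        Rule("intranet-to-web", "allow", src_net="10.0.0.0/8",
             dst_net="192.168.1.10/32", proto="tcp", dst_ports=(443, 443)),
        # e)+f): one admin workstation, pinned by MAC, may SSH in during office hours
        Rule("admin-ssh-office-hours", "allow", src_net="10.0.5.0/24",
             dst_net="192.168.1.20/32", proto="tcp", dst_ports=(22, 22),
             src_mac="00:11:22:33:44:55", window=(time(8, 0), time(18, 0))),
    ])


def evaluate_samples() -> Dict[str, Tuple[str, str]]:
    fw, admin, noon = sample_policy(), "00:11:22:33:44:55", time(12, 0)
    pkts = {  # constructed packets exercising each matcher and the default deny
        "web_from_intranet": Packet("10.1.2.3", "192.168.1.10", "tcp", 51000, 443, "aa:bb:cc:00:00:01", noon),
        "web_from_other_net": Packet("172.16.0.9", "192.168.1.10", "tcp", 51000, 443, "aa:bb:cc:00:00:02", noon),
        "ping_web": Packet("10.1.2.3", "192.168.1.10", "icmp", None, None, "aa:bb:cc:00:00:01", noon),
        "ssh_admin_daytime": Packet("10.0.5.9", "192.168.1.20", "tcp", 52000, 22, admin, time(10, 30)),
        "ssh_admin_night": Packet("10.0.5.9", "192.168.1.20", "tcp", 52000, 22, admin, time(21, 0)),
        "ssh_right_ip_wrong_mac": Packet("10.0.5.9", "192.168.1.20", "tcp", 52000, 22, "de:ad:be:ef:00:01", time(10, 30)),
    }
    return {name: fw.decide(p) for name, p in pkts.items()}
```

Only the two explicitly allowed flows pass; the ICMP probe, the foreign source network, the after-hours login and the MAC mismatch all fall through to the implicit deny.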
6.1.2.1.2 Network address translation
The network address translation function requirements of the product are as follows:
a) Support SNAT and DNAT;
b) SNAT shall realize "many-to-one" address translation, so that the source IP address of an internal network host is translated when it accesses the external network;
c) DNAT shall realize "one-to-many" address translation, mapping the IP address/port of a DMZ host to a legal IP address/port on the external network, so that external hosts reach the DMZ server by accessing the mapped address and port;
d) Support dynamic SNAT, realizing "many-to-many" SNAT.
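The three translations named in items b) to d) above, as an added Python illustration (not code from the standard): a toy NAT table that performs many-to-one SNAT, one-to-many DNAT to a DMZ server and many-to-many dynamic SNAT from an address pool, keeping each binding so that replies can be mapped back. All addresses are constructed from private and documentation ranges.

```python
"""Added example (not part of GB/T 20281-2020): a toy NAT table showing the three
translations required in 6.1.2.1.2: many-to-one SNAT (one public address, source
ports multiplexed), one-to-many DNAT (a published address/port mapped to a DMZ
server) and many-to-many dynamic SNAT (a pool of public addresses). All addresses
are constructed samples."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from itertools import count
from typing import Dict, Iterator, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class NatTable:
    public_pool: List[str]  # one address: many-to-one SNAT; several: many-to-many SNAT
    dnat_map: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # public -> DMZ
    _snat: Dict[Endpoint, Endpoint] = field(default_factory=dict, init=False)  # internal -> public
    _rev: Dict[Endpoint, Endpoint] = field(default_factory=dict, init=False)   # public -> internal
    _ports: Iterator[int] = field(default_factory=lambda: count(40000), init=False)

    def translate_outbound(self, src: Endpoint) -> Endpoint:
        """SNAT for an internal host's outgoing connection; the binding is kept so the
        external host's reply can be mapped back to the originating internal endpoint."""
        if src in self._snat:
            return self._snat[src]
        # Spread internal hosts over the pool deterministically by source address.
        # With a single pool entry this degenerates to plain many-to-one SNAT.
        pub_ip = self.public_pool[int(ip_address(src[0])) % len(self.public_pool)]
        pub = (pub_ip, next(self._ports))  # fresh public port: two hosts never collide
        self._snat[src] = pub
        self._rev[pub] = src
        return pub

    def translate_inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Packet arriving at a public address: a static DNAT entry wins; otherwise it
        must be a reply to an existing SNAT session. None means no mapping exists and
        the packet is dropped, preserving the default-deny posture of 6.1.2.1.1 a)."""
        if dst in self.dnat_map:
            return self.dnat_map[dst]
        return self._rev.get(dst)


def many_to_one_demo():
    """b): two internal hosts using the same source port share one public address."""
    nat = NatTable(public_pool=["203.0.113.1"])
    a = nat.translate_outbound(("10.0.0.5", 51000))
    b = nat.translate_outbound(("10.0.0.6", 51000))
    reply_to_b = nat.translate_inbound(b)  # the external server answers the public endpoint
    return a, b, reply_to_b


def dnat_demo():
    """c): the DMZ web server is published on the firewall's external address."""
    nat = NatTable(public_pool=["203.0.113.1"],
                   dnat_map={("203.0.113.1", 443): ("192.168.100.10", 8443)})
    return nat.translate_inbound(("203.0.113.1", 443)), nat.translate_inbound(("203.0.113.1", 25))


def many_to_many_demo():
    """d): with a pool of public addresses, different hosts leave via different IPs."""
    nat = NatTable(public_pool=["203.0.113.1", "203.0.113.2"])
    return nat.translate_outbound(("10.0.0.5", 51000)), nat.translate_outbound(("10.0.0.6", 51000))
```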
Contents of GB/T 20281-2020
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 General
6 Security technical requirements
6.1 Security functional requirements
6.2 Self security requirements
6.3 Performance requirements
6.4 Security assurance requirements
7 Testing assessment approach
7.1 Testing assessment environment
7.2 Testing assessment of security function
7.3 Testing assessment of self security
7.4 Testing assessment of performance
7.5 Testing assessment of security assurance
Annex A (Normative) Classification of firewalls and classification of security technical requirements
A.1 General
A.2 Network-based firewall
A.3 Web application firewall
A.4 Database firewall
A.5 Host-based firewall
Annex B (Normative) Classification of firewall and testing assessment approach
B.1 General
B.2 Network-based firewall
B.3 Web application firewall
B.4 Database firewall
B.5 Host-based firewall