GB/T 25068.3-2022   Information technology—Security techniques—Network security—Part 3: Threats, design techniques and control for network access scenarios (English Version)
Standard No.: GB/T 25068.3-2022
English Name: Information technology—Security techniques—Network security—Part 3: Threats, design techniques and control for network access scenarios
Chinese Name: 信息技术 安全技术 网络安全 第3部分:面向网络接入场景的威胁、设计技术和控制
Chinese Classification: L80 Data encryption
Professional Classification: GB National Standard
Source Content Issued by: SAMR; SAC
Issued on: 2022-10-12
Implemented on: 2023-5-1
Status: valid
Superseding: GB/T 25068.4-2010 Information technology—Security techniques—IT network security—Part 4: Securing remote access
Target Language: English
File Format: PDF
Word Count: 18500 words
Translation Price(USD): 555.0
Delivery: via email in 1~5 business days
Introduction

The purpose of GB/T 25068 is to provide detailed guidance on the security aspects of the management, operation, use and interconnection of information systems networks and to facilitate the adoption of this document by those responsible for information security, particularly network security, within an organization to meet its specific needs. It is intended to consist of six parts.

--Part 1: Overview and concepts. The purpose is to present concepts related to network security and provide management guidance.
--Part 2: Cybersecurity design and implementation guidelines. The purpose is to provide guidance for organizations on how to plan, design, and implement a high-quality network security system to ensure that network security is appropriate for the appropriate business environment.
--Part 3: Network access scenario-oriented threats, design techniques and controls. The purpose is to list the specific risks associated with typical network access scenarios, design techniques and controls, applicable to all involved in the planning, design and implementation of network security architecture.
--Part 4: Inter-network communication security protection using secure gateways. The purpose is to ensure the use of security gateways for inter-network communication security.
--Part 5: The use of virtual private network cross-network communications security protection. The purpose is to define the specific risks, design techniques, and control elements for establishing secure connections using virtual private networks.
--Part 6: Wireless network access security. The purpose is to provide guidance for the selection, implementation and monitoring of technical controls necessary to provide secure communications using wireless networks, and for the review and selection of technical security architecture or design options in part peal involving the use of wireless networks.

On the basis of GB/T 22081 "information technology security technology and plant information security control practice guide", GB/T 25068 provides further detailed implementation guidance on network security controls. GB/T 25068 only emphasizes the importance of business types and other factors affecting network security without specific instructions.

Where this document involves the use of cryptographic technology to address confidentiality, integrity, authenticity and non-repudiation needs, the cryptography-related national standards and industry standards are followed.

1 Scope

This document describes the threats, design techniques and control issues associated with network access scenarios, providing a detailed guide to the three elements of security threats, security design techniques and controls that can reduce the risks associated with each network access scenario.

This document applies to the review of technical security architecture and design in accordance with GB/T 25068.2, as well as the selection and documentation of preferred technical security architecture, design, and related control options. The characteristics of the network environment under review determine the selection of specific information (including information selected from GB/T 25068.4, GB/T 25068.5 and ISO/IEC 27033-6), i.e., the selection of specific information related to specific network access scenarios and "technical" topics.

2 Normative references

The contents of the following documents constitute essential provisions of this document through the normative references in the text. For dated references, only the edition corresponding to that date applies to this document; for undated references, the latest edition (including all amendments) applies to this document.

GB/T 29246 Information technology Security technology Information security management system Overview and vocabulary (GB/T 29246-2017, ISO/IEC 27000:2016, IDT)
GB/T 25068.1 Information technology Security technology Network security Part 1: Overview and concepts (GB/T 25068.1-2020, ISO/IEC 27033-1:2015, IDT)

3 Terms and definitions

The terms and definitions given in GB/T 29246 and GB/T 25068.1, as well as the following, apply to this document.

3.1 Malware
A category of software with malicious design, containing features or functions that may directly or indirectly cause potential harm to the user or the user's computer system.
[Source: ISO/IEC 27032:2012, 4.35]

3.2 Opaqueness; opacity
The information that may be obtained by monitoring network activity (e.g., obtaining the address of an endpoint in a VoIP call over the Internet) is given

4 Abbreviations

The following acronyms apply to this document.

5 Document structure

The structure of this document includes:
--Provides an overview of network security protection methods for each reference network access scenario (see Chapter 6 for details);
--Provides a detailed description of each reference scenario (see Chapter 1 to Chapter 15):
  -Describes the threats present in the reference scenario;
  -Describes possible security controls and techniques based on the approach in Chapter 6.

6 Overview

This document provides guidance for each of the identified reference network access scenarios based on the following methodology:
--Reviewing the background information and scope of the network access scenario;
--Describing the threats associated with the network access scenario;
--Risk analysis of the identified vulnerabilities;
--Analysis of the business impact of potential vulnerabilities;
--Identifying implementation recommendations to protect the network.

7 Employee Internet Access Services

7.1 Background
When organizations need to provide Internet access services for employees, the network access scenarios provided in this chapter can be used to ensure that employee access to the Internet is clear and has been authorized, rather than general open access. Organizations need to consider how to manage access rights: uncontrolled access to the Internet by employees can cause loss of network bandwidth, and the organization may even bear joint and several legal liability.

8 Business-to-Business Services

8.1 Background
Organizations transacting with other organizations (such as manufacturers, wholesalers, retailers) are advised to consider the network access scenarios provided in this chapter. Generally, business-to-business services are achieved through leased private lines or network segments. The Internet and related technologies do provide more options, but the implementation of such services also introduces new security risks. The evolving B2B e-commerce model allows organizations to conduct business over the Internet, and applications focus on improving business partnerships (mutually known and registered) through the use of the Internet, extranets, or both, unlike in the case of business-to-customers.

9 Business-to-customer services

9.1 Context
It is appropriate for organizations to consider the network access scenarios provided in this chapter when transacting with customers.

10 Enhanced Collaboration Services

11 Network segmentation

11.1 Context
It is appropriate to consider the network access scenarios provided in this chapter when the organization divides its intranet into multiple domains according to its organizational structure.

12 Provide network gi line for home office and small business office

12.1 Context
The network access scenarios provided in this chapter are appropriate to consider when organizations need to provide access to internal resources for employees in home offices or small offices.

13 Mobile Communications

13.1 Background
The network access scenarios provided in this chapter are appropriate to consider when organizations allow employees to use mobile devices to access the network. This scenario is concerned with security issues when organizations use and deploy mobile devices and applications. While the consumer market is the primary driver for the rapid development of new features on mobile devices such as smartphones or PDAs, these features are equally applicable to business environments. Mobile devices are often private objects, but they are also used for business purposes. Sometimes agencies provide the mobile devices, which are also put to personal use. Because device vendors want to get as much business as possible in a competitive market, devices for the business sector also need to introduce features that are available in the consumer market.

14 Network support for mobile users

15 Outsourcing services

Appendix A (Informational) Threat Inventory

Appendix B (Informative) Examples of Internet Usage Strategies

Bibliography
Contents of GB/T 25068.3-2022
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Document structure
6 Overview
7 Employee Internet Access Services
8 Business-to-Business Services
9 Business-to-customer services
10 Enhanced Collaboration Services
11 Network segmentation
12 Provide network gi line for home office and small business office
13 Mobile Communications
14 Network support for mobile users
15 Outsourcing services
Appendix A (Informational) Threat Inventory
Appendix B (Informative) Examples of Internet Usage Strategies
Bibliography
Referred in GB/T 25068.3-2022:
*GB/T 29246-2017 Information technology—Security techniques—Information security management systems—Overview and vocabulary
*GB/T 25068.1-2020 Information technology—Security techniques—Network security—Part 1: Overview and concepts