GB 42250-2022 English version: Information security technology - Security technical requirements of specialized cybersecurity products
Foreword
This document is developed in accordance with the rules given in GB/T 1.1-2020 Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights.
This document was proposed by and is under the jurisdiction of the Ministry of Public Security of the People's Republic of China.
Introduction
This document is formulated to implement Article 23 of the Cybersecurity Law of the People's Republic of China. Specialized cybersecurity products shall be developed, produced, serviced and tested in accordance with the security technical requirements of this document and other technical specifications stipulated by the relevant national competent authorities.
This document gives the baseline requirements that all specialized cybersecurity products and their providers need to meet.
Information security technology -
Security technical requirements of specialized cybersecurity products
1 Scope
This document specifies the security function requirements, self-security requirements and security assurance requirements for the specialized cybersecurity products.
This document is applicable to the research, development, production, service and testing of specialized cybersecurity products to be sold or provided.
2 Normative references
The following documents contain provisions which, through reference in this text, constitute provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition (including any amendments) applies.
GB/T 25069 Information security techniques - Terminology
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069 and the following apply.
3.1
specialized cybersecurity products
specialized hardware and software products for providing cybersecurity
Note: including products that provide security protection capabilities in the form of services.
3.2
specialized cybersecurity products provider
developer or producer of specialized cybersecurity products or maintenance service provider for such products
3.3
security domain
collection of assets and resources that comply with common security policies
[Source: GB/T 25069-2022, 3.36]
3.4
personal information
all kinds of information related to an identified or identifiable natural person, recorded by electronic means, excluding information that has been anonymized
3.5
user information
information recorded by electronic means generated, collected, stored, transmitted or processed while any individual, legal person or other organization installs and uses specialized cybersecurity products
Note: user information includes network traffic information, security status information, security configuration data, operation process logs, as well as personal information.
3.6
malicious program
program with cyber-attack functions such as destroying networks and information systems, interfering with the normal use of networks and information systems, stealing or maliciously encrypting network and system data
Note: malicious programs mainly include viruses, worms, Trojans, and other programs that affect the safe and stable operation of hosts, networks or systems.
3.7
security flaw
weakness introduced by errors in design, development, configuration, production, operation and maintenance, etc., which may affect the security of specialized cybersecurity products
3.8
vulnerability
weakness in specialized cybersecurity products that can be exploited by a threat
4 Security function requirements
4.1 Access control
Specialized cybersecurity products with access control functions shall have the following functions:
a) Supporting the configuration of access control policies;
Note: different types of specialized cybersecurity products have different access control policies. For example, for network-based firewalls, access control policies are set based on source addresses, destination addresses, source ports, destination ports and network communication protocols; for virtual private network products, access control policies are set based on user security attributes; for security isolation and information exchange products, access control policies are set based on application layer protocols.
b) Supporting the control over access to a security domain based on an access control policy.
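An added example, not part of the standard's text: a minimal evaluator for the network-firewall case in the note to 4.1, where policies are configured on source address, destination address, source port, destination port and protocol (item a) and then used to control access to security domains (item b). The domain names, address ranges, first-match ordering and default-deny fallback are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed security domains (assumption): networks that share one security policy.
DOMAINS = {"office": ["10.10.0.0/16"], "dmz": ["192.0.2.0/24"], "db": ["10.20.5.0/24"]}
ANY_PORT = (0, 65535)

@dataclass(frozen=True)
class Rule:
    src: str                  # source address range (CIDR)
    dst: str                  # destination address range (CIDR)
    proto: str                # "tcp", "udp" or "any"
    dport: tuple = ANY_PORT   # inclusive destination port range
    sport: tuple = ANY_PORT   # inclusive source port range
    action: str = "deny"

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.sport[0] <= pkt["sport"] <= self.sport[1]
                and self.dport[0] <= pkt["dport"] <= self.dport[1])

def domain_of(ip):
    """Return the security domain containing ip, or 'untrusted' if none does."""
    addr = ipaddress.ip_address(ip)
    for name, nets in DOMAINS.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return name
    return "untrusted"

def evaluate(policy, pkt):
    """First matching rule decides (assumption); no match means deny (assumption)."""
    for index, rule in enumerate(policy):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None

def decide(policy, pkt):
    """Report source domain, destination domain, decision and the deciding rule index."""
    action, index = evaluate(policy, pkt)
    return domain_of(pkt["src"]), domain_of(pkt["dst"]), action, index

# Constructed policy: office may reach the database on 5432, anyone may reach
# the DMZ on 443, and everything else bound for the database domain is denied.
POLICY = [
    Rule("10.10.0.0/16", "10.20.5.0/24", "tcp", dport=(5432, 5432), action="allow"),
    Rule("0.0.0.0/0", "192.0.2.0/24", "tcp", dport=(443, 443), action="allow"),
    Rule("0.0.0.0/0", "10.20.5.0/24", "any", action="deny"),
]
```

Because the fallback is deny, traffic between two domains that no rule mentions is blocked without an explicit entry, and the returned rule index gives an auditable reason for each decision.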