GA/T 686-2007 信息安全技术 虚拟专用网安全技术要求

ICS35.040

A90

中华人民共和国公共安全行业标准

GA/T686一2007

信息安全技术

虚拟专用网安全技术要求

Inofrmationsecuritytechnology一

TechnicalrequirementsofvirtualPrivatenetworksecurity

2007一03一20发布2007一05一01实施

中华人民共和国公安部发布

GA/T686一2007

目次

前言·····························································，···················，，·······························……V

引言··············································································4·····················，·······，·····……U

1范围·······················································4·······················································……1

2规范性引用文件················4············································································，··……1

3术语、定义和缩略语····················4································，·······································……1

4VPN的一般说明··········································4··················4··································……2

概述·····················……

安全环境········4································，···············，············································……2

:;‘

4.21安全威胁····································，，···············，·············································……2

4.2.2安全应用假设·············································，··································……，.·····……3

5安全功能技术要求···························，，···············，··················.·.·.·……3

5.1标识和鉴别···················，···················，················，··········································……3

5.1.1用户标识······················4···············，····，··········，·························.··········.·……3

5.1.2用户鉴别····································，····4···········，······，······································……3

5.1.3鉴别失败处理·····························，···············，，····4·····························……，……4

5.1.4用户一主体绑定···························，····4··································……，.········……4

5.2安全审计···························································，··········································……4

5.2.1安全审计的响应···························，，···············，·····4····.········.·……4

52.2安全审计数据产生·························································.·····……，.·.·……4

5.2.3安全审计分析··································，…:············，，······················.··········……5

5.2.4安全审计查阅··················，·············，······，···············4·4···············.··.·······……5

5.2.5安全审计事件存储························，················，·······················...······……，..……5

5.26网络环境安全审计与评估·········································································4····……5

5.3通信抗抵赖················································，·····4·············.·········……6

5.3.1抗原发抵赖··························································································..……6

5.32抗接收抵赖··················································，······································..……6

5.4标记··········································，，·················，···················4··························……6

5.5自主访问控制··································4··········，····································.·...······.·.……7

5.6强制访问控制·································，，················································……7

5.7用户数据存储保护························4·····························...······……，……7

5.8用户数据传输保护·················，······················································.·..··一，，……7

5.8.IVPN内数据传输保护·········，····················································，···.·..··，··...……，…7

5.8.ZVPN向公用网络输出数据的保护············4·····················································，··……7

5.8.3公用网络向VPN输人数据的保护················································，·················……8

5.9用户数据完整性保护····························································…·…，……，，二8

59.1存储数据的完整性·············，····················，，·······························……，..···.·……8

5.9.2传输数据的完整性································，·······································.····……，，，，.…8

5.93处理数据的完整性·················，···4···············································……，····.·……8

1

GA/T686一2007

510剩余信息保护·················111·····························，，，，，··，·····1。········……8

5.11隐蔽信道分析··························································，····················.··……8

5.111一般性的隐蔽信道分析·，····························，·，，·····，································。··‘····……8

5·11·2系统化的隐蔽信道分析····················。·········，，，，···········································…·…9

5·11·3彻底化的隐蔽信道分析·····················。。·······························.·……9

5.12可信路径·········，···，··············································································，·········……9

5.13密码支持················4············，······，，························，·······································……9

6安全保证技术要求···········，········，······，，················，····················.··……，，……，.…9

6·IvPN安全功能自身安全保护···········4················，···，·····，·······································……9

6.1.1安全运行测试·············································，········，，·······，，··························……，.9

612‘失败保护················································································，，········，，······……9

6卜1.3输出VPN安全功能数据的可用性·············，，，·····，，，，，········································……9

6.1.4输出VPN安全功能数据的保密性·····························，，·····································一01

6.15输出VPN安全功能数据的完整性111····。··，····，，·····，，，······，，，·，··················一功

6.16VPN内VPN安全功能数据传输··································································……01

6.1.7物理安全保护··········································，，······，，，，·····················……01

6.1.8可信恢复·····································································4·····························……01

6.1.9重放检测··········，························································································……n

6.1.01参照仲裁······，，，········，·············································································……11

6.1.11域分离····································4···················，········，···················，·············……11

61.12状态同步协议·，·········，···················································4·············，······……11

61.13时间戳·········，·，········，·········，，··············，············································444···……n

6.1.14数据一致性···44·······4··，·······················‘··，，，······，，·······，，·······························……H

6.1.51安全功能检测·4········4·········4··，···············，，·，·······，········，······························……11

61‘.16资源利用···························，··················，，，··············································……11

6171VPN安全设施访问控制·····························，，·，，·····，，，，·········…·…，……，卜卜‘..……21

6.181可信路径/信道，，········，······11·········，，，，，，，·，，，，，，·························……21

6.ZVPN设计和实现···············。。。····················，·，··，，，，，，，，，····························...·.……31

621配置管理·······························································································4·4·……31

62.2分发和操作·····················································，·，········································……41

6.23开发·················，·······································，······························.···········，····……41

62.4指导性文档································································································……巧

6.2.5生命周期支持4········，，·········，，··········，·········，·，，·········································.····……16

6.2.6测试·······························4·4········44············，，·········，··················，，·······，········……71

62.7脆弱性评定·，···············，··································································4··，·，······……81

6.3VPN安全设施安全管理···，···············4···········，，，，················，·····························……91

6卜31功能管理··················································，·················································一·”

63.2安全属性的管理············································，，，，··········································……”

63.3VPN安全功能数据的管理·······‘······················，，······，，···································……91

63.4安全角色管理···，····，·····························，·············，·，····················一91

6.3.5时限授权·······················“····‘·····························。··········。。······‘·‘·····……02

6.36撤销······，·····················································，，··········································……20

7VPN安全保护等级划分要求······························，，，，，，········································……02

盯

GA/T686一2007

7.1第一级:用户自主保护级······························，········，·········································……02

7.1.1安全功能技术要求················································，················4·····················……02

7.1.2安全保证技术要求·‘····。·····························································4······，···········……02

72第二级:系统审计保护级············，，，·，······················，，，···················，····，··，·········……21

72.1安全功能技术要求··············································，·，，，·····················，，，·，··········……21

7.2.2安全保证技术要求······················································································……22

7.3第三级:安全标记保护级····························································，····················……23

7.31安全功能技术要求···············································4·44·············4············4·4·······……23

7，3.2安全保证技术要求············，，···········4··‘·····。··················“································……24

7.4第四级:结构化保护级·········4·，，，，···，·，······················，·，····················，，·····，··········……25

7.4.1安全功能技术要求······················，·，，····，·················，，，······················，，············……25

7.4.2安全保证技术要求··········，·······································，·························，··········……62

7.5第五级:访问验证保护级····························，·················。·························……·‘·……82

7.5，1安全功能技术要求······················，·，······························································……82

7，5.2安全保证技术要求·······························1·1，·······，······11······。··········，，····…·…92

附录A(资料性附录)标准概念说明····，，························，·····，········，，···················‘·····……31

A.1组成与相互关系··，·································································，·····················……31

A.ZvPN安全等级的划分··········································，，·····················，··················……31

A.3关于vPN中的主体与客体················，······················，，·······，···········，·，···············……33

A4关于VPN中的安全设施、安全功能和安全功能策略················4············，，···，··········……33

A.5关于密码技术，，，，二·1·········，，，，，，·二·。。·1········，，，，，，·二·。········，·，，，，，，，，···········一·43

参考文献···················，························································································……35

GA/T686一2007

月U吕

本标准从信息技术方面详细规定了各安全保护级别的VPN系统所应具有的安全功能要求和安全

保证要求。

本标准的附录A为资料性附录。

本标准由公安部公共信息网络安全监察局提出。

本标准由公安部信息系统安全标准化技术委员会归口。

本标准起草单位:中国科学院研究生院信息安全国家重点实验室

本标准主要起草人:荆继武、冯登国、夏鲁宁、聂晓峰、黄敏、王琼霄、许良玉、高能、林碌锵、吕欣、

廖洪变。

GA/T686一2007

引言

本标准用以指导设计者如何设计和实现具有所需要的安全等级的虚拟专用网产品，主要从对虚拟

专用网的安全保护等级进行划分的角度来说明其技术要求，即主要说明为实现GB17859一1999中每

一个安全保护等级的安全要求对虚拟专用网应采取的安全技术措施，以及各安全技术要求在不同安全

保护等级中具体实现上的差异。

本标准对虚拟专用网系统安全等级保护所涉及的安全功能技术要求和安全保证技术要求做了比较

全面的描述，按GB17859一1999五个安全保护等级的划分，对每一个安全保护等级的安全功能技术要

求和安全保证技术要求做了详细描述。文中每一级别比上一级别新增的要求以加粗字表示

GA/T686一2007

信息安全技术

虚拟专用网安全技术要求

范围

本标准规定了按GB17859一1999对虚拟专用网进行安全等级保护划分所需要的详细技术要求

本标准适用于按GB17859一1999的安全等级保护要求所进行的虚拟专用网的设计和实现。

GB17859一1999安全等级保护的要求对虚拟专用网进行的测试、管理也可参照使用。

2规范性引用文件

下列文件中的条款通过本标准的引用而成为本标准的条款。凡是标注日期的引用文件，其随后所

有的修改单(不包括勘误的内容)或修订版均不适用于本标准，然而，鼓励根据本标准达成协议的各方研

究是否可使用这些文件的最新版本。凡是不注日期的引用文件，其最新版本适用于本标准。

GB17859一1999计算机信息系统安全保护等级划分准则

GB/T18336.1一2。。1信息技术安全技术信息技术安全性评估准则第1部分:简介和一般

模型

3术语、定义和缩略语

3.1术语和定义

GB17859一1999和GB/T183361一2001确立的以及下列术语、定义适用于本标准。

3，，.1

虚拟专用网vlrtualprivatenetwork;vPN

虚拟专用网，又称虚拟私人网络。VPN是一门网络技术，它为我们提供了一种像使用安全专用网

络一样使用公用网络(例如互联网)的能力。在公共的、不可信的通信基础设施上，VPN通过设备间建

立安全通信通道来保护两个通信实体间传送的数据的安全。安全通信通道通过使用加密、数字签名、鉴

别、认证和访问控制等安全机制建立。安全通信通道可以建立在局域网、城域网、私有广域网和公用广

域网(例如互联网)之上。

3.1。2

VpN安全设施turstedcmoputingbase(TcB)orvpN

在VPN中，vPN安全设施是VPN中保护装置的总称，包括硬件、固件、软件和负责执行安全策略

的组合体。它建立一个基本的保护环境，并提供VPN所要求的附加服务。VPN中，VPN安全设施是

一个物理上分散，逻辑上统一的分布式安全设施。

3.1.3

VpN安全功能策略TCB，ceurlty加nctionpolicyofvpN

对VPN安全设施中的资源进行管理、保护和分配的一组规则。VPN安全功能策略构成一个安全

域，以防止不可信主体的干扰和篡改。一个VPN安全设施可以有一个或多个安全功能策略。

3。1.4

VpN安全功能TCBsceurityfunctionorVPN

正确实施VPN安全功能策略的全部硬件、固件、软件所提供的功能。每一个安全功能策略的实

现，组成一个安全功能模块。一个VPN安全设施的所有安全功能模块共同组成该VPN安全设施的安

1

GA/T686一2007

全功能。实现VPN安全功能有两种方法，一种是设置前端过滤器，另一种是设置访问监督器。两者都

是在一定硬件基础上通过软件实现确定的安全策略，并提供所要求的附加服务。

3.1.5

隧道tunnel

在隧道的起点将待传输的原始信息经过封装处理后嵌人另一种协议的数据包内，而后像普通数据

包一样在网络中进行传输。在隧道的终点，从封装的数据包中提取出原始信息。

能够实现隧道技术的协议主要有LZTP、GRE、PIesC和MPI名等

3.1.6

互联网协议安全协议internetp，tocolcesurity;Ipsce

互联网协议安全协议是由EITF的PIes。工作组提出的，将安全机制引人TCP/PI网络的一系列

标准，是一组开放的网络安全协议的总称。

主要有认证头协议(AH)、封装安全载荷协议(ESP)和互联网密钥交换协议I(KE)。还有两个重要

的策略数据结构:安全关联数据库S(AD)和安全策略数据库s(PD)。

PISe。提供了完整性、认证和机密性等安全服务，主要有两种工作方式:隧道模式和传输模式。

3.2缩略语

下列缩略语适用于本标准。

AH认证头协议AuthenticationHeader

ATM异步传输模式AsynchronousTransfe:Mode

ESp封装安全载荷协议Encapsulatingsecuritypayload

(;RE路由封装协议GenericRoutingEncapsulation

IETF互联网工程任务组InternetEngineeringTaskForce

IKE互联网密钥交换协议InternetKeyExchange

IPSec互联网协议安全协议InternetProtocolsecurity

IZTp第二层隧道协议LayerZTuonelingprotocol

MpIS多协议标记交换协议Multi一propocollabelswitching

SAD安全关联数据库SecurityAssociationDatabase

SpD安全策略数据库securitypolicyDatabase

TCP/IP传输控制协议/互联网协议TransmissionControlProtocol/InternetProtocol

VPDN虚拟专用拨号网VirtualPrivateDialupNetworks

VPN虚拟专用网VirtualPrivateNetwork

4VPN的一般说明

4.1概述

vPN通过vPN设备将若干个专用网络与公共网络连接起来，使分布在不同地方的专用网络在不

可完全信任的公共网络(例如互联网)上安全地通信，专用网络的数据经由隧道在公共网络中传输。按

组网方式，VPN可分为远程访问VPN(RemoteAcces，VPN)、企业内部VPN(IntranetVPN)和扩展的

企业内部VPN(ExtranetVPN)。远程访问虚拟专网也称为虚拟专用拨号网。

VPN传输所使用的公用网络并不一定是PI网络，也可以是帧中继、ATM等，构建在使用PI协议

的公用网络如互联网之上的VPN也常被称为IP一VPN。在VPN中，数据在公共网络传输的安全性应

由加密技术来保障。用于实现vPN技术的协议主要包括LZTP、GRE、PIesc和MPLs等。

4.2安全环境

4.2.1安全威胁

VPN面临的安全威胁主要包括:

2

GA/T686一2007

a)授权用户可能有意或无意地访问或修改未授权信息，使用未经允许的资源或向没有相关权限

的人员或组织泄漏敏感数据。

b)审计记录容量有限造成有效审计记录的丢失;审计记录未按照发生时间记录，导致无效的审

计记录分析结果。

c)VPN系统设计或结构允许绕过安全机制，而这种机制可能被不恰当的使用。

)d操作程序不充分或没有完全实施导致对信息的未授权访问或修改以及资源的不恰当使用。

)e授权用户、系统管理员或安全管理员可能有意或无意地经由隐蔽信道向未授权用户发送信息，

而这些信息未授权用户原本并无权读取。

)f未授权用户为了访问或修改信息，使用系统资源而绕过鉴别认证机制。攻击策略包括对密钥

猜测、密钥窃取、口令扫描，重放和PI地址欺骗或人侵已建立的合法会话过程。

9)有多个出人本地网络的数据通道，从而可以绕过预定的安全功能。

h)管理员可能没有始终一致或正确地解释安全策略，这可能导致违背预定的安全策略。

)1未授权用户伪装成授权用户对审计信息进行删除、修改，停止审计记录继续记录。

j)有意或者无意的设计缺陷和实现缺陷有可能被恶意用户利用，来实现他们的恶意目的。

k)对VPN安全功能的不充分测试可能导致VPN系统潜在的安全漏洞没有被发现。

)1未授权用户可能利用VPN系统资源中遗留下来授权用户的遗留信息，伪装成授权用户，进行

未授权访问。

m)恶意用户有可能用尽系统资源，造成拒绝服务攻击。

4.2.2安全应用假设

VPN安全应用假设主要包括:

a)VPN中有专门的授权用户对VPN进行管理。他们被给予充分的信任。但为防止误操作造成

的损失，应视需要增加一些约束

b)VPN文件和配置参数等数据的备份操作与安全策略是一致的。在发生系统故障或受到安全

威胁时，这些备份能够恢复VPN的操作。备份对用户是透明的，并按照安全策略自动执行。

c)实施VPN的环境是物理安全的，例如安装VPN的机房的消防措施，VPN设备的防盗防毁

等，都能保障整个VPN的环境的物理安全

)dVPN的所有授权用户受过适当的培训，应尽其能力准确地实施已制定的安全策略。

)eVPN通过公共网络进行互连，其中的路由器，通信线路能够正确地没有改动地传送数据。

)f在vPN设备上没有安装通用目的的计算或者储存能力(例如编译器、编辑器、用户应用程序

等)，不考虑它们将可能给VPN带来的安全问题。

5安全功能技术要求

5.1标识和鉴别

5.1.1用户标识

5.1.11基本标识

在用户对VPN资源访问之前，VPN安全功能应对用户进行基本标识。基本标识一般以用户名或

用户ID实现。口令的存储和传输应得到保护。

5.1.1.2唯一性标识

应确保所标识用户在VPN系统生命周期内的唯一性，并将用户标识与审计相关联。

5.1.2用户鉴别

5.1.2.1动作前鉴别

VPN安全功能应在允许任何代表该用户的其他VPN安全功能促成的动作之前，应对该用户的身

份进行成功的鉴别。应通过用户所使用设备的MAC地址或PI地址等对用户进行设备级验证。

只

GA/T6B6一2007

5.12.2同步鉴别

VPN安全功能应允许用户在被鉴别之前以该用户名义实施由VPN安全功能促成的某些动作。这

些动作用来确定鉴别自己的条件(如生成口令)。除了这些动作以外，用户在实施其他动作之前，都应先

鉴别用户的身份

5.1.23不可伪造鉴别

VPN安全功能应具有相关的安全机制能检测出已经丢弃的或复制的鉴别数据的重放操作。能检

测或防止由任何别的用户伪造的鉴别数据，同时应检测或防止当前用户从任何其他用户处复制的鉴别

数据的使用。在远程访问VPN中，应确保远程用户的鉴别信息具有加密、完整性保护和具有抗重播的

:旨育

2.4一次性使用鉴别

VPN安全功能应能提供一次性使用鉴别数据操作的鉴别机制，防止与已标识过的鉴别机制有关的

鉴别数据的重用

5.1.2.5多鉴别机制

除口令鉴别机制外，VPN安全功能应提供基于智能卡、人体生物特征(指纹、视网膜、声音)等特殊

信息进行的身份鉴别以及预共享密钥、公共密钥加密和数字证书等多种鉴别机制来进行身份鉴别。

512.6皿新鉴别

VPN安全功能应规定需要重新鉴别用户的事件，如VPN隧道的重新建立，VPN一些资源的重新

启动、用户长时间未访问资源或VPN隧道在一定时间内没有数据包的传送等。发生相关的事件后，应

对用户进行重新鉴别

5.1.3鉴别失败处理

当对用户鉴别失败的次数达到或超过某一给定值时。VPN安全功能应:

a)记录鉴别错误事件;

b)通知VPN的安全管理员;

)c终止该用户的访问;

)d当用户是远程访问时，切断与相应主机的通信。

5.1.4用户一主体娜定

对VPN系统中一个已标识和鉴别的用户，为了完成某个任务，需要激活另一个主体如〔进程)，这

时，应通过用户一主体绑定将该用户与该主体相关联，应把该用户的身份与其所有可审计行为(如用户的

登陆时间，登陆失败的次数等)相关联。

52安全审计

5.2.1安全审计的响应

当检测到可能的安全侵害事件时，VPN系统应:

a)将审计数据记人审计日志;

b)生成实时报警信息;

c)终止违例进程;

)d取消当前的服务，断开当前用户账号，并使其失效。VPN隧道终止，相关的安全关联参数失

效，需重新建立。

5.2.2安全审计数据产生

VPN安全功能应为可审计事件生成审计记录。审计记录应包括以下内容:事件的日期和时间，事

件的类型，主客体身份，事件的结果(成功或失败)。审计数据应易于理解，不被末授权修改。VPN主要

的审计事件包括:

a)审计功能的启用和关闭;

b)用户鉴别失败事件;

4

GA/T686一2007

C)授权用户的一般操作;

)d系统管理员、系统安全员、审计员和一般操作员所实施的操作;

e)vPN隧道的建立和删除;

)f连续的对同一VPN隧道的建立和删除;

9)用户数据完整性校验失败;

h)用户数据解密失败;

)1根据策略，数据包被丢弃事件;

j)审计日志存储失败;

在利用PISec实现的VPN中，审计事件还应包括:

k)对VPN安全策略数据库的修改;

)1对VPN安全关联数据库的修改。

5.23安全审计分析

a)潜在侵害分析:VPN安全功能应提供一系列规则去监控审计事件，并根据这些规则指出VPN

系统的潜在威胁;

b)基于异常检测的描述:通过对审计历史的记录，VPN安全功能应维护与每个用户相对应的质

疑等级，当用户的质疑等级超出某一门限时，VPN安全功能应指出即将发生的安全威胁;

)c简单攻击探测:VPN安全功能对有侵害性的系统事件进行分组，并做相应的描述，当检测到侵

害性事件与上述组中的相应描述相匹配时，指出一个对VPN系统攻击的到来;

)d复杂攻击探测:在简单攻击探测的基础上，VPN安全功能应能检测到多步人侵情况，并能根据

已知的事件序列模拟出完整的人侵情况，还应指出发现对VPN安全功能的潜在侵害的签名

事件或事件序列的时间。

5.2.4安全审计查阅

安全审计查阅工具应其有:

a)审计查阅:VPN安全功能应为授权用户提供获得和解释审计信息的能力当用户是人时，应

以人类可懂的方式表示信息;当用户是外部IT实体时，应以电子方式无歧义地表示审计信息。

b)有限审计查阅:在审计查阅的基础上，审计查阅工具应不准许具有读访问权限以外的用户读

取审计信息。

c)可选审计查阅:在上述有限审计查阅的基础上，审计查阅工具应具有根据准则来选择要查阅的

审计数据的功能，并根据某种逻辑关系的标准提供对审计数据进行搜索、分类、排序的能力。

5.2.5安全审计事件存储

应具有以下创建并维护安全的审计踪迹记录的能力:

a)受保护的审计踪迹存储:审计踪迹的存储应受到保护，能检测或防止对VPN系统审计记录的

修改;

b)确保审计数据的可用性:在意外情况出现时，VPN安全功能能检测或防止对审