1、安全評估培訓課件ToC安全評估準則DOD/TCSEC橘皮書DOD/TNI紅皮書ITSECCSSCNIST/FIPSCCBS7799密碼設備的評估安全方案的規劃需求分析具體方案基礎設施產品規劃關于安全評估需要什么樣的安全使用什么技術買什么產品對產品的評估如何部署和實施對運行系統的現狀的評估標準：關于建立、評估、審計沿革關系TCSEC/85/AM ITSEC/90/EU CTCPEC/90/CA FC/91/AM CC/95 (99IS)BS7799/95/EN ISO17799/2000/ISODOD/TCSECTCSEC 1983/1985 (Orange Book)Trusted Compu

2、ter System Evaluation Criteria Rainbow Series by NIST/NCSCgoto “TCSEC.htm”TCSEC 4個級別按照安全性遞減定義了ABCD4個級別D級，評估達不到更高級別的系統C級，自主保護級 B級，強制保護級A級，驗證保護級/t/tc/tcsec.htmlC級 自主保護級 C級具有一定的保護能力，采用自主訪問控制和審計跟蹤 一般只適用于具有一定等級的多用戶環境具有對主體責任及其動作審計的能力C1級 自主安全保護級隔離用戶與數據，使用戶具備自主安全保護的能力 為用戶提供可行的手段，保護用戶和用戶組信息，避免其他用戶對數據的非法讀寫與破壞

3、適用于處理同一敏感級別數據的多用戶環境 C2級 控制訪問保護級比C1級具有更細粒度的自主訪問控制通過注冊過程控制、審計安全相關事件以及資源隔離，使單個用戶為其行為負責 B級 強制保護級B級維護完整的安全標記，并在此基礎上執行一系列強制訪問控制規則主要數據結構必須攜帶敏感標記提供安全策略模型以及規約應提供證據證明訪問監控器得到了正確的實施 B1級 標記安全保護級要求具有C2級系統的所有特性 應提供安全策略模型的非形式化描述、數據標記以及命名主體和客體的強制訪問控制消除測試中發現的所有缺陷-B2級 結構化保護級要求將B1級系統中建立的自主和強制訪問控制擴展到所有的主體與客體鑒別機制應得到加強，提供

4、可信設施管理以支持系統管理員和操作員的職能提供嚴格的配置管理控制B2級系統應具備相當的抗滲透能力-B3 安全區域保護級安全管理員職能擴充審計機制當發生與安全相關的事件時，發出信號提供系統恢復機制系統具有很高的抗滲透能力A級 驗證保護級A級使用形式化的安全驗證方法，保證系統的自主和強制安全控制措施能夠有效地保護系統中存儲和處理的秘密信息或其他敏感信息為證明滿足設計、開發及實現等各個方面的安全要求，系統應提供豐富的文檔信息A1級 驗證設計級在功能上和B3級系統是相同的要求用形式化設計規范和驗證方法來對系統進行分析，確保按設計要求實現-超A1級系統體系結構安全測試形式化規約與驗證可信設計環境等TNI

5、TNITrusted Network Interpretation of the TCSEC Goto“TNI.htm”“TNIEG.htm”ContentPart IPart IIAPPENDIX A, B, CTNI / IPart I of this document provides interpretations of the Department of Defense Trusted Computer System Evaluation Criteria (TCSEC) (DOD-5200.28-STD), for trusted computer/communications n

6、etwork systems. The specific security feature, the assurance requirements, and the rating structure of the TCSEC are extended to networks of computers ranging from isolated local area networks to wide-area internetwork systems.TNI / IIPart II of this document describes a number of additional securit

7、y services (e.g., communications integrity, denial of service, transmission security) that arise in conjunction with networks. Those services available in specific network offerings, while inappropriate for the rigorous evaluation applied to TCSEC related feature and assurance requirements, may rece

8、ive qualitative ratings.ITSECITSEC by European UnionInformation Technology Security Evaluation CriteriaGoto “itsec-en.pdf”Ex遞增E0無安全保證E1有安全目標和關于體系結構設計的非形式化描述E2對詳細設計有非形式化的描述-E3評估源代碼或硬件設計圖E4有對安全目標/策略的基本形式模型E5設計和源代碼/硬件有緊密的對應關系E6安全功能/體系結構設計與安全目標/策略模型一致CSSCCTCPECCSSC: CTCPECGoto “ctcpec1.pdf”Canadian Syst

9、em Security Centre: Canadian Trusted Computer Product Evaluation CriteriaIt is a computer security standard comparable to the American TCSEC (Orange Book) but somewhat more advanced. It has been superseded by the international Common Criteria standard.可和TCSEC相比，但更進步已被國際標準CC替代NIST/FIPSNational Instit

10、ute of Standards and Technology, Federal Information Processing Standards Publications“sp800-12_The NIST Security Handbook.pdf”/fipspubs/CCCommon Criteria for Information Technology Securitywith the aim of replacing existing criteria (FC/TCSEC, ITSEC, CTCPEC) with a single international standard: th

11、e Common Criteria (CC). Goto “CC_*.*”links/cc/Documents/dictionary/cc.htmCC 3PartsPart 1Introduction and General ModelPart 2Security Functional Requirements AnnexesPart 3Security Assurance Requirementsrefto:/addon_11/CC_Overview.pptCC / EALEvaluation Assurance LevelsEAL1：功能測試EAL2：結構測試EAL3：系統測試和檢查EAL

12、4：系統設計、測試和復查EAL5：半形式化設計和測試EAL6：半形式化驗證的設計和測試EAL7：形式化驗證的設計和測試EAL1: Functional TestConfidence in current operation is requiredNo assistance from TOE developerApplicable where threat to security is not seriousIndependent testing against specification and guidance documentation EAL2: Structural TestRequi

13、res some cooperation of the developerAdds requirements for configuration list, delivery, high-level design documentation, developer functional testing, vulnerability analysis, and more extensive independent testingEAL3: Methodical Test and CheckRequires some positive security engineering at the desi

14、gn stage, with minimal changes to existing practicesAdded assurance through investigation of product and development environment controls, and high-level design documentationPlaces additional requirements on testing, development environment controls and TOE configuration managementEAL4: Methodical D

15、esign, Test, and ReviewHighest level likely for retrofit of an existing productAdditional requirements on design, implementation, vulnerability analysis, low level design documentation, development and system automated configuration management, and an informal security policy modelEAL5: Semiformal D

16、esign and TestHigher assurance, risk situations where some penetration resistance is neededRequires rigorous commercial development practices and moderate use of specialist engineering techniquesAdditional requirements on semi-formal functional specification, high-level design, and their corresponde

17、nce, vulnerability, and covert channel analysisEAL6: Semiformally Verified Design and TestedHigh Assurance - where penetration resistance is necessaryAdditional requirements on analysis, layered TOE design, semi-formal low-level design documentation, complete CM system automation and a structured de

18、velopment environment, and vulnerability/covert channel analysisEAL7: Formally Verified Design and TestedHighest assurance where high resistance to penetration is necessaryAssurance is gained through application of formal methods in the documentation of the functional specification and high-level de

19、sign Additional requirements for complete developer testing and complete independent confirmation of the test resultsCOMP CCTCSECITSEC-DE0EAL1-EAL2C1E1EAL3C2E2EAL4B1E3EAL5B2E4EAL6B3E5EAL7A1E6BS7799BS7799by BSI the British Standards Institution2000, ISO/17799Goto: “BS7799-1_1999(ISO).doc”Two partsISO

20、17799BS7799-2BS7799s介紹有關敏感資料管理的國際認可標準，強調資料的保密性及完整性。此標準可分為兩部份：首部份為準則部份，旨在協助機構確認其運作對資料保密方面的影響，這項準則已納入ISO品質認證的范疇之內（ISO 17799認證），涵蓋10大范疇，127控制點；次部份為施行細則，是有關資料保密管理系統 Information Security Management System 的架構、目標以及監控。BS7799認證標準早于一九九五年確立，旨在協助各行各業及政府機構加強資料保安，一直獲各地機構廣泛采用，某些國家政府更將BS7799認證列為全國通用的標準。Parts 1, 2P

21、art 1: ISO/IEC 17799:2000 the standard code of practice and can be regarded as a comprehensive catalogue of good security things to do. Part 2: BS7799-2:2002 Specify for security management a standard specification for an Information Security Management Systems (ISMS). An ISMS is the means by which

22、Senior Management monitor and control their security, minimising the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements. ToC of P1Information security policy Security organization Assets classification and control Personal security Physic

23、al and environmental security Computer and network management System access control System development and maintenance Business continuity planning ComplianceBS7799認證BS7799認證咨詢/fwxm/rzzx/BS7799.htm/m01.htmlinksBS7799/BSI/Corporate/17799.xalterThe ISO17799 Toolkit/index.htmBS7799 SECURITY ZONE http:/

24、www.thewindow.to/bs7799/index.htm對密碼設備的評估國內相關的法規商用密碼管理條例國外NIST FIPS 140-2/cryptval/140-2.htm/cryptval/Goto“fips140-2.pdf”“fips140-2_SL.1-4.txt”“fips140faq.htm”Security Level 1/ 該級提供安全的最低水平。不要求物理安全機制。一個例子就是PC機加密板。/ 該級允許在未經評估的一般商用機器系統上運行你的密碼模塊。這主要是為了方便一些低安全需求的場合?！癴ips140-2_SL.1-4.txt”Security Level 2/

25、 該級增加了防干擾或竄改的物理安全機制要求，包括封裝、封條、防撬等。/ 該級要求最小的基于角色的認證。/ 該級允許相關部件運行在具有EAL2/CC安全級別的計算系統上。Security Level 3/ 該級阻止試圖對密碼模塊的入侵，并在必要時自毀敏感信息。/ 該級要求基于標識的認證機制。/ 該級系統得具有EAL3/CC安全級。Security Level 4/ 該級對密碼模塊提供徹底的封裝保護，能探測到非授權的物理訪問，并能及時的刪除所有明文信息。/ 必須考慮外部的高溫、高壓導致的操作失效；非正常操作可以引發故意的內部爆炸。/ 該級系統得運行在EAL4/CC以上安全級上。LinksTCSEC/FIPS 140 Security Requirements for Cryptographic Modul