With their rapid development, networks have become an indispensable part of computer applications. However, the risk of and opportunities for network attacks are growing just as rapidly. How to establish a reasonable network security system has become a hot issue in the networking field.
Currently, developers cannot guarantee that the software they develop is free of vulnerabilities. At the same time, it is difficult for network security personnel to inspect massive network information flows in real time, discover attack information, and take effective measures. To address these problems, this paper proposes using virtualization technology for software isolation and discusses the advantages and disadvantages of isolation technology. It also proposes a solution for network security intrusion detection: it discusses the advantages and disadvantages of several intrusion detection systems and describes a scheme for detecting intrusions in high-traffic networks. Finally, building on the virtualization technology, this paper describes a deployment scheme for intrusion detection based on virtual terminals.
2.1 Virtualization Technology
A vulnerability in one program can affect the running of other programs and even the entire server. Therefore, when the security of the program itself cannot be guaranteed, we need to weaken or cut off the direct connection between that program and other programs, and even the server, and treat the program as an independent unit. In this way, even if the program crashes, the running of other programs is not affected. MiU's research report on today's operating systems and application software shows that it is impossible for software to have no vulnerabilities.
Therefore, we introduce the widely used virtual machine technology into the security maintenance of the server. A virtual machine provides applications with an identical but independent operating environment.
The advantages of virtualization protection are as follows:
1. A separate runtime environment is virtualized for each program, which directly eliminates interaction between programs. All operations are confined to the program's own virtual environment. Therefore, if a program crashes, at worst it brings down only its own virtual environment and does not affect other programs.
2. Because a program's running environment is virtualized, you can build an environment suited to that program and allocate enough system resources for it to run, which avoids program incompatibility.
3. Because the maximum resources a program can use are determined by its virtual environment, one program cannot seize resources and make other programs unavailable. This ensures program stability and concurrency.
4. Because the program runs in a virtual environment, it is highly portable. As long as another platform provides the same virtual environment, the program can be migrated stably.
5. A virtualized environment can record its running information at each point in time. With this information, the virtual environment can easily be rolled back to an earlier point in time. Because the virtual environment is independent, the rollback does not affect other programs.
However, virtualization technology requires a virtual environment to be configured for each program, so it does increase the overhead on system resources.
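Items 1 and 3 above, shown with a process-level stand-in (an added example, not from the original paper): each constructed workload runs in its own child process under a POSIX rlimit ceiling instead of a full virtual machine. It assumes Linux; MEM_CAP, run_isolated and the three workloads are hypothetical names chosen for illustration.

```python
import resource
import subprocess
import sys

MEM_CAP = 1 << 30  # constructed value: 1 GiB address-space ceiling per environment


def _confine():
    """Runs in the child before exec: fix the environment's resource ceiling."""
    for limit, value in ((resource.RLIMIT_AS, MEM_CAP), (resource.RLIMIT_CORE, 0)):
        _, hard = resource.getrlimit(limit)
        if hard != resource.RLIM_INFINITY:
            value = min(value, hard)  # an unprivileged process cannot exceed its hard limit
        resource.setrlimit(limit, (value, value))


def run_isolated(code):
    """Run a Python snippet in its own capped process; return (status, stdout, stderr)."""
    proc = subprocess.run([sys.executable, "-c", code], preexec_fn=_confine,
                          capture_output=True, text=True, timeout=30)
    return proc.returncode, proc.stdout.strip(), proc.stderr


# Constructed workloads standing in for three programs hosted on one server.
GREEDY = "buf = bytearray(1 << 31)"   # asks for 2 GiB, twice the ceiling
CRASHER = "import os; os.abort()"     # dies with SIGABRT
HEALTHY = "print(sum(range(1000)))"


def demo():
    before = resource.getrlimit(resource.RLIMIT_AS)
    greedy = run_isolated(GREEDY)
    crasher = run_isolated(CRASHER)
    healthy = run_isolated(HEALTHY)
    return {
        "greedy_denied": greedy[0] != 0 and "MemoryError" in greedy[2],
        "crash_contained": crasher[0] < 0,   # negative status: child killed by a signal
        "healthy_output": healthy[1],
        "host_limits_unchanged": resource.getrlimit(resource.RLIMIT_AS) == before,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The ceiling is applied in the child only, so the greedy and crashing workloads fail inside their own environment while the healthy one and the parent keep running.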
2. Application Deployment
In practice, we can use VMware, Sandboxie, and Returnil Virtual System to build a multi-layer virtual environment.
VMware allows you to run two or more Windows, DOS, and Linux systems simultaneously on one machine.
Returnil Virtual System is a product of Returnil SIA, a well-known security company in Europe. It is virtual machine-based subsystem software that instantly protects your computer behind an isolation layer. A substitute "shadow" system held in memory takes over from the real operating system, and every operation is confined to this virtual system, so nothing can infect your real operating system.
Sandboxie builds a sandbox environment for a running program, so the program's operations are confined to the virtual environment that Sandboxie builds for it and do not affect other software.
Therefore, on a single server, we first use VMware to build virtual computers that use different operating systems. Next, we use Returnil Virtual System in each VM environment to build a shadow subsystem. Finally, we use Sandboxie on this subsystem to run the services or programs we need to start.
The programs run in sandboxes and do not affect each other. A program that needs to interact with the operating system or execute operating-system-level commands can access only the shadow subsystem. The virtual computers provide the different operating system environments required by different programs. In this case, no matter what happens, the real operating system will not be affected.
This paper compares the data of Apache during normal access. At the expense of a limited amount of computer resources, a high security factor is obtained, and this paper considers the trade-off worthwhile.