Abstract:
With the rapid development of the Internet, network intrusion is becoming increasingly serious, and network security has become a widespread concern. Network security scanning technology is one of the important technologies in the network security field. This article gives an overview of its concept and classification, describes its two main technologies, port scanning and vulnerability scanning, and their principles in detail, compares their advantages and disadvantages, introduces the implementation principles of the various vulnerability scanning technologies, and offers some suggestions for improving known problems in vulnerability scanning.
1. Introduction
With the continuous development of the Internet, information technology has become a huge driving force for economic development and social progress: the highly computerised information resources of today's society are of great value to anyone, anytime and anywhere. Information stored on workstations, servers, or on the Internet has become a key strategic factor in success or failure, which makes information security extremely important.
Security scanning is an important type of network security technology. Working together with firewalls and intrusion detection systems, it can effectively improve network security. By scanning the network, the network administrator can understand the security configuration and application services of the network, detect security vulnerabilities in a timely manner, and objectively assess the network's risk level. Based on the scan results, the administrator can correct security vulnerabilities and misconfigurations in the system before an attacker exploits them. Where firewalls and network monitoring systems are passive defence methods, security scanning is an active preventive measure that stops attacks before they happen.
Security scanning technology is mainly divided into two categories: host security scanning technology and network security scanning technology. Network security scanning technology mainly checks for weak or unsuitable passwords in the system and for other objects that conflict with security rules; host security scanning technology simulates attacks on the system by executing script files and records the system's responses in order to detect vulnerabilities.
2. Network Security Scanning Technology Overview
2.1 Overview of Network Security Scanning Technology
Network security scanning technology remotely detects security vulnerabilities of a target network or local host over the Internet. Through network security scanning, the system administrator can detect the distribution of TCP/IP ports, open services, and web service software versions on Internet-facing web servers, as well as the security vulnerabilities of those services and software. Network security scanning also uses a proactive, non-destructive method to test whether the system can be attacked or crashed: it uses a series of scripts to simulate attacks on the system and analyses the results. This technology is usually used for simulated attack experiments and security audits. Together with firewalls and security monitoring systems, it provides a high level of security for the network.
2.2 Network Security Scan Steps and Classification
A complete network security scan is divided into three phases:
(1) Stage 1: find the target host or network.
(2) Stage 2: after discovering the target, collect further information about it, including the operating system type, the running services, and the versions of the service software. If the target is a network, the topology, routing devices, and host information of the network can also be discovered.
(3) Stage 3: based on the collected information, determine or further test whether the system has security vulnerabilities.
Network security scanning technology includes PING scanning, operating system identification, access control rule detection (firewalking), port scanning and vulnerability scanning. These technologies are applied in the three phases of a network security scan.
PING scanning is used in the first phase of a network security scan to identify whether a system is alive. Operating system detection, access control rule detection, and port scanning are used in the second phase. Operating system detection, as its name implies, identifies the operating system running on the target host; access control rule detection obtains information about a remote network protected by a firewall; port scanning connects to the target system's TCP/IP ports and checks which services are listening or running. In the third phase, vulnerability scanning is usually performed on the basis of the port scan results to detect security vulnerabilities in the target system.
Port scanning and vulnerability scanning are the two core technologies in network security scanning. They are widely used in mature network scanners, such as the well-known Nmap and Nessus. As these two technologies play such an important role in network security scanning, this article elaborates on them and their related content.
3. Port Scanning Technology
A port is a potential communication channel, and therefore also a potential intrusion channel. A port scan of the target computer yields a lot of useful information for detecting system security vulnerabilities. It lets system users understand what services the system currently provides to the outside world, and so gives them a means of managing the network.
3.1 Principle of Port Scanning Technology
Port scanning sends test packets to the TCP/IP service ports of the target host and records the target host's responses. By analysing the responses to determine whether each service port is open or closed, you can learn which services or information the port provides. Port scanning can also monitor the running status of the local host by capturing the IP packets entering and leaving the local host or server. Because it only analyses the data it receives, it helps discover some inherent vulnerabilities of the target host without providing detailed steps for entering the system.
3.2 Port Scanning Technologies
Port scanning mainly includes the classic scanner (full connection) and the so-called SYN (half-open connection) scanner. In addition, there are indirect and stealth scans.
3.2.1 Full Connection Scan
Full-connection scanning is the basis of TCP port scanning. Existing full-connection scans include TCP connect() scanning and TCP reverse ident scanning. The implementation principle of the TCP connect() scan is as follows:
The scanning host uses the TCP/IP three-way handshake to establish a complete connection to the specified port of the target host. The connection is initiated with the connect() system call. If the port is open, connect() succeeds and the connection is established; otherwise connect() returns -1 and the port is closed. At the packet level, a successful connection means the target answered the scanning host's SYN connection request with SYN/ACK, which indicates that the target port is in the listening (open) state. If the target port is closed, the target host sends an RST response to the scanning host.
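The connect() scan just described, implemented as an added example against the local host (this is not code from the article). It sets up a constructed listener on 127.0.0.1 and, going one step beyond the article's open/closed distinction, reports a port that never answers as "filtered".

```python
"""TCP connect() scan demonstrated against the local host (added example)."""
import socket

def classify_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port on host.
    connect() succeeding means the kernel completed the three-way handshake,
    i.e. the target answered our SYN with SYN/ACK (open); ECONNREFUSED means
    it answered with RST (closed); a timeout means no answer at all, which
    usually indicates a filtering device dropping the SYN ('filtered' is an
    addition to the article's open/closed distinction)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:           # includes socket.timeout
            return "filtered"

def connect_scan(host, ports, timeout=1.0):
    """Full-connection scan of the given ports; returns {port: state}."""
    return {port: classify_port(host, port, timeout) for port in ports}

def demo():
    """Constructed target: one listening and one closed port on 127.0.0.1."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: the kernel picks a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]
    # Bind and immediately close a second socket: its port is now free and
    # nothing listens on it, so a SYN to it is answered with RST.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        states = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return states, open_port, closed_port

if __name__ == "__main__":
    states, opened, closed = demo()
    for port, state in states.items():
        print(f"127.0.0.1:{port} {state}")
```

Note that connect() completes the handshake against a listening socket even though nothing ever calls accept(), which is exactly why this scan shows up in the target's connection logs.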
3.2.2 Half-Open (SYN) Scan
If the port scan does not complete a full TCP connection, only the first two steps of the handshake are performed between the scanning host and the specified port of the target host; in the third step, the scanning host breaks off the connection so that it is never fully established. Such a port scan is called a half-open scan or an indirect scan. Existing half-open scans include TCP SYN scans and IP ID header dumb (idle) scans.
The advantage of SYN scanning is that even where the scan is logged, the number of connection attempts recorded is much smaller than for a full scan. The disadvantage is that on most operating systems the sending host must construct IP packets suitable for this kind of scan itself. Generally, constructing a SYN packet requires superuser privileges or authorised access to a dedicated system call.
4. Vulnerability Scanning Technology
4.1 Principle of Vulnerability Scanning
Vulnerability scanning mainly uses the following two methods to check whether the target host has a vulnerability. First, after the port scan, the ports opened by the target host and the network services on those ports are known; this information is matched against the vulnerability library provided by the WTI system to check whether any known vulnerability applies. Second, by simulating hacker attack methods, the target host system is scanned for exploitable security vulnerabilities, such as weak passwords. If the simulated attack succeeds, the target host's system has a security vulnerability.
4.2 Classification and Implementation of Vulnerability Scanning Technology
Vulnerability scans based on a network system vulnerability library include CGI vulnerability scans, POP3 vulnerability scans, FTP vulnerability scans, SSH vulnerability scans, and HTTP vulnerability scans. These scans compare their results with the relevant data in the vulnerability library to obtain vulnerability information. Vulnerability scans also include various checks that have no corresponding vulnerability library entry, for example Unicode directory traversal vulnerability detection, FTP weak password detection, and open relay mail forwarding vulnerability detection. These scans use plug-ins (functional module technology) to simulate attacks and test the target host for vulnerability information. The implementation of these two kinds of scan is discussed below:
(1) Vulnerability library matching
A critical part of WTI is the vulnerability library it uses. Rule-based matching technology analyses network system security vulnerabilities, hacker attack cases, and system administrators' experience in configuring network system security; from these a set of standard network system vulnerability libraries is formed, and the corresponding matching rules are then derived from them, so that the scanner can perform vulnerability scanning automatically.
In this way, the completeness and effectiveness of the information in the vulnerability library determine the performance of the vulnerability scanning system. How quickly the vulnerability library can be revised and updated also affects the running time of the vulnerability scanning system. Therefore, the vulnerability library should not only contain a library file for each network service with security risks, but also meet the performance requirements mentioned above.
(2) Plug-in (Functional Module) Technology
A plug-in is a subroutine written in a scripting language that the scanning program can call to detect one or more vulnerabilities in the system. By adding a new plug-in, new features can be added to the vulnerability scanning software so that it scans for more vulnerabilities. Once the way plug-ins are written is standardised, plug-ins written in Perl, C, or a purpose-designed scripting language can be used to extend the functionality of the vulnerability scanning software. This technology makes upgrading and maintaining the vulnerability scanning software relatively simple, and the use of a specialised scripting language simplifies the programming of new plug-ins, so that the vulnerability scanning software is highly extensible.
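Rule-based library matching as described above, as an added example that is not part of the article or of any real scanner: the vulnerability library, its rule identifiers (placeholders, not real advisory numbers) and the scan results are all constructed. The third service illustrates the coverage limitation: a product with no rule in the library produces no finding.

```python
"""Rule-based matching of port-scan results against a vulnerability library
(added example; the library entries and scan results below are constructed)."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    port: int
    name: str      # service detected on the port, e.g. "ftp"
    product: str   # software identified from its banner
    version: str

def parse_version(text):
    """Turn '1.2.3' or '2.4.1p2' into a comparable tuple of integers."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

# Constructed vulnerability library: one rule per (product, affected range).
# The rule identifiers are placeholders, not real advisory numbers.
VULN_LIBRARY = [
    {"id": "LIB-RULE-0001", "product": "ExampleFTPd", "min": "1.0.0", "fixed": "1.3.0",
     "desc": "anonymous upload enabled by default (constructed)"},
    {"id": "LIB-RULE-0002", "product": "ExampleHTTPd", "min": "2.0.0", "fixed": "2.4.1",
     "desc": "directory traversal in static file handler (constructed)"},
]

def match_library(services, library=VULN_LIBRARY):
    """Return (port, rule id, description) for every rule a service matches.
    A product with no rule in the library yields nothing even if it is
    vulnerable: library coverage bounds what this method can find."""
    findings = []
    for svc in services:
        ver = parse_version(svc.version)
        for rule in library:
            if rule["product"] != svc.product:
                continue
            # affected if min <= version < fixed (the fixed release is clean)
            if parse_version(rule["min"]) <= ver < parse_version(rule["fixed"]):
                findings.append((svc.port, rule["id"], rule["desc"]))
    return findings

# Constructed port-scan results, as produced by phase 2 of a scan.
SCAN_RESULTS = [
    Service(21, "ftp", "ExampleFTPd", "1.2.3"),    # inside the affected range
    Service(80, "http", "ExampleHTTPd", "2.4.1"),  # exactly the fixed version
    Service(22, "ssh", "SomeSSHd", "9.0"),         # no rule in the library
]

if __name__ == "__main__":
    for port, rule_id, desc in match_library(SCAN_RESULTS):
        print(f"port {port}: {rule_id} - {desc}")
```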
4.3 Problems in Vulnerability Scanning and Improvement Suggestions
Existing security scanning systems use the two methods above to scan for vulnerabilities, but each method has shortcomings to varying degrees. The problems of the two methods and corresponding suggestions are described below:
(1) System configuration rule library problems
The network system vulnerability library is the soul of library-based vulnerability scanning, and system vulnerability validation is based on the system configuration rule library. However, such a rule library has its limitations:
① If the rule library is designed inaccurately, the prediction accuracy is not even worth discussing;
② It is organised and planned around known security vulnerabilities, while many dangerous threats to a network system come from unknown vulnerabilities. Consequently, if the rule library is not updated in time, the prediction accuracy gradually decreases;
③ Because of the limited coverage of the vulnerability library, some system vulnerabilities may trigger no rule at all and so go undetected.
Improvement suggestion: the system configuration rule library should be continually extended and corrected, which amounts to extending and correcting the system vulnerability library. This can only be achieved with the guidance and participation of experts.
(2) Vulnerability library information requirements
Leakage