The necessity of a network vulnerability scanning system

Source: Internet
Author: User

With the rapid development and spread of computer and network technology, network security has become one of the issues people pay the most attention to. In recent years security technology and security products have made considerable progress, and some of them have become fairly mature. However, each individual security technology or product has limits to its functionality and performance and can only meet specific security requirements of a system or network. How to use the existing security technologies and products effectively to secure systems and networks has therefore become one of the current research hotspots in the field of information security.

First, let us look at the two security devices most widely used on networks today: the firewall and intrusion detection. To use the network safely, we must understand their limitations and weaknesses.

  I. Limitations and vulnerabilities of firewalls

A firewall is a combination of components placed between networks of different trust levels, such as a trusted enterprise intranet and an untrusted public network, or between network security domains. It is the only path for information between those networks or domains; it can control (permit, deny, monitor) network traffic according to the enterprise's security policy, and it is itself quite resistant to attack. It is the basic infrastructure for providing network and information security services, but it has its limitations.

1. A firewall cannot prevent attacks that do not pass through it. Data that never passes through the firewall cannot be inspected by it; dial-up Internet access is one example.

2. A firewall cannot solve attacks and security problems that originate on the internal network. "Tight outside, loose inside" is the typical state of a local network, and a closely guarded firewall may sit in front of an internal network that is a mess. For example, an attacker uses social engineering to send a mail carrying a Trojan, or a link to one; once the infected machine actively connects back to the attacker, the firewall, however much it resembles an iron wall, is defeated at once. For attacks between hosts inside the firewall, the firewall can only stand by as a helpless bystander.

3. A firewall cannot prevent security threats caused by newly emerged attack patterns or by incorrect configuration. The firewall's rules are set only after experts have analyzed an attack pattern. If an attacker with a brand-new host vulnerability chooses your network for the first attack, the firewall cannot help you.

4. A firewall cannot prevent man-made or natural physical damage. A firewall is a security device, but the firewall itself must be located in a secure place.

5. A firewall cannot solve vulnerabilities in protocols such as TCP/IP. The firewall is itself built on TCP/IP and related protocols, so it cannot resolve weaknesses in how TCP/IP operates; DoS and DDoS attacks are examples.

6. A firewall mostly cannot stop attacks against ports the server legitimately exposes. Examples are exploiting an open port 3389 on a Win2K host without the SP patch, or attacking through ASP scripts. Because such traffic looks "reasonable" and "legitimate" at the firewall level, it is simply let through.

7. A firewall cannot prevent the transfer of virus-infected files. The firewall itself has no anti-virus capability, and even where third-party anti-virus software is integrated, no software can catch every virus.

8. A firewall cannot prevent data-driven attacks. A data-driven attack occurs when seemingly harmless data is mailed or copied to an intranet host and then executed.

9. A firewall cannot prevent internal leaks. If a legitimate user inside the firewall deliberately leaks information, the firewall is powerless.

10. A firewall cannot remove the threat of its own security vulnerabilities. Firewalls protect others but cannot always protect themselves, because there is no guarantee that a firewall has no vulnerabilities. A firewall is also an operating system with its own hardware and software, so it still has vulnerabilities and bugs, and it may itself fall victim to attacks or to hardware and software failures.

  II. IDS evasion techniques

A firewall has many limitations, and at the same time, sitting at the gateway, it cannot make too many judgments about inbound and outbound attacks without seriously degrading network performance. If the firewall is the doorman, intrusion detection is the network's always-on camera: it monitors network data out of band (on a bypass), has no impact on the operation or performance of the network, determines whether an attack is being attempted, and alerts the administrator by various means. It can discover attacks from outside as well as malicious behavior inside. Intrusion detection is therefore the second gate of network security and a necessary complement to the firewall; together they form a complete network security solution. However, because of the inherent limitations of a network intrusion detection system (NIDS), the black-hat community keeps introducing new techniques to evade or bypass it, and the balance is tilting in the black hats' favor.

  1. The weakness of string matching

By combining string processing with character substitution, an attacker can disguise a string in many ways. For a Web request, no command interpreter is needed: the request can carry the path in hexadecimal URL encoding, which the target Web server decodes back to /etc/passwd:
   GET %65%74%63/%70%61%73%73%77%64
or
   GET %65%74%63/%70a%73%73%77d
To catch every variant of this one string by string matching, an IDS might need more than 1000 signatures, and that is before Unicode is considered!

 2. Session splicing (session splitting would be a more accurate name)

Session splicing places the session data across multiple packets:

+-------------------------+
| Packet number | Content |
|---------------+---------|
| 1 | G |
|---------------+---------|
| 2 | E |
|---------------+---------|
| 3 | T |
|---------------+---------|
| 4 | 20 |
|---------------+---------|
| 5 | / |
|---------------+---------|
| 6 | H |
+---------------+---------+

In this way only a few bytes of data are sent in each packet, which bypasses the monitoring of a string-matching intrusion detection system that inspects packets individually.
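As an added illustration (not code from the original article), the defender-side answer to both the hex-encoding evasion and the session-splicing evasion described above is the same: reassemble the stream and normalize it before matching, instead of matching each packet's raw bytes against hundreds of encoded signatures. The sample requests are constructed from the article's /etc/passwd example; `naive_match` shows what a per-packet raw matcher sees, `matches` what a reassembling, decoding matcher sees.

```python
from urllib.parse import unquote

SIGNATURE = "/etc/passwd"

# Constructed samples based on the article's example request.
HEX_REQUEST = "GET /%65%74%63/%70%61%73%73%77%64 HTTP/1.0"
MIXED_REQUEST = "GET /%65%74%63/%70a%73%73%77d HTTP/1.0"
DOUBLE_ENCODED = "GET /%2565tc/passwd HTTP/1.0"      # %25 decodes to '%'
SPLICED = list("GET /etc/passwd HTTP/1.0")           # one byte per packet


def naive_match(segments, signature=SIGNATURE):
    """Per-packet raw matching: this is exactly what session splicing defeats."""
    return any(signature in seg for seg in segments)


def reassemble(segments):
    """Concatenate TCP segment payloads in stream order before inspection."""
    return "".join(segments)


def normalize(request):
    """Canonicalize a request line: percent-decode until the string stops
    changing (collapses double encoding), fold case, collapse '//' runs."""
    prev, cur = None, request
    while prev != cur:
        prev, cur = cur, unquote(cur)
    cur = cur.lower()
    while "//" in cur:
        cur = cur.replace("//", "/")
    return cur


def matches(segments, signature=SIGNATURE):
    """Reassemble, normalize, then match one canonical signature."""
    return signature.lower() in normalize(reassemble(segments))


if __name__ == "__main__":
    for name, segs in [("hex", [HEX_REQUEST]), ("mixed", [MIXED_REQUEST]),
                       ("double", [DOUBLE_ENCODED]), ("spliced", SPLICED)]:
        print(f"{name:8} naive={naive_match(segs)!s:5} normalized={matches(segs)}")
```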

 3. Fragmentation attack

A so-called fragment overlap is the sending of a fragment that overwrites data in the previous fragment. For example:
   Fragment 1: GET x.idd
   Fragment 2: a? (buffer overflow data)
The first character of the second fragment overwrites the last character of the first fragment, so the two fragments reassemble into GET x.ida? (buffer overflow data).
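An added example (not part of the original article) of why this is hard for a NIDS: reassembling the two fragments under different overlap policies yields different requests, and a sensor that guesses the wrong policy for the protected host inspects something other than what the host executes. The fragment offsets and the placeholder "AAAAAAAA" standing in for the overflow data are constructed to model the article's example.

```python
# Constructed fragments modelled on the article's example. A fragment is
# (byte offset, payload); fragment 2 starts at offset 8, one byte before
# fragment 1 ends, so its first byte 'a' collides with fragment 1's last 'd'.
FRAG1 = (0, b"GET x.idd")
FRAG2 = (8, b"a?AAAAAAAA")   # 'AAAAAAAA' is a placeholder for the overflow data


def reassemble(fragments, policy):
    """Rebuild the datagram from fragments in arrival order.

    policy == "last":  a later fragment overwrites bytes already received.
    policy == "first": bytes already received are kept; later data is dropped.
    A NIDS using a different policy than the target host reassembles a
    different request than the one the host actually sees.
    """
    size = max(off + len(p) for off, p in fragments)
    buf = bytearray(size)
    filled = [False] * size
    for off, payload in fragments:
        for i, b in enumerate(payload):
            pos = off + i
            if policy == "last" or not filled[pos]:
                buf[pos] = b
            filled[pos] = True
    return bytes(buf)


def overlapping_bytes(fragments):
    """Return the set of byte positions covered by more than one fragment.
    Normal fragmentation never overlaps, so a non-empty result is itself a
    strong signal worth alerting on, whatever overlap policy is in use."""
    seen, dup = set(), set()
    for off, payload in fragments:
        for pos in range(off, off + len(payload)):
            if pos in seen:
                dup.add(pos)
            seen.add(pos)
    return dup


if __name__ == "__main__":
    frags = [FRAG1, FRAG2]
    print("last-wins :", reassemble(frags, "last"))
    print("first-wins:", reassemble(frags, "first"))
    print("overlap at:", sorted(overlapping_bytes(frags)))
```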

  4. Denial of service

A more brutal method is denial of service: consuming the processing power of the detection device so that the real attack escapes detection; filling its disk so that it can no longer log; generating more alarms than it can process; making it impossible for the system administrator to act on some alarms; or suspending the detection device altogether. Such attacks on the IDS are hard to trace and are therefore very difficult to deal with.

  III. An overview of network vulnerability scanning systems

The ideal way to deal with attempted sabotage is of course to build a completely secure, flaw-free system, but in practice this is impossible. Miller of the University of Wisconsin, USA, published a study of today's popular operating systems and applications pointing out that no software can be assumed free of bugs or flaws.

A practical approach, therefore, is to build a security system that is relatively easy to implement and, following a defined security policy, a supporting security system alongside it; a vulnerability scanner is such a system. Given the current state of system security, systems do contain holes and therefore latent security threats; but if, for the specific application environment, we discover these holes early through network scanning and promptly take the appropriate measures to repair them, intrusions can be effectively prevented. Remediation after the fact is valuable, but for critical business, where the one-in-ten-thousand case is what matters, preparing in advance is the ideal state.

So how do we choose a professional network vulnerability scanning system? Generally speaking, it should meet the following criteria:

  1. Whether it has passed the relevant national certifications

At present the authoritative national security product certification bodies include the Ministry of Public Security Information Security Product Evaluation Center, the National Information Security Product Evaluation Center, the PLA Security Product Evaluation Center, and the National Secret Service Evaluation and Certification Center.

 2. Number of vulnerabilities and upgrade speed

The number of vulnerabilities is an important indicator for a vulnerability scanner: the number of recent vulnerabilities, the method of updating and upgrading the vulnerability library, and whether a non-specialist can perform the upgrade all matter, so the upgrade frequency of the vulnerability library is especially important. For example, the rj-itop network vulnerability scanning system is updated once a week, and its vulnerability count reached 1502 (as of July 9, 2004).

 3. Security of the product itself

The security of the operating system platform the scanner runs on, and how the product itself holds up under attack, are factors users should consider. For example, the rj-itop network vulnerability scanning system is a combined hardware and software product with a specially optimized Linux system, unnecessary ports and services shut down, and data transmission encrypted.

 4. Whether it supports the CVE international standard

The goal of CVE is to provide standardized names for all publicly known vulnerabilities and security exposures, giving enterprises better coverage, easier cooperation between tools, and enhanced security.

 5. Whether it supports distributed scanning

A product with distributed scanning is flexible, easy to deploy, and able to scan through firewalls. Because a network is no longer a single flat segment but is divided into VLANs, some of the packets sent by a central scanner are filtered by routers and firewalls, reducing the accuracy of the scan.

Deploying firewalls and IDS within the network does not mean our network is absolutely secure, but a properly configured firewall and IDS will at least make our network stronger and provide more attack information for our analysis. Firewalls, anti-virus, intrusion detection and vulnerability scanning are the protection and detection links respectively in the PDR and P2DR models. These security technologies are organized around the security policy in an orderly way, coordinating and interacting with one another, and constitute a dynamic, adaptive defense system.

Finally, the saying still holds: "no technology in the world can truly guarantee absolute security."

Security is a comprehensive problem, from devices to people, from every service program on the server to the firewall, IDS and other security products. The work done on any one link is only one step toward security.
