Necessity for network vulnerability scanning system

zhaozj, 2021-02-16

With the rapid development and spread of computer and network technology, network security has become one of the issues attracting the most attention. In recent years security technology and security products have made great progress, and some techniques and products have matured considerably. However, any single security technology or product has limits in both function and performance and can only satisfy specific security needs of a system or network. How to make effective use of existing security technologies and products to protect systems and networks has therefore become one of the research hotspots of current information security.

First, let us look at the two most common security devices on today's networks: the firewall and intrusion detection. To use a network safely, it is necessary to understand their limitations and weaknesses.

First, the limitations and weaknesses of firewalls

A firewall is a combination of components placed between different networks (for example a trusted internal enterprise network and an untrusted public network) or between network security domains. It is the only entry point for information passing between those networks or security domains, so it can control (allow, refuse, monitor) the information flow entering the network according to the enterprise's security policy, and it must itself be strongly resistant to attack. It is the infrastructure that provides information security services and realizes network and information security, but it also has limitations.

1. A firewall cannot prevent attacks that do not pass through it. Data that never reaches the firewall cannot be checked by it, for example traffic over a dial-up Internet connection.

2. A firewall cannot solve attacks and security problems originating inside the network. "Tight on the outside, loose on the inside" is typical of local area networks: behind a strictly configured firewall often lies a disorderly internal network. If a user inside receives an e-mail carrying a Trojan horse or opens a URL carrying one, and the attacker then connects to that machine from outside, a firewall as solid as an iron wall collapses in an instant. Likewise, for attacks between hosts inside the network, the firewall can only stand by as a bystander.

3. A firewall cannot prevent security threats arising from an inappropriate policy or a misconfiguration, nor the newest threats. A firewall's policies are set on the basis of attack characteristics identified after an attack method has been analysed. If a cracker chooses your host as the first target of a newly discovered vulnerability, the firewall has no way to help you.

4. A firewall cannot prevent damage by people or by natural disasters. The firewall is a security device, but the firewall itself must be kept in a safe place.

5. A firewall cannot solve the weaknesses of TCP/IP and other protocols. The firewall itself is built on TCP/IP, so it cannot remove the vulnerabilities of TCP/IP operation; DoS and DDoS attacks are an example.

6. A firewall cannot stop attacks that come through a legitimately open port on a server. Examples are using an open port 3389 on a host that lacks the service-pack patch to obtain administrator privileges, or using an ASP program for a script attack. Because such behaviour looks "reasonable" and "legitimate" at the firewall level, it is simply let through.

7. A firewall cannot prevent the transfer of virus-infected files. The firewall has no virus-scanning function, and even if third-party antivirus software is integrated, no software can catch every virus.

8. A firewall cannot prevent data-driven attacks. A data-driven attack happens when data that appears harmless on the surface is sent to or copied onto a host on the internal network.

9. A firewall cannot prevent leaks from inside. If a legitimate user inside the firewall actively discloses information, the firewall can do nothing about it.

10. A firewall cannot prevent threats caused by its own security vulnerabilities. A firewall protects others but sometimes cannot protect itself, because at present no manufacturer can guarantee that its firewall has no security vulnerabilities. A firewall also runs an OS and has its own hardware and software, so it too has vulnerabilities and bugs; it can therefore fail under attack or through hardware or software faults.

Second, evasion techniques against IDS

The firewall has many limitations, and because it sits at the gateway it cannot spend too much effort judging whether inbound and outbound traffic is an attack, or network performance would suffer badly. If the firewall is like a doorkeeper, intrusion detection is a camera that never stops running inside the network: it collects network data out of band, in bypass mode, without affecting the operation or performance of the network, judges whether the data contains an attack attempt, and alerts the administrator by various means. It can detect not only external attacks but also malicious behaviour from inside. Intrusion detection is therefore the second gate of network security, the necessary complement to the firewall; together they form a complete network security solution. However, because of the limitations of NIDS itself, black hats keep introducing new techniques for avoiding or bypassing network intrusion detection systems, and the balance is tilting towards the black hats.

1. The weakness of string matching

By combining string-processing and character-substitution techniques, a string can be disguised in complex ways. For web requests no command interpreter is even needed: using hexadecimal (percent-encoded) URLs in the request, each of the following requests is interpreted by the target web server as /etc/passwd:

GET %65%74%63/%70%61%73%73%77%64

or

GET %65%74%63/%70a%73%73%77d

To catch every variant of this string, an IDS might need more than 1,000 signatures, and that is before Unicode is even considered!
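As an added, defender-side example that is not part of the original article: the normalization step an IDS can apply before string matching, so that all of the encoded variants above collapse to a single signature. The signature string and the sample requests are constructed for illustration.

```python
import re

# Constructed sample signature: the canonical string the IDS wants to catch.
SIGNATURE = "etc/passwd"
_HEX = set("0123456789abcdefABCDEF")

def percent_decode(s: str) -> str:
    """Decode %XX escapes in either case; malformed escapes are left as-is.
    Mixed literal/encoded text ("%70a%73%73%77d") decodes to the same string
    as the fully encoded form, so every variant collapses to one canonical form."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "%" and i + 2 < len(s) and s[i + 1] in _HEX and s[i + 2] in _HEX:
            out.append(chr(int(s[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def normalize_request(raw: str) -> str:
    """Canonicalize a request line before signature matching.
    Decoding runs twice to unwrap double encoding (%2565 -> %65 -> e).
    Caveat: the number of passes must mirror what the protected web server
    really does, otherwise the IDS and the target decode differently.
    Repeated slashes are collapsed so that "etc//passwd" also matches."""
    return re.sub(r"/+", "/", percent_decode(percent_decode(raw)))

def matches_signature(raw: str, signature: str = SIGNATURE) -> bool:
    """One signature against the normalized request replaces ~1,000 variants."""
    return signature in normalize_request(raw)

# Constructed sample requests: the two variants from the article, a
# double-encoded one, and a benign request.
SAMPLES = [
    "GET %65%74%63/%70%61%73%73%77%64",
    "GET %65%74%63/%70a%73%73%77d",
    "GET %2565tc/pass%2577d",
    "GET /index.html",
]

def evaluate(samples=SAMPLES):
    """Return {request: (naive raw-substring hit, hit after normalization)}."""
    return {r: (SIGNATURE in r, matches_signature(r)) for r in samples}
```

The naive raw-substring check misses every encoded variant, while the normalized check catches all three with one signature and leaves the benign request alone.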

2. Session splicing (session splitting would be a more fitting name)

That is, the session data is spread over many packets:

| Packet number | Content |
|---------------|---------|
| 1 | G |
| 2 | E |
| 3 | T |
| 4 | 20 (space) |
| 5 | / |
| 6 | H |

In this way only a few bytes of data are delivered at a time, which may evade an intrusion detection system that relies on string matching.

3. Fragmentation attacks

So-called fragmentation means splitting the data into fragments before transmitting it. For example:

Fragment 1: GET X.IDD

Fragment 2: A?(buffer overflow data)

The first byte of the second fragment overwrites the last byte of the first. After the two fragments are reassembled, the result is GET X.IDA?(buffer overflow data).
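An added example, not from the original article, that covers both the session-splicing and the fragmentation cases above from the detection side: the IDS reassembles the fragments before matching and flags overlapping fragments that carry conflicting bytes. The offsets, the signatures and the "<payload>" placeholder standing in for the buffer overflow data are constructed.

```python
from typing import Dict, List, Tuple

Fragment = Tuple[int, bytes]   # (byte offset within the stream, payload)

def reassemble(fragments: List[Fragment]) -> Tuple[bytes, List[Tuple[int, int, int]]]:
    """Rebuild the stream from fragments and record conflicting overlaps.
    Returns (stream, conflicts); each conflict is (offset, old_byte, new_byte)
    for a position that two fragments fill with different data. Later
    fragments win here, but operating systems disagree on that policy, so an
    IDS should alert on the conflict instead of trusting its own choice.
    Gaps in the stream are filled with 0x00."""
    buf: Dict[int, int] = {}
    conflicts: List[Tuple[int, int, int]] = []
    for offset, data in sorted(fragments, key=lambda f: f[0]):
        for k, b in enumerate(data):
            pos = offset + k
            if pos in buf and buf[pos] != b:
                conflicts.append((pos, buf[pos], b))
            buf[pos] = b
    stream = bytes(buf.get(i, 0) for i in range(max(buf) + 1)) if buf else b""
    return stream, conflicts

def per_packet_match(fragments: List[Fragment], signature: bytes) -> bool:
    """Naive IDS: inspect each packet in isolation (what splicing defeats)."""
    return any(signature in data for _, data in fragments)

def inspect_stream(fragments: List[Fragment], signature: bytes) -> Dict[str, object]:
    """Compare per-packet matching with matching on the reassembled stream."""
    stream, conflicts = reassemble(fragments)
    return {
        "per_packet_hit": per_packet_match(fragments, signature),
        "reassembled_hit": signature in stream,
        "overlap_conflicts": conflicts,
        "stream": stream,
    }

# Constructed sample 1: session splicing, one character per packet,
# exactly as in the article's table.
SPLICED: List[Fragment] = [(i, c.encode()) for i, c in enumerate("GET /H")]

# Constructed sample 2: overlapping fragments. The second fragment's first
# byte lands on the first fragment's last byte, turning "X.IDD" into "X.IDA?".
# "<payload>" is a placeholder for the article's "(buffer overflow data)".
OVERLAPPED: List[Fragment] = [(0, b"GET X.IDD"), (8, b"A?<payload>")]
```

In both samples no single packet contains the signature, so only the reassembled stream matches; the overlapping sample additionally yields a conflict at offset 8, which is itself worth an alert.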

4. Denial of service

There is also a cruder method: denial of service, which consumes the processing capacity of the detection device so that the real attack slips past. Filling the disk so the detection device can no longer record logs; making it generate more alerts than it can process; making the administrator unable to read the alerts; hanging the detection device. Such attacks are hard for the IDS itself to detect, so they are very difficult to deal with.

Third, the emergence of network vulnerability scanning systems

The ideal way to deal with system compromise would of course be to build a system with no vulnerabilities at all, but in practice this is impossible. Miller of the University of Wisconsin published a study of the popular operating systems and applications of the day, pointing out that no software is free of vulnerabilities and defects.

A practical approach is therefore to build a security system that is relatively easy to implement and, in accordance with certain security policies, to build corresponding auxiliary security systems; the vulnerability scanner is such a system. Where a system has vulnerabilities there is a potential security threat, but if we can discover those vulnerabilities by scanning the network according to the specific application environment and take appropriate remedial measures in time, intrusion incidents can be prevented effectively. Mending the fold after the sheep is lost still has value, but the ideal is "not fearing the ten thousand, only the one in ten thousand". So how do we choose a professional network vulnerability scanning system? Generally speaking, it must meet the following criteria:

1. Whether it has passed the national certifications

At present the national authorities that certify security products include the Ministry of Public Security Information Security Product Evaluation Center, the National Information Security Product Evaluation Center, the PLA Security Product Evaluation Center and the National Secrecy Bureau Evaluation and Certification Center.

2. The number of vulnerabilities and the speed of upgrades

The number of vulnerabilities is an important indicator when evaluating a scanner. The number of the newest vulnerabilities, how the vulnerability database is updated, and whether a non-specialist can carry out the upgrade all matter, which makes the upgrade frequency of the vulnerability database particularly important. For example, the RJ-ITOP network vulnerability scanning system is upgraded once a week, and its vulnerability count reached 1502 (as of July 9, 2004).

3. The security of the product itself

Whether the operating system platform of the scanning product is secure, and how secure the product itself is, are factors the user must consider. For example, the RJ-ITOP network vulnerability scanning system is an integrated hardware and software appliance running a specially optimized Linux system, with unnecessary ports and services closed and transmitted data encrypted.

4. Whether the CVE international standard is supported

The purpose of CVE is to provide a standardized name for every publicly known vulnerability and security exposure, giving better coverage, easier coordination and better security.

5. Whether distributed scanning is supported

The product should be flexible, portable and able to work through a firewall. Networks are no longer single flat segments but are divided by VLANs, and some packets sent by the scanner are filtered by routers and firewalls, which reduces scanning accuracy.

Deploying a firewall and an IDS does not mean that our network is absolutely safe, but a properly configured firewall and IDS at least make the network more robust and give us more attack information to analyse. Firewalls, antivirus, intrusion detection and vulnerability scanning belong respectively to the protection and detection links of the PDR and P2DR models. These security technologies are organised so that they complement and interact with one another, forming a dynamic, adaptive system.

Finally, it must still be said that "no technology in the world can truly guarantee absolute security."

Because security is a comprehensive problem spanning everything from equipment to people, security products such as firewalls and IDS are only one step in any one of the links that make up security.

Please credit the original URL when reposting: https://www.9cbs.com/read-10926.html
