http://www.cnw.com.cn/issues/Article.asp?filename=N31024.txt
Whether the threat is an external intrusion or an internal attack, it works by exploiting vulnerabilities in operating systems, application services and communication protocols to break in. To counter such threats, one must find the security vulnerabilities in the network system as early as possible and fix them in time.
Mingcha
- Vulnerability Scanning Product Purchase Guide
■ Zhong Li Wanxiong
Vulnerability scanning is an important security technology. It uses simulated attacks to check network systems (servers, workstations, routers, firewalls and so on) for security vulnerabilities that may exist, produces a detailed description of each vulnerability found together with a recommended fix based on the check results, and compiles them into a system security analysis report that gives network administrators a basis for improving the network system. The software, hardware, or combination of the two that performs a vulnerability scan is usually called a vulnerability scanner.
Classification of vulnerability scanners
By working mode, vulnerability scanners are divided into host vulnerability scanners and network vulnerability scanners. The former are host-based and detect vulnerabilities from within the host system itself; operating system scanners and database scanners are examples. The latter are network-based and detect security vulnerabilities in the target network and host systems remotely through request/response exchanges; SATAN and ISS Internet Scanner are examples. By detection object, vulnerability scanners can also be divided into network scanners, operating system scanners, WWW service scanners, database scanners and, more recently, wireless network scanners.
Vulnerability scanners usually appear in three forms: standalone scanning software installed on a computer or handheld device, such as ISS Internet Scanner; client (management)/server (scan engine) mode or browser/server mode, usually software installed on separate computers, although hardware versions also exist, Nessus being an example; and a component of another security product, for example the FORFE security assessment system, which is a component of a firewall.
A network vulnerability scanner uses the TCP/IP services of the target host to exchange requests and responses with it, records the information this reveals about the target, and then matches that information against the system's vulnerability library; if a match is found, a security vulnerability is considered to exist. Alternatively, it attacks the target host the way a hacker would, in simulation; if the simulated attack succeeds, a security vulnerability is considered to exist.
A host vulnerability scanner collects information through a local agent on the host that monitors the system configuration, the registry, system logs, the file system or database activity, and then compares it with the system's vulnerability library; if a match is found, a security vulnerability is considered to exist.
For the matching itself, most vulnerability scanners use rule-based matching: by analysing network system security vulnerabilities, hacker attack cases and network system security configurations, a standard set of security vulnerabilities is formed; on this basis the corresponding matching rules are derived, and the scanner then carries out the scan analysis automatically.
Port scan technology
Network vulnerability scanning is built on port scanning. Any host or device that supports the TCP/IP protocols has open ports. Ports are the windows through which a system faces the outside, and security vulnerabilities are often exposed through them. A network vulnerability scanner therefore first needs to determine which ports on the system are open, and then run the appropriate scan scripts against those open ports to look further for security vulnerabilities. Scanners usually integrate the following main port scanning techniques.
TCP SYN scan. Often called a "half-open" scan, because the scanner does not open a complete TCP connection. It sends a SYN packet, as if it were about to open a real connection, and waits for the reaction (compare the three-way handshake by which a TCP connection is established). A SYN|ACK reply indicates that the port is listening; an RST reply indicates that it is not.
TCP FIN scan. This relies on a closed port replying to a FIN packet with an RST, while an open port ignores the FIN packet. The method depends on the target system: some systems reply with an RST whether or not the port is open, and on them the method does not apply, but this very behaviour can be used to tell Unix from Windows NT.
TCP connect() scan. This is the most basic TCP scan. The connect() system call provided by the operating system is used to connect to every port of interest on the target. If the port is listening, connect() succeeds; otherwise the port is unreachable, that is, no service is offered on it.
FIN URG PUSH scan. This sends a packet with the FIN, URG and PUSH flags set to the target host. According to RFC 793, if the corresponding port on the target host is closed, an RST should come back.
NULL scan. This sends a TCP packet with no flags set at all. According to RFC 793, if the corresponding port on the target host is closed, an RST packet should be sent back.
UDP ICMP port unreachable scan. When a packet is sent to a UDP port that is not open, many hosts return an ICMP_PORT_UNREACH error, which reveals which ports are closed. Neither UDP packets nor ICMP errors are guaranteed to arrive, so this scanner must be able to retransmit lost packets. The method is very slow, because the RFCs limit the rate at which ICMP error messages are generated.
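The flag combinations and expected replies described above can be turned into classification and detection logic on the defending side. The following is an added example, not code from the original article: it maps a TCP segment's flag byte to the probe type the article describes, derives the reply an RFC 793 stack should give for an open and a closed port, and runs a simple sweep detector over a constructed set of packet records. The packet records, the detection threshold and the port numbers are constructed for illustration.

```python
"""Classify TCP probe flag combinations and detect scan sweeps.

Added example, not code from the original article. TCP flag bit values
follow the TCP header layout in RFC 793; the packet records, detection
threshold and port numbers below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# TCP flag bits (low byte of the flags field, RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Probe types from the article, keyed by the exact flag set each one carries.
PROBE_BY_FLAGS: Dict[int, str] = {
    SYN: "syn-scan",                # "half-open": SYN only, handshake never completed
    FIN: "fin-scan",                # bare FIN with no connection behind it
    FIN | URG | PSH: "xmas-scan",   # the FIN/URG/PUSH probe
    0: "null-scan",                 # no flags at all
}


def classify_probe(flags: int) -> Optional[str]:
    """Return the scan type for a segment's flag byte, or None for ordinary
    traffic (anything carrying ACK, a normal SYN|ACK, RST, ...)."""
    return PROBE_BY_FLAGS.get(flags & 0x3F)


def expected_response(probe: str, port_open: bool) -> str:
    """Reply an RFC 793 stack gives to each probe.

    Hosts that answer RST regardless of port state (the article names
    Windows NT) make the FIN/Xmas/NULL results meaningless, so "no-reply"
    counts as evidence of an open port only on RFC-conformant hosts.
    """
    if probe == "syn-scan":
        return "syn-ack" if port_open else "rst"
    if probe in ("fin-scan", "xmas-scan", "null-scan"):
        # A closed port answers any incoming segment without RST with an RST;
        # an open port silently drops a segment lacking SYN, ACK and RST.
        return "no-reply" if port_open else "rst"
    raise ValueError(f"unknown probe type: {probe}")


def infer_port_state(probe: str, response: str) -> str:
    """Invert expected_response: decide open/closed/unknown from the reply."""
    if response == expected_response(probe, True):
        return "open"
    if response == expected_response(probe, False):
        return "closed"
    return "unknown"   # filtered, lost packet, or a non-conformant stack


@dataclass
class Packet:
    src: str
    dst_port: int
    flags: int


def detect_scanners(packets: List[Packet], threshold: int = 5) -> Dict[str, dict]:
    """Group probe-shaped segments by source and report any source that
    touched at least `threshold` distinct ports with scan-type flag sets."""
    seen: Dict[str, dict] = {}
    for p in packets:
        kind = classify_probe(p.flags)
        if kind is None:
            continue
        entry = seen.setdefault(p.src, {"ports": set(), "types": set()})
        entry["ports"].add(p.dst_port)
        entry["types"].add(kind)
    return {
        src: {"ports": len(e["ports"]), "types": sorted(e["types"])}
        for src, e in seen.items()
        if len(e["ports"]) >= threshold
    }


# Constructed sample: one source sweeping ports with SYN and Xmas probes,
# one ordinary client completing a handshake on a single port.
SAMPLE: List[Packet] = (
    [Packet("10.0.0.9", port, SYN) for port in (21, 22, 23, 25, 80, 443)]
    + [Packet("10.0.0.9", port, FIN | URG | PSH) for port in (135, 139, 445)]
    + [Packet("10.0.0.20", 443, SYN), Packet("10.0.0.20", 443, ACK),
       Packet("10.0.0.20", 443, PSH | ACK)]
)

if __name__ == "__main__":
    for src, info in detect_scanners(SAMPLE).items():
        print(f"{src}: {info['ports']} ports probed using {', '.join(info['types'])}")
```

The single SYN of the ordinary client is classified as a probe too, which is why the detector counts distinct ports per source rather than acting on individual segments.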
Security vulnerabilities
At present most vulnerability scanners use feature-based matching, similar to the misuse-detection technique used in intrusion detection systems. The scanner first collects information about the target host through request/response exchanges or by running attack scripts, then searches the collected information for the security vulnerability features defined in its vulnerability feature library. If a feature is found, the security vulnerability is considered to exist. Whether a security vulnerability can be found therefore depends largely on how its features are defined.
The security vulnerabilities a scanner finds should conform to international standards; this is a basic requirement for a scanner. Because most scanners are developed independently, however, different developers define security vulnerabilities differently.
The vulnerability feature library is usually built on the analysis of network system security vulnerabilities, hacker attack cases and network system security configurations.
For a network security vulnerability, one also has to analyse the form in which it shows itself: either by checking the response information to a connection request, or by simulating an attack, checking the target's responses during the simulation, and extracting the security vulnerability's features from that response information. Defining vulnerability features is the counterpart of defining attack signatures in an intrusion detection system. It is the main job in developing a vulnerability scanning system, and its accuracy directly determines the system's performance. Some of these features appear in a single response packet, some span several response packets, and some persist across an entire network connection. Defining vulnerability features is therefore very difficult and requires repeated verification and testing.
At present many domestic vulnerability scanners are developed directly from open source code and use ready-made vulnerability features. This keeps the system's performance in step with products abroad and saves a great deal of work, but the core content is not well mastered. For its long-term development, China needs scanner developers who research security vulnerabilities themselves and master the core technology of vulnerability scanning.
The definition of vulnerability features is important because it directly determines the performance of the scanner. When discussing intrusion detection we often talk about false positives and false negatives. Vulnerability scanners have the same problem, but it is more prominent in intrusion detection, which also uses anomaly detection and is affected by network traffic. Feature matching itself has relatively low false positive and false negative rates.
A well-defined vulnerability feature keeps the false positive and false negative rates low; conversely, a poorly defined vulnerability feature raises both. From a network security perspective, a security scan runs in a relatively calm setting (unlike intrusion detection, which has to face complex, constantly changing network traffic and attacks), so its false positive and false negative rates are determined entirely by the vulnerability definitions.
The vulnerability feature library determines how many security vulnerabilities the scanner can discover, so it is an important factor in measuring a vulnerability scanning product's capability. This raises the question of how the feature library is upgraded (that is, how the product is upgraded). Since new security vulnerabilities appear every day and feature-based matching cannot find unknown vulnerabilities, timely upgrading of the feature library is particularly important.
Customizing simulated attack scripts
Target information such as the operating system type and version, network service banners and some security vulnerabilities can be obtained by the scanner by sending request packets. Determining whether a security vulnerability actually exists, however, requires the scanner to simulate an attack. Normally the scanner attempts an attack against the security vulnerability; if the attack succeeds, the vulnerability is proven to exist. As a security tool, the scanner should be non-destructive and must not damage the network system. In fact the scanner does not really attack the target host: a custom script simulates an attack against the system, and the process and results are then analysed.
Customizing attack scripts is critical for security scanning and for finding security vulnerabilities, and it is one of the scanner's key technologies. Simulated attack scripts are closely tied to the vulnerability feature library and must contain the information that carries the vulnerability features. In fact a simulated attack script is a simplified or weakened version of the real attack: it aims to obtain information, not to compromise the target or gain root privileges. For example, a simulated denial-of-service script stops attacking immediately when the system shows signs of abnormality, and a script that probes for weak passwords tries only simple transforms of the account name and short, easily guessed passwords, without a password cracking program and without exhausting the whole search space.
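The weak-password probe described above tries only simple transforms of the account name and short, common passwords. The same bounded candidate set is most useful on the defending side, applied when a password is set, so that neither a scanner nor an attacker ever gets to find it. The following is an added example, not code from the article; the transform set, the common-password list, the length threshold and the sample accounts are constructed assumptions.

```python
"""Reject account-derived and trivially weak passwords at set time.

Added example, not from the article. Mirrors the bounded candidate set a
simulated weak-password probe would try (simple transforms of the account
name plus short common passwords), so the check rejects exactly what such a
probe would find. Transform list, common-password list, length threshold
and sample accounts are constructed assumptions.
"""
from typing import Dict, Optional, Set

MIN_LENGTH = 8

# Short, frequently chosen passwords a probe tries first (constructed list).
COMMON_PASSWORDS: Set[str] = {
    "123456", "12345678", "password", "admin", "qwerty", "111111", "abc123", "letmein",
}

# Suffixes commonly appended to a name (constructed; "2003" reflects the article's year).
COMMON_SUFFIXES = ("", "1", "12", "123", "!", "01", "2003")


def account_transforms(username: str) -> Set[str]:
    """The bounded set of passwords derivable from the account name by
    simple transforms: case variants, reversal, doubling, common suffixes."""
    base = username.lower()
    stems = {base, base.upper(), base.capitalize(), base[::-1], base * 2}
    return {stem + suffix for stem in stems for suffix in COMMON_SUFFIXES}


def _is_trivial_pattern(password: str) -> bool:
    """Single repeated character ("aaaaaaaa") or a straight run ("87654321")."""
    if len(set(password)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return steps in ({1}, {-1})


def weak_password_reason(username: str, password: str) -> Optional[str]:
    """Return why the password would fall to the simulated probe, or None."""
    if not password:
        return "empty password"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if password.lower() in COMMON_PASSWORDS:
        return "in the common-password list"
    if password in account_transforms(username) or (
        len(username) >= 4 and username.lower() in password.lower()
    ):
        return "derived from the account name"
    if _is_trivial_pattern(password):
        return "repeated or sequential characters"
    return None


def audit(accounts: Dict[str, str]) -> Dict[str, str]:
    """Run the check over account -> proposed password; return only failures."""
    findings: Dict[str, str] = {}
    for user, pw in accounts.items():
        reason = weak_password_reason(user, pw)
        if reason is not None:
            findings[user] = reason
    return findings


# Constructed sample accounts with proposed passwords.
SAMPLE_ACCOUNTS: Dict[str, str] = {
    "admin": "Admin2003",        # capitalised name + year suffix
    "zhangwei": "iewgnahz",      # account name reversed
    "backup": "backup",          # too short (and equal to the name)
    "guest": "Password",         # common password with case varied
    "svc_report": "87654321",    # straight descending run
    "oracle": "Tr0ub4dor&3",     # passes this check
}

if __name__ == "__main__":
    for user, reason in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: rejected ({reason})")
```

Because the candidate set is finite and small, the check costs a few dictionary lookups per account; it is the defensive twin of the probe the article describes, not a cracking routine.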
Simulated attack scripts are customized by reference to the real attack process. For a given security vulnerability, one first attacks with the real attack tool, records each step of the attack, the target's responses and the results, analyses this information to find the vulnerability feature, and finally writes the simulated attack script. Since some security vulnerabilities appear in one object or during one attack process, a single simulated attack script sometimes detects several security vulnerabilities. In the technical manual of a vulnerability scanner we often read how many attack techniques it has and how many security vulnerabilities it can find; the attack techniques referred to are the simulated attack scripts. In general, the more simulated attack scripts a scanner has, the more security vulnerabilities it can find and the more capable it is.
Technical trends
From the early small programs written specifically for UNIX systems, vulnerability scanning systems have grown into commercial products that run on a variety of operating system platforms. Vulnerability scanner development shows the following trends.
Systematic assessment becomes more important
At present most vulnerability scanners simply hand the results of each scan test item (target host information, security vulnerability information and remediation advice) to the tester without any analysis. A minority of vulnerability scanners can sort and summarize the scan results by some keywords (such as IP address and risk level), but they still do not analyse the results, offer no overall assessment of the network's security, and propose no solution.
On systematic assessment, China's national standard clearly states that systematic assessment and analysis should include a risk level assessment of the target, trend analysis across several scans of the same target, overall analysis of scans of several targets, a summary of key vulnerability scan information and a comparative analysis of hosts, and so on, rather than a simple collection of scan results. It is fair to say that vulnerability scanning technology now pays more and more attention to scan assessment. The next generation of vulnerability scanning systems will not only scan for security vulnerabilities but also intelligently help administrators assess the security status of the network and give security recommendations. To this end developers need to integrate a security assessment expert system into the scanner, one able to assess the network system comprehensively from the angles of network security policy, risk assessment, vulnerability assessment, vulnerability repair, network structure and the security system.
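The assessment functions the national standard asks for (risk level per target, trend across scans of the same target, comparison across hosts, a summary of key vulnerabilities) are straightforward to build on top of raw results. The following added example, not from the article or any product, implements them over two constructed scans; the scoring weights, the level thresholds, the hosts and the "VULN-PLACEHOLDER-*" identifiers are assumptions of the example.

```python
"""Assessment layer over raw scan results.

Added example, not from the article. Implements per-host risk level,
trend analysis between two scans of the same targets, a cross-host
ranking and a key-vulnerability summary. Weights, thresholds, hosts and
the "VULN-PLACEHOLDER-*" identifiers are constructed assumptions.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# One raw result row: (host, vulnerability id, risk of that vulnerability).
ScanRow = Tuple[str, str, str]

RISK_WEIGHT = {"high": 10, "medium": 4, "low": 1}   # constructed weights

# Constructed scans of the same network, one month apart.
SCAN_MARCH: List[ScanRow] = [
    ("192.0.2.10", "VULN-PLACEHOLDER-001", "high"),
    ("192.0.2.10", "VULN-PLACEHOLDER-002", "medium"),
    ("192.0.2.11", "VULN-PLACEHOLDER-001", "high"),
    ("192.0.2.12", "VULN-PLACEHOLDER-003", "low"),
]
SCAN_APRIL: List[ScanRow] = [
    ("192.0.2.10", "VULN-PLACEHOLDER-002", "medium"),   # 001 fixed on .10
    ("192.0.2.11", "VULN-PLACEHOLDER-001", "high"),     # still open on .11
    ("192.0.2.11", "VULN-PLACEHOLDER-004", "medium"),   # new finding
    ("192.0.2.12", "VULN-PLACEHOLDER-003", "low"),
    ("192.0.2.13", "VULN-PLACEHOLDER-001", "high"),     # new host, old issue
]


def per_host_score(rows: Iterable[ScanRow]) -> Dict[str, int]:
    """Sum the weights of a host's findings."""
    scores: Counter = Counter()
    for host, _vuln, risk in rows:
        scores[host] += RISK_WEIGHT[risk]
    return dict(scores)


def risk_level(score: int) -> str:
    """Map a score to a level; the thresholds are an assumption of this example."""
    if score >= 10:
        return "high"
    if score >= 4:
        return "medium"
    return "low" if score > 0 else "none"


def rank_hosts(rows: Iterable[ScanRow]) -> List[Tuple[str, int, str]]:
    """Comparative analysis: hosts ordered from worst to best."""
    return sorted(((h, s, risk_level(s)) for h, s in per_host_score(rows).items()),
                  key=lambda t: (-t[1], t[0]))


def trend(previous: Iterable[ScanRow], current: Iterable[ScanRow]) -> Dict[str, Set[Tuple[str, str]]]:
    """Trend between two scans of the same targets, keyed by (host, vuln_id)."""
    prev = {(h, v) for h, v, _ in previous}
    cur = {(h, v) for h, v, _ in current}
    return {"fixed": prev - cur, "new": cur - prev, "persisting": prev & cur}


def key_vulnerabilities(rows: Iterable[ScanRow], min_hosts: int = 2) -> List[Tuple[str, str, int]]:
    """Vulnerabilities present on at least `min_hosts` hosts: fixing these
    first has the widest effect across the network."""
    hosts_by_vuln: Dict[Tuple[str, str], Set[str]] = {}
    for host, vuln, risk in rows:
        hosts_by_vuln.setdefault((vuln, risk), set()).add(host)
    return sorted(((v, r, len(hs)) for (v, r), hs in hosts_by_vuln.items() if len(hs) >= min_hosts),
                  key=lambda t: -t[2])


if __name__ == "__main__":
    for host, score, level in rank_hosts(SCAN_APRIL):
        print(f"{host}: score {score}, level {level}")
    for kind, pairs in trend(SCAN_MARCH, SCAN_APRIL).items():
        print(f"{kind}: {sorted(pairs)}")
    print("key vulnerabilities:", key_vulnerabilities(SCAN_APRIL))
```

Keying the trend on (host, vuln_id) rather than on vulnerability id alone is what makes "fixed on one host, still open on another" visible, which is the case a per-network count hides.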
Plug-in technology and special scripting language
A plugin is a script that collects information or simulates an attack; each plugin packages one or more vulnerability test methods. Typically the vulnerability scanner performs a scan by having its main program call the plugins. Adding a new plugin adds a new function to the scanner and lets it scan for more vulnerabilities. If the plugin writing specification is standardized and published, users or third parties can write plugins to extend the scanner's functionality. Plugin technology gives the scanner a clear structure, makes upgrades and maintenance relatively simple, and offers very strong scalability. At present most scanner products have in fact adopted plugin technology, but the interface specifications laid down by developers have not yet reached the level of a strict standard.
A dedicated scripting language is a more advanced form of plugin technology; using one greatly expands the scanner's functionality. The syntax of such scripting languages is usually fairly intuitive, and a dozen or so lines of code can define a new security vulnerability check and add a new test item to the scanner. A dedicated scripting language simplifies the programming work of writing new plugins, makes extending the scanner more convenient, and lets it keep up with the pace at which security vulnerabilities appear.
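The two ideas that run through this article, feature matching against a vulnerability library (including the false positive and false negative trade-off and the library upgrade discussed under "Security vulnerabilities") and the plugin architecture just described, fit together in one small scanner core. The following is an added example, not code from the article or from any vendor's product: a feature library whose entries carry a banner pattern and the fixed version, a plugin registry where each check is registered without changing the core, and an upgrade routine that adds new features. The banners, patterns and "VULN-PLACEHOLDER-*" identifiers are constructed placeholders.

```python
"""Plugin-driven feature matching: a miniature scanner core.

Added example, not the article's code nor any vendor's. Shows matching of
collected banners against a vulnerability feature library, how the precision
of a feature definition decides false positives and negatives, how a library
upgrade adds coverage, and a plugin registry where each plugin packages one
check. Banners, patterns and "VULN-PLACEHOLDER-*" ids are constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Finding:
    host: str
    port: int
    plugin: str
    vuln_id: str
    risk: str
    evidence: str


@dataclass
class Feature:
    """Library entry: banner regex whose group(1) captures the version, plus
    optionally the first version that no longer has the issue."""
    vuln_id: str
    risk: str
    port: int
    pattern: str
    fixed_in: Optional[Tuple[int, ...]] = None


FEATURE_LIBRARY: List[Feature] = [
    Feature("VULN-PLACEHOLDER-001", "high", 21, r"ExampleFTPd (\d+\.\d+\.\d+)", (2, 4, 0)),
    Feature("VULN-PLACEHOLDER-002", "medium", 22, r"ExampleSSH_(\d+\.\d+)p\d+", (2, 0)),
]

# Constructed "collected information": banners recorded by request/response probes.
COLLECTED: Dict[Tuple[str, int], str] = {
    ("192.0.2.10", 21): "220 ExampleFTPd 2.3.1 ready",
    ("192.0.2.10", 22): "SSH-2.0-ExampleSSH_1.9p2",
    ("192.0.2.11", 21): "220 ExampleFTPd 2.4.0 ready",
    ("192.0.2.11", 80): "Server: ExampleHTTPd/1.0 (patched-2003-05)",
}


def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))


def match_feature(feature: Feature, banner: str) -> Optional[str]:
    """Return the matched evidence or None. Without fixed_in the feature fires
    on the banner alone, so a host already running the fixed version is a
    false positive; with fixed_in such versions are excluded, leaving a false
    negative only where the banner misstates the version."""
    m = re.search(feature.pattern, banner)
    if not m:
        return None
    if feature.fixed_in is not None and parse_version(m.group(1)) >= feature.fixed_in:
        return None
    return m.group(0)


# Plugin registry: a plugin is any callable (host, port, banner) -> findings.
Plugin = Callable[[str, int, str], List[Finding]]
PLUGINS: Dict[str, Plugin] = {}

def plugin(name: str) -> Callable[[Plugin], Plugin]:
    def register(fn: Plugin) -> Plugin:
        PLUGINS[name] = fn
        return fn
    return register

@plugin("banner_feature_match")
def banner_feature_match(host: str, port: int, banner: str) -> List[Finding]:
    findings = []
    for f in FEATURE_LIBRARY:
        evidence = match_feature(f, banner) if f.port == port else None
        if evidence:
            findings.append(Finding(host, port, "banner_feature_match", f.vuln_id, f.risk, evidence))
    return findings

@plugin("http_missing_patch_marker")
def http_missing_patch_marker(host: str, port: int, banner: str) -> List[Finding]:
    # Second, independent check added without changing the core (constructed
    # convention: this site's web servers advertise a "patched-" marker).
    if port == 80 and "patched-" not in banner:
        return [Finding(host, port, "http_missing_patch_marker", "VULN-PLACEHOLDER-003", "low", banner)]
    return []

def scan(collected: Dict[Tuple[str, int], str]) -> List[Finding]:
    """Core loop: every registered plugin over every collected record."""
    return [f for (host, port), banner in collected.items()
            for fn in PLUGINS.values() for f in fn(host, port, banner)]

def upgrade_library(new_features: List[Feature]) -> int:
    """Feature-library upgrade: add entries whose vuln_id is not yet known."""
    known = {f.vuln_id for f in FEATURE_LIBRARY}
    added = [f for f in new_features if f.vuln_id not in known]
    FEATURE_LIBRARY.extend(added)
    return len(added)
```

Running scan(COLLECTED) reports the FTP and SSH services on 192.0.2.10 and nothing on 192.0.2.11, whose FTP daemon is at the fixed version; a feature without fixed_in would have reported it as well. A dedicated scripting language, as the article describes, is essentially a way to write entries like Feature(...) and plugins like the two above in a dozen lines without touching scan().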
Network topology scan
Network topology scanning is currently neglected by most scanners. As systematic assessment becomes more important, the network topology is becoming an important factor in the security system. A topology scan can identify the various devices on the network and the connections between them, recognize the division into subnets or VLANs, discover unreasonable network connections, and present the structure to the user graphically.
Topology scanning plays a key role in detecting illegal network access, failed network isolation and abnormal network interruptions, and it is an important means of security assessment.
Effectiveness testing of security equipment
Firewalls, intrusion detection systems and other security equipment are widely deployed, yet how effective this equipment actually is has seldom received attention or testing. Take firewall configuration as an example: if a firewall works in switching (transparent) mode, with no IP address, a vulnerability scanner cannot detect it effectively, let alone tell whether it is working effectively. Future vulnerability scanners will use a closed-loop structure, connecting to both sides of the firewall, to test its effectiveness: whether its access control measures and its anti-attack measures are consistent with the security policy.
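The closed-loop test the article proposes reduces to comparing what each side of the firewall can actually reach against what the security policy says each side should reach. The following added example, not from the article or any product, takes the open-port sets observed by an inside and an outside scan of the same protected server and evaluates them against such a policy; the policy, the port numbers and the observed results are constructed.

```python
"""Closed-loop firewall effectiveness check from both sides.

Added example, not from the article. Compares the ports an inside scan and
an outside scan found reachable on a protected server against the policy of
what each side may reach. Policy, ports and observations are constructed.
"""
from typing import Dict, List, Set

# Policy: for each side of the firewall, the ports that should be reachable
# on the protected server. Everything else must be blocked from that side.
POLICY: Dict[str, Set[int]] = {
    "outside": {80, 443},                 # public web only
    "inside": {22, 80, 443, 3306},        # administrators also get SSH and the DB
}

# Constructed results: which ports each scan actually found reachable.
OBSERVED: Dict[str, Set[int]] = {
    "outside": {80, 443, 3306},           # the database port leaks to the outside
    "inside": {80, 443, 3306},            # SSH unexpectedly blocked for admins
}


def evaluate_firewall(policy: Dict[str, Set[int]],
                      observed: Dict[str, Set[int]]) -> Dict[str, Dict[str, Set[int]]]:
    """Per side: ports reachable although policy forbids them ("exposed") and
    ports policy allows that were not reachable ("unreachable": over-blocking
    or a service that is down)."""
    report: Dict[str, Dict[str, Set[int]]] = {}
    for side, allowed in policy.items():
        seen = observed.get(side, set())
        report[side] = {"exposed": seen - allowed, "unreachable": allowed - seen}
    return report


def firewall_is_effective(report: Dict[str, Dict[str, Set[int]]]) -> bool:
    """Effective only if no side exposes a forbidden port; over-blocking is
    reported separately as a less severe finding."""
    return all(not r["exposed"] for r in report.values())


def transparent_mode_check(inside_ports: Set[int], outside_ports: Set[int]) -> bool:
    """A firewall in transparent (switching) mode has no address to scan, so
    the only evidence that it filters at all is a difference between the two
    views. Identical views mean the device is not distinguishing the sides."""
    return inside_ports != outside_ports


def summarize(report: Dict[str, Dict[str, Set[int]]]) -> List[str]:
    lines = []
    for side, r in report.items():
        for port in sorted(r["exposed"]):
            lines.append(f"{side}: port {port} reachable but forbidden by policy")
        for port in sorted(r["unreachable"]):
            lines.append(f"{side}: port {port} allowed by policy but not reachable")
    return lines


if __name__ == "__main__":
    result = evaluate_firewall(POLICY, OBSERVED)
    print("\n".join(summarize(result)))
    print("effective:", firewall_is_effective(result))
    print("filtering between sides:", transparent_mode_check(OBSERVED["inside"], OBSERVED["outside"]))
```

In the constructed case both views are identical, so the transparent-mode check already tells the tester that the device is not filtering between the sides, and the policy comparison then pins the problem to port 3306 being reachable from outside and port 22 being blocked from inside.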
Support CVE international standards
Different vendors differ completely in how they design scanners and develop their strategies. CVE (Common Vulnerabilities and Exposures) is a list of standardized names for security vulnerabilities and exposures; its goal is to standardize the names of publicly known security vulnerabilities and exposures. The CVE editorial board includes many organizations concerned with security information and is made up of commercial security tool vendors, academic members, research institutions, government agencies and security experts. Through open and cooperative discussion these organizations decide which security vulnerabilities and exposures are included in CVE and then assign each entry its common name and description.
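The practical value of CVE support is that findings from two products with different proprietary names can be normalized to a common identifier and compared. The following added example, not from the article or any product, does that for two constructed scanner reports; the vendor names are invented, and the identifiers use the year 0000 so that they are obviously placeholders in CVE format and cannot collide with real entries.

```python
"""Reconcile two scanners' findings through CVE identifiers.

Added example, not from the article. Vendors name vulnerabilities
differently; when each finding carries CVE references, findings can be
normalised to the common name and compared across products. The reports
below are constructed; the identifiers use year 0000 so they are
obviously placeholders and cannot collide with real CVE entries.
"""
import re
from typing import Dict, List, Optional, Set

# Canonical form "CVE-YYYY-NNNN" (four or more digits after the year); the
# legacy candidate prefix "CAN-" is accepted on input.
CVE_PATTERN = re.compile(r"^(?:CVE|CAN)-(\d{4})-(\d{4,})$", re.IGNORECASE)

# Constructed reports for the same host from two products with different naming.
SCANNER_A: List[dict] = [
    {"host": "192.0.2.10", "name": "FTP daemon buffer issue", "refs": ["CVE-0000-0001"]},
    {"host": "192.0.2.10", "name": "SSH server outdated", "refs": ["CVE-0000-0002", "CVE-0000-0003"]},
    {"host": "192.0.2.10", "name": "Vendor-only check A-17", "refs": []},
]
SCANNER_B: List[dict] = [
    {"host": "192.0.2.10", "name": "ExampleFTPd overflow", "refs": [" cve-0000-0001 "]},
    {"host": "192.0.2.10", "name": "ExampleSSH multiple issues", "refs": ["CAN-0000-0003", "CVE-0000-0004"]},
]


def normalize_cve(ref: str) -> Optional[str]:
    """Canonicalise a reference: trim, upper-case, and fold the legacy
    candidate prefix CAN- into CVE- (a reconciliation choice of this example:
    a candidate and the entry it became share the same number). Returns None
    for anything that is not a CVE-style identifier."""
    m = CVE_PATTERN.match(ref.strip())
    return f"CVE-{m.group(1)}-{m.group(2)}" if m else None


def index_by_cve(report: List[dict]) -> Dict[str, Set[str]]:
    """Map each CVE id to the vendor names that reference it."""
    index: Dict[str, Set[str]] = {}
    for finding in report:
        for ref in finding["refs"]:
            cve = normalize_cve(ref)
            if cve:
                index.setdefault(cve, set()).add(finding["name"])
    return index


def unmapped(report: List[dict]) -> List[str]:
    """Findings with no valid CVE reference cannot be compared across vendors."""
    return [f["name"] for f in report if not any(normalize_cve(r) for r in f["refs"])]


def reconcile(report_a: List[dict], report_b: List[dict]) -> Dict[str, object]:
    """Agreement and disagreement between two products, by CVE id."""
    a, b = index_by_cve(report_a), index_by_cve(report_b)
    return {
        "both": set(a) & set(b),
        "only_a": set(a) - set(b),
        "only_b": set(b) - set(a),
        "unmapped_a": unmapped(report_a),
        "unmapped_b": unmapped(report_b),
    }


if __name__ == "__main__":
    for key, value in reconcile(SCANNER_A, SCANNER_B).items():
        print(f"{key}: {sorted(value)}")
```

The "unmapped" lists are the point the article makes about vendor-specific definitions: a finding without a CVE reference can only be compared by reading the two descriptions side by side.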
Embedding software in firmware, and secure OS platforms
Since a vulnerability scanning product is a security tool that simulates attacks, the security of the product itself matters, mainly its resistance to attack. If the software or the platform it runs on cannot be kept secure, the scanner may be infected by viruses, Trojans and other harmful programs, which affects its use. Because software products cannot rule out infection, vulnerability scanners are moving towards hardware, and high-end products embed the program, the file system and the communication interfaces in Flash so as to eliminate possible attacks and infections entirely.
Support distributed scan
Today's user networks are increasingly complex, and single networks without VLANs are ever rarer. There are usually access restrictions between subnets, and often a firewall between different subnets as well. These restrictions affect scans across segments and make the results inaccurate. Future scanning products must be able to perform distributed scans so as to inspect the network thoroughly and comprehensively.
Appreciate
Prevention is better than cure
The number of security vulnerabilities is growing rapidly. In 2002 more than 4,000 security vulnerabilities were disclosed, an increase of 70% over 2001, that is, more than 10 new vulnerabilities every day. At the same time, the interval between a vulnerability's discovery and its first use by hackers is getting shorter and shorter, and the risk level of security vulnerabilities is rising. Some people therefore predict that Code Red and the SQL worm, which exploited publicly disclosed vulnerabilities to spread their attacks, are only the beginning, and that larger vulnerability-based attacks are still to come.
In clear contrast to the rapid growth in the number of vulnerabilities, people's awareness of guarding against them lags far behind. This can be seen from the market sales of vulnerability scanning products: intrusion detection and vulnerability scanning systems together account for only 5% of sales in the whole security market, and most users do not include a vulnerability scanner in their procurement plans. Compared with firewalls, antivirus and the like, vulnerability scanning products are obviously neglected by users.
Vulnerability scanning, as an important part of a dynamic protection system, is very important both for acting ahead of security incidents and for responding quickly to emergencies. Its role is fully embodied in the generally recognized PDR and P2DR models. PDR consists of Protection, Detection and Response; P2DR adds Policy to PDR. Firewalls and antivirus belong to the protection link, and intrusion detection and vulnerability scanning to the detection link, of the PDR and P2DR models. These security technologies are organized together, complement and interact with one another, and form a dynamic adaptive system. In fact most users have not established such a dynamic system, and this has much to do with their neglect of vulnerability scanning products.
Some users do make good use of vulnerability scanners. As far as we know, most of them adopted the scanner as a remedy after the lessons of Code Red and the SQL worm. Mending the fold after the sheep are lost is valuable, but the ideal is to guard against the one-in-ten-thousand chance before it happens.
Purchasing considerations
Whether it holds the various national certifications
At present the state authorities that certify security products include the Ministry of Public Security's Information Security Product Evaluation Center, the National Information Security Product Evaluation Center, the PLA Security Product Evaluation Center and the National Secrecy Bureau's Evaluation and Certification Center.
Vulnerability quantity and upgrade speed
The number of vulnerabilities is an important indicator when examining a vulnerability scanner: how many of the latest vulnerabilities it covers, how its vulnerability library is updated and upgraded, and whether the upgrade method can be mastered by non-specialists. This makes the frequency of vulnerability library upgrades all the more important.
Security of the product itself
Whether the operating system platform the scanning product runs on is secure, and how secure the product itself is, are factors the user should consider.
Whether it supports the CVE international standard
Whether it supports distributed scanning
Application areas
Regular security testing and assessment
Regular network security testing helps people eliminate security hazards as far as possible, find security vulnerabilities as early as possible and repair them.
Installing new software or starting new services
Because vulnerabilities and security hazards take many forms, installing new software or starting new services may expose previously hidden vulnerabilities, so a security scan should be run again after such operations.
Planning assessment and result inspection before and after network construction or transformation
When building a network, users must strike a proper balance between risk level and acceptable cost, and arrange multiple security products and technologies in layers; vulnerability scanning products can help them do so.
Planning and effectiveness assessment of network security system construction
Security testing before the network undertakes important tasks
Using a vulnerability scanner to test the network's security before it undertakes an important task minimizes the probability of an incident.
Analysis and investigation after a network security incident
After a network security incident, users can use a vulnerability scanning product to determine which vulnerability the attacker exploited, so as to close it and investigate the source of the attack.
Preparation before major network security events
Before a major network security event, vulnerability scanning products can help users find hidden dangers and vulnerabilities in the network and close them in time.