Author: Yu wonderful
Source: CCID

With the rapid development and spread of computer and network technology, network security has become one of the main focuses of attention. In recent years security technology and security products have advanced considerably, and some of them are now quite mature. However, any single security technology or product has limits in both function and performance, and can only meet a specific part of the security needs of a system or network. How to combine the existing security technologies and products effectively to protect systems and networks has therefore become one of the research hot spots in information security.

Let us start with the two most widespread security devices on today's networks, the firewall and the intrusion detection system. To use a network safely, it is necessary to understand their limitations and weaknesses.

1. Limitations and weaknesses of firewalls

A firewall is a combination of components placed between networks of different trust levels (for example a trusted enterprise intranet and an untrusted public network) or between network security domains. It is the only path for information between the networks or domains it separates, so it can apply the enterprise security policy (permit, deny, monitor) to every flow entering and leaving the network, and it is itself designed to resist attack. It is an infrastructure component that provides information security services and helps realise network and information security, but it has the following limitations.

(1) A firewall cannot stop attacks that do not pass through it. Traffic the firewall never sees, for example a dial-up Internet connection that bypasses it, cannot be inspected.

(2) A firewall cannot solve attacks and security problems that originate inside the network. "Loose inside, tight outside" is the characteristic of the typical local area network: a strictly configured firewall placed in front of an otherwise chaotic network.
If a user receives mail carrying a Trojan or opens a URL that drops one, and the compromised machine then connects outward to the attacker, the firewall that looked like an iron wall is defeated at once. Likewise, attacks between hosts behind the firewall can only be watched as a bystander.

(3) A firewall cannot stop the newest threats, nor those created by an incorrect configuration. Firewall rules are written by analysing the characteristics of attack methods after they are known. If a cracker picks you as the first target for a newly discovered host vulnerability, the firewall has no way to help.

(4) A firewall cannot prevent physical destruction by people or by nature. The firewall is a security device, but it must itself be located in a secure place.

(5) A firewall cannot fix the weaknesses of TCP/IP and related protocols. The firewall is itself built on TCP/IP, so it cannot remove the weaknesses of TCP/IP's own operation, such as those exploited by DoS and DDoS attacks.

(6) A firewall does not stop attacks that come through ports legitimately open on a server. Examples are using an open port 3389 to obtain administrator privileges on a host that is missing a service pack, or script attacks against an ASP application. Because this traffic looks "reasonable" and "legitimate" at the firewall, it is simply allowed through.

(7) A firewall does not prevent the transfer of virus-infected files. A firewall has no anti-virus function, and even when third-party anti-virus software is integrated, no product can catch every virus.

(8) A firewall cannot prevent data-driven attacks. Such an attack occurs when data that appears harmless on the surface is copied to an internal host and then executed or acted on there.

(9) A firewall cannot prevent leaks by insiders. If a legitimate user inside the firewall deliberately discloses information, the firewall can do nothing about it.
(10) A firewall cannot protect against its own security vulnerabilities. A firewall that protects others sometimes cannot protect itself, because no vendor can currently guarantee that its firewall is free of vulnerabilities. A firewall also runs on an operating system with its own hardware and software, so it has bugs and vulnerabilities and may itself fail under attack or through hardware or software faults.

2. Evasion techniques against IDS

Besides the limitations above, a firewall sits at the gateway and cannot make very deep judgements about the traffic passing in and out, otherwise it would seriously degrade network performance.
If the firewall is compared to a doorman, intrusion detection is the camera that watches the network without interruption. An intrusion detection system collects network data out of band (bypass mode), so it has no effect on the operation or performance of the network; it judges whether the data contains an attack attempt and alerts the administrator by various means. It can discover not only external attacks but also malicious behaviour from inside. Intrusion detection is therefore the second gate of network security and a necessary complement to the firewall; together they form a complete network security solution. However, because of the inherent limitations of a network intrusion detection system (NIDS), black hats keep introducing new techniques to evade or slip past it, and the balance is tilting in the black hats' favour.

(1) Weakness of string matching. By combining string-processing and character-substitution techniques, an attacker can produce many variants of an attack string. For a web request there is no need to involve the command interpreter: using hexadecimal (percent) encoding in the URL, either of the following requests is interpreted by the target web server as a request for /etc/passwd:

    GET %65%74%63/%70%61%73%73%77%64
    GET %65%74%63/%70a%73%73%77d

To capture every variant of this one string, a signature-matching IDS would need more than a thousand signature strings, and that is before Unicode encodings are considered.

(2) Session splicing. Session splicing spreads the session data over many packets:

    Packet number   Content
    1               G
    2               E
    3               T
    4               20 (space)
    5               /
    6               H

With only a few bytes in each packet, the request may slip past an intrusion detection system that matches strings packet by packet.
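The two weaknesses just described, percent-encoding and session splicing, both defeat an engine that matches signatures against the raw bytes of each packet. The Python below is an added example (not code from the original article) showing why a NIDS must decode and reassemble before it matches: it runs a naive per-packet matcher and a decode-then-reassemble matcher over constructed request variants, including the two encoded requests above. The signature string, the sample requests and the one-byte-per-segment split are assumptions made for the example; a real TCP reassembler must also handle retransmission, gaps and overlap.

```python
"""Signature matching on raw packets vs. on decoded, reassembled data.

Added example; the signature and the sample requests are constructed for it.
"""

# Signature a simple pattern-matching NIDS might carry (assumed for this example).
SIGNATURE = b"/etc/passwd"

# Constructed request variants: plain, fully percent-encoded, mixed literal/encoded.
PLAIN = b"GET /etc/passwd HTTP/1.0\r\n\r\n"
ENCODED = b"GET /%65%74%63/%70%61%73%73%77%64 HTTP/1.0\r\n\r\n"
MIXED = b"GET /%65%74%63/%70a%73%73%77d HTTP/1.0\r\n\r\n"

HEX_DIGITS = b"0123456789abcdefABCDEF"


def percent_decode(data):
    """Collapse %XX escapes the way a web server does before it resolves the path.

    Upper- and lower-case hex digits are both accepted; a malformed escape such
    as '%zz' is left untouched, which is what most servers do as well.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        if (data[i] == 0x25                      # '%'
                and i + 2 < len(data)
                and data[i + 1] in HEX_DIGITS
                and data[i + 2] in HEX_DIGITS):
            out.append(int(data[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def split_into_segments(request, size=1):
    """Session splicing: cut the request into (seq, payload) segments of `size` bytes."""
    return [(seq, request[seq:seq + size]) for seq in range(0, len(request), size)]


def reassemble(segments):
    """Order segments by sequence number and join them (assumes no gaps or overlap)."""
    return b"".join(payload for _, payload in sorted(segments))


def naive_ids(packets):
    """Raw byte match on each packet in isolation: no decoding, no reassembly."""
    return any(SIGNATURE in p for p in packets)


def normalising_ids(segments):
    """Reassemble the stream, decode it as the target would, then match."""
    return SIGNATURE in percent_decode(reassemble(segments))


def evaluate():
    """Run both engines over each variant, whole and spliced (segments arrive reversed)."""
    results = {}
    for name, request in (("plain", PLAIN), ("encoded", ENCODED), ("mixed", MIXED)):
        spliced = split_into_segments(request)[::-1]   # out-of-order arrival
        results[name] = {
            "naive_whole": naive_ids([request]),
            "naive_spliced": naive_ids([p for _, p in spliced]),
            "normalising_spliced": normalising_ids(spliced),
        }
    return results


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:8s} {verdicts}")
```

The naive engine only fires on the plain request sent in one packet; once the request is encoded, or merely split one byte per segment, it sees nothing. The normalising engine matches all three with a single signature, which is the point of the "thousand signatures" remark: the variants are cheap for the attacker to generate but expensive to enumerate, so the sensor should canonicalise the data to the form the target will act on rather than enumerate encodings.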
(3) Fragment overlap. Here a later fragment overlaps and overwrites data carried in an earlier fragment. For example:

    Fragment 1: GET x.idd
    Fragment 2: a?(buffer overflow data)

The first byte of the second fragment covers the last byte of the first, so after the two fragments are reassembled the result is GET x.ida?(buffer overflow data).

(4) Denial of service. A cruder method is denial of service: consume the processing capacity of the detection device so that the real attack escapes notice. The attacker can fill its disk so that it can no longer write logs, generate more alerts than it can process, bury the real alert so the administrator cannot use the alerts, or crash the detection device outright. An IDS cannot detect what it never sees, so this is very hard to counter.

3. Network vulnerability scanning systems

The ideal way to counter damage to a system is, of course, a completely secure system with no vulnerabilities, but in practice this is not achievable. Miller of the University of Wisconsin published a study of the popular operating systems and applications showing that no software is free of vulnerabilities and defects. A practical approach is therefore to build a system that is relatively easy to secure and, following a defined security policy, to set up a corresponding supporting security system; a vulnerability scanner is such a system.
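The fragment-overlap evasion, technique (3) of the previous section, comes down to a question of policy: when two fragments claim the same byte, does the earlier or the later one win? Different IP stacks answer differently, so an IDS that reassembles with one rule can see a different request from the target that uses the other. The Python below is an added example, not code from the original article, that reassembles the article's GET x.idd / a? fragments under both rules and also the mirror-image pair that is only an attack if the earlier fragment wins. Offsets are in bytes rather than IP's 8-byte fragment units, the signature .ida? and the overflow filler are assumptions for the example, and no claim is made about which real operating system uses which policy.

```python
"""Overlapping fragment reassembly under two contrasting policies.

Added example; fragments, signature and filler are constructed. Offsets are in
bytes (real IP fragment offsets are in 8-byte units) to keep the sketch short.
"""

# Signature for the request the article shows being hidden (assumed for this example).
SIGNATURE = b".ida?"

OVERFLOW = b"A" * 16   # stand-in for the "buffer overflow data" in the article

# The article's fragments: fragment 2 starts one byte before fragment 1 ends.
LATER_WINS_ATTACK = [(0, b"GET x.idd"), (8, b"a?" + OVERFLOW)]
# The mirror image: the attack string only appears if the earlier fragment is kept.
EARLIER_WINS_ATTACK = [(0, b"GET x.ida"), (8, b"d?" + OVERFLOW)]


def reassemble(fragments, policy):
    """Rebuild the datagram from (offset, payload) fragments in arrival order.

    policy "first": a byte already filled by an earlier fragment is kept.
    policy "last":  a later fragment overwrites whatever was there.
    Raises if a hole remains, since a real stack would not deliver such a datagram.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    buf = bytearray()
    filled = []
    for offset, payload in fragments:
        end = offset + len(payload)
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
            filled.extend([False] * (end - len(filled)))
        for i, byte in enumerate(payload):
            pos = offset + i
            if policy == "last" or not filled[pos]:
                buf[pos] = byte
                filled[pos] = True
    if not all(filled):
        raise ValueError("incomplete datagram: hole in reassembly")
    return bytes(buf)


def attack_seen(fragments, policy):
    """Whether an engine reassembling under `policy` matches the signature."""
    return SIGNATURE in reassemble(fragments, policy)


def evaluate():
    """Detection outcome for each fragment set under each policy."""
    return {
        (name, policy): attack_seen(frags, policy)
        for name, frags in (("later_wins", LATER_WINS_ATTACK),
                            ("earlier_wins", EARLIER_WINS_ATTACK))
        for policy in ("first", "last")
    }


if __name__ == "__main__":
    for (name, policy), seen in evaluate().items():
        print(f"{name:13s} policy={policy:5s} attack seen: {seen}")
```

Whichever single rule the sensor adopts, one of the two fragment sets reassembles to the harmless x.idd on the sensor and to the .ida? attack on a target that uses the other rule. The matcher therefore has to know, or model, the reassembly behaviour of the host it is protecting; Snort's frag3 preprocessor, for instance, lets the administrator set the reassembly policy per target host for exactly this reason.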