Research on Implementation Techniques for an IPv6-Oriented Intrusion Detection System
Abstract
As network technology has developed, network security problems have become increasingly prominent, and incidents in which attackers use the network to mount attacks and steal confidential data occur frequently. Security mechanisms such as firewalls, virus detection and encryption can effectively guard against attacks, but each has shortcomings to some degree, and many network attacks still cannot be detected in time because these are passive defense systems. The intrusion detection system (IDS), as an active defense system, can effectively make up for those shortcomings.
     With the development of IPv6 technology and the deployment of IPv6 networks, network intrusions that use new attack methods over IPv6 keep appearing. An IPv6-oriented intrusion detection system must therefore be researched and developed to provide security for the next-generation network.
     Analysis of IPv6 vulnerabilities is the foundation of an IPv6 IDS, and research on IPv6 penetration testing is essential to designing and developing one. The purpose of IPv6 penetration testing is to discover IPv6 vulnerabilities at the theoretical level and to apply the discovered vulnerabilities to the rule base of the IPv6 IDS, strengthening its detection capability.
     This thesis first analyzes the vulnerabilities of the IPv6 protocol in depth, classifies them into five areas with reference to a computer vulnerability classification model, and studies each type in depth. On that basis, it proposes penetration testing as the method for discovering IPv6 vulnerabilities, and designs an IPv6 vulnerability penetration testing model and a general structure for penetration testing tools, in order to improve the detection rules of the IPv6 IDS and its detection results. Building on the Snort intrusion detection system, it designs an IPv6 IDS, completing the overall architecture and giving detailed designs of each functional module. It also studies the implementation techniques of each functional module, and finally implements the basic functions of the IPv6 IDS and tests its function and performance.
