Design and Implementation of a Security Vulnerability Detection System Based on Port Scanning
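Abstract
Network security problems are attracting increasingly wide attention and have become a focus of current network technology research. A security vulnerability is a flaw caused by an error in hardware, software, or security policy; a hacker can exploit this flaw to access the system without authorization or to disrupt its normal use. Therefore, as long as all security vulnerabilities are found and patched, the great majority of hacker attacks can be resisted. Security vulnerability scanning technology can detect the potential security vulnerabilities of a network system, so that network administrators learn in advance where the network is weak, thereby ensuring the security of the network system.
     Based on an in-depth analysis of how security vulnerability scanners work, a study of existing network vulnerability scanning tools, and some practical scanning experience, a security vulnerability detection system based on port scanning was designed and implemented, with network security administrators as its intended users.
     The novel contributions of this thesis are an overall design model for a security vulnerability detection system based on port scanning, and an open-port dependency-tree plug-in scheduling strategy for the scan engine. The system first runs a port scan to detect the port services open on a host and then, based on the collected information about those open port services, invokes the corresponding scan plug-ins against the open network services to detect security vulnerabilities, which reduces the blindness of vulnerability scanning. Using the open-port dependency-tree strategy maximizes the concurrency of plug-in scanning and improves the efficiency of security vulnerability scanning.
     This thesis discusses in detail the theoretical background needed to research and design a security vulnerability detection system, proposes the design goals and design principles of the system, and gives its overall design. The design and implementation of the whole system start from the basic purpose of serving network security administrators. Vulnerability detection uses scan plug-ins: when a new security vulnerability appears, writing the corresponding plug-in and storing it in the plug-in library completes the extension for the new vulnerability, which gives the system excellent extensibility. The system uses a multi-threaded algorithm to make maximum use of the resources of the scanning host and the network and to improve scanning efficiency. The system uses a scan history library to implement resumable (checkpointed) scanning. When scanning ends, it produces a detailed vulnerability scan report that helps security administrators understand the security state of the system and complete the patching of security vulnerabilities.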
Network security problems are attracting increasingly widespread interest and have become a key topic of network engineering research. A security vulnerability is a flaw in hardware, software, or security policy. A hacker may use this flaw to access the system without authorization or to disrupt its normal use. Therefore, as long as all security vulnerabilities are found and patched, the system can resist most attacks launched by hackers. Security vulnerability scanning technology can detect latent security vulnerabilities and enables the network administrator to understand in advance where the vulnerabilities are. In this way the network system is kept safe.

Through studying the principles of security vulnerability scanning and existing network vulnerability scanners, and learning from some actual scanning experience, a security vulnerability scanner was designed and implemented. It is based on port scanning and is intended for network security administrators.

The innovation of this thesis is a security vulnerability scanning design model based on port scanning, and a scanning engine that uses an open-port dependency-tree strategy. Before network vulnerability scanning is launched, a Ping test and port scanning are carried out, which reduces blindness. The scanning strategy maximizes scanning concurrency and improves efficiency during network vulnerability scanning.

This thesis introduces the basic knowledge needed when designing a security vulnerability scanner. The design goals and principles are then proposed and, following them, the system design is given. The essential technology for implementing the security vulnerability system is introduced. Scanning plug-ins are used to examine system vulnerabilities. A scanning plug-in is a dynamic link library file. When a new security vulnerability appears, a corresponding plug-in is written and put into the plug-in library; the scanner can then find the new vulnerability by using the new plug-in. Plug-in technology gives the scanner extremely good extensibility. The system takes full advantage of system and network resources with a multi-threaded algorithm, which improves scanning efficiency. Scanning results are stored in the scanning history library, so scanning can be resumed after an interruption. When scanning ends, the scanner produces a detailed report that helps security administrators understand the security condition and fix the security vulnerabilities.
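One way to realise the open-port dependency-tree scheduling described in the abstract, as an added example that is not code from the thesis. The plug-in names, ports, the representation of dependencies as prerequisite lists, and the `check` callable standing in for a plug-in body are all assumptions.

```python
from concurrent.futures import ThreadPoolExecutor

# Constructed plug-in registry: name -> (service port, prerequisite plug-ins).
# Names, ports and dependencies are illustrative assumptions, not from the thesis.
PLUGINS = {
    "ftp_banner":     (21, []),
    "ftp_anonymous":  (21, ["ftp_banner"]),
    "smtp_banner":    (25, []),
    "smtp_relay":     (25, ["smtp_banner"]),
    "http_banner":    (80, []),
    "http_cgi_list":  (80, ["http_banner"]),
    "http_cgi_check": (80, ["http_cgi_list"]),
}

def select_plugins(open_ports, plugins=PLUGINS):
    """Keep plug-ins whose port is open and whose prerequisites are all kept."""
    kept = {n for n, (port, _) in plugins.items() if port in open_ports}
    changed = True
    while changed:  # repeat until no plug-in loses a prerequisite
        changed = False
        for name in sorted(kept):
            if any(dep not in kept for dep in plugins[name][1]):
                kept.discard(name)
                changed = True
    return kept

def schedule_waves(open_ports, plugins=PLUGINS):
    """Group selected plug-ins into waves whose members can run concurrently."""
    pending, done, waves = select_plugins(open_ports, plugins), set(), []
    while pending:
        ready = sorted(n for n in pending
                       if all(dep in done for dep in plugins[n][1]))
        if not ready:
            raise ValueError("dependency cycle among %s" % sorted(pending))
        waves.append(ready)
        done.update(ready)
        pending.difference_update(ready)
    return waves

def run_scan(open_ports, check, plugins=PLUGINS, workers=8):
    """Run each wave in a thread pool; check(name, port) is the plug-in body."""
    results = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for wave in schedule_waves(open_ports, plugins):
            ports = [plugins[n][0] for n in wave]
            results.update(zip(wave, pool.map(check, wave, ports)))
    return results
```

Plug-ins for closed ports are never scheduled, and every plug-in in a wave is independent of the others in that wave, so the wave width is the available concurrency.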