Research and Implementation of an Intranet Security Management System
Abstract
In recent years, frequent hacker attacks and the proliferation of network viruses, worms and Trojans have seriously endangered the security of enterprise internal networks; most of them exploit system vulnerabilities to attack, infect and spread. At the same time, unauthorized access and policy-violating operations inside the network are difficult to audit and prevent, and they also cause enterprises heavy losses. The traditional security architecture, which protects the organizational boundary and core assets, is increasingly showing its shortcomings and cannot effectively address the many problems faced in managing the security of all endpoint computers on the intranet. Manual management of endpoint computers is far from adequate for today's large-scale network environments, and new technical means are urgently needed to achieve unified management of the internal network. The construction of an intranet security system has therefore gradually come onto the agenda of organizational managers and network security builders.

With the development of an intranet security management system as its background, this thesis first lists the current security situation of enterprise internal networks and a classification of the problems, and analyzes the causes of intranet security problems. Based on this analysis of causes, it then proposes an overall solution for an intranet security system. The thesis then discusses several key technologies of the intranet security management system, including ARP attack and defense techniques, vulnerabilities and patches with the Windows platform as the representative case, and hook techniques. It describes in detail the design and implementation of the key modules: the asset module collects various kinds of system information; the patch management module performs vulnerability analysis and patch installation on endpoint computers; the device control module disables or enables devices according to policy; the external-connection monitoring module detects whether unauthorized external connections exist; and the secure access module discovers and blocks unauthorized computers that attempt to connect to the network. Finally, the thesis analyzes the problems encountered when deploying the system in a real network environment and proposes optimized solutions.
