Design and Implementation of an ARP Firewall in a Terminal Host Security Management System
Abstract
Security is a major issue that has accompanied the development of network technology. For many years, despite large investments of money and effort in countering attacks of every kind, hackers have kept producing new threats. Security defence has long been confined to the conventional network perimeter, giving rise to firewalls, IDS, vulnerability scanners, security auditing and many other network security appliances. With these important security facilities concentrated in the server room and at the network entry point, and under their close monitoring, threats from outside the network have gradually diminished. By contrast, threats from inside the network have become the new problem most network administrators report.
     At present the networks of domestic government agencies, classified departments, research institutions, financial institutions and enterprises have reached a considerable scale, yet they harbour internal security risks that cannot be ignored. Against this background we developed the "Terminal Host Security Management System", which monitors and audits the working state of hosts and manages software and hardware resources securely, relieving government and enterprise networks of internal and external troubles, standing guard over them and escorting their management.
     This thesis is based on the "Terminal Host Security Management System": it mainly describes the product's functions and gives a fairly detailed account of the design and implementation of its ARP firewall module. Once deployed, the module effectively prevented the various kinds of spoofing that arise from the vulnerabilities of the ARP protocol. In particular, its "ARP extended protocol mode" prevents spoofing without adding any network load, and has been uniformly well received by users.
With the deepening of network technology, information security has gradually entered a new era. Traditional security solutions focus on the network boundary and usually neglect intranet security. In particular, in government agencies, security departments, research institutes, banking and securities firms, enterprises and other organisations, the terminal hosts in office networks, internal business networks and classified networks are very weak and carry latent security problems.
     Existing security measures have not played their due role: network administrators cannot see the security situation of each network endpoint, and they often spend a great deal of time and effort without being able to solve the many terminal-host security and management issues. Some organisations have formulated strict security management rules, but for lack of suitable technical means those rules cannot be enforced effectively, which leads to the disclosure of confidential information, hacker intrusions, worm and virus outbreaks and other frequent security incidents. These incidents pose a challenge to internal network security.
     According to IDC statistics, more than half of security threats come from within. This is a great challenge for network security, and traditional security equipment (such as firewalls) that defends against outside attack cannot meet the new requirements. A new generation of security technology is needed. The new solution should place security at the core of the internal network and build a new network security management system from a host firewall, an ARP firewall, mobile media management, HIPS, patch distribution, illegal Internet access control and asset management.
     A comprehensive network security management system should focus on the following threats:
     Firstly, unauthorised use and authorised abuse of terminal hosts.
     Secondly, the low intrinsic security of the terminal host itself.
     Thirdly, leaks through peripherals, mobile media and other interfaces.
     Fourthly, illegal connection of untrusted terminal hosts to the intranet.
     Fifthly, malicious attacks triggered by illegal connections to the Internet.
     Sixthly, security risks caused by poor management of software and hardware assets.
     Under these conditions we developed the "Terminal Host Security Management System", which protects terminal hosts by prevention in advance, monitoring during operation and auditing afterwards.
     Prevention in advance means preventing danger before it arrives. First, strict rules define the security level of people, equipment resources and data; then clear rules and regulations are set and strictly enforced. The scope in which important information may be disseminated is restricted, as are the actions of those who know it. Prevention in advance must be achieved through technical means, including access control over mobile devices, applications, Internet access, file operations and network access, so that only authorised personnel can use designated equipment and perform designated operations. Secret information is completely confined to a limited network region to prevent leakage.
     Monitoring during operation is second only to prevention in advance. Actions that violate the security policy should raise an alarm or be blocked, which minimises losses.
     Auditing afterwards is a necessary security measure. All actions should be recorded, stored and easy to find later.
     The "Terminal Host Security Management System" is made up of three components: Agent, Server and Console. The Agent is installed on every host that needs to be monitored; it collects data and carries out policy instructions. The Server is installed on a computer with a high-performance CPU and large memory, and stores and manages the important data. The Console is generally installed on the network administrator's host; it monitors the Agents, manages all kinds of audit events and defines security policies.
     Whenever a new class of network security problem arises, the system can be updated quickly. The Agent was designed around an intermediary pattern and uses plug-ins to handle new changes. For example, in recent years the TCP/IP protocol suite has become universal with the growth of networks, but the Address Resolution Protocol (ARP) has a security hole: an attacker can exploit it to hijack sessions or launch denial-of-service attacks. Traditional defence technology is helpless against this, so the ARP Firewall plug-in was created. The ARP Firewall uses a state machine and a reverse detection algorithm to resist ARP attacks. During its development we learned from advanced techniques and, in accordance with the actual context of the system, used a modified algorithm to solve the problem.
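The paragraph above mentions a state machine and a reverse detection algorithm but does not show how an agent-side ARP filter actually decides whether a reply is trustworthy. The following Python is an added example, not code from the thesis or its product, that demonstrates the state-machine idea in its simplest form: the filter remembers which IP addresses this host has itself asked about, accepts a reply only while such a request is outstanding, and flags a reply that contradicts a binding learned earlier or whose Ethernet source address disagrees with the ARP sender field. The frame builder, the `ArpGuard` class, its verdict strings and the sample addresses are all constructed for this example; the frame layout follows the Ethernet/IPv4 ARP format of RFC 826.

```python
"""ARP reply validation with a request/reply state machine (added example, not the thesis code)."""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str, eth_src: str = None) -> bytes:
    """Build an Ethernet/ARP frame from constructed sample values.

    eth_src lets a test produce a frame whose Ethernet source differs from the
    ARP sender hardware address, a mismatch a filter should notice.
    """
    eth_src = eth_src or sha
    eth_dst = tha if oper == ARP_REPLY else BROADCAST
    ethernet = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then oper
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += mac_bytes(sha) + ipaddress.IPv4Address(spa).packed
    arp += mac_bytes(tha) + ipaddress.IPv4Address(tpa).packed
    return ethernet + arp


def parse_arp(frame: bytes) -> dict:
    """Parse a 42-byte Ethernet/IPv4 ARP frame; reject anything else."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet/ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP variant")
    return {
        "eth_src": mac_str(frame[6:12]),
        "oper": oper,
        "sha": mac_str(frame[22:28]),
        "spa": str(ipaddress.IPv4Address(frame[28:32])),
        "tha": mac_str(frame[32:38]),
        "tpa": str(ipaddress.IPv4Address(frame[38:42])),
    }


class ArpGuard:
    """Hypothetical agent-side filter: only replies to our own requests update the table."""

    def __init__(self):
        self.bindings = {}   # IP -> MAC, learned only from accepted replies
        self.pending = set()  # IPs for which this host has sent a request

    def note_request_sent(self, ip: str) -> None:
        """Called when the local host transmits an ARP request for ip."""
        self.pending.add(ip)

    def inspect(self, frame: bytes) -> str:
        """Return a verdict string for one received frame."""
        p = parse_arp(frame)
        if p["oper"] == ARP_REQUEST:
            return "request"          # requests are passed through untouched
        if p["oper"] != ARP_REPLY:
            return "ignore"
        if p["eth_src"] != p["sha"]:
            return "header-mismatch"  # Ethernet source and ARP sender disagree
        ip, mac = p["spa"], p["sha"]
        if ip not in self.pending:
            return "unsolicited"      # nobody asked: do not touch the cache
        known = self.bindings.get(ip)
        if known is not None and known != mac:
            return "conflict"         # keep the old binding and the request open
        self.bindings[ip] = mac
        self.pending.discard(ip)
        return "accept"


if __name__ == "__main__":
    guard = ArpGuard()
    guard.note_request_sent("10.0.0.1")
    genuine = build_arp(ARP_REPLY, "aa:aa:aa:aa:aa:aa", "10.0.0.1", "cc:cc:cc:cc:cc:cc", "10.0.0.50")
    forged = build_arp(ARP_REPLY, "bb:bb:bb:bb:bb:bb", "10.0.0.1", "cc:cc:cc:cc:cc:cc", "10.0.0.50")
    print("genuine reply:", guard.inspect(genuine))
    print("later forged reply:", guard.inspect(forged))
```

The verdicts other than "accept" are the points where a real agent would raise an audit event for the Console; the cache itself is only ever written on "accept", so an unsolicited or conflicting reply cannot change the binding that the host actually uses.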
     In the future, as security awareness grows, the "Terminal Host Security Management System" will be accepted by more customers and will gradually become mature and stable.